./0000775000175000017500000000000012511411356011434 5ustar nielsenrnielsenr./sshd0000664000175000017500000000045112511411356012320 0ustar nielsenrnielsenr#%PAM-1.0 auth include common-auth account required pam_nologin.so account include common-account password include common-password session optional pam_keyinit.so force revoke session include common-session session required pam_loginuid.so ./sshd.socket0000664000175000017500000000023012511411356013602 0ustar nielsenrnielsenr[Unit] Conflicts=sshd.service [Socket] ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd ListenStream=22 Accept=yes [Install] WantedBy=sockets.target ./sshd@.service0000664000175000017500000000036412511411356014062 0ustar nielsenrnielsenr[Unit] Description=OpenSSH Per-Connection Daemon Wants=sshdgenkeys.service After=sshdgenkeys.service [Service] ExecStart=-@SBINDIR@/sshd -i ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID StandardInput=socket StandardError=syslog KillMode=process ./add-test-support-for-busybox.patch0000664000175000017500000000437412511411356020161 0ustar nielsenrnielsenrAdjust test cases to work with busybox. - Replace dd parameter "obs" with "bs". - Replace "head -" with "head -n ". Signed-off-by: Maxin B. John Upstream-Status: Pending --- a/regress/cipher-speed.sh 2012-06-30 07:08:53.000000000 +0200 +++ b/regress/cipher-speed.sh 2013-02-15 11:30:20.670022055 +0100 @@ -26,7 +26,7 @@ echon "$c/$m:\t" ( ${SSH} -o 'compression no' \ -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \ - exec sh -c \'"dd of=/dev/null obs=32k"\' \ + exec sh -c \'"dd of=/dev/null bs=32k"\' \ < ${DATA} ) 2>&1 | getbytes if [ $? -ne 0 ]; then @@ -42,7 +42,7 @@ echon "$c:\t" ( ${SSH} -o 'compression no' \ -F $OBJ/ssh_proxy -1 -c $c somehost \ - exec sh -c \'"dd of=/dev/null obs=32k"\' \ + exec sh -c \'"dd of=/dev/null bs=32k"\' \ < ${DATA} ) 2>&1 | getbytes if [ $? -ne 0 ]; then fail "ssh -1 failed with cipher $c" --- a/regress/transfer.sh 2003-09-04 06:54:40.000000000 +0200 +++ b/regress/transfer.sh 2013-02-15 11:25:34.666411185 +0100 @@ -18,7 +18,7 @@ for s in 10 100 1k 32k 64k 128k 256k; do trace "proto $p dd-size ${s}" rm -f ${COPY} - dd if=$DATA obs=${s} 2> /dev/null | \ + dd if=$DATA bs=${s} 2> /dev/null | \ ${SSH} -q -$p -F $OBJ/ssh_proxy somehost "cat > ${COPY}" if [ $? -ne 0 ]; then fail "ssh cat $DATA failed" --- a/regress/yes-head.sh 2005-11-28 06:41:03.000000000 +0100 +++ b/regress/yes-head.sh 2013-02-15 11:55:11.413715068 +0100 @@ -4,7 +4,7 @@ tid="yes pipe head" for p in 1 2; do - lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)` + lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -n 2000"' | (sleep 3 ; wc -l)` if [ $? -ne 0 ]; then fail "yes|head test failed" lines = 0; --- a/regress/key-options.sh 2008-07-04 09:08:58.000000000 +0200 +++ b/regress/key-options.sh 2013-02-15 12:06:05.109486098 +0100 @@ -54,7 +54,7 @@ fi sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys - from=`head -1 $authkeys | cut -f1 -d ' '` + from=`head -n 1 $authkeys | cut -f1 -d ' '` verbose "key option proto $p $from" r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo true'` if [ "$r" = "true" ]; then ./openssh-CVE-2011-4327.patch0000664000175000017500000000227412511411356015532 0ustar nielsenrnielsenropenssh-CVE-2011-4327 A security flaw was found in the way ssh-keysign, a ssh helper program for host based authentication, attempted to retrieve enough entropy information on configurations that lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would be executed to retrieve the entropy from the system environment). A local attacker could use this flaw to obtain unauthorized access to host keys via ptrace(2) process trace attached to the 'ssh-rand-helper' program. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327 http://www.openssh.com/txt/portable-keysign-rand-helper.adv Upstream-Status: Pending Signed-off-by: Li Wang --- a/ssh-keysign.c +++ b/ssh-keysign.c @@ -170,6 +170,10 @@ key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY); key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY); key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY); + if (fcntl(key_fd[0], F_SETFD, FD_CLOEXEC) != 0 || + fcntl(key_fd[1], F_SETFD, FD_CLOEXEC) != 0 || + fcntl(key_fd[2], F_SETFD, FD_CLOEXEC) != 0) + fatal("fcntl failed"); original_real_uid = getuid(); /* XXX readconf.c needs this */ if ((pw = getpwuid(original_real_uid)) == NULL) ./volatiles.99_sshd0000664000175000017500000000011312511411356014635 0ustar nielsenrnielsenrd root root 0755 /var/run/sshd none f root root 0644 /var/log/lastlog none ./ssh_config0000664000175000017500000000272612511411356013510 0ustar nielsenrnielsenr# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for # users, and the values can be changed in per-user configuration files # or on the command line. # Configuration data is parsed as follows: # 1. command line options # 2. user-specific file # 3. system-wide file # Any configuration value is only changed the first time it is set. # Thus, host-specific definitions should be at the beginning of the # configuration file, and defaults at the end. # Site-wide defaults for some commonly used options. For a comprehensive # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. Host * ForwardAgent yes ForwardX11 yes # RhostsRSAAuthentication no # RSAAuthentication yes # PasswordAuthentication yes # HostbasedAuthentication no # GSSAPIAuthentication no # GSSAPIDelegateCredentials no # BatchMode no # CheckHostIP yes # AddressFamily any # ConnectTimeout 0 # StrictHostKeyChecking ask # IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa # Port 22 # Protocol 2,1 # Cipher 3des # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 # EscapeChar ~ # Tunnel no # TunnelDevice any:any # PermitLocalCommand no # VisualHostKey no ./sshd_config0000664000175000017500000000631112511411356013646 0ustar nielsenrnielsenr# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value. #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: # Disable legacy (protocol version 1) support in the server for new # installations. In future the default will change to require explicit # activation of protocol 1 Protocol 2 # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 1024 # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO # Authentication: #LoginGraceTime 2m #PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 #RSAAuthentication yes #PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. #UsePAM no #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no UsePrivilegeSeparation yes #PermitUserEnvironment no Compression no ClientAliveInterval 15 ClientAliveCountMax 4 #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 #PermitTunnel no #ChrootDirectory none # no default banner path #Banner none # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no # ForceCommand cvs server ./openssh-CVE-2014-2532.patch0000664000175000017500000000067412511411356015533 0ustar nielsenrnielsenrUpstream-Status: Backport Fix for CVE-2014-2532 Backported from openssh-6.6p1.tar.gz Signed-off-by: Chen Qi --- --- a/session.c +++ b/session.c @@ -955,6 +955,11 @@ u_int envsize; u_int i, namelen; + if (strchr(name, '=') != NULL) { + error("Invalid environment variable \"%.100s\"", name); + return; + } + /* * If we're passed an uninitialized list, allocate a single null * entry before continuing. ./init0000664000175000017500000000522112511411356012322 0ustar nielsenrnielsenr#! /bin/sh set -e PIDFILE=/var/run/sshd.pid # source function library . /etc/init.d/functions # /etc/init.d/ssh: start and stop the OpenBSD "secure shell" daemon test -x /usr/sbin/sshd || exit 0 ( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0 # /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS if test -f /etc/default/ssh; then . /etc/default/ssh fi [ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh mkdir -p $SYSCONFDIR HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key check_for_no_start() { # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists if [ -e $SYSCONFDIR/sshd_not_to_be_run ]; then echo "OpenBSD Secure Shell server not in use ($SYSCONFDIR/sshd_not_to_be_run)" exit 0 fi } check_privsep_dir() { # Create the PrivSep empty dir if necessary if [ ! -d /var/run/sshd ]; then mkdir /var/run/sshd chmod 0755 /var/run/sshd fi } check_config() { /usr/sbin/sshd -t || exit 1 } check_keys() { # create keys if necessary if [ ! -f $HOST_KEY_RSA ]; then echo " generating ssh RSA key..." ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa fi if [ ! -f $HOST_KEY_ECDSA ]; then echo " generating ssh ECDSA key..." ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa fi if [ ! -f $HOST_KEY_DSA ]; then echo " generating ssh DSA key..." ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa fi if [ ! -f $HOST_KEY_ED25519 ]; then echo " generating ssh ED25519 key..." ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519 fi } export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" case "$1" in start) check_for_no_start echo "Starting OpenBSD Secure Shell server: sshd" check_keys check_privsep_dir start-stop-daemon -S -p $PIDFILE -x /usr/sbin/sshd -- $SSHD_OPTS echo "done." ;; stop) echo -n "Stopping OpenBSD Secure Shell server: sshd" start-stop-daemon -K -p $PIDFILE -x /usr/sbin/sshd echo "." ;; reload|force-reload) check_for_no_start check_keys check_config echo -n "Reloading OpenBSD Secure Shell server's configuration" start-stop-daemon -K -p $PIDFILE -s 1 -x /usr/sbin/sshd echo "." ;; restart) check_keys check_config echo -n "Restarting OpenBSD Secure Shell server: sshd" start-stop-daemon -K -p $PIDFILE --oknodo -x /usr/sbin/sshd check_for_no_start check_privsep_dir sleep 2 start-stop-daemon -S -p $PIDFILE -x /usr/sbin/sshd -- $SSHD_OPTS echo "." ;; status) status /usr/sbin/sshd exit $? ;; *) echo "Usage: /etc/init.d/ssh {start|stop|status|reload|force-reload|restart}" exit 1 esac exit 0 ./run-ptest0000775000175000017500000000025412511411356013324 0ustar nielsenrnielsenr#!/bin/sh export TEST_SHELL=sh cd regress make -k .OBJDIR=`pwd` .CURDIR=`pwd` tests \ | sed -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g' ./sshdgenkeys.service0000664000175000017500000000041112511411356015341 0ustar nielsenrnielsenr[Unit] Description=OpenSSH Key Generation ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key [Service] ExecStart=@BINDIR@/ssh-keygen -A Type=oneshot RemainAfterExit=yes ./auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch0000664000175000017500000000164112511411356024465 0ustar nielsenrnielsenrUpstream-Status: Pending Subject: auth2-none.c: avoid authenticate empty passwords to mess up with PAM If UsePAM, PermitEmptyPasswords, PasswordAuthentication are enabled. The ssh daemon will try to authenticate an empty password, resulting in login failures of any user. If PAM is enabled, then we should leave the task of password authentication to PAM. Signed-off-by: Chen Qi --- auth2-none.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auth2-none.c b/auth2-none.c index c8c6c74..b48b2fd 100644 --- a/auth2-none.c +++ b/auth2-none.c @@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt) { none_enabled = 0; packet_check_eom(); - if (options.permit_empty_passwd && options.password_authentication) + if (options.permit_empty_passwd && options.password_authentication && !options.use_pam) return (PRIVSEP(auth_password(authctxt, ""))); return (0); } -- 1.7.9.5 ./openssh-CVE-2014-2653.patch0000664000175000017500000000615312511411356015535 0ustar nielsenrnielsenrUpstream-Status: Backport This CVE could be removed if openssh is upgrade to 6.6 or higher. Below are some details. Attempt SSHFP lookup even if server presents a certificate Reference: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513 If an ssh server presents a certificate to the client, then the client does not check the DNS for SSHFP records. This means that a malicious server can essentially disable DNS-host-key-checking, which means the client will fall back to asking the user (who will just say "yes" to the fingerprint, sadly). This patch means that the ssh client will, if necessary, extract the server key from the proffered certificate, and attempt to verify it against the DNS. The patch was written by Mark Wooding . I modified it to add one debug2 call, reviewed it, and tested it. Signed-off-by: Matthew Vernon Signed-off-by: Chen Qi --- --- a/sshconnect.c +++ b/sshconnect.c @@ -1210,36 +1210,63 @@ fail: return -1; } +static int +check_host_key_sshfp(char *host, struct sockaddr *hostaddr, Key *host_key) +{ + int rc = -1; + int flags = 0; + Key *raw_key = NULL; + + if (!options.verify_host_key_dns) + goto done; + + /* XXX certs are not yet supported for DNS; try looking the raw key + * up in the DNS anyway. + */ + if (key_is_cert(host_key)) { + debug2("Extracting key from cert for SSHFP lookup"); + raw_key = key_from_private(host_key); + if (key_drop_cert(raw_key)) + fatal("Couldn't drop certificate"); + host_key = raw_key; + } + + if (verify_host_key_dns(host, hostaddr, host_key, &flags)) + goto done; + + if (flags & DNS_VERIFY_FOUND) { + + if (options.verify_host_key_dns == 1 && + flags & DNS_VERIFY_MATCH && + flags & DNS_VERIFY_SECURE) { + rc = 0; + } else if (flags & DNS_VERIFY_MATCH) { + matching_host_key_dns = 1; + } else { + warn_changed_key(host_key); + error("Update the SSHFP RR in DNS with the new " + "host key to get rid of this message."); + } + } + +done: + if (raw_key) + key_free(raw_key); + return rc; +} + /* returns 0 if key verifies or -1 if key does NOT verify */ int verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) { - int flags = 0; char *fp; fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); debug("Server host key: %s %s", key_type(host_key), fp); free(fp); - /* XXX certs are not yet supported for DNS */ - if (!key_is_cert(host_key) && options.verify_host_key_dns && - verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) { - if (flags & DNS_VERIFY_FOUND) { - - if (options.verify_host_key_dns == 1 && - flags & DNS_VERIFY_MATCH && - flags & DNS_VERIFY_SECURE) - return 0; - - if (flags & DNS_VERIFY_MATCH) { - matching_host_key_dns = 1; - } else { - warn_changed_key(host_key); - error("Update the SSHFP RR in DNS with the new " - "host key to get rid of this message."); - } - } - } + if (check_host_key_sshfp(host, hostaddr, host_key) == 0) + return 0; return check_host_key(host, hostaddr, options.port, host_key, RDRW, options.user_hostfiles, options.num_user_hostfiles, -- 1.7.9.5 ./nostrip.patch0000664000175000017500000000116012511411356014151 0ustar nielsenrnielsenrDisable stripping binaries during make install. Upstream-Status: Inappropriate [configuration] Build system specific. Signed-off-by: Scott Garman diff -ur openssh-5.6p1.orig/Makefile.in openssh-5.6p1/Makefile.in --- openssh-5.6p1.orig/Makefile.in 2010-05-11 23:51:39.000000000 -0700 +++ openssh-5.6p1/Makefile.in 2010-08-30 16:49:54.000000000 -0700 @@ -29,7 +29,7 @@ RAND_HELPER=$(libexecdir)/ssh-rand-helper PRIVSEP_PATH=@PRIVSEP_PATH@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ -STRIP_OPT=@STRIP_OPT@ +STRIP_OPT= PATHS= -DSSHDIR=\"$(sysconfdir)\" \ -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \