From 5f90f566a82963182c27b74ba1dd914553172146 Mon Sep 17 00:00:00 2001 From: Lauri Tirkkonen Date: Wed, 21 Dec 2016 12:54:58 +0200 Subject: [PATCH] update openssh to 7.4p1 --- components/network/openssh/Makefile | 6 +- components/network/openssh/files/sshd_config | 263 ++++---- components/network/openssh/network-ssh.p5m | 70 --- .../network/openssh/patches/0004-lastlogin.patch | 74 +-- .../0011-PAM-enhancements-for-Solaris.patch | 676 --------------------- .../patches/0014-Solaris-Auditing-support.patch | 2 +- ...able-login-to-a-role-if-PAM-is-ok-with-it.patch | 11 +- ...-and-LC_-environment-variables-from-clien.patch | 16 +- .../patches/0101-unregister-kexinit-handler.patch | 27 - components/network/openssh/service-network-ssh.p5m | 70 --- 10 files changed, 156 insertions(+), 1059 deletions(-) rewrite components/network/openssh/files/sshd_config (97%) delete mode 100644 components/network/openssh/network-ssh.p5m rewrite components/network/openssh/patches/0004-lastlogin.patch (84%) delete mode 100644 components/network/openssh/patches/0011-PAM-enhancements-for-Solaris.patch delete mode 100644 components/network/openssh/patches/0101-unregister-kexinit-handler.patch delete mode 100644 components/network/openssh/service-network-ssh.p5m diff --git a/components/network/openssh/Makefile b/components/network/openssh/Makefile index 128d82ff9..10a09f618 100644 --- a/components/network/openssh/Makefile +++ b/components/network/openssh/Makefile 
@@ -23,18 +23,18 @@ include ../../../make-rules/shared-macros.mk
 COMPONENT_NAME= openssh
-COMPONENT_VERSION= 7.3p1
+COMPONENT_VERSION= 7.4p1
 HUMAN_VERSION= $(COMPONENT_VERSION)
 COMPONENT_SRC= $(COMPONENT_NAME)-$(COMPONENT_VERSION)
 # Version for IPS. The encoding rules are:
 # OpenSSH .p => IPS ..0.
 # OpenSSH ..p => IPS ...
-IPS_COMPONENT_VERSION= 7.3.0.1
+IPS_COMPONENT_VERSION= 7.4.0.1
 COMPONENT_PROJECT_URL= http://www.openssh.org/
 COMPONENT_ARCHIVE= $(COMPONENT_SRC).tar.gz
-COMPONENT_ARCHIVE_HASH= sha256:3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc
+COMPONENT_ARCHIVE_HASH= sha256:1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1
 COMPONENT_ARCHIVE_URL= http://ftp.aso.ee/pub/OpenBSD/OpenSSH/portable/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=utility/openssh
diff --git a/components/network/openssh/files/sshd_config b/components/network/openssh/files/sshd_config
dissimilarity index 97%
index 1ee20f838..4df87d4f9 100644
--- a/components/network/openssh/files/sshd_config
+++ b/components/network/openssh/files/sshd_config
@@ -1,145 +1,118 @@ -# -# Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved. -# -# Configuration file for sshd(1m) (see also sshd_config(4)) -# - -# Protocol versions supported -# -# The sshd shipped in this release of Solaris has support for major versions -# 1 and 2. It is recommended due to security weaknesses in the v1 protocol -# that sites run only v2 if possible. Support for v1 is provided to help sites -# with existing ssh v1 clients/servers to transition. -# Support for v1 may not be available in a future release of Solaris. -# -# To enable support for v1 an RSA1 key must be created with ssh-keygen(1). -# RSA and DSA keys for protocol v2 are created by /etc/init.d/sshd if they -# do not already exist, RSA1 keys for protocol v1 are not automatically created. - -# Uncomment ONLY ONE of the following Protocol statements. - -# Only v2 (recommended) -Protocol 2 - -# Both v1 and v2 (not recommended) -#Protocol 2,1 - -# Only v1 (not recommended) -#Protocol 1 - -# Listen port (the IANA registered port number for ssh is 22) -Port 22 - -# The default listen address is all interfaces, this may need to be changed -# if you wish to restrict the interfaces sshd listens on for a multi homed host. -# Multiple ListenAddress entries are allowed. - -# IPv4 only -#ListenAddress 0.0.0.0 -# IPv4 & IPv6 -ListenAddress :: - -# If port forwarding is enabled (default), specify if the server can bind to -# INADDR_ANY. -# This allows the local port forwarding to work when connections are received -# from any remote host. -GatewayPorts no - -# X11 tunneling options -X11Forwarding yes -X11DisplayOffset 10 -X11UseLocalhost yes - -# The maximum number of concurrent unauthenticated connections to sshd. -# start:rate:full see sshd(1) for more information. -# The default is 10 unauthenticated clients. -#MaxStartups 10:30:60 - -# Banner to be printed before authentication starts. -#Banner /etc/issue - -# Should sshd print the /etc/motd file and check for mail. 
-# On Solaris it is assumed that the login shell will do these (eg /etc/profile). -PrintMotd no - -# KeepAlive specifies whether keep alive messages are sent to the client. -# See sshd(1) for detailed description of what this means. -# Note that the client may also be sending keep alive messages to the server. -KeepAlive yes - -# Syslog facility and level -SyslogFacility auth -LogLevel info - -# -# Authentication configuration -# - -# Host private key files -# Must be on a local disk and readable only by the root user (root:sys 600). -# HostKey /etc/ssh/ssh_host_rsa_key -# HostKey /etc/ssh/ssh_host_dsa_key - -# Length of the server key -# Default 768, Minimum 512 -ServerKeyBits 768 - -# sshd regenerates the key every KeyRegenerationInterval seconds. -# The key is never stored anywhere except the memory of sshd. -# The default is 1 hour (3600 seconds). -KeyRegenerationInterval 3600 - -# Ensure secure permissions on users .ssh directory. -StrictModes yes - -# Length of time in seconds before a client that hasn't completed -# authentication is disconnected. -# Default is 600 seconds. 0 means no time limit. -LoginGraceTime 600 - -# Maximum number of retries for authentication -# Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2 -MaxAuthTries 6 -MaxAuthTriesLog 3 - -# Are logins to accounts with empty passwords allowed. -# If PermitEmptyPasswords is no, pass PAM_DISALLOW_NULL_AUTHTOK -# to pam_authenticate(3PAM). -PermitEmptyPasswords no - -# To disable tunneled clear text passwords, change PasswordAuthentication to no. -PasswordAuthentication yes - -# Are root logins permitted using sshd. -# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user -# maybe denied access by a PAM module regardless of this setting. -# Valid options are yes, without-password, no. 
-PermitRootLogin no - -# sftp subsystem -Subsystem sftp internal-sftp - - -# SSH protocol v1 specific options -# -# The following options only apply to the v1 protocol and provide -# some form of backwards compatibility with the very weak security -# of /usr/bin/rsh. Their use is not recommended and the functionality -# will be removed when support for v1 protocol is removed. - -# Should sshd use .rhosts and .shosts for password less authentication. -IgnoreRhosts yes -RhostsAuthentication no - -# Rhosts RSA Authentication -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts. -# If the user on the client side is not root then this won't work on -# Solaris since /usr/bin/ssh is not installed setuid. -RhostsRSAAuthentication no - -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication. -#IgnoreUserKnownHosts yes - -# Is pure RSA authentication allowed. -# Default is yes -RSAAuthentication yes +# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. 
+ +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Ciphers and keying +#RekeyLimit default none + +# Logging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +#PermitRootLogin prohibit-password +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +#PasswordAuthentication yes +#PermitEmptyPasswords no + +# Change to no to disable s/key passwords +#ChallengeResponseAuthentication yes + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". 
+# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +#UsePAM no + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding no +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +PrintMotd no +#TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation sandbox +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# override default of no subsystems +Subsystem sftp /usr/libexec/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server diff --git a/components/network/openssh/network-ssh.p5m b/components/network/openssh/network-ssh.p5m deleted file mode 100644 index 0183fcfe2..000000000 --- a/components/network/openssh/network-ssh.p5m +++ /dev/null 
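Review bot: Replacing the Solaris sshd_config with the upstream template silently changes the effective root-login policy: the removed file set `PermitRootLogin no`, while the new file leaves `#PermitRootLogin prohibit-password` commented out, so the compiled-in default applies and root can now authenticate with a key. If the stricter behaviour is still intended, uncomment and set `PermitRootLogin no` with a one-line comment saying it is a deliberate downstream override. The sftp subsystem also moves from `Subsystem sftp internal-sftp` to `Subsystem sftp /usr/libexec/sftp-server`; that path is copied from the upstream sample and should be checked against where this package actually installs sftp-server (the package manifests are not visible in this hunk), or left as `internal-sftp`, which needs no path. Finally, `#UsePAM no` is the upstream default; since this commit also drops the Solaris PAM patch, confirm the build or a downstream override turns PAM on, otherwise password and keyboard-interactive logins are no longer checked by the PAM stack.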
@@ -1,70 +0,0 @@ -# -# CDDL HEADER START -# -# The contents of this file are subject to the terms of the -# Common Development and Distribution License (the "License"). -# You may not use this file except in compliance with the License. -# -# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE -# or http://www.opensolaris.org/os/licensing. -# See the License for the specific language governing permissions -# and limitations under the License. -# -# When distributing Covered Code, include this CDDL HEADER in each -# file and include the License file at usr/src/OPENSOLARIS.LICENSE. -# If applicable, add the following below this CDDL HEADER, with the -# fields enclosed by brackets "[]" replaced with your own identifying -# information: Portions Copyright [yyyy] [name of copyright owner] -# -# CDDL HEADER END -# -# Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved. -# - -set name=pkg.fmri value=pkg:/network/ssh@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION) -set name=pkg.summary value="OpenSSH client and associated utilities" -set name=pkg.description \ - value="OpenSSH provides end-to-end encrypted replacement of applications such as telnet, rlogin, and ftp. Unlike these legacy applications, OpenSSH never passes anything (including user name and password) over the wire in unencrypted form. OpenSSH provides the SSH known host mechanism which verifies that the system you connect to is really the one you intended to. OpenSSH provides secure tunneling capabilities and several authentication methods. It also supports forwarding X11 connections and arbitrary TCP ports over the secure channel." 
-set name=pkg.human-version value=$(HUMAN_VERSION) -set name=info.classification \ - value=org.opensolaris.category.2008:Applications/Internet \ - value=org.opensolaris.category.2008:System/Security -set name=info.source-url value=$(COMPONENT_ARCHIVE_URL) -set name=info.upstream-url value=$(COMPONENT_PROJECT_URL) -set name=org.opensolaris.arc-caseid value=PSARC/2012/335 -set name=org.opensolaris.consolidation value=$(CONSOLIDATION) - -# We have to preserve original_name as file was once moved to -# ssh-common and back again -file files/ssh_config original_name=network/ssh:etc/ssh/ssh_config \ - path=etc/ssh/ssh_config mode=0644 preserve=true - -file path=usr/bin/scp -file path=usr/bin/sftp -file path=usr/bin/ssh -file path=usr/bin/ssh-add -file path=usr/bin/ssh-agent mode=2555 -file path=usr/bin/ssh-keyscan -file path=usr/bin/ssh-keygen -file path=usr/share/man/man1/scp.1 -file path=usr/share/man/man1/sftp.1 -file path=usr/share/man/man1/ssh-add.1 -file path=usr/share/man/man1/ssh-agent.1 -file path=usr/share/man/man1/ssh-keyscan.1 -file path=usr/share/man/man1/ssh.1 -file path=usr/share/man/man4/ssh_config.4 - -license openssh.license license="BSD, BSD-like (OpenSSH)" \ - com.oracle.info.description="OpenSSH, a suite of tools that help secure network connections" \ - com.oracle.info.name=openssh com.oracle.info.tpno=$(TPNO_OPENSSH) \ - com.oracle.info.version=$(COMPONENT_VERSION) -license openssh.license license="BSD, BSD-like (gsskex)" \ - com.oracle.info.description="GSS-API authenticated key exchange" \ - com.oracle.info.name=gsskex com.oracle.info.tpno=$(TPNO_GSSKEX) \ - com.oracle.info.version=5.7p1 - -depend type=conditional fmri=pkg:/x11/session/xauth \ - predicate=pkg:/x11/library/libxau - -depend type=conditional fmri=pkg:/network/ssh-askpass \ - predicate=pkg:/x11/server/xserver-common 
diff --git a/components/network/openssh/patches/0004-lastlogin.patch b/components/network/openssh/patches/0004-lastlogin.patch
dissimilarity index 84%
index c5db99bd7..ccde3d8c6 100644
--- a/components/network/openssh/patches/0004-lastlogin.patch
+++ b/components/network/openssh/patches/0004-lastlogin.patch
@@ -1,52 +1,22 @@ -From b90dd44d2485d5a95db4602bc8f811d267366f20 Mon Sep 17 00:00:00 2001 -From: oracle -Date: Mon, 3 Aug 2015 14:34:41 -0700 -Subject: [PATCH 04/34] lastlogin - -# The man page change here is Solaris-specific and thus is not being -# contributed back to the upstream community. The servconf.c change -# was developed in-house and has been submitted upstream to OpenSSH for -# their consideration: -# https://bugzilla.mindrot.org/show_bug.cgi?id=2278 -# -# OpenSSH normally updates lastlog when users login and reads lastlog to -# determine the last login time of the user however on Solaris the -# pam_unix_session(5) module handles both of these tasks so we compile -# OpenSSH with --disable-lastlog to disable all lastlog references. -# This means the sshd_config option of PrintLastLog is now ignored and -# can't be changed so we update sshd's configuration parsing to flag -# this as unsupported and update the man page here. -# -*** old/servconf.c Wed Sep 17 02:54:26 2014 ---- - sshd_config.5 | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/sshd_config.5 b/sshd_config.5 -index a37a3ac..0e4ab0e 100644 ---- a/sshd_config.5 -+++ b/sshd_config.5 -@@ -1308,8 +1308,8 @@ Specifies whether - .Xr sshd 8 - should print the date and time of the last user login when a user logs - in interactively. --The default is --.Dq yes . -+On Solaris this option is always ignored since pam_unix_session(5) -+reports the last login time. - .It Cm PrintMotd - Specifies whether - .Xr sshd 8 -@@ -1735,7 +1735,8 @@ This file should be writable by root only, but it is recommended - (though not necessary) that it be world-readable. - .El - .Sh SEE ALSO --.Xr sshd 8 -+.Xr sshd 8 , -+.Xr pam_unix_session 5 - .Sh AUTHORS - OpenSSH is a derivative of the original and free - ssh 1.2.12 release by Tatu Ylonen. 
--- -2.5.4 (Apple Git-61) - +--- openssh-7.4p1.orig/sshd_config.5 Mon Dec 19 06:59:41 2016 ++++ openssh-7.4p1/sshd_config.5 Wed Dec 21 12:03:05 2016 +@@ -1260,8 +1260,9 @@ + .Xr sshd 8 + should print the date and time of the last user login when a user logs + in interactively. +-The default is +-.Cm yes . ++This option is ignored on illumos, since ++.Xr pam_unix_session 5 ++prints the last login time. + .It Cm PrintMotd + Specifies whether + .Xr sshd 8 +@@ -1666,6 +1667,7 @@ + (though not necessary) that it be world-readable. + .El + .Sh SEE ALSO ++.Xr pam_unix_session 5, + .Xr sftp-server 8 , + .Xr sshd 8 + .Sh AUTHORS diff --git a/components/network/openssh/patches/0011-PAM-enhancements-for-Solaris.patch b/components/network/openssh/patches/0011-PAM-enhancements-for-Solaris.patch deleted file mode 100644 index aa4897a5c..000000000 --- a/components/network/openssh/patches/0011-PAM-enhancements-for-Solaris.patch +++ /dev/null 
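Review bot: The new SEE ALSO line `+.Xr pam_unix_session 5,` lacks the space before the comma that the neighbouring `.Xr sftp-server 8 ,` line uses; in mdoc the trailing punctuation must be a separate argument, otherwise `5,` is taken as the section and the cross-reference renders as pam_unix_session(5,). Change it to `.Xr pam_unix_session 5 ,`. The rewritten patch also drops the explanatory header the previous version carried; a short comment block above the first `---` line stating why PrintLastLog is ignored on this platform (the build disables lastlog and pam_unix_session(5) reports the last login) would keep that rationale with the patch, and git apply/patch ignore such leading text.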
@@ -1,676 +0,0 @@ -From 44ace33bdb8ac3a8033dabcde4d5c8242fcec169 Mon Sep 17 00:00:00 2001 -From: oracle -Date: Mon, 3 Aug 2015 14:36:19 -0700 -Subject: [PATCH 11/34] PAM enhancements for Solaris - -# -# This patch contains a couple of PAM enhancements: -# 1) Each SSHv2 userauth method has its own PAM service name so that PAM can -# be used to control what userauth methods are allowed. -# 2) The PAMServiceName and PAMServicePrefix options. -# -# We have contributed back this feature to the OpenSSH upstream community. -# For more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2246 -# In the future, if these enhancements are accepted by the upsteam in a -# later release, we will remove this patch when we upgrade to that release. -# ---- - auth-pam.c | 119 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - auth.h | 3 ++ - auth2.c | 61 ++++++++++++++++++++++++++++- - monitor.c | 63 ++++++++++++++++++++++++++++++ - monitor.h | 3 ++ - monitor_wrap.c | 18 +++++++++ - servconf.c | 56 +++++++++++++++++++++++++++ - servconf.h | 10 +++++ - sshd.8 | 27 +++++++++++++ - sshd.c | 5 +++ - sshd_config.5 | 18 ++++++++- - 11 files changed, 379 insertions(+), 4 deletions(-) - -diff --git a/auth-pam.c b/auth-pam.c -index 92c3b1c..4ca0a58 100644 ---- a/auth-pam.c -+++ b/auth-pam.c -@@ -618,6 +618,72 @@ sshpam_cleanup(void) - sshpam_handle = NULL; - } - -+#ifdef PAM_ENHANCEMENT -+char * -+derive_pam_service_name(Authctxt *authctxt) -+{ -+ char *svcname = xmalloc(BUFSIZ); -+ -+ /* -+ * If PamServiceName is set we use that for everything, including -+ * SSHv1 -+ */ -+ if (options.pam_service_name != NULL) { -+ (void) strlcpy(svcname, options.pam_service_name, BUFSIZ); -+ return (svcname); -+ } -+ -+ if (compat20) { -+ char *method_name = authctxt->authmethod_name; -+ -+ if (!method_name) -+ fatal("Userauth method unknown while starting PAM"); -+ -+ /* -+ * For SSHv2 we use "sshd- -+ * The "sshd" prefix can be changed via the PAMServicePrefix -+ * sshd_config option. 
-+ */ -+ if (strcmp(method_name, "none") == 0) { -+ snprintf(svcname, BUFSIZ, "%s-none", -+ options.pam_service_prefix); -+ } -+ if (strcmp(method_name, "password") == 0) { -+ snprintf(svcname, BUFSIZ, "%s-password", -+ options.pam_service_prefix); -+ } -+ if (strcmp(method_name, "keyboard-interactive") == 0) { -+ /* "keyboard-interactive" is too long, shorten it */ -+ snprintf(svcname, BUFSIZ, "%s-kbdint", -+ options.pam_service_prefix); -+ } -+ if (strcmp(method_name, "publickey") == 0) { -+ /* "publickey" is too long, shorten it */ -+ snprintf(svcname, BUFSIZ, "%s-pubkey", -+ options.pam_service_prefix); -+ } -+ if (strcmp(method_name, "hostbased") == 0) { -+ snprintf(svcname, BUFSIZ, "%s-hostbased", -+ options.pam_service_prefix); -+ } -+ if (strncmp(method_name, "gssapi-", 7) == 0) { -+ /* -+ * Although OpenSSH only supports "gssapi-with-mic" -+ * for now. We will still map any userauth method -+ * prefixed with "gssapi-" to the gssapi PAM service. -+ */ -+ snprintf(svcname, BUFSIZ, "%s-gssapi", -+ options.pam_service_prefix); -+ } -+ return svcname; -+ } else { -+ /* SSHv1 doesn't get to be so cool */ -+ snprintf(svcname, BUFSIZ, "sshd-v1"); -+ } -+ return svcname; -+} -+#endif /* PAM_ENHANCEMENT */ -+ - static int - sshpam_init(Authctxt *authctxt) - { -@@ -625,18 +691,71 @@ sshpam_init(Authctxt *authctxt) - const char *pam_rhost, *pam_user, *user = authctxt->user; - const char **ptr_pam_user = &pam_user; - -+#ifdef PAM_ENHANCEMENT -+ const char *pam_service; -+ const char **ptr_pam_service = &pam_service; -+ char *svc = NULL; -+ -+ svc = derive_pam_service_name(authctxt); -+ debug3("PAM service is %s", svc); -+#endif -+ - if (sshpam_handle != NULL) { -+#ifdef PAM_ENHANCEMENT -+ /* get the pam service name */ -+ sshpam_err = pam_get_item(sshpam_handle, -+ PAM_SERVICE, (sshpam_const void **)ptr_pam_service); -+ if (sshpam_err != PAM_SUCCESS) -+ fatal("Failed to get the PAM service name"); -+ debug3("Previous pam_service is %s", pam_service ? 
-+ pam_service : "NULL"); -+ -+ /* get the pam user name */ -+ sshpam_err = pam_get_item(sshpam_handle, -+ PAM_USER, (sshpam_const void **)ptr_pam_user); -+ -+ /* -+ * only need to re-start if either user or service is -+ * different. -+ */ -+ if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0 -+ && strncmp(svc, pam_service, strlen(svc)) == 0) { -+ free(svc); -+ return (0); -+ } -+ -+ /* -+ * Clean up previous PAM state. No need to clean up session -+ * and creds. -+ */ -+ sshpam_authenticated = 0; -+ sshpam_account_status = -1; -+ -+ sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, NULL); -+ if (sshpam_err != PAM_SUCCESS) -+ debug3("Cannot remove PAM conv"); /* a warning only */ -+#else /* Original */ - /* We already have a PAM context; check if the user matches */ - sshpam_err = pam_get_item(sshpam_handle, - PAM_USER, (sshpam_const void **)ptr_pam_user); - if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0) - return (0); -+#endif /* PAM_ENHANCEMENT */ - pam_end(sshpam_handle, sshpam_err); - sshpam_handle = NULL; - } - debug("PAM: initializing for \"%s\"", user); -+ -+#ifdef PAM_ENHANCEMENT -+ debug3("Starting PAM service %s for user %s method %s", svc, user, -+ authctxt->authmethod_name); -+ sshpam_err = -+ pam_start(svc, user, &store_conv, &sshpam_handle); -+ free(svc); -+#else /* Original */ - sshpam_err = - pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle); -+#endif - sshpam_authctxt = authctxt; - - if (sshpam_err != PAM_SUCCESS) { -diff --git a/auth.h b/auth.h -index 2160154..985053c 100644 ---- a/auth.h -+++ b/auth.h -@@ -81,6 +81,9 @@ struct Authctxt { - - struct sshkey **prev_userkeys; - u_int nprev_userkeys; -+#ifdef PAM_ENHANCEMENT -+ char *authmethod_name; -+#endif - }; - /* - * Every authentication method has to handle authentication requests for -diff --git a/auth2.c b/auth2.c -index 7177962..32ba663 100644 ---- a/auth2.c -+++ b/auth2.c -@@ -243,10 +243,21 @@ input_userauth_request(int type, u_int32_t seq, void 
*ctxt) - PRIVSEP(audit_event(SSH_INVALID_USER)); - #endif - } -+ -+ - #ifdef USE_PAM -+#ifdef PAM_ENHANCEMENT -+ /* -+ * Start PAM here and once only, if each userauth does not -+ * has its own PAM service. -+ */ -+ if (options.use_pam && !options.pam_service_per_authmethod) -+ PRIVSEP(start_pam(authctxt)); -+#else - if (options.use_pam) - PRIVSEP(start_pam(authctxt)); - #endif -+#endif - setproctitle("%s%s", authctxt->valid ? user : "unknown", - use_privsep ? " [net]" : ""); - authctxt->service = xstrdup(service); -@@ -277,6 +288,18 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) - /* try to authenticate user */ - m = authmethod_lookup(authctxt, method); - if (m != NULL && authctxt->failures < options.max_authtries) { -+ -+#if defined(USE_PAM) && defined(PAM_ENHANCEMENT) -+ /* start PAM service for each userauth */ -+ if (options.use_pam && options.pam_service_per_authmethod) { -+ if (authctxt->authmethod_name != NULL) -+ free(authctxt->authmethod_name); -+ authctxt->authmethod_name = xstrdup(method); -+ if (use_privsep) -+ mm_inform_authmethod(method); -+ PRIVSEP(start_pam(authctxt)); -+ } -+#endif - debug2("input_userauth_request: try method %s", method); - authenticated = m->userauth(authctxt); - } -@@ -295,6 +318,10 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method, - char *methods; - int partial = 0; - -+#ifdef PAM_ENHANCEMENT -+ debug3("%s: entering", __func__); -+#endif -+ - if (!authctxt->valid && authenticated) - fatal("INTERNAL ERROR: authenticated invalid user %s", - authctxt->user); -@@ -311,6 +338,25 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method, - } - - if (authenticated && options.num_auth_methods != 0) { -+ -+#if defined(USE_PAM) && defined(PAM_ENHANCEMENT) -+ /* -+ * If each userauth has its own PAM service, then PAM need to -+ * perform account check for this service. 
-+ */ -+ if (options.use_pam && options.pam_service_per_authmethod && -+ !PRIVSEP(do_pam_account())) { -+ /* if PAM returned a message, send it to the user */ -+ if (buffer_len(&loginmsg) > 0) { -+ buffer_append(&loginmsg, "\0", 1); -+ userauth_send_banner(buffer_ptr(&loginmsg)); -+ packet_write_wait(); -+ } -+ -+ fatal("Access denied for user %s by PAM account " -+ "configuration", authctxt->user); -+ } -+#endif - if (!auth2_update_methods_lists(authctxt, method, submethod)) { - authenticated = 0; - partial = 1; -@@ -324,7 +370,20 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method, - return; - - #ifdef USE_PAM -+ -+#ifdef PAM_ENHANCEMENT -+ /* -+ * PAM needs to perform account checks after auth. However, if each -+ * userauth has its own PAM service and options.num_auth_methods != 0, -+ * then no need to perform account checking, because it was done -+ * already. -+ */ -+ if (options.use_pam && authenticated && -+ !(options.num_auth_methods != 0 && -+ options.pam_service_per_authmethod)){ -+#else - if (options.use_pam && authenticated) { -+#endif - if (!PRIVSEP(do_pam_account())) { - /* if PAM returned a message, send it to the user */ - if (buffer_len(&loginmsg) > 0) { -@@ -615,5 +674,3 @@ auth2_update_methods_lists(Authctxt *authctxt, const char *method, - fatal("%s: method not in AuthenticationMethods", __func__); - return 0; - } -- -- -diff --git a/monitor.c b/monitor.c -index ac7dd30..63bde62 100644 ---- a/monitor.c -+++ b/monitor.c -@@ -126,6 +126,9 @@ int mm_answer_sign(int, Buffer *); - int mm_answer_pwnamallow(int, Buffer *); - int mm_answer_auth2_read_banner(int, Buffer *); - int mm_answer_authserv(int, Buffer *); -+#ifdef PAM_ENHANCEMENT -+int mm_answer_authmethod(int, Buffer *); -+#endif - int mm_answer_authpassword(int, Buffer *); - int mm_answer_bsdauthquery(int, Buffer *); - int mm_answer_bsdauthrespond(int, Buffer *); -@@ -205,10 +208,17 @@ struct mon_table mon_dispatch_proto20[] = { - {MONITOR_REQ_SIGN, MON_ONCE, 
mm_answer_sign}, - {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, - {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, -+#ifdef PAM_ENHANCEMENT -+ {MONITOR_REQ_AUTHMETHOD, MON_ISAUTH, mm_answer_authmethod}, -+#endif - {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, - {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, - #ifdef USE_PAM -+#ifdef PAM_ENHANCEMENT -+ {MONITOR_REQ_PAM_START, MON_ISAUTH, mm_answer_pam_start}, -+#else - {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, -+#endif - {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account}, - {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx}, - {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query}, -@@ -370,6 +380,24 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) - if (!compat20) - fatal("AuthenticationMethods is not supported" - "with SSH protocol 1"); -+ -+#if defined(USE_PAM) && defined(PAM_ENHANCEMENT) -+ /* -+ * If each userauth has its own PAM service, then PAM -+ * need to perform account check for this service. -+ */ -+ if (options.use_pam && authenticated && -+ options.pam_service_per_authmethod) { -+ Buffer m; -+ -+ buffer_init(&m); -+ mm_request_receive_expect(pmonitor->m_sendfd, -+ MONITOR_REQ_PAM_ACCOUNT, &m); -+ authenticated = -+ mm_answer_pam_account(pmonitor->m_sendfd, &m); -+ buffer_free(&m); -+ } -+#endif - if (authenticated && - !auth2_update_methods_lists(authctxt, - auth_method, auth_submethod)) { -@@ -388,8 +416,21 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) - !auth_root_allowed(auth_method)) - authenticated = 0; - #ifdef USE_PAM -+#ifdef PAM_ENHANCEMENT -+ /* -+ * PAM needs to perform account checks after auth. -+ * However, if each userauth has its own PAM service -+ * and options.num_auth_methods != 0, then no need to -+ * perform account checking, because it was done -+ * already. 
-+ */ -+ if (options.use_pam && authenticated && -+ !(options.num_auth_methods != 0 && -+ options.pam_service_per_authmethod)) { -+#else - /* PAM needs to perform account checks after auth */ - if (options.use_pam && authenticated) { -+#endif - Buffer m; - - buffer_init(&m); -@@ -859,6 +900,10 @@ mm_answer_pwnamallow(int sock, Buffer *m) - /* Allow service/style information on the auth context */ - monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); - monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); -+#ifdef PAM_ENHANCEMENT -+ /* Allow authmethod information on the auth context */ -+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHMETHOD, 1); -+#endif - } - #ifdef USE_PAM - if (options.use_pam) -@@ -899,6 +944,24 @@ mm_answer_authserv(int sock, Buffer *m) - return (0); - } - -+#ifdef PAM_ENHANCEMENT -+int -+mm_answer_authmethod(int sock, Buffer *m) -+{ -+ monitor_permit_authentications(1); -+ -+ authctxt->authmethod_name = buffer_get_string(m, NULL); -+ debug3("%s: authmethod_name=%s", __func__, authctxt->authmethod_name); -+ -+ if (strlen(authctxt->authmethod_name) == 0) { -+ free(authctxt->authmethod_name); -+ authctxt->authmethod_name = NULL; -+ } -+ -+ return (0); -+} -+#endif -+ - int - mm_answer_authpassword(int sock, Buffer *m) - { -diff --git a/monitor.h b/monitor.h -index 93b8b66..da63e7d 100644 ---- a/monitor.h -+++ b/monitor.h -@@ -65,6 +65,9 @@ enum monitor_reqtype { - MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111, - MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113, - -+#ifdef PAM_ENHANCEMENT -+ MONITOR_REQ_AUTHMETHOD = 114, -+#endif - }; - - struct mm_master; -diff --git a/monitor_wrap.c b/monitor_wrap.c -index c5db6df..30e3c15 100644 ---- a/monitor_wrap.c -+++ b/monitor_wrap.c -@@ -345,6 +345,24 @@ mm_inform_authserv(char *service, char *style) - buffer_free(&m); - } - -+#ifdef PAM_ENHANCEMENT -+/* Inform the privileged process about the authentication method */ -+void -+mm_inform_authmethod(char 
*authmethod) -+{ -+ Buffer m; -+ -+ debug3("%s entering", __func__); -+ -+ buffer_init(&m); -+ buffer_put_cstring(&m, authmethod); -+ -+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHMETHOD, &m); -+ -+ buffer_free(&m); -+} -+#endif -+ - /* Do the password authentication */ - int - mm_auth_password(Authctxt *authctxt, char *password) -diff --git a/servconf.c b/servconf.c -index 1872661..b16a8be 100644 ---- a/servconf.c -+++ b/servconf.c -@@ -169,6 +169,18 @@ initialize_server_options(ServerOptions *options) - options->ip_qos_bulk = -1; - options->version_addendum = NULL; - options->fingerprint_hash = -1; -+#ifdef PAM_ENHANCEMENT -+ options->pam_service_name = NULL; -+ options->pam_service_prefix = NULL; -+ -+ /* -+ * Each user method will have its own PAM service by default. -+ * However, if PAMServiceName is specified or the protocal version -+ * is not compat20, then there will be only one PAM service for the -+ * entire user authentication. -+ */ -+ options->pam_service_per_authmethod = 1; -+#endif - } - - /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. 
*/ -@@ -352,6 +364,12 @@ fill_default_server_options(ServerOptions *options) - options->ip_qos_bulk = IPTOS_THROUGHPUT; - if (options->version_addendum == NULL) - options->version_addendum = xstrdup(""); -+ -+#ifdef PAM_ENHANCEMENT -+ if (options->pam_service_prefix == NULL) -+ options->pam_service_prefix = _SSH_PAM_SERVICE_PREFIX; -+#endif -+ - if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) - options->fwd_opts.streamlocal_bind_mask = 0177; - if (options->fwd_opts.streamlocal_bind_unlink == -1) -@@ -428,6 +446,9 @@ typedef enum { - sMatch, sPermitOpen, sForceCommand, sChrootDirectory, - sUsePrivilegeSeparation, sAllowAgentForwarding, - sHostCertificate, -+#ifdef PAM_ENHANCEMENT -+ sPAMServicePrefix, sPAMServiceName, -+#endif - sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, - sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser, - sKexAlgorithms, sIPQoS, sVersionAddendum, -@@ -566,6 +587,10 @@ static struct { - { "forcecommand", sForceCommand, SSHCFG_ALL }, - { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, - { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, -+#ifdef PAM_ENHANCEMENT -+ { "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL }, -+ { "pamservicename", sPAMServiceName, SSHCFG_GLOBAL }, -+#endif - { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, - { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, - { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, -@@ -1868,6 +1893,37 @@ process_server_config_line(ServerOptions *options, char *line, - options->fingerprint_hash = value; - break; - -+ case sPAMServicePrefix: -+ arg = strdelim(&cp); -+ if (!arg || *arg == '\0') -+ fatal("%s line %d: Missing argument.", -+ filename, linenum); -+ if (options->pam_service_name != NULL) -+ fatal("%s line %d: PAMServiceName and PAMServicePrefix" -+ " are mutually exclusive.", filename, linenum); -+ if (options->pam_service_prefix == NULL) -+ options->pam_service_prefix = xstrdup(arg); -+ break; -+ -+ case 
sPAMServiceName: -+ arg = strdelim(&cp); -+ if (!arg || *arg == '\0') -+ fatal("%s line %d: Missing argument.", -+ filename, linenum); -+ if (options->pam_service_prefix != NULL) -+ fatal("%s line %d: PAMServiceName and PAMServicePrefix" -+ " are mutually exclusive.", filename, linenum); -+ if (options->pam_service_name == NULL) { -+ options->pam_service_name = xstrdup(arg); -+ -+ /* -+ * When this option is specified, we will not have -+ * PAM service for each auth method. -+ */ -+ options->pam_service_per_authmethod = 0; -+ } -+ break; -+ - case sDeprecated: - logit("%s line %d: Deprecated option %s", - filename, linenum, arg); -diff --git a/servconf.h b/servconf.h -index f4137af..8c86b57 100644 ---- a/servconf.h -+++ b/servconf.h -@@ -54,6 +54,10 @@ - /* Magic name for internal sftp-server */ - #define INTERNAL_SFTP_NAME "internal-sftp" - -+#ifdef PAM_ENHANCEMENT -+#define _SSH_PAM_SERVICE_PREFIX "sshd" -+#endif -+ - typedef struct { - u_int num_ports; - u_int ports_from_cmdline; -@@ -194,6 +198,12 @@ typedef struct { - u_int num_auth_methods; - char *auth_methods[MAX_AUTH_METHODS]; - -+#ifdef PAM_ENHANCEMENT -+ char *pam_service_prefix; -+ char *pam_service_name; -+ int pam_service_per_authmethod; -+#endif -+ - int fingerprint_hash; - } ServerOptions; - -diff --git a/sshd.8 b/sshd.8 -index dac5c14..500c4d5 100644 ---- a/sshd.8 -+++ b/sshd.8 -@@ -977,6 +977,33 @@ concurrently for different ports, this contains the process ID of the one - started last). - The content of this file is not sensitive; it can be world-readable. - .El -+ -+.Sh SECURITY -+sshd uses pam(3PAM) for password and keyboard-interactive methods as well as -+for account management, session management, and the password management for all -+authentication methods. 
-+.Pp -+Each SSHv2 userauth type has its own PAM service name: -+ -+.Bd -literal -offset 3n -+ -+----------------------------------------------- -+| SSHv2 Userauth | PAM Service Name | -+----------------------------------------------- -+| none | sshd-none | -+----------------------------------------------- -+| password | sshd-password | -+----------------------------------------------- -+| keyboard-interactive | sshd-kbdint | -+----------------------------------------------- -+| pubkey | sshd-pubkey | -+----------------------------------------------- -+| hostbased | sshd-hostbased | -+----------------------------------------------- -+| gssapi-with-mic | sshd-gssapi | -+----------------------------------------------- -+.Ed -+ - .Sh SEE ALSO - .Xr scp 1 , - .Xr sftp 1 , -diff --git a/sshd.c b/sshd.c -index 68fd1ea..418e1fd 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -2165,6 +2165,11 @@ main(int ac, char **av) - - sshd_exchange_identification(sock_in, sock_out); - -+#ifdef PAM_ENHANCEMENT -+ if (!compat20) -+ options.pam_service_per_authmethod = 0; -+#endif -+ - /* In inetd mode, generate ephemeral key only for proto 1 connections */ - if (!compat20 && inetd_flag && sensitive_data.server_key == NULL) - generate_ephemeral_server_key(); -diff --git a/sshd_config.5 b/sshd_config.5 -index 6351b43..f45ddef 100644 ---- a/sshd_config.5 -+++ b/sshd_config.5 -@@ -1168,6 +1168,21 @@ The probability increases linearly and all connection attempts - are refused if the number of unauthenticated connections reaches - .Dq full - (60). -+.It Cm PAMServiceName -+Specifies the PAM service name for the PAM session. The PAMServiceName and -+PAMServicePrefix options are mutually exclusive and if both set, sshd does not -+start. If this option is set the service name is the same for all user -+authentication methods. The option has no default value. See PAMServicePrefix -+for more information. 
-+.It Cm PAMServicePrefix -+Specifies the PAM service name prefix for service names used for individual -+user authentication methods. The default is sshd. The PAMServiceName and -+PAMServicePrefix options are mutually exclusive and if both set, sshd does not -+start. -+.Pp -+For example, if this option is set to admincli, the service name for the -+keyboard-interactive authentication method is admincli-kbdint instead of the -+default sshd-kbdint. - .It Cm PasswordAuthentication - Specifies whether password authentication is allowed. - The default is -@@ -1582,8 +1597,7 @@ If - is enabled, you will not be able to run - .Xr sshd 1M - as a non-root user. --The default is --.Dq no . -+On Solaris, the option is always enabled. - .It Cm UsePrivilegeSeparation - Specifies whether - .Xr sshd 1M --- -2.5.4 (Apple Git-61) - diff --git a/components/network/openssh/patches/0014-Solaris-Auditing-support.patch b/components/network/openssh/patches/0014-Solaris-Auditing-support.patch index aee79d4b1..a91717d75 100644 --- a/components/network/openssh/patches/0014-Solaris-Auditing-support.patch +++ b/components/network/openssh/patches/0014-Solaris-Auditing-support.patch @@ -76,7 +76,7 @@ index 61a97de..abc9285 100644 @@ -100,7 +100,7 @@ SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o - SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ + SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \ - audit.o audit-bsm.o audit-linux.o platform.o \ + audit.o audit-bsm.o audit-linux.o audit-solaris.o platform.o \ sshpty.o sshlogin.o servconf.o serverloop.o \ diff --git a/components/network/openssh/patches/0016-Enable-login-to-a-role-if-PAM-is-ok-with-it.patch b/components/network/openssh/patches/0016-Enable-login-to-a-role-if-PAM-is-ok-with-it.patch index f6645ceb3..1f6b1c13b 100644 --- a/components/network/openssh/patches/0016-Enable-login-to-a-role-if-PAM-is-ok-with-it.patch 
+++ b/components/network/openssh/patches/0016-Enable-login-to-a-role-if-PAM-is-ok-with-it.patch @@ -35,20 +35,19 @@ index 4ca0a58..d049779 100644 +#endif + void - do_pam_set_tty(const char *tty) + do_pam_setcred(int init) { diff --git a/auth-pam.h b/auth-pam.h index a1a2b52..6c41fd9 100644 --- a/auth-pam.h +++ b/auth-pam.h -@@ -35,6 +35,9 @@ void start_pam(Authctxt *); +@@ -35,5 +35,8 @@ void start_pam(Authctxt *); void finish_pam(void); u_int do_pam_account(void); void do_pam_session(void); +#ifdef HAVE_PAM_AUSER +void do_pam_set_auser(const char *); +#endif - void do_pam_set_tty(const char *); void do_pam_setcred(int ); void do_pam_chauthtok(void); diff --git a/auth.h b/auth.h @@ -56,9 +55,9 @@ index 985053c..6883f16 100644 --- a/auth.h +++ b/auth.h @@ -84,6 +84,9 @@ struct Authctxt { - #ifdef PAM_ENHANCEMENT - char *authmethod_name; - #endif + + struct sshkey **prev_userkeys; + u_int nprev_userkeys; +#ifdef HAVE_PAM_AUSER + char *auser; +#endif diff --git a/components/network/openssh/patches/0031-Accept-LANG-and-LC_-environment-variables-from-clien.patch b/components/network/openssh/patches/0031-Accept-LANG-and-LC_-environment-variables-from-clien.patch index 483668cb8..dffcc4a68 100644 --- a/components/network/openssh/patches/0031-Accept-LANG-and-LC_-environment-variables-from-clien.patch +++ b/components/network/openssh/patches/0031-Accept-LANG-and-LC_-environment-variables-from-clien.patch @@ -100,7 +100,7 @@ index 36f8c62..cabd1d2 100644 * Reads environment variables from the given file and adds/overrides them * into the environment. If the file does not exist, this does nothing. * Otherwise, it must consist of empty lines, comments (line starts with '#') -@@ -1204,6 +1216,16 @@ do_setup_env(Session *s, const char *shell) +@@ -1204,5 +1216,15 @@ do_setup_env(Session *s, const char *shell) ssh_gssapi_do_child(&env, &envsize); #endif 
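Review bot: The auth.h context refresh in this hunk (the `#ifdef PAM_ENHANCEMENT` / `char *authmethod_name;` lines are replaced by `prev_userkeys`) is the visible trace of this commit deleting the 0011 PAM-enhancements patch, and that removal changes the PAM contract without being called out anywhere. With that patch gone the `PAMServiceName` and `PAMServicePrefix` options and the per-method service names it documented in sshd.8 (sshd-none, sshd-password, sshd-kbdint, sshd-pubkey, sshd-hostbased, sshd-gssapi) no longer exist, so every authentication method is presumably evaluated against the single stock `sshd` PAM service, any pam.conf stack keyed on the old names stops applying, and an sshd_config that still sets either option would presumably be rejected as an unknown keyword at startup. I cannot see from this page whether the rewritten sshd_config or the distribution's pam.conf reference them, so a sentence in the commit message and a short administrator migration note seem warranted. The `struct Authctxt` definition itself begins and ends outside the hunk.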
@@ -114,16 +114,14 @@ index 36f8c62..cabd1d2 100644 + child_inherit_env(&env, &envsize, "LC_MONETARY"); + child_inherit_env(&env, &envsize, "LC_MESSAGES"); + - if (!options.use_login) { - /* Set basic environment. */ - for (i = 0; i < s->num_env; i++) -@@ -1248,8 +1270,8 @@ do_setup_env(Session *s, const char *shell) - /* Normal systems set SHELL by default. */ - child_set_env(&env, &envsize, "SHELL", shell); - } + /* Set basic environment. */ + for (i = 0; i < s->num_env; i++) +@@ -1248,8 +1270,7 @@ do_setup_env(Session *s, const char *shell) + /* Normal systems set SHELL by default. */ + child_set_env(&env, &envsize, "SHELL", shell); + - if (getenv("TZ")) - child_set_env(&env, &envsize, "TZ", getenv("TZ")); -+ + child_inherit_env(&env, &envsize, "TZ"); #ifdef PER_SESSION_XAUTHFILE diff --git a/components/network/openssh/patches/0101-unregister-kexinit-handler.patch b/components/network/openssh/patches/0101-unregister-kexinit-handler.patch deleted file mode 100644 index da05a089a..000000000 --- a/components/network/openssh/patches/0101-unregister-kexinit-handler.patch +++ /dev/null @@ -1,27 +0,0 @@ -From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001 -From: "markus@openbsd.org" -Date: Mon, 10 Oct 2016 19:28:48 +0000 -Subject: [PATCH] upstream commit - -Unregister the KEXINIT handler after message has been -received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause -allocation of up to 128MB -- until the connection is closed. Reported by -shilei-c at 360.cn - -Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05 ---- - kex.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/kex.c b/kex.c -index 3f97f8c..6a94bc5 100644 ---- a/kex.c -+++ b/kex.c -@@ -477,6 +477,7 @@ - if (kex == NULL) - return SSH_ERR_INVALID_ARGUMENT; - -+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL); - ptr = sshpkt_ptr(ssh, &dlen); - if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) - return r; 
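Review bot: The new side replaces the guarded `if (getenv("TZ")) child_set_env(&env, &envsize, "TZ", getenv("TZ"));` with a bare `child_inherit_env(&env, &envsize, "TZ");`, and since `child_inherit_env` is defined earlier in this patch, outside the hunk, please confirm it checks `getenv()` for NULL before calling `child_set_env`; an sshd started without TZ in its environment would otherwise hand a NULL value to the env builder. Note also that the `LC_*` inherits now sit directly above the `/* Set basic environment. */` loop over `s->num_env`, which in stock 7.4 applies client "env" requests admitted by `AcceptEnv`, so if `child_set_env` keeps its upstream replace-on-match behaviour a client-supplied LANG/LC_* value overrides the inherited one. If that precedence is intended, a one-line comment above the inherit calls would stop the next rebase from reordering it, e.g. `/* Inherited from sshd's environment; AcceptEnv values applied below take precedence. */`. `do_setup_env` starts and ends outside the hunk.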
diff --git a/components/network/openssh/service-network-ssh.p5m b/components/network/openssh/service-network-ssh.p5m
deleted file mode 100644
index 2104cbfc5..000000000
--- a/components/network/openssh/service-network-ssh.p5m
+++ /dev/null
@@ -1,70 +0,0 @@
-#
-# CDDL HEADER START
-#
-# The contents of this file are subject to the terms of the
-# Common Development and Distribution License (the "License").
-# You may not use this file except in compliance with the License.
-#
-# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-# or http://www.opensolaris.org/os/licensing.
-# See the License for the specific language governing permissions
-# and limitations under the License.
-#
-# When distributing Covered Code, include this CDDL HEADER in each
-# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-# If applicable, add the following below this CDDL HEADER, with the
-# fields enclosed by brackets "[]" replaced with your own identifying
-# information: Portions Copyright [yyyy] [name of copyright owner]
-#
-# CDDL HEADER END
-#
-# Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
-#
-
-set name=pkg.fmri value=pkg:/service/network/ssh@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
-set name=pkg.summary value="OpenSSH servers and SSH (Secure Shell) services"
-set name=pkg.human-version value=$(HUMAN_VERSION)
-set name=info.classification \
- value=org.opensolaris.category.2008:Applications/Internet \
- value=org.opensolaris.category.2008:System/Security
-set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
-set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
-set name=org.opensolaris.arc-caseid value=PSARC/2012/335
-set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
-
-# We have to preserve original_name as file was once moved to
-# ssh-common and back again
-file files/sshd_config original_name=service/network/ssh:etc/ssh/sshd_config \
- path=etc/ssh/sshd_config mode=0644 preserve=true
-file files/ssh.xml path=lib/svc/manifest/network/ssh.xml
-file files/sshd path=lib/svc/method/sshd
-
-file path=etc/ssh/moduli
-file path=usr/lib/dtrace/sftp.d mode=0555
-file path=usr/lib/ssh/sftp-server mode=0555
-file
path=usr/lib/ssh/ssh-keysign mode=4555
-file path=usr/lib/ssh/ssh-pkcs11-helper mode=0555
-file path=usr/lib/ssh/sshd mode=0555
-file path=usr/share/man/man1m/sftp-server.1m
-file path=usr/share/man/man1m/ssh-keysign.1m
-file path=usr/share/man/man1m/ssh-pkcs11-helper.1m
-file path=usr/share/man/man1m/sshd.1m
-file path=usr/share/man/man4/moduli.4
-file path=usr/share/man/man4/sshd_config.4
-
-dir path=var/empty owner=root group=sys mode=0755 sysattr=readonly
-
-group groupname=sshd gid=22
-user username=sshd ftpuser=false gcos-field="sshd privsep" group=sshd \
- home-dir=/var/empty login-shell=/bin/false uid=22
-
-license openssh.license license="BSD, BSD-like (OpenSSH)" \
- com.oracle.info.description="OpenSSH, a suite of tools that help secure network connections" \
- com.oracle.info.name=openssh com.oracle.info.tpno=$(TPNO_OPENSSH) \
- com.oracle.info.version=$(COMPONENT_VERSION)
-license openssh.license license="BSD, BSD-like (gsskex)" \
- com.oracle.info.description="GSS-API authenticated key exchange" \
- com.oracle.info.name=gsskex com.oracle.info.tpno=$(TPNO_GSSKEX) \
- com.oracle.info.version=5.7p1
-
-depend type=require fmri=pkg:/network/ssh
--
2.11.4.GIT