authorMike Frysinger <vapier@gentoo.org>2004-12-29 01:49:29 +0000
committerMike Frysinger <vapier@gentoo.org>2004-12-29 01:49:29 +0000
commit13faa76db22ac987825631897b241d7b86ab73ba (patch)
tree5e6c5c1108730f995feea26b6cd1fa5799375385 /net-misc
parentMoving to sci-geosciences (diff)
Add infoleak fix #59361 and allow the chroot patch to support PAM auth #72987.
Diffstat (limited to 'net-misc')
-rw-r--r--net-misc/openssh/ChangeLog9
-rw-r--r--net-misc/openssh/files/digest-openssh-3.9_p1-r12
-rw-r--r--net-misc/openssh/files/openssh-3.9_p1-chroot.patch74
-rw-r--r--net-misc/openssh/files/openssh-3.9_p1-chroot.patch.bz2bin1119 -> 0 bytes
-rw-r--r--net-misc/openssh/files/openssh-3.9_p1-infoleak.patch75
-rw-r--r--net-misc/openssh/openssh-3.9_p1-r1.ebuild145
-rw-r--r--net-misc/openssh/openssh-3.9_p1.ebuild6
7 files changed, 307 insertions, 4 deletions
diff --git a/net-misc/openssh/ChangeLog b/net-misc/openssh/ChangeLog
index 4e4f7ab9f5b3..9dfa51fda1d7 100644
--- a/net-misc/openssh/ChangeLog
+++ b/net-misc/openssh/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for net-misc/openssh
# Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/ChangeLog,v 1.103 2004/11/16 05:11:12 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/ChangeLog,v 1.104 2004/12/29 01:49:29 vapier Exp $
+
+*openssh-3.9_p1-r1 (28 Dec 2004)
+
+ 28 Dec 2004; Mike Frysinger <vapier@gentoo.org>
+ files/openssh-3.9_p1-chroot.patch, +openssh-3.9_p1-r1.ebuild,
+ +files/openssh-3.9_p1-infoleak.patch:
+ Add infoleak fix #59361 and allow the chroot patch to support PAM auth #72987.
16 Nov 2004; Mike Frysinger <vapier@gentoo.org> openssh-3.9_p1.ebuild:
If USE=pam, then disable PasswordAuthentication since PAM overrides it #71233.
diff --git a/net-misc/openssh/files/digest-openssh-3.9_p1-r1 b/net-misc/openssh/files/digest-openssh-3.9_p1-r1
new file mode 100644
index 000000000000..d0b53cdb61cf
--- /dev/null
+++ b/net-misc/openssh/files/digest-openssh-3.9_p1-r1
@@ -0,0 +1,2 @@
+MD5 8e1774d0b52aff08f817f3987442a16e openssh-3.9p1.tar.gz 854027
+MD5 eedb263c96a1d7bf208eb2ba70c2e238 openssh-3.9p1+x509h.diff.gz 98011
diff --git a/net-misc/openssh/files/openssh-3.9_p1-chroot.patch b/net-misc/openssh/files/openssh-3.9_p1-chroot.patch
new file mode 100644
index 000000000000..ecb418c35f3c
--- /dev/null
+++ b/net-misc/openssh/files/openssh-3.9_p1-chroot.patch
@@ -0,0 +1,74 @@
+################################################################################
+################################################################################
+# #
+# Original patch by Ricardo Cerqueira <rmcc@clix.pt> #
+# #
+# Updated by James Dennis <james@firstaidmusic.com> for openssh-3.7.1p2 #
+# #
+# A patch to cause sshd to chroot when it encounters the magic token #
+# '/./' in a users home directory. The directory portion before the #
+# token is the directory to chroot() to, the portion after the #
+# token is the user's home directory relative to the new root. #
+# #
+# Patch source using: patch -p0 < /path/to/patch #
+# #
+# Systems with a bad diff (doesn't understand -u or -N) should use gnu diff. #
+# Solaris may store this as gdiff under /opt/sfw/bin. I can't say much about #
+# other systems (unless you email me your experiences!). #
+# #
+################################################################################
+################################################################################
+
+diff -uNr openssh-3.7.1p2/session.c openssh-3.7.1p2-chroot/session.c
+--- openssh-3.7.1p2/session.c Tue Sep 23 04:59:08 2003
++++ openssh-3.7.1p2-chroot/session.c Fri Sep 26 13:42:52 2003
+@@ -58,6 +58,8 @@
+ #include "session.h"
+ #include "monitor_wrap.h"
+
++#define CHROOT
++
+ #ifdef GSSAPI
+ #include "ssh-gss.h"
+ #endif
+@@ -1231,6 +1233,12 @@
+ void
+ do_setusercontext(struct passwd *pw)
+ {
++
++#ifdef CHROOT
++ char *user_dir;
++ char *new_root;
++#endif /* CHROOT */
++
+ #ifndef HAVE_CYGWIN
+ if (getuid() == 0 || geteuid() == 0)
+ #endif /* HAVE_CYGWIN */
+@@ -1268,6 +1276,27 @@
+ do_pam_setcred(0);
+ }
+ # endif /* USE_PAM */
++
++#ifdef CHROOT
++ user_dir = xstrdup(pw->pw_dir);
++ new_root = user_dir + 1;
++
++ while((new_root = strchr(new_root, '.')) != NULL) {
++ new_root--;
++ if(strncmp(new_root, "/./", 3) == 0) {
++ *new_root = '\0';
++ new_root += 2;
++
++ if(chroot(user_dir) != 0)
++ fatal("Couldn't chroot to user directory % s", user_dir);
++ pw->pw_dir = new_root;
++ break;
++ }
++ new_root += 2;
++ }
++#endif /* CHROOT */
++
++
+ # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY)
+ irix_setusercontext(pw);
+ # endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */
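Review bot: The format string on the chroot failure line reads `"Couldn't chroot to user directory % s"`; the stray space after `%` makes it a space-flagged `%s`, which -Wformat flags and which is almost certainly a typo for `fatal("Couldn't chroot to user directory %s", user_dir);`. The scan starts at `new_root = user_dir + 1` so that the later `new_root--` can never step before the buffer, but if `pw_dir` can ever be the empty string that start pointer is already past the terminator and `strchr` reads out of bounds; a one-line guard such as `if (*user_dir == '\0') ...` or a pw_dir length check before the loop would close that. Nothing in the hunk verifies that the directory passed to `chroot()` is owned by root and not writable by the user, which is the usual precondition for a chroot that is meant to confine rather than merely relocate the session; if that check is deliberately left to the administrator, a comment saying so above the `chroot(user_dir)` call would keep the next reader from assuming it is enforced. `do_setusercontext` begins and ends outside this hunk, so where privileges are dropped and where the cwd is moved under the new root cannot be confirmed from here.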
diff --git a/net-misc/openssh/files/openssh-3.9_p1-chroot.patch.bz2 b/net-misc/openssh/files/openssh-3.9_p1-chroot.patch.bz2
deleted file mode 100644
index f1a759d5c205..000000000000
--- a/net-misc/openssh/files/openssh-3.9_p1-chroot.patch.bz2
+++ /dev/null
Binary files differ
diff --git a/net-misc/openssh/files/openssh-3.9_p1-infoleak.patch b/net-misc/openssh/files/openssh-3.9_p1-infoleak.patch
new file mode 100644
index 000000000000..c47020047304
--- /dev/null
+++ b/net-misc/openssh/files/openssh-3.9_p1-infoleak.patch
@@ -0,0 +1,75 @@
+openssh has an information leak related to timing under some conditions
+
+nothing special
+
+http://bugs.gentoo.org/show_bug.cgi?id=59361
+
+Index: auth2-chall.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v
+retrieving revision 1.21
+diff -u -p -r1.21 auth2-chall.c
+--- auth2-chall.c 1 Jun 2004 14:20:45 -0000 1.21
++++ auth2-chall.c 6 Jul 2004 12:13:10 -0000
+@@ -268,12 +268,9 @@ input_userauth_info_response(int type, u
+ }
+ packet_check_eom();
+
+- if (authctxt->valid) {
+- res = kbdintctxt->device->respond(kbdintctxt->ctxt,
+- nresp, response);
+- } else {
+- res = -1;
+- }
++ res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response);
++ if (!authctxt->valid)
++ res = 1; /* keep going if login invalid */
+
+ for (i = 0; i < nresp; i++) {
+ memset(response[i], 'r', strlen(response[i]));
+@@ -285,7 +282,7 @@ input_userauth_info_response(int type, u
+ switch (res) {
+ case 0:
+ /* Success! */
+- authenticated = 1;
++ authenticated = authctxt->valid ? 1 : 0;
+ break;
+ case 1:
+ /* Authentication needs further interaction */
+Index: auth-pam.c
+===================================================================
+RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v
+retrieving revision 1.118
+diff -u -p -r1.118 auth-pam.c
+--- auth-pam.c 16 Oct 2004 08:52:44 -0000 1.118
++++ auth-pam.c 20 Nov 2004 02:40:58 -0000
+@@ -186,6 +186,7 @@ static int sshpam_account_status = -1;
+ static char **sshpam_env = NULL;
+ static Authctxt *sshpam_authctxt = NULL;
+ static const char *sshpam_password = NULL;
++static char badpw[] = "\b\n\r\177INCORRECT";
+
+ /* Some PAM implementations don't implement this */
+ #ifndef HAVE_PAM_GETENVLIST
+@@ -746,7 +747,12 @@ sshpam_respond(void *ctx, u_int num, cha
+ return (-1);
+ }
+ buffer_init(&buffer);
+- buffer_put_cstring(&buffer, *resp);
++ if (sshpam_authctxt->valid &&
++ (sshpam_authctxt->pw->pw_uid != 0 ||
++ options.permit_root_login == PERMIT_YES))
++ buffer_put_cstring(&buffer, *resp);
++ else
++ buffer_put_cstring(&buffer, badpw);
+ if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
+ buffer_free(&buffer);
+ return (-1);
+@@ -1093,7 +1097,6 @@ sshpam_auth_passwd(Authctxt *authctxt, c
+ {
+ int flags = (options.permit_empty_passwd == 0 ?
+ PAM_DISALLOW_NULL_AUTHTOK : 0);
+- static char badpw[] = "\b\n\r\177INCORRECT";
+
+ if (!options.use_pam || sshpam_handle == NULL)
+ fatal("PAM: %s called when PAM disabled or failed to "
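Review bot: The new condition in `sshpam_respond` dereferences `sshpam_authctxt` unconditionally (`if (sshpam_authctxt->valid && ...`), while the first auth-pam.c hunk shows the same pointer initialised to NULL at file scope (`static Authctxt *sshpam_authctxt = NULL;`) and the patch does not show where it is assigned; if a PAM response can be processed before that assignment, the result is a NULL dereference rather than the intended bogus-password path, and `if (sshpam_authctxt != NULL && sshpam_authctxt->valid && ...)` would keep the fallback to `badpw`. The patch header ("nothing special") does not say what the leak is; a sentence along the lines of "run the keyboard-interactive/PAM conversation to completion even when the account is invalid or root login is not permitted, substituting the fixed badpw string, so the response path is the same for valid and invalid logins" is grounded in the visible changes and would let a later maintainer judge whether the patch is still needed. In auth2-chall.c the override `res = 1; /* keep going if login invalid */` means the only thing stopping an invalid account from succeeding is the later `authenticated = authctxt->valid ? 1 : 0;`, and the two lines are far apart; a comment on the second one naming the first would tie them together. Both `input_userauth_info_response` and `sshpam_respond` start and end outside their hunks.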
diff --git a/net-misc/openssh/openssh-3.9_p1-r1.ebuild b/net-misc/openssh/openssh-3.9_p1-r1.ebuild
new file mode 100644
index 000000000000..e452df3099fd
--- /dev/null
+++ b/net-misc/openssh/openssh-3.9_p1-r1.ebuild
@@ -0,0 +1,145 @@
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-3.9_p1-r1.ebuild,v 1.1 2004/12/29 01:49:29 vapier Exp $
+
+inherit eutils flag-o-matic ccc gnuconfig
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_/}
+
+SFTPLOG_PATCH_VER="1.2"
+X509_PATCH="${PARCH}+x509h.diff.gz"
+SELINUX_PATCH="openssh-3.9_p1-selinux.diff"
+
+S=${WORKDIR}/${PARCH}
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.com/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+ X509? ( http://roumenpetrov.info/openssh/x509h/${X509_PATCH} )"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
+IUSE="ipv6 static pam tcpd kerberos skey selinux chroot X509 ldap smartcard uclibc sftplogging"
+
+RDEPEND="virtual/libc
+ pam? ( >=sys-libs/pam-0.73
+ >=sys-apps/shadow-4.0.2-r2 )
+ !mips? ( kerberos? ( virtual/krb5 ) )
+ selinux? ( sys-libs/libselinux )
+ !ppc64? ( skey? ( >=app-admin/skey-1.1.5-r1 ) )
+ >=dev-libs/openssl-0.9.6d
+ >=sys-libs/zlib-1.1.4
+ x86? ( smartcard? ( dev-libs/opensc ) )
+ !ppc64? ( tcpd? ( >=sys-apps/tcp-wrappers-7.6 ) )"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ dev-lang/perl
+ !uclibc? ( sys-apps/groff )
+ >=sys-apps/sed-4
+ sys-devel/autoconf"
+PROVIDE="virtual/ssh"
+
+src_unpack() {
+ unpack ${PARCH}.tar.gz
+ cd ${S}
+
+ epatch ${FILESDIR}/${P}-largekey.patch.bz2
+ epatch ${FILESDIR}/${P}-fix_suid.patch.bz2
+ epatch ${FILESDIR}/${P}-infoleak.patch #59361
+
+ use sftplogging && epatch ${FILESDIR}/${P}-sftplogging-1.2-gentoo.patch.bz2
+ use alpha && epatch ${FILESDIR}/${PN}-3.5_p1-gentoo-sshd-gcc3.patch.bz2
+ use skey && epatch ${FILESDIR}/${P}-skey.patch.bz2
+ use chroot && epatch ${FILESDIR}/${P}-chroot.patch
+ use X509 && epatch ${DISTDIR}/${X509_PATCH}
+ use selinux && epatch ${FILESDIR}/${SELINUX_PATCH}.bz2
+ use smartcard && epatch ${FILESDIR}/${P}-opensc.patch.bz2
+
+ autoconf || die "autoconf failed"
+}
+
+src_compile() {
+ local myconf
+
+ addwrite /dev/ptmx
+ gnuconfig_update
+
+ # make sure .sbss is large enough
+ use skey && use alpha && append-ldflags -mlarge-data
+ use ldap && filter-flags -funroll-loops
+ use selinux && append-flags "-DWITH_SELINUX"
+
+ if use static; then
+ append-ldflags -static
+ export LDFLAGS
+ if use pam; then
+ ewarn "Disabling pam support becuse of static flag."
+ myconf="${myconf} --without-pam"
+ else
+ myconf="${myconf} --without-pam"
+ fi
+ else
+ myconf="${myconf} `use_with pam`"
+ fi
+
+ use ipv6 || myconf="${myconf} --with-ipv4-default"
+
+ econf \
+ --sysconfdir=/etc/ssh \
+ --libexecdir=/usr/lib/misc \
+ --datadir=/usr/share/openssh \
+ --disable-suid-ssh \
+ --with-privsep-path=/var/empty \
+ --with-privsep-user=sshd \
+ --with-md5-passwords \
+ `use_with kerberos kerberos5 /usr` \
+ `use_with tcpd tcp-wrappers` \
+ `use_with skey` \
+ `use_with smartcard opensc` \
+ ${myconf} \
+ || die "bad configure"
+
+# use static && {
+# # statically link to libcrypto -- good for the boot cd
+# sed -i "s:-lcrypto:/usr/lib/libcrypto.a:g" Makefile
+# }
+
+ emake || die "compile problem"
+}
+
+src_install() {
+ make install-files DESTDIR=${D} || die
+ chmod 600 ${D}/etc/ssh/sshd_config
+ dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+ use pam && ( insinto /etc/pam.d ; newins ${FILESDIR}/sshd.pam sshd )
+ exeinto /etc/init.d ; newexe ${FILESDIR}/sshd.rc6 sshd
+ keepdir /var/empty
+ dosed "/^#Protocol /s:.*:Protocol 2:" /etc/ssh/sshd_config
+ use pam \
+ && dosed "/^#UsePAM /s:.*:UsePAM yes:" /etc/ssh/sshd_config \
+ && dosed "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" /etc/ssh/sshd_config
+}
+
+pkg_postinst() {
+ enewgroup sshd 22
+ enewuser sshd 22 /bin/false /var/empty sshd
+
+ ewarn "Remember to merge your config files in /etc/ssh/ and then"
+ ewarn "restart sshd: '/etc/init.d/sshd restart'."
+ ewarn
+ einfo "As of version 3.4 the default is to enable the UsePrivelegeSeparation"
+ einfo "functionality, but please ensure that you do not explicitly disable"
+ einfo "this in your configuration as disabling it opens security holes"
+ einfo
+ einfo "This revision has removed your sshd user id and replaced it with a"
+ einfo "new one with UID 22. If you have any scripts or programs that"
+ einfo "that referenced the old UID directly, you will need to update them."
+ einfo
+ use pam >/dev/null 2>&1 && {
+ einfo "Please be aware users need a valid shell in /etc/passwd"
+ einfo "in order to be allowed to login."
+ einfo
+ }
+}
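Review bot: In src_compile, under `if use static`, both the `use pam` branch and its `else` set `myconf="${myconf} --without-pam"`, so the inner conditional exists only to print the warning; `use pam && ewarn "Disabling pam support because of static flag."` followed by a single unconditional `myconf="${myconf} --without-pam"` says the same in two lines and fixes the "becuse" typo. In pkg_postinst the einfo text names the directive `UsePrivelegeSeparation`; the sshd_config keyword is `UsePrivilegeSeparation`, and since the message asks admins not to disable it they should be able to find it by its real name. Whether the "This revision has removed your sshd user id" paragraph still applies to -r1 cannot be judged from this file alone; if it was carried over from an earlier revision it is worth dropping. `${D}` and `${FILESDIR}` are unquoted throughout src_install, which is harmless with the default paths but quoting them is the usual convention.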
diff --git a/net-misc/openssh/openssh-3.9_p1.ebuild b/net-misc/openssh/openssh-3.9_p1.ebuild
index d05da329d65d..6916018216dc 100644
--- a/net-misc/openssh/openssh-3.9_p1.ebuild
+++ b/net-misc/openssh/openssh-3.9_p1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-3.9_p1.ebuild,v 1.8 2004/11/16 05:11:12 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-3.9_p1.ebuild,v 1.9 2004/12/29 01:49:29 vapier Exp $
inherit eutils flag-o-matic ccc gnuconfig
@@ -20,7 +20,7 @@ SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
LICENSE="as-is"
SLOT="0"
-KEYWORDS="~x86 ~ppc ~sparc ~mips ~alpha ~arm ~hppa ~amd64 ~ia64 ~ppc64 ~s390"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
IUSE="ipv6 static pam tcpd kerberos skey selinux chroot X509 ldap smartcard uclibc sftplogging"
RDEPEND="virtual/libc
@@ -50,7 +50,7 @@ src_unpack() {
use sftplogging && epatch ${FILESDIR}/${P}-sftplogging-1.2-gentoo.patch.bz2
use alpha && epatch ${FILESDIR}/${PN}-3.5_p1-gentoo-sshd-gcc3.patch.bz2
use skey && epatch ${FILESDIR}/${P}-skey.patch.bz2
- use chroot && epatch ${FILESDIR}/${P}-chroot.patch.bz2
+ use chroot && epatch ${FILESDIR}/${P}-chroot.patch
use X509 && epatch ${DISTDIR}/${X509_PATCH}
use selinux && epatch ${FILESDIR}/${SELINUX_PATCH}.bz2
use smartcard && epatch ${FILESDIR}/${P}-opensc.patch.bz2