PSARC/2017/022 OpenSSH 7.4
25295722 upgrade OpenSSH to 7.4p1
25295787 problem in UTILITY/OPENSSH
25295804 problem in UTILITY/OPENSSH
25295822 problem in UTILITY/OPENSSH
25295840 problem in UTILITY/OPENSSH
25809379 Openssh 7.4p1 has 3 regressions, fixed in 7.5
25795760 openssh drops connection when GSSAPIAuthentication set to no
--- a/components/openssh/Makefile Tue Apr 25 00:30:07 2017 -0700
+++ b/components/openssh/Makefile Tue Apr 25 15:08:28 2017 -0700
@@ -26,22 +26,22 @@
include ../../make-rules/shared-macros.mk
COMPONENT_NAME= openssh
-COMPONENT_VERSION= 7.3p1
+COMPONENT_VERSION= 7.4p1
HUMAN_VERSION= $(COMPONENT_VERSION)
COMPONENT_SRC= $(COMPONENT_NAME)-$(COMPONENT_VERSION)
# Version for IPS. The encoding rules are:
# OpenSSH <x>.<y>p<n> => IPS <x>.<y>.0.<n>
# OpenSSH <x>.<y>.<z>p<n> => IPS <x>.<y>.<z>.<n>
-IPS_COMPONENT_VERSION= 7.3.0.1
+IPS_COMPONENT_VERSION= 7.4.0.1
COMPONENT_PROJECT_URL= http://www.openssh.org/
COMPONENT_ARCHIVE= $(COMPONENT_SRC).tar.gz
-COMPONENT_ARCHIVE_HASH= sha256:3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc
+COMPONENT_ARCHIVE_HASH= sha256:1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1
COMPONENT_ARCHIVE_URL= http://mirrors.sonic.net/pub/OpenBSD/OpenSSH/portable/$(COMPONENT_ARCHIVE)
COMPONENT_BUGDB=utility/openssh
-TPNO_OPENSSH= 30602
+TPNO_OPENSSH= 33237
TPNO_GSSKEX= 20377
include $(WS_MAKE_RULES)/prep.mk
@@ -62,8 +62,10 @@
CFLAGS += -DPER_SESSION_XAUTHFILE
CFLAGS += -DOPENSSL_NO_CAST
CFLAGS += -DENABLE_OPENSSL_FIPS
+CFLAGS += -DDEFAULT_PKCS11_WHITELIST='\"/usr/lib*,/lib/*,/usr/lib/sparcv9/*,/lib/sparcv9/*,/usr/lib/amd64/*,/lib/amd64/*\"'
-CONFIGURE_OPTIONS += CFLAGS="$(CFLAGS)"
+
+CONFIGURE_OPTIONS += CFLAGS="$(CFLAGS)"
# We need to disable lazyloading of dynamic dependent libraries. During the
# pre-authentication phase, sshd will chroot to /var/empty which doesn't
@@ -93,24 +95,27 @@
CONFIGURE_OPTIONS += --disable-lastlog
# Copy the sftp dtrace provider file and the header file to source directory
-COMPONENT_PRE_BUILD_ACTION = \
- ( echo "Copying dtrace sftp files..."; \
- $(LN) -fs $(COMPONENT_DIR)/dtrace_sftp/*.[dh] $(SOURCE_DIR); \
- )
+#
+# To avoid complexity with updates, after patching for specific code-related
+# issues, auto-edit the man pages to meet Solaris legacy standards for
+# man page organization.
MANLIST= moduli.5 scp.1 sftp-server.8 sftp.1 ssh-add.1 ssh-agent.1 \
ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh-pkcs11-helper.8 \
ssh.1 ssh_config.5 sshd.8 sshd_config.5
-# To avoid complexity with updates, after patching for specific code-related
-# issues, auto-edit the man pages to meet Solaris legacy standards for
-# man page organization.
-# Then copy Solaris specific source files and generate configuration script
-COMPONENT_PREP_ACTION += ( \
- files/convert-man $(SOURCE_DIR) $(MANLIST); \
+COMPONENT_PRE_BUILD_ACTION = \
+ ( echo "Copying dtrace sftp files..."; \
+ $(LN) -fs $(COMPONENT_DIR)/dtrace_sftp/*.[dh] $(SOURCE_DIR); \
+ echo "Adjusting man page sections...." ; \
+ files/convert-man $(SOURCE_DIR) $(MANLIST); \
+ )
+
+# Copy Solaris specific source files and generate configuration script
+COMPONENT_PREP_ACTION = ( \
$(CP) sources/*.c $(@D)/; \
cd $(@D); autoconf; \
- )
+ )
# common targets
configure: $(CONFIGURE_32)
--- a/components/openssh/openssh.p5m Tue Apr 25 00:30:07 2017 -0700
+++ b/components/openssh/openssh.p5m Tue Apr 25 15:08:28 2017 -0700
@@ -18,7 +18,7 @@
#
# CDDL HEADER END
#
-# Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
#
<transform file path=usr.*/man/.+ -> default mangler.man.stability "Pass-through Uncommitted">
set name=pkg.fmri \
@@ -34,7 +34,7 @@
value=org.opensolaris.category.2008:System/Security
set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
-set name=org.opensolaris.arc-caseid value=PSARC/2012/335
+set name=org.opensolaris.arc-caseid value=PSARC/2012/335 value=PSARC/2017/022
set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
file sources/sshd-none path=etc/pam.d/sshd-none group=sys mode=0644 \
overlay=allow preserve=renamenew
--- a/components/openssh/patches/003-last_login.patch Tue Apr 25 00:30:07 2017 -0700
+++ b/components/openssh/patches/003-last_login.patch Tue Apr 25 15:08:28 2017 -0700
@@ -18,24 +18,24 @@
diff -pur old/sshd_config.5 new/sshd_config.5
--- old/sshd_config.5
+++ new/sshd_config.5
-@@ -1300,8 +1300,8 @@ Specifies whether
+@@ -1260,8 +1260,8 @@ Specifies whether
.Xr sshd 8
should print the date and time of the last user login when a user logs
in interactively.
-The default is
--.Dq yes .
-+On Solaris this option is always ignored since pam_unix_session(7)
+-.Cm yes .
++On Solaris this option is always ignored since pam_unix_session(5)
+reports the last login time.
.It Cm PrintMotd
Specifies whether
.Xr sshd 8
-@@ -1721,7 +1721,8 @@ This file should be writable by root onl
- (though not necessary) that it be world-readable.
+@@ -1667,7 +1667,8 @@ This file should be writable by root onl
.El
.Sh SEE ALSO
+ .Xr sftp-server 8 ,
-.Xr sshd 8
+.Xr sshd 8 ,
+.Xr pam_unix_session 7
.Sh AUTHORS
+ .An -nosplit
OpenSSH is a derivative of the original and free
- ssh 1.2.12 release by Tatu Ylonen.
--- a/components/openssh/patches/016-pam_enhancement.patch Tue Apr 25 00:30:07 2017 -0700
+++ b/components/openssh/patches/016-pam_enhancement.patch Tue Apr 25 15:08:28 2017 -0700
@@ -10,8 +10,8 @@
# later release, we will remove this patch when we upgrade to that release.
#
diff -pur old/auth-pam.c new/auth-pam.c
---- old/auth-pam.c 2015-04-28 06:15:57.335765454 -0700
-+++ new/auth-pam.c 2015-04-28 06:15:57.417753483 -0700
+--- old/auth-pam.c
++++ new/auth-pam.c
@@ -617,6 +617,72 @@ sshpam_cleanup(void)
sshpam_handle = NULL;
}
@@ -86,8 +86,8 @@
sshpam_init(Authctxt *authctxt)
{
@@ -624,18 +690,71 @@ sshpam_init(Authctxt *authctxt)
- const char *pam_rhost, *pam_user, *user = authctxt->user;
const char **ptr_pam_user = &pam_user;
+ struct ssh *ssh = active_state; /* XXX */
+#ifdef PAM_ENHANCEMENT
+ const char *pam_service;
@@ -158,8 +158,8 @@
if (sshpam_err != PAM_SUCCESS) {
diff -pur old/auth.h new/auth.h
---- old/auth.h 2015-03-16 22:49:20.000000000 -0700
-+++ new/auth.h 2015-04-28 06:18:25.719914272 -0700
+--- old/auth.h
++++ new/auth.h
@@ -81,6 +81,9 @@ struct Authctxt {
struct sshkey **prev_userkeys;
@@ -171,8 +171,8 @@
/*
* Every authentication method has to handle authentication requests for
diff -pur old/auth2.c new/auth2.c
---- old/auth2.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/auth2.c 2015-04-28 06:15:57.419262466 -0700
+--- old/auth2.c
++++ new/auth2.c
@@ -243,10 +243,21 @@ input_userauth_request(int type, u_int32
PRIVSEP(audit_event(SSH_INVALID_USER));
#endif
@@ -279,8 +279,8 @@
-
-
diff -pur old/monitor.c new/monitor.c
---- old/monitor.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/monitor.c 2015-04-28 06:15:57.421294814 -0700
+--- old/monitor.c
++++ new/monitor.c
@@ -127,6 +127,9 @@ int mm_answer_sign(int, Buffer *);
int mm_answer_pwnamallow(int, Buffer *);
int mm_answer_auth2_read_banner(int, Buffer *);
@@ -291,7 +291,7 @@
int mm_answer_authpassword(int, Buffer *);
int mm_answer_bsdauthquery(int, Buffer *);
int mm_answer_bsdauthrespond(int, Buffer *);
-@@ -206,10 +209,17 @@ struct mon_table mon_dispatch_proto20[]
+@@ -202,10 +205,17 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -307,13 +307,12 @@
{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
+#endif
{MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
- {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
- {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
-@@ -371,6 +381,24 @@ monitor_child_preauth(Authctxt *_authctx
- if (!compat20)
- fatal("AuthenticationMethods is not supported"
- "with SSH protocol 1");
-+
+ {MONITOR_REQ_PAM_INIT_CTX, MON_ONCE, mm_answer_pam_init_ctx},
+ {MONITOR_REQ_PAM_QUERY, 0, mm_answer_pam_query},
+@@ -311,6 +321,23 @@ monitor_child_preauth(Authctxt *_authctx
+
+ /* Special handling for multiple required authentications */
+ if (options.num_auth_methods != 0) {
+#if defined(USE_PAM) && defined(PAM_ENHANCEMENT)
+ /*
+ * If each userauth has its own PAM service, then PAM
@@ -334,7 +333,7 @@
if (authenticated &&
!auth2_update_methods_lists(authctxt,
auth_method, auth_submethod)) {
-@@ -389,8 +417,21 @@ monitor_child_preauth(Authctxt *_authctx
+@@ -329,8 +356,21 @@ monitor_child_preauth(Authctxt *_authctx
!auth_root_allowed(auth_method))
authenticated = 0;
#ifdef USE_PAM
@@ -356,18 +355,18 @@
Buffer m;
buffer_init(&m);
-@@ -863,6 +904,10 @@ mm_answer_pwnamallow(int sock, Buffer *m
- /* Allow service/style information on the auth context */
- monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
- monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
+@@ -770,6 +810,10 @@ mm_answer_pwnamallow(int sock, Buffer *m
+ /* Allow service/style information on the auth context */
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
+#ifdef PAM_ENHANCEMENT
-+ /* Allow authmethod information on the auth context */
-+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHMETHOD, 1);
++ /* Allow authmethod information on the auth context */
++ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHMETHOD, 1);
+#endif
- }
+
#ifdef USE_PAM
if (options.use_pam)
-@@ -903,6 +948,24 @@ mm_answer_authserv(int sock, Buffer *m)
+@@ -810,6 +854,24 @@ mm_answer_authserv(int sock, Buffer *m)
return (0);
}
@@ -393,8 +392,8 @@
mm_answer_authpassword(int sock, Buffer *m)
{
diff -pur old/monitor.h new/monitor.h
---- old/monitor.h 2015-03-16 22:49:20.000000000 -0700
-+++ new/monitor.h 2015-04-28 06:15:57.421684373 -0700
+--- old/monitor.h
++++ new/monitor.h
@@ -65,6 +65,9 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
@@ -404,11 +403,11 @@
+#endif
};
- struct mm_master;
+ struct monitor {
diff -pur old/monitor_wrap.c new/monitor_wrap.c
---- old/monitor_wrap.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/monitor_wrap.c 2015-04-28 06:15:57.419906674 -0700
-@@ -347,6 +347,24 @@ mm_inform_authserv(char *service, char *
+--- old/monitor_wrap.c
++++ new/monitor_wrap.c
+@@ -345,6 +345,24 @@ mm_inform_authserv(char *service, char *
buffer_free(&m);
}
@@ -434,12 +433,12 @@
int
mm_auth_password(Authctxt *authctxt, char *password)
diff -pur old/servconf.c new/servconf.c
---- old/servconf.c 2015-04-28 06:15:57.300968063 -0700
-+++ new/servconf.c 2015-04-28 06:27:06.330272555 -0700
-@@ -163,6 +163,18 @@ initialize_server_options(ServerOptions
- options->ip_qos_bulk = -1;
- options->version_addendum = NULL;
- options->fingerprint_hash = -1;
+--- old/servconf.c
++++ new/servconf.c
+@@ -156,6 +156,18 @@ initialize_server_options(ServerOptions
+ options->authorized_keys_command_user = NULL;
+ options->revoked_keys_file = NULL;
+ options->trusted_user_ca_keys = NULL;
+#ifdef PAM_ENHANCEMENT
+ options->pam_service_name = NULL;
+ options->pam_service_prefix = NULL;
@@ -452,10 +451,10 @@
+ */
+ options->pam_service_per_authmethod = 1;
+#endif
- }
-
- /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
-@@ -332,6 +344,12 @@ fill_default_server_options(ServerOption
+ options->authorized_principals_file = NULL;
+ options->authorized_principals_command = NULL;
+ options->authorized_principals_command_user = NULL;
+@@ -330,6 +342,12 @@ fill_default_server_options(ServerOption
options->ip_qos_bulk = IPTOS_THROUGHPUT;
if (options->version_addendum == NULL)
options->version_addendum = xstrdup("");
@@ -468,7 +467,7 @@
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
options->fwd_opts.streamlocal_bind_mask = 0177;
if (options->fwd_opts.streamlocal_bind_unlink == -1)
-@@ -400,6 +418,9 @@ typedef enum {
+@@ -416,6 +434,9 @@ typedef enum {
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sHostCertificate,
@@ -476,9 +475,9 @@
+ sPAMServicePrefix, sPAMServiceName,
+#endif
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
+ sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
sKexAlgorithms, sIPQoS, sVersionAddendum,
- sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
-@@ -534,6 +555,10 @@ static struct {
+@@ -554,6 +575,10 @@ static struct {
{ "forcecommand", sForceCommand, SSHCFG_ALL },
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
@@ -489,7 +488,7 @@
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
-@@ -1765,6 +1790,37 @@ process_server_config_line(ServerOptions
+@@ -1854,6 +1879,37 @@ process_server_config_line(ServerOptions
options->fingerprint_hash = value;
break;
@@ -525,11 +524,11 @@
+ break;
+
case sDeprecated:
- logit("%s line %d: Deprecated option %s",
- filename, linenum, arg);
+ case sIgnore:
+ case sUnsupported:
diff -pur old/servconf.h new/servconf.h
---- old/servconf.h 2015-03-16 22:49:20.000000000 -0700
-+++ new/servconf.h 2015-04-28 06:28:25.181429777 -0700
+--- old/servconf.h
++++ new/servconf.h
@@ -54,6 +54,10 @@
/* Magic name for internal sftp-server */
#define INTERNAL_SFTP_NAME "internal-sftp"
@@ -555,9 +554,9 @@
} ServerOptions;
diff -pur old/sshd.8 new/sshd.8
---- old/sshd.8 2015-04-28 06:15:57.254681499 -0700
-+++ new/sshd.8 2015-04-28 06:15:57.426325504 -0700
-@@ -945,6 +945,33 @@ concurrently for different ports, this c
+--- old/sshd.8
++++ new/sshd.8
+@@ -920,6 +920,33 @@ concurrently for different ports, this c
started last).
The content of this file is not sensitive; it can be world-readable.
.El
@@ -591,28 +590,13 @@
.Sh SEE ALSO
.Xr scp 1 ,
.Xr sftp 1 ,
-diff -pur old/sshd.c new/sshd.c
---- old/sshd.c 2015-04-28 06:15:57.302106750 -0700
-+++ new/sshd.c 2015-04-28 06:15:57.427449259 -0700
-@@ -2146,6 +2146,11 @@ main(int ac, char **av)
-
- sshd_exchange_identification(sock_in, sock_out);
-
-+#ifdef PAM_ENHANCEMENT
-+ if (!compat20)
-+ options.pam_service_per_authmethod = 0;
-+#endif
-+
- /* In inetd mode, generate ephemeral key only for proto 1 connections */
- if (!compat20 && inetd_flag && sensitive_data.server_key == NULL)
- generate_ephemeral_server_key();
diff -pur old/sshd_config.5 new/sshd_config.5
---- old/sshd_config.5 2015-04-28 06:15:57.256560985 -0700
-+++ new/sshd_config.5 2015-04-28 06:15:57.425661853 -0700
-@@ -1044,6 +1044,21 @@ The probability increases linearly and a
- are refused if the number of unauthenticated connections reaches
- .Dq full
- (60).
+--- old/sshd_config.5
++++ new/sshd_config.5
+@@ -813,6 +813,21 @@ is set to
+ .Cm yes ) .
+ .It Cm KerberosAuthentication
+ Specifies whether the password provided by the user for
+.It Cm PAMServiceName
+Specifies the PAM service name for the PAM session. The PAMServiceName and
+PAMServicePrefix options are mutually exclusive and if both set, sshd does not
@@ -628,16 +612,16 @@
+For example, if this option is set to admincli, the service name for the
+keyboard-interactive authentication method is admincli-kbdint instead of the
+default sshd-kbdint.
- .It Cm PasswordAuthentication
- Specifies whether password authentication is allowed.
- The default is
-@@ -1427,8 +1442,7 @@ If
+ .Cm PasswordAuthentication
+ will be validated through the Kerberos KDC.
+ To use this option, the server needs a
+@@ -1472,8 +1487,7 @@ If
is enabled, you will not be able to run
.Xr sshd 8
as a non-root user.
-The default is
--.Dq no .
-+On Solaris, the option is always enabled.
+-.Cm no .
+++On Solaris, the option is always enabled.
.It Cm UsePrivilegeSeparation
Specifies whether
.Xr sshd 8
--- a/components/openssh/patches/017-option_default_value.patch Tue Apr 25 00:30:07 2017 -0700
+++ b/components/openssh/patches/017-option_default_value.patch Tue Apr 25 15:08:28 2017 -0700
@@ -13,7 +13,7 @@
diff -pur old/readconf.c new/readconf.c
--- old/readconf.c
+++ new/readconf.c
-@@ -1803,7 +1803,11 @@ fill_default_options(Options * options)
+@@ -1936,7 +1936,11 @@ fill_default_options(Options * options)
if (options->forward_x11 == -1)
options->forward_x11 = 0;
if (options->forward_x11_trusted == -1)
@@ -24,8 +24,8 @@
+#endif
if (options->forward_x11_timeout == -1)
options->forward_x11_timeout = 1200;
- if (options->exit_on_forward_failure == -1)
-@@ -1825,7 +1829,11 @@ fill_default_options(Options * options)
+ /*
+@@ -1969,7 +1973,11 @@ fill_default_options(Options * options)
if (options->challenge_response_authentication == -1)
options->challenge_response_authentication = 1;
if (options->gss_authentication == -1)
@@ -40,7 +40,7 @@
diff -pur old/servconf.c new/servconf.c
--- old/servconf.c
+++ new/servconf.c
-@@ -265,7 +265,11 @@ fill_default_server_options(ServerOption
+@@ -249,7 +249,11 @@ fill_default_server_options(ServerOption
if (options->print_lastlog == -1)
options->print_lastlog = 1;
if (options->x11_forwarding == -1)
@@ -52,7 +52,7 @@
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
if (options->x11_use_localhost == -1)
-@@ -303,7 +307,11 @@ fill_default_server_options(ServerOption
+@@ -283,7 +287,11 @@ fill_default_server_options(ServerOption
if (options->kerberos_get_afs_token == -1)
options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1)
@@ -67,25 +67,29 @@
diff -pur old/ssh_config.5 new/ssh_config.5
--- old/ssh_config.5
+++ new/ssh_config.5
-@@ -802,8 +802,8 @@ Furthermore, the
- token used for the session will be set to expire after 20 minutes.
- Remote clients will be refused access after this time.
+@@ -714,12 +714,11 @@ The default is to disable untrusted X11
+ elapsed.
+ .It Cm ForwardX11Trusted
+ If this option is set to
+-.Cm yes ,
++.Cm yes (the default on Solaris),
+ remote X11 clients will have full access to the original X11 display.
.Pp
--The default is
--.Dq no .
-+The default on Solaris is
-+.Dq yes .
- .Pp
- See the X11 SECURITY extension specification for full details on
- the restrictions imposed on untrusted clients.
-@@ -832,8 +832,8 @@ The default is
+ If this option is set to
+-.Cm no
+-(the default),
++.Cm no,
+ remote X11 clients will be considered untrusted and prevented
+ from stealing or tampering with data belonging to trusted X11
+ clients.
+@@ -754,8 +753,8 @@ The default is
.Pa /etc/ssh/ssh_known_hosts2 .
.It Cm GSSAPIAuthentication
Specifies whether user authentication based on GSSAPI is allowed.
-The default is
--.Dq no .
+-.Cm no .
+The default on Solaris is
-+.Dq yes .
++.Cm yes .
.It Cm GSSAPIDelegateCredentials
Forward (delegate) credentials to the server.
The default is
@@ -93,24 +97,24 @@
--- old/sshd_config.5
+++ new/sshd_config.5
@@ -621,8 +621,8 @@ The default is
- .Dq no .
+ .Cm no .
.It Cm GSSAPIAuthentication
Specifies whether user authentication based on GSSAPI is allowed.
-The default is
--.Dq no .
+-.Cm no .
+The default on Solaris is
-+.Dq yes .
++.Cm yes .
.It Cm GSSAPICleanupCredentials
Specifies whether to automatically destroy the user's credentials cache
on logout.
-@@ -1637,8 +1637,8 @@ The argument must be
- .Dq yes
+@@ -1527,8 +1527,8 @@ The argument must be
+ .Cm yes
or
- .Dq no .
+ .Cm no .
-The default is
--.Dq no .
+-.Cm no .
+The default on Solaris is
-+.Dq yes .
++.Cm yes .
.Pp
When X11 forwarding is enabled, there may be additional exposure to
the server and to client displays if the
--- a/components/openssh/patches/022-solaris_audit.patch Tue Apr 25 00:30:07 2017 -0700
+++ b/components/openssh/patches/022-solaris_audit.patch Tue Apr 25 15:08:28 2017 -0700
@@ -23,7 +23,7 @@
diff -pur old/INSTALL new/INSTALL
--- old/INSTALL
+++ new/INSTALL
-@@ -92,9 +92,13 @@ http://www.gnu.org/software/autoconf/
+@@ -98,9 +98,13 @@ http://www.gnu.org/software/autoconf/
Basic Security Module (BSM):
@@ -40,7 +40,7 @@
2. Building / Installation
-@@ -147,8 +151,9 @@ name).
+@@ -153,8 +157,9 @@ name).
There are a few other options to the configure script:
--with-audit=[module] enable additional auditing via the specified module.
@@ -56,18 +56,18 @@
--- old/Makefile.in
+++ new/Makefile.in
@@ -100,7 +100,7 @@ SSHOBJS= ssh.o readconf.o clientloop.o s
- roaming_common.o roaming_client.o
+ sshconnect.o sshconnect1.o sshconnect2.o mux.o
- SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
+ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
- audit.o audit-bsm.o audit-linux.o platform.o \
+ audit.o audit-bsm.o audit-linux.o audit-solaris.o platform.o \
sshpty.o sshlogin.o servconf.o serverloop.o \
- auth.o auth1.o auth2.o auth-options.o session.o \
- auth-chall.o auth2-chall.o groupaccess.o \
+ auth.o auth2.o auth-options.o session.o \
+ auth2-chall.o groupaccess.o \
diff -pur old/README.platform new/README.platform
--- old/README.platform
+++ new/README.platform
-@@ -68,8 +68,8 @@ zlib-devel and pam-devel, on Debian base
+@@ -71,8 +71,8 @@ zlib-devel and pam-devel, on Debian base
libssl-dev, libz-dev and libpam-dev.
@@ -78,7 +78,7 @@
If you enable BSM auditing on Solaris, you need to update audit_event(4)
for praudit(1m) to give sensible output. The following line needs to be
added to /etc/security/audit_event:
-@@ -82,6 +82,9 @@ There is no official registry of 3rd par
+@@ -85,6 +85,9 @@ There is no official registry of 3rd par
number is already in use on your system, you may change it at build time
by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
@@ -91,7 +91,7 @@
diff -pur old/config.h.in new/config.h.in
--- old/config.h.in
+++ new/config.h.in
-@@ -1635,6 +1635,9 @@
+@@ -1679,6 +1679,9 @@
/* Use Linux audit module */
#undef USE_LINUX_AUDIT
@@ -104,7 +104,7 @@
diff -pur old/configure.ac new/configure.ac
--- old/configure.ac
+++ new/configure.ac
-@@ -1517,10 +1517,21 @@ AC_ARG_WITH([libedit],
+@@ -1560,10 +1560,21 @@ AC_ARG_WITH([libedit],
AUDIT_MODULE=none
AC_ARG_WITH([audit],
@@ -130,7 +130,7 @@
diff -pur old/defines.h new/defines.h
--- old/defines.h
+++ new/defines.h
-@@ -635,6 +635,11 @@ struct winsize {
+@@ -645,6 +645,11 @@ struct winsize {
# define CUSTOM_SSH_AUDIT_EVENTS
#endif
@@ -145,7 +145,7 @@
diff -pur old/sshd.c new/sshd.c
--- old/sshd.c
+++ new/sshd.c
-@@ -2234,7 +2234,9 @@ main(int ac, char **av)
+@@ -2043,7 +2043,9 @@ main(int ac, char **av)
}
#ifdef SSH_AUDIT_EVENTS
@@ -155,7 +155,7 @@
#endif
#ifdef GSSAPI
-@@ -2264,6 +2266,10 @@ main(int ac, char **av)
+@@ -2073,6 +2075,10 @@ main(int ac, char **av)
do_pam_session();
}
#endif
--- a/components/openssh/patches/023-gsskex.patch Tue Apr 25 00:30:07 2017 -0700
+++ b/components/openssh/patches/023-gsskex.patch Tue Apr 25 15:08:28 2017 -0700
@@ -22,18 +22,18 @@
diff -pur old/Makefile.in new/Makefile.in
--- old/Makefile.in
+++ new/Makefile.in
-@@ -85,6 +85,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
- atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \
+@@ -87,6 +87,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
+ sftp_provider.o \
+ kexgssc.o \
- sftp_provider.o \
ssh-pkcs11.o smult_curve25519_ref.o \
poly1305.o chacha.o cipher-chachapoly.o \
-@@ -106,7 +107,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
+ ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
+@@ -107,7 +108,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o \
- monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \
+ monitor.o monitor_wrap.o auth-krb5.o \
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
@@ -42,7 +42,7 @@
diff -pur old/auth.c new/auth.c
--- old/auth.c
+++ new/auth.c
-@@ -363,6 +363,7 @@ auth_root_allowed(const char *method)
+@@ -372,6 +372,7 @@ auth_root_allowed(const char *method)
case PERMIT_NO_PASSWD:
if (strcmp(method, "publickey") == 0 ||
strcmp(method, "hostbased") == 0 ||
@@ -50,7 +50,7 @@
strcmp(method, "gssapi-with-mic") == 0)
return 1;
break;
-@@ -786,99 +787,6 @@ fakepw(void)
+@@ -795,99 +796,6 @@ fakepw(void)
}
/*
@@ -352,7 +352,7 @@
--- old/gss-genr.c
+++ new/gss-genr.c
@@ -1,7 +1,7 @@
- /* $OpenBSD: gss-genr.c,v 1.23 2015/01/20 23:14:00 deraadt Exp $ */
+ /* $OpenBSD: gss-genr.c,v 1.24 2016/09/12 01:22:38 deraadt Exp $ */
/*
- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@@ -360,7 +360,7 @@
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
-@@ -41,12 +41,167 @@
+@@ -40,12 +40,167 @@
#include "buffer.h"
#include "log.h"
#include "ssh2.h"
@@ -528,7 +528,7 @@
/* Check that the OID in a data stream matches that in the context */
int
ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
-@@ -231,6 +386,9 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
+@@ -230,6 +385,9 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
OM_uint32
ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
{
@@ -538,7 +538,7 @@
if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
GSS_C_QOP_DEFAULT, buffer, hash)))
ssh_gssapi_error(ctx);
-@@ -238,6 +396,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
+@@ -237,6 +395,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
return (ctx->major);
}
@@ -558,7 +558,7 @@
void
ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
const char *context)
-@@ -256,6 +427,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
+@@ -255,6 +426,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
OM_uint32 major, minor;
gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};
@@ -569,7 +569,7 @@
/* RFC 4462 says we MUST NOT do SPNEGO */
if (oid->length == spnego_oid.length &&
-@@ -274,7 +449,7 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
+@@ -273,7 +448,7 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
GSS_C_NO_BUFFER);
}
@@ -656,7 +656,7 @@
diff -pur old/kex.c new/kex.c
--- old/kex.c
+++ new/kex.c
-@@ -55,6 +55,10 @@
+@@ -54,6 +54,10 @@
#include "sshbuf.h"
#include "digest.h"
@@ -668,8 +668,8 @@
# if defined(HAVE_EVP_SHA256)
# define evp_ssh_sha256 EVP_sha256
@@ -111,6 +115,11 @@ static const struct kexalg kexalgs[] = {
- #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
+ { KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
+#ifdef GSSAPI
+ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
@@ -691,7 +691,7 @@
diff -pur old/kex.h new/kex.h
--- old/kex.h
+++ new/kex.h
-@@ -98,6 +98,9 @@ enum kex_exchange {
+@@ -99,6 +99,9 @@ enum kex_exchange {
KEX_DH_GEX_SHA256,
KEX_ECDH_SHA2,
KEX_C25519_SHA256,
@@ -701,7 +701,7 @@
KEX_MAX
};
-@@ -146,6 +149,10 @@ struct kex {
+@@ -147,6 +150,10 @@ struct kex {
u_int flags;
int hash_alg;
int ec_nid;
@@ -712,7 +712,7 @@
char *client_version_string;
char *server_version_string;
char *failed_choice;
-@@ -195,6 +202,10 @@ int kexecdh_client(struct ssh *);
+@@ -196,6 +203,10 @@ int kexecdh_client(struct ssh *);
int kexecdh_server(struct ssh *);
int kexc25519_client(struct ssh *);
int kexc25519_server(struct ssh *);
@@ -726,7 +726,7 @@
diff -pur old/monitor.c new/monitor.c
--- old/monitor.c
+++ new/monitor.c
-@@ -161,6 +161,7 @@ int mm_answer_gss_setup_ctx(int, Buffer
+@@ -160,6 +160,7 @@ int mm_answer_gss_setup_ctx(int, Buffer
int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_checkmic(int, Buffer *);
@@ -734,10 +734,10 @@
#endif
#ifdef SSH_AUDIT_EVENTS
-@@ -245,11 +246,17 @@ struct mon_table mon_dispatch_proto20[]
- {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
- {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
- {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
+@@ -240,11 +241,17 @@ struct mon_table mon_dispatch_proto20[]
+ {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
+ {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
+ {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
+ {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
#endif
{0, 0, NULL}
@@ -752,29 +752,29 @@
#ifdef WITH_OPENSSL
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
#endif
-@@ -364,6 +371,10 @@ monitor_child_preauth(Authctxt *_authctx
- /* Permit requests for moduli and signatures */
- monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
- monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+@@ -311,6 +318,10 @@ monitor_child_preauth(Authctxt *_authctx
+ /* Permit requests for moduli and signatures */
+ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
+ monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+#ifdef GSSAPI
-+ /* and for the GSSAPI key exchange */
-+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
++ /* and for the GSSAPI key exchange */
++ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
- } else {
- mon_dispatch = mon_dispatch_proto15;
-@@ -503,6 +514,10 @@ monitor_child_postauth(struct monitor *p
- monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
- monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
- monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+ /* The first few requests do not require asynchronous access */
+ while (!authenticated) {
+@@ -440,6 +451,10 @@ monitor_child_postauth(struct monitor *p
+ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
+ monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+ monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef GSSAPI
-+ /* and for the GSSAPI key exchange */
-+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
++ /* and for the GSSAPI key exchange */
++ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
- } else {
- mon_dispatch = mon_dispatch_postauth15;
- monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1939,6 +1954,13 @@ monitor_apply_keystate(struct monitor *p
+
+ if (!no_pty_flag) {
+ monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
+@@ -1663,6 +1678,13 @@ monitor_apply_keystate(struct monitor *p
# endif
#endif /* WITH_OPENSSL */
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -788,27 +788,29 @@
kex->load_host_public_key=&get_hostkey_public_by_type;
kex->load_host_private_key=&get_hostkey_private_by_type;
kex->host_key_index=&get_hostkey_index;
-@@ -2038,6 +2060,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
+@@ -1742,8 +1764,8 @@ mm_answer_gss_setup_ctx(int sock, Buffer
OM_uint32 major;
u_int len;
+- if (!options.gss_authentication)
+- fatal("%s: GSSAPI authentication not enabled", __func__);
+ if (!options.gss_authentication && !options.gss_keyex)
+ fatal("In GSSAPI monitor when GSSAPI is disabled");
-+
+
goid.elements = buffer_get_string(m, &len);
goid.length = len;
-
-@@ -2065,6 +2090,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
+@@ -1772,8 +1794,8 @@ mm_answer_gss_accept_ctx(int sock, Buffe
OM_uint32 flags = 0; /* GSI needs this */
u_int len;
+- if (!options.gss_authentication)
+- fatal("%s: GSSAPI authentication not enabled", __func__);
+ if (!options.gss_authentication && !options.gss_keyex)
+ fatal("In GSSAPI monitor when GSSAPI is disabled");
-+
+
in.value = buffer_get_string(m, &len);
in.length = len;
- major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -2082,6 +2110,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
+@@ -1792,6 +1814,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -816,27 +818,29 @@
}
return (0);
}
-@@ -2093,6 +2122,9 @@ mm_answer_gss_checkmic(int sock, Buffer
+@@ -1803,8 +1826,8 @@ mm_answer_gss_checkmic(int sock, Buffer
OM_uint32 ret;
u_int len;
+- if (!options.gss_authentication)
+- fatal("%s: GSSAPI authentication not enabled", __func__);
+ if (!options.gss_authentication && !options.gss_keyex)
+ fatal("In GSSAPI monitor when GSSAPI is disabled");
-+
+
gssbuf.value = buffer_get_string(m, &len);
gssbuf.length = len;
- mic.value = buffer_get_string(m, &len);
-@@ -2119,6 +2151,9 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -1832,8 +1855,8 @@ mm_answer_gss_userok(int sock, Buffer *m
{
int authenticated;
+- if (!options.gss_authentication)
+- fatal("%s: GSSAPI authentication not enabled", __func__);
+ if (!options.gss_authentication && !options.gss_keyex)
+ fatal("In GSSAPI monitor when GSSAPI is disabled");
-+
+
authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
- buffer_clear(m);
-@@ -2132,5 +2167,47 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -1848,5 +1871,47 @@ mm_answer_gss_userok(int sock, Buffer *m
/* Monitor loop will terminate if authenticated */
return (authenticated);
}
@@ -896,11 +900,11 @@
+#endif
};
- struct mm_master;
+ struct monitor {
diff -pur old/monitor_wrap.c new/monitor_wrap.c
--- old/monitor_wrap.c
+++ new/monitor_wrap.c
-@@ -1108,5 +1108,28 @@ mm_ssh_gssapi_userok(char *user)
+@@ -959,5 +959,28 @@ mm_ssh_gssapi_userok(char *user)
debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
return (authenticated);
}
@@ -932,7 +936,7 @@
diff -pur old/monitor_wrap.h new/monitor_wrap.h
--- old/monitor_wrap.h
+++ new/monitor_wrap.h
-@@ -62,6 +62,7 @@ OM_uint32 mm_ssh_gssapi_accept_ctx(Gssct
+@@ -57,6 +57,7 @@ OM_uint32 mm_ssh_gssapi_accept_ctx(Gssct
gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
int mm_ssh_gssapi_userok(char *user);
OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
@@ -967,7 +971,7 @@
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
-@@ -1002,6 +1007,10 @@ parse_time:
+@@ -1001,6 +1006,10 @@ parse_time:
intptr = &options->gss_authentication;
goto parse_flag;
@@ -978,7 +982,7 @@
case oGssDelegateCreds:
intptr = &options->gss_deleg_creds;
goto parse_flag;
-@@ -1824,6 +1833,7 @@ initialize_options(Options * options)
+@@ -1823,6 +1832,7 @@ initialize_options(Options * options)
options->pubkey_authentication = -1;
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
@@ -986,7 +990,7 @@
options->gss_deleg_creds = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
-@@ -1979,6 +1989,12 @@ fill_default_options(Options * options)
+@@ -1978,6 +1988,12 @@ fill_default_options(Options * options)
#else
options->gss_authentication = 0;
#endif
@@ -1013,7 +1017,7 @@
diff -pur old/servconf.c new/servconf.c
--- old/servconf.c
+++ new/servconf.c
-@@ -117,6 +117,7 @@ initialize_server_options(ServerOptions
+@@ -113,6 +113,7 @@ initialize_server_options(ServerOptions
options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
@@ -1021,7 +1025,7 @@
options->gss_cleanup_creds = -1;
options->gss_strict_acceptor = -1;
options->password_authentication = -1;
-@@ -312,6 +313,12 @@ fill_default_server_options(ServerOption
+@@ -292,6 +293,12 @@ fill_default_server_options(ServerOption
#else
options->gss_authentication = 0;
#endif
@@ -1034,7 +1038,7 @@
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
if (options->gss_strict_acceptor == -1)
-@@ -457,6 +464,7 @@ typedef enum {
+@@ -437,6 +444,7 @@ typedef enum {
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
sHostKeyAlgorithms,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
@@ -1042,7 +1046,7 @@
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
-@@ -534,6 +542,8 @@ static struct {
+@@ -514,6 +522,8 @@ static struct {
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssauthentication", sGssAuthentication, SSHCFG_ALL }, /* alias */
@@ -1051,7 +1055,7 @@
#ifdef USE_GSS_STORE_CRED
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
#else /* USE_GSS_STORE_CRED */
-@@ -543,6 +553,8 @@ static struct {
+@@ -523,6 +533,8 @@ static struct {
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssauthentication", sUnsupported, SSHCFG_ALL }, /* alias */
@@ -1060,7 +1064,7 @@
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
#endif
-@@ -1328,6 +1340,10 @@ process_server_config_line(ServerOptions
+@@ -1284,6 +1296,10 @@ process_server_config_line(ServerOptions
intptr = &options->gss_authentication;
goto parse_flag;
@@ -1071,7 +1075,7 @@
case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds;
goto parse_flag;
-@@ -2416,6 +2432,7 @@ dump_config(ServerOptions *o)
+@@ -2356,6 +2372,7 @@ dump_config(ServerOptions *o)
#endif
#ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -1082,7 +1086,7 @@
diff -pur old/servconf.h new/servconf.h
--- old/servconf.h
+++ new/servconf.h
-@@ -122,6 +122,7 @@ typedef struct {
+@@ -116,6 +116,7 @@ typedef struct {
int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -1143,15 +1147,15 @@
diff -pur old/ssh_config.5 new/ssh_config.5
--- old/ssh_config.5
+++ new/ssh_config.5
-@@ -834,6 +834,12 @@ The default is
+@@ -755,6 +755,12 @@ The default is
Specifies whether user authentication based on GSSAPI is allowed.
The default on Solaris is
- .Dq yes .
+ .Cm yes .
+.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI may be used. When using
+GSSAPI key exchange the server need not have a host key.
+The default on Solaris is
-+.Dq yes .
++.Cm yes .
+Note that this option applies to protocol version 2 only.
.It Cm GSSAPIDelegateCredentials
Forward (delegate) credentials to the server.
@@ -1245,7 +1249,7 @@
#endif
void userauth(Authctxt *, char *);
-@@ -330,6 +379,11 @@ static char *authmethods_get(void);
+@@ -331,6 +380,11 @@ static char *authmethods_get(void);
Authmethod authmethods[] = {
#ifdef GSSAPI
@@ -1257,7 +1261,7 @@
{"gssapi-with-mic",
userauth_gssapi,
NULL,
-@@ -672,7 +726,10 @@ userauth_gssapi(Authctxt *authctxt)
+@@ -674,7 +728,10 @@ userauth_gssapi(Authctxt *authctxt)
* once. */
if (gss_supported == NULL)
@@ -1269,7 +1273,7 @@
/* Check to see if the mechanism is usable before we offer it */
while (mech < gss_supported->count && !ok) {
-@@ -776,8 +833,8 @@ input_gssapi_response(int type, u_int32_
+@@ -778,8 +835,8 @@ input_gssapi_response(int type, u_int32_
{
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
@@ -1280,7 +1284,7 @@
if (authctxt == NULL)
fatal("input_gssapi_response: no authentication context");
-@@ -890,6 +947,48 @@ input_gssapi_error(int type, u_int32_t p
+@@ -892,6 +949,48 @@ input_gssapi_error(int type, u_int32_t p
free(lang);
return 0;
}
@@ -1332,21 +1336,21 @@
diff -pur old/sshd.c new/sshd.c
--- old/sshd.c
+++ new/sshd.c
-@@ -1892,10 +1892,13 @@ main(int ac, char **av)
- logit("Disabling protocol version 1. Could not load host key");
- options.protocol &= ~SSH_PROTO_1;
+@@ -1705,10 +1705,13 @@ main(int ac, char **av)
+ key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp);
+ free(fp);
}
+#ifndef GSSAPI
+ /* The GSSAPI key exchange can run without a host key */
- if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) {
- logit("Disabling protocol version 2. Could not load host key");
- options.protocol &= ~SSH_PROTO_2;
+ if (!sensitive_data.have_ssh2_key) {
+ logit("sshd: no hostkeys available -- exiting.");
+ exit(1);
}
+#endif
- if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
- logit("sshd: no hostkeys available -- exiting.");
- exit(1);
-@@ -2656,6 +2659,48 @@ do_ssh2_kex(void)
+
+ /*
+ * Load certificates. They are stored in an array at identical
+@@ -2179,6 +2182,48 @@ do_ssh2_kex(void)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
list_hostkey_types());
@@ -1395,7 +1399,7 @@
/* start key exchange */
if ((r = kex_setup(active_state, myproposal)) != 0)
fatal("kex_setup: %s", ssh_err(r));
-@@ -2673,6 +2718,13 @@ do_ssh2_kex(void)
+@@ -2196,6 +2241,13 @@ do_ssh2_kex(void)
# endif
#endif
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -1412,22 +1416,22 @@
diff -pur old/sshd_config.5 new/sshd_config.5
--- old/sshd_config.5
+++ new/sshd_config.5
-@@ -632,6 +632,11 @@ The default is
+@@ -623,6 +623,11 @@ The default is
Specifies whether user authentication based on GSSAPI is allowed.
The default on Solaris is
- .Dq yes .
+ .Cm yes .
+.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
+doesn't rely on ssh keys to verify host identity.
+The default on Solaris is
-+.Dq yes .
++.Cm yes .
.It Cm GSSAPICleanupCredentials
Specifies whether to automatically destroy the user's credentials cache
on logout.
diff -pur old/sshkey.c new/sshkey.c
--- old/sshkey.c
+++ new/sshkey.c
-@@ -115,6 +115,7 @@ static const struct keytype keytypes[] =
+@@ -114,6 +114,7 @@ static const struct keytype keytypes[] =
# endif /* OPENSSL_HAS_NISTP521 */
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
--- a/components/openssh/patches/025-login_to_a_role.patch Tue Apr 25 00:30:07 2017 -0700
+++ b/components/openssh/patches/025-login_to_a_role.patch Tue Apr 25 15:08:28 2017 -0700
@@ -10,10 +10,10 @@
# https://bugzilla.mindrot.org/show_bug.cgi?id=2378
#
diff -pur old/auth-pam.c new/auth-pam.c
---- old/auth-pam.c 2015-05-21 04:08:41.910932322 -0700
-+++ new/auth-pam.c 2015-05-21 04:08:42.024831668 -0700
-@@ -1038,6 +1038,20 @@ do_pam_account(void)
- return (sshpam_account_status);
+--- old/auth-pam.c
++++ new/auth-pam.c
+@@ -1040,6 +1040,20 @@ start_pam(Authctxt *authctxt)
+ fatal("PAM: initialisation failed");
}
+#ifdef HAVE_PAM_AUSER
@@ -31,24 +31,24 @@
+#endif
+
void
- do_pam_set_tty(const char *tty)
+ finish_pam(void)
{
diff -pur old/auth-pam.h new/auth-pam.h
---- old/auth-pam.h 2015-03-16 22:49:20.000000000 -0700
-+++ new/auth-pam.h 2015-05-21 04:08:42.025160216 -0700
-@@ -35,6 +35,9 @@ void start_pam(Authctxt *);
+--- old/auth-pam.h
++++ new/auth-pam.h
+@@ -29,6 +29,9 @@ void start_pam(Authctxt *);
void finish_pam(void);
u_int do_pam_account(void);
void do_pam_session(void);
+#ifdef HAVE_PAM_AUSER
+void do_pam_set_auser(const char *);
+#endif
- void do_pam_set_tty(const char *);
void do_pam_setcred(int );
void do_pam_chauthtok(void);
+ int do_pam_putenv(char *, char *);
diff -pur old/auth.h new/auth.h
---- old/auth.h 2015-05-21 04:08:41.911346027 -0700
-+++ new/auth.h 2015-05-21 04:08:42.025504068 -0700
+--- old/auth.h
++++ new/auth.h
@@ -84,6 +84,9 @@ struct Authctxt {
#ifdef PAM_ENHANCEMENT
char *authmethod_name;
@@ -60,8 +60,8 @@
/*
* Every authentication method has to handle authentication requests for
diff -pur old/auth2-hostbased.c new/auth2-hostbased.c
---- old/auth2-hostbased.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/auth2-hostbased.c 2015-05-21 04:08:42.026208843 -0700
+--- old/auth2-hostbased.c
++++ new/auth2-hostbased.c
@@ -85,6 +85,9 @@ userauth_hostbased(Authctxt *authctxt)
buffer_dump(&b);
buffer_free(&b);
@@ -72,7 +72,7 @@
pktype = key_type_from_name(pkalg);
if (pktype == KEY_UNSPEC) {
/* this is perfectly legal */
-@@ -143,6 +146,13 @@ userauth_hostbased(Authctxt *authctxt)
+@@ -142,6 +145,13 @@ userauth_hostbased(Authctxt *authctxt)
buffer_len(&b))) == 1)
authenticated = 1;
@@ -87,8 +87,8 @@
done:
debug2("userauth_hostbased: authenticated %d", authenticated);
diff -pur old/auth2.c new/auth2.c
---- old/auth2.c 2015-05-21 04:08:41.947286493 -0700
-+++ new/auth2.c 2015-05-21 04:08:42.026846014 -0700
+--- old/auth2.c
++++ new/auth2.c
@@ -339,6 +339,14 @@ userauth_finish(Authctxt *authctxt, int
#endif
}
@@ -105,9 +105,9 @@
#if defined(USE_PAM) && defined(PAM_ENHANCEMENT)
diff -pur old/config.h.in new/config.h.in
---- old/config.h.in 2015-05-21 04:08:41.938119429 -0700
-+++ new/config.h.in 2015-05-21 04:08:42.027796887 -0700
-@@ -827,6 +827,9 @@
+--- old/config.h.in
++++ new/config.h.in
+@@ -839,6 +839,9 @@
/* Define if you have Digital Unix Security Integration Architecture */
#undef HAVE_OSF_SIA
@@ -118,9 +118,9 @@
#undef HAVE_PAM_GETENVLIST
diff -pur old/configure.ac new/configure.ac
---- old/configure.ac 2015-05-21 04:08:41.886514252 -0700
-+++ new/configure.ac 2015-05-21 04:08:42.052981088 -0700
-@@ -904,6 +904,7 @@ mips-sony-bsd|mips-sony-newsos4)
+--- old/configure.ac
++++ new/configure.ac
+@@ -951,6 +951,7 @@ mips-sony-bsd|mips-sony-newsos4)
TEST_SHELL=$SHELL # let configure find us a capable shell
AC_DEFINE([USE_GSS_STORE_CRED])
AC_DEFINE([GSSAPI_STORECREDS_NEEDS_RUID])
@@ -129,9 +129,9 @@
*-*-sunos4*)
CPPFLAGS="$CPPFLAGS -DSUNOS4"
diff -pur old/monitor.c new/monitor.c
---- old/monitor.c 2015-05-21 04:08:41.964048305 -0700
-+++ new/monitor.c 2015-05-21 04:08:42.054374639 -0700
-@@ -461,6 +461,12 @@ monitor_child_preauth(Authctxt *_authctx
+--- old/monitor.c
++++ new/monitor.c
+@@ -400,6 +400,12 @@ monitor_child_preauth(Authctxt *_authctx
}
}
@@ -144,7 +144,7 @@
if (!authctxt->valid)
fatal("%s: authenticated invalid user", __func__);
if (strcmp(auth_method, "unknown") == 0)
-@@ -694,12 +700,14 @@ monitor_reset_key_state(void)
+@@ -599,12 +605,14 @@ monitor_reset_key_state(void)
{
/* reset state */
free(key_blob);
@@ -160,9 +160,9 @@
hostbased_chost = NULL;
}
-@@ -1146,6 +1154,11 @@ mm_answer_pam_account(int sock, Buffer *
+@@ -1061,6 +1069,11 @@ mm_answer_pam_account(int sock, Buffer *
if (!options.use_pam)
- fatal("UsePAM not set, but ended up in %s anyway", __func__);
+ fatal("%s: PAM not enabled", __func__);
+#ifdef HAVE_PAM_AUSER
+ if (hostbased_cuser != NULL)
--- a/components/openssh/patches/033-without_cast128.patch Tue Apr 25 00:30:07 2017 -0700
+++ b/components/openssh/patches/033-without_cast128.patch Tue Apr 25 15:08:28 2017 -0700
@@ -19,9 +19,33 @@
#
# This is a Solaris specific patch and it is not likely to be accepted upstream.
#
---- orig/ssh_config.5 Mon Aug 15 17:22:20 2016
-+++ new/ssh_config.5 Mon Aug 15 17:25:28 2016
-@@ -478,8 +478,6 @@
+diff -pur old/ssh_config.5 new/ssh_config.5
+--- old/ssh_config.5
++++ new/ssh_config.5
+@@ -431,7 +431,6 @@ arcfour
+ arcfour128
+ arcfour256
+ blowfish-cbc
+-cast128-cbc
+ [email protected]
+ .Ed
+ .Pp
+diff -pur old/sshd.8 new/sshd.8
+--- old/sshd.8
++++ new/sshd.8
+@@ -255,7 +255,7 @@ host key against its own database to ver
+ Forward security is provided through a Diffie-Hellman key agreement.
+ This key agreement results in a shared session key.
+ The rest of the session is encrypted using a symmetric cipher, currently
+-128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.
++128-bit AES, Blowfish, 3DES, Arcfour, 192-bit AES, or 256-bit AES.
+ The client selects the encryption algorithm
+ to use from those offered by the server.
+ Additionally, session integrity is provided
+diff -pur old/sshd_config.5 new/sshd_config.5
+--- old/sshd_config.5
++++ new/sshd_config.5
+@@ -468,8 +468,6 @@ arcfour256
.It
blowfish-cbc
.It
@@ -30,25 +54,3 @@
[email protected]
.El
.Pp
---- orig/sshd_config.5 Mon Aug 15 17:22:29 2016
-+++ new/sshd_config.5 Mon Aug 15 17:25:58 2016
-@@ -479,8 +479,6 @@
- .It
- blowfish-cbc
- .It
--cast128-cbc
--.It
- [email protected]
- .El
- .Pp
---- orig/sshd.8 Mon Aug 15 17:22:36 2016
-+++ new/sshd.8 Mon Aug 15 17:26:48 2016
-@@ -307,7 +307,7 @@
- forward security is provided through a Diffie-Hellman key agreement.
- This key agreement results in a shared session key.
- The rest of the session is encrypted using a symmetric cipher, currently
--128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.
-+128-bit AES, Blowfish, 3DES, Arcfour, 192-bit AES, or 256-bit AES.
- The client selects the encryption algorithm
- to use from those offered by the server.
- Additionally, session integrity is provided
--- a/components/openssh/patches/035-fips.patch Tue Apr 25 00:30:07 2017 -0700
+++ b/components/openssh/patches/035-fips.patch Tue Apr 25 15:08:28 2017 -0700
@@ -7,7 +7,7 @@
diff -pur old/cipher.c new/cipher.c
--- old/cipher.c
+++ new/cipher.c
-@@ -77,7 +77,34 @@ struct sshcipher {
+@@ -86,7 +86,34 @@ struct sshcipher {
#endif
};
@@ -99,7 +99,7 @@
diff -pur old/gss-genr.c new/gss-genr.c
--- old/gss-genr.c
+++ new/gss-genr.c
-@@ -44,6 +44,7 @@
+@@ -43,6 +43,7 @@
#include "cipher.h"
#include "key.h"
#include "kex.h"
@@ -107,7 +107,7 @@
#include <openssl/evp.h>
#include "ssh-gss.h"
-@@ -100,6 +101,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
+@@ -99,6 +100,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
char deroid[2];
const EVP_MD *evp_md = EVP_md5();
EVP_MD_CTX md;
@@ -115,7 +115,7 @@
if (gss_enc2oid != NULL) {
for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
-@@ -112,6 +114,14 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
+@@ -111,6 +113,14 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
buffer_init(&buf);
@@ -130,7 +130,7 @@
oidpos = 0;
for (i = 0; i < gss_supported->count; i++) {
if (gss_supported->elements[i].length < 128 &&
-@@ -119,7 +129,6 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
+@@ -118,7 +128,6 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
deroid[0] = SSH_GSS_OIDTYPE;
deroid[1] = gss_supported->elements[i].length;
@@ -138,7 +138,7 @@
EVP_DigestInit(&md, evp_md);
EVP_DigestUpdate(&md, deroid, 2);
EVP_DigestUpdate(&md,
-@@ -151,6 +160,12 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
+@@ -150,6 +159,12 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
oidpos++;
}
}
@@ -154,7 +154,7 @@
diff -pur old/kex.c new/kex.c
--- old/kex.c
+++ new/kex.c
-@@ -90,7 +90,43 @@ struct kexalg {
+@@ -89,7 +89,43 @@ struct kexalg {
int ec_nid;
int hash_alg;
};
@@ -319,7 +319,7 @@
diff -pur old/misc.h new/misc.h
--- old/misc.h
+++ new/misc.h
-@@ -40,6 +40,11 @@ struct ForwardOptions {
+@@ -44,6 +44,11 @@ struct ForwardOptions {
char *chop(char *);
char *strdelim(char **);
@@ -334,7 +334,7 @@
diff -pur old/myproposal.h new/myproposal.h
--- old/myproposal.h
+++ new/myproposal.h
-@@ -88,21 +88,33 @@
+@@ -90,21 +90,33 @@
# else
# define KEX_CURVE25519_METHODS ""
# endif
@@ -372,7 +372,7 @@
HOSTKEY_ECDSA_CERT_METHODS \
"[email protected]," \
"[email protected]," \
-@@ -112,17 +124,32 @@
+@@ -114,17 +126,32 @@
"rsa-sha2-256," \
"ssh-rsa"
@@ -394,21 +394,21 @@
-#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \
+#define KEX_CLIENT_ENCRYPT_DFLT KEX_SERVER_ENCRYPT_DFLT "," \
-+ "aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc"
++ "aes128-cbc,aes192-cbc,aes256-cbc"
+
+#define KEX_SERVER_ENCRYPT_FIPS \
+ "aes128-ctr,aes192-ctr,aes256-ctr" \
+ AESGCM_CIPHER_MODES
+
+#define KEX_CLIENT_ENCRYPT_FIPS KEX_SERVER_ENCRYPT_FIPS "," \
- "aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc"
+ "aes128-cbc,aes192-cbc,aes256-cbc"
-#define KEX_SERVER_MAC \
+#define KEX_SERVER_MAC_DFLT \
"[email protected]," \
"[email protected]," \
"[email protected]," \
-@@ -134,7 +161,42 @@
+@@ -136,7 +163,42 @@
"hmac-sha2-512," \
"hmac-sha1"
@@ -483,7 +483,7 @@
diff -pur old/ssh-agent.1 new/ssh-agent.1
--- old/ssh-agent.1
+++ new/ssh-agent.1
-@@ -117,6 +117,8 @@ and
+@@ -118,6 +118,8 @@ and
.Dq sha256 .
The default is
.Dq sha256 .
@@ -495,7 +495,7 @@
diff -pur old/ssh-agent.c new/ssh-agent.c
--- old/ssh-agent.c
+++ new/ssh-agent.c
-@@ -1196,6 +1196,7 @@ main(int ac, char **av)
+@@ -1214,6 +1214,7 @@ main(int ac, char **av)
struct timeval *tvp = NULL;
size_t len;
mode_t prev_mask;
@@ -503,7 +503,7 @@
ssh_malloc_init(); /* must be called before any mallocs */
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
-@@ -1207,6 +1208,9 @@ main(int ac, char **av)
+@@ -1225,6 +1226,9 @@ main(int ac, char **av)
platform_disable_tracing(0); /* strict=no */
@@ -513,7 +513,7 @@
#ifdef WITH_OPENSSL
OpenSSL_add_all_algorithms();
#endif
-@@ -1337,8 +1341,19 @@ main(int ac, char **av)
+@@ -1363,8 +1367,19 @@ main(int ac, char **av)
printf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name,
SSH_AUTHSOCKET_ENV_NAME);
printf("echo Agent pid %ld;\n", (long)parent_pid);
@@ -611,7 +611,7 @@
diff -pur old/ssh.c new/ssh.c
--- old/ssh.c
+++ new/ssh.c
-@@ -609,6 +609,11 @@ main(int ac, char **av)
+@@ -606,6 +606,11 @@ main(int ac, char **av)
*/
initialize_options(&options);
@@ -623,7 +623,7 @@
/* Parse command-line arguments. */
host = NULL;
use_syslog = 0;
-@@ -1028,6 +1033,10 @@ main(int ac, char **av)
+@@ -1027,6 +1032,10 @@ main(int ac, char **av)
#endif
);
@@ -651,8 +651,8 @@
diff -pur old/ssh_config.5 new/ssh_config.5
--- old/ssh_config.5
+++ new/ssh_config.5
-@@ -489,6 +489,13 @@ [email protected],aes256-gcm@openss
- aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
+@@ -442,6 +442,13 @@ [email protected],aes256-gcm@openss
+ aes128-cbc,aes192-cbc,aes256-cbc
.Ed
.Pp
+The following ciphers are FIPS-140 approved and are supported in FIPS-140 mode:
@@ -662,19 +662,19 @@
+aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
+.Ed
+.Pp
- The list of available ciphers may also be obtained using the
- .Fl Q
- option of
-@@ -738,6 +745,8 @@ and
- .Dq sha256 .
- The default is
- .Dq sha256 .
+ The list of available ciphers may also be obtained using
+ .Qq ssh -Q cipher .
+ .It Cm ClearAllForwardings
+@@ -665,6 +672,8 @@ Valid options are:
+ and
+ .Cm sha256
+ (the default).
+In FIPS-140 mode the only supported option is
+.Dq sha256 .
.It Cm ForwardAgent
Specifies whether the connection to the authentication agent (if any)
will be forwarded to the remote machine.
-@@ -1249,6 +1258,16 @@ [email protected],[email protected]
+@@ -1129,6 +1138,16 @@ [email protected],[email protected]
hmac-sha2-256,hmac-sha2-512,hmac-sha1
.Ed
.Pp
@@ -688,13 +688,13 @@
+hmac-sha1,hmac-sha1-96
+.Ed
+.Pp
- The list of available MAC algorithms may also be obtained using the
- .Fl Q
- option of
+ The list of available MAC algorithms may also be obtained using
+ .Qq ssh -Q mac .
+ .It Cm NoHostAuthenticationForLocalhost
diff -pur old/sshconnect.c new/sshconnect.c
--- old/sshconnect.c
+++ new/sshconnect.c
-@@ -530,8 +530,14 @@ send_client_banner(int connection_out, i
+@@ -529,8 +529,14 @@ send_client_banner(int connection_out, i
{
/* Send our own protocol version identification. */
if (compat20) {
@@ -712,7 +712,7 @@
diff -pur old/sshd.8 new/sshd.8
--- old/sshd.8
+++ new/sshd.8
-@@ -86,6 +86,9 @@ rereads its configuration file when it r
+@@ -84,6 +84,9 @@ rereads its configuration file when it r
by executing itself with the name and options it was started with, e.g.\&
.Pa /usr/sbin/sshd .
.Pp
@@ -725,26 +725,26 @@
diff -pur old/sshd.c new/sshd.c
--- old/sshd.c
+++ new/sshd.c
-@@ -431,10 +431,18 @@ sshd_exchange_identification(struct ssh
- minor = PROTOCOL_MINOR_1;
- }
+@@ -366,10 +366,18 @@ sshd_exchange_identification(struct ssh
+ char buf[256]; /* Must not be larger than remote_version. */
+ char remote_version[256]; /* Must be at least as big as buf. */
+#ifdef ENABLE_OPENSSL_FIPS
+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
-+ major, minor, SSH_VERSION,
++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+ ssh_FIPS_mode() ? " FIPS" : " ",
+ *options.version_addendum == '\0' ? "" : " ",
+ options.version_addendum, newline);
+#else
xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
- major, minor, SSH_VERSION,
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);
+#endif
/* Send our protocol version identification. */
if (atomicio(vwrite, sock_out, server_version_string,
-@@ -1562,6 +1570,10 @@ main(int ac, char **av)
+@@ -1395,6 +1403,10 @@ main(int ac, char **av)
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
@@ -755,7 +755,7 @@
/* Initialize configuration options to their default values. */
initialize_server_options(&options);
-@@ -1712,6 +1724,10 @@ main(int ac, char **av)
+@@ -1541,6 +1553,10 @@ main(int ac, char **av)
SYSLOG_FACILITY_AUTH : options.log_facility,
log_stderr || !inetd_flag);
@@ -769,7 +769,7 @@
diff -pur old/sshd_config.5 new/sshd_config.5
--- old/sshd_config.5
+++ new/sshd_config.5
-@@ -489,6 +489,13 @@ aes128-ctr,aes192-ctr,aes256-ctr,
+@@ -478,6 +478,13 @@ aes128-ctr,aes192-ctr,aes256-ctr,
[email protected],[email protected]
.Ed
.Pp
@@ -780,19 +780,19 @@
+aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
+.Ed
+.Pp
- The list of available ciphers may also be obtained using the
- .Fl Q
- option of
-@@ -585,6 +592,8 @@ and
- .Dq sha256 .
+ The list of available ciphers may also be obtained using
+ .Qq ssh -Q cipher .
+ .It Cm ClientAliveCountMax
+@@ -576,6 +583,8 @@ and
+ .Cm sha256 .
The default is
- .Dq sha256 .
+ .Cm sha256 .
+In FIPS-140 mode the only supported option is
+.Dq sha256 .
.It Cm ForceCommand
Forces the execution of the command specified by
.Cm ForceCommand ,
-@@ -1034,6 +1043,16 @@ [email protected],[email protected]
+@@ -1006,6 +1015,16 @@ [email protected],[email protected]
hmac-sha2-256,hmac-sha2-512,hmac-sha1
.Ed
.Pp
@@ -806,13 +806,13 @@
+hmac-sha1,hmac-sha1-96
+.Ed
+.Pp
- The list of available MAC algorithms may also be obtained using the
- .Fl Q
- option of
+ The list of available MAC algorithms may also be obtained using
+ .Qq ssh -Q mac .
+ .It Cm Match
diff -pur old/sshkey.c new/sshkey.c
--- old/sshkey.c
+++ new/sshkey.c
-@@ -85,7 +85,46 @@ struct keytype {
+@@ -84,7 +84,46 @@ struct keytype {
int cert;
int sigonly;
};
--- a/components/openssh/patches/041-pam_ctx_preserve.patch Tue Apr 25 00:30:07 2017 -0700
+++ b/components/openssh/patches/041-pam_ctx_preserve.patch Tue Apr 25 15:08:28 2017 -0700
@@ -25,7 +25,7 @@
diff -pur old/auth-pam.c new/auth-pam.c
--- old/auth-pam.c
+++ new/auth-pam.c
-@@ -98,6 +98,7 @@
+@@ -103,6 +103,7 @@ extern char *__progname;
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
@@ -33,7 +33,7 @@
extern ServerOptions options;
extern Buffer loginmsg;
-@@ -110,38 +111,26 @@ extern u_int utmp_len;
+@@ -115,38 +116,26 @@ extern u_int utmp_len;
#endif
/*
@@ -82,7 +82,7 @@
static mysig_t sshpam_oldsig;
static void
-@@ -150,85 +139,25 @@ sshpam_sigchld_handler(int sig)
+@@ -155,85 +144,25 @@ sshpam_sigchld_handler(int sig)
signal(SIGCHLD, SIG_DFL);
if (cleanup_ctxt == NULL)
return; /* handler called after PAM cleanup, shouldn't happen */
@@ -180,7 +180,7 @@
static pam_handle_t *sshpam_handle = NULL;
static int sshpam_err = 0;
-@@ -298,55 +227,11 @@ sshpam_password_change_required(int reqd
+@@ -303,55 +232,11 @@ sshpam_password_change_required(int reqd
}
}
@@ -238,7 +238,7 @@
struct pam_response **resp, void *data)
{
Buffer buffer;
-@@ -411,48 +296,85 @@ sshpam_thread_conv(int n, sshpam_const s
+@@ -416,48 +301,85 @@ sshpam_thread_conv(int n, sshpam_const s
}
/*
@@ -354,7 +354,7 @@
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&sshpam_conv);
if (sshpam_err != PAM_SUCCESS)
-@@ -477,63 +399,35 @@ sshpam_thread(void *ctxtp)
+@@ -482,63 +404,35 @@ sshpam_thread(void *ctxtp)
}
}
@@ -438,15 +438,7 @@
}
}
-@@ -681,7 +575,6 @@ derive_pam_service_name(Authctxt *authct
- static int
- sshpam_init(Authctxt *authctxt)
- {
-- extern char *__progname;
- const char *pam_rhost, *pam_user, *user = authctxt->user;
- const char **ptr_pam_user = &pam_user;
- struct ssh *ssh = active_state; /* XXX */
-@@ -788,6 +681,7 @@ sshpam_init_ctx(Authctxt *authctxt)
+@@ -792,6 +686,7 @@ sshpam_init_ctx(Authctxt *authctxt)
{
struct pam_ctxt *ctxt;
int socks[2];
@@ -454,7 +446,7 @@
debug3("PAM: %s entering", __func__);
/*
-@@ -805,7 +699,7 @@ sshpam_init_ctx(Authctxt *authctxt)
+@@ -809,7 +704,7 @@ sshpam_init_ctx(Authctxt *authctxt)
ctxt = xcalloc(1, sizeof *ctxt);
@@ -463,7 +455,7 @@
if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
error("PAM: failed create sockets: %s", strerror(errno));
free(ctxt);
-@@ -813,15 +707,29 @@ sshpam_init_ctx(Authctxt *authctxt)
+@@ -817,15 +712,29 @@ sshpam_init_ctx(Authctxt *authctxt)
}
ctxt->pam_psock = socks[0];
ctxt->pam_csock = socks[1];
@@ -497,7 +489,7 @@
return (ctxt);
}
-@@ -836,8 +744,10 @@ sshpam_query(void *ctx, char **name, cha
+@@ -840,8 +749,10 @@ sshpam_query(void *ctx, char **name, cha
u_char type;
char *msg;
size_t len, mlen;
@@ -508,7 +500,7 @@
buffer_init(&buffer);
*name = xstrdup("");
*info = xstrdup("");
-@@ -845,6 +755,17 @@ sshpam_query(void *ctx, char **name, cha
+@@ -849,6 +760,17 @@ sshpam_query(void *ctx, char **name, cha
**prompts = NULL;
plen = 0;
*echo_on = xmalloc(sizeof(u_int));
@@ -526,7 +518,7 @@
while (ssh_msg_recv(ctxt->pam_psock, &buffer) == 0) {
type = buffer_get_char(&buffer);
msg = buffer_get_string(&buffer, NULL);
-@@ -880,15 +801,6 @@ sshpam_query(void *ctx, char **name, cha
+@@ -884,15 +806,6 @@ sshpam_query(void *ctx, char **name, cha
/* FALLTHROUGH */
case PAM_AUTH_ERR:
debug3("PAM: %s", pam_strerror(sshpam_handle, type));
@@ -542,7 +534,7 @@
/* FALLTHROUGH */
case PAM_SUCCESS:
if (**prompts != NULL) {
-@@ -899,25 +811,20 @@ sshpam_query(void *ctx, char **name, cha
+@@ -903,25 +816,20 @@ sshpam_query(void *ctx, char **name, cha
free(**prompts);
**prompts = NULL;
}
@@ -581,7 +573,7 @@
default:
*num = 0;
**echo_on = 0;
-@@ -997,7 +904,7 @@ sshpam_free_ctx(void *ctxtp)
+@@ -1001,7 +909,7 @@ sshpam_free_ctx(void *ctxtp)
struct pam_ctxt *ctxt = ctxtp;
debug3("PAM: %s entering", __func__);
@@ -593,7 +585,7 @@
diff -pur old/auth-pam.h new/auth-pam.h
--- old/auth-pam.h
+++ new/auth-pam.h
-@@ -45,7 +45,8 @@ int do_pam_putenv(char *, char *);
+@@ -38,7 +38,8 @@ int do_pam_putenv(char *, char *);
char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
@@ -606,14 +598,15 @@
diff -pur old/monitor.c new/monitor.c
--- old/monitor.c
+++ new/monitor.c
-@@ -1184,12 +1184,39 @@ mm_answer_pam_init_ctx(int sock, Buffer
- sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
- sshpam_authok = NULL;
- buffer_clear(m);
+@@ -1090,6 +1090,7 @@ extern KbdintDevice sshpam_device;
+ int
+ mm_answer_pam_init_ctx(int sock, Buffer *m)
+ {
+ int pam_done = 0;
- if (sshpam_ctxt != NULL) {
- monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1);
- buffer_put_int(m, 1);
+ debug3("%s", __func__);
+ if (!options.kbd_interactive_authentication)
+ fatal("%s: kbd-int authentication not enabled", __func__);
+@@ -1105,6 +1106,33 @@ mm_answer_pam_init_ctx(int sock, Buffer
} else {
buffer_put_int(m, 0);
}
@@ -621,6 +614,7 @@
+ /* pam conversation successfully finished in child process */
+ if (sshpam_ctxt != NULL &&
+ (pam_done = get_pam_done(sshpam_ctxt)) != 0) {
++ monitor_permit(mon_dispatch, MONITOR_REQ_PAM_RESPOND, 1);
+ auth_method = "keyboard-interactive";
+ auth_submethod = "pam";
+ /*
@@ -646,7 +640,7 @@
mm_request_send(sock, MONITOR_ANS_PAM_INIT_CTX, m);
return (0);
}
-@@ -1947,7 +1974,8 @@ monitor_apply_keystate(struct monitor *p
+@@ -1671,7 +1699,8 @@ monitor_apply_keystate(struct monitor *p
int r;
debug3("%s: packet_set_state", __func__);
@@ -659,7 +653,7 @@
diff -pur old/packet.c new/packet.c
--- old/packet.c
+++ new/packet.c
-@@ -2449,7 +2449,7 @@ ssh_packet_get_output(struct ssh *ssh)
+@@ -2439,7 +2439,7 @@ ssh_packet_get_output(struct ssh *ssh)
}
/* Reset after_authentication and reset compression in post-auth privsep */
@@ -667,21 +661,21 @@
+int
ssh_packet_set_postauth(struct ssh *ssh)
{
- struct sshcomp *comp;
-@@ -2775,8 +2775,7 @@ ssh_packet_set_state(struct ssh *ssh, st
- cipher_set_keycontext(&state->send_context, keyout);
- cipher_set_keycontext(&state->receive_context, keyin);
+ int r;
+@@ -2754,9 +2754,6 @@ ssh_packet_set_state(struct ssh *ssh, st
+ cipher_set_keycontext(state->send_context, keyout);
+ cipher_set_keycontext(state->receive_context, keyin);
-- if ((r = ssh_packet_set_compress_state(ssh, m)) != 0 ||
-- (r = ssh_packet_set_postauth(ssh)) != 0)
-+ if ((r = ssh_packet_set_compress_state(ssh, m)) != 0)
- return r;
-
+- if ((r = ssh_packet_set_postauth(ssh)) != 0)
+- return r;
+-
sshbuf_reset(state->input);
+ sshbuf_reset(state->output);
+ if ((r = sshbuf_get_string_direct(m, &input, &ilen)) != 0 ||
diff -pur old/packet.h new/packet.h
--- old/packet.h
+++ new/packet.h
-@@ -144,6 +144,7 @@ u_int ssh_packet_get_maxsize(struct ssh
+@@ -148,6 +148,7 @@ u_int ssh_packet_get_maxsize(struct ssh
int ssh_packet_get_state(struct ssh *, struct sshbuf *);
int ssh_packet_set_state(struct ssh *, struct sshbuf *);
@@ -692,7 +686,7 @@
diff -pur old/servconf.c new/servconf.c
--- old/servconf.c
+++ new/servconf.c
-@@ -435,6 +435,18 @@ fill_default_server_options(ServerOption
+@@ -415,6 +415,18 @@ fill_default_server_options(ServerOption
options->compression = 0;
}
#endif
@@ -714,7 +708,7 @@
diff -pur old/session.c new/session.c
--- old/session.c
+++ new/session.c
-@@ -2890,7 +2890,7 @@ do_cleanup(Authctxt *authctxt)
+@@ -2645,7 +2645,7 @@ do_cleanup(Authctxt *authctxt)
#ifdef USE_PAM
if (options.use_pam) {
sshpam_cleanup();
--- a/components/openssh/patches/047-login_grace_time_watchdog.patch Tue Apr 25 00:30:07 2017 -0700
+++ b/components/openssh/patches/047-login_grace_time_watchdog.patch Tue Apr 25 15:08:28 2017 -0700
@@ -19,7 +19,7 @@
diff -pur old/sshd.c new/sshd.c
--- old/sshd.c
+++ new/sshd.c
-@@ -252,9 +252,16 @@ Buffer loginmsg;
+@@ -236,7 +236,14 @@ Buffer loginmsg;
/* Unprivileged user */
struct passwd *privsep_pw = NULL;
@@ -30,13 +30,11 @@
+#define GRACE_WATCHDOG_THRESHOLD 10
+
/* Prototypes for various functions defined later in this file. */
++static void stop_grace_watchdog(void);
void destroy_sensitive_data(void);
void demote_sensitive_data(void);
-+static void stop_grace_watchdog(void);
-
- #ifdef WITH_SSH1
- static void do_ssh1_kex(void);
-@@ -369,12 +376,102 @@ grace_alarm_handler(int sig)
+ static void do_ssh2_kex(void);
+@@ -351,12 +358,101 @@ grace_alarm_handler(int sig)
signal(SIGTERM, SIG_IGN);
kill(0, SIGTERM);
}
@@ -135,11 +133,10 @@
+ grace_watchdog_pid = -1;
+}
+
-+
- /*
- * Signal handler for the key regeneration alarm. Note that this
- * alarm only occurs in the daemon waiting for connections, and it does not
-@@ -723,6 +820,7 @@ privsep_preauth(Authctxt *authctxt)
+ static void
+ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
+ {
+@@ -623,6 +719,7 @@ privsep_preauth(Authctxt *authctxt)
/* child */
close(pmonitor->m_sendfd);
close(pmonitor->m_log_recvfd);
@@ -147,7 +144,7 @@
/* Arrange for logging to be sent to the monitor */
set_log_handler(mm_log_handler, pmonitor);
-@@ -2235,8 +2333,10 @@ main(int ac, char **av)
+@@ -2006,8 +2103,10 @@ main(int ac, char **av)
* are about to discover the bug.
*/
signal(SIGALRM, grace_alarm_handler);
@@ -158,8 +155,8 @@
+ }
sshd_exchange_identification(ssh, sock_in, sock_out);
-
-@@ -2302,6 +2402,7 @@ main(int ac, char **av)
+ packet_set_nonblocking();
+@@ -2055,6 +2154,7 @@ main(int ac, char **av)
*/
alarm(0);
signal(SIGALRM, SIG_DFL);
--- a/components/openssh/patches/048-maxstartups-log_dropped.patch Tue Apr 25 00:30:07 2017 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,24 +0,0 @@
-#
-# When MaxStartups of unauthenticated concurrent connections is hit,
-# additional connections are dropped.
-#
-# Dropped connections should be logged. Server administrator should be able to
-# find this information and might be interested in details.
-#
-# Patch source: in-house
-# Offered upstream:
-# https://bugzilla.mindrot.org/show_bug.cgi?id=2613
-#
-diff -pur old/sshd.c new/sshd.c
---- old/sshd.c
-+++ new/sshd.c
-@@ -1419,7 +1419,8 @@ server_accept_loop(int *sock_in, int *so
- continue;
- }
- if (drop_connection(startups) == 1) {
-- debug("drop connection #%d", startups);
-+ logit("MaxStartups: dropping connection #%d",
-+ startups);
- close(*newsock);
- continue;
- }
--- a/components/openssh/patches/049-kexinit_mem_exhaust.patch Tue Apr 25 00:30:07 2017 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,21 +0,0 @@
-#
-# Unregister the KEXINIT handler after message has been received.
-#
-# CVE-2016-8858
-#
-# Patch source: upstream
-# https://github.com/openssh/openssh-portable/commit/ec165c392ca54317dbe
-#
-# We will drop this patch when upgrading to OpenSSH 7.4 or later.
-#
-diff -pur old/kex.c new/kex.c
---- old/kex.c
-+++ new/kex.c
-@@ -517,6 +517,7 @@ kex_input_kexinit(int type, u_int32_t se
- if (kex == NULL)
- return SSH_ERR_INVALID_ARGUMENT;
-
-+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
- ptr = sshpkt_ptr(ssh, &dlen);
- if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
- return r;
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/99-sha2-regression.patch Tue Apr 25 15:08:28 2017 -0700
@@ -0,0 +1,74 @@
+#
+# Temporary patch for 7.4p1 regression fixed in 7.5
+# From upstream
+# Remove when upgrading
+#
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2680
+# fix regression in 7.4 server-sig-algs,
+# accidentally excluding SHA2 RSA signature methods.
+#
+
+diff -rupN old/kex.c new/kex.c
+--- old/kex.c 2017-03-28 19:08:53.584501767 -0700
++++ new/kex.c 2017-03-28 19:22:26.034204047 -0700
+@@ -388,7 +388,7 @@ kex_send_ext_info(struct ssh *ssh)
+ int r;
+ char *algs;
+
+- if ((algs = sshkey_alg_list(0, 1, ',')) == NULL)
++ if ((algs = sshkey_alg_list(0, 1, 1, ',')) == NULL)
+ return SSH_ERR_ALLOC_FAIL;
+ if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 ||
+ (r = sshpkt_put_u32(ssh, 1)) != 0 ||
+diff -rupN old/ssh.c new/ssh.c
+--- old/ssh.c 2017-03-28 19:08:53.587726975 -0700
++++ new/ssh.c 2017-03-28 19:25:10.561309338 -0700
+@@ -697,11 +697,11 @@ main(int ac, char **av)
+ else if (strcmp(optarg, "kex") == 0)
+ cp = kex_alg_list('\n');
+ else if (strcmp(optarg, "key") == 0)
+- cp = sshkey_alg_list(0, 0, '\n');
++ cp = sshkey_alg_list(0, 0, 0, '\n');
+ else if (strcmp(optarg, "key-cert") == 0)
+- cp = sshkey_alg_list(1, 0, '\n');
++ cp = sshkey_alg_list(1, 0, 0, '\n');
+ else if (strcmp(optarg, "key-plain") == 0)
+- cp = sshkey_alg_list(0, 1, '\n');
++ cp = sshkey_alg_list(0, 1, 0, '\n');
+ else if (strcmp(optarg, "protocol-version") == 0) {
+ #ifdef WITH_SSH1
+ cp = xstrdup("1\n2");
+diff -rupN old/sshkey.c new/sshkey.c
+--- old/sshkey.c 2017-03-28 19:08:53.590992687 -0700
++++ new/sshkey.c 2017-03-28 19:32:28.309848396 -0700
+@@ -235,14 +235,16 @@ sshkey_ecdsa_nid_from_name(const char *n
+ }
+
+ char *
+-sshkey_alg_list(int certs_only, int plain_only, char sep)
++sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
+ {
+ char *tmp, *ret = NULL;
+ size_t nlen, rlen = 0;
+ const struct keytype *kt;
+
+ for (kt = keytypes; kt->type != -1; kt++) {
+- if (kt->name == NULL || kt->sigonly)
++ if (kt->name == NULL)
++ continue;
++ if (!include_sigonly && kt->sigonly)
+ continue;
+ if ((certs_only && !kt->cert) || (plain_only && kt->cert))
+ continue;
+diff -rupN old/sshkey.h new/sshkey.h
+--- old/sshkey.h 2017-03-28 19:08:53.594083865 -0700
++++ new/sshkey.h 2017-03-28 19:33:39.322046181 -0700
+@@ -157,7 +157,7 @@ int sshkey_ec_validate_private(const E
+ const char *sshkey_ssh_name(const struct sshkey *);
+ const char *sshkey_ssh_name_plain(const struct sshkey *);
+ int sshkey_names_valid2(const char *, int);
+-char *sshkey_alg_list(int, int, char);
++char *sshkey_alg_list(int, int, int, char);
+
+ int sshkey_from_blob(const u_char *, size_t, struct sshkey **);
+ int sshkey_fromb(struct sshbuf *, struct sshkey **);
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/99-smartcard-key-regression.patch Tue Apr 25 15:08:28 2017 -0700
@@ -0,0 +1,58 @@
+#
+# Temporary patch for 7.4p1 regression, fixed in 7.5
+# Fix from upstream
+# Remove when upgrading
+#
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2682
+# fix regression in 7.4: deletion of PKCS#11-hosted keys
+# would fail unless they were specified by full physical pathname.
+#
+diff -rupN old/ssh-agent.c new/ssh-agent.c
+--- old/ssh-agent.c 2017-03-30 14:48:53.785202740 -0700
++++ new/ssh-agent.c 2017-03-30 16:19:56.238660913 -0700
+@@ -821,7 +821,7 @@ send:
+ static void
+ process_remove_smartcard_key(SocketEntry *e)
+ {
+- char *provider = NULL, *pin = NULL;
++ char *provider = NULL, *pin = NULL, canonical_provider[PATH_MAX];
+ int r, version, success = 0;
+ Identity *id, *nxt;
+ Idtab *tab;
+@@ -831,6 +831,14 @@ process_remove_smartcard_key(SocketEntry
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ free(pin);
+
++ if (realpath(provider, canonical_provider) == NULL) {
++ verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
++ provider, strerror(errno));
++ goto send;
++ }
++
++ debug("%s: remove %.100s", __func__, canonical_provider);
++
+ for (version = 1; version < 3; version++) {
+ tab = idtab_lookup(version);
+ for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) {
+@@ -838,18 +846,19 @@ process_remove_smartcard_key(SocketEntry
+ /* Skip file--based keys */
+ if (id->provider == NULL)
+ continue;
+- if (!strcmp(provider, id->provider)) {
++ if (!strcmp(canonical_provider, id->provider)) {
+ TAILQ_REMOVE(&tab->idlist, id, next);
+ free_identity(id);
+ tab->nentries--;
+ }
+ }
+ }
+- if (pkcs11_del_provider(provider) == 0)
++ if (pkcs11_del_provider(canonical_provider) == 0)
+ success = 1;
+ else
+ error("process_remove_smartcard_key:"
+ " pkcs11_del_provider failed");
++send:
+ free(provider);
+ send_status(e, success);
+ }
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/99-unbreak-root-regression.patch Tue Apr 25 15:08:28 2017 -0700
@@ -0,0 +1,69 @@
+#
+# Temporary patch for 7.4p1 regression, fixed in 7.5
+# Fix from upstream
+# Remove when upgrading
+#
+# https://github.com/openssh/openssh-portable/commit/51045869fa084cdd016fdd721ea760417c0a3bf3
+# unbreak Unix domain socket forwarding for root
+#
+diff -rupN old/serverloop.c new/serverloop.c
+--- old/serverloop.c 2017-03-30 14:34:07.762152901 -0700
++++ new/serverloop.c 2017-03-30 14:43:20.195633292 -0700
+@@ -469,6 +469,11 @@ server_request_direct_streamlocal(void)
+ char *target, *originator;
+ u_short originator_port;
+
++ struct passwd *pw = the_authctxt->pw;
++
++ if (pw == NULL || !the_authctxt->valid)
++ fatal("server_input_global_request: no/invalid user");
++
+ target = packet_get_string(NULL);
+ originator = packet_get_string(NULL);
+ originator_port = packet_get_int();
+@@ -480,7 +485,7 @@ server_request_direct_streamlocal(void)
+ /* XXX fine grained permissions */
+ if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
+ !no_port_forwarding_flag && !options.disable_forwarding &&
+- use_privsep) {
++ (pw->pw_uid == 0 || use_privsep)) {
+ c = channel_connect_to_path(target,
+ "[email protected]", "direct-streamlocal");
+ } else {
+@@ -702,6 +707,10 @@ server_input_global_request(int type, u_
+ int want_reply;
+ int r, success = 0, allocated_listen_port = 0;
+ struct sshbuf *resp = NULL;
++ struct passwd *pw = the_authctxt->pw;
++
++ if (pw == NULL || !the_authctxt->valid)
++ fatal("server_input_global_request: no/invalid user");
+
+ rtype = packet_get_string(NULL);
+ want_reply = packet_get_char();
+@@ -709,12 +718,8 @@ server_input_global_request(int type, u_
+
+ /* -R style forwarding */
+ if (strcmp(rtype, "tcpip-forward") == 0) {
+- struct passwd *pw;
+ struct Forward fwd;
+
+- pw = the_authctxt->pw;
+- if (pw == NULL || !the_authctxt->valid)
+- fatal("server_input_global_request: no/invalid user");
+ memset(&fwd, 0, sizeof(fwd));
+ fwd.listen_host = packet_get_string(NULL);
+ fwd.listen_port = (u_short)packet_get_int();
+@@ -762,9 +767,10 @@ server_input_global_request(int type, u_
+ /* check permissions */
+ if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
+ || no_port_forwarding_flag || options.disable_forwarding ||
+- !use_privsep) {
++ (pw->pw_uid != 0 && !use_privsep)) {
+ success = 0;
+- packet_send_debug("Server has disabled port forwarding.");
++ packet_send_debug("Server has disabled "
++ "streamlocal forwarding.");
+ } else {
+ /* Start listening on the socket */
+ success = channel_setup_remote_fwd_listener(