[openssh] improve session keys audit
Jan F. Chadima
jfch2222 at fedoraproject.org
Wed Mar 9 07:49:06 UTC 2011
commit d1fc5c2d4103e3a6f21154844037c19b2fd9bc91
Author: Jan F <jfch at kerberos.example.com>
Date: Wed Mar 9 08:48:51 2011 +0100
improve session keys audit
openssh-5.8p1-audit4a.patch | 79 +++++++++++++++++++++++++++++++++++++++++++
openssh-5.8p1-audit5a.patch | 11 ++++++
openssh-5.8p1-ldap.patch | 4 +-
openssh.spec | 5 ++-
4 files changed, 96 insertions(+), 3 deletions(-)
---
diff --git a/openssh-5.8p1-audit4a.patch b/openssh-5.8p1-audit4a.patch
index e69de29..e6e6720 100644
--- a/openssh-5.8p1-audit4a.patch
+++ b/openssh-5.8p1-audit4a.patch
@@ -0,0 +1,79 @@
+diff -up openssh-5.8p1/packet.c.audit4a openssh-5.8p1/packet.c
+--- openssh-5.8p1/packet.c.audit4a 2011-03-08 08:52:12.000000000 +0100
++++ openssh-5.8p1/packet.c 2011-03-08 08:52:39.000000000 +0100
+@@ -473,6 +473,13 @@ packet_get_connection_out(void)
+ return active_state->connection_out;
+ }
+
++static int
++packet_state_has_keys (const struct session_state *state)
++{
++ return state != NULL &&
++ (state->newkeys[MODE_IN] != NULL || state->newkeys[MODE_OUT] != NULL);
++}
++
+ /* Closes the connection and clears and frees internal data structures. */
+
+ void
+@@ -481,13 +488,6 @@ packet_close(void)
+ if (!active_state->initialized)
+ return;
+ active_state->initialized = 0;
+- if (active_state->connection_in == active_state->connection_out) {
+- shutdown(active_state->connection_out, SHUT_RDWR);
+- close(active_state->connection_out);
+- } else {
+- close(active_state->connection_in);
+- close(active_state->connection_out);
+- }
+ buffer_free(&active_state->input);
+ buffer_free(&active_state->output);
+ buffer_free(&active_state->outgoing_packet);
+@@ -496,9 +496,18 @@ packet_close(void)
+ buffer_free(&active_state->compression_buffer);
+ buffer_compress_uninit();
+ }
+- cipher_cleanup(&active_state->send_context);
+- cipher_cleanup(&active_state->receive_context);
+- audit_session_key_free(2);
++ if (packet_state_has_keys(active_state)) {
++ cipher_cleanup(&active_state->send_context);
++ cipher_cleanup(&active_state->receive_context);
++ audit_session_key_free(2);
++ }
++ if (active_state->connection_in == active_state->connection_out) {
++ shutdown(active_state->connection_out, SHUT_RDWR);
++ close(active_state->connection_out);
++ } else {
++ close(active_state->connection_in);
++ close(active_state->connection_out);
++ }
+ }
+
+ /* Sets remote side protocol flags. */
+@@ -1945,13 +1954,6 @@ packet_destroy_state(struct session_stat
+ // memset(state, 0, sizeof(state));
+ }
+
+-static int
+-packet_state_has_keys (const struct session_state *state)
+-{
+- return state != NULL &&
+- (state->newkeys[MODE_IN] != NULL || state->newkeys[MODE_OUT] != NULL);
+-}
+-
+ void
+ packet_destroy_all(int audit_it, int privsep)
+ {
+diff -up openssh-5.8p1/sshd.c.audit4a openssh-5.8p1/sshd.c
+--- openssh-5.8p1/sshd.c.audit4a 2011-03-08 08:53:02.000000000 +0100
++++ openssh-5.8p1/sshd.c 2011-03-08 08:55:23.000000000 +0100
+@@ -2033,7 +2033,7 @@ main(int ac, char **av)
+ do_authenticated(authctxt);
+
+ /* The connection has been terminated. */
+- packet_destroy_all(1, 0);
++ packet_destroy_all(1, 1);
+
+ packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
+ packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
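Review bot: Guarding cipher_cleanup() with packet_state_has_keys() in the packet_close() hunk (`if (packet_state_has_keys(active_state)) {`) ties freeing the cipher contexts to whether a newkeys[] entry exists, which is a different condition: the send/receive contexts are presumably also initialised on paths that never set newkeys (the "none" cipher set up when the connection is attached, and the protocol-1 key path — confirm against packet.c), so on those paths packet_close() would now leave cipher state, possibly holding key material, uncleaned. Keep the cleanup unconditional and gate only the audit record: `cipher_cleanup(&active_state->send_context);` `cipher_cleanup(&active_state->receive_context);` `if (packet_state_has_keys(active_state)) audit_session_key_free(2);`. Moving the shutdown()/close() pair below the cleanup is not explained anywhere in the hunk; a one-line comment on the moved block stating the intended ordering (cleanup and audit before the descriptor is closed) would stop a later merge from reverting it. In sshd.c the change to `packet_destroy_all(1, 1);` hard-codes what looks like a privsep flag at a call site that also runs with UsePrivilegeSeparation off; if that is what the second argument means, `packet_destroy_all(1, use_privsep);` follows the runtime configuration, and the same question applies to the `destroy_sensitive_data(1);` added by openssh-5.8p1-audit5a.patch. packet_close(), packet_destroy_all() and sshd's main() all extend beyond the inner hunks shown here.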
diff --git a/openssh-5.8p1-audit5a.patch b/openssh-5.8p1-audit5a.patch
index e69de29..31a0dce 100644
--- a/openssh-5.8p1-audit5a.patch
+++ b/openssh-5.8p1-audit5a.patch
@@ -0,0 +1,11 @@
+diff -up openssh-5.8p1/sshd.c.audit5a openssh-5.8p1/sshd.c
+--- openssh-5.8p1/sshd.c.audit5a 2011-03-08 09:03:49.000000000 +0100
++++ openssh-5.8p1/sshd.c 2011-03-08 09:06:23.000000000 +0100
+@@ -2085,6 +2085,7 @@ main(int ac, char **av)
+
+ /* The connection has been terminated. */
+ packet_destroy_all(1, 1);
++ destroy_sensitive_data(1);
+
+ packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
+ packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
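Review bot: The added `destroy_sensitive_data(1);` passes a bare literal whose meaning is not visible at the call site, and the existing comment `/* The connection has been terminated. */` does not say what is being wiped or why it must happen before the packet_get_state() reads that follow. A call-site comment such as `/* wipe host keys and session material now that the session is over; argument selects the privsep path */` (adjusted to what the parameter actually controls) or a named constant for the argument would let a reviewer check the privileged and unprivileged paths separately. This hunk edits the same region of main() as openssh-5.8p1-audit4a.patch in the same commit; folding it into that patch would keep the two related calls reviewable together. The enclosing main() starts and ends outside the hunk.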
diff --git a/openssh-5.8p1-ldap.patch b/openssh-5.8p1-ldap.patch
index 0498021..d6bb196 100644
--- a/openssh-5.8p1-ldap.patch
+++ b/openssh-5.8p1-ldap.patch
@@ -117,7 +117,7 @@ diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap openssh-5.8p1/HOWTO.ldap-keys
+2) add appropriate schema
+3) insert users into LDAP
+4) on the ssh side set in sshd_config
-+AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
++AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
+AuthorizedKeysCommandRunAs <appropriate user to run LDAP>
+5) do not forget to set
+PubkeyAuthentication yes
@@ -2262,7 +2262,7 @@ diff -up openssh-5.8p1/README.lpk.ldap openssh-5.8p1/README.lpk
+
+ 2 tokens are added to sshd_config :
+ # here is the new patched ldap related tokens
-+ AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-helper -s %u
++ AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
+ AuthorizedKeysCommandRunAs nobody
+
+ The LDAP configuratin is read from common /etc/ldap.conf configuration file.
diff --git a/openssh.spec b/openssh.spec
index 6300d54..b913f3d 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -71,7 +71,7 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%define openssh_ver 5.8p1
-%define openssh_rel 15
+%define openssh_rel 16
%define pam_ssh_agent_ver 0.9.2
%define pam_ssh_agent_rel 30
@@ -652,6 +652,9 @@ fi
%endif
%changelog
+* Tue Mar 8 2011 Jan F. Chadima <jchadima at redhat.com> - 5.8p1-16 + 0.9.2-30
+- improve session keys audit
+
* Mon Mar 7 2011 Jan F. Chadima <jchadima at redhat.com> - 5.8p1-15 + 0.9.2-30
- CVE-2010-4755