[openssh] another audit improovements
Jan F. Chadima
jfch2222 at fedoraproject.org
Thu Feb 24 13:25:15 UTC 2011
commit aefa65dfca63663e473b847066af2d0168b0bee0
Author: Jan F <jfch at kerberos.example.com>
Date: Thu Feb 24 14:25:14 2011 +0100
another audit improovements
openssh-5.8p1-fingerprint.patch | 419 +++++++++++++++++++++++++++++++++++++++
openssh.spec | 2 +-
2 files changed, 420 insertions(+), 1 deletions(-)
---
diff --git a/openssh-5.8p1-fingerprint.patch b/openssh-5.8p1-fingerprint.patch
new file mode 100644
index 0000000..180c92a
--- /dev/null
+++ b/openssh-5.8p1-fingerprint.patch
@@ -0,0 +1,419 @@
+diff -up openssh-5.8p1/auth2-hostbased.c.fingerprint openssh-5.8p1/auth2-hostbased.c
+--- openssh-5.8p1/auth2-hostbased.c.fingerprint 2010-08-05 05:04:50.000000000 +0200
++++ openssh-5.8p1/auth2-hostbased.c 2011-02-24 10:30:47.000000000 +0100
+@@ -196,16 +196,18 @@ hostbased_key_allowed(struct passwd *pw,
+
+ if (host_status == HOST_OK) {
+ if (key_is_cert(key)) {
+- fp = key_fingerprint(key->cert->signature_key,
+- SSH_FP_MD5, SSH_FP_HEX);
++ fp = key_selected_fingerprint(key->cert->signature_key,
++ SSH_FP_HEX);
+ verbose("Accepted certificate ID \"%s\" signed by "
+- "%s CA %s from %s@%s", key->cert->key_id,
+- key_type(key->cert->signature_key), fp,
++ "%s CA %s%s from %s@%s", key->cert->key_id,
++ key_type(key->cert->signature_key),
++ key_fingerprint_prefix(), fp,
+ cuser, lookup);
+ } else {
+- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+- verbose("Accepted %s public key %s from %s@%s",
+- key_type(key), fp, cuser, lookup);
++ fp = key_selected_fingerprint(key, SSH_FP_HEX);
++ verbose("Accepted %s public key %s%s from %s@%s",
++ key_type(key), key_fingerprint_prefix(),
++ fp, cuser, lookup);
+ }
+ xfree(fp);
+ }
+diff -up openssh-5.8p1/auth2-pubkey.c.fingerprint openssh-5.8p1/auth2-pubkey.c
+--- openssh-5.8p1/auth2-pubkey.c.fingerprint 2010-12-01 01:50:14.000000000 +0100
++++ openssh-5.8p1/auth2-pubkey.c 2011-02-24 10:30:47.000000000 +0100
+@@ -319,10 +319,10 @@ user_key_allowed2(struct passwd *pw, Key
+ continue;
+ if (!key_is_cert_authority)
+ continue;
+- fp = key_fingerprint(found, SSH_FP_MD5,
+- SSH_FP_HEX);
+- debug("matching CA found: file %s, line %lu, %s %s",
+- file, linenum, key_type(found), fp);
++ fp = key_selected_fingerprint(found, SSH_FP_HEX);
++ debug("matching CA found: file %s, line %lu, %s %s%s",
++ file, linenum, key_type(found),
++ key_fingerprint_prefix(), fp);
+ /*
+ * If the user has specified a list of principals as
+ * a key option, then prefer that list to matching
+@@ -362,9 +362,9 @@ user_key_allowed2(struct passwd *pw, Key
+ found_key = 1;
+ debug("matching key found: file %s, line %lu",
+ file, linenum);
+- fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
+- verbose("Found matching %s key: %s",
+- key_type(found), fp);
++ fp = key_selected_fingerprint(found, SSH_FP_HEX);
++ verbose("Found matching %s key: %s%s",
++ key_type(found), key_fingerprint_prefix(), fp);
+ xfree(fp);
+ break;
+ }
+@@ -388,13 +388,13 @@ user_cert_trusted_ca(struct passwd *pw,
+ if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
+ return 0;
+
+- ca_fp = key_fingerprint(key->cert->signature_key,
+- SSH_FP_MD5, SSH_FP_HEX);
++ ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
+
+ if (key_in_file(key->cert->signature_key,
+ options.trusted_user_ca_keys, 1) != 1) {
+- debug2("%s: CA %s %s is not listed in %s", __func__,
+- key_type(key->cert->signature_key), ca_fp,
++ debug2("%s: CA %s%s %s is not listed in %s", __func__,
++ key_type(key->cert->signature_key),
++ key_fingerprint_prefix(), ca_fp,
+ options.trusted_user_ca_keys);
+ goto out;
+ }
+diff -up openssh-5.8p1/auth.c.fingerprint openssh-5.8p1/auth.c
+--- openssh-5.8p1/auth.c.fingerprint 2010-12-01 02:21:51.000000000 +0100
++++ openssh-5.8p1/auth.c 2011-02-24 10:30:47.000000000 +0100
+@@ -639,9 +639,10 @@ auth_key_is_revoked(Key *key)
+ return 1;
+ case 1:
+ /* Key revoked */
+- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
++ key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
+ error("WARNING: authentication attempt with a revoked "
+- "%s key %s ", key_type(key), key_fp);
++ "%s key %s%s ", key_type(key),
++ key_fingerprint_prefix(), key_fp);
+ xfree(key_fp);
+ return 1;
+ }
+diff -up openssh-5.8p1/auth-rsa.c.fingerprint openssh-5.8p1/auth-rsa.c
+--- openssh-5.8p1/auth-rsa.c.fingerprint 2010-12-04 23:01:47.000000000 +0100
++++ openssh-5.8p1/auth-rsa.c 2011-02-24 10:30:47.000000000 +0100
+@@ -318,9 +318,9 @@ auth_rsa(Authctxt *authctxt, BIGNUM *cli
+ * options; this will be reset if the options cause the
+ * authentication to be rejected.
+ */
+- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+- verbose("Found matching %s key: %s",
+- key_type(key), fp);
++ fp = key_selected_fingerprint(key, SSH_FP_HEX);
++ verbose("Found matching %s key: %s%s",
++ key_type(key), key_fingerprint_prefix(), fp);
+ xfree(fp);
+ key_free(key);
+
+diff -up openssh-5.8p1/key.c.fingerprint openssh-5.8p1/key.c
+--- openssh-5.8p1/key.c.fingerprint 2011-02-04 01:48:34.000000000 +0100
++++ openssh-5.8p1/key.c 2011-02-24 10:33:05.000000000 +0100
+@@ -594,6 +594,32 @@ key_fingerprint(Key *k, enum fp_type dgs
+ return retval;
+ }
+
++int
++key_fingerprint_selection(void)
++{
++ char *env;
++ static int rv = -1;
++
++ if (rv == -1) {
++ env = getenv("SSH_FINGERPRINT_TYPE");
++ rv = env && !strcmp (env, "sha");
++ }
++ return rv;
++}
++
++char *
++key_selected_fingerprint(Key *k, enum fp_rep dgst_rep)
++{
++ return key_fingerprint(k, key_fingerprint_selection() ?
++ SSH_FP_SHA1 : SSH_FP_MD5, dgst_rep);
++}
++
++char *
++key_fingerprint_prefix(void)
++{
++ return key_fingerprint_selection() ? "sha1:" : "";
++}
++
+ /*
+ * Reads a multiple-precision integer in decimal from the buffer, and advances
+ * the pointer. The integer must already be initialized. This function is
+diff -up openssh-5.8p1/key.h.fingerprint openssh-5.8p1/key.h
+--- openssh-5.8p1/key.h.fingerprint 2010-11-05 00:19:49.000000000 +0100
++++ openssh-5.8p1/key.h 2011-02-24 10:30:47.000000000 +0100
+@@ -96,6 +96,9 @@ int key_equal_public(const Key *, cons
+ int key_equal(const Key *, const Key *);
+ char *key_fingerprint(Key *, enum fp_type, enum fp_rep);
+ u_char *key_fingerprint_raw(Key *, enum fp_type, u_int *);
++int key_fingerprint_selection(void);
++char *key_selected_fingerprint(Key *, enum fp_rep);
++char *key_fingerprint_prefix(void);
+ const char *key_type(const Key *);
+ const char *key_cert_type(const Key *);
+ int key_write(const Key *, FILE *);
+diff -up openssh-5.8p1/ssh-add.c.fingerprint openssh-5.8p1/ssh-add.c
+--- openssh-5.8p1/ssh-add.c.fingerprint 2010-11-11 04:17:02.000000000 +0100
++++ openssh-5.8p1/ssh-add.c 2011-02-24 10:30:47.000000000 +0100
+@@ -280,10 +280,10 @@ list_identities(AuthenticationConnection
+ key = ssh_get_next_identity(ac, &comment, version)) {
+ had_identities = 1;
+ if (do_fp) {
+- fp = key_fingerprint(key, SSH_FP_MD5,
+- SSH_FP_HEX);
+- printf("%d %s %s (%s)\n",
+- key_size(key), fp, comment, key_type(key));
++ fp = key_selected_fingerprint(key, SSH_FP_HEX);
++ printf("%d %s%s %s (%s)\n",
++ key_size(key), key_fingerprint_prefix(),
++ fp, comment, key_type(key));
+ xfree(fp);
+ } else {
+ if (!key_write(key, stdout))
+diff -up openssh-5.8p1/ssh-agent.c.fingerprint openssh-5.8p1/ssh-agent.c
+--- openssh-5.8p1/ssh-agent.c.fingerprint 2010-12-01 01:50:35.000000000 +0100
++++ openssh-5.8p1/ssh-agent.c 2011-02-24 10:30:47.000000000 +0100
+@@ -199,9 +199,9 @@ confirm_key(Identity *id)
+ char *p;
+ int ret = -1;
+
+- p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
+- if (ask_permission("Allow use of key %s?\nKey fingerprint %s.",
+- id->comment, p))
++ p = key_selected_fingerprint(id->key, SSH_FP_HEX);
++ if (ask_permission("Allow use of key %s?\nKey fingerprint %s%s.",
++ id->comment, key_fingerprint_prefix(), p))
+ ret = 0;
+ xfree(p);
+
+diff -up openssh-5.8p1/sshconnect2.c.fingerprint openssh-5.8p1/sshconnect2.c
+--- openssh-5.8p1/sshconnect2.c.fingerprint 2010-12-01 02:21:51.000000000 +0100
++++ openssh-5.8p1/sshconnect2.c 2011-02-24 10:30:47.000000000 +0100
+@@ -590,8 +590,9 @@ input_userauth_pk_ok(int type, u_int32_t
+ key->type, pktype);
+ goto done;
+ }
+- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+- debug2("input_userauth_pk_ok: fp %s", fp);
++ fp = key_selected_fingerprint(key, SSH_FP_HEX);
++ debug2("input_userauth_pk_ok: fp %s%s",
++ key_fingerprint_prefix(), fp);
+ xfree(fp);
+
+ /*
+@@ -1203,8 +1204,9 @@ sign_and_send_pubkey(Authctxt *authctxt,
+ int have_sig = 1;
+ char *fp;
+
+- fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
+- debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
++ fp = key_selected_fingerprint(id->key, SSH_FP_HEX);
++ debug3("sign_and_send_pubkey: %s %s%s", key_type(id->key),
++ key_fingerprint_prefix(), fp);
+ xfree(fp);
+
+ if (key_to_blob(id->key, &blob, &bloblen) == 0) {
+diff -up openssh-5.8p1/sshconnect.c.fingerprint openssh-5.8p1/sshconnect.c
+--- openssh-5.8p1/sshconnect.c.fingerprint 2011-01-16 13:17:59.000000000 +0100
++++ openssh-5.8p1/sshconnect.c 2011-02-24 10:30:47.000000000 +0100
+@@ -798,10 +798,10 @@ check_host_key(char *hostname, struct so
+ "key for IP address '%.128s' to the list "
+ "of known hosts.", type, ip);
+ } else if (options.visual_host_key) {
+- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+- ra = key_fingerprint(host_key, SSH_FP_MD5,
+- SSH_FP_RANDOMART);
+- logit("Host key fingerprint is %s\n%s\n", fp, ra);
++ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
++ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
++ logit("Host key fingerprint is %s%s\n%s\n",
++ key_fingerprint_prefix(), fp, ra);
+ xfree(ra);
+ xfree(fp);
+ }
+@@ -838,9 +838,8 @@ check_host_key(char *hostname, struct so
+ else
+ snprintf(msg1, sizeof(msg1), ".");
+ /* The default */
+- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+- ra = key_fingerprint(host_key, SSH_FP_MD5,
+- SSH_FP_RANDOMART);
++ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
++ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
+ msg2[0] = '\0';
+ if (options.verify_host_key_dns) {
+ if (matching_host_key_dns)
+@@ -855,10 +854,11 @@ check_host_key(char *hostname, struct so
+ snprintf(msg, sizeof(msg),
+ "The authenticity of host '%.200s (%s)' can't be "
+ "established%s\n"
+- "%s key fingerprint is %s.%s%s\n%s"
++ "%s key fingerprint is %s%s.%s%s\n%s"
+ "Are you sure you want to continue connecting "
+ "(yes/no)? ",
+- host, ip, msg1, type, fp,
++ host, ip, msg1, type,
++ key_fingerprint_prefix(), fp,
+ options.visual_host_key ? "\n" : "",
+ options.visual_host_key ? ra : "",
+ msg2);
+@@ -1104,8 +1104,9 @@ verify_host_key(char *host, struct socka
+ int flags = 0;
+ char *fp;
+
+- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+- debug("Server host key: %s %s", key_type(host_key), fp);
++ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
++ debug("Server host key: %s %s%s", key_type(host_key),
++ key_fingerprint_prefix(), fp);
+ xfree(fp);
+
+ /* XXX certs are not yet supported for DNS */
+@@ -1214,14 +1215,15 @@ show_other_keys(struct hostkeys *hostkey
+ continue;
+ if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
+ continue;
+- fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX);
+- ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART);
++ fp = key_selected_fingerprint(found->key, SSH_FP_HEX);
++ ra = key_selected_fingerprint(found->key, SSH_FP_RANDOMART);
+ logit("WARNING: %s key found for host %s\n"
+ "in %s:%lu\n"
+- "%s key fingerprint %s.",
++ "%s key fingerprint %s%s.",
+ key_type(found->key),
+ found->host, found->file, found->line,
+- key_type(found->key), fp);
++ key_type(found->key),
++ key_fingerprint_prefix(), fp);
+ if (options.visual_host_key)
+ logit("%s", ra);
+ xfree(ra);
+@@ -1236,7 +1238,7 @@ warn_changed_key(Key *host_key)
+ {
+ char *fp;
+
+- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
++ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
+
+ error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+ error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
+@@ -1244,8 +1246,8 @@ warn_changed_key(Key *host_key)
+ error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
+ error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
+ error("It is also possible that a host key has just been changed.");
+- error("The fingerprint for the %s key sent by the remote host is\n%s.",
+- key_type(host_key), fp);
++ error("The fingerprint for the %s key sent by the remote host is\n%s%s.",
++ key_type(host_key),key_fingerprint_prefix(), fp);
+ error("Please contact your system administrator.");
+
+ xfree(fp);
+diff -up openssh-5.8p1/ssh-keygen.c.fingerprint openssh-5.8p1/ssh-keygen.c
+--- openssh-5.8p1/ssh-keygen.c.fingerprint 2011-01-11 07:20:31.000000000 +0100
++++ openssh-5.8p1/ssh-keygen.c 2011-02-24 10:30:47.000000000 +0100
+@@ -714,13 +714,14 @@ do_fingerprint(struct passwd *pw)
+ {
+ FILE *f;
+ Key *public;
+- char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra;
++ char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra, *pfx;
+ int i, skip = 0, num = 0, invalid = 1;
+ enum fp_rep rep;
+ enum fp_type fptype;
+ struct stat st;
+
+- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
++ fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
++ pfx = print_bubblebabble ? "" : key_fingerprint_prefix();
+ rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
+
+ if (!have_identity)
+@@ -732,8 +733,8 @@ do_fingerprint(struct passwd *pw)
+ public = key_load_public(identity_file, &comment);
+ if (public != NULL) {
+ fp = key_fingerprint(public, fptype, rep);
+- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
+- printf("%u %s %s (%s)\n", key_size(public), fp, comment,
++ ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
++ printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, comment,
+ key_type(public));
+ if (log_level >= SYSLOG_LEVEL_VERBOSE)
+ printf("%s\n", ra);
+@@ -798,8 +799,8 @@ do_fingerprint(struct passwd *pw)
+ }
+ comment = *cp ? cp : comment;
+ fp = key_fingerprint(public, fptype, rep);
+- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
+- printf("%u %s %s (%s)\n", key_size(public), fp,
++ ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
++ printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp,
+ comment ? comment : "no comment", key_type(public));
+ if (log_level >= SYSLOG_LEVEL_VERBOSE)
+ printf("%s\n", ra);
+@@ -823,13 +824,15 @@ printhost(FILE *f, const char *name, Key
+ if (print_fingerprint) {
+ enum fp_rep rep;
+ enum fp_type fptype;
+- char *fp, *ra;
++ char *fp, *ra, *pfx;
+
+- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
++ fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
++ pfx = print_bubblebabble ? "" : key_fingerprint_prefix();
+ rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
++
+ fp = key_fingerprint(public, fptype, rep);
+- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
+- printf("%u %s %s (%s)\n", key_size(public), fp, name,
++ ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
++ printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, name,
+ key_type(public));
+ if (log_level >= SYSLOG_LEVEL_VERBOSE)
+ printf("%s\n", ra);
+@@ -1695,16 +1698,17 @@ do_show_cert(struct passwd *pw)
+ fatal("%s is not a certificate", identity_file);
+ v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
+
+- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+- ca_fp = key_fingerprint(key->cert->signature_key,
+- SSH_FP_MD5, SSH_FP_HEX);
++ key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
++ ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
+
+ printf("%s:\n", identity_file);
+ printf(" Type: %s %s certificate\n", key_ssh_name(key),
+ key_cert_type(key));
+- printf(" Public key: %s %s\n", key_type(key), key_fp);
+- printf(" Signing CA: %s %s\n",
+- key_type(key->cert->signature_key), ca_fp);
++ printf(" Public key: %s %s%s\n", key_type(key),
++ key_fingerprint_prefix(), key_fp);
++ printf(" Signing CA: %s %s%s\n",
++ key_type(key->cert->signature_key),
++ key_fingerprint_prefix(), ca_fp);
+ printf(" Key ID: \"%s\"\n", key->cert->key_id);
+ if (!v00) {
+ printf(" Serial: %llu\n",
+@@ -2249,13 +2253,12 @@ passphrase_again:
+ fclose(f);
+
+ if (!quiet) {
+- char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
+- char *ra = key_fingerprint(public, SSH_FP_MD5,
+- SSH_FP_RANDOMART);
++ char *fp = key_selected_fingerprint(public, SSH_FP_HEX);
++ char *ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
+ printf("Your public key has been saved in %s.\n",
+ identity_file);
+ printf("The key fingerprint is:\n");
+- printf("%s %s\n", fp, comment);
++ printf("%s%s %s\n", key_fingerprint_prefix(), fp, comment);
+ printf("The key's randomart image is:\n");
+ printf("%s\n", ra);
+ xfree(ra);
diff --git a/openssh.spec b/openssh.spec
index 1d24258..420a265 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -96,7 +96,7 @@ Source5: pam_ssh_agent-rmheaders
Patch99: openssh-5.8p1-wIm.patch
Patch0: openssh-5.6p1-redhat.patch
#?
-Patch100: openssh-5.8p1-fingerprit.patch
+Patch100: openssh-5.8p1-fingerprint.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
Patch1: openssh-5.8p1-audit1.patch
Patch101: openssh-5.8p1-audit1a.patch
More information about the scm-commits
mailing list