[openssh] fix various issues in openssh-5.9p1-required-authentications.patch
plautrba
plautrba at fedoraproject.org
Fri Mar 30 18:08:47 UTC 2012
commit 5bad1d43cfbaacd3b56c5cff66b6c2c2ee7af3b8
Author: Petr Lautrbach <plautrba at redhat.com>
Date: Fri Mar 30 19:29:02 2012 +0200
fix various issues in openssh-5.9p1-required-authentications.patch
openssh-5.9p1-required-authentications.patch | 88 +++++++++++++-------------
1 files changed, 44 insertions(+), 44 deletions(-)
---
diff --git a/openssh-5.9p1-required-authentications.patch b/openssh-5.9p1-required-authentications.patch
index b5bf087..491069a 100644
--- a/openssh-5.9p1-required-authentications.patch
+++ b/openssh-5.9p1-required-authentications.patch
@@ -1,6 +1,6 @@
diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
---- openssh-5.9p1/auth.c.required-authentication 2012-02-06 17:03:51.034158031 +0100
-+++ openssh-5.9p1/auth.c 2012-02-06 17:03:55.007830206 +0100
+--- openssh-5.9p1/auth.c.required-authentication 2012-03-30 18:37:59.990184619 +0200
++++ openssh-5.9p1/auth.c 2012-03-30 18:38:00.003189876 +0200
@@ -251,7 +251,8 @@ allowed_user(struct passwd * pw)
}
@@ -92,7 +92,7 @@ diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
+}
diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
--- openssh-5.9p1/auth.h.required-authentication 2011-05-29 13:39:38.000000000 +0200
-+++ openssh-5.9p1/auth.h 2012-02-06 17:03:55.008839468 +0100
++++ openssh-5.9p1/auth.h 2012-03-30 18:38:00.003189876 +0200
@@ -142,10 +142,11 @@ void disable_forwarding(void);
void do_authentication(Authctxt *);
void do_authentication2(Authctxt *);
@@ -122,7 +122,7 @@ diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
--- openssh-5.9p1/auth1.c.required-authentication 2010-08-31 14:36:39.000000000 +0200
-+++ openssh-5.9p1/auth1.c 2012-02-06 17:03:55.055811924 +0100
++++ openssh-5.9p1/auth1.c 2012-03-30 18:38:00.004189905 +0200
@@ -98,6 +98,54 @@ static const struct AuthMethod1
return (NULL);
}
@@ -282,7 +282,7 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
packet_send();
diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
--- openssh-5.9p1/auth2.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
-+++ openssh-5.9p1/auth2.c 2012-02-06 17:03:55.100896430 +0100
++++ openssh-5.9p1/auth2.c 2012-03-30 18:38:04.560122485 +0200
@@ -215,7 +215,7 @@ input_userauth_request(int type, u_int32
{
Authctxt *authctxt = ctxt;
@@ -444,7 +444,7 @@ diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
+ ret = -1;
+ }
+ /* Activate method if it isn't already */
-+ if (*(m->enabled) == -1)
++ if (m->enabled != NULL && *(m->enabled) == -1)
+ *(m->enabled) = 1;
+ }
+ xfree(orig_methods);
@@ -453,7 +453,7 @@ diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
+
diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-gss.c
--- openssh-5.9p1/auth2-gss.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
-+++ openssh-5.9p1/auth2-gss.c 2012-02-06 17:03:55.098862514 +0100
++++ openssh-5.9p1/auth2-gss.c 2012-03-30 18:38:00.005184630 +0200
@@ -163,7 +163,7 @@ input_gssapi_token(int type, u_int32_t p
}
authctxt->postponed = 0;
@@ -483,21 +483,20 @@ diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-g
Authmethod method_gssapi = {
diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2-chall.c
--- openssh-5.9p1/auth2-chall.c.required-authentication 2009-01-28 06:13:39.000000000 +0100
-+++ openssh-5.9p1/auth2-chall.c 2012-02-06 17:03:55.098862514 +0100
-@@ -341,8 +341,8 @@ input_userauth_info_response(int type, u
++++ openssh-5.9p1/auth2-chall.c 2012-03-30 19:25:49.049897712 +0200
+@@ -341,7 +341,8 @@ input_userauth_info_response(int type, u
auth2_challenge_start(authctxt);
}
}
- userauth_finish(authctxt, authenticated, method);
-- xfree(method);
+ userauth_finish(authctxt, authenticated, "keyboard-interactive",
-+ kbdintctxt->device?kbdintctxt->device->name:NULL);
++ authctxt->kbdintctxt?kbdintctxt->device->name:NULL);
+ xfree(method);
}
- void
diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-none.c
--- openssh-5.9p1/auth2-none.c.required-authentication 2010-06-26 02:01:33.000000000 +0200
-+++ openssh-5.9p1/auth2-none.c 2012-02-06 17:03:55.099879104 +0100
++++ openssh-5.9p1/auth2-none.c 2012-03-30 18:38:00.006184515 +0200
@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
{
none_enabled = 0;
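Review bot: The new second argument `authctxt->kbdintctxt?kbdintctxt->device->name:NULL` tests one pointer and dereferences another: the guard is on `authctxt->kbdintctxt`, but the name is read through the local `kbdintctxt` and through `->device`, which has no check of its own. That is only safe if the local still refers to the same live object as `authctxt->kbdintctxt` and its device is non-NULL after the `auth2_challenge_start()` call shown in the context lines, which the hunk does not establish. Because this path runs before authentication completes, a stale or NULL pointer here would sit in code an unauthenticated peer can drive. Reading everything through the checked pointer closes the gap: `authctxt->kbdintctxt && authctxt->kbdintctxt->device ? authctxt->kbdintctxt->device->name : NULL`. The body of input_userauth_info_response starts outside the hunk, so confirm how `kbdintctxt` is assigned there.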
@@ -508,8 +507,8 @@ diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-
return (0);
}
diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
---- openssh-5.9p1/monitor.c.required-authentication 2012-02-06 17:03:51.020095446 +0100
-+++ openssh-5.9p1/monitor.c 2012-02-06 17:03:55.101912924 +0100
+--- openssh-5.9p1/monitor.c.required-authentication 2012-03-30 18:37:59.976189954 +0200
++++ openssh-5.9p1/monitor.c 2012-03-30 18:38:04.555127442 +0200
@@ -199,6 +199,7 @@ static int key_blobtype = MM_NOKEY;
static char *hostbased_cuser = NULL;
static char *hostbased_chost = NULL;
@@ -552,7 +551,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
if (authenticated) {
if (!(ent->flags & MON_AUTHDECIDE))
-@@ -401,11 +407,23 @@ monitor_child_preauth(Authctxt *_authctx
+@@ -401,11 +407,24 @@ monitor_child_preauth(Authctxt *_authctx
}
#endif
}
@@ -564,9 +563,10 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
+ auth_method, *req_auth);
+ debug2("monitor_child_preauth: required list now: %s",
+ *req_auth == NULL ? "DONE" : *req_auth);
-+ if (*req_auth != NULL)
++ if (*req_auth != NULL) {
+ authenticated = 0;
-+ no_increment = 1;
++ no_increment = 1;
++ }
+ }
if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
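Review bot: The block opened by `if (*req_auth != NULL) {` is where a successful method is turned back into "not yet authenticated", and nothing in the code says why `no_increment` is set together with it. A comment would protect this branch from being edited back into the unbraced form, for example `/* methods still required: partial success, must not be counted as a failure */`. That reading of `no_increment` is inferred from the `authctxt->failures++` context in the following hunk and should be confirmed against the part of monitor_child_preauth that lies outside this hunk.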
@@ -578,7 +578,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
authctxt->failures++;
}
#ifdef JPAKE
-@@ -862,6 +880,7 @@ mm_answer_authpassword(int sock, Buffer
+@@ -862,6 +881,7 @@ mm_answer_authpassword(int sock, Buffer
auth_method = "none";
else
auth_method = "password";
@@ -586,7 +586,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
/* Causes monitor loop to terminate if authenticated */
return (authenticated);
-@@ -921,6 +940,7 @@ mm_answer_bsdauthrespond(int sock, Buffe
+@@ -921,6 +941,7 @@ mm_answer_bsdauthrespond(int sock, Buffe
mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
auth_method = "bsdauth";
@@ -594,7 +594,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
return (authok != 0);
}
-@@ -970,6 +990,7 @@ mm_answer_skeyrespond(int sock, Buffer *
+@@ -970,6 +991,7 @@ mm_answer_skeyrespond(int sock, Buffer *
mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
auth_method = "skey";
@@ -602,7 +602,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
return (authok != 0);
}
-@@ -1059,7 +1080,8 @@ mm_answer_pam_query(int sock, Buffer *m)
+@@ -1059,7 +1081,8 @@ mm_answer_pam_query(int sock, Buffer *m)
xfree(prompts);
if (echo_on != NULL)
xfree(echo_on);
@@ -612,7 +612,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
return (0);
}
-@@ -1088,7 +1110,8 @@ mm_answer_pam_respond(int sock, Buffer *
+@@ -1088,7 +1111,8 @@ mm_answer_pam_respond(int sock, Buffer *
buffer_clear(m);
buffer_put_int(m, ret);
mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
@@ -622,7 +622,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
if (ret == 0)
sshpam_authok = sshpam_ctxt;
return (0);
-@@ -1102,7 +1125,8 @@ mm_answer_pam_free_ctx(int sock, Buffer
+@@ -1102,7 +1126,8 @@ mm_answer_pam_free_ctx(int sock, Buffer
(sshpam_device.free_ctx)(sshpam_ctxt);
buffer_clear(m);
mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
@@ -632,7 +632,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
return (sshpam_authok == sshpam_ctxt);
}
#endif
-@@ -1138,6 +1162,7 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1138,6 +1163,7 @@ mm_answer_keyallowed(int sock, Buffer *m
allowed = options.pubkey_authentication &&
user_key_allowed(authctxt->pw, key);
auth_method = "publickey";
@@ -640,7 +640,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
if (options.pubkey_authentication && allowed != 1)
auth_clear_options();
break;
-@@ -1146,6 +1171,7 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1146,6 +1172,7 @@ mm_answer_keyallowed(int sock, Buffer *m
hostbased_key_allowed(authctxt->pw,
cuser, chost, key);
auth_method = "hostbased";
@@ -648,7 +648,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
break;
case MM_RSAHOSTKEY:
key->type = KEY_RSA1; /* XXX */
-@@ -1155,6 +1181,7 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1155,6 +1182,7 @@ mm_answer_keyallowed(int sock, Buffer *m
if (options.rhosts_rsa_authentication && allowed != 1)
auth_clear_options();
auth_method = "rsa";
@@ -656,7 +656,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
break;
default:
fatal("%s: unknown key type %d", __func__, type);
-@@ -1180,7 +1207,8 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1180,7 +1208,8 @@ mm_answer_keyallowed(int sock, Buffer *m
hostbased_chost = chost;
} else {
/* Log failed attempt */
@@ -666,7 +666,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
xfree(blob);
xfree(cuser);
xfree(chost);
-@@ -1356,6 +1384,7 @@ mm_answer_keyverify(int sock, Buffer *m)
+@@ -1356,6 +1385,7 @@ mm_answer_keyverify(int sock, Buffer *m)
xfree(data);
auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
@@ -674,7 +674,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
monitor_reset_key_state();
-@@ -1545,6 +1574,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe
+@@ -1545,6 +1575,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe
debug3("%s entering", __func__);
auth_method = "rsa";
@@ -682,7 +682,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
if (options.rsa_authentication && authctxt->valid) {
if ((client_n = BN_new()) == NULL)
fatal("%s: BN_new", __func__);
-@@ -1650,6 +1680,7 @@ mm_answer_rsa_response(int sock, Buffer
+@@ -1650,6 +1681,7 @@ mm_answer_rsa_response(int sock, Buffer
xfree(response);
auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
@@ -690,7 +690,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
/* reset state */
BN_clear_free(ssh1_challenge);
-@@ -2099,6 +2130,7 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -2099,6 +2131,7 @@ mm_answer_gss_userok(int sock, Buffer *m
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
auth_method = "gssapi-with-mic";
@@ -698,7 +698,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
/* Monitor loop will terminate if authenticated */
return (authenticated);
-@@ -2303,6 +2335,7 @@ mm_answer_jpake_check_confirm(int sock,
+@@ -2303,6 +2336,7 @@ mm_answer_jpake_check_confirm(int sock,
monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
auth_method = "jpake-01 at openssh.com";
@@ -707,8 +707,8 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
}
diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf.c
---- openssh-5.9p1/servconf.c.required-authentication 2012-02-06 17:03:51.024963230 +0100
-+++ openssh-5.9p1/servconf.c 2012-02-06 17:03:55.102929716 +0100
+--- openssh-5.9p1/servconf.c.required-authentication 2012-03-30 18:37:59.981184513 +0200
++++ openssh-5.9p1/servconf.c 2012-03-30 18:38:04.558121635 +0200
@@ -42,6 +42,8 @@
#include "key.h"
#include "kex.h"
@@ -752,12 +752,12 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
+ case sRequiredAuthentications1:
+ charptr = &options->required_auth1;
+ arg = strdelim(&cp);
-+ if (auth1_check_required(arg) != 0)
-+ fatal("%.200s line %d: Invalid required authentication "
-+ "list", filename, linenum);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.",
+ filename, linenum);
++ if (auth1_check_required(arg) != 0)
++ fatal("%.200s line %d: Invalid required authentication "
++ "list", filename, linenum);
+ if (*charptr == NULL)
+ *charptr = xstrdup(arg);
+ break;
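Review bot: The assignment guarded by `if (*charptr == NULL)` in the sRequiredAuthentications1 case, and the identical one in the sRequiredAuthentications2 case in the next hunk, is not conditioned on `*activep`, unlike the usual string-option pattern in servconf.c. If these keywords are accepted inside Match blocks, which the two-line addition to the Match keyword list in sshd_config.5 suggests but does not show, a value from a Match block that does not apply could become the effective required-authentication list. Consider `if (*activep && *charptr == NULL)` in both cases. The enclosing switch starts outside the hunk, so confirm that `activep` is in scope at this point.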
@@ -765,12 +765,12 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
+ case sRequiredAuthentications2:
+ charptr = &options->required_auth2;
+ arg = strdelim(&cp);
-+ if (auth2_check_required(arg) != 0)
-+ fatal("%.200s line %d: Invalid required authentication "
-+ "list", filename, linenum);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.",
+ filename, linenum);
++ if (auth2_check_required(arg) != 0)
++ fatal("%.200s line %d: Invalid required authentication "
++ "list", filename, linenum);
+ if (*charptr == NULL)
+ *charptr = xstrdup(arg);
+ break;
@@ -780,7 +780,7 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
goto parse_int;
diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf.h
--- openssh-5.9p1/servconf.h.required-authentication 2011-06-23 00:30:03.000000000 +0200
-+++ openssh-5.9p1/servconf.h 2012-02-06 17:03:55.102929716 +0100
++++ openssh-5.9p1/servconf.h 2012-03-30 18:38:00.009184624 +0200
@@ -154,6 +154,9 @@ typedef struct {
u_int num_authkeys_files; /* Files containing public keys */
char *authorized_keys_files[MAX_AUTHKEYS_FILES];
@@ -793,7 +793,7 @@ diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf
int use_pam; /* Enable auth via PAM */
diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_config.5
--- openssh-5.9p1/sshd_config.5.required-authentication 2011-08-05 22:17:33.000000000 +0200
-+++ openssh-5.9p1/sshd_config.5 2012-02-06 17:09:39.038871798 +0100
++++ openssh-5.9p1/sshd_config.5 2012-03-30 18:38:00.009184624 +0200
@@ -723,6 +723,8 @@ Available keywords are
.Cm PermitOpen ,
.Cm PermitRootLogin ,
@@ -803,7 +803,7 @@ diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_
.Cm PubkeyAuthentication ,
.Cm RhostsRSAAuthentication ,
.Cm RSAAuthentication ,
-@@ -920,6 +937,21 @@ Specifies a list of revoked public keys.
+@@ -920,6 +922,21 @@ Specifies a list of revoked public keys.
Keys listed in this file will be refused for public key authentication.
Note that if this file is not readable, then public key authentication will
be refused for all users.