[openssh] fix various issues in openssh-5.9p1-required-authentications.patch

plautrba plautrba at fedoraproject.org
Fri Mar 30 18:08:47 UTC 2012


commit 5bad1d43cfbaacd3b56c5cff66b6c2c2ee7af3b8
Author: Petr Lautrbach <plautrba at redhat.com>
Date:   Fri Mar 30 19:29:02 2012 +0200

    fix various issues in openssh-5.9p1-required-authentications.patch

 openssh-5.9p1-required-authentications.patch |   88 +++++++++++++-------------
 1 files changed, 44 insertions(+), 44 deletions(-)
---
diff --git a/openssh-5.9p1-required-authentications.patch b/openssh-5.9p1-required-authentications.patch
index b5bf087..491069a 100644
--- a/openssh-5.9p1-required-authentications.patch
+++ b/openssh-5.9p1-required-authentications.patch
@@ -1,6 +1,6 @@
 diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
---- openssh-5.9p1/auth.c.required-authentication	2012-02-06 17:03:51.034158031 +0100
-+++ openssh-5.9p1/auth.c	2012-02-06 17:03:55.007830206 +0100
+--- openssh-5.9p1/auth.c.required-authentication	2012-03-30 18:37:59.990184619 +0200
++++ openssh-5.9p1/auth.c	2012-03-30 18:38:00.003189876 +0200
 @@ -251,7 +251,8 @@ allowed_user(struct passwd * pw)
  }
  
@@ -92,7 +92,7 @@ diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
 +}
 diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
 --- openssh-5.9p1/auth.h.required-authentication	2011-05-29 13:39:38.000000000 +0200
-+++ openssh-5.9p1/auth.h	2012-02-06 17:03:55.008839468 +0100
++++ openssh-5.9p1/auth.h	2012-03-30 18:38:00.003189876 +0200
 @@ -142,10 +142,11 @@ void disable_forwarding(void);
  void	do_authentication(Authctxt *);
  void	do_authentication2(Authctxt *);
@@ -122,7 +122,7 @@ diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
  
 diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
 --- openssh-5.9p1/auth1.c.required-authentication	2010-08-31 14:36:39.000000000 +0200
-+++ openssh-5.9p1/auth1.c	2012-02-06 17:03:55.055811924 +0100
++++ openssh-5.9p1/auth1.c	2012-03-30 18:38:00.004189905 +0200
 @@ -98,6 +98,54 @@ static const struct AuthMethod1
  	return (NULL);
  }
@@ -282,7 +282,7 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
  		packet_send();
 diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
 --- openssh-5.9p1/auth2.c.required-authentication	2011-05-05 06:04:11.000000000 +0200
-+++ openssh-5.9p1/auth2.c	2012-02-06 17:03:55.100896430 +0100
++++ openssh-5.9p1/auth2.c	2012-03-30 18:38:04.560122485 +0200
 @@ -215,7 +215,7 @@ input_userauth_request(int type, u_int32
  {
  	Authctxt *authctxt = ctxt;
@@ -444,7 +444,7 @@ diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
 +			ret = -1;
 +		}
 +		/* Activate method if it isn't already */
-+		if (*(m->enabled) == -1)
++		if (m->enabled != NULL && *(m->enabled) == -1)
 +			*(m->enabled) = 1;
 +	}
 +	xfree(orig_methods);
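Review bot: The added guard on the `*(m->enabled) == -1` line tests `m->enabled` but not `m` itself, and the error branch just above it sets `ret = -1` and closes with no visible `break` or `continue`. If that branch is the lookup-failure case (the start of the loop is outside this hunk, so this is inferred), an unknown method name in the required list would still reach the dereference with `m == NULL` and crash sshd while it parses its configuration. Consider `if (m != NULL && m->enabled != NULL && *(m->enabled) == -1)`, or leaving the loop body as soon as `ret` is set. A short comment saying what `-1` stands for, and that naming a method as required switches it on, would also help anyone auditing which methods end up enabled.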
@@ -453,7 +453,7 @@ diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
 +
 diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-gss.c
 --- openssh-5.9p1/auth2-gss.c.required-authentication	2011-05-05 06:04:11.000000000 +0200
-+++ openssh-5.9p1/auth2-gss.c	2012-02-06 17:03:55.098862514 +0100
++++ openssh-5.9p1/auth2-gss.c	2012-03-30 18:38:00.005184630 +0200
 @@ -163,7 +163,7 @@ input_gssapi_token(int type, u_int32_t p
  		}
  		authctxt->postponed = 0;
@@ -483,21 +483,20 @@ diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-g
  Authmethod method_gssapi = {
 diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2-chall.c
 --- openssh-5.9p1/auth2-chall.c.required-authentication	2009-01-28 06:13:39.000000000 +0100
-+++ openssh-5.9p1/auth2-chall.c	2012-02-06 17:03:55.098862514 +0100
-@@ -341,8 +341,8 @@ input_userauth_info_response(int type, u
++++ openssh-5.9p1/auth2-chall.c	2012-03-30 19:25:49.049897712 +0200
+@@ -341,7 +341,8 @@ input_userauth_info_response(int type, u
  			auth2_challenge_start(authctxt);
  		}
  	}
 -	userauth_finish(authctxt, authenticated, method);
--	xfree(method);
 +	userauth_finish(authctxt, authenticated, "keyboard-interactive",
-+	    kbdintctxt->device?kbdintctxt->device->name:NULL);
++	    authctxt->kbdintctxt?kbdintctxt->device->name:NULL);
+ 	xfree(method);
  }
  
- void
 diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-none.c
 --- openssh-5.9p1/auth2-none.c.required-authentication	2010-06-26 02:01:33.000000000 +0200
-+++ openssh-5.9p1/auth2-none.c	2012-02-06 17:03:55.099879104 +0100
++++ openssh-5.9p1/auth2-none.c	2012-03-30 18:38:00.006184515 +0200
 @@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
  {
  	none_enabled = 0;
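Review bot: In the auth2-chall.c part of this hunk, the new second argument to userauth_finish tests `authctxt->kbdintctxt` but then dereferences the local `kbdintctxt` and its `device` member with no check. The call follows `auth2_challenge_start(authctxt)`, which presumably can tear down or advance the keyboard-interactive context (its body is not shown here). The local copy is therefore only safe while it still aliases the live context, and `device` may no longer be the one that handled the response. Reading through one pointer and checking both levels is safer: `authctxt->kbdintctxt != NULL && authctxt->kbdintctxt->device != NULL ? authctxt->kbdintctxt->device->name : NULL`. If the submethod name is used to match entries in the required-authentication list, saving the device name before the stop/start calls would be more robust still; input_userauth_info_response begins outside the hunk.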
@@ -508,8 +507,8 @@ diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-
  	return (0);
  }
 diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
---- openssh-5.9p1/monitor.c.required-authentication	2012-02-06 17:03:51.020095446 +0100
-+++ openssh-5.9p1/monitor.c	2012-02-06 17:03:55.101912924 +0100
+--- openssh-5.9p1/monitor.c.required-authentication	2012-03-30 18:37:59.976189954 +0200
++++ openssh-5.9p1/monitor.c	2012-03-30 18:38:04.555127442 +0200
 @@ -199,6 +199,7 @@ static int key_blobtype = MM_NOKEY;
  static char *hostbased_cuser = NULL;
  static char *hostbased_chost = NULL;
@@ -552,7 +551,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  		authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
  		if (authenticated) {
  			if (!(ent->flags & MON_AUTHDECIDE))
-@@ -401,11 +407,23 @@ monitor_child_preauth(Authctxt *_authctx
+@@ -401,11 +407,24 @@ monitor_child_preauth(Authctxt *_authctx
  			}
  #endif
  		}
@@ -564,9 +563,10 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 +				    auth_method, *req_auth);
 +			debug2("monitor_child_preauth: required list now: %s",
 +			    *req_auth == NULL ? "DONE" : *req_auth);
-+			if (*req_auth != NULL)
++			if (*req_auth != NULL) {
 +				authenticated = 0;
-+			no_increment = 1;
++				no_increment = 1;
++			}
 +		}
  
  		if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
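Review bot: `no_increment` is now set only inside the `if (*req_auth != NULL)` block, but nothing in this hunk clears it again. The loop head of monitor_child_preauth is outside the hunk; if the flag is not reset with `no_increment = 0;` at the start of each pass, one partially successful step would presumably keep suppressing `authctxt->failures++` for every later failed attempt, weakening the MaxAuthTries limit. A comment on the assignment such as `/* partial success: more required methods remain, do not count as a failure */` would make the intent explicit.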
@@ -578,7 +578,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  				authctxt->failures++;
  		}
  #ifdef JPAKE
-@@ -862,6 +880,7 @@ mm_answer_authpassword(int sock, Buffer 
+@@ -862,6 +881,7 @@ mm_answer_authpassword(int sock, Buffer 
  		auth_method = "none";
  	else
  		auth_method = "password";
@@ -586,7 +586,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  
  	/* Causes monitor loop to terminate if authenticated */
  	return (authenticated);
-@@ -921,6 +940,7 @@ mm_answer_bsdauthrespond(int sock, Buffe
+@@ -921,6 +941,7 @@ mm_answer_bsdauthrespond(int sock, Buffe
  	mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
  
  	auth_method = "bsdauth";
@@ -594,7 +594,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  
  	return (authok != 0);
  }
-@@ -970,6 +990,7 @@ mm_answer_skeyrespond(int sock, Buffer *
+@@ -970,6 +991,7 @@ mm_answer_skeyrespond(int sock, Buffer *
  	mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
  
  	auth_method = "skey";
@@ -602,7 +602,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  
  	return (authok != 0);
  }
-@@ -1059,7 +1080,8 @@ mm_answer_pam_query(int sock, Buffer *m)
+@@ -1059,7 +1081,8 @@ mm_answer_pam_query(int sock, Buffer *m)
  		xfree(prompts);
  	if (echo_on != NULL)
  		xfree(echo_on);
@@ -612,7 +612,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  	mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
  	return (0);
  }
-@@ -1088,7 +1110,8 @@ mm_answer_pam_respond(int sock, Buffer *
+@@ -1088,7 +1111,8 @@ mm_answer_pam_respond(int sock, Buffer *
  	buffer_clear(m);
  	buffer_put_int(m, ret);
  	mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
@@ -622,7 +622,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  	if (ret == 0)
  		sshpam_authok = sshpam_ctxt;
  	return (0);
-@@ -1102,7 +1125,8 @@ mm_answer_pam_free_ctx(int sock, Buffer 
+@@ -1102,7 +1126,8 @@ mm_answer_pam_free_ctx(int sock, Buffer 
  	(sshpam_device.free_ctx)(sshpam_ctxt);
  	buffer_clear(m);
  	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
@@ -632,7 +632,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  	return (sshpam_authok == sshpam_ctxt);
  }
  #endif
-@@ -1138,6 +1162,7 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1138,6 +1163,7 @@ mm_answer_keyallowed(int sock, Buffer *m
  			allowed = options.pubkey_authentication &&
  			    user_key_allowed(authctxt->pw, key);
  			auth_method = "publickey";
@@ -640,7 +640,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  			if (options.pubkey_authentication && allowed != 1)
  				auth_clear_options();
  			break;
-@@ -1146,6 +1171,7 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1146,6 +1172,7 @@ mm_answer_keyallowed(int sock, Buffer *m
  			    hostbased_key_allowed(authctxt->pw,
  			    cuser, chost, key);
  			auth_method = "hostbased";
@@ -648,7 +648,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  			break;
  		case MM_RSAHOSTKEY:
  			key->type = KEY_RSA1; /* XXX */
-@@ -1155,6 +1181,7 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1155,6 +1182,7 @@ mm_answer_keyallowed(int sock, Buffer *m
  			if (options.rhosts_rsa_authentication && allowed != 1)
  				auth_clear_options();
  			auth_method = "rsa";
@@ -656,7 +656,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  			break;
  		default:
  			fatal("%s: unknown key type %d", __func__, type);
-@@ -1180,7 +1207,8 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1180,7 +1208,8 @@ mm_answer_keyallowed(int sock, Buffer *m
  		hostbased_chost = chost;
  	} else {
  		/* Log failed attempt */
@@ -666,7 +666,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  		xfree(blob);
  		xfree(cuser);
  		xfree(chost);
-@@ -1356,6 +1384,7 @@ mm_answer_keyverify(int sock, Buffer *m)
+@@ -1356,6 +1385,7 @@ mm_answer_keyverify(int sock, Buffer *m)
  	xfree(data);
  
  	auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
@@ -674,7 +674,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  
  	monitor_reset_key_state();
  
-@@ -1545,6 +1574,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe
+@@ -1545,6 +1575,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe
  	debug3("%s entering", __func__);
  
  	auth_method = "rsa";
@@ -682,7 +682,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  	if (options.rsa_authentication && authctxt->valid) {
  		if ((client_n = BN_new()) == NULL)
  			fatal("%s: BN_new", __func__);
-@@ -1650,6 +1680,7 @@ mm_answer_rsa_response(int sock, Buffer 
+@@ -1650,6 +1681,7 @@ mm_answer_rsa_response(int sock, Buffer 
  	xfree(response);
  
  	auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
@@ -690,7 +690,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  
  	/* reset state */
  	BN_clear_free(ssh1_challenge);
-@@ -2099,6 +2130,7 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -2099,6 +2131,7 @@ mm_answer_gss_userok(int sock, Buffer *m
  	mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
  
  	auth_method = "gssapi-with-mic";
@@ -698,7 +698,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  
  	/* Monitor loop will terminate if authenticated */
  	return (authenticated);
-@@ -2303,6 +2335,7 @@ mm_answer_jpake_check_confirm(int sock, 
+@@ -2303,6 +2336,7 @@ mm_answer_jpake_check_confirm(int sock, 
  	monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
  
  	auth_method = "jpake-01 at openssh.com";
@@ -707,8 +707,8 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  }
  
 diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf.c
---- openssh-5.9p1/servconf.c.required-authentication	2012-02-06 17:03:51.024963230 +0100
-+++ openssh-5.9p1/servconf.c	2012-02-06 17:03:55.102929716 +0100
+--- openssh-5.9p1/servconf.c.required-authentication	2012-03-30 18:37:59.981184513 +0200
++++ openssh-5.9p1/servconf.c	2012-03-30 18:38:04.558121635 +0200
 @@ -42,6 +42,8 @@
  #include "key.h"
  #include "kex.h"
@@ -752,12 +752,12 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
 +	case sRequiredAuthentications1:
 +		charptr = &options->required_auth1;
 +		arg = strdelim(&cp);
-+		if (auth1_check_required(arg) != 0)
-+			fatal("%.200s line %d: Invalid required authentication "
-+			    "list", filename, linenum);
 +		if (!arg || *arg == '\0')
 +			fatal("%.200s line %d: Missing argument.",
 +			    filename, linenum);
++		if (auth1_check_required(arg) != 0)
++			fatal("%.200s line %d: Invalid required authentication "
++			    "list", filename, linenum);
 +		if (*charptr == NULL)
 +			*charptr = xstrdup(arg);
 +		break;
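Review bot: The value is stored under `if (*charptr == NULL)` alone, without the `*activep` test that other string options in process_server_config_line normally carry (that code is outside this hunk, so please confirm). The sshd_config.5 section of this patch appears to add the keyword to the list permitted in Match blocks. If so, a RequiredAuthentications1 line inside a Match block that does not apply could still set the global value during the initial parse, changing the authentication policy for users it was never meant for. Suggested form: `if (*activep && *charptr == NULL)`. The same applies to the sRequiredAuthentications2 case in the next hunk.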
@@ -765,12 +765,12 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
 +	case sRequiredAuthentications2:
 +		charptr = &options->required_auth2;
 +		arg = strdelim(&cp);
-+		if (auth2_check_required(arg) != 0)
-+			fatal("%.200s line %d: Invalid required authentication "
-+			    "list", filename, linenum);
 +		if (!arg || *arg == '\0')
 +			fatal("%.200s line %d: Missing argument.",
 +			    filename, linenum);
++		if (auth2_check_required(arg) != 0)
++			fatal("%.200s line %d: Invalid required authentication "
++			    "list", filename, linenum);
 +		if (*charptr == NULL)
 +			*charptr = xstrdup(arg);
 +		break;
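Review bot: `auth2_check_required(arg)` runs before the `if (*charptr == NULL)` test, so it is also called for a line whose value is then discarded because an earlier line already set `required_auth2`. If the activation code shown in the auth2.c section of this patch (`*(m->enabled) = 1`) belongs to auth2_check_required, which the visible lines do not confirm, such an ignored line would still switch on the methods it names. Validating without side effects and enabling methods only once the final list is known would avoid that. At minimum, a comment here should say that validation may enable authentication methods.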
@@ -780,7 +780,7 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
  		goto parse_int;
 diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf.h
 --- openssh-5.9p1/servconf.h.required-authentication	2011-06-23 00:30:03.000000000 +0200
-+++ openssh-5.9p1/servconf.h	2012-02-06 17:03:55.102929716 +0100
++++ openssh-5.9p1/servconf.h	2012-03-30 18:38:00.009184624 +0200
 @@ -154,6 +154,9 @@ typedef struct {
  	u_int num_authkeys_files;	/* Files containing public keys */
  	char   *authorized_keys_files[MAX_AUTHKEYS_FILES];
@@ -793,7 +793,7 @@ diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf
  	int	use_pam;		/* Enable auth via PAM */
 diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_config.5
 --- openssh-5.9p1/sshd_config.5.required-authentication	2011-08-05 22:17:33.000000000 +0200
-+++ openssh-5.9p1/sshd_config.5	2012-02-06 17:09:39.038871798 +0100
++++ openssh-5.9p1/sshd_config.5	2012-03-30 18:38:00.009184624 +0200
 @@ -723,6 +723,8 @@ Available keywords are
  .Cm PermitOpen ,
  .Cm PermitRootLogin ,
@@ -803,7 +803,7 @@ diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_
  .Cm PubkeyAuthentication ,
  .Cm RhostsRSAAuthentication ,
  .Cm RSAAuthentication ,
-@@ -920,6 +937,21 @@ Specifies a list of revoked public keys.
+@@ -920,6 +922,21 @@ Specifies a list of revoked public keys.
  Keys listed in this file will be refused for public key authentication.
  Note that if this file is not readable, then public key authentication will
  be refused for all users.

