[gsi-openssh/f19] Based on openssh-6.1p1-7.fc19

Mattias Ellert ellert at fedoraproject.org
Sat Apr 6 14:56:08 UTC 2013


commit 6ef9c4838f10879e83cea20251d8c7a3cdbf0391
Author: Mattias Ellert <mattias.ellert at fysast.uu.se>
Date:   Sat Apr 6 16:14:30 2013 +0200

    Based on openssh-6.1p1-7.fc19
    
    - Security fix for vulnerability
        http://grid.ncsa.illinois.edu/ssh/pamuserchange-2013-01.adv
        https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2013-5168

 gsi-openssh.spec                    |    8 +++++++-
 gsisshd-keygen                      |    6 +++---
 openssh-6.1p1-gsissh.patch          |    6 ++++--
 openssh-6.1p1-privsep-selinux.patch |   17 ++++++++++++++---
 4 files changed, 28 insertions(+), 9 deletions(-)
---
diff --git a/gsi-openssh.spec b/gsi-openssh.spec
index df27f99..09f35dc 100644
--- a/gsi-openssh.spec
+++ b/gsi-openssh.spec
@@ -32,7 +32,7 @@
 %global nologin 1
 
 %global openssh_ver 6.1p1
-%global openssh_rel 4
+%global openssh_rel 5
 
 Summary: An implementation of the SSH protocol with GSI authentication
 Name: gsi-openssh
@@ -529,6 +529,12 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_unitdir}/gsisshd.service
 
 %changelog
+* Sat Apr 06 2013 Mattias Ellert <mattias.ellert at fysast.uu.se> - 6.1p1-5
+- Based on openssh-6.1p1-7.fc19
+- Security fix for vulnerability
+    http://grid.ncsa.illinois.edu/ssh/pamuserchange-2013-01.adv
+    https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2013-5168
+
 * Tue Feb 26 2013 Mattias Ellert <mattias.ellert at fysast.uu.se> - 6.1p1-4
 - Based on openssh-6.1p1-6.fc18
 
diff --git a/gsisshd-keygen b/gsisshd-keygen
index 025a753..e3fc330 100644
--- a/gsisshd-keygen
+++ b/gsisshd-keygen
@@ -8,15 +8,15 @@
 # source function library
 . /etc/rc.d/init.d/functions
 
-# pull in sysconfig settings
-[ -f /etc/sysconfig/gsisshd ] && . /etc/sysconfig/gsisshd
-
 # Some functions to make the below more readable
 KEYGEN=/usr/bin/gsissh-keygen
 RSA1_KEY=/etc/gsissh/ssh_host_key
 RSA_KEY=/etc/gsissh/ssh_host_rsa_key
 DSA_KEY=/etc/gsissh/ssh_host_dsa_key
 
+# pull in sysconfig settings
+[ -f /etc/sysconfig/gsisshd ] && . /etc/sysconfig/gsisshd
+
 fips_enabled() {
 	if [ -r /proc/sys/crypto/fips_enabled ]; then
 		cat /proc/sys/crypto/fips_enabled
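Review bot: The moved `# pull in sysconfig settings` line still carries only its old comment, which says nothing about why the sourcing now follows the KEYGEN and *_KEY assignments — and that ordering is the entire effect of the hunk, so a later cleanup could silently move it back. I would write it as `# pull in sysconfig settings (after the defaults above, so /etc/sysconfig/gsisshd can override KEYGEN and the *_KEY paths)`. Whether any shipped sysconfig file actually sets those variables is not visible here. fips_enabled() starts inside this hunk and continues past it.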
diff --git a/openssh-6.1p1-gsissh.patch b/openssh-6.1p1-gsissh.patch
index 79cf702..558d299 100644
--- a/openssh-6.1p1-gsissh.patch
+++ b/openssh-6.1p1-gsissh.patch
@@ -370,7 +370,7 @@ diff -Nur openssh-6.1p1.orig/auth-pam.c openssh-6.1p1/auth-pam.c
  typedef pid_t sp_pthread_t;
  #endif
  
-@@ -277,6 +281,49 @@
+@@ -277,6 +281,51 @@
  # define pam_chauthtok(a,b)	(sshpam_chauthtok_ruid((a), (b)))
  #endif
  
@@ -410,8 +410,10 @@ diff -Nur openssh-6.1p1.orig/auth-pam.c openssh-6.1p1/auth-pam.c
 +			fatal("PAM: could not get passwd entry for user "
 +			    "'%.100s' provided by PAM_USER", user);
 +		pwfree(sshpam_authctxt->pw);
-+		sshpam_authctxt->pw = pw;
++		sshpam_authctxt->pw = pwcopy(pw);
 +		sshpam_authctxt->valid = allowed_user(pw);
++		xfree(sshpam_authctxt->user);
++		sshpam_authctxt->user = xstrdup(user);
 +		debug("PAM: user '%.100s' now %svalid", user,
 +		    sshpam_authctxt->valid ? "" : "in");
 +	}
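Review bot: The new `sshpam_authctxt->valid = allowed_user(pw);` only records whether the PAM-supplied user is permitted; nothing in the hunk refuses the authentication when it returns 0, and the debug() that follows merely logs "now invalid", so the rejection depends on code outside this hunk honouring `valid` — worth confirming rather than assuming. Replacing the stored pointer with `pwcopy(pw)` and `user` with `xstrdup(user)` is the right fix: the previous line kept what is presumably a getpwnam() result, which the C library may overwrite on the next lookup, and the PAM_USER string belongs to PAM, so both could have changed under sshd later. Since the security motivation is not stated in the code, I would add above the `pwfree` line: `/* PAM changed PAM_USER: re-resolve pw and re-check allowed_user() so later privilege drop and access checks use the new identity, not the one the client supplied */`. The enclosing function begins and ends outside the hunk.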
diff --git a/openssh-6.1p1-privsep-selinux.patch b/openssh-6.1p1-privsep-selinux.patch
index a2912f5..881c71a 100644
--- a/openssh-6.1p1-privsep-selinux.patch
+++ b/openssh-6.1p1-privsep-selinux.patch
@@ -75,9 +75,20 @@ diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c
  	}
  
 diff -up openssh-6.1p1/sshd.c.privsep-selinux openssh-6.1p1/sshd.c
---- openssh-6.1p1/sshd.c.privsep-selinux	2012-11-05 14:46:39.335809209 +0100
-+++ openssh-6.1p1/sshd.c	2012-11-05 14:46:39.341809247 +0100
-@@ -794,6 +794,13 @@ privsep_postauth(Authctxt *authctxt)
+--- openssh-6.1p1/sshd.c.privsep-selinux	2013-02-24 11:29:32.997823377 +0100
++++ openssh-6.1p1/sshd.c	2013-02-24 11:43:34.171182720 +0100
+@@ -653,6 +653,10 @@ privsep_preauth_child(void)
+ 	/* Demote the private keys to public keys. */
+ 	demote_sensitive_data();
+ 
++#ifdef WITH_SELINUX
++	ssh_selinux_change_context("sshd_net_t");
++#endif
++
+ 	/* Change our root directory */
+ 	if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
+ 		fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
+@@ -794,6 +798,13 @@ privsep_postauth(Authctxt *authctxt)
  	do_setusercontext(authctxt->pw);
  
   skip:
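Review bot: The added `ssh_selinux_change_context("sshd_net_t");` in privsep_preauth_child() discards whatever the call reports; its prototype is not in the hunk, so if it returns a status the child should treat a failed domain transition as fatal rather than continue silently in the parent's domain — if it is void and logs internally, a short comment saying so would stop the next reader from asking the same question. Placing it before chroot() looks correct since libselinux performs the transition through /proc/self/attr, which is presumably not reachable once the child is in _PATH_PRIVSEP_CHROOT_DIR; that too deserves stating. I would write above the #ifdef: `/* move the unprivileged pre-auth child into its own SELinux domain; must precede chroot() because setcon() needs /proc */`. privsep_preauth_child() begins and ends outside this hunk.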

