[gsi-openssh/f21] Based on openssh-6.6.1p1-8.fc21
Mattias Ellert
ellert at fedoraproject.org
Mon Nov 24 13:07:41 UTC 2014
commit b5761e5d23044cbf3738e3dbe7cc6bc0f8835e8c
Author: Mattias Ellert <mattias.ellert at fysast.uu.se>
Date: Mon Nov 24 13:32:03 2014 +0100
Based on openssh-6.6.1p1-8.fc21
gsi-openssh.spec | 29 ++-
gsisshd-keygen | 4 +-
openssh-6.3p1-krb5-use-default_ccache_name.patch | 2 +-
...overity.patch => openssh-6.6.1p1-coverity.patch | 360 +++++++++++--------
openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch | 28 ++
openssh-6.6.1p1-selinux-contexts.patch | 118 +++++++
openssh-6.6.1p1-servconf-parser.patch | 31 ++
openssh-6.6p1-audit.patch | 76 +++--
openssh-6.6p1-gsissh.patch | 7 +-
openssh-6.6p1-gsskex.patch | 26 +-
openssh-6.6p1-kuserok.patch | 210 +++++++++---
11 files changed, 650 insertions(+), 241 deletions(-)
---
diff --git a/gsi-openssh.spec b/gsi-openssh.spec
index 161c235..3a5bae1 100644
--- a/gsi-openssh.spec
+++ b/gsi-openssh.spec
@@ -29,7 +29,7 @@
%global ldap 1
%global openssh_ver 6.6.1p1
-%global openssh_rel 2
+%global openssh_rel 3
Summary: An implementation of the SSH protocol with GSI authentication
Name: gsi-openssh
@@ -50,7 +50,7 @@ Source13: gsisshd-keygen
Source99: README.sshd-and-gsisshd
#?
-Patch100: openssh-6.3p1-coverity.patch
+Patch100: openssh-6.6.1p1-coverity.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1872
Patch101: openssh-6.6p1-fingerprint.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1894
@@ -148,6 +148,14 @@ Patch912: openssh-6.6.1p1-utf8-banner.patch
# don't consider a partial success as a failure
# https://bugzilla.mindrot.org/show_bug.cgi?id=2270
Patch913: openssh-6.6.1p1-partial-success.patch
+# fix parsing of empty options in sshd_conf
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2281
+Patch914: openssh-6.6.1p1-servconf-parser.patch
+# Ignore SIGXFSZ in postauth monitor
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2263
+Patch915: openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch
+# privsep_preauth: use SELinux context from selinux-policy (#1008580)
+Patch916: openssh-6.6.1p1-selinux-contexts.patch
# This is the patch that adds GSI support
# Based on http://grid.ncsa.illinois.edu/ssh/dl/patch/openssh-6.6p1.patch
@@ -176,8 +184,8 @@ BuildRequires: krb5-devel
%if %{gsi}
BuildRequires: globus-gss-assist-devel >= 8
-BuildRequires: globus-gssapi-gsi >= 10
-BuildRequires: globus-common >= 14
+BuildRequires: globus-gssapi-gsi-devel >= 10
+BuildRequires: globus-common-devel >= 14
BuildRequires: globus-usage-devel >= 3
%endif
@@ -186,8 +194,8 @@ BuildRequires: libedit-devel ncurses-devel
%endif
%if %{WITH_SELINUX}
-Requires: libselinux >= 1.27.7
-BuildRequires: libselinux-devel >= 1.27.7
+Requires: libselinux >= 2.3-5
+BuildRequires: libselinux-devel >= 2.3-5
Requires: audit-libs >= 1.0.8
BuildRequires: audit-libs >= 1.0.8
%endif
@@ -249,7 +257,6 @@ This version of OpenSSH has been modified to support GSI authentication.
%prep
%setup -q -n openssh-6.6p1
-# rework %patch100 -p1 -b .coverity
%patch101 -p1 -b .fingerprint
# investigate %patch102 -p1 -b .getaddrinfo
%patch103 -p1 -b .packet
@@ -301,10 +308,15 @@ This version of OpenSSH has been modified to support GSI authentication.
%patch911 -p1 -b .set_remote_ipaddr
%patch912 -p1 -b .utf8-banner
%patch913 -p1 -b .partial-success
+%patch914 -p1 -b .servconf
+%patch915 -p1 -b .SIGXFSZ
+%patch916 -p1 -b .contexts
%patch200 -p1 -b .audit
%patch700 -p1 -b .fips
+%patch100 -p1 -b .coverity
+
%patch98 -p1 -b .gsi
sed 's/sshd.pid/gsisshd.pid/' -i pathnames.h
@@ -519,6 +531,9 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_unitdir}/gsisshd-keygen.service
%changelog
+* Mon Nov 24 2014 Mattias Ellert <mattias.ellert at fysast.uu.se> - 6.6.1p1-3
+- Based on openssh-6.6.1p1-8.fc21
+
* Wed Oct 22 2014 Mattias Ellert <mattias.ellert at fysast.uu.se> - 6.6.1p1-2
- Based on openssh-6.6.1p1-5.fc21
diff --git a/gsisshd-keygen b/gsisshd-keygen
index 80134db..b313c87 100644
--- a/gsisshd-keygen
+++ b/gsisshd-keygen
@@ -71,7 +71,7 @@ do_rsa_keygen() {
}
do_dsa_keygen() {
- if [ ! -s $DSA_KEY ]; then
+ if [ ! -s $DSA_KEY -a `fips_enabled` -eq 0 ]; then
echo -n $"Generating SSH2 DSA host key: "
rm -f $DSA_KEY
if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
@@ -113,7 +113,7 @@ do_ecdsa_keygen() {
}
do_ed25519_keygen() {
- if [ ! -s $ED25519_KEY ]; then
+ if [ ! -s $ED25519_KEY -a `fips_enabled` -eq 0 ]; then
echo -n $"Generating SSH2 ED25519 host key: "
rm -f $ED25519_KEY
if test ! -f $ED25519_KEY && $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >&/dev/null; then
diff --git a/openssh-6.3p1-krb5-use-default_ccache_name.patch b/openssh-6.3p1-krb5-use-default_ccache_name.patch
index b9c8000..dd201a4 100644
--- a/openssh-6.3p1-krb5-use-default_ccache_name.patch
+++ b/openssh-6.3p1-krb5-use-default_ccache_name.patch
@@ -30,7 +30,7 @@ diff -up openssh-6.3p1/auth-krb5.c.ccache_name openssh-6.3p1/auth-krb5.c
+ if (authctxt->krb5_ticket_file[0] == ':')
+ authctxt->krb5_ticket_file++;
+
-+ len = strlen(authctxt->krb5_ticket_file) + strlen(ccache_type);
++ len = strlen(authctxt->krb5_ticket_file) + strlen(ccache_type) + 2;
authctxt->krb5_ccname = xmalloc(len);
- snprintf(authctxt->krb5_ccname, len, "FILE:%s",
+
diff --git a/openssh-6.3p1-coverity.patch b/openssh-6.6.1p1-coverity.patch
similarity index 65%
rename from openssh-6.3p1-coverity.patch
rename to openssh-6.6.1p1-coverity.patch
index 69bcb81..9f71f9c 100644
--- a/openssh-6.3p1-coverity.patch
+++ b/openssh-6.6.1p1-coverity.patch
@@ -1,7 +1,8 @@
-diff -up openssh-6.3p1/auth-pam.c.coverity openssh-6.3p1/auth-pam.c
---- openssh-6.3p1/auth-pam.c.coverity 2013-06-02 00:07:32.000000000 +0200
-+++ openssh-6.3p1/auth-pam.c 2013-10-07 13:20:36.288298063 +0200
-@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void *
+diff --git a/auth-pam.c b/auth-pam.c
+index cd1a775..690711e 100644
+--- a/auth-pam.c
++++ b/auth-pam.c
+@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void **value)
if (sshpam_thread_status != -1)
return (sshpam_thread_status);
signal(SIGCHLD, sshpam_oldsig);
@@ -15,10 +16,11 @@ diff -up openssh-6.3p1/auth-pam.c.coverity openssh-6.3p1/auth-pam.c
return (status);
}
#endif
-diff -up openssh-6.3p1/channels.c.coverity openssh-6.3p1/channels.c
---- openssh-6.3p1/channels.c.coverity 2013-09-13 08:19:31.000000000 +0200
-+++ openssh-6.3p1/channels.c 2013-10-07 13:20:36.289298058 +0200
-@@ -233,11 +233,11 @@ channel_register_fds(Channel *c, int rfd
+diff --git a/channels.c b/channels.c
+index af3fdc2..39c9f89 100644
+--- a/channels.c
++++ b/channels.c
+@@ -233,11 +233,11 @@ channel_register_fds(Channel *c, int rfd, int wfd, int efd,
channel_max_fd = MAX(channel_max_fd, wfd);
channel_max_fd = MAX(channel_max_fd, efd);
@@ -33,7 +35,7 @@ diff -up openssh-6.3p1/channels.c.coverity openssh-6.3p1/channels.c
fcntl(efd, F_SETFD, FD_CLOEXEC);
c->rfd = rfd;
-@@ -255,11 +255,11 @@ channel_register_fds(Channel *c, int rfd
+@@ -255,11 +255,11 @@ channel_register_fds(Channel *c, int rfd, int wfd, int efd,
/* enable nonblocking mode */
if (nonblock) {
@@ -48,10 +50,11 @@ diff -up openssh-6.3p1/channels.c.coverity openssh-6.3p1/channels.c
set_nonblock(efd);
}
}
-diff -up openssh-6.3p1/clientloop.c.coverity openssh-6.3p1/clientloop.c
---- openssh-6.3p1/clientloop.c.coverity 2013-06-10 05:07:12.000000000 +0200
-+++ openssh-6.3p1/clientloop.c 2013-10-07 13:20:36.289298058 +0200
-@@ -2068,14 +2068,15 @@ client_input_global_request(int type, u_
+diff --git a/clientloop.c b/clientloop.c
+index 9c60108..d372b53 100644
+--- a/clientloop.c
++++ b/clientloop.c
+@@ -2081,14 +2081,15 @@ client_input_global_request(int type, u_int32_t seq, void *ctxt)
char *rtype;
int want_reply;
int success = 0;
@@ -69,10 +72,11 @@ diff -up openssh-6.3p1/clientloop.c.coverity openssh-6.3p1/clientloop.c
packet_send();
packet_write_wait();
}
-diff -up openssh-6.3p1/key.c.coverity openssh-6.3p1/key.c
---- openssh-6.3p1/key.c.coverity 2013-06-01 23:41:51.000000000 +0200
-+++ openssh-6.3p1/key.c 2013-10-07 13:20:36.290298054 +0200
-@@ -807,8 +807,10 @@ key_read(Key *ret, char **cpp)
+diff --git a/key.c b/key.c
+index a2050f6..6487d81 100644
+--- a/key.c
++++ b/key.c
+@@ -880,8 +880,10 @@ key_read(Key *ret, char **cpp)
success = 1;
/*XXXX*/
key_free(k);
@@ -83,10 +87,11 @@ diff -up openssh-6.3p1/key.c.coverity openssh-6.3p1/key.c
/* advance cp: skip whitespace and data */
while (*cp == ' ' || *cp == '\t')
cp++;
-diff -up openssh-6.3p1/monitor.c.coverity openssh-6.3p1/monitor.c
---- openssh-6.3p1/monitor.c.coverity 2013-07-20 05:21:53.000000000 +0200
-+++ openssh-6.3p1/monitor.c 2013-10-07 13:54:36.761314042 +0200
-@@ -449,7 +449,7 @@ monitor_child_preauth(Authctxt *_authctx
+diff --git a/monitor.c b/monitor.c
+index 3ff62b0..70b9b4c 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -472,7 +472,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
mm_get_keystate(pmonitor);
/* Drain any buffered messages from the child */
@@ -95,7 +100,7 @@ diff -up openssh-6.3p1/monitor.c.coverity openssh-6.3p1/monitor.c
;
close(pmonitor->m_sendfd);
-@@ -1202,6 +1202,10 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1254,6 +1254,10 @@ mm_answer_keyallowed(int sock, Buffer *m)
break;
}
}
@@ -106,7 +111,7 @@ diff -up openssh-6.3p1/monitor.c.coverity openssh-6.3p1/monitor.c
if (key != NULL)
key_free(key);
-@@ -1223,9 +1227,6 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1275,9 +1279,6 @@ mm_answer_keyallowed(int sock, Buffer *m)
free(chost);
}
@@ -116,10 +121,11 @@ diff -up openssh-6.3p1/monitor.c.coverity openssh-6.3p1/monitor.c
buffer_clear(m);
buffer_put_int(m, allowed);
buffer_put_int(m, forced_command != NULL);
-diff -up openssh-6.3p1/monitor_wrap.c.coverity openssh-6.3p1/monitor_wrap.c
---- openssh-6.3p1/monitor_wrap.c.coverity 2013-06-02 00:07:32.000000000 +0200
-+++ openssh-6.3p1/monitor_wrap.c 2013-10-07 13:20:36.291298049 +0200
-@@ -710,10 +710,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
+diff --git a/monitor_wrap.c b/monitor_wrap.c
+index 6df236a..93f6535 100644
+--- a/monitor_wrap.c
++++ b/monitor_wrap.c
+@@ -743,10 +743,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen)
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
error("%s: cannot allocate fds for pty", __func__);
@@ -133,10 +139,11 @@ diff -up openssh-6.3p1/monitor_wrap.c.coverity openssh-6.3p1/monitor_wrap.c
return 0;
}
close(tmp1);
-diff -up openssh-6.3p1/openbsd-compat/bindresvport.c.coverity openssh-6.3p1/openbsd-compat/bindresvport.c
---- openssh-6.3p1/openbsd-compat/bindresvport.c.coverity 2010-12-03 00:50:26.000000000 +0100
-+++ openssh-6.3p1/openbsd-compat/bindresvport.c 2013-10-07 13:20:36.291298049 +0200
-@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
+diff --git a/openbsd-compat/bindresvport.c b/openbsd-compat/bindresvport.c
+index c89f214..80115c2 100644
+--- a/openbsd-compat/bindresvport.c
++++ b/openbsd-compat/bindresvport.c
+@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr *sa)
struct sockaddr_in6 *in6;
u_int16_t *portp;
u_int16_t port;
@@ -145,10 +152,11 @@ diff -up openssh-6.3p1/openbsd-compat/bindresvport.c.coverity openssh-6.3p1/open
int i;
if (sa == NULL) {
-diff -up openssh-6.3p1/packet.c.coverity openssh-6.3p1/packet.c
---- openssh-6.3p1/packet.c.coverity 2013-07-18 08:12:45.000000000 +0200
-+++ openssh-6.3p1/packet.c 2013-10-07 13:20:36.291298049 +0200
-@@ -1199,6 +1199,7 @@ packet_read_poll1(void)
+diff --git a/packet.c b/packet.c
+index f5b122b..1305e87 100644
+--- a/packet.c
++++ b/packet.c
+@@ -1234,6 +1234,7 @@ packet_read_poll1(void)
case DEATTACK_DETECTED:
packet_disconnect("crc32 compensation attack: "
"network attack detected");
@@ -156,19 +164,20 @@ diff -up openssh-6.3p1/packet.c.coverity openssh-6.3p1/packet.c
case DEATTACK_DOS_DETECTED:
packet_disconnect("deattack denial of "
"service detected");
-diff -up openssh-6.3p1/progressmeter.c.coverity openssh-6.3p1/progressmeter.c
---- openssh-6.3p1/progressmeter.c.coverity 2013-06-02 15:46:24.000000000 +0200
-+++ openssh-6.3p1/progressmeter.c 2013-10-07 13:42:32.377850691 +0200
+diff --git a/progressmeter.c b/progressmeter.c
+index bbbc706..ae6d1aa 100644
+--- a/progressmeter.c
++++ b/progressmeter.c
@@ -65,7 +65,7 @@ static void update_progress_meter(int);
static time_t start; /* start progress */
static time_t last_update; /* last progress update */
-static char *file; /* name of the file being transferred */
+static const char *file; /* name of the file being transferred */
+ static off_t start_pos; /* initial position of transfer */
static off_t end_pos; /* ending position of transfer */
static off_t cur_pos; /* transfer position as of last refresh */
- static volatile off_t *counter; /* progress counter */
-@@ -247,7 +247,7 @@ update_progress_meter(int ignore)
+@@ -248,7 +248,7 @@ update_progress_meter(int ignore)
}
void
@@ -177,9 +186,10 @@ diff -up openssh-6.3p1/progressmeter.c.coverity openssh-6.3p1/progressmeter.c
{
start = last_update = monotime();
file = f;
-diff -up openssh-6.3p1/progressmeter.h.coverity openssh-6.3p1/progressmeter.h
---- openssh-6.3p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200
-+++ openssh-6.3p1/progressmeter.h 2013-10-07 13:20:36.292298044 +0200
+diff --git a/progressmeter.h b/progressmeter.h
+index 10bab99..e9ca8f0 100644
+--- a/progressmeter.h
++++ b/progressmeter.h
@@ -23,5 +23,5 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
@@ -187,9 +197,10 @@ diff -up openssh-6.3p1/progressmeter.h.coverity openssh-6.3p1/progressmeter.h
-void start_progress_meter(char *, off_t, off_t *);
+void start_progress_meter(const char *, off_t, off_t *);
void stop_progress_meter(void);
-diff -up openssh-6.3p1/scp.c.coverity openssh-6.3p1/scp.c
---- openssh-6.3p1/scp.c.coverity 2013-07-18 08:11:25.000000000 +0200
-+++ openssh-6.3p1/scp.c 2013-10-07 13:20:36.292298044 +0200
+diff --git a/scp.c b/scp.c
+index 1178a07..d9bc016 100644
+--- a/scp.c
++++ b/scp.c
@@ -155,7 +155,7 @@ killchild(int signo)
{
if (do_cmd_pid > 1) {
@@ -199,10 +210,11 @@ diff -up openssh-6.3p1/scp.c.coverity openssh-6.3p1/scp.c
}
if (signo)
-diff -up openssh-6.3p1/servconf.c.coverity openssh-6.3p1/servconf.c
---- openssh-6.3p1/servconf.c.coverity 2013-07-20 05:21:53.000000000 +0200
-+++ openssh-6.3p1/servconf.c 2013-10-07 13:20:36.293298039 +0200
-@@ -1323,7 +1323,7 @@ process_server_config_line(ServerOptions
+diff --git a/servconf.c b/servconf.c
+index 3839928..d482e79 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -1382,7 +1382,7 @@ process_server_config_line(ServerOptions *options, char *line,
fatal("%s line %d: Missing subsystem name.",
filename, linenum);
if (!*activep) {
@@ -211,7 +223,7 @@ diff -up openssh-6.3p1/servconf.c.coverity openssh-6.3p1/servconf.c
break;
}
for (i = 0; i < options->num_subsystems; i++)
-@@ -1414,8 +1414,9 @@ process_server_config_line(ServerOptions
+@@ -1473,8 +1473,9 @@ process_server_config_line(ServerOptions *options, char *line,
if (*activep && *charptr == NULL) {
*charptr = tilde_expand_filename(arg, getuid());
/* increase optional counter */
@@ -223,9 +235,10 @@ diff -up openssh-6.3p1/servconf.c.coverity openssh-6.3p1/servconf.c
}
break;
-diff -up openssh-6.3p1/serverloop.c.coverity openssh-6.3p1/serverloop.c
---- openssh-6.3p1/serverloop.c.coverity 2013-07-18 08:12:45.000000000 +0200
-+++ openssh-6.3p1/serverloop.c 2013-10-07 13:43:36.620537138 +0200
+diff --git a/serverloop.c b/serverloop.c
+index 2f8e3a0..e03bc6c 100644
+--- a/serverloop.c
++++ b/serverloop.c
@@ -147,13 +147,13 @@ notify_setup(void)
static void
notify_parent(void)
@@ -253,7 +266,7 @@ diff -up openssh-6.3p1/serverloop.c.coverity openssh-6.3p1/serverloop.c
debug2("notify_done: reading");
}
-@@ -336,7 +336,7 @@ wait_until_can_do_something(fd_set **rea
+@@ -337,7 +337,7 @@ wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
* If we have buffered data, try to write some of that data
* to the program.
*/
@@ -262,7 +275,7 @@ diff -up openssh-6.3p1/serverloop.c.coverity openssh-6.3p1/serverloop.c
FD_SET(fdin, *writesetp);
}
notify_prepare(*readsetp);
-@@ -476,7 +476,7 @@ process_output(fd_set *writeset)
+@@ -477,7 +477,7 @@ process_output(fd_set *writeset)
int len;
/* Write buffered data to program stdin. */
@@ -271,7 +284,7 @@ diff -up openssh-6.3p1/serverloop.c.coverity openssh-6.3p1/serverloop.c
data = buffer_ptr(&stdin_buffer);
dlen = buffer_len(&stdin_buffer);
len = write(fdin, data, dlen);
-@@ -589,7 +589,7 @@ server_loop(pid_t pid, int fdin_arg, int
+@@ -590,7 +590,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
set_nonblock(fdin);
set_nonblock(fdout);
/* we don't have stderr for interactive terminal sessions, see below */
@@ -280,7 +293,7 @@ diff -up openssh-6.3p1/serverloop.c.coverity openssh-6.3p1/serverloop.c
set_nonblock(fderr);
if (!(datafellows & SSH_BUG_IGNOREMSG) && isatty(fdin))
-@@ -613,7 +613,7 @@ server_loop(pid_t pid, int fdin_arg, int
+@@ -614,7 +614,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
max_fd = MAX(connection_in, connection_out);
max_fd = MAX(max_fd, fdin);
max_fd = MAX(max_fd, fdout);
@@ -289,7 +302,7 @@ diff -up openssh-6.3p1/serverloop.c.coverity openssh-6.3p1/serverloop.c
max_fd = MAX(max_fd, fderr);
#endif
-@@ -643,7 +643,7 @@ server_loop(pid_t pid, int fdin_arg, int
+@@ -644,7 +644,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
* If we have received eof, and there is no more pending
* input data, cause a real eof by closing fdin.
*/
@@ -298,7 +311,7 @@ diff -up openssh-6.3p1/serverloop.c.coverity openssh-6.3p1/serverloop.c
if (fdin != fdout)
close(fdin);
else
-@@ -739,15 +739,15 @@ server_loop(pid_t pid, int fdin_arg, int
+@@ -740,15 +740,15 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
buffer_free(&stderr_buffer);
/* Close the file descriptors. */
@@ -317,7 +330,7 @@ diff -up openssh-6.3p1/serverloop.c.coverity openssh-6.3p1/serverloop.c
close(fdin);
fdin = -1;
-@@ -946,7 +946,7 @@ server_input_window_size(int type, u_int
+@@ -947,7 +947,7 @@ server_input_window_size(int type, u_int32_t seq, void *ctxt)
debug("Window change received.");
packet_check_eom();
@@ -326,7 +339,7 @@ diff -up openssh-6.3p1/serverloop.c.coverity openssh-6.3p1/serverloop.c
pty_change_window_size(fdin, row, col, xpixel, ypixel);
}
-@@ -1006,7 +1006,7 @@ server_request_tun(void)
+@@ -1007,7 +1007,7 @@ server_request_tun(void)
}
tun = packet_get_int();
@@ -335,10 +348,11 @@ diff -up openssh-6.3p1/serverloop.c.coverity openssh-6.3p1/serverloop.c
if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
goto done;
tun = forced_tun_device;
-diff -up openssh-6.3p1/sftp-client.c.coverity openssh-6.3p1/sftp-client.c
---- openssh-6.3p1/sftp-client.c.coverity 2013-07-26 00:40:00.000000000 +0200
-+++ openssh-6.3p1/sftp-client.c 2013-10-07 13:48:45.885027420 +0200
-@@ -149,7 +149,7 @@ get_msg(struct sftp_conn *conn, Buffer *
+diff --git a/sftp-client.c b/sftp-client.c
+index 2f5907c..3a2affd 100644
+--- a/sftp-client.c
++++ b/sftp-client.c
+@@ -151,7 +151,7 @@ get_msg(struct sftp_conn *conn, Buffer *m)
}
static void
@@ -347,7 +361,7 @@ diff -up openssh-6.3p1/sftp-client.c.coverity openssh-6.3p1/sftp-client.c
u_int len)
{
Buffer msg;
-@@ -165,7 +165,7 @@ send_string_request(struct sftp_conn *co
+@@ -167,7 +167,7 @@ send_string_request(struct sftp_conn *conn, u_int id, u_int code, char *s,
static void
send_string_attrs_request(struct sftp_conn *conn, u_int id, u_int code,
@@ -356,7 +370,7 @@ diff -up openssh-6.3p1/sftp-client.c.coverity openssh-6.3p1/sftp-client.c
{
Buffer msg;
-@@ -422,7 +422,7 @@ sftp_proto_version(struct sftp_conn *con
+@@ -429,7 +429,7 @@ sftp_proto_version(struct sftp_conn *conn)
}
int
@@ -365,16 +379,16 @@ diff -up openssh-6.3p1/sftp-client.c.coverity openssh-6.3p1/sftp-client.c
{
u_int id, status;
Buffer msg;
-@@ -447,7 +447,7 @@ do_close(struct sftp_conn *conn, char *h
+@@ -454,7 +454,7 @@ do_close(struct sftp_conn *conn, char *handle, u_int handle_len)
static int
--do_lsreaddir(struct sftp_conn *conn, char *path, int printflag,
-+do_lsreaddir(struct sftp_conn *conn, const char *path, int printflag,
+-do_lsreaddir(struct sftp_conn *conn, char *path, int print_flag,
++do_lsreaddir(struct sftp_conn *conn, const char *path, int print_flag,
SFTP_DIRENT ***dir)
{
Buffer msg;
-@@ -572,7 +572,7 @@ do_lsreaddir(struct sftp_conn *conn, cha
+@@ -577,7 +577,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int print_flag,
}
int
@@ -383,7 +397,7 @@ diff -up openssh-6.3p1/sftp-client.c.coverity openssh-6.3p1/sftp-client.c
{
return(do_lsreaddir(conn, path, 0, dir));
}
-@@ -590,7 +590,7 @@ void free_sftp_dirents(SFTP_DIRENT **s)
+@@ -597,7 +597,7 @@ void free_sftp_dirents(SFTP_DIRENT **s)
}
int
@@ -392,16 +406,16 @@ diff -up openssh-6.3p1/sftp-client.c.coverity openssh-6.3p1/sftp-client.c
{
u_int status, id;
-@@ -605,7 +605,7 @@ do_rm(struct sftp_conn *conn, char *path
+@@ -612,7 +612,7 @@ do_rm(struct sftp_conn *conn, char *path)
}
int
--do_mkdir(struct sftp_conn *conn, char *path, Attrib *a, int printflag)
-+do_mkdir(struct sftp_conn *conn, const char *path, Attrib *a, int printflag)
+-do_mkdir(struct sftp_conn *conn, char *path, Attrib *a, int print_flag)
++do_mkdir(struct sftp_conn *conn, const char *path, Attrib *a, int print_flag)
{
u_int status, id;
-@@ -621,7 +621,7 @@ do_mkdir(struct sftp_conn *conn, char *p
+@@ -628,7 +628,7 @@ do_mkdir(struct sftp_conn *conn, char *path, Attrib *a, int print_flag)
}
int
@@ -410,7 +424,7 @@ diff -up openssh-6.3p1/sftp-client.c.coverity openssh-6.3p1/sftp-client.c
{
u_int status, id;
-@@ -637,7 +637,7 @@ do_rmdir(struct sftp_conn *conn, char *p
+@@ -644,7 +644,7 @@ do_rmdir(struct sftp_conn *conn, char *path)
}
Attrib *
@@ -419,7 +433,7 @@ diff -up openssh-6.3p1/sftp-client.c.coverity openssh-6.3p1/sftp-client.c
{
u_int id;
-@@ -651,7 +651,7 @@ do_stat(struct sftp_conn *conn, char *pa
+@@ -658,7 +658,7 @@ do_stat(struct sftp_conn *conn, char *path, int quiet)
}
Attrib *
@@ -428,7 +442,16 @@ diff -up openssh-6.3p1/sftp-client.c.coverity openssh-6.3p1/sftp-client.c
{
u_int id;
-@@ -685,7 +685,7 @@ do_fstat(struct sftp_conn *conn, char *h
+@@ -679,7 +679,7 @@ do_lstat(struct sftp_conn *conn, char *path, int quiet)
+
+ #ifdef notyet
+ Attrib *
+-do_fstat(struct sftp_conn *conn, char *handle, u_int handle_len, int quiet)
++do_fstat(struct sftp_conn *conn, const char *handle, u_int handle_len, int quiet)
+ {
+ u_int id;
+
+@@ -692,7 +692,7 @@ do_fstat(struct sftp_conn *conn, char *handle, u_int handle_len, int quiet)
#endif
int
@@ -437,7 +460,7 @@ diff -up openssh-6.3p1/sftp-client.c.coverity openssh-6.3p1/sftp-client.c
{
u_int status, id;
-@@ -702,7 +702,7 @@ do_setstat(struct sftp_conn *conn, char
+@@ -709,7 +709,7 @@ do_setstat(struct sftp_conn *conn, char *path, Attrib *a)
}
int
@@ -446,7 +469,7 @@ diff -up openssh-6.3p1/sftp-client.c.coverity openssh-6.3p1/sftp-client.c
Attrib *a)
{
u_int status, id;
-@@ -719,7 +719,7 @@ do_fsetstat(struct sftp_conn *conn, char
+@@ -726,7 +726,7 @@ do_fsetstat(struct sftp_conn *conn, char *handle, u_int handle_len,
}
char *
@@ -455,16 +478,16 @@ diff -up openssh-6.3p1/sftp-client.c.coverity openssh-6.3p1/sftp-client.c
{
Buffer msg;
u_int type, expected_id, count, id;
-@@ -768,7 +768,7 @@ do_realpath(struct sftp_conn *conn, char
+@@ -775,7 +775,7 @@ do_realpath(struct sftp_conn *conn, char *path)
}
int
--do_rename(struct sftp_conn *conn, char *oldpath, char *newpath)
-+do_rename(struct sftp_conn *conn, const char *oldpath, const char *newpath)
+-do_rename(struct sftp_conn *conn, char *oldpath, char *newpath,
++do_rename(struct sftp_conn *conn, const char *oldpath, const char *newpath,
+ int force_legacy)
{
Buffer msg;
- u_int status, id;
-@@ -802,7 +802,7 @@ do_rename(struct sftp_conn *conn, char *
+@@ -811,7 +811,7 @@ do_rename(struct sftp_conn *conn, char *oldpath, char *newpath,
}
int
@@ -473,7 +496,7 @@ diff -up openssh-6.3p1/sftp-client.c.coverity openssh-6.3p1/sftp-client.c
{
Buffer msg;
u_int status, id;
-@@ -835,7 +835,7 @@ do_hardlink(struct sftp_conn *conn, char
+@@ -844,7 +844,7 @@ do_hardlink(struct sftp_conn *conn, char *oldpath, char *newpath)
}
int
@@ -482,61 +505,88 @@ diff -up openssh-6.3p1/sftp-client.c.coverity openssh-6.3p1/sftp-client.c
{
Buffer msg;
u_int status, id;
-@@ -987,7 +987,7 @@ send_read_request(struct sftp_conn *conn
+@@ -876,7 +876,7 @@ do_symlink(struct sftp_conn *conn, char *oldpath, char *newpath)
+ }
+
+ int
+-do_fsync(struct sftp_conn *conn, char *handle, u_int handle_len)
++do_fsync(struct sftp_conn *conn, const char *handle, u_int handle_len)
+ {
+ Buffer msg;
+ u_int status, id;
+@@ -907,7 +907,7 @@ do_fsync(struct sftp_conn *conn, char *handle, u_int handle_len)
+
+ #ifdef notyet
+ char *
+-do_readlink(struct sftp_conn *conn, char *path)
++do_readlink(struct sftp_conn *conn, const char *path)
+ {
+ Buffer msg;
+ u_int type, expected_id, count, id;
+@@ -1010,7 +1010,7 @@ do_fstatvfs(struct sftp_conn *conn, const char *handle, u_int handle_len,
+
+ static void
+ send_read_request(struct sftp_conn *conn, u_int id, u_int64_t offset,
+- u_int len, char *handle, u_int handle_len)
++ u_int len, const char *handle, u_int handle_len)
+ {
+ Buffer msg;
+
+@@ -1026,7 +1026,7 @@ send_read_request(struct sftp_conn *conn, u_int id, u_int64_t offset,
}
int
-do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
+do_download(struct sftp_conn *conn, const char *remote_path, const char *local_path,
- Attrib *a, int pflag, int resume)
+ Attrib *a, int preserve_flag, int resume_flag, int fsync_flag)
{
Attrib junk;
-@@ -1255,7 +1255,7 @@ do_download(struct sftp_conn *conn, char
+@@ -1308,7 +1308,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
}
static int
--download_dir_internal(struct sftp_conn *conn, char *src, char *dst,
-+download_dir_internal(struct sftp_conn *conn, const char *src, const char *dst,
- Attrib *dirattrib, int pflag, int printflag, int depth, int resume)
+-download_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth,
++download_dir_internal(struct sftp_conn *conn, const char *src, const char *dst, int depth,
+ Attrib *dirattrib, int preserve_flag, int print_flag, int resume_flag,
+ int fsync_flag)
{
- int i, ret = 0;
-@@ -1345,7 +1345,7 @@ download_dir_internal(struct sftp_conn *
+@@ -1400,7 +1400,7 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth,
}
int
-download_dir(struct sftp_conn *conn, char *src, char *dst,
+download_dir(struct sftp_conn *conn, const char *src, const char *dst,
- Attrib *dirattrib, int pflag, int printflag, int resume)
+ Attrib *dirattrib, int preserve_flag, int print_flag,
+ int resume_flag, int fsync_flag)
{
- char *src_canon;
-@@ -1363,7 +1363,7 @@ download_dir(struct sftp_conn *conn, cha
+@@ -1419,7 +1419,7 @@ download_dir(struct sftp_conn *conn, char *src, char *dst,
}
int
-do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
+do_upload(struct sftp_conn *conn, const char *local_path, const char *remote_path,
- int pflag)
+ int preserve_flag, int fsync_flag)
{
int local_fd;
-@@ -1548,7 +1548,7 @@ do_upload(struct sftp_conn *conn, char *
+@@ -1607,7 +1607,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
}
static int
--upload_dir_internal(struct sftp_conn *conn, char *src, char *dst,
-+upload_dir_internal(struct sftp_conn *conn, const char *src, const char *dst,
- int pflag, int printflag, int depth)
+-upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth,
++upload_dir_internal(struct sftp_conn *conn, const char *src, const char *dst, int depth,
+ int preserve_flag, int print_flag, int fsync_flag)
{
int ret = 0, status;
-@@ -1639,7 +1639,7 @@ upload_dir_internal(struct sftp_conn *co
+@@ -1700,7 +1700,7 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth,
}
int
--upload_dir(struct sftp_conn *conn, char *src, char *dst, int printflag,
-+upload_dir(struct sftp_conn *conn, const char *src, const char *dst, int printflag,
- int pflag)
+-upload_dir(struct sftp_conn *conn, char *src, char *dst, int preserve_flag,
++upload_dir(struct sftp_conn *conn, const char *src, const char *dst, int preserve_flag,
+ int print_flag, int fsync_flag)
{
char *dst_canon;
-@@ -1656,7 +1656,7 @@ upload_dir(struct sftp_conn *conn, char
+@@ -1719,7 +1719,7 @@ upload_dir(struct sftp_conn *conn, char *src, char *dst, int preserve_flag,
}
char *
@@ -545,10 +595,11 @@ diff -up openssh-6.3p1/sftp-client.c.coverity openssh-6.3p1/sftp-client.c
{
char *ret;
size_t len = strlen(p1) + strlen(p2) + 2;
-diff -up openssh-6.3p1/sftp-client.h.coverity openssh-6.3p1/sftp-client.h
---- openssh-6.3p1/sftp-client.h.coverity 2013-07-25 03:56:52.000000000 +0200
-+++ openssh-6.3p1/sftp-client.h 2013-10-07 13:45:10.108080813 +0200
-@@ -56,49 +56,49 @@ struct sftp_conn *do_init(int, int, u_in
+diff --git a/sftp-client.h b/sftp-client.h
+index ba92ad0..c085423 100644
+--- a/sftp-client.h
++++ b/sftp-client.h
+@@ -56,79 +56,79 @@ struct sftp_conn *do_init(int, int, u_int, u_int, u_int64_t);
u_int sftp_proto_version(struct sftp_conn *);
/* Close file referred to by 'handle' */
@@ -598,57 +649,60 @@ diff -up openssh-6.3p1/sftp-client.h.coverity openssh-6.3p1/sftp-client.h
int do_statvfs(struct sftp_conn *, const char *, struct sftp_statvfs *, int);
/* Rename 'oldpath' to 'newpath' */
--int do_rename(struct sftp_conn *, char *, char *);
-+int do_rename(struct sftp_conn *, const char *, const char *);
+-int do_rename(struct sftp_conn *, char *, char *m, int force_legacy);
++int do_rename(struct sftp_conn *, const char *, const char *m, int force_legacy);
/* Link 'oldpath' to 'newpath' */
-int do_hardlink(struct sftp_conn *, char *, char *);
+int do_hardlink(struct sftp_conn *, const char *, const char *);
--/* Rename 'oldpath' to 'newpath' */
+ /* Rename 'oldpath' to 'newpath' */
-int do_symlink(struct sftp_conn *, char *, char *);
-+/* Symlink 'oldpath' to 'newpath' */
+int do_symlink(struct sftp_conn *, const char *, const char *);
- /* XXX: add callbacks to do_download/do_upload so we can do progress meter */
+ /* Call fsync() on open file 'handle' */
+-int do_fsync(struct sftp_conn *conn, char *, u_int);
++int do_fsync(struct sftp_conn *conn, const char *, u_int);
-@@ -106,27 +106,27 @@ int do_symlink(struct sftp_conn *, char
+ /*
* Download 'remote_path' to 'local_path'. Preserve permissions and times
* if 'pflag' is set
*/
--int do_download(struct sftp_conn *, char *, char *, Attrib *, int, int);
-+int do_download(struct sftp_conn *, const char *, const char *, Attrib *, int, int);
+-int do_download(struct sftp_conn *, char *, char *, Attrib *, int, int, int);
++int do_download(struct sftp_conn *, const char *, const char *, Attrib *, int, int, int);
/*
* Recursively download 'remote_directory' to 'local_directory'. Preserve
* times if 'pflag' is set
*/
--int download_dir(struct sftp_conn *, char *, char *, Attrib *, int, int, int);
-+int download_dir(struct sftp_conn *, const char *, const char *, Attrib *, int, int, int);
+-int download_dir(struct sftp_conn *, char *, char *, Attrib *, int,
++int download_dir(struct sftp_conn *, const char *, const char *, Attrib *, int,
+ int, int, int);
/*
* Upload 'local_path' to 'remote_path'. Preserve permissions and times
* if 'pflag' is set
*/
--int do_upload(struct sftp_conn *, char *, char *, int);
-+int do_upload(struct sftp_conn *, const char *, const char *, int);
+-int do_upload(struct sftp_conn *, char *, char *, int, int);
++int do_upload(struct sftp_conn *, const char *, const char *, int, int);
/*
* Recursively upload 'local_directory' to 'remote_directory'. Preserve
* times if 'pflag' is set
*/
--int upload_dir(struct sftp_conn *, char *, char *, int, int);
-+int upload_dir(struct sftp_conn *, const char *, const char *, int, int);
+-int upload_dir(struct sftp_conn *, char *, char *, int, int, int);
++int upload_dir(struct sftp_conn *, const char *, const char *, int, int, int);
/* Concatenate paths, taking care of slashes. Caller must free result. */
-char *path_append(char *, char *);
+char *path_append(const char *, const char *);
#endif
-diff -up openssh-6.3p1/sftp.c.coverity openssh-6.3p1/sftp.c
---- openssh-6.3p1/sftp.c.coverity 2013-07-25 03:56:52.000000000 +0200
-+++ openssh-6.3p1/sftp.c 2013-10-07 13:49:47.322727449 +0200
-@@ -213,7 +213,7 @@ killchild(int signo)
+diff --git a/sftp.c b/sftp.c
+index ad1f8c8..3987117 100644
+--- a/sftp.c
++++ b/sftp.c
+@@ -218,7 +218,7 @@ killchild(int signo)
{
if (sshpid > 1) {
kill(sshpid, SIGTERM);
@@ -657,7 +711,7 @@ diff -up openssh-6.3p1/sftp.c.coverity openssh-6.3p1/sftp.c
}
_exit(1);
-@@ -324,7 +324,7 @@ local_do_ls(const char *args)
+@@ -329,7 +329,7 @@ local_do_ls(const char *args)
/* Strip one path (usually the pwd) from the start of another */
static char *
@@ -666,7 +720,7 @@ diff -up openssh-6.3p1/sftp.c.coverity openssh-6.3p1/sftp.c
{
size_t len;
-@@ -342,7 +342,7 @@ path_strip(char *path, char *strip)
+@@ -347,7 +347,7 @@ path_strip(char *path, char *strip)
}
static char *
@@ -675,7 +729,7 @@ diff -up openssh-6.3p1/sftp.c.coverity openssh-6.3p1/sftp.c
{
char *abs_str;
-@@ -493,7 +493,7 @@ parse_df_flags(const char *cmd, char **a
+@@ -545,7 +545,7 @@ parse_no_flags(const char *cmd, char **argv, int argc)
}
static int
@@ -684,7 +738,7 @@ diff -up openssh-6.3p1/sftp.c.coverity openssh-6.3p1/sftp.c
{
struct stat sb;
-@@ -505,7 +505,7 @@ is_dir(char *path)
+@@ -557,7 +557,7 @@ is_dir(char *path)
}
static int
@@ -693,7 +747,7 @@ diff -up openssh-6.3p1/sftp.c.coverity openssh-6.3p1/sftp.c
{
Attrib *a;
-@@ -519,7 +519,7 @@ remote_is_dir(struct sftp_conn *conn, ch
+@@ -571,7 +571,7 @@ remote_is_dir(struct sftp_conn *conn, char *path)
/* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
static int
@@ -702,25 +756,25 @@ diff -up openssh-6.3p1/sftp.c.coverity openssh-6.3p1/sftp.c
{
size_t l = strlen(pathname);
-@@ -527,7 +527,7 @@ pathname_is_dir(char *pathname)
+@@ -579,7 +579,7 @@ pathname_is_dir(char *pathname)
}
static int
-process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
+process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
- int pflag, int rflag, int resume)
+ int pflag, int rflag, int resume, int fflag)
{
char *abs_src = NULL;
-@@ -605,7 +605,7 @@ out:
+@@ -659,7 +659,7 @@ out:
}
static int
-process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
+process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
- int pflag, int rflag)
+ int pflag, int rflag, int fflag)
{
char *tmp_dst = NULL;
-@@ -709,7 +709,7 @@ sdirent_comp(const void *aa, const void
+@@ -765,7 +765,7 @@ sdirent_comp(const void *aa, const void *bb)
/* sftp ls.1 replacement for directories */
static int
@@ -729,7 +783,7 @@ diff -up openssh-6.3p1/sftp.c.coverity openssh-6.3p1/sftp.c
{
int n;
u_int c = 1, colspace = 0, columns = 1;
-@@ -794,7 +794,7 @@ do_ls_dir(struct sftp_conn *conn, char *
+@@ -850,7 +850,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
/* sftp ls.1 replacement which handles path globs */
static int
@@ -738,7 +792,7 @@ diff -up openssh-6.3p1/sftp.c.coverity openssh-6.3p1/sftp.c
int lflag)
{
char *fname, *lname;
-@@ -875,7 +875,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
+@@ -931,7 +931,7 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
}
static int
@@ -747,10 +801,11 @@ diff -up openssh-6.3p1/sftp.c.coverity openssh-6.3p1/sftp.c
{
struct sftp_statvfs st;
char s_used[FMT_SCALED_STRSIZE];
-diff -up openssh-6.3p1/ssh-agent.c.coverity openssh-6.3p1/ssh-agent.c
---- openssh-6.3p1/ssh-agent.c.coverity 2013-07-20 05:22:49.000000000 +0200
-+++ openssh-6.3p1/ssh-agent.c 2013-10-07 13:20:36.296298024 +0200
-@@ -1143,8 +1143,8 @@ main(int ac, char **av)
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 117fdde..2b50132 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1037,8 +1037,8 @@ main(int ac, char **av)
sanitise_stdfd();
/* drop */
@@ -761,10 +816,11 @@ diff -up openssh-6.3p1/ssh-agent.c.coverity openssh-6.3p1/ssh-agent.c
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
/* Disable ptrace on Linux without sgid bit */
-diff -up openssh-6.3p1/sshd.c.coverity openssh-6.3p1/sshd.c
---- openssh-6.3p1/sshd.c.coverity 2013-07-20 05:21:53.000000000 +0200
-+++ openssh-6.3p1/sshd.c 2013-10-07 13:20:36.296298024 +0200
-@@ -699,8 +699,10 @@ privsep_preauth(Authctxt *authctxt)
+diff --git a/sshd.c b/sshd.c
+index 773bb02..1eaa9f7 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -771,8 +771,10 @@ privsep_preauth(Authctxt *authctxt)
if (getuid() == 0 || geteuid() == 0)
privsep_preauth_child();
setproctitle("%s", "[net]");
@@ -776,7 +832,7 @@ diff -up openssh-6.3p1/sshd.c.coverity openssh-6.3p1/sshd.c
return 0;
}
-@@ -1345,6 +1347,9 @@ server_accept_loop(int *sock_in, int *so
+@@ -1439,6 +1441,9 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
if (num_listen_socks < 0)
break;
}
diff --git a/openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch b/openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch
new file mode 100644
index 0000000..87434ce
--- /dev/null
+++ b/openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch
@@ -0,0 +1,28 @@
+diff --git a/ChangeLog b/ChangeLog
+index 3887495..a4dc72f 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,9 @@
++20140823
++ - (djm) [sshd.c] Ignore SIGXFSZ in preauth monitor child; can explode on
++ lastlog writing on platforms with high UIDs; bz#2263
++ - (djm) [monitor.c sshd.c] SIGXFSZ needs to be ignored in postauth
++ monitor, not preauth; bz#2263
++
+ 20140703
+ - OpenBSD CVS Sync
+ - djm at cvs.openbsd.org 2014/07/03 03:34:09
+diff --git a/monitor.c b/monitor.c
+index bdabe21..5a65114 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -501,6 +501,9 @@ monitor_child_postauth(struct monitor *pmonitor)
+ signal(SIGHUP, &monitor_child_handler);
+ signal(SIGTERM, &monitor_child_handler);
+ signal(SIGINT, &monitor_child_handler);
++#ifdef SIGXFSZ
++ signal(SIGXFSZ, SIG_IGN);
++#endif
+
+ if (compat20) {
+ mon_dispatch = mon_dispatch_postauth20;
diff --git a/openssh-6.6.1p1-selinux-contexts.patch b/openssh-6.6.1p1-selinux-contexts.patch
new file mode 100644
index 0000000..a831a15
--- /dev/null
+++ b/openssh-6.6.1p1-selinux-contexts.patch
@@ -0,0 +1,118 @@
+diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
+index 0077dd7..e3f2ced 100644
+--- a/openbsd-compat/port-linux-sshd.c
++++ b/openbsd-compat/port-linux-sshd.c
+@@ -31,6 +31,7 @@
+ #include "xmalloc.h"
+ #include "servconf.h"
+ #include "port-linux.h"
++#include "misc.h"
+ #include "key.h"
+ #include "hostfile.h"
+ #include "auth.h"
+@@ -444,7 +445,7 @@ sshd_selinux_setup_exec_context(char *pwname)
+ void
+ sshd_selinux_copy_context(void)
+ {
+- security_context_t *ctx;
++ char *ctx;
+
+ if (!sshd_selinux_enabled())
+ return;
+@@ -460,6 +461,58 @@ sshd_selinux_copy_context(void)
+ }
+ }
+
++void
++sshd_selinux_change_privsep_preauth_context(void)
++{
++ int len;
++ char line[1024], *preauth_context = NULL, *cp, *arg;
++ const char *contexts_path;
++ FILE *contexts_file;
++
++ contexts_path = selinux_openssh_contexts_path();
++ if (contexts_path != NULL) {
++ if ((contexts_file = fopen(contexts_path, "r")) != NULL) {
++ struct stat sb;
++
++ if (fstat(fileno(contexts_file), &sb) == 0 && ((sb.st_uid == 0) && ((sb.st_mode & 022) == 0))) {
++ while (fgets(line, sizeof(line), contexts_file)) {
++ /* Strip trailing whitespace */
++ for (len = strlen(line) - 1; len > 0; len--) {
++ if (strchr(" \t\r\n", line[len]) == NULL)
++ break;
++ line[len] = '\0';
++ }
++
++ if (line[0] == '\0')
++ continue;
++
++ cp = line;
++ arg = strdelim(&cp);
++ if (*arg == '\0')
++ arg = strdelim(&cp);
++
++ if (strcmp(arg, "privsep_preauth") == 0) {
++ arg = strdelim(&cp);
++ if (!arg || *arg == '\0') {
++ debug("%s: privsep_preauth is empty", __func__);
++ fclose(contexts_file);
++ return;
++ }
++ preauth_context = xstrdup(arg);
++ }
++ }
++ }
++ fclose(contexts_file);
++ }
++ }
++
++ if (preauth_context == NULL)
++ preauth_context = xstrdup("sshd_net_t");
++
++ ssh_selinux_change_context(preauth_context);
++ free(preauth_context);
++}
++
+ #endif
+ #endif
+
+diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+index 22ea8ef..1fc963d 100644
+--- a/openbsd-compat/port-linux.c
++++ b/openbsd-compat/port-linux.c
+@@ -179,7 +179,7 @@ ssh_selinux_change_context(const char *newname)
+ strlcpy(newctx + len, newname, newlen - len);
+ if ((cx = index(cx + 1, ':')))
+ strlcat(newctx, cx, newlen);
+- debug3("%s: setting context from '%s' to '%s'", __func__,
++ debug("%s: setting context from '%s' to '%s'", __func__,
+ oldctx, newctx);
+ if (setcon(newctx) < 0)
+ switchlog("%s: setcon %s from %s failed with %s", __func__,
+diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
+index cb51f99..8b7cda2 100644
+--- a/openbsd-compat/port-linux.h
++++ b/openbsd-compat/port-linux.h
+@@ -29,6 +29,7 @@ int sshd_selinux_enabled(void);
+ void sshd_selinux_copy_context(void);
+ void sshd_selinux_setup_exec_context(char *);
+ int sshd_selinux_setup_env_variables(void);
++void sshd_selinux_change_privsep_preauth_context(void);
+ #endif
+
+ #ifdef LINUX_OOM_ADJUST
+diff --git a/sshd.c b/sshd.c
+index 512c7ed..3eee75a 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -637,7 +637,7 @@ privsep_preauth_child(void)
+ demote_sensitive_data();
+
+ #ifdef WITH_SELINUX
+- ssh_selinux_change_context("sshd_net_t");
++ sshd_selinux_change_privsep_preauth_context();
+ #endif
+
+ /* Change our root directory */
diff --git a/openssh-6.6.1p1-servconf-parser.patch b/openssh-6.6.1p1-servconf-parser.patch
new file mode 100644
index 0000000..b93f6f3
--- /dev/null
+++ b/openssh-6.6.1p1-servconf-parser.patch
@@ -0,0 +1,31 @@
+diff --git a/servconf.c b/servconf.c
+index b7f3294..bc1e909 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -1550,7 +1550,7 @@ process_server_config_line(ServerOptions *options, char *line,
+ break;
+
+ case sForceCommand:
+- if (cp == NULL)
++ if (cp == NULL || *cp == '\0')
+ fatal("%.200s line %d: Missing argument.", filename,
+ linenum);
+ len = strspn(cp, WHITESPACE);
+@@ -1595,7 +1595,7 @@ process_server_config_line(ServerOptions *options, char *line,
+ break;
+
+ case sVersionAddendum:
+- if (cp == NULL)
++ if (cp == NULL || *cp == '\0')
+ fatal("%.200s line %d: Missing argument.", filename,
+ linenum);
+ len = strspn(cp, WHITESPACE);
+@@ -1630,6 +1630,8 @@ process_server_config_line(ServerOptions *options, char *line,
+ break;
+
+ case sAuthenticationMethods:
++ if (cp == NULL || *cp == '\0')
++ fatal("%.200s line %d: Missing argument.", filename, linenum);
+ if (*activep && options->num_auth_methods == 0) {
+ while ((arg = strdelim(&cp)) && *arg != '\0') {
+ if (options->num_auth_methods >=
diff --git a/openssh-6.6p1-audit.patch b/openssh-6.6p1-audit.patch
index b83b46a..7e0c0f4 100644
--- a/openssh-6.6p1-audit.patch
+++ b/openssh-6.6p1-audit.patch
@@ -486,7 +486,7 @@ index b3ee2f4..946f7fa 100644
+}
#endif /* USE_LINUX_AUDIT */
diff --git a/audit.c b/audit.c
-index ced57fa..b806f03 100644
+index ced57fa..ab9fb82 100644
--- a/audit.c
+++ b/audit.c
@@ -28,6 +28,7 @@
@@ -507,7 +507,23 @@ index ced57fa..b806f03 100644
/*
* Care must be taken when using this since it WILL NOT be initialized when
-@@ -111,6 +115,40 @@ audit_event_lookup(ssh_audit_event_t ev)
+@@ -71,13 +75,10 @@ audit_classify_auth(const char *method)
+ const char *
+ audit_username(void)
+ {
+- static const char unknownuser[] = "(unknown user)";
+- static const char invaliduser[] = "(invalid user)";
++ static const char unknownuser[] = "(unknown)";
+
+- if (the_authctxt == NULL || the_authctxt->user == NULL)
++ if (the_authctxt == NULL || the_authctxt->user == NULL || !the_authctxt->valid)
+ return (unknownuser);
+- if (!the_authctxt->valid)
+- return (invaliduser);
+ return (the_authctxt->user);
+ }
+
+@@ -111,6 +112,40 @@ audit_event_lookup(ssh_audit_event_t ev)
return(event_lookup[i].name);
}
@@ -548,7 +564,7 @@ index ced57fa..b806f03 100644
# ifndef CUSTOM_SSH_AUDIT_EVENTS
/*
* Null implementations of audit functions.
-@@ -140,6 +178,17 @@ audit_event(ssh_audit_event_t event)
+@@ -140,6 +175,17 @@ audit_event(ssh_audit_event_t event)
}
/*
@@ -566,7 +582,7 @@ index ced57fa..b806f03 100644
* Called when a user session is started. Argument is the tty allocated to
* the session, or NULL if no tty was allocated.
*
-@@ -174,13 +223,91 @@ audit_session_close(struct logininfo *li)
+@@ -174,13 +220,91 @@ audit_session_close(struct logininfo *li)
/*
* This will be called when a user runs a non-interactive command. Note that
* it may be called multiple times for a single connection since SSH2 allows
@@ -795,6 +811,20 @@ index 5dad6c3..f225b0b 100644
}
/*
+diff --git a/auth.c b/auth.c
+index 420a85b..d613f8c 100644
+--- a/auth.c
++++ b/auth.c
+@@ -628,9 +628,6 @@ getpwnamallow(const char *user)
+ record_failed_login(user,
+ get_canonical_hostname(options.use_dns), "ssh");
+ #endif
+-#ifdef SSH_AUDIT_EVENTS
+- audit_event(SSH_INVALID_USER);
+-#endif /* SSH_AUDIT_EVENTS */
+ return (NULL);
+ }
+ if (!allowed_user(pw))
diff --git a/auth.h b/auth.h
index 4605588..f9d191c 100644
--- a/auth.h
@@ -880,7 +910,7 @@ index cb0f931..6d1c872 100644
match_principals_option(const char *principal_list, struct KeyCert *cert)
{
diff --git a/auth2.c b/auth2.c
-index 0f52b68..472a5b2 100644
+index 426dcd6..436cd60 100644
--- a/auth2.c
+++ b/auth2.c
@@ -249,9 +249,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
@@ -1143,7 +1173,7 @@ index fbe18c4..7dc7f43 100644
void mac_clear(Mac *);
+void mac_destroy(Mac *);
diff --git a/monitor.c b/monitor.c
-index aa70945..bdabe21 100644
+index 8b18086..5a65114 100644
--- a/monitor.c
+++ b/monitor.c
@@ -97,6 +97,7 @@
@@ -1221,7 +1251,7 @@ index aa70945..bdabe21 100644
#endif
{0, 0, NULL}
};
-@@ -1390,9 +1416,11 @@ mm_answer_keyverify(int sock, Buffer *m)
+@@ -1393,9 +1419,11 @@ mm_answer_keyverify(int sock, Buffer *m)
Key *key;
u_char *signature, *data, *blob;
u_int signaturelen, datalen, bloblen;
@@ -1233,7 +1263,7 @@ index aa70945..bdabe21 100644
blob = buffer_get_string(m, &bloblen);
signature = buffer_get_string(m, &signaturelen);
data = buffer_get_string(m, &datalen);
-@@ -1400,6 +1428,8 @@ mm_answer_keyverify(int sock, Buffer *m)
+@@ -1403,6 +1431,8 @@ mm_answer_keyverify(int sock, Buffer *m)
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
!monitor_allowed_key(blob, bloblen))
fatal("%s: bad key, not previously allowed", __func__);
@@ -1242,7 +1272,7 @@ index aa70945..bdabe21 100644
key = key_from_blob(blob, bloblen);
if (key == NULL)
-@@ -1420,7 +1450,17 @@ mm_answer_keyverify(int sock, Buffer *m)
+@@ -1423,7 +1453,17 @@ mm_answer_keyverify(int sock, Buffer *m)
if (!valid_data)
fatal("%s: bad signature data blob", __func__);
@@ -1261,7 +1291,7 @@ index aa70945..bdabe21 100644
debug3("%s: key %p signature %s",
__func__, key, (verified == 1) ? "verified" : "unverified");
-@@ -1473,6 +1513,12 @@ mm_session_close(Session *s)
+@@ -1476,6 +1516,12 @@ mm_session_close(Session *s)
debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
session_pty_cleanup2(s);
}
@@ -1274,7 +1304,7 @@ index aa70945..bdabe21 100644
session_unused(s->self);
}
-@@ -1753,6 +1799,8 @@ mm_answer_term(int sock, Buffer *req)
+@@ -1756,6 +1802,8 @@ mm_answer_term(int sock, Buffer *req)
sshpam_cleanup();
#endif
@@ -1283,7 +1313,7 @@ index aa70945..bdabe21 100644
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
if (errno != EINTR)
exit(1);
-@@ -1795,11 +1843,43 @@ mm_answer_audit_command(int socket, Buffer *m)
+@@ -1798,11 +1846,43 @@ mm_answer_audit_command(int socket, Buffer *m)
{
u_int len;
char *cmd;
@@ -1328,7 +1358,7 @@ index aa70945..bdabe21 100644
free(cmd);
return (0);
}
-@@ -1943,11 +2023,13 @@ mm_get_keystate(struct monitor *pmonitor)
+@@ -1946,11 +2026,13 @@ mm_get_keystate(struct monitor *pmonitor)
blob = buffer_get_string(&m, &bloblen);
current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
@@ -1342,7 +1372,7 @@ index aa70945..bdabe21 100644
free(blob);
/* Now get sequence numbers for the packets */
-@@ -1993,6 +2075,21 @@ mm_get_keystate(struct monitor *pmonitor)
+@@ -1996,6 +2078,21 @@ mm_get_keystate(struct monitor *pmonitor)
}
buffer_free(&m);
@@ -1364,7 +1394,7 @@ index aa70945..bdabe21 100644
}
-@@ -2274,3 +2371,85 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) {
+@@ -2277,3 +2374,85 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) {
#endif /* GSSAPI */
@@ -1860,7 +1890,7 @@ index f8edf85..c36c812 100644
+void packet_destroy_all(int, int);
#endif /* PACKET_H */
diff --git a/session.c b/session.c
-index e4add93..626a642 100644
+index df43592..b186ca1 100644
--- a/session.c
+++ b/session.c
@@ -138,7 +138,7 @@ extern int log_stderr;
@@ -1921,7 +1951,7 @@ index e4add93..626a642 100644
/* Force a password change */
if (s->authctxt->force_pwchange) {
-@@ -1932,6 +1947,7 @@ session_unused(int id)
+@@ -1933,6 +1948,7 @@ session_unused(int id)
sessions[id].ttyfd = -1;
sessions[id].ptymaster = -1;
sessions[id].x11_chanids = NULL;
@@ -1929,7 +1959,7 @@ index e4add93..626a642 100644
sessions[id].next_unused = sessions_first_unused;
sessions_first_unused = id;
}
-@@ -2014,6 +2030,19 @@ session_open(Authctxt *authctxt, int chanid)
+@@ -2015,6 +2031,19 @@ session_open(Authctxt *authctxt, int chanid)
}
Session *
@@ -1949,7 +1979,7 @@ index e4add93..626a642 100644
session_by_tty(char *tty)
{
int i;
-@@ -2530,6 +2559,30 @@ session_exit_message(Session *s, int status)
+@@ -2531,6 +2560,30 @@ session_exit_message(Session *s, int status)
chan_write_failed(c);
}
@@ -1980,7 +2010,7 @@ index e4add93..626a642 100644
void
session_close(Session *s)
{
-@@ -2538,6 +2591,10 @@ session_close(Session *s)
+@@ -2539,6 +2592,10 @@ session_close(Session *s)
debug("session_close: session %d pid %ld", s->self, (long)s->pid);
if (s->ttyfd != -1)
session_pty_cleanup(s);
@@ -1991,7 +2021,7 @@ index e4add93..626a642 100644
free(s->term);
free(s->display);
free(s->x11_chanids);
-@@ -2752,6 +2809,15 @@ do_authenticated2(Authctxt *authctxt)
+@@ -2753,6 +2810,15 @@ do_authenticated2(Authctxt *authctxt)
server_loop2(authctxt);
}
@@ -2007,7 +2037,7 @@ index e4add93..626a642 100644
void
do_cleanup(Authctxt *authctxt)
{
-@@ -2800,5 +2866,5 @@ do_cleanup(Authctxt *authctxt)
+@@ -2801,5 +2867,5 @@ do_cleanup(Authctxt *authctxt)
* or if running in monitor.
*/
if (!use_privsep || mm_is_monitor())
@@ -2043,7 +2073,7 @@ index 6a2f35e..e9b312e 100644
void session_close(Session *);
void do_setusercontext(struct passwd *);
diff --git a/sshd.c b/sshd.c
-index 512c7ed..b561ec8 100644
+index 8a0740a..2813aa2 100644
--- a/sshd.c
+++ b/sshd.c
@@ -119,6 +119,7 @@
diff --git a/openssh-6.6p1-gsissh.patch b/openssh-6.6p1-gsissh.patch
index f949f5f..9402ed5 100644
--- a/openssh-6.6p1-gsissh.patch
+++ b/openssh-6.6p1-gsissh.patch
@@ -1437,11 +1437,10 @@ diff -Nur openssh-6.6p1.orig/monitor.c openssh-6.6p1/monitor.c
{MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
{MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
-@@ -267,6 +270,10 @@
- {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
+@@ -268,6 +271,9 @@
{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
-+ {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
+ {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
+ {MONITOR_REQ_GSSERR, MON_ISAUTH | MON_ONCE, mm_answer_gss_error},
+ {MONITOR_REQ_GSSMECHS, MON_ISAUTH, mm_answer_gss_indicate_mechs},
+ {MONITOR_REQ_GSSLOCALNAME, MON_ISAUTH, mm_answer_gss_localname},
@@ -2265,7 +2264,7 @@ diff -Nur openssh-6.6p1.orig/sshd_config openssh-6.6p1/sshd_config
--- openssh-6.6p1.orig/sshd_config 2014-07-14 19:49:55.160268455 +0200
+++ openssh-6.6p1/sshd_config 2014-07-15 06:37:02.657343409 +0200
@@ -90,10 +90,11 @@
- #KerberosUseKuserok no
+ #KerberosUseKuserok yes
# GSSAPI options
-GSSAPIAuthentication yes
diff --git a/openssh-6.6p1-gsskex.patch b/openssh-6.6p1-gsskex.patch
index 90e84d2..826acd4 100644
--- a/openssh-6.6p1-gsskex.patch
+++ b/openssh-6.6p1-gsskex.patch
@@ -1741,7 +1741,13 @@ index 229fada..aa70945 100644
#endif
#ifdef SSH_AUDIT_EVENTS
-@@ -258,6 +260,12 @@ struct mon_table mon_dispatch_proto20[] = {
+@@ -253,11 +255,18 @@ struct mon_table mon_dispatch_proto20[] = {
+ {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
+ {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
+ {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
++ {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
+ #endif
+ {0, 0, NULL}
};
struct mon_table mon_dispatch_postauth20[] = {
@@ -1754,7 +1760,7 @@ index 229fada..aa70945 100644
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
{MONITOR_REQ_SIGN, 0, mm_answer_sign},
{MONITOR_REQ_PTY, 0, mm_answer_pty},
-@@ -366,6 +374,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
+@@ -366,6 +375,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
/* Permit requests for moduli and signatures */
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -1765,7 +1771,7 @@ index 229fada..aa70945 100644
} else {
mon_dispatch = mon_dispatch_proto15;
-@@ -471,6 +483,10 @@ monitor_child_postauth(struct monitor *pmonitor)
+@@ -471,6 +484,10 @@ monitor_child_postauth(struct monitor *pmonitor)
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1776,7 +1782,7 @@ index 229fada..aa70945 100644
} else {
mon_dispatch = mon_dispatch_postauth15;
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1866,6 +1882,13 @@ mm_get_kex(Buffer *m)
+@@ -1866,6 +1883,13 @@ mm_get_kex(Buffer *m)
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -1790,7 +1796,7 @@ index 229fada..aa70945 100644
kex->server = 1;
kex->hostkey_type = buffer_get_int(m);
kex->kex_type = buffer_get_int(m);
-@@ -2073,6 +2096,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
+@@ -2073,6 +2097,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
OM_uint32 major;
u_int len;
@@ -1800,7 +1806,7 @@ index 229fada..aa70945 100644
goid.elements = buffer_get_string(m, &len);
goid.length = len;
-@@ -2100,6 +2126,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
+@@ -2100,6 +2127,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
OM_uint32 flags = 0; /* GSI needs this */
u_int len;
@@ -1810,7 +1816,7 @@ index 229fada..aa70945 100644
in.value = buffer_get_string(m, &len);
in.length = len;
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -2117,6 +2146,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
+@@ -2117,6 +2147,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -1818,7 +1824,7 @@ index 229fada..aa70945 100644
}
return (0);
}
-@@ -2128,6 +2158,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
+@@ -2128,6 +2159,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
OM_uint32 ret;
u_int len;
@@ -1828,7 +1834,7 @@ index 229fada..aa70945 100644
gssbuf.value = buffer_get_string(m, &len);
gssbuf.length = len;
mic.value = buffer_get_string(m, &len);
-@@ -2154,7 +2187,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
+@@ -2154,7 +2188,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
{
int authenticated;
@@ -1841,7 +1847,7 @@ index 229fada..aa70945 100644
buffer_clear(m);
buffer_put_int(m, authenticated);
-@@ -2167,5 +2204,73 @@ mm_answer_gss_userok(int sock, Buffer *m)
+@@ -2167,5 +2205,73 @@ mm_answer_gss_userok(int sock, Buffer *m)
/* Monitor loop will terminate if authenticated */
return (authenticated);
}
diff --git a/openssh-6.6p1-kuserok.patch b/openssh-6.6p1-kuserok.patch
index d2d07b6..f7c5a1c 100644
--- a/openssh-6.6p1-kuserok.patch
+++ b/openssh-6.6p1-kuserok.patch
@@ -1,14 +1,16 @@
-diff -up openssh-6.6p1/auth-krb5.c.kuserok openssh-6.6p1/auth-krb5.c
---- openssh-6.6p1/auth-krb5.c.kuserok 2013-10-24 01:53:02.000000000 +0200
-+++ openssh-6.6p1/auth-krb5.c 2014-05-07 10:42:00.883534478 +0200
-@@ -54,6 +54,20 @@
+diff --git a/auth-krb5.c b/auth-krb5.c
+index 6c62bdf..11c8562 100644
+--- a/auth-krb5.c
++++ b/auth-krb5.c
+@@ -54,6 +54,21 @@
extern ServerOptions options;
+int
-+ssh_krb5_kuserok(krb5_context krb5_ctx, krb5_principal krb5_user, const char *client)
++ssh_krb5_kuserok(krb5_context krb5_ctx, krb5_principal krb5_user, const char *client,
++ int k5login_exists)
+{
-+ if (options.use_kuserok)
++ if (options.use_kuserok || !k5login_exists)
+ return krb5_kuserok(krb5_ctx, krb5_user, client);
+ else {
+ char kuser[65];
@@ -22,40 +24,161 @@ diff -up openssh-6.6p1/auth-krb5.c.kuserok openssh-6.6p1/auth-krb5.c
static int
krb5_init(void *context)
{
-@@ -157,8 +171,7 @@ auth_krb5_password(Authctxt *authctxt, c
+@@ -157,8 +172,9 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
if (problem)
goto out;
- if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
- authctxt->pw->pw_name)) {
-+ if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, authctxt->pw->pw_name)) {
++ /* Use !options.use_kuserok here to make ssh_krb5_kuserok() not
++ * depend on the existance of .k5login */
++ if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, authctxt->pw->pw_name, !options.use_kuserok)) {
problem = -1;
goto out;
}
-diff -up openssh-6.6p1/gss-serv-krb5.c.kuserok openssh-6.6p1/gss-serv-krb5.c
---- openssh-6.6p1/gss-serv-krb5.c.kuserok 2014-05-07 10:35:30.792053846 +0200
-+++ openssh-6.6p1/gss-serv-krb5.c 2014-05-07 10:35:30.801053812 +0200
-@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
+diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
+index 60de320..0a4930e 100644
+--- a/gss-serv-krb5.c
++++ b/gss-serv-krb5.c
+@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_principal, const char *, const char *,
int);
static krb5_context krb_context = NULL;
-+extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *);
++extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *, int);
/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
-@@ -116,7 +117,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
+@@ -92,6 +93,103 @@ ssh_gssapi_krb5_init(void)
+ * Returns true if the user is OK to log in, otherwise returns 0
+ */
+
++/* The purpose of the function is to find out if a Kerberos principal is
++ * allowed to log in as the given local user. This is a general problem with
++ * Kerberized services because by design the Kerberos principals are
++ * completely independent from the local user names. This is one of the
++ * reasons why Kerberos is working well on different operating systems like
++ * Windows and UNIX/Linux. Nevertheless a relationship between a Kerberos
++ * principal and a local user name must be established because otherwise every
++ * access would be granted for every principal with a valid ticket.
++ *
++ * Since it is a general issue libkrb5 provides some functions for
++ * applications to find out about the relationship between the Kerberos
++ * principal and a local user name. They are krb5_kuserok() and
++ * krb5_aname_to_localname().
++ *
++ * krb5_kuserok() can be used to "Determine if a principal is authorized to
++ * log in as a local user" (from the MIT Kerberos documentation of this
++ * function). Which is exactly what we are looking for and should be the
++ * preferred choice. It accepts the Kerberos principal and a local user name
++ * and let libkrb5 or its plugins determine if they relate to each other or
++ * not.
++ *
++ * krb5_aname_to_localname() can use used to "Convert a principal name to a
++ * local name" (from the MIT Kerberos documentation of this function). It
++ * accepts a Kerberos principle and returns a local name and it is up to the
++ * application to do any additional checks. There are two issues using
++ * krb5_aname_to_localname(). First, since POSIX user names are case
++ * sensitive, the calling application in general has no other choice than
++ * doing a case-sensitive string comparison between the name returned by
++ * krb5_aname_to_localname() and the name used at the login prompt. When the
++ * users are provided by a case in-sensitive server, e.g. Active Directory,
++ * this might lead to login failures because the user typing the name at the
++ * login prompt might not be aware of the right case. Another issue might be
++ * caused if there are multiple alias names available for a single user. E.g.
++ * the canonical name of a user is user at group.department.example.com but there
++ * exists a shorter login name, e.g. user at example.com, to safe typing at the
++ * login prompt. Here krb5_aname_to_localname() can only return the canonical
++ * name, but if the short alias is used at the login prompt authentication
++ * will fail as well. All this can be avoided by using krb5_kuserok() and
++ * configuring krb5.conf or using a suitable plugin to meet the needs of the
++ * given environment.
++ *
++ * The Fedora and RHEL version of openssh contain two patches which modify the
++ * access control behavior:
++ * - openssh-6.6p1-kuserok.patch
++ * - openssh-6.6p1-force_krb.patch
++ *
++ * openssh-6.6p1-kuserok.patch adds a new option KerberosUseKuserok for
++ * sshd_config which controls if krb5_kuserok() is used to check if the
++ * principle is authorized or if krb5_aname_to_localname() should be used.
++ * The reason to add this patch was that krb5_kuserok() by default checks if
++ * a .k5login file exits in the users home-directory. With this the user can
++ * give access to his account for any given principal which might be
++ * in violation with company policies and it would be useful if this can be
++ * rejected. Nevertheless the patch ignores the fact that krb5_kuserok() does
++ * no only check .k5login but other sources as well and checking .k5login can
++ * be disabled for all applications in krb5.conf as well. With this new
++ * option KerberosUseKuserok set to 'no' (and this is the default for RHEL7
++ * and Fedora 21) openssh can only use krb5_aname_to_localname() with the
++ * restrictions mentioned above.
++ *
++ * openssh-6.6p1-force_krb.patch adds a ksu like behaviour to ssh, i.e. when
++ * using GSSAPI authentication only commands configured in the .k5user can be
++ * executed. Here the wrong assumption that krb5_kuserok() only checks
++ * .k5login is made as well. In contrast ksu checks .k5login directly and
++ * does not use krb5_kuserok() which might be more useful for the given
++ * purpose. Additionally this patch is not synced with
++ * openssh-6.6p1-kuserok.patch.
++ *
++ * The current patch tries to restore the usage of krb5_kuserok() so that e.g.
++ * localauth plugins can be used. It does so by adding a forth parameter to
++ * ssh_krb5_kuserok() which indicates whether .k5login exists or not. If it
++ * does not exists krb5_kuserok() is called even if KerberosUseKuserok is set
++ * to 'no' because the intent of the option is to not check .k5login and if it
++ * does not exists krb5_kuserok() returns a result without checking .k5login.
++ * If .k5login does exists and KerberosUseKuserok is 'no' we fall back to
++ * krb5_aname_to_localname(). This is in my point of view an acceptable
++ * limitation and does not break the current behaviour.
++ *
++ * Additionally with this patch ssh_krb5_kuserok() is called in
++ * ssh_gssapi_krb5_cmdok() instead of only krb5_aname_to_localname() is
++ * neither .k5login nor .k5users exists to allow plugin evaluation via
++ * krb5_kuserok() as well.
++ *
++ * I tried to keep the patch as minimal as possible, nevertheless I see some
++ * areas for improvement which, if they make sense, have to be evaluated
++ * carefully because they might change existing behaviour and cause breaks
++ * during upgrade:
++ * - I wonder if disabling .k5login usage make sense in sshd or if it should
++ * be better disabled globally in krb5.conf
++ * - if really needed openssh-6.6p1-kuserok.patch should be fixed to really
++ * only disable checking .k5login and maybe .k5users
++ * - the ksu behaviour should be configurable and maybe check the .k5login and
++ * .k5users files directly like ksu itself does
++ * - to make krb5_aname_to_localname() more useful an option for sshd to use
++ * the canonical name (the one returned by getpwnam()) instead of the name
++ * given at the login prompt might be useful */
++
+ static int
+ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
+ {
+@@ -116,7 +214,8 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
/* NOTE: .k5login and .k5users must opened as root, not the user,
* because if they are on a krb5-protected filesystem, user credentials
* to access these files aren't available yet. */
- if (krb5_kuserok(krb_context, princ, name) && k5login_exists) {
-+ if (ssh_krb5_kuserok(krb_context, princ, name) && k5login_exists) {
++ if (ssh_krb5_kuserok(krb_context, princ, name, k5login_exists)
++ && k5login_exists) {
retval = 1;
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
name, (char *)client->displayname.value);
-diff -up openssh-6.6p1/servconf.c.kuserok openssh-6.6p1/servconf.c
---- openssh-6.6p1/servconf.c.kuserok 2014-05-07 10:35:30.783053881 +0200
-+++ openssh-6.6p1/servconf.c 2014-05-07 10:39:13.133189061 +0200
-@@ -157,6 +157,7 @@ initialize_server_options(ServerOptions
+@@ -171,9 +270,8 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
+ snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
+ /* If both .k5login and .k5users DNE, self-login is ok. */
+ if (!k5login_exists && (access(file, F_OK) == -1)) {
+- return (krb5_aname_to_localname(krb_context, principal,
+- sizeof(kuser), kuser) == 0) &&
+- (strcmp(kuser, luser) == 0);
++ return ssh_krb5_kuserok(krb_context, principal, luser,
++ k5login_exists);
+ }
+ if ((fp = fopen(file, "r")) == NULL) {
+ int saved_errno = errno;
+diff --git a/servconf.c b/servconf.c
+index 68fb9ef..904c869 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -157,6 +157,7 @@ initialize_server_options(ServerOptions *options)
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
options->version_addendum = NULL;
@@ -63,12 +186,12 @@ diff -up openssh-6.6p1/servconf.c.kuserok openssh-6.6p1/servconf.c
}
void
-@@ -312,6 +313,8 @@ fill_default_server_options(ServerOption
+@@ -312,6 +313,8 @@ fill_default_server_options(ServerOptions *options)
options->version_addendum = xstrdup("");
if (options->show_patchlevel == -1)
options->show_patchlevel = 0;
+ if (options->use_kuserok == -1)
-+ options->use_kuserok = 0;
++ options->use_kuserok = 1;
/* Turn privilege separation on by default */
if (use_privsep == -1)
@@ -95,7 +218,7 @@ diff -up openssh-6.6p1/servconf.c.kuserok openssh-6.6p1/servconf.c
#endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
-@@ -1526,6 +1531,10 @@ process_server_config_line(ServerOptions
+@@ -1526,6 +1531,10 @@ process_server_config_line(ServerOptions *options, char *line,
*activep = value;
break;
@@ -106,7 +229,7 @@ diff -up openssh-6.6p1/servconf.c.kuserok openssh-6.6p1/servconf.c
case sPermitOpen:
arg = strdelim(&cp);
if (!arg || *arg == '\0')
-@@ -1811,6 +1820,7 @@ copy_set_server_options(ServerOptions *d
+@@ -1811,6 +1820,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
M_CP_INTOPT(max_authtries);
M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk);
@@ -122,9 +245,10 @@ diff -up openssh-6.6p1/servconf.c.kuserok openssh-6.6p1/servconf.c
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
-diff -up openssh-6.6p1/servconf.h.kuserok openssh-6.6p1/servconf.h
---- openssh-6.6p1/servconf.h.kuserok 2014-05-07 10:35:30.783053881 +0200
-+++ openssh-6.6p1/servconf.h 2014-05-07 10:35:30.802053808 +0200
+diff --git a/servconf.h b/servconf.h
+index 37cfa9b..5117dfa 100644
+--- a/servconf.h
++++ b/servconf.h
@@ -173,6 +173,7 @@ typedef struct {
int num_permitted_opens;
@@ -133,17 +257,30 @@ diff -up openssh-6.6p1/servconf.h.kuserok openssh-6.6p1/servconf.h
char *chroot_directory;
char *revoked_keys_file;
char *trusted_user_ca_keys;
-diff -up openssh-6.6p1/sshd_config.5.kuserok openssh-6.6p1/sshd_config.5
---- openssh-6.6p1/sshd_config.5.kuserok 2014-05-07 10:35:30.786053870 +0200
-+++ openssh-6.6p1/sshd_config.5 2014-05-07 10:43:04.784285016 +0200
-@@ -697,6 +697,10 @@ Specifies whether to automatically destr
+diff --git a/sshd_config b/sshd_config
+index adfd7b1..e772ed5 100644
+--- a/sshd_config
++++ b/sshd_config
+@@ -87,6 +87,7 @@ ChallengeResponseAuthentication no
+ #KerberosOrLocalPasswd yes
+ #KerberosTicketCleanup yes
+ #KerberosGetAFSToken no
++#KerberosUseKuserok yes
+
+ # GSSAPI options
+ GSSAPIAuthentication yes
+diff --git a/sshd_config.5 b/sshd_config.5
+index 1fb002d..e0e5fff 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -697,6 +697,10 @@ Specifies whether to automatically destroy the user's ticket cache
file on logout.
The default is
.Dq yes .
+.It Cm KerberosUseKuserok
+Specifies whether to look at .k5login file for user's aliases.
+The default is
-+.Dq no .
++.Dq yes .
.It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
@@ -155,14 +292,3 @@ diff -up openssh-6.6p1/sshd_config.5.kuserok openssh-6.6p1/sshd_config.5
.Cm MaxAuthTries ,
.Cm MaxSessions ,
.Cm PasswordAuthentication ,
-diff -up openssh-6.6p1/sshd_config.kuserok openssh-6.6p1/sshd_config
---- openssh-6.6p1/sshd_config.kuserok 2014-05-07 10:35:30.803053804 +0200
-+++ openssh-6.6p1/sshd_config 2014-05-07 10:38:30.735354431 +0200
-@@ -87,6 +87,7 @@ ChallengeResponseAuthentication no
- #KerberosOrLocalPasswd yes
- #KerberosTicketCleanup yes
- #KerberosGetAFSToken no
-+#KerberosUseKuserok no
-
- # GSSAPI options
- GSSAPIAuthentication yes
More information about the scm-commits
mailing list