Index: /branches/rel_apv_10_7_3/usr/click/bin/openssh/Makefile =================================================================== --- /branches/rel_apv_10_7_3/usr/click/bin/openssh/Makefile (revision 39810) +++ /branches/rel_apv_10_7_3/usr/click/bin/openssh/Makefile (working copy) @@ -1,5 +1,5 @@ ANROOT=${.CURDIR}/../../../../anroot -OPENSSH_FOLDER=openssh-10.0p2 +OPENSSH_FOLDER=openssh-10.1p1 .if defined(UOS_X86) || defined(KYLIN) Index: /branches/rel_apv_10_7_3/usr/click/bin/openssh/array.patch =================================================================== --- /branches/rel_apv_10_7_3/usr/click/bin/openssh/array.patch (revision 39810) +++ /branches/rel_apv_10_7_3/usr/click/bin/openssh/array.patch (working copy) @@ -1,17 +1,17 @@ diff --git a/Makefile.in b/Makefile.in -index 4617ceb..a1343d6 100644 +index 760fbaa..2cf60a5 100644 --- a/Makefile.in +++ b/Makefile.in -@@ -74,7 +74,7 @@ MKDIR_P=@MKDIR_P@ +@@ -75,7 +75,7 @@ MKDIR_P=@MKDIR_P@ .SUFFIXES: .lo -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) sshd-auth$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) $(SK_STANDALONE) +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) synconfigd$(EXEEXT) sshd-session$(EXEEXT) sshd-auth$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) $(SK_STANDALONE) - XMSS_OBJS=\ - ssh-xmss.o \ -@@ -183,8 +183,11 @@ MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out + LIBOPENSSH_OBJS=\ + ssh_api.o \ +@@ -176,8 +176,11 @@ MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5 MANTYPE = @MANTYPE@ @@ -25,7 +25,7 @@ PATHSUBS = \ -e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \ -@@ -209,7 +212,8 @@ FIXPATHSCMD = $(SED) $(PATHSUBS) +@@ -201,7 +204,8 @@ FIXPATHSCMD = $(SED) $(PATHSUBS) FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \ @UNSUPPORTED_ALGORITHMS@ @@ -35,7 +35,7 @@ $(LIBSSH_OBJS): Makefile.in config.h $(SSHOBJS): Makefile.in config.h -@@ -231,13 +235,16 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) +@@ -223,13 +227,16 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS) sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) @@ -56,7 +56,7 @@ scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS) $(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) diff --git a/auth-passwd.c b/auth-passwd.c -index 347d91e..5eb8d36 100644 +index a9d7688..88e5b05 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -56,6 +56,21 @@ @@ -149,7 +149,7 @@ int hostbased_key_allowed(struct ssh *, struct passwd *, const char *, char *, struct sshkey *); diff --git a/auth2.c b/auth2.c -index 67dec88..65caf04 100644 +index b9bb46f..000697a 100644 --- a/auth2.c +++ b/auth2.c @@ -29,6 +29,10 @@ @@ -359,7 +359,7 @@ char * auth2_read_banner(void) { -@@ -284,26 +470,43 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) +@@ -284,25 +470,40 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) debug("userauth-request for user %s service %s method %s", user, service, method); debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); @@ -370,7 +370,6 @@ if (authctxt->attempt >= 1024) auth_maxtries_exceeded(ssh); -+ if (authctxt->attempt++ == 0) { - /* setup auth context */ - authctxt->pw = mm_getpwnamallow(ssh, user); @@ -408,11 +407,9 @@ #endif + } } -+ #ifdef USE_PAM if (options.use_pam) - mm_start_pam(ssh); -@@ -339,6 +542,33 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) +@@ -339,6 +540,33 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) authctxt->postponed = 0; authctxt->server_caused_failure = 0; @@ -446,11 +443,7 @@ /* try to authenticate user */ m = authmethod_lookup(authctxt, method); if (m != NULL && authctxt->failures < options.max_authtries) { -@@ -354,9 +584,34 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) - free(service); - free(user); - free(method); -+ +@@ -357,6 +585,30 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) return r; } @@ -481,7 +474,7 @@ void userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method, const char *submethod) -@@ -398,6 +653,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method, +@@ -398,6 +650,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method, /* Log before sending the reply */ auth_log(ssh, authenticated, partial, method, submethod); @@ -489,7 +482,7 @@ /* Update information exposed to session */ if (authenticated || partial) -@@ -436,14 +692,49 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method, +@@ -436,14 +689,49 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method, (r = sshpkt_send(ssh)) != 0 || (r = ssh_packet_write_wait(ssh)) != 0) fatal_fr(r, "send success packet"); @@ -535,12 +528,12 @@ + } + } + } -+ + } ++ if (authctxt->failures >= options.max_authtries) { #ifdef SSH_AUDIT_EVENTS mm_audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES); -@@ -459,6 +750,8 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method, +@@ -459,6 +747,8 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method, (r = sshpkt_send(ssh)) != 0 || (r = ssh_packet_write_wait(ssh)) != 0) fatal_fr(r, "send failure packet"); @@ -550,10 +543,10 @@ } } diff --git a/configure b/configure -index f68e94a..a930144 100755 +index 74539c8..afa2d99 100644 --- a/configure +++ b/configure -@@ -877,7 +877,7 @@ sbindir='${exec_prefix}/sbin' +@@ -883,7 +883,7 @@ sbindir='${exec_prefix}/sbin' libexecdir='${exec_prefix}/libexec' datarootdir='${prefix}/share' datadir='${datarootdir}' @@ -563,10 +556,10 @@ localstatedir='${prefix}/var' runstatedir='${localstatedir}/run' diff --git a/monitor.c b/monitor.c -index 5966b4f..b8ebe5c 100644 +index a9e854b..8d5e29c 100644 --- a/monitor.c +++ b/monitor.c -@@ -98,6 +98,39 @@ +@@ -88,6 +88,39 @@ #include "sk-api.h" #include "srclimit.h" @@ -606,7 +599,7 @@ #ifdef GSSAPI static Gssctxt *gsscontext = NULL; #endif -@@ -148,6 +181,9 @@ int mm_answer_audit_event(struct ssh *, int, struct sshbuf *); +@@ -141,6 +174,9 @@ int mm_answer_audit_event(struct ssh *, int, struct sshbuf *); int mm_answer_audit_command(struct ssh *, int, struct sshbuf *); #endif @@ -616,7 +609,7 @@ static Authctxt *authctxt; /* local state for key verify */ -@@ -215,6 +251,8 @@ struct mon_table mon_dispatch_proto20[] = { +@@ -209,6 +245,8 @@ struct mon_table mon_dispatch_proto20[] = { {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok}, {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic}, #endif @@ -625,7 +618,7 @@ {0, 0, NULL} }; -@@ -235,6 +273,148 @@ struct mon_table mon_dispatch_postauth20[] = { +@@ -230,6 +268,148 @@ struct mon_table mon_dispatch_postauth20[] = { struct mon_table *mon_dispatch; @@ -774,7 +767,7 @@ /* Specifies if a certain message is allowed at the moment */ static void monitor_permit(struct mon_table *ent, enum monitor_reqtype type, int permit) -@@ -320,6 +500,8 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor) +@@ -316,6 +496,8 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor) if (authctxt->pw->pw_uid == 0 && !auth_root_allowed(ssh, auth_method)) authenticated = 0; @@ -783,7 +776,7 @@ #ifdef USE_PAM /* PAM needs to perform account checks after auth */ if (options.use_pam && authenticated) { -@@ -761,10 +943,17 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m) +@@ -855,10 +1037,17 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m) sshbuf_reset(m); if (pwent == NULL) { @@ -805,7 +798,7 @@ } allowed = 1; -@@ -903,17 +1092,20 @@ int +@@ -997,17 +1186,20 @@ int mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m) { static int call_count; @@ -829,16 +822,11 @@ freezero(passwd, plen); sshbuf_reset(m); -@@ -1979,4 +2171,3 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) - return (authenticated); - } - #endif /* GSSAPI */ -- diff --git a/monitor.h b/monitor.h -index fa48fc6..547725a 100644 +index 3f8a9be..d95f49e 100644 --- a/monitor.h +++ b/monitor.h -@@ -63,6 +63,8 @@ enum monitor_reqtype { +@@ -64,6 +64,8 @@ enum monitor_reqtype { MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111, MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113, @@ -848,10 +836,10 @@ struct ssh; diff --git a/monitor_wrap.c b/monitor_wrap.c -index 5358c77..dde7e71 100644 +index 33494b7..211a1a8 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c -@@ -466,6 +466,8 @@ mm_auth_password(struct ssh *ssh, char *password) +@@ -467,6 +467,8 @@ mm_auth_password(struct ssh *ssh, char *password) if ((m = sshbuf_new()) == NULL) fatal_f("sshbuf_new failed"); @@ -860,7 +848,7 @@ if ((r = sshbuf_put_cstring(m, password)) != 0) fatal_fr(r, "assemble"); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHPASSWORD, m); -@@ -1162,3 +1164,35 @@ server_get_connection_info(struct ssh *ssh, int populate, int use_dns) +@@ -1229,3 +1231,35 @@ server_get_connection_info(struct ssh *ssh, int populate, int use_dns) return &ci; } @@ -898,29 +886,21 @@ +} \ No newline at end of file diff --git a/monitor_wrap.h b/monitor_wrap.h -index e768036..4ef4bd5 100644 +index c872953..1da8d66 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h -@@ -95,9 +95,11 @@ int mm_bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **); - int mm_bsdauth_respond(void *, u_int, char **); - - /* config / channels glue */ --void server_process_permitopen(struct ssh *); --void server_process_channel_timeouts(struct ssh *ssh); -+void server_process_permitopen(struct ssh *); -+void server_process_channel_timeouts(struct ssh *ssh); +@@ -110,4 +110,6 @@ void server_process_channel_timeouts(struct ssh *ssh); struct connection_info * -- server_get_connection_info(struct ssh *, int, int); -+ server_get_connection_info(struct ssh *, int, int); -+ -+void mm_lock_fastlog(struct ssh *, const char *, int, int); + server_get_connection_info(struct ssh *, int, int); ++void mm_lock_fastlog(struct ssh *, const char *, int, int); ++ #endif /* _MM_WRAP_H_ */ diff --git a/readconf.c b/readconf.c -index 3d9cc6d..7a9da2a 100644 +index d992059..3284c80 100644 --- a/readconf.c +++ b/readconf.c -@@ -169,6 +169,7 @@ typedef enum { +@@ -164,6 +164,7 @@ typedef enum { oHashKnownHosts, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oRemoteCommand, @@ -928,7 +908,7 @@ oVisualHostKey, oKexAlgorithms, oIPQoS, oRequestTTY, oSessionType, oStdinNull, oForkAfterAuthentication, oIgnoreUnknown, oProxyUseFdpass, -@@ -299,6 +300,8 @@ static struct { +@@ -295,6 +296,8 @@ static struct { { "localcommand", oLocalCommand }, { "permitlocalcommand", oPermitLocalCommand }, { "remotecommand", oRemoteCommand }, @@ -937,7 +917,7 @@ { "visualhostkey", oVisualHostKey }, { "kexalgorithms", oKexAlgorithms }, { "ipqos", oIPQoS }, -@@ -1995,6 +1998,11 @@ parse_pubkey_algos: +@@ -2065,6 +2068,11 @@ parse_pubkey_algos: charptr = &options->remote_command; goto parse_command; @@ -949,9 +929,9 @@ case oVisualHostKey: intptr = &options->visual_host_key; goto parse_flag; -@@ -2674,6 +2682,8 @@ initialize_options(Options * options) - options->known_hosts_command = NULL; +@@ -2797,6 +2805,8 @@ initialize_options(Options * options) options->required_rsa_size = -1; + options->warn_weak_crypto = -1; options->enable_escape_commandline = -1; + options->xpassword = NULL; + options->knownhost = 0; @@ -959,11 +939,11 @@ options->tag = NULL; options->channel_timeouts = NULL; diff --git a/readconf.h b/readconf.h -index 9447d5d..2d9a679 100644 +index 942149f..770e9f1 100644 --- a/readconf.h +++ b/readconf.h -@@ -186,6 +186,8 @@ typedef struct { - u_int num_channel_timeouts; +@@ -189,6 +189,8 @@ typedef struct { + char *version_addendum; char *ignored_unknown; /* Pattern list of unknown tokens to ignore */ + char *xpassword; @@ -972,18 +952,18 @@ #define SSH_PUBKEY_AUTH_NO 0x00 diff --git a/servconf.c b/servconf.c -index 89b8413..1207e0a 100644 +index 48ec8c4..573d089 100644 --- a/servconf.c +++ b/servconf.c -@@ -213,6 +213,7 @@ initialize_server_options(ServerOptions *options) +@@ -212,6 +212,7 @@ initialize_server_options(ServerOptions *options) options->channel_timeouts = NULL; options->num_channel_timeouts = 0; options->unused_connection_timeout = -1; + options->synconfig = 0; options->sshd_session_path = NULL; + options->sshd_auth_path = NULL; options->refuse_connection = -1; - } -@@ -549,7 +550,7 @@ typedef enum { +@@ -547,7 +548,7 @@ typedef enum { sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, sKerberosGetAFSToken, sPasswordAuthentication, @@ -992,7 +972,7 @@ sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive, -@@ -661,6 +662,8 @@ static struct { +@@ -659,6 +660,8 @@ static struct { { "skeyauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */ { "checkmail", sDeprecated, SSHCFG_GLOBAL }, { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, @@ -1001,7 +981,7 @@ { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, #ifdef DISABLE_LASTLOG -@@ -1395,6 +1398,8 @@ process_server_config_line_depth(ServerOptions *options, char *line, +@@ -1433,6 +1436,8 @@ process_server_config_line_depth(ServerOptions *options, char *line, break; case sListenAddress: @@ -1011,22 +991,24 @@ if (arg == NULL || *arg == '\0') fatal("%s line %d: missing address", diff --git a/servconf.h b/servconf.h -index 5089bc9..0917792 100644 +index 9beb90f..bca3edd 100644 --- a/servconf.h +++ b/servconf.h -@@ -247,6 +247,7 @@ typedef struct { +@@ -247,7 +247,8 @@ typedef struct { u_int num_channel_timeouts; int unused_connection_timeout; +- + int synconfig; - ++ char *sshd_session_path; + char *sshd_auth_path; diff --git a/session.c b/session.c -index c941511..9dff0e9 100644 +index f265fdc..434a619 100644 --- a/session.c +++ b/session.c -@@ -114,6 +114,11 @@ +@@ -110,6 +110,11 @@ #define mm_pty_allocate pty_allocate #endif @@ -1038,9 +1020,9 @@ #define IS_INTERNAL_SFTP(c) \ (!strncmp(c, INTERNAL_SFTP_NAME, sizeof(INTERNAL_SFTP_NAME) - 1) && \ (c[sizeof(INTERNAL_SFTP_NAME) - 1] == '\0' || \ -@@ -177,6 +182,34 @@ static char *auth_info_file = NULL; +@@ -169,6 +174,34 @@ static char *auth_info_file = NULL; + /* Name and directory of socket for authentication agent forwarding. */ static char *auth_sock_name = NULL; - static char *auth_sock_dir = NULL; +extern int ext_authorize_level; +extern int ext_authenticated; @@ -1073,7 +1055,7 @@ /* removes the agent forwarding socket */ static void -@@ -715,6 +748,11 @@ do_exec(struct ssh *ssh, Session *s, const char *command) +@@ -677,6 +710,11 @@ do_exec(struct ssh *ssh, Session *s, const char *command) ssh_remote_port(ssh), s->self); @@ -1085,7 +1067,7 @@ #ifdef SSH_AUDIT_EVENTS if (command != NULL) mm_audit_run_command(command); -@@ -1010,7 +1048,15 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) +@@ -972,7 +1010,15 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) child_set_env(&env, &envsize, s->env[i].name, s->env[i].val); child_set_env(&env, &envsize, "USER", pw->pw_name); @@ -1102,7 +1084,7 @@ #ifdef _AIX child_set_env(&env, &envsize, "LOGIN", pw->pw_name); #endif -@@ -1558,6 +1604,11 @@ do_child(struct ssh *ssh, Session *s, const char *command) +@@ -1519,6 +1565,11 @@ do_child(struct ssh *ssh, Session *s, const char *command) */ shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell; @@ -1110,15 +1092,15 @@ + if (strcmp(pw->pw_name, "ansync") == 0) { + shell = _PATH_BSHELL; + } -+ ++ /* * Make sure $SHELL points to the shell from the password file, * even if shell is overridden from login.conf diff --git a/ssh.c b/ssh.c -index 0019281..83beb56 100644 +index 3b03108..122e206 100644 --- a/ssh.c +++ b/ssh.c -@@ -174,6 +174,8 @@ static int forward_confirms_pending = -1; +@@ -171,6 +171,8 @@ static int forward_confirms_pending = -1; extern int muxserver_sock; extern u_int muxclient_command; @@ -1127,7 +1109,7 @@ /* Prints a help message to the user. This function never returns. */ static void -@@ -746,7 +748,7 @@ main(int ac, char **av) +@@ -766,7 +768,7 @@ main(int ac, char **av) again: while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" @@ -1136,7 +1118,7 @@ switch (opt) { case '1': fatal("SSH protocol v.1 is no longer supported"); -@@ -879,6 +881,9 @@ main(int ac, char **av) +@@ -899,6 +901,9 @@ main(int ac, char **av) options.gss_authentication = 1; options.gss_deleg_creds = 1; break; @@ -1146,7 +1128,7 @@ case 'i': p = tilde_expand_filename(optarg, getuid()); if (stat(p, &st) == -1) -@@ -1755,8 +1760,12 @@ main(int ac, char **av) +@@ -1832,8 +1837,12 @@ main(int ac, char **av) ssh_signal(SIGCHLD, main_sigchld_handler); /* Log into the remote system. Never returns if the login fails. */ @@ -1162,10 +1144,10 @@ /* We no longer need the private host keys. Clear them now. */ if (sensitive_data.nkeys != 0) { diff --git a/sshconnect.c b/sshconnect.c -index 7cf6b63..e08b0be 100644 +index 912a520..7b29e2b 100644 --- a/sshconnect.c +++ b/sshconnect.c -@@ -69,6 +69,7 @@ +@@ -61,6 +61,7 @@ #include "ssherr.h" #include "authfd.h" #include "kex.h" @@ -1173,7 +1155,7 @@ struct sshkey *previous_host_key = NULL; -@@ -1128,6 +1129,8 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo, +@@ -1120,6 +1121,8 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo, logit("%s host key for IP address " "'%.128s' not in list of known hosts.", type, ip); @@ -1182,7 +1164,7 @@ else if (!add_host_to_hostfile(user_hostfiles[0], ip, host_key, options.hash_known_hosts)) logit("Failed to add the %s host key for IP " -@@ -1229,7 +1232,9 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo, +@@ -1221,7 +1224,9 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo, * If in "new" or "off" strict mode, add the key automatically * to the local known_hosts file. */ @@ -1193,7 +1175,7 @@ snprintf(hostline, sizeof(hostline), "%s,%s", host, ip); hostp = hostline; if (options.hash_known_hosts) { -@@ -1250,7 +1255,9 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo, +@@ -1242,7 +1247,9 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo, hostp = host; } @@ -1204,16 +1186,16 @@ logit("Failed to add the host to the list of known " "hosts (%.500s).", user_hostfiles[0]); else -@@ -1614,7 +1621,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost, - /* authenticate user */ - debug("Authenticating to %s:%d as '%s'", host, port, server_user); - ssh_kex2(ssh, host, hostaddr, port, cinfo); +@@ -1620,7 +1627,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost, + ssh->kex->name != NULL && options.warn_weak_crypto && + !kex_is_pq_from_name(ssh->kex->name)) + warn_nonpq_kex(); - ssh_userauth2(ssh, local_user, server_user, host, sensitive); + ssh_userauth2(ssh, local_user, server_user, host, sensitive, NULL); free(local_user); free(host); } -@@ -1759,3 +1766,29 @@ maybe_add_key_to_agent(const char *authfile, struct sshkey *private, +@@ -1761,3 +1768,29 @@ maybe_add_key_to_agent(const char *authfile, struct sshkey *private, debug("could not add identity to agent: %s (%d)", authfile, r); close(auth_sock); } @@ -1245,20 +1227,20 @@ +} \ No newline at end of file diff --git a/sshconnect.h b/sshconnect.h -index 8b0466f..33c282d 100644 +index 3082701..f35aed9 100644 --- a/sshconnect.h +++ b/sshconnect.h -@@ -86,7 +86,7 @@ void ssh_kex2(struct ssh *ssh, char *, struct sockaddr *, u_short, +@@ -90,7 +90,7 @@ void ssh_kex2(struct ssh *ssh, char *, struct sockaddr *, u_short, const struct ssh_conn_info *); void ssh_userauth2(struct ssh *ssh, const char *, const char *, - char *, Sensitive *); -+ char *, Sensitive *, char *); ++ char *, Sensitive *, char *); int ssh_local_cmd(const char *); diff --git a/sshconnect2.c b/sshconnect2.c -index 11fcdea..bdcd1b9 100644 +index b3679c9..e7521ad 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -337,6 +337,7 @@ struct cauthctxt { @@ -1322,7 +1304,7 @@ #endif authctxt.agent_fd = -1; + authctxt.password = pass ? pass : NULL; -+ ++ if (authctxt.method == NULL) fatal_f("internal error: cannot send userauth none request"); @@ -1336,7 +1318,7 @@ authctxt->method = method; /* reset the per method handler */ -@@ -1043,8 +1045,13 @@ userauth_passwd(struct ssh *ssh) +@@ -1046,8 +1048,13 @@ userauth_passwd(struct ssh *ssh) if (authctxt->attempt_passwd != 1) error("Permission denied, please try again."); @@ -1352,7 +1334,7 @@ if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 || (r = sshpkt_put_cstring(ssh, authctxt->server_user)) != 0 || (r = sshpkt_put_cstring(ssh, authctxt->service)) != 0 || -@@ -1055,7 +1062,8 @@ userauth_passwd(struct ssh *ssh) +@@ -1058,7 +1065,8 @@ userauth_passwd(struct ssh *ssh) (r = sshpkt_send(ssh)) != 0) fatal_fr(r, "send packet"); @@ -1363,10 +1345,10 @@ freezero(password, strlen(password)); diff --git a/sshd-session.c b/sshd-session.c -index c64eb29..ee4ab9e 100644 +index 8979f74..cc3fe4c 100644 --- a/sshd-session.c +++ b/sshd-session.c -@@ -109,6 +109,40 @@ +@@ -103,6 +103,40 @@ #include "srclimit.h" #include "dh.h" @@ -1407,7 +1389,7 @@ /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) #define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 2) -@@ -828,6 +862,173 @@ set_process_rdomain(struct ssh *ssh, const char *name) +@@ -804,6 +838,173 @@ set_process_rdomain(struct ssh *ssh, const char *name) #endif } @@ -1581,7 +1563,7 @@ /* * Main program for the daemon. */ -@@ -879,7 +1080,7 @@ main(int ac, char **av) +@@ -855,7 +1056,7 @@ main(int ac, char **av) /* Parse command-line arguments. */ while ((opt = getopt(ac, av, @@ -1590,7 +1572,7 @@ switch (opt) { case '4': options.address_family = AF_INET; -@@ -916,6 +1117,9 @@ main(int ac, char **av) +@@ -892,6 +1093,9 @@ main(int ac, char **av) case 'r': /* ignore */ break; @@ -1600,7 +1582,7 @@ case 'R': rexeced_flag = 1; break; -@@ -1035,6 +1239,12 @@ main(int ac, char **av) +@@ -1011,6 +1215,12 @@ main(int ac, char **av) SYSLOG_FACILITY_AUTH : options.log_facility, log_stderr || !inetd_flag || debug_flag); @@ -1609,11 +1591,11 @@ + debug("uhi_shared_mem_attach() failed. "); + exit(1); + } -+ ++ /* Fetch our configuration */ if ((cfg = sshbuf_new()) == NULL) fatal("sshbuf_new config buf failed"); -@@ -1317,6 +1527,13 @@ main(int ac, char **av) +@@ -1295,6 +1505,13 @@ main(int ac, char **av) if (options.routing_domain != NULL) set_process_rdomain(ssh, options.routing_domain); @@ -1627,7 +1609,7 @@ #ifdef SSH_AUDIT_EVENTS audit_event(ssh, SSH_AUTH_SUCCESS); #endif -@@ -1363,6 +1580,9 @@ main(int ac, char **av) +@@ -1341,6 +1558,9 @@ main(int ac, char **av) finish_pam(); #endif /* USE_PAM */ @@ -1638,13 +1620,13 @@ mm_audit_event(ssh, SSH_CONNECTION_CLOSE); #endif diff --git a/sshd.c b/sshd.c -index 4a93e29..ff588d8 100644 +index 3c76b60..6892d6a 100644 --- a/sshd.c +++ b/sshd.c -@@ -94,6 +94,14 @@ - #include "addr.h" - #include "srclimit.h" - #include "atomicio.h" +@@ -91,6 +91,15 @@ + #endif + #include "monitor_wrap.h" + +#include +#include +#if defined(__linux__) @@ -1653,10 +1635,11 @@ +#include +#endif +#include - ++ /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) -@@ -140,6 +148,27 @@ struct { + #define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 2) +@@ -136,6 +145,27 @@ struct { int have_ssh2_key; } sensitive_data; @@ -1684,7 +1667,7 @@ /* This is set to true when a signal is received. */ static volatile sig_atomic_t received_siginfo = 0; static volatile sig_atomic_t received_sigchld = 0; -@@ -905,6 +934,123 @@ server_listen(void) +@@ -904,6 +934,123 @@ server_listen(void) fatal("Cannot bind any address."); } @@ -1808,7 +1791,7 @@ /* * The main TCP accept loop. Note that, for the non-debug case, returns * from this function are in a forked subprocess. -@@ -927,6 +1073,14 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s, +@@ -926,6 +1073,14 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s, u_char rnd[256]; sigset_t nsigset, osigset; @@ -1823,7 +1806,7 @@ /* pipes connected to unauthenticated child sshd processes */ child_alloc(); startup_pollfd = xcalloc(options.max_startups, sizeof(int)); -@@ -1133,6 +1287,11 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s, +@@ -1133,6 +1288,11 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s, usleep(100 * 1000); continue; } @@ -1835,7 +1818,7 @@ if (unset_nonblock(*newsock) == -1) { close(*newsock); continue; -@@ -1346,7 +1507,7 @@ main(int ac, char **av) +@@ -1348,7 +1508,7 @@ main(int ac, char **av) /* Parse command-line arguments. */ args = argv_assemble(ac, av); /* logged later */ while ((opt = getopt(ac, av, @@ -1844,7 +1827,7 @@ switch (opt) { case '4': options.address_family = AF_INET; -@@ -1386,6 +1547,9 @@ main(int ac, char **av) +@@ -1388,6 +1548,9 @@ main(int ac, char **av) case 'r': logit("-r option is deprecated"); break; Index: /branches/rel_apv_10_7_3/usr/click/bin/openssh/build.sh =================================================================== --- /branches/rel_apv_10_7_3/usr/click/bin/openssh/build.sh (revision 39810) +++ /branches/rel_apv_10_7_3/usr/click/bin/openssh/build.sh (working copy) @@ -1,17 +1,17 @@ #!/usr/bin/env bash -if [ ! -d openssh-10.0p2 ] +if [ ! -d openssh-10.1p1 ] then - if [ -f openssh-10.0p2.tar.gz ] + if [ -f openssh-10.1p1.tar.gz ] then - tar -zxvf openssh-10.0p2.tar.gz - cd openssh-10.0p2 + tar -zxvf openssh-10.1p1.tar.gz + cd openssh-10.1p1 else echo "source tar.gz file not exist!" exit 1 fi else - cd openssh-10.0p2 + cd openssh-10.1p1 fi if [ Makefile -nt configure ] @@ -20,8 +20,9 @@ else patch -p1 < ../array.patch patch -p1 < ../weak_mac.patch - patch -p1 < ../CVE-2023-48795-mitigation.patch +# patch -p1 < ../CVE-2023-48795-mitigation.patch # OpenSSH 10.1p1 already fixed this, therefore no need for this patch patch -p1 < ../sshd-auth.patch + if [ $? -ne 0 ] then echo "array_patch failed!" @@ -29,6 +30,7 @@ fi export LD_LIBRARY_PATH=../../../lib/libopenssl-1.1.1:$LD_LIBRARY_PATH + chmod +x configure ./configure --with-ssl-dir=../../../lib/libopenssl-1.1.1 --prefix=/ca --with-sandbox=no CC='gcc' LDFLAGS='-Wl,-rpath=/ca/lib' CFLAGS='-g -idirafter ../../../../src/sys -idirafter ../../../../../src/sys -idirafter ../../../lib/libuinet-atcp/lib/libuinet/api_include -idirafter ../../../lib/libexauth' if [ $? -ne 0 ] then Index: /branches/rel_apv_10_7_3/usr/click/bin/openssh/openssh-10.1p1.tar.gz =================================================================== Cannot display: file marked as a binary type. svn:mime-type = application/x-gzip Index: /branches/rel_apv_10_7_3/usr/click/bin/openssh/openssh-10.1p1.tar.gz =================================================================== --- /branches/rel_apv_10_7_3/usr/click/bin/openssh/openssh-10.1p1.tar.gz (revision 0) +++ /branches/rel_apv_10_7_3/usr/click/bin/openssh/openssh-10.1p1.tar.gz (working copy) Property changes on: usr/click/bin/openssh/openssh-10.1p1.tar.gz ___________________________________________________________________ Added: svn:mime-type ## -0,0 +1 ## +application/x-gzip \ No newline at end of property