<pre style='margin:0'>
Mihai Moldovan (Ionic) pushed a commit to branch master
in repository macports-ports.
</pre>
<p><a href="https://github.com/macports/macports-ports/commit/4adcdc8b8e606bb55f83b33a2c60362292a99066">https://github.com/macports/macports-ports/commit/4adcdc8b8e606bb55f83b33a2c60362292a99066</a></p>
<pre style="white-space: pre; background: #F8F8F8"><span style='display:block; white-space:pre;color:#808000;'>commit 4adcdc8b8e606bb55f83b33a2c60362292a99066
</span>Author: Mihai Moldovan &lt;ionic@ionic.de&gt;
AuthorDate: Fri Nov 8 23:15:57 2019 +0100
<span style='display:block; white-space:pre;color:#404040;'> net/openssh: fix sshd failure in non-debug mode. Revbump.
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> This commit message is essentially just a copy of the source code comment.
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> ssh_sandbox_child() has the side-effect of disabling opening new files.
</span><span style='display:block; white-space:pre;color:#404040;'> This is a security precaution to prevent the child process from leaking
</span><span style='display:block; white-space:pre;color:#404040;'> data or opening new sockets, but clashes with newer OpenSSL
</span><span style='display:block; white-space:pre;color:#404040;'> implementations.
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> Generally, OpenSSL wants to read new entropy from the system for each
</span><span style='display:block; white-space:pre;color:#404040;'> reseeding operation (and, by extension, through any operation that might
</span><span style='display:block; white-space:pre;color:#404040;'> trigger an internal reseeding, like requesting random bytes).
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> The current OpenSSL port only enables the default set of system entropy
</span><span style='display:block; white-space:pre;color:#404040;'> - which means reading in data from crypto devices like /dev/{,u,s}random
</span><span style='display:block; white-space:pre;color:#404040;'> and /dev/hwrng.
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> To speed things up, OpenSSL tries to open file descriptors to the listed
</span><span style='display:block; white-space:pre;color:#404040;'> devices and caches the result, i.e., the open file descriptor. Those are
</span><span style='display:block; white-space:pre;color:#404040;'> normally kept open UNLESS a reading error occurred OR no random bytes
</span><span style='display:block; white-space:pre;color:#404040;'> were returned.
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> In a quite scary move, OpenSSL versions prior to 1.1.1 didn't fail when
</span><span style='display:block; white-space:pre;color:#404040;'> getting system entropy wasn't successful and also added some
</span><span style='display:block; white-space:pre;color:#404040;'> "pseudo-random" data like the PID, user id and current time to the
</span><span style='display:block; white-space:pre;color:#404040;'> entropy pool, which was often enough to seed the PRNG.
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> More recent versions have a rewritten PRNG/DRBG core and, crucially,
</span><span style='display:block; white-space:pre;color:#404040;'> stricter rules when it comes to acquiring system entropy - this is now
</span><span style='display:block; white-space:pre;color:#404040;'> strictly required and no other data is mixed into the pool.
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> OpenSSH generally tries (or intends) to leave crypto devices (which
</span><span style='display:block; white-space:pre;color:#404040;'> should be one of the earliest open devices) alone and not close their FD on
</span><span style='display:block; white-space:pre;color:#404040;'> re-exec, but that doesn't seem to work. Although OpenSSL is initialized
</span><span style='display:block; white-space:pre;color:#404040;'> very early in the main() call chain, which SHOULD lead to open file
</span><span style='display:block; white-space:pre;color:#404040;'> descriptors to crypto devices, on a typical OS X/macOS system,
</span><span style='display:block; white-space:pre;color:#404040;'> /dev/urandom is opened as FD 6, which is above any FD that would be
</span><span style='display:block; white-space:pre;color:#404040;'> preserved after a re-exec operation.
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> This leads to the child process having no open file descriptors to
</span><span style='display:block; white-space:pre;color:#404040;'> /dev/urandom, activating the sandbox, setting the number of open files
</span><span style='display:block; white-space:pre;color:#404040;'> to zero and subsequently effectively breaking OpenSSL 1.1.1+.
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> We'll work around that by reseeding the PRNGs before enabling the
</span><span style='display:block; white-space:pre;color:#404040;'> sandbox, which has the side-effect of opening a file descriptor to
</span><span style='display:block; white-space:pre;color:#404040;'> /dev/urandom and keeping it open.
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> There is a slight catch: errors in reading from the FD or a read count
</span><span style='display:block; white-space:pre;color:#404040;'> of zero (i.e., the device not returning any data) will lead to the FD
</span><span style='display:block; white-space:pre;color:#404040;'> being closed again without a way to be re-opened.
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> We can take this risk, as this should realistically not happen. Even if
</span><span style='display:block; white-space:pre;color:#404040;'> it does, that only means that the child process will fail to read random
</span><span style='display:block; white-space:pre;color:#404040;'> data and hence terminate with an error - showing the same symptoms the
</span><span style='display:block; white-space:pre;color:#404040;'> workaround is intended to fix, but nothing worse.
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> Fixes: https://trac.macports.org/ticket/59497
</span>---
net/openssh/Portfile | 2 +-
...ssh-8.1p1-gsskex-all-20141021-mp-20191015.patch | 164 ++++++++++-----------
net/openssh/files/openssh-8.1p1-hpnssh14v18.diff | 116 +++++++--------
.../patch-sshd.c-apple-sandbox-named-external.diff | 66 ++++++++-
4 files changed, 205 insertions(+), 143 deletions(-)
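The failure mode the commit message describes, as an added example that is not part of the MacPorts commit or of OpenSSH itself (the device path, flag names and helper functions are mine): a forked child opens /dev/urandom, drops RLIMIT_NOFILE to zero the way sshd's ssh_sandbox_child() does, and then shows that a fresh open() is refused while the descriptor cached before the sandbox still yields random bytes.

```c
/* Added example, not code from the commit or from OpenSSH. Demonstrates why a
 * /dev/urandom descriptor opened BEFORE the sandbox survives RLIMIT_NOFILE=0,
 * while any open() attempted AFTER it fails. The experiment runs in a forked
 * child so the caller's own resource limits are left untouched. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result flags the child hands back through its exit status (constructed names). */
enum {
    PRE_OPEN_OK      = 1 << 0, /* open() before the sandbox succeeded            */
    POST_OPEN_FAILED = 1 << 1, /* open() after RLIMIT_NOFILE=0 was refused        */
    CACHED_READ_OK   = 1 << 2, /* read() on the pre-sandbox descriptor still works */
    CHILD_ERROR      = 1 << 7  /* fork()/setrlimit() problem: results are invalid */
};

/* The part of the sshd sandbox that matters here: no new file descriptors. */
static int sandbox_nofile_zero(void) {
    struct rlimit rl_zero = { 0, 0 };
    return setrlimit(RLIMIT_NOFILE, &rl_zero);
}

/* Runs the experiment on `device` in a child; returns a bitmask of the flags above. */
int run_sandbox_experiment(const char *device) {
    pid_t pid = fork();
    if (pid < 0)
        return CHILD_ERROR;

    if (pid == 0) {
        int flags = 0;
        unsigned char buf[32];

        /* Stand-in for the entropy fd OpenSSL caches when it seeds early. */
        int fd = open(device, O_RDONLY);
        if (fd >= 0)
            flags |= PRE_OPEN_OK;

        if (sandbox_nofile_zero() != 0)
            _exit(CHILD_ERROR);

        /* Without a cached fd this is what OpenSSL 1.1.1+ runs into: open()
         * now fails (typically EMFILE), and there is no fallback entropy. */
        int fd2 = open(device, O_RDONLY);
        if (fd2 < 0)
            flags |= POST_OPEN_FAILED;
        else
            close(fd2);

        /* The descriptor opened before the sandbox keeps working: this is why
         * reseeding before ssh_sandbox_child() is enough. */
        if (fd >= 0 && read(fd, buf, sizeof buf) == (ssize_t)sizeof buf)
            flags |= CACHED_READ_OK;

        _exit(flags);
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return CHILD_ERROR;
    return WEXITSTATUS(status);
}

int main(void) {
    int r = run_sandbox_experiment("/dev/urandom");
    printf("open() before sandbox : %s\n", (r & PRE_OPEN_OK) ? "ok" : "FAILED");
    printf("open() after sandbox  : %s\n", (r & POST_OPEN_FAILED) ? "refused" : "allowed?!");
    printf("read() on cached fd   : %s\n", (r & CACHED_READ_OK) ? "ok" : "FAILED");
    return r == (PRE_OPEN_OK | POST_OPEN_FAILED | CACHED_READ_OK) ? 0 : 1;
}
```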
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/Portfile b/net/openssh/Portfile
</span><span style='display:block; white-space:pre;color:#808080;'>index 4c7853d..857ede6 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -6,7 +6,7 @@ PortGroup compiler_blacklist_versions 1.0
</span>
name openssh
version 8.1p1
<span style='display:block; white-space:pre;background:#ffe0e0;'>-revision 6
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+revision 7
</span> categories net
platforms darwin
maintainers nomaintainer
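Review bot: the revision bump from 6 to 7 is the right call here, since the behavioural change lives entirely in files/ patches, which alter neither the version nor the distfile checksums; without it, users already on revision 6 would never rebuild and keep the broken sshd.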
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/openssh-8.1p1-gsskex-all-20141021-mp-20191015.patch b/net/openssh/files/openssh-8.1p1-gsskex-all-20141021-mp-20191015.patch
</span><span style='display:block; white-space:pre;color:#808080;'>index 08cae5f..4a5502a 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/files/openssh-8.1p1-gsskex-all-20141021-mp-20191015.patch
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/openssh-8.1p1-gsskex-all-20141021-mp-20191015.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -89,7 +89,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> create mode 100644 kexgsss.c
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ChangeLog.gssapi 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ChangeLog.gssapi 2019-11-08 15:37:23.000000000 +0100
</span> @@ -0,0 +1,113 @@
+20110101
+ - Finally update for OpenSSH 5.6p1
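Review bot: the only change in this hunk, and in the following hunks of this file, is the timestamp in the embedded `+++ b/ChangeLog.gssapi` style headers, which is churn from regenerating the patch rather than a functional change; producing the embedded patch without timestamps (for example with `git diff`, which emits none) would keep future updates of the gsskex patch limited to the hunks that actually moved.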
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -204,8 +204,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + add support for GssapiTrustDns option for gssapi-with-mic
+ (from jbasney AT ncsa.uiuc.edu)
+ <gssapi-with-mic support is Bugzilla #1008>
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/Makefile.in 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/Makefile.in 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/Makefile.in 2019-11-08 15:37:14.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/Makefile.in 2019-11-08 15:37:23.000000000 +0100
</span> @@ -87,6 +87,7 @@ LIBOPENSSH_OBJS=\
LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -231,8 +231,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o sftp-realpath.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth-krb5.c 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth-krb5.c 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth-krb5.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth-krb5.c 2019-11-08 15:37:23.000000000 +0100
</span> @@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, c
len = strlen(authctxt->krb5_ticket_file) + 6;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -280,8 +280,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span>
return (krb5_cc_resolve(ctx, ccname, ccache));
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth2-gss.c 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth2-gss.c 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth2-gss.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth2-gss.c 2019-11-08 15:37:23.000000000 +0100
</span> @@ -1,7 +1,7 @@
/* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -373,8 +373,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> Authmethod method_gssapi = {
"gssapi-with-mic",
userauth_gssapi,
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth2.c 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth2.c 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth2.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth2.c 2019-11-08 15:37:23.000000000 +0100
</span> @@ -73,6 +73,7 @@ extern Authmethod method_passwd;
extern Authmethod method_kbdint;
extern Authmethod method_hostbased;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -391,8 +391,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> &method_gssapi,
#endif
&method_passwd,
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/clientloop.c 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/clientloop.c 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/clientloop.c 2019-11-08 14:18:24.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/clientloop.c 2019-11-08 15:37:23.000000000 +0100
</span> @@ -112,6 +112,10 @@
#include "ssherr.h"
#include "hostfile.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -424,8 +424,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> /* Buffer input from the connection. */
client_process_net_input(ssh, readset);
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/config.h.in 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/config.h.in 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/config.h.in 2019-10-09 02:39:34.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/config.h.in 2019-11-08 15:37:23.000000000 +0100
</span> @@ -1884,6 +1884,9 @@
/* Use btmp to log bad logins */
#undef USE_BTMP
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -446,8 +446,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> /* Define if you have Solaris process contracts */
#undef USE_SOLARIS_PROCESS_CONTRACTS
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/configure.ac 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/configure.ac 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/configure.ac 2019-11-08 15:37:14.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/configure.ac 2019-11-08 15:37:23.000000000 +0100
</span> @@ -667,6 +667,30 @@ main() { if (NSVersionOfRunTimeLibrary("
[Use tunnel device compatibility to OpenBSD])
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -479,8 +479,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> m4_pattern_allow([AU_IPv])
AC_CHECK_DECL([AU_IPv4],
AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/gss-genr.c 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/gss-genr.c 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/gss-genr.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/gss-genr.c 2019-11-08 15:37:23.000000000 +0100
</span> @@ -1,7 +1,7 @@
/* $OpenBSD: gss-genr.c,v 1.26 2018/07/10 09:13:30 djm Exp $ */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -857,8 +857,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> +}
+
#endif /* GSSAPI */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/gss-serv-krb5.c 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/gss-serv-krb5.c 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/gss-serv-krb5.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/gss-serv-krb5.c 2019-11-08 15:37:23.000000000 +0100
</span> @@ -1,7 +1,7 @@
/* $OpenBSD: gss-serv-krb5.c,v 1.9 2018/07/09 21:37:55 markus Exp $ */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -995,8 +995,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> };
#endif /* KRB5 */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/gss-serv.c 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/gss-serv.c 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/gss-serv.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/gss-serv.c 2019-11-08 15:37:23.000000000 +0100
</span> @@ -1,7 +1,7 @@
/* $OpenBSD: gss-serv.c,v 1.31 2018/07/09 21:37:55 markus Exp $ */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1293,8 +1293,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> }
/* Privileged */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/kex.c 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kex.c 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/kex.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kex.c 2019-11-08 15:37:23.000000000 +0100
</span> @@ -55,11 +55,16 @@
#include "misc.h"
#include "dispatch.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1415,8 +1415,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> free(kex->failed_choice);
free(kex->hostkey_alg);
free(kex->name);
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/kex.h 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kex.h 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/kex.h 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kex.h 2019-11-08 15:37:23.000000000 +0100
</span> @@ -102,6 +102,15 @@ enum kex_exchange {
KEX_ECDH_SHA2,
KEX_C25519_SHA256,
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1482,7 +1482,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
__attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kexgssc.c 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kexgssc.c 2019-11-08 15:37:23.000000000 +0100
</span> @@ -0,0 +1,405 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1890,7 +1890,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> +
+#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kexgsss.c 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kexgsss.c 2019-11-08 15:37:23.000000000 +0100
</span> @@ -0,0 +1,345 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2237,8 +2237,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + return r;
+}
+#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/monitor.c 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/monitor.c 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/monitor.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/monitor.c 2019-11-08 15:37:23.000000000 +0100
</span> @@ -147,6 +147,8 @@ int mm_answer_gss_setup_ctx(struct ssh *
int mm_answer_gss_accept_ctx(struct ssh *, int, struct sshbuf *);
int mm_answer_gss_userok(struct ssh *, int, struct sshbuf *);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2469,8 +2469,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> +
#endif /* GSSAPI */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/monitor.h 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/monitor.h 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/monitor.h 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/monitor.h 2019-11-08 15:37:23.000000000 +0100
</span> @@ -63,6 +63,9 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2481,8 +2481,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> };
struct ssh;
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/monitor_wrap.c 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/monitor_wrap.c 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/monitor_wrap.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/monitor_wrap.c 2019-11-08 15:37:23.000000000 +0100
</span> @@ -978,13 +978,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2558,8 +2558,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> +}
+
#endif /* GSSAPI */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/monitor_wrap.h 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/monitor_wrap.h 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/monitor_wrap.h 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/monitor_wrap.h 2019-11-08 15:37:23.000000000 +0100
</span> @@ -63,8 +63,10 @@ int mm_sshkey_verify(const struct sshkey
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2572,8 +2572,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> #endif
#ifdef USE_PAM
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/readconf.c 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/readconf.c 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/readconf.c 2019-11-08 15:37:14.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/readconf.c 2019-11-08 15:37:23.000000000 +0100
</span> @@ -67,6 +67,7 @@
#include "uidswap.h"
#include "myproposal.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2704,8 +2704,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> #endif /* GSSAPI */
dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/readconf.h 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/readconf.h 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/readconf.h 2019-11-08 15:37:14.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/readconf.h 2019-11-08 15:37:23.000000000 +0100
</span> @@ -40,7 +40,13 @@ typedef struct {
int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2720,8 +2720,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/servconf.c 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/servconf.c 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/servconf.c 2019-11-08 14:18:25.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/servconf.c 2019-11-08 15:37:23.000000000 +0100
</span> @@ -64,6 +64,7 @@
#include "auth.h"
#include "myproposal.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2837,8 +2837,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> #endif
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
dump_cfg_fmtint(sKbdInteractiveAuthentication,
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/servconf.h 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/servconf.h 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/servconf.h 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/servconf.h 2019-11-08 15:37:23.000000000 +0100
</span> @@ -126,8 +126,11 @@ typedef struct {
int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2851,8 +2851,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> int password_authentication; /* If true, permit password
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh-gss.h 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh-gss.h 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh-gss.h 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh-gss.h 2019-11-08 15:37:23.000000000 +0100
</span> @@ -1,6 +1,6 @@
/* $OpenBSD: ssh-gss.h,v 1.14 2018/07/10 09:13:30 djm Exp $ */
/*
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2969,8 +2969,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> #endif /* GSSAPI */
#endif /* _SSH_GSS_H */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh_config 2019-10-17 01:07:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh_config 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh_config 2019-11-08 15:37:17.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh_config 2019-11-08 15:37:23.000000000 +0100
</span> @@ -24,6 +24,8 @@ Host *
# HostbasedAuthentication no
# GSSAPIAuthentication no
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2980,8 +2980,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> # BatchMode no
# CheckHostIP yes
# AddressFamily any
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh_config.5 2019-10-17 01:11:33.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh_config.5 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh_config.5 2019-11-08 15:37:17.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh_config.5 2019-11-08 15:37:23.000000000 +0100
</span> @@ -1,4 +1,4 @@
-.\"
+kex-gss\n.\"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3055,8 +3055,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> .It Cm HashKnownHosts
Indicates that
.Xr ssh 1
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshconnect2.c 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshconnect2.c 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshconnect2.c 2019-11-08 15:37:14.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshconnect2.c 2019-11-08 15:37:23.000000000 +0100
</span> @@ -77,14 +77,13 @@
#include "keychain.h"
int found_in_keychain = 0;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3288,8 +3288,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> #endif /* GSSAPI */
static int
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd.c 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd.c 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd.c 2019-11-08 15:36:59.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd.c 2019-11-08 15:37:23.000000000 +0100
</span> @@ -123,6 +123,10 @@
#include "version.h"
#include "ssherr.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3301,7 +3301,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> /* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -803,8 +807,8 @@ notify_hostkeys(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -865,8 +869,8 @@ notify_hostkeys(struct ssh *ssh)
</span> }
debug3("%s: sent %u hostkeys", __func__, nkeys);
if (nkeys == 0)
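Review bot: both sides of the nested hunk header shift by 62 lines (803 to 865, 807 to 869), and the same +62 offset appears in every later sshd.c hunk; this is the footprint of the change already present in the base sshd.c, not anything this patch adds. Harmless as long as the patch order is fixed, but it means any edit to the sshd.c patch applied before this one forces another regeneration here.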
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3312,7 +3312,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> sshpkt_fatal(ssh, r, "%s: send", __func__);
sshbuf_free(buf);
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1780,7 +1784,8 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1842,7 +1846,8 @@ main(int ac, char **av)
</span> free(fp);
}
accumulate_host_timing_secret(cfg, NULL);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3322,7 +3322,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> logit("sshd: no hostkeys available -- exiting.");
exit(1);
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2076,6 +2081,60 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2138,6 +2143,60 @@ main(int ac, char **av)
</span> rdomain == NULL ? "" : "\"");
free(laddr);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3383,7 +3383,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> /*
* We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2272,6 +2331,48 @@ do_ssh2_kex(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2334,6 +2393,48 @@ do_ssh2_kex(struct ssh *ssh)
</span> myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
list_hostkey_types());
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3432,7 +3432,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> /* start key exchange */
if ((r = kex_setup(ssh, myproposal)) != 0)
fatal("kex_setup: %s", ssh_err(r));
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2287,7 +2388,18 @@ do_ssh2_kex(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2349,7 +2450,18 @@ do_ssh2_kex(struct ssh *ssh)
</span> # ifdef OPENSSL_HAS_ECC
kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
# endif
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3452,8 +3452,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> kex->kex[KEX_C25519_SHA256] = kex_gen_server;
kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;
kex->load_host_public_key=&get_hostkey_public_by_type;
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd_config 2019-10-17 01:12:36.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd_config 2019-10-17 01:16:01.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd_config 2019-11-08 15:37:17.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd_config 2019-11-08 15:37:23.000000000 +0100
</span> @@ -69,6 +69,8 @@ AuthorizedKeysFile .ssh/authorized_keys
# GSSAPI options
#GSSAPIAuthentication no
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3463,8 +3463,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span>
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd_config.5 2019-10-17 01:13:42.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd_config.5 2019-10-17 01:16:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd_config.5 2019-11-08 15:37:17.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd_config.5 2019-11-08 15:37:23.000000000 +0100
</span> @@ -659,6 +659,11 @@ The default is
Specifies whether user authentication based on GSSAPI is allowed.
The default is
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3508,8 +3508,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> .It Cm HostbasedAcceptedKeyTypes
Specifies the key types that will be accepted for hostbased authentication
as a list of comma-separated patterns.
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshkey.c 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshkey.c 2019-10-17 01:16:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshkey.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshkey.c 2019-11-08 15:37:23.000000000 +0100
</span> @@ -145,6 +145,7 @@ static const struct keytype keytypes[] =
# endif /* OPENSSL_HAS_NISTP521 */
# endif /* OPENSSL_HAS_ECC */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3527,8 +3527,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> continue;
if (!include_sigonly && kt->sigonly)
continue;
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshkey.h 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshkey.h 2019-10-17 01:16:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshkey.h 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshkey.h 2019-11-08 15:37:23.000000000 +0100
</span> @@ -65,6 +65,7 @@ enum sshkey_types {
KEY_ED25519_CERT,
KEY_XMSS,
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3537,8 +3537,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> KEY_UNSPEC
};
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth.c 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth.c 2019-10-17 01:16:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth.c 2019-11-08 15:37:23.000000000 +0100
</span> @@ -399,7 +399,8 @@ auth_root_allowed(struct ssh *ssh, const
case PERMIT_NO_PASSWD:
if (strcmp(method, "publickey") == 0 ||
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3671,7 +3671,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> * Returns pid on success, 0 on failure.
* The child stdout and stderr maybe captured, left attached or sent to
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth-compat.c 2019-10-17 01:16:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth-compat.c 2019-11-08 15:37:23.000000000 +0100
</span> @@ -0,0 +1,174 @@
+/*
+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3848,7 +3848,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + }
+}
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth-compat.h 2019-10-17 01:16:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth-compat.h 2019-11-08 15:37:23.000000000 +0100
</span> @@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3884,8 +3884,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> +const char *auth_get_canonical_hostname(struct ssh *, int);
+
+#endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth.h 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth.h 2019-10-17 01:16:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth.h 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth.h 2019-11-08 15:37:23.000000000 +0100
</span> @@ -40,6 +40,8 @@
#include <krb5.h>
#endif
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3904,8 +3904,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> HostStatus
check_key_in_hostfiles(struct passwd *, struct sshkey *, const char *,
const char *, const char *);
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/kexdh.c 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kexdh.c 2019-10-17 01:16:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/kexdh.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kexdh.c 2019-11-08 15:37:23.000000000 +0100
</span> @@ -48,13 +48,23 @@ kex_dh_keygen(struct kex *kex)
{
switch (kex->kex_type) {
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3930,8 +3930,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> kex->dh = dh_new_group16();
break;
case KEX_DH_GRP18_SHA512:
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/kexgen.c 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kexgen.c 2019-10-17 01:16:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/kexgen.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kexgen.c 2019-11-08 15:37:23.000000000 +0100
</span> @@ -44,7 +44,7 @@
static int input_kex_gen_init(int, u_int32_t, struct ssh *);
static int input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3941,8 +3941,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> kex_gen_hash(
int hash_alg,
const struct sshbuf *client_version,
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/session.c 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/session.c 2019-10-17 01:16:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/session.c 2019-11-08 15:37:14.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/session.c 2019-11-08 15:37:23.000000000 +0100
</span> @@ -2689,13 +2689,19 @@ do_cleanup(struct ssh *ssh, Authctxt *au
#ifdef KRB5
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3965,8 +3965,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> #endif
/* remove agent socket */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh.1 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh.1 2019-10-17 01:16:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh.1 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh.1 2019-11-08 15:37:23.000000000 +0100
</span> @@ -497,7 +497,13 @@ For full details of the options listed b
.It GatewayPorts
.It GlobalKnownHostsFile
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3990,8 +3990,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> .Ar key
(key types),
.Ar key-cert
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh.c 2019-10-17 01:02:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh.c 2019-10-17 01:16:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh.c 2019-11-08 15:37:23.000000000 +0100
</span> @@ -736,6 +736,8 @@ main(int ac, char **av)
cp = mac_alg_list('\n');
else if (strcmp(optarg, "kex") == 0)
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/openssh-8.1p1-hpnssh14v18.diff b/net/openssh/files/openssh-8.1p1-hpnssh14v18.diff
</span><span style='display:block; white-space:pre;color:#808080;'>index 97b7b8e..2715228 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/files/openssh-8.1p1-hpnssh14v18.diff
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/openssh-8.1p1-hpnssh14v18.diff
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1,5 +1,5 @@
</span> --- /dev/null 1970-01-01 00:00:00.000000000 +0000
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/HPN-README 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/HPN-README 2019-11-08 15:37:59.000000000 +0100
</span> @@ -0,0 +1,130 @@
+Notes:
+
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -131,8 +131,8 @@
</span> + (tasota@gmail.com) an NSF REU grant recipient for 2013.
+ This work was financed, in part, by Cisco System, Inc., the National
+ Library of Medicine, and the National Science Foundation.
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/Makefile.in 2019-10-17 01:16:59.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/Makefile.in 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/Makefile.in 2019-11-08 15:37:33.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/Makefile.in 2019-11-08 15:37:59.000000000 +0100
</span> @@ -43,7 +43,7 @@ LD=@LD@
CFLAGS=@CFLAGS@
OBJCFLAGS=@OBJCFLAGS@
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -151,8 +151,8 @@
</span> compat.o fatal.o hostfile.o \
log.o match.o moduli.o nchan.o packet.o \
readpass.o ttymodes.o xmalloc.o addrmatch.o \
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth2.c 2019-10-17 01:16:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth2.c 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth2.c 2019-11-08 15:37:33.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth2.c 2019-11-08 15:37:59.000000000 +0100
</span> @@ -58,6 +58,7 @@
#endif
#include "monitor_wrap.h"
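Review bot: the `a/` timestamps in this hunk (2019-11-08 15:37:33) post-date the `b/` timestamps of the preceding patch (15:37:23), which confirms the HPN patch is generated on top of a tree that already has the earlier patch applied. That ordering is recorded only in these timestamps, so the Portfile must keep the earlier patch ahead of the HPN patch, and a comment in the Portfile saying so would stop the next maintainer from regenerating them in the wrong order.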
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -183,7 +183,7 @@
</span>
if ((style = strchr(user, ':')) != NULL)
--- a/canohost.h 2019-10-09 02:31:03.000000000 +0200
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/canohost.h 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/canohost.h 2019-11-08 15:37:59.000000000 +0100
</span> @@ -19,7 +19,7 @@ char *get_peer_ipaddr(int);
int get_peer_port(int);
char *get_local_ipaddr(int);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -193,8 +193,8 @@
</span>
#endif /* _CANOHOST_H */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/channels.c 2019-10-17 01:16:54.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/channels.c 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/channels.c 2019-11-08 14:18:24.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/channels.c 2019-11-08 15:37:59.000000000 +0100
</span> @@ -220,6 +220,9 @@ static int rdynamic_connect_finish(struc
/* Setup helper */
static void channel_handler_init(struct ssh_channels *sc);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -356,8 +356,8 @@
</span> nc->single_connection = single_connection;
(*chanids)[n] = nc->self;
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/channels.h 2019-10-17 01:16:54.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/channels.h 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/channels.h 2019-11-08 14:18:24.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/channels.h 2019-11-08 15:37:59.000000000 +0100
</span> @@ -150,8 +150,10 @@ struct Channel {
u_int local_window_max;
u_int local_consumed;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -378,7 +378,7 @@
</span> +
#endif
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/cipher-ctr-mt.c 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/cipher-ctr-mt.c 2019-11-08 15:37:59.000000000 +0100
</span> @@ -0,0 +1,660 @@
+/*
+ * OpenSSH Multi-threaded AES-CTR Cipher
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1041,7 +1041,7 @@
</span> +
+#endif /* defined(WITH_OPENSSL) */
--- a/cipher.c 2019-10-09 02:31:03.000000000 +0200
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/cipher.c 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/cipher.c 2019-11-08 15:37:59.000000000 +0100
</span> @@ -51,6 +51,9 @@
#include "openbsd-compat/openssl-compat.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1115,7 +1115,7 @@
</span> return 0;
}
--- a/cipher.h 2019-10-09 02:31:03.000000000 +0200
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/cipher.h 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/cipher.h 2019-11-08 15:37:59.000000000 +0100
</span> @@ -50,7 +50,9 @@
struct sshcipher;
struct sshcipher_ctx;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1136,8 +1136,8 @@
</span>
u_int cipher_ctx_is_plaintext(struct sshcipher_ctx *);
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/clientloop.c 2019-10-17 01:16:54.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/clientloop.c 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/clientloop.c 2019-11-08 15:37:33.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/clientloop.c 2019-11-08 15:37:59.000000000 +0100
</span> @@ -1619,9 +1619,11 @@ client_request_x11(struct ssh *ssh, cons
sock = x11_connect_display(ssh);
if (sock < 0)
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1184,7 +1184,7 @@
</span> if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
channel_register_filter(ssh, c->self, sys_tun_infilter,
--- a/compat.c 2019-10-09 02:31:03.000000000 +0200
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/compat.c 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/compat.c 2019-11-08 15:37:59.000000000 +0100
</span> @@ -150,6 +150,13 @@ compat_datafellows(const char *version)
debug("match: %s pat %s compat 0x%08x",
version, check[i].pat, check[i].bugs);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1200,7 +1200,7 @@
</span> }
}
--- a/compat.h 2019-10-09 02:31:03.000000000 +0200
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/compat.h 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/compat.h 2019-11-08 15:37:59.000000000 +0100
</span> @@ -62,6 +62,7 @@
#define SSH_BUG_CURVE25519PAD 0x10000000
#define SSH_BUG_HOSTKEYS 0x20000000
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1209,8 +1209,8 @@
</span>
u_int compat_datafellows(const char *);
int proto_spec(const char *);
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/kex.c 2019-10-17 01:16:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kex.c 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/kex.c 2019-11-08 15:37:33.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kex.c 2019-11-08 15:37:59.000000000 +0100
</span> @@ -58,6 +58,7 @@
#include "ssherr.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1268,7 +1268,7 @@
</span> need = dh_need = 0;
for (mode = 0; mode < MODE_MAX; mode++) {
--- a/log.c 2019-10-09 02:31:03.000000000 +0200
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/log.c 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/log.c 2019-11-08 15:37:59.000000000 +0100
</span> @@ -46,6 +46,12 @@
#include <syslog.h>
#include <unistd.h>
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1283,7 +1283,7 @@
</span> # include <vis.h>
#endif
--- a/packet.c 2019-10-09 02:31:03.000000000 +0200
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/packet.c 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/packet.c 2019-11-08 15:37:59.000000000 +0100
</span> @@ -265,6 +265,9 @@ ssh_alloc_session_state(void)
return NULL;
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1427,7 +1427,7 @@
</span> + return ssh->state->send_context;
+}
--- a/packet.h 2019-10-09 02:31:03.000000000 +0200
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/packet.h 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/packet.h 2019-11-08 15:37:59.000000000 +0100
</span> @@ -86,6 +86,11 @@ struct ssh {
/* APP data */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1464,7 +1464,7 @@
</span> /* new API */
int sshpkt_start(struct ssh *ssh, u_char type);
--- a/progressmeter.c 2019-10-09 02:31:03.000000000 +0200
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/progressmeter.c 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/progressmeter.c 2019-11-08 15:37:59.000000000 +0100
</span> @@ -68,6 +68,8 @@ static const char *file; /* name of the
static off_t start_pos; /* initial position of transfer */
static off_t end_pos; /* ending position of transfer */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1526,8 +1526,8 @@
</span> }
/*ARGSUSED*/
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/readconf.c 2019-10-17 01:16:59.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/readconf.c 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/readconf.c 2019-11-08 15:37:33.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/readconf.c 2019-11-08 15:37:59.000000000 +0100
</span> @@ -67,6 +67,7 @@
#include "uidswap.h"
#include "myproposal.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1669,8 +1669,8 @@
</span> if (options->control_master == -1)
options->control_master = 0;
if (options->control_persist == -1) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/readconf.h 2019-10-17 01:16:59.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/readconf.h 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/readconf.h 2019-11-08 15:37:33.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/readconf.h 2019-11-08 15:37:59.000000000 +0100
</span> @@ -50,6 +50,10 @@ typedef struct {
int strict_host_key_checking; /* Strict host key checking. */
int compression; /* Compress packets in both directions. */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1695,7 +1695,7 @@
</span> int identities_only;
int server_alive_interval;
--- a/sandbox-seccomp-filter.c 2019-10-09 02:31:03.000000000 +0200
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sandbox-seccomp-filter.c 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sandbox-seccomp-filter.c 2019-11-08 15:37:59.000000000 +0100
</span> @@ -203,6 +203,9 @@ static const struct sock_filter preauth_
#ifdef __NR_geteuid32
SC_ALLOW(__NR_geteuid32),
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1717,7 +1717,7 @@
</span> SC_ALLOW(__NR_time),
#endif
--- a/scp.c 2019-10-09 02:31:03.000000000 +0200
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/scp.c 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/scp.c 2019-11-08 15:37:59.000000000 +0100
</span> @@ -1066,7 +1066,7 @@ source(int argc, char **argv)
off_t i, statbytes;
size_t amt, nr;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1727,8 +1727,8 @@
</span> int len;
for (indx = 0; indx < argc; ++indx) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/servconf.c 2019-10-17 01:16:55.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/servconf.c 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/servconf.c 2019-11-08 15:37:33.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/servconf.c 2019-11-08 15:37:59.000000000 +0100
</span> @@ -64,6 +64,7 @@
#include "auth.h"
#include "myproposal.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1867,8 +1867,8 @@
</span> case sHostbasedAuthentication:
intptr = &options->hostbased_authentication;
goto parse_flag;
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/servconf.h 2019-10-17 01:16:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/servconf.h 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/servconf.h 2019-11-08 15:37:33.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/servconf.h 2019-11-08 15:37:59.000000000 +0100
</span> @@ -183,6 +183,11 @@ typedef struct {
char *adm_forced_command;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1882,7 +1882,7 @@
</span> int permit_tun;
--- a/serverloop.c 2019-10-09 02:31:03.000000000 +0200
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/serverloop.c 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/serverloop.c 2019-11-08 15:37:59.000000000 +0100
</span> @@ -343,6 +343,7 @@ process_input(struct ssh *ssh, fd_set *r
!= 0)
fatal("%s: ssh_packet_process_incoming: %s",
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1927,7 +1927,7 @@
</span> debug("session open failed, free channel %d", c->self);
channel_free(ssh, c);
--- a/serverloop.h 2019-10-09 02:31:03.000000000 +0200
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/serverloop.h 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/serverloop.h 2019-11-08 15:37:59.000000000 +0100
</span> @@ -20,7 +20,6 @@
*/
#ifndef SERVERLOOP_H
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1936,8 +1936,8 @@
</span> struct ssh;
void server_loop2(struct ssh *, Authctxt *);
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/session.c 2019-10-17 01:16:59.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/session.c 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/session.c 2019-11-08 15:37:33.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/session.c 2019-11-08 15:37:59.000000000 +0100
</span> @@ -97,6 +97,7 @@
#include "sftp.h"
#include "atomicio.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1989,7 +1989,7 @@
</span>
/*
--- a/sftp.1 2019-10-09 02:31:03.000000000 +0200
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sftp.1 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sftp.1 2019-11-08 15:37:59.000000000 +0100
</span> @@ -286,7 +286,8 @@ diagnostic messages from
Specify how many requests may be outstanding at any one time.
Increasing this may slightly improve file transfer speed
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2001,7 +2001,7 @@
</span> Recursively copy entire directories when uploading and downloading.
Note that
--- a/sftp.c 2019-10-09 02:31:03.000000000 +0200
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sftp.c 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sftp.c 2019-11-08 15:37:59.000000000 +0100
</span> @@ -71,7 +71,7 @@ typedef void EditLine;
#include "sftp-client.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2011,8 +2011,8 @@
</span>
/* File to read commands from */
FILE* infile;
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh.c 2019-10-17 01:16:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh.c 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh.c 2019-11-08 15:37:33.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh.c 2019-11-08 15:37:59.000000000 +0100
</span> @@ -960,6 +960,10 @@ main(int ac, char **av)
break;
case 'T':
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2163,7 +2163,7 @@
</span> if (!options.control_persist)
ssh_init_stdio_forwarding(ssh);
--- a/ssh_api.c 2019-10-09 02:31:03.000000000 +0200
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh_api.c 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh_api.c 2019-11-08 15:37:59.000000000 +0100
</span> @@ -389,7 +389,10 @@ _ssh_read_banner(struct ssh *ssh, struct
}
debug("Remote protocol version %d.%d, remote software version %.100s",
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2177,7 +2177,7 @@
</span> if (remote_major == 1 && remote_minor == 99) {
remote_major = 2;
--- a/ssh_api.h 2019-10-09 02:31:03.000000000 +0200
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh_api.h 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh_api.h 2019-11-08 15:37:59.000000000 +0100
</span> @@ -29,6 +29,7 @@
#include "ssh.h"
#include "ssh2.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2187,7 +2187,7 @@
</span> struct kex_params {
char *proposal[PROPOSAL_MAX];
--- a/sshbuf.h 2019-10-09 02:31:03.000000000 +0200
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshbuf.h 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshbuf.h 2019-11-08 15:37:59.000000000 +0100
</span> @@ -28,7 +28,7 @@
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2198,7 +2198,7 @@
</span> #define SSHBUF_MAX_BIGNUM (16384 / 8) /* Max bignum *bytes* */
#define SSHBUF_MAX_ECPOINT ((528 * 2 / 8) + 1) /* Max EC point *bytes* */
--- a/sshconnect.c 2019-10-09 02:31:03.000000000 +0200
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshconnect.c 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshconnect.c 2019-11-08 15:37:59.000000000 +0100
</span> @@ -359,6 +359,30 @@ check_ifaddrs(const char *ifname, int af
#endif
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2240,8 +2240,8 @@
</span> /* Bind the socket to an alternative local IP address */
if (options.bind_address == NULL && options.bind_interface == NULL)
return sock;
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshconnect2.c 2019-10-17 01:16:59.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshconnect2.c 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshconnect2.c 2019-11-08 15:37:33.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshconnect2.c 2019-11-08 15:37:59.000000000 +0100
</span> @@ -88,6 +88,13 @@ extern char *server_version_string;
extern Options options;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2322,9 +2322,9 @@
</span> debug("Authentication succeeded (%s).", authctxt.method->name);
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd.c 2019-10-17 01:16:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd.c 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -957,6 +957,8 @@ listen_on_addrs(struct listenaddr *la)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd.c 2019-11-08 15:37:33.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd.c 2019-11-08 15:37:59.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1019,6 +1019,8 @@ listen_on_addrs(struct listenaddr *la)
</span> int ret, listen_sock;
struct addrinfo *ai;
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
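Review bot: the sshd.c hunk headers in this file shift by exactly 62 lines (957 to 1019 here, and the same offset in every sshd.c hunk below), which is the growth of patch-sshd.c-apple-sandbox-named-external.diff in this same commit (its hunk goes from 10 to 72 lines). This patch is therefore only valid when applied after the sandbox patch; that ordering should be made explicit in the Portfile's patchfiles list and noted in a comment, otherwise the next person regenerating either file will get offset fuzz or a rejected hunk without knowing why.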
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2333,7 +2333,7 @@
</span>
for (ai = la->addrs; ai; ai = ai->ai_next) {
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1002,6 +1004,11 @@ listen_on_addrs(struct listenaddr *la)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1064,6 +1066,11 @@ listen_on_addrs(struct listenaddr *la)
</span>
debug("Bind to port %s on %s.", strport, ntop);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2345,7 +2345,7 @@
</span> /* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
error("Bind to port %s on %s failed: %.200s.",
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1643,6 +1650,13 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1705,6 +1712,13 @@ main(int ac, char **av)
</span> /* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2359,7 +2359,7 @@
</span> /* challenge-response is implemented via keyboard interactive */
if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2076,6 +2090,9 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2138,6 +2152,9 @@ main(int ac, char **av)
</span> rdomain == NULL ? "" : "\"");
free(laddr);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2369,7 +2369,7 @@
</span> /*
* We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2182,7 +2199,45 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2244,7 +2261,45 @@ main(int ac, char **av)
</span> /* Try to send all our hostkeys to the client */
notify_hostkeys(ssh);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2415,7 +2415,7 @@
</span> do_authenticated(ssh, authctxt);
/* The connection has been terminated. */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2251,6 +2306,9 @@ do_ssh2_kex(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2313,6 +2368,9 @@ do_ssh2_kex(struct ssh *ssh)
</span> struct kex *kex;
int r;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2425,8 +2425,8 @@
</span> myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
options.kex_algorithms);
myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd_config 2019-10-17 01:17:00.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd_config 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd_config 2019-11-08 15:37:33.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd_config 2019-11-08 15:37:59.000000000 +0100
</span> @@ -111,6 +111,19 @@ AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2448,7 +2448,7 @@
</span> #Match User anoncvs
# X11Forwarding no
--- a/version.h 2019-10-09 02:31:03.000000000 +0200
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/version.h 2019-10-17 01:17:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/version.h 2019-11-08 15:37:59.000000000 +0100
</span> @@ -3,4 +3,5 @@
#define SSH_VERSION "OpenSSH_8.1"
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/patch-sshd.c-apple-sandbox-named-external.diff b/net/openssh/files/patch-sshd.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;color:#808080;'>index 9427f84..8190b34 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/files/patch-sshd.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/patch-sshd.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1,10 +1,72 @@
</span> --- a/sshd.c 2019-10-09 02:31:03.000000000 +0200
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd.c 2019-10-11 11:43:52.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -534,10 +534,17 @@ privsep_preauth(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd.c 2019-11-08 15:35:54.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -534,10 +534,79 @@ privsep_preauth(struct ssh *ssh)
</span> /* Arrange for logging to be sent to the monitor */
set_log_handler(mm_log_handler, pmonitor);
+#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * ssh_sandbox_child() has the side-effect of disabling opening
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * new files. This is a security precaution to prevent the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * child process from leaking data or opening new sockets, but
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * clashes with newer OpenSSL implementations.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Generally, OpenSSL wants to read new entropy from the system
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * for each reseeding operation (and, by extension, through any
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * operation that might trigger an internal reseeding, like
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * requesting random bytes).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * The current OpenSSL port only enables the default set of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * system entropy - which means reading in data from crypto
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * devices like /dev/{,u,s}random and /dev/hwrng.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * To speed things up, OpenSSL tries to open file descriptors
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * to the listed devices and caches the result, i.e., the open
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * file descriptor. Those are normally kept open UNLESS a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * reading error occurred OR no random bytes were returned.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * In a quite scary move, OpenSSL versions prior to 1.1.1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * didn't fail when getting system entropy wasn't successful
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * and also added some "pseudo-random" data like the PID,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * user id and current time to the entropy pool, which was
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * often enough to seed the PRNG.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * More recent versions have a rewritten PRNG/DRBG core and,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * crucially, stricter rules when it comes to acquiring system
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * entropy - this is now strictly required and no other data
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * is mixed into the pool.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * OpenSSH generally tries (or intends) to leave crypto devices
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * (which should one of the earliest open devices) alone and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * not close their FD on re-exec, but that doesn't seem to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * work. Although OpenSSL is initialized very early in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * main() call chain, which SHOULD lead to open file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * descriptors to crypto devices, on a typical OS X/macOS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * system, /dev/urandom is opened as FD 6, which is above any
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * FD that would be preserved after a re-exec operation.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * This leads to the child process having no open file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * descriptors to /dev/urandom, activating the sandbox,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * setting the number of open files to zero and subsequently
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * effectively breaking OpenSSL 1.1.1+.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * We'll work around that by reseeding the PRNGs before
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * enabling the sandbox, which has the side-effect of opening
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * a file descriptor to /dev/urandom and keeping it open.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * There is a slight catch: errors in reading from the FD or a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * read count of zero (i.e., the device not returning any data)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * will lead to the FD being closed again without a way to be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * re-opened.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * We can take this risk, as this should realistically not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * happen. Even if it does, that only means that the child
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * process will fail to read random data and hence terminate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * with an error - showing the same symptoms the workaround
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * is intended to fix, but nothing worse.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ reseed_prngs();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> + /* We need to do this before we chroot() so we can read sshd.sb and libsandbox.dylib */
+ if (box != NULL)
+ ssh_sandbox_child(box);
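Review bot: the workaround rests on two assumptions that the comment states but nothing checks: that the OpenSSL port seeds from device files (/dev/{,u,s}random, /dev/hwrng) rather than a syscall-based source, and that libcrypto keeps that descriptor cached across the sandbox transition. If either changes (the OpenSSL port switching seed source, or a read error or zero-byte read closing the descriptor with no way to reopen it once ssh_sandbox_child() is active, as the comment itself admits), the child will again fail to read random data and terminate. Suggest recording this dependency in the Portfile next to the openssl dependency, or in the commit message, so the next OpenSSL revbump re-tests it. Also, reseed_prngs() is used here with no prototype in the hunk, so it must already be defined or declared above privsep_preauth() in sshd.c; worth re-checking on each upstream rebase, since an implicit declaration is an error on recent clang. Minor: "which should one of the earliest open devices" is missing "be".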
</pre><pre style='margin:0'>
</pre>