openssh: Apply some Fedora security backports

nixos-19.03
Eelco Dolstra 7 years ago
parent 401782cb67
commit 2d4b6405b3
  1. 2
      pkgs/tools/networking/openssh/default.nix
  2. 65
      pkgs/tools/networking/openssh/openssh-6.9p1-security-7.0.patch

@ -30,7 +30,7 @@ stdenv.mkDerivation rec {
export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s"
'';
patches = [ ./locale_archive.patch ];
patches = [ ./locale_archive.patch ./openssh-6.9p1-security-7.0.patch];
buildInputs = [ zlib openssl libedit pkgconfig pam ]
++ optional withKerberos [ kerberos ];

@ -0,0 +1,65 @@
http://pkgs.fedoraproject.org/cgit/openssh.git/commit/openssh-6.9p1-security-7.0.patch?h=f22&id=4776fad91e7e1f626f33e8c240d0ccecd663554d
diff --git a/sshpty.c b/sshpty.c
index 7bb7641..15da8c6 100644
--- a/sshpty.c
+++ b/sshpty.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */
+/* $OpenBSD: sshpty.c,v 1.30 2015/07/30 23:09:15 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -197,7 +197,7 @@ pty_setowner(struct passwd *pw, const char *tty)
/* Determine the group to make the owner of the tty. */
grp = getgrnam("tty");
gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
- mode = (grp != NULL) ? 0622 : 0600;
+ mode = (grp != NULL) ? 0620 : 0600;
/*
* Change owner and mode of the tty as required.
diff --git a/monitor.c b/monitor.c
index b410965..f1b873d 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1084,9 +1084,7 @@ extern KbdintDevice sshpam_device;
int
mm_answer_pam_init_ctx(int sock, Buffer *m)
{
-
debug3("%s", __func__);
- authctxt->user = buffer_get_string(m, NULL);
sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
sshpam_authok = NULL;
buffer_clear(m);
@@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
int
mm_answer_pam_free_ctx(int sock, Buffer *m)
{
+ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
debug3("%s", __func__);
(sshpam_device.free_ctx)(sshpam_ctxt);
+ sshpam_ctxt = sshpam_authok = NULL;
buffer_clear(m);
mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
auth_method = "keyboard-interactive";
auth_submethod = "pam";
- return (sshpam_authok == sshpam_ctxt);
+ return r;
}
#endif
diff --git a/monitor_wrap.c b/monitor_wrap.c
index e6217b3..eac421b 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -614,7 +614,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
debug3("%s", __func__);
buffer_init(&m);
- buffer_put_cstring(&m, authctxt->user);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
Loading…
Cancel
Save