Version in base suite: 9.2p1-2+deb12u3 Base version: openssh_9.2p1-2+deb12u3 Target version: openssh_9.2p1-2+deb12u4 Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openssh/openssh_9.2p1-2+deb12u3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openssh/openssh_9.2p1-2+deb12u4.dsc .git-dpm | 4 changelog | 16 patches/CVE-2023-28531.patch | 2 patches/CVE-2023-38408-1.patch | 2 patches/CVE-2023-38408-2.patch | 2 patches/CVE-2023-38408-3.patch | 2 patches/CVE-2023-48795.patch | 4 patches/CVE-2023-51384.patch | 2 patches/CVE-2023-51385.patch | 2 patches/Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch | 11 patches/authorized-keys-man-symlink.patch | 2 patches/conch-ssh-rsa.patch | 2 patches/debian-banner.patch | 2 patches/debian-config.patch | 2 patches/dnssec-sshfp.patch | 2 patches/doc-hash-tab-completion.patch | 2 patches/gnome-ssh-askpass2-icon.patch | 2 patches/gssapi.patch | 30 + patches/keepalive-extensions.patch | 2 patches/maxhostnamelen.patch | 2 patches/mention-ssh-keygen-on-keychange.patch | 2 patches/no-openssl-version-status.patch | 2 patches/openbsd-docs.patch | 2 patches/package-versioning.patch | 2 patches/remove-spurious-ssh-agent-options.patch | 2 patches/restore-authorized_keys2.patch | 2 patches/restore-tcp-wrappers.patch | 2 patches/revert-ipqos-defaults.patch | 2 patches/scp-quoting.patch | 2 patches/selinux-role.patch | 2 patches/series | 1 patches/shell-path.patch | 2 patches/sntrup761x25519-sha512.patch | 95 +++++ patches/ssh-agent-setgid.patch | 2 patches/ssh-argv0.patch | 2 patches/ssh-vulnkey-compat.patch | 2 patches/syslog-level-silent.patch | 2 patches/systemd-readiness.patch | 2 patches/systemd-socket-activation.patch | 2 patches/user-group-modes.patch | 2 rules | 3 salsa-ci.yml | 8 tests/control | 7 tests/ssh-gssapi | 166 ++++++++++ tests/util | 76 ++++ 45 files changed, 438 insertions(+), 49 deletions(-) diff -Nru openssh-9.2p1/debian/.git-dpm openssh-9.2p1/debian/.git-dpm --- openssh-9.2p1/debian/.git-dpm 
2023-12-19 12:55:10.000000000 +0000 +++ openssh-9.2p1/debian/.git-dpm 2024-12-08 00:14:54.000000000 +0000 @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -14c4d6f0fa446414d1c38ad083107576d0ae3032 -14c4d6f0fa446414d1c38ad083107576d0ae3032 +253c4c0047bd8258e21388cf8ad6fe3b1172c1da +253c4c0047bd8258e21388cf8ad6fe3b1172c1da cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188 cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188 openssh_9.2p1.orig.tar.gz diff -Nru openssh-9.2p1/debian/changelog openssh-9.2p1/debian/changelog --- openssh-9.2p1/debian/changelog 2024-06-22 19:38:08.000000000 +0000 +++ openssh-9.2p1/debian/changelog 2024-12-08 00:14:54.000000000 +0000 @@ -1,3 +1,19 @@ +openssh (1:9.2p1-2+deb12u4) bookworm; urgency=medium + + * Always use the internal mkdtemp implementation, since it substitutes + more randomness into the template string than glibc's version (closes: + #1001186, #1064898). + * Fix gssapi-keyex declaration, broken when rebasing onto 8.9p1 + (LP: #2053146). + * Import ssh-gssapi autopkgtest from 1:9.8p1-4. + * Don't prefer host-bound public key signatures if there was no initial + host key, as is the case when using GSS-API key exchange (closes: + #1041521, #1088248). + * Make sntrup761x25519-sha512 key exchange algorithm available without the + @openssh.com suffix too (closes: #1088873). + + -- Colin Watson Sun, 08 Dec 2024 00:14:54 +0000 + openssh (1:9.2p1-2+deb12u3) bookworm-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru openssh-9.2p1/debian/patches/CVE-2023-28531.patch openssh-9.2p1/debian/patches/CVE-2023-28531.patch --- openssh-9.2p1/debian/patches/CVE-2023-28531.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/CVE-2023-28531.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From d1461c936223751e723662115b12bb0e9ba96f65 Mon Sep 17 00:00:00 2001 +From 3551a0444621320cc1eaa0dba7d127b6ee67d0b7 Mon Sep 17 00:00:00 2001 
From: "djm@openbsd.org" Date: Thu, 9 Mar 2023 06:58:26 +0000 Subject: upstream: include destination constraints for smartcard keys too. diff -Nru openssh-9.2p1/debian/patches/CVE-2023-38408-1.patch openssh-9.2p1/debian/patches/CVE-2023-38408-1.patch --- openssh-9.2p1/debian/patches/CVE-2023-38408-1.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/CVE-2023-38408-1.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From dee3878689aef5365955442869be02d420b65ea6 Mon Sep 17 00:00:00 2001 +From 443d99e0bd3156c424b502fffcb621552607d9c6 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 13 Jul 2023 12:09:34 +1000 Subject: terminate pkcs11 process for bad libraries diff -Nru openssh-9.2p1/debian/patches/CVE-2023-38408-2.patch openssh-9.2p1/debian/patches/CVE-2023-38408-2.patch --- openssh-9.2p1/debian/patches/CVE-2023-38408-2.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/CVE-2023-38408-2.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From 5c06b89189eb27f692b900526d60bf744918511e Mon Sep 17 00:00:00 2001 +From e9aced930c69f1f38bffe28a2396661c92b2a23a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 7 Jul 2023 13:30:15 +1000 Subject: disallow remote addition of FIDO/PKCS11 keys diff -Nru openssh-9.2p1/debian/patches/CVE-2023-38408-3.patch openssh-9.2p1/debian/patches/CVE-2023-38408-3.patch --- openssh-9.2p1/debian/patches/CVE-2023-38408-3.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/CVE-2023-38408-3.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From 29c7785a3673101b3af8f6f712795fa128e52ddd Mon Sep 17 00:00:00 2001 +From f881f358de9432fe4524c4bc156a0911164631a3 Mon Sep 17 00:00:00 2001 
From: "djm@openbsd.org" Date: Wed, 19 Jul 2023 14:02:27 +0000 Subject: upstream: Ensure FIDO/PKCS11 libraries contain expected symbols diff -Nru openssh-9.2p1/debian/patches/CVE-2023-48795.patch openssh-9.2p1/debian/patches/CVE-2023-48795.patch --- openssh-9.2p1/debian/patches/CVE-2023-48795.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/CVE-2023-48795.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From 9148d0a8031d89f53f045b63ac3a709611d94778 Mon Sep 17 00:00:00 2001 +From c78d5a0d5c30c345377ff5a1ca5ddbd27ab4fbe2 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 18 Dec 2023 14:45:17 +0000 Subject: upstream: implement "strict key exchange" in ssh and sshd @@ -385,7 +385,7 @@ (r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 || (r = sshpkt_put_cstring(ssh, buf)) != 0 || diff --git a/sshconnect2.c b/sshconnect2.c -index cb6a94e76..3e5f69470 100644 +index a08de66c0..4a7a573d8 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -250,7 +250,8 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, diff -Nru openssh-9.2p1/debian/patches/CVE-2023-51384.patch openssh-9.2p1/debian/patches/CVE-2023-51384.patch --- openssh-9.2p1/debian/patches/CVE-2023-51384.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/CVE-2023-51384.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From d5be669c872a313a71d60babee64f3a80340dc51 Mon Sep 17 00:00:00 2001 +From 01ada7980c52efffa52d0947efd23783245e70c4 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 18 Dec 2023 14:46:12 +0000 Subject: upstream: apply destination constraints to all p11 keys diff -Nru openssh-9.2p1/debian/patches/CVE-2023-51385.patch openssh-9.2p1/debian/patches/CVE-2023-51385.patch --- openssh-9.2p1/debian/patches/CVE-2023-51385.patch 2023-12-19 12:55:10.000000000 +0000 +++ openssh-9.2p1/debian/patches/CVE-2023-51385.patch 2024-12-08 00:14:54.000000000 +0000 
@@ -1,4 +1,4 @@ -From 14c4d6f0fa446414d1c38ad083107576d0ae3032 Mon Sep 17 00:00:00 2001 +From de0609ea68651da8720b6e858f5b45599e361ee3 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 18 Dec 2023 14:47:44 +0000 Subject: upstream: ban user/hostnames with most shell metacharacters diff -Nru openssh-9.2p1/debian/patches/Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch openssh-9.2p1/debian/patches/Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch --- openssh-9.2p1/debian/patches/Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch 2024-06-22 19:38:08.000000000 +0000 +++ openssh-9.2p1/debian/patches/Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,8 +1,7 @@ -From 96af055c9d7bfd2e974e0ef889848fa401057c0d Mon Sep 17 00:00:00 2001 +From 30e67756d4b5853f133d0ba4572e928a4ef5bff6 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Sat, 22 Jun 2024 21:33:03 +0200 -Subject: [PATCH] Disable async-signal-unsafe code from the sshsigdie() - function +Subject: Disable async-signal-unsafe code from the sshsigdie() function Address signal handler race condition: if a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH @@ -15,8 +14,14 @@ service (crash), and possibly execute arbitrary code") Signed-off-by: Salvatore Bonaccorso + +Patch-Name: Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch --- + log.c | 2 ++ + 1 file changed, 2 insertions(+) +diff --git a/log.c b/log.c +index bdc4b6515..4d49c2e50 100644 --- a/log.c +++ b/log.c @@ -452,12 +452,14 @@ void diff -Nru openssh-9.2p1/debian/patches/authorized-keys-man-symlink.patch openssh-9.2p1/debian/patches/authorized-keys-man-symlink.patch --- openssh-9.2p1/debian/patches/authorized-keys-man-symlink.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/authorized-keys-man-symlink.patch 2024-12-08 00:14:54.000000000 +0000 
@@ -1,4 +1,4 @@ -From 374a21e4acc5b06719640c0d6b82afdf4182b900 Mon Sep 17 00:00:00 2001 +From dee22f6f22efc21f49e55620c978023f43cf336d Mon Sep 17 00:00:00 2001 From: Tomas Pospisek Date: Sun, 9 Feb 2014 16:10:07 +0000 Subject: Install authorized_keys(5) as a symlink to sshd(8) diff -Nru openssh-9.2p1/debian/patches/conch-ssh-rsa.patch openssh-9.2p1/debian/patches/conch-ssh-rsa.patch --- openssh-9.2p1/debian/patches/conch-ssh-rsa.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/conch-ssh-rsa.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From 2df31e50f4cd159978c99055ed2d54b98a5ec7e4 Mon Sep 17 00:00:00 2001 +From 617a61aac72c5446e99e0f2207a563a6369aa9d9 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Tue, 15 Feb 2022 18:25:35 +0000 Subject: Work around RSA SHA-2 signature issues in conch diff -Nru openssh-9.2p1/debian/patches/debian-banner.patch openssh-9.2p1/debian/patches/debian-banner.patch --- openssh-9.2p1/debian/patches/debian-banner.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/debian-banner.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From 2d3ac49df11f0aed81f35ce9588eb2c578ec98f2 Mon Sep 17 00:00:00 2001 +From 250ea677f62ee37a800e49d5d68683eb4ff241f7 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Sun, 9 Feb 2014 16:10:06 +0000 Subject: Add DebianBanner server configuration option diff -Nru openssh-9.2p1/debian/patches/debian-config.patch openssh-9.2p1/debian/patches/debian-config.patch --- openssh-9.2p1/debian/patches/debian-config.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/debian-config.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From aedb5d2ee2799e3a95b6913721533d2c42c496b3 Mon Sep 17 00:00:00 2001 +From 177b212b6b237dbca4c4f29feb69db959a2ecb81 Mon Sep 17 00:00:00 2001 
From: Colin Watson Date: Sun, 9 Feb 2014 16:10:18 +0000 Subject: Various Debian-specific configuration changes diff -Nru openssh-9.2p1/debian/patches/dnssec-sshfp.patch openssh-9.2p1/debian/patches/dnssec-sshfp.patch --- openssh-9.2p1/debian/patches/dnssec-sshfp.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/dnssec-sshfp.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From 25f54fd79c7dc62d5ffaa7ebdc2e3de86a031084 Mon Sep 17 00:00:00 2001 +From b19054b02f64d320194f86e305a9d97053c9ab01 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:01 +0000 Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf diff -Nru openssh-9.2p1/debian/patches/doc-hash-tab-completion.patch openssh-9.2p1/debian/patches/doc-hash-tab-completion.patch --- openssh-9.2p1/debian/patches/doc-hash-tab-completion.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/doc-hash-tab-completion.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From 4202164dacce1c368f7e6e5c02b3080486deddbf Mon Sep 17 00:00:00 2001 +From fc51509b693b1b31ad48b93019da576edb905e13 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:11 +0000 Subject: Document that HashKnownHosts may break tab-completion diff -Nru openssh-9.2p1/debian/patches/gnome-ssh-askpass2-icon.patch openssh-9.2p1/debian/patches/gnome-ssh-askpass2-icon.patch --- openssh-9.2p1/debian/patches/gnome-ssh-askpass2-icon.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/gnome-ssh-askpass2-icon.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From 0b0ba78b1a3a0a7fd2d0d72f508d225c04df5aa7 Mon Sep 17 00:00:00 2001 +From 1de37afc2ed154a3db9d2a99e9c6b0b5c302e522 Mon Sep 17 00:00:00 2001 
From: Vincent Untz Date: Sun, 9 Feb 2014 16:10:16 +0000 Subject: Give the ssh-askpass-gnome window a default icon diff -Nru openssh-9.2p1/debian/patches/gssapi.patch openssh-9.2p1/debian/patches/gssapi.patch --- openssh-9.2p1/debian/patches/gssapi.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/gssapi.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From 61798b25a23b55d72a86a35062106cc3fc0ab834 Mon Sep 17 00:00:00 2001 +From 03e7fd7bd4470a1322fa8da42789577cc5b1d7ec Mon Sep 17 00:00:00 2001 From: Simon Wilkinson Date: Sun, 9 Feb 2014 16:09:48 +0000 Subject: GSSAPI key exchange support @@ -21,14 +21,14 @@ Author: Jakub Jelen Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/pull/23 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 -Last-Updated: 2023-01-02 +Last-Updated: 2024-12-03 Patch-Name: gssapi.patch --- Makefile.in | 5 +- README.md | 36 +++ auth.c | 94 +------- - auth2-gss.c | 56 ++++- + auth2-gss.c | 57 ++++- auth2.c | 2 + canohost.c | 91 ++++++++ canohost.h | 3 + @@ -58,13 +58,13 @@ ssh.c | 6 +- ssh_config | 2 + ssh_config.5 | 57 +++++ - sshconnect2.c | 156 ++++++++++++- + sshconnect2.c | 160 ++++++++++++- sshd.c | 62 ++++- sshd_config | 2 + sshd_config.5 | 30 +++ sshkey.c | 8 +- sshkey.h | 1 + - 39 files changed, 2765 insertions(+), 164 deletions(-) + 39 files changed, 2769 insertions(+), 165 deletions(-) create mode 100644 kexgssc.c create mode 100644 kexgsss.c create mode 100644 ssh-null.c @@ -256,7 +256,7 @@ * Return the canonical name of the host in the other side of the current * connection. The host name is cached, so it is efficient to call this diff --git a/auth2-gss.c b/auth2-gss.c -index 2062609d9..4566d425c 100644 +index 2062609d9..a3f46ebf3 100644 --- a/auth2-gss.c +++ b/auth2-gss.c @@ -1,7 +1,7 @@ 
@@ -276,7 +276,7 @@ + * The 'gssapi_keyex' userauth mechanism. + */ +static int -+userauth_gsskeyex(struct ssh *ssh) ++userauth_gsskeyex(struct ssh *ssh, const char *method) +{ + Authctxt *authctxt = ssh->authctxt; + int r, authenticated = 0; @@ -337,12 +337,13 @@ else logit("GSSAPI MIC check failed"); -@@ -327,6 +371,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh) +@@ -327,6 +371,13 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh) return 0; } +Authmethod method_gsskeyex = { + "gssapi-keyex", ++ NULL, + userauth_gsskeyex, + &options.gss_authentication +}; @@ -3712,7 +3713,7 @@ Indicates that .Xr ssh 1 diff --git a/sshconnect2.c b/sshconnect2.c -index 58fe98db2..cb6a94e76 100644 +index 58fe98db2..a08de66c0 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -81,8 +81,6 @@ @@ -3954,6 +3955,17 @@ #endif /* GSSAPI */ static int +@@ -1356,7 +1502,9 @@ sign_and_send_pubkey(struct ssh *ssh, Identity *id) + + /* prefer host-bound pubkey signatures if supported by server */ + if ((ssh->kex->flags & KEX_HAS_PUBKEY_HOSTBOUND) != 0 && +- (options.pubkey_authentication & SSH_PUBKEY_AUTH_HBOUND) != 0) { ++ (options.pubkey_authentication & SSH_PUBKEY_AUTH_HBOUND) != 0 && ++ /* initial_hostkey may be NULL with GSS-API key exchange */ ++ ssh->kex->initial_hostkey != NULL) { + hostbound = 1; + method = "publickey-hostbound-v00@openssh.com"; + } diff --git a/sshd.c b/sshd.c index 6321936c0..6ad9a845a 100644 --- a/sshd.c diff -Nru openssh-9.2p1/debian/patches/keepalive-extensions.patch openssh-9.2p1/debian/patches/keepalive-extensions.patch --- openssh-9.2p1/debian/patches/keepalive-extensions.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/keepalive-extensions.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From dbc7024bb9fe29a5d2bd398219ae2fc5668826b8 Mon Sep 17 00:00:00 2001 +From 88e35da8605f70f062e5aafd223098e158425aa4 Mon Sep 17 00:00:00 2001 
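Review bot: The `ssh->kex->initial_hostkey != NULL` guard added to `sign_and_send_pubkey` in the `@@ -1356,7 +1502,9 @@` hunk drops the host-bound signature silently, with the inline comment as the only trace; because host-bound signing is what lets a forwarding agent tie a signature to the destination host, an `else` branch logging `debug3_f("no initial hostkey, not using host-bound signature")` would make the downgrade visible under `ssh -vvv` when an agent policy unexpectedly rejects a session that used GSS-API key exchange. The `NULL` inserted into `method_gsskeyex` and the `const char *method` parameter added to `userauth_gsskeyex` presumably bring the Debian method up to the post-8.9p1 `Authmethod` layout (name, synonym, handler, enabled flag), which appears to be the "gssapi-keyex declaration" fix the changelog mentions; a short comment on that slot, e.g. `NULL, /* no synonym */`, would stop the next rebase from dropping it again. Both `sign_and_send_pubkey` and `userauth_gsskeyex` extend beyond the visible hunk lines.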
From: Richard Kettlewell Date: Sun, 9 Feb 2014 16:09:52 +0000 Subject: Various keepalive extensions diff -Nru openssh-9.2p1/debian/patches/maxhostnamelen.patch openssh-9.2p1/debian/patches/maxhostnamelen.patch --- openssh-9.2p1/debian/patches/maxhostnamelen.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/maxhostnamelen.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From 36b00b5f4d96d6d9db3fd9e418bd2d1f66e8e7fe Mon Sep 17 00:00:00 2001 +From 7f723a24e810b326747cacfecb4e4ae915a65840 Mon Sep 17 00:00:00 2001 From: Svante Signell Date: Fri, 5 Nov 2021 23:22:53 +0000 Subject: Define MAXHOSTNAMELEN on GNU/Hurd diff -Nru openssh-9.2p1/debian/patches/mention-ssh-keygen-on-keychange.patch openssh-9.2p1/debian/patches/mention-ssh-keygen-on-keychange.patch --- openssh-9.2p1/debian/patches/mention-ssh-keygen-on-keychange.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/mention-ssh-keygen-on-keychange.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From e797fa7ecced95a0b7f27b000e467ffb31934d28 Mon Sep 17 00:00:00 2001 +From faaa7e24f0440213fab3558ffbd8119c04f4ae12 Mon Sep 17 00:00:00 2001 From: Scott Moser Date: Sun, 9 Feb 2014 16:10:03 +0000 Subject: Mention ssh-keygen in ssh fingerprint changed warning diff -Nru openssh-9.2p1/debian/patches/no-openssl-version-status.patch openssh-9.2p1/debian/patches/no-openssl-version-status.patch --- openssh-9.2p1/debian/patches/no-openssl-version-status.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/no-openssl-version-status.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From c7c2ce00f07135457dbd924cfe962e03a2b0ab62 Mon Sep 17 00:00:00 2001 +From 5d1c32cb181d5b4392210ddbf2ff84fcda79a89c Mon Sep 17 00:00:00 2001 
From: Kurt Roeckx Date: Sun, 9 Feb 2014 16:10:14 +0000 Subject: Don't check the status field of the OpenSSL version diff -Nru openssh-9.2p1/debian/patches/openbsd-docs.patch openssh-9.2p1/debian/patches/openbsd-docs.patch --- openssh-9.2p1/debian/patches/openbsd-docs.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/openbsd-docs.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From f8033f154f0fe23f974f67ba2f8a29754a5044af Mon Sep 17 00:00:00 2001 +From e76555b386bf0a09ac60b4de7cd46960ca736164 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:09 +0000 Subject: Adjust various OpenBSD-specific references in manual pages diff -Nru openssh-9.2p1/debian/patches/package-versioning.patch openssh-9.2p1/debian/patches/package-versioning.patch --- openssh-9.2p1/debian/patches/package-versioning.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/package-versioning.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From 720ad1a8e62ff52438766b49f8413ac55b17f570 Mon Sep 17 00:00:00 2001 +From 62a119032fb35d2494730603d01ea384e144f82a Mon Sep 17 00:00:00 2001 From: Matthew Vernon Date: Sun, 9 Feb 2014 16:10:05 +0000 Subject: Include the Debian version in our identification diff -Nru openssh-9.2p1/debian/patches/remove-spurious-ssh-agent-options.patch openssh-9.2p1/debian/patches/remove-spurious-ssh-agent-options.patch --- openssh-9.2p1/debian/patches/remove-spurious-ssh-agent-options.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/remove-spurious-ssh-agent-options.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From 74edce484429249265baaee1e8a5d1785ee7afa7 Mon Sep 17 00:00:00 2001 +From d6b66b9c06a5a8491c7e0887185a4651b31acae0 Mon Sep 17 00:00:00 2001 
From: Colin Watson Date: Tue, 7 Feb 2023 23:55:19 +0000 Subject: Remove spurious ssh-agent options diff -Nru openssh-9.2p1/debian/patches/restore-authorized_keys2.patch openssh-9.2p1/debian/patches/restore-authorized_keys2.patch --- openssh-9.2p1/debian/patches/restore-authorized_keys2.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/restore-authorized_keys2.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From b2cc972d55fcc3c3df709a340ce3019fec9880c4 Mon Sep 17 00:00:00 2001 +From 58c39c93aef24277b9125185d70d38f958fa054c Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 5 Mar 2017 02:02:11 +0000 Subject: Restore reading authorized_keys2 by default diff -Nru openssh-9.2p1/debian/patches/restore-tcp-wrappers.patch openssh-9.2p1/debian/patches/restore-tcp-wrappers.patch --- openssh-9.2p1/debian/patches/restore-tcp-wrappers.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/restore-tcp-wrappers.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From 8cee1ce3e07ac7904468ab8076ad5595048fb4c9 Mon Sep 17 00:00:00 2001 +From b43542890d0f92850e5c8bbd30f62204791fce98 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Tue, 7 Oct 2014 13:22:41 +0100 Subject: Restore TCP wrappers support diff -Nru openssh-9.2p1/debian/patches/revert-ipqos-defaults.patch openssh-9.2p1/debian/patches/revert-ipqos-defaults.patch --- openssh-9.2p1/debian/patches/revert-ipqos-defaults.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/revert-ipqos-defaults.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From 8aea1d66b4ba0afd6cb4b25991bfb683d951c6e2 Mon Sep 17 00:00:00 2001 +From 60b3b7a847fcf97259c137d3fc0c25ae5a49650d Mon Sep 17 00:00:00 2001 
From: Colin Watson Date: Mon, 8 Apr 2019 10:46:29 +0100 Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP diff -Nru openssh-9.2p1/debian/patches/scp-quoting.patch openssh-9.2p1/debian/patches/scp-quoting.patch --- openssh-9.2p1/debian/patches/scp-quoting.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/scp-quoting.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From 501d8554b6792531778d6b3b9344f8e55d84df29 Mon Sep 17 00:00:00 2001 +From 3e9d83c98093d1485e33eb94f8449c2b0683ebc8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= Date: Sun, 9 Feb 2014 16:09:59 +0000 Subject: Adjust scp quoting in verbose mode diff -Nru openssh-9.2p1/debian/patches/selinux-role.patch openssh-9.2p1/debian/patches/selinux-role.patch --- openssh-9.2p1/debian/patches/selinux-role.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/selinux-role.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From a1b3f6592e7ef61f5d9544fc652ae44f8c47bd2e Mon Sep 17 00:00:00 2001 +From 07fb0a9e6b42cdb0225517609e60165beb268ceb Mon Sep 17 00:00:00 2001 From: Manoj Srivastava Date: Sun, 9 Feb 2014 16:09:49 +0000 Subject: Handle SELinux authorisation roles diff -Nru openssh-9.2p1/debian/patches/series openssh-9.2p1/debian/patches/series --- openssh-9.2p1/debian/patches/series 2024-06-22 19:38:08.000000000 +0000 +++ openssh-9.2p1/debian/patches/series 2024-12-08 00:14:54.000000000 +0000 @@ -34,3 +34,4 @@ CVE-2023-51384.patch CVE-2023-51385.patch Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch +sntrup761x25519-sha512.patch diff -Nru openssh-9.2p1/debian/patches/shell-path.patch openssh-9.2p1/debian/patches/shell-path.patch --- openssh-9.2p1/debian/patches/shell-path.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/shell-path.patch 2024-12-08 00:14:54.000000000 +0000 
@@ -1,4 +1,4 @@ -From b364a18c85a959fdfd0a5a2c497482809cadf29f Mon Sep 17 00:00:00 2001 +From 695ba53a206de76d33d734ba359c4203088368cb Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:00 +0000 Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand diff -Nru openssh-9.2p1/debian/patches/sntrup761x25519-sha512.patch openssh-9.2p1/debian/patches/sntrup761x25519-sha512.patch --- openssh-9.2p1/debian/patches/sntrup761x25519-sha512.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssh-9.2p1/debian/patches/sntrup761x25519-sha512.patch 2024-12-08 00:14:54.000000000 +0000 
@@ -0,0 +1,95 @@ +From 253c4c0047bd8258e21388cf8ad6fe3b1172c1da Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Thu, 22 Aug 2024 23:11:30 +0000 +Subject: upstream: sntrup761x25519-sha512 now has an IANA codepoint assigned, + so + +we can make the algorithm available without the @openssh.com suffix too. ok +markus@ deraadt@ + +OpenBSD-Commit-ID: eeed8fcde688143a737729d3d56d20ab4353770f + +Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=aee54878255d71bf93aa6e91bbd4eb1825c0d1b9 +Last-Update: 2024-12-03 + +Patch-Name: sntrup761x25519-sha512.patch +--- + kex.c | 2 ++ + kex.h | 3 ++- + myproposal.h | 1 + + ssh_config.5 | 2 +- + sshd_config.5 | 4 +++- + 5 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/kex.c b/kex.c +index 0b4fc4767..e6fddd7d8 100644 +--- a/kex.c ++++ b/kex.c +@@ -118,6 +118,8 @@ static const struct kexalg kexalgs[] = { + #ifdef USE_SNTRUP761X25519 + { KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0, + SSH_DIGEST_SHA512 }, ++ { KEX_SNTRUP761X25519_SHA512_OLD, KEX_KEM_SNTRUP761X25519_SHA512, 0, ++ SSH_DIGEST_SHA512 }, + #endif + #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ + { NULL, 0, -1, -1}, +diff --git a/kex.h b/kex.h +index 99b47435f..84bace10b 100644 +--- a/kex.h ++++ b/kex.h +@@ -62,7 +62,8 @@ + #define KEX_ECDH_SHA2_NISTP521 "ecdh-sha2-nistp521" + #define KEX_CURVE25519_SHA256 "curve25519-sha256" + #define KEX_CURVE25519_SHA256_OLD "curve25519-sha256@libssh.org" +-#define KEX_SNTRUP761X25519_SHA512 "sntrup761x25519-sha512@openssh.com" ++#define KEX_SNTRUP761X25519_SHA512 "sntrup761x25519-sha512" ++#define KEX_SNTRUP761X25519_SHA512_OLD "sntrup761x25519-sha512@openssh.com" + + #define COMP_NONE 0 + /* pre-auth compression (COMP_ZLIB) is only supported in the client */ +diff --git a/myproposal.h b/myproposal.h +index ee6e9f741..0528cd783 100644 +--- a/myproposal.h ++++ b/myproposal.h +@@ -25,6 +25,7 @@ + */ + + #define KEX_SERVER_KEX \ ++ "sntrup761x25519-sha512," \ + 
"sntrup761x25519-sha512@openssh.com," \ + "curve25519-sha256," \ + "curve25519-sha256@libssh.org," \ +diff --git a/ssh_config.5 b/ssh_config.5 +index f8616c18b..12f1ff9e6 100644 +--- a/ssh_config.5 ++++ b/ssh_config.5 +@@ -1261,7 +1261,7 @@ character, then the specified algorithms will be placed at the head of the + default set. + The default is: + .Bd -literal -offset indent +-sntrup761x25519-sha512@openssh.com, ++sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com, + curve25519-sha256,curve25519-sha256@libssh.org, + ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, + diffie-hellman-group-exchange-sha256, +diff --git a/sshd_config.5 b/sshd_config.5 +index 7fd8abf48..8e0b58ebf 100644 +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -1084,12 +1084,14 @@ ecdh-sha2-nistp384 + .It + ecdh-sha2-nistp521 + .It ++sntrup761x25519-sha512 ++.It + sntrup761x25519-sha512@openssh.com + .El + .Pp + The default is: + .Bd -literal -offset indent +-sntrup761x25519-sha512@openssh.com, ++sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com, + curve25519-sha256,curve25519-sha256@libssh.org, + ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, + diffie-hellman-group-exchange-sha256, diff -Nru openssh-9.2p1/debian/patches/ssh-agent-setgid.patch openssh-9.2p1/debian/patches/ssh-agent-setgid.patch --- openssh-9.2p1/debian/patches/ssh-agent-setgid.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/ssh-agent-setgid.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From bf54d67a00bf4d408f0e52236c4248cecfb5177f Mon Sep 17 00:00:00 2001 +From d5a2ba7af682ae724440edb5030094b19455fd98 Mon Sep 17 00:00:00 2001 
From: Colin Watson Date: Sun, 9 Feb 2014 16:10:13 +0000 Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) diff -Nru openssh-9.2p1/debian/patches/ssh-argv0.patch openssh-9.2p1/debian/patches/ssh-argv0.patch --- openssh-9.2p1/debian/patches/ssh-argv0.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/ssh-argv0.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From b252064f6d116feca5d07dfe6dfd62ba005927bd Mon Sep 17 00:00:00 2001 +From 415984f4dba214dbd469af8bd5ba88a8eaf87bac Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:10 +0000 Subject: ssh(1): Refer to ssh-argv0(1) diff -Nru openssh-9.2p1/debian/patches/ssh-vulnkey-compat.patch openssh-9.2p1/debian/patches/ssh-vulnkey-compat.patch --- openssh-9.2p1/debian/patches/ssh-vulnkey-compat.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/ssh-vulnkey-compat.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From 3878210a9526dc6c78c48d959bab0afb0052b64f Mon Sep 17 00:00:00 2001 +From 29e019028843d1b63f95854f425b8efe69317b6a Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:09:50 +0000 Subject: Accept obsolete ssh-vulnkey configuration options diff -Nru openssh-9.2p1/debian/patches/syslog-level-silent.patch openssh-9.2p1/debian/patches/syslog-level-silent.patch --- openssh-9.2p1/debian/patches/syslog-level-silent.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/syslog-level-silent.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From ac80435d753ff39d9c6ded2f7535d770f257fc59 Mon Sep 17 00:00:00 2001 +From 3cd29305c77bb26eb4ec6b34078317eee6f9bf15 Mon Sep 17 00:00:00 2001 
From: Natalie Amery Date: Sun, 9 Feb 2014 16:09:54 +0000 Subject: "LogLevel SILENT" compatibility diff -Nru openssh-9.2p1/debian/patches/systemd-readiness.patch openssh-9.2p1/debian/patches/systemd-readiness.patch --- openssh-9.2p1/debian/patches/systemd-readiness.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/systemd-readiness.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From 5d04f3ebd2825c03fa7c39e27c28bf3384345806 Mon Sep 17 00:00:00 2001 +From 5322641c953083906543314f0f6e6865cd2c12c5 Mon Sep 17 00:00:00 2001 From: Michael Biebl Date: Mon, 21 Dec 2015 16:08:47 +0000 Subject: Add systemd readiness notification support diff -Nru openssh-9.2p1/debian/patches/systemd-socket-activation.patch openssh-9.2p1/debian/patches/systemd-socket-activation.patch --- openssh-9.2p1/debian/patches/systemd-socket-activation.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/systemd-socket-activation.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From 4cedd1c9acac0fba598db2eaf43278dfe8e53ef0 Mon Sep 17 00:00:00 2001 +From 00457e91987f0212cf851f74e8cb266e01b7f347 Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Thu, 1 Sep 2022 16:03:37 +0100 Subject: Support systemd socket activation diff -Nru openssh-9.2p1/debian/patches/user-group-modes.patch openssh-9.2p1/debian/patches/user-group-modes.patch --- openssh-9.2p1/debian/patches/user-group-modes.patch 2023-12-19 12:55:09.000000000 +0000 +++ openssh-9.2p1/debian/patches/user-group-modes.patch 2024-12-08 00:14:54.000000000 +0000 @@ -1,4 +1,4 @@ -From ad9efda53c54f37dbd429c16db4be2946f27063e Mon Sep 17 00:00:00 2001 +From 603e2674118ba4136b73561941086a24a21ac7e8 Mon Sep 17 00:00:00 2001 
From: Colin Watson
 Date: Sun, 9 Feb 2014 16:09:58 +0000
 Subject: Allow harmless group-writability
diff -Nru openssh-9.2p1/debian/rules openssh-9.2p1/debian/rules
--- openssh-9.2p1/debian/rules 2023-12-19 12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/rules 2024-12-08 00:14:54.000000000 +0000
@@ -65,6 +65,9 @@
 confflags += --with-libs=-lcrypt
 endif
+# Always use the internal mkdtemp; see https://bugs.debian.org/1001186.
+confflags += ac_cv_func_mkdtemp=no
+
 # Everything above here is common to the deb and udeb builds.
 confflags_udeb := $(confflags)
diff -Nru openssh-9.2p1/debian/salsa-ci.yml openssh-9.2p1/debian/salsa-ci.yml
--- openssh-9.2p1/debian/salsa-ci.yml 2023-12-19 12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/salsa-ci.yml 2024-12-08 00:14:54.000000000 +0000
@@ -1,3 +1,11 @@
 ---
 include:
 - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+ RELEASE: 'bookworm'
+ # This source package doesn't build on unstable for
+ # non-reproducibility-related reasons, and the salsa-ci pipeline doesn't
+ # currently support running reprotest on bookworm:
+ # https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/236
+ SALSA_CI_DISABLE_REPROTEST: 1
diff -Nru openssh-9.2p1/debian/tests/control openssh-9.2p1/debian/tests/control
--- openssh-9.2p1/debian/tests/control 2023-12-19 12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/tests/control 2024-12-08 00:14:54.000000000 +0000
@@ -8,3 +8,10 @@
 python3-twisted,
 sudo,
 sysvinit-utils,
+
+Tests: ssh-gssapi
+Restrictions: allow-stderr isolation-container needs-root
+Depends: krb5-admin-server,
+ krb5-kdc,
+ openssh-server,
+ sudo,
diff -Nru openssh-9.2p1/debian/tests/ssh-gssapi openssh-9.2p1/debian/tests/ssh-gssapi
--- openssh-9.2p1/debian/tests/ssh-gssapi 1970-01-01 00:00:00.000000000 +0000
+++ openssh-9.2p1/debian/tests/ssh-gssapi 2024-12-08 00:14:54.000000000 +0000
@@ -0,0 +1,166 @@ +#!/bin/bash + +set -e +set -o pipefail + +realm="EXAMPLE.FAKE" +myhostname="sshd-gssapi.${realm,,}" +testuser="testuser$$" +testuser2="testuser$$-2" +adduser --quiet --disabled-password --gecos "" "${testuser}" +adduser --quiet --disabled-password --gecos "" "${testuser2}" +password="secret" +user_principal="${testuser}@${realm}" +service_principal="host/${myhostname}" + +ssh-keygen -t ed25519 -N '' -f "$HOME/.ssh/id_ed25519" +sudo -u "$testuser2" mkdir -m700 "/home/$testuser2/.ssh" +cp "$HOME/.ssh/id_ed25519.pub" "/home/$testuser2/.ssh/authorized_keys" +chown "$testuser2:" "/home/$testuser2/.ssh/authorized_keys" + +source debian/tests/util + +cleanup() { + if [ $? -ne 0 ]; then + echo "## Something failed" + echo + echo "## klist" + klist + echo + echo "## ssh server log" + journalctl -b -u ssh.service --lines 100 + echo + echo "## Kerberos KDC logs" + journalctl -b -u krb5-kdc.service --lines 100 + echo + echo "## Kerberos Admin server logs" + journalctl -b -u krb5-admin-server.service --lines 100 + echo + echo "## Skipping cleanup to facilitate troubleshooting" + else + echo "## ALL TESTS PASSED" + echo "## Cleaning up" + rm -f /etc/krb5.keytab + rm -f /etc/ssh/sshd_config.d/gssapi.conf + rm -f /etc/ssh/ssh_config.d/gssapi.conf + rm -f /etc/ssh/ssh_config.d/dep8.conf + fi +} + +trap cleanup EXIT + +setup() { + echo "## Setting up test environment" + adjust_hostname "${myhostname}" + echo "## Creating Kerberos realm ${realm}" + create_realm "${realm}" "${myhostname}" + echo "## Creating principals" + kadmin.local -q "addprinc -clearpolicy -pw ${password} ${user_principal}" + kadmin.local -q "addprinc -clearpolicy -randkey ${service_principal}" + echo "## Extracting service principal ${service_principal}" + kadmin.local -q "ktadd -k /etc/krb5.keytab ${service_principal}" + cat > /etc/ssh/ssh_config.d/dep8.conf < /etc/krb5.conf < /etc/ssh/sshd_config.d/gssapi.conf < /etc/ssh/ssh_config.d/gssapi.conf < /etc/ssh/sshd_config.d/gssapi.conf < 
/etc/ssh/ssh_config.d/gssapi.conf </dev/null || : + configure_sshd "${initial_auth_method}" || return $? + cursor="$(journalctl -u ssh.service --lines=1 --show-cursor | sed -n 's/^-- cursor: //p')" + echo "## Obtaining TGT" + echo "${password}" | timeout --verbose 30 kinit "${user_principal}" || return $? + klist + echo + echo "## ssh'ing into localhost using ${initial_auth_method} auth" + timeout --verbose 30 ssh "${user}@${myhostname}" date || return $? + echo + echo "## checking that we got a service ticket for ssh (host/)" + klist | grep -F "${service_principal}" || return $? + echo + echo "## Checking ssh logs to confirm ${final_auth_method} auth was used" + journalctl -u ssh.service --after-cursor="$cursor" --grep "Accepted ${final_auth_method}" +} + +test_gssapi_login() { + _test_ssh_login gssapi-with-mic "${testuser}" gssapi-with-mic +} + +test_gssapi_keyex_login() { + _test_ssh_login gssapi-keyex "${testuser}" gssapi-keyex +} + +test_gssapi_keyex_pubkey_fallback() { + # GSS-API key exchange for the wrong user, falling back to public key + # authentication for the right user. + _test_ssh_login gssapi-keyex "${testuser2}" publickey +} + +setup +echo "## TESTS" +echo +run_test test_gssapi_login +run_test test_gssapi_keyex_login +run_test test_gssapi_keyex_pubkey_fallback diff -Nru openssh-9.2p1/debian/tests/util openssh-9.2p1/debian/tests/util --- openssh-9.2p1/debian/tests/util 1970-01-01 00:00:00.000000000 +0000 +++ openssh-9.2p1/debian/tests/util 2024-12-08 00:14:54.000000000 +0000 
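Review bot: The final check in `_test_ssh_login` does not tie the accepted method to the account under test: `--grep "Accepted ${final_auth_method}"` matches an acceptance for any user within the cursor window, and the output of the `date` run over ssh is discarded, so `test_gssapi_keyex_pubkey_fallback` would still pass if the session were accepted for an account other than `${testuser2}`. Tightening the log check to `journalctl -u ssh.service --after-cursor="$cursor" --grep "Accepted ${final_auth_method} for ${user} "` and replacing the `date` line with `out="$(timeout --verbose 30 ssh "${user}@${myhostname}" id -un)" || return $?` followed by `[ "${out}" = "${user}" ] || return 1` pins both the method and the identity. That last step also relies on journalctl exiting non-zero when `--grep` matches nothing, which I believe current systemd does but which deserves a comment, since a zero exit with no output would make the method check vacuous. The heredoc bodies written by `setup`/`configure_sshd` and the parameter assignments at the top of `_test_ssh_login` are missing from this rendering, so the variable names above are read from their later uses.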
@@ -0,0 +1,76 @@ +# Copyright 2018 Canonical Ltd. +# This code is licensed under the same terms as MIT Kerberos. + +set -e + +adjust_hostname() { + local myhostname="$1" + + echo "${myhostname}" > /etc/hostname + hostname "${myhostname}" + if ! grep -qE "${myhostname}" /etc/hosts; then + # just so it's resolvable + echo "127.0.1.10 ${myhostname}" >> /etc/hosts + fi +} + +create_realm() { + local realm_name="$1" + local kerberos_server="$2" + + # start fresh + rm -rf /var/lib/krb5kdc/* + rm -rf /etc/krb5kdc/* + rm -f /etc/krb5.keytab + + # setup some defaults + cat > /etc/krb5kdc/kdc.conf < /etc/krb5.conf < /etc/krb5kdc/kadm5.acl + + # create the realm + kdb5_util create -s -P secretpassword + + # restart services + systemctl restart krb5-kdc.service krb5-admin-server.service +} + +run_test() { + local testfunc="${1}" + local -i result=0 + shift + echo "## TEST ${testfunc}" + "${testfunc}" "${@}" || result=$? + if [ ${result} -ne 0 ]; then + echo "## FAIL ${testfunc}" + else + echo "## PASS ${testfunc}" + fi + echo + return ${result} +}
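Review bot: `run_test` invokes `"${testfunc}"` on the left-hand side of `||`, which makes bash suspend `set -e` for the whole body of the test function and everything it calls, so a test only fails if it returns non-zero explicitly; `_test_ssh_login` in ssh-gssapi does this with `|| return $?` on each step, but nothing here records that a test omitting it passes silently. A header comment on `run_test` such as `# NOTE: errexit is suspended inside "${testfunc}" (it runs on the left of ||); test functions must propagate failures with || return $?` would make that contract explicit. Separately, `grep -qE "${myhostname}"` in `adjust_hostname` treats the hostname as a regex where a literal match is meant; `grep -qF -- "${myhostname}" /etc/hosts` is the intended check. The heredoc bodies for kdc.conf, krb5.conf and kadm5.acl are not visible in this rendering, so I have not reviewed them.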