Home
My Posts

Archive
Login
Signup

Recent Posts

Free subdomains

Want your own xyz.kpaste.net sub-domain for your community? Just type the address into your browser address bar (foo.xyz.kpaste.net is also supported).

Suggestions/Bugs?

Email us at . Try to include as much info as possible.

About

Pastebin is a tool for collaborative debugging or editing.

 

Debian OpenSSH backport to Jessie
Posted by Anonymous on Sat 18th Feb 2023 11:12
raw | new post
modification of post by Anonymous (view diff)

Submit a correction or amendment below (click here to make a fresh posting)
After submitting an amendment, you'll be able to view the differences between the old and new posts easily.

Syntax highlighting: None Bash C C++ CSS Diff HTML mIRC Script Perl PHP Python Smarty XML ---------------------------- ABAP Actionscript ADA Apache Log AppleScript APT sources.list ASM ASP AutoIT Bash C C# C++ C++ (with QT) CSS Diff HTML INI (Config Files) Java Javascript Lua Make mIRC Script MySQL NSIS Perl PHP Python Q(uick)BASIC robots Ruby Ruby on Rails SDLBasic Smarty SQL TCL Text VB.NET Visual BASIC Visual Fox Pro Visual Prolog Windows Registry Files XML Xorg.conf

To highlight particular lines, prefix each line with {%HIGHLIGHT}
# Debian OpenSSH backport to Debian/Jessie # # git clone https://salsa.debian.org/ssh-team/openssh.git # cd openssh/ # patch -p1 <this_patch.patch # debuild -b -uc -us 2>&1 | tee buildlog.log # diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..204822d --- /dev/null +++ b/.gitattributes @@ -0,0 +1,6 @@ +configure -diff +aclocal.m4 -diff +config.guess -diff +aclocal.m4 -diff +config.guess -diff +config.sub -diff diff --git a/config.h.in b/config.h.in index f80d542..abb987a 100644 --- a/config.h.in +++ b/config.h.in @@ -984,6 +984,9 @@ /* Define to 1 if you have the `memmove' function. */ #undef HAVE_MEMMOVE +/* Define to 1 if you have the <memory.h> header file. */ +#undef HAVE_MEMORY_H + /* Define to 1 if you have the `memset_s' function. */ #undef HAVE_MEMSET_S @@ -1355,9 +1358,6 @@ /* Define to 1 if you have the <stdint.h> header file. */ #undef HAVE_STDINT_H -/* Define to 1 if you have the <stdio.h> header file. */ -#undef HAVE_STDIO_H - /* Define to 1 if you have the <stdlib.h> header file. */ #undef HAVE_STDLIB_H @@ -1478,6 +1478,9 @@ /* Define if you have syslen in utmpx.h */ #undef HAVE_SYSLEN_IN_UTMPX +/* Define if you want systemd support. */ +#undef HAVE_SYSTEMD + /* Define to 1 if you have the <sys/audit.h> header file. */ #undef HAVE_SYS_AUDIT_H @@ -1775,6 +1778,9 @@ /* Define if pututxline updates lastlog too */ #undef LASTLOG_WRITE_PUTUTXLINE +/* Define if you want TCP Wrappers support */ +#undef LIBWRAP + /* Define to whatever link() returns for "not supported" if it doesn't return EOPNOTSUPP. */ #undef LINK_OPNOTSUPP_ERRNO @@ -1979,9 +1985,7 @@ /* Prepend the address family to IP tunnel traffic */ #undef SSH_TUN_PREPEND_AF -/* Define to 1 if all of the C90 standard headers exist (not just the ones - required in a freestanding environment). This macro is provided for - backward compatibility; new code need not use it. */ +/* Define to 1 if you have the ANSI C header files. */ #undef STDC_HEADERS /* Define if you want a different $PATH for the superuser */ @@ -2008,6 +2012,9 @@ /* Use btmp to log bad logins */ #undef USE_BTMP +/* platform uses an in-memory credentials cache */ +#undef USE_CCAPI + /* Use libedit for sftp */ #undef USE_LIBEDIT @@ -2023,6 +2030,9 @@ /* Use PIPES instead of a socketpair() */ #undef USE_PIPES +/* platform has the Security Authorization Session API */ +#undef USE_SECURITY_SESSION_API + /* Define if you have Solaris privileges */ #undef USE_SOLARIS_PRIVS @@ -2081,6 +2091,11 @@ /* Define if xauth is found in your path */ #undef XAUTH_PATH +/* Enable large inode numbers on Mac OS X 10.5. */ +#ifndef _DARWIN_USE_64_BIT_INODE +# define _DARWIN_USE_64_BIT_INODE 1 +#endif + /* Number of bits in a file offset, on hosts where this is settable. */ #undef _FILE_OFFSET_BITS diff --git a/configure.ac b/configure.ac index 23423e4..774796a 100644 --- a/configure.ac +++ b/configure.ac @@ -2824,8 +2824,8 @@ AC_ARG_WITH([ssl-engine], nocrypto_saved_LIBS="$LIBS" if test "x$openssl" = "xyes" ; then - LIBS="-lcrypto $LIBS" - CHANNELLIBS="-lcrypto $CHANNELLIBS" + LIBS="-Wl,-Bstatic -lcrypto -Wl,-Bdynamic $LIBS" + CHANNELLIBS="-Wl,-Bstatic -lcrypto -Wl,-Bdynamic $CHANNELLIBS" AC_TRY_LINK_FUNC([RAND_add], , [AC_MSG_ERROR([*** working libcrypto not found, check config.log])]) AC_CHECK_HEADER([openssl/opensslv.h], , diff --git a/contrib/gnome-ssh-askpass3.c b/contrib/gnome-ssh-askpass3.c index e1a0533..6a6d25c 100644 --- a/contrib/gnome-ssh-askpass3.c +++ b/contrib/gnome-ssh-askpass3.c @@ -63,6 +63,22 @@ #include <gdk/gdkkeysyms.h> static void +report_failed_grab (GtkWidget *parent_window, const char *what) +{ + GtkWidget *err; + + err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0, + GTK_MESSAGE_ERROR, GTK_BUTTONS_CLOSE, + "Could not grab %s. A malicious client may be eavesdropping " + "on your session.", what); + gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER); + + gtk_dialog_run(GTK_DIALOG(err)); + + gtk_widget_destroy(err); +} + +static void ok_dialog(GtkWidget *entry, gpointer dialog) { g_return_if_fail(GTK_IS_DIALOG(dialog)); @@ -137,12 +153,9 @@ passphrase_dialog(char *message, int prompt_type) char *passphrase, *local; int result, grab_tries, grab_server, grab_pointer; int buttons, default_response; - GtkWidget *parent_window, *dialog, *entry, *err; + GtkWidget *parent_window, *dialog, *entry; GdkGrabStatus status; GdkColor fg, bg; - GdkSeat *seat; - GdkDisplay *display; - GdkSeatCapabilities caps; int fg_set = 0, bg_set = 0; grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL); @@ -213,30 +226,48 @@ passphrase_dialog(char *message, int prompt_type) G_CALLBACK(check_none), dialog); } } + /* Grab focus */ gtk_widget_show_now(dialog); - display = gtk_widget_get_display(GTK_WIDGET(dialog)); - seat = gdk_display_get_default_seat(display); - caps = GDK_SEAT_CAPABILITY_KEYBOARD; - if (grab_pointer) - caps |= GDK_SEAT_CAPABILITY_ALL_POINTING; - if (grab_server) - caps = GDK_SEAT_CAPABILITY_ALL; - for (;;) { - status = gdk_seat_grab(seat, gtk_widget_get_window(dialog), - caps, TRUE, NULL, NULL, NULL, NULL); + if (grab_pointer) { + for(;;) { + status = gdk_pointer_grab( + (gtk_widget_get_window(GTK_WIDGET(dialog))), TRUE, + 0, NULL, NULL, GDK_CURRENT_TIME); + if (status == GDK_GRAB_SUCCESS) + break; + usleep(GRAB_WAIT * 1000); + if (++grab_tries > GRAB_TRIES) { + failed = "mouse"; + goto nograb; + } + } + } + for(;;) { + status = gdk_keyboard_grab( + gtk_widget_get_window(GTK_WIDGET(dialog)), FALSE, + GDK_CURRENT_TIME); if (status == GDK_GRAB_SUCCESS) break; usleep(GRAB_WAIT * 1000); - if (++grab_tries > GRAB_TRIES) - goto nograb; + if (++grab_tries > GRAB_TRIES) { + failed = "keyboard"; + goto nograbkb; + } + } + if (grab_server) { + gdk_x11_grab_server(); } result = gtk_dialog_run(GTK_DIALOG(dialog)); /* Ungrab */ - gdk_seat_ungrab(seat); - gdk_display_flush(display); + if (grab_server) + XUngrabServer(gdk_x11_get_default_xdisplay()); + if (grab_pointer) + gdk_pointer_ungrab(GDK_CURRENT_TIME); + gdk_keyboard_ungrab(GDK_CURRENT_TIME); + gdk_flush(); /* Report passphrase if user selected OK */ if (prompt_type == PROMPT_ENTRY) { @@ -264,16 +295,21 @@ passphrase_dialog(char *message, int prompt_type) return -1; return 0; + nograbkb: + /* + * At least one grab failed - ungrab what we got, and report + * the failure to the user. Note that XGrabServer() cannot + * fail. + */ + gdk_pointer_ungrab(GDK_CURRENT_TIME); nograb: + if (grab_server) + XUngrabServer(gdk_x11_get_default_xdisplay()); gtk_widget_destroy(dialog); - err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0, - GTK_MESSAGE_ERROR, GTK_BUTTONS_CLOSE, - "Could not grab input. A malicious client may be eavesdropping " - "on your session."); - gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER); - gtk_dialog_run(GTK_DIALOG(err)); - gtk_widget_destroy(err); - return -1; + + report_failed_grab(parent_window, failed); + + return (-1); } int @@ -284,6 +320,8 @@ main(int argc, char **argv) gtk_init(&argc, &argv); + gtk_window_set_default_icon_from_file ("/usr/share/pixmaps/ssh-askpass-gnome.png", NULL); + if (argc > 1) { message = g_strjoinv(" ", argv + 1); } else { diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..f599e28 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +10 diff --git a/debian/control b/debian/control index f3ed979..efbfc0c 100644 --- a/debian/control +++ b/debian/control @@ -2,18 +2,15 @@ Source: openssh Section: net Priority: standard Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org> -Build-Depends: debhelper (>= 13.1~), - debhelper-compat (= 13), +Build-Depends: debhelper, dh-exec, - dh-runit (>= 2.8.8), libaudit-dev [linux-any], libedit-dev, - libfido2-dev (>= 1.5.0) [linux-any], libgtk-3-dev <!pkg.openssh.nognome>, libkrb5-dev | heimdal-dev, libpam0g-dev | libpam-dev, libselinux1-dev [linux-any], - libssl-dev (>= 1.1.0g), + libssl-dev , libsystemd-dev [linux-any] | libelogind-dev [linux-any], libwrap0-dev | libwrap-dev, pkg-config, @@ -24,7 +21,6 @@ Uploaders: Colin Watson <cjwatson@debian.org>, Homepage: https://www.openssh.com/ Vcs-Git: https://salsa.debian.org/ssh-team/openssh.git Vcs-Browser: https://salsa.debian.org/ssh-team/openssh -Rules-Requires-Root: no Package: openssh-client Architecture: any diff --git a/debian/rules b/debian/rules index 18b2bf3..dc240bc 100755 --- a/debian/rules +++ b/debian/rules @@ -74,11 +74,12 @@ confflags += --with-pam confflags += --with-libedit confflags += --with-kerberos5=/usr confflags += --with-ssl-engine + ifeq ($(DEB_HOST_ARCH_OS),linux) confflags += --with-selinux confflags += --with-audit=linux confflags += --with-systemd -confflags += --with-security-key-builtin +#confflags += --with-security-key-builtin endif # The deb build wants xauth; the udeb build doesn't. @@ -98,15 +99,15 @@ confflags += --with-cflags='$(cflags)' confflags_udeb += --with-cflags='$(cflags_udeb)' # Linker flags. -confflags += --with-ldflags='$(strip -Wl,--as-needed $(LDFLAGS))' -confflags_udeb += --with-ldflags='-Wl,--as-needed' +#confflags += --with-ldflags='$(strip -Wl,--as-needed $(LDFLAGS))' +#confflags_udeb += --with-ldflags='-Wl,--as-needed' ifeq ($(shell dpkg-vendor --is Ubuntu && echo yes) $(DEB_HOST_ARCH), yes i386) BUILD_PACKAGES += -Nopenssh-tests endif %: - dh $@ --with=runit $(BUILD_PACKAGES) + dh $@ $(BUILD_PACKAGES) override_dh_autoreconf-indep: diff --git a/kex.c b/kex.c index e7b7316..a16e87a 100644 --- a/kex.c +++ b/kex.c @@ -102,8 +102,10 @@ static const struct kexalg kexalgs[] = { { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 }, #endif /* HAVE_EVP_SHA256 */ #ifdef OPENSSL_HAS_ECC +#ifdef NID_X9_62_prime256v1 { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, NID_X9_62_prime256v1, SSH_DIGEST_SHA256 }, +#endif { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, SSH_DIGEST_SHA384 }, # ifdef OPENSSL_HAS_NISTP521 @@ -129,8 +131,10 @@ static const struct kexalg gss_kexalgs[] = { { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, { KEX_GSS_GRP14_SHA256_ID, KEX_GSS_GRP14_SHA256, 0, SSH_DIGEST_SHA256 }, { KEX_GSS_GRP16_SHA512_ID, KEX_GSS_GRP16_SHA512, 0, SSH_DIGEST_SHA512 }, +#ifdef NID_X9_62_prime256v1 { KEX_GSS_NISTP256_SHA256_ID, KEX_GSS_NISTP256_SHA256, NID_X9_62_prime256v1, SSH_DIGEST_SHA256 }, +#endif { KEX_GSS_C25519_SHA256_ID, KEX_GSS_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, #endif { NULL, 0, -1, -1},

Title:

Privacy: Public Private

How long should your post be retained?

15 mins an hour a day a week a month forever

All content is user-submitted.
The administrators of this site (kpaste.net) are not responsible for their content.
Abuse reports should be emailed to us at