openssh: 6.9p1 -> 7.1p1
This intentionally leaves out support for using existing dsa keys as they are insecure and should not be enabled by default. If you need this support, please make the changes in your ssh_config and sshd_config.
This commit is contained in:
parent
3f1d497fbe
commit
88b8145750
2 changed files with 3 additions and 68 deletions
|
@ -17,11 +17,11 @@ let
|
|||
in
|
||||
with stdenv.lib;
|
||||
stdenv.mkDerivation rec {
|
||||
name = "openssh-6.9p1";
|
||||
name = "openssh-7.1p1";
|
||||
|
||||
src = fetchurl {
|
||||
url = "mirror://openbsd/OpenSSH/portable/${name}.tar.gz";
|
||||
sha256 = "1zkci5nbpb4frmzj2vr3kv9j47x2h72kvybcpr0d8mzk73sls1vf";
|
||||
sha256 = "0a44mnr8bvw41zg83xh4sb55d8nds29j95gxvxk5qg863lnns2pw";
|
||||
};
|
||||
|
||||
prePatch = optionalString hpnSupport
|
||||
|
@ -30,7 +30,7 @@ stdenv.mkDerivation rec {
|
|||
export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s"
|
||||
'';
|
||||
|
||||
patches = [ ./locale_archive.patch ./openssh-6.9p1-security-7.0.patch];
|
||||
patches = [ ./locale_archive.patch ];
|
||||
|
||||
buildInputs = [ zlib openssl libedit pkgconfig pam ]
|
||||
++ optional withKerberos [ kerberos ];
|
||||
|
|
|
@ -1,65 +0,0 @@
|
|||
http://pkgs.fedoraproject.org/cgit/openssh.git/commit/openssh-6.9p1-security-7.0.patch?h=f22&id=4776fad91e7e1f626f33e8c240d0ccecd663554d
|
||||
|
||||
diff --git a/sshpty.c b/sshpty.c
|
||||
index 7bb7641..15da8c6 100644
|
||||
--- a/sshpty.c
|
||||
+++ b/sshpty.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */
|
||||
+/* $OpenBSD: sshpty.c,v 1.30 2015/07/30 23:09:15 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@@ -197,7 +197,7 @@ pty_setowner(struct passwd *pw, const char *tty)
|
||||
/* Determine the group to make the owner of the tty. */
|
||||
grp = getgrnam("tty");
|
||||
gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
|
||||
- mode = (grp != NULL) ? 0622 : 0600;
|
||||
+ mode = (grp != NULL) ? 0620 : 0600;
|
||||
|
||||
/*
|
||||
* Change owner and mode of the tty as required.
|
||||
diff --git a/monitor.c b/monitor.c
|
||||
index b410965..f1b873d 100644
|
||||
--- a/monitor.c
|
||||
+++ b/monitor.c
|
||||
@@ -1084,9 +1084,7 @@ extern KbdintDevice sshpam_device;
|
||||
int
|
||||
mm_answer_pam_init_ctx(int sock, Buffer *m)
|
||||
{
|
||||
-
|
||||
debug3("%s", __func__);
|
||||
- authctxt->user = buffer_get_string(m, NULL);
|
||||
sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
|
||||
sshpam_authok = NULL;
|
||||
buffer_clear(m);
|
||||
@@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
|
||||
int
|
||||
mm_answer_pam_free_ctx(int sock, Buffer *m)
|
||||
{
|
||||
+ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
|
||||
|
||||
debug3("%s", __func__);
|
||||
(sshpam_device.free_ctx)(sshpam_ctxt);
|
||||
+ sshpam_ctxt = sshpam_authok = NULL;
|
||||
buffer_clear(m);
|
||||
mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
|
||||
auth_method = "keyboard-interactive";
|
||||
auth_submethod = "pam";
|
||||
- return (sshpam_authok == sshpam_ctxt);
|
||||
+ return r;
|
||||
}
|
||||
#endif
|
||||
|
||||
diff --git a/monitor_wrap.c b/monitor_wrap.c
|
||||
index e6217b3..eac421b 100644
|
||||
--- a/monitor_wrap.c
|
||||
+++ b/monitor_wrap.c
|
||||
@@ -614,7 +614,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
|
||||
|
||||
debug3("%s", __func__);
|
||||
buffer_init(&m);
|
||||
- buffer_put_cstring(&m, authctxt->user);
|
||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
|
||||
debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
|
||||
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
|
Loading…
Reference in a new issue