From 88b814575016ae9685851aa0d78f613e7d15d700 Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Thu, 20 Aug 2015 10:36:06 -0700 Subject: [PATCH] openssh: 6.9p1 -> 7.1p1 This intentionally leaves out support for using existing dsa keys as they are insecure and should not be enabled by default. If you need this support, please make the changes in your ssh_config and sshd_config. --- pkgs/tools/networking/openssh/default.nix | 6 +- .../openssh/openssh-6.9p1-security-7.0.patch | 65 ------------------- 2 files changed, 3 insertions(+), 68 deletions(-) delete mode 100644 pkgs/tools/networking/openssh/openssh-6.9p1-security-7.0.patch diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index 2004e453a0d9..50d53bdff2cd 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -17,11 +17,11 @@ let in with stdenv.lib; stdenv.mkDerivation rec { - name = "openssh-6.9p1"; + name = "openssh-7.1p1"; src = fetchurl { url = "mirror://openbsd/OpenSSH/portable/${name}.tar.gz"; - sha256 = "1zkci5nbpb4frmzj2vr3kv9j47x2h72kvybcpr0d8mzk73sls1vf"; + sha256 = "0a44mnr8bvw41zg83xh4sb55d8nds29j95gxvxk5qg863lnns2pw"; }; prePatch = optionalString hpnSupport @@ -30,7 +30,7 @@ stdenv.mkDerivation rec { export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s" ''; - patches = [ ./locale_archive.patch ./openssh-6.9p1-security-7.0.patch]; + patches = [ ./locale_archive.patch ]; buildInputs = [ zlib openssl libedit pkgconfig pam ] ++ optional withKerberos [ kerberos ]; diff --git a/pkgs/tools/networking/openssh/openssh-6.9p1-security-7.0.patch b/pkgs/tools/networking/openssh/openssh-6.9p1-security-7.0.patch deleted file mode 100644 index 02e9eb3a9739..000000000000 --- a/pkgs/tools/networking/openssh/openssh-6.9p1-security-7.0.patch +++ /dev/null @@ -1,65 +0,0 @@ -http://pkgs.fedoraproject.org/cgit/openssh.git/commit/openssh-6.9p1-security-7.0.patch?h=f22&id=4776fad91e7e1f626f33e8c240d0ccecd663554d - -diff --git a/sshpty.c b/sshpty.c -index 7bb7641..15da8c6 100644 ---- a/sshpty.c -+++ b/sshpty.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */ -+/* $OpenBSD: sshpty.c,v 1.30 2015/07/30 23:09:15 djm Exp $ */ - /* - * Author: Tatu Ylonen - * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland -@@ -197,7 +197,7 @@ pty_setowner(struct passwd *pw, const char *tty) - /* Determine the group to make the owner of the tty. */ - grp = getgrnam("tty"); - gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid; -- mode = (grp != NULL) ? 0622 : 0600; -+ mode = (grp != NULL) ? 0620 : 0600; - - /* - * Change owner and mode of the tty as required. -diff --git a/monitor.c b/monitor.c -index b410965..f1b873d 100644 ---- a/monitor.c -+++ b/monitor.c -@@ -1084,9 +1084,7 @@ extern KbdintDevice sshpam_device; - int - mm_answer_pam_init_ctx(int sock, Buffer *m) - { -- - debug3("%s", __func__); -- authctxt->user = buffer_get_string(m, NULL); - sshpam_ctxt = (sshpam_device.init_ctx)(authctxt); - sshpam_authok = NULL; - buffer_clear(m); -@@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m) - int - mm_answer_pam_free_ctx(int sock, Buffer *m) - { -+ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt; - - debug3("%s", __func__); - (sshpam_device.free_ctx)(sshpam_ctxt); -+ sshpam_ctxt = sshpam_authok = NULL; - buffer_clear(m); - mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); - auth_method = "keyboard-interactive"; - auth_submethod = "pam"; -- return (sshpam_authok == sshpam_ctxt); -+ return r; - } - #endif - -diff --git a/monitor_wrap.c b/monitor_wrap.c -index e6217b3..eac421b 100644 ---- a/monitor_wrap.c -+++ b/monitor_wrap.c -@@ -614,7 +614,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt) - - debug3("%s", __func__); - buffer_init(&m); -- buffer_put_cstring(&m, authctxt->user); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m); - debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);