Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: open...@packages.debian.org
Control: affects -1 + src:openssh
User: release.debian....@packages.debian.org
Usertags: pu

I have a set of OpenSSH fixes that I think are worth including in the
next stable update, all of which fix regressions from bullseye:

 * Minor security fix to creation of template directories (#1001186,
   #1064898)
 * The gssapi-keyex authentication method was declared incorrectly and
   was thus unusable
   (https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2053146)
 * The combination of GSS-API key exchange and public key authentication
   broke in some situations (#1041521, #1088248)

In addition, although this isn't a regression, I agree with the reporter
of #1088873 that backporting the sntrup761x25519-sha512 alias for that
post-quantum key algorithm is likely to be helpful for configuration
management and interoperability.

The most delicate parts here are the GSS-API key exchange patches, and
so I thought it was best to also backport the autopkgtest that we added
earlier this year to cover this area.  I found that invaluable in making
sure that I hadn't missed anything substantial.

The changes are all individually rather small (especially if you
discount some git-dpm noise in debian/patches/) and have been in testing
for some time.  As mentioned above, the GSS-API key exchange parts are
the most delicate, but they don't affect people who aren't using that
feature; the other changes are close to trivial.

Of course I'll update the first line of the changelog to "bookworm"
before uploading.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Thanks,

-- 
Colin Watson (he/him)                              [cjwat...@debian.org]
diff -Nru openssh-9.2p1/debian/.git-dpm openssh-9.2p1/debian/.git-dpm
--- openssh-9.2p1/debian/.git-dpm       2023-12-19 12:55:10.000000000 +0000
+++ openssh-9.2p1/debian/.git-dpm       2024-03-03 19:27:10.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-14c4d6f0fa446414d1c38ad083107576d0ae3032
-14c4d6f0fa446414d1c38ad083107576d0ae3032
+253c4c0047bd8258e21388cf8ad6fe3b1172c1da
+253c4c0047bd8258e21388cf8ad6fe3b1172c1da
 cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188
 cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188
 openssh_9.2p1.orig.tar.gz
diff -Nru openssh-9.2p1/debian/changelog openssh-9.2p1/debian/changelog
--- openssh-9.2p1/debian/changelog      2024-06-22 20:38:08.000000000 +0100
+++ openssh-9.2p1/debian/changelog      2024-03-03 19:27:10.000000000 +0000
@@ -1,3 +1,19 @@
+openssh (1:9.2p1-2+deb12u4) UNRELEASED; urgency=medium
+
+  * Always use the internal mkdtemp implementation, since it substitutes
+    more randomness into the template string than glibc's version (closes:
+    #1001186, #1064898).
+  * Fix gssapi-keyex declaration, broken when rebasing onto 8.9p1
+    (LP: #2053146).
+  * Import ssh-gssapi autopkgtest from 1:9.8p1-4.
+  * Don't prefer host-bound public key signatures if there was no initial
+    host key, as is the case when using GSS-API key exchange (closes:
+    #1041521, #1088248).
+  * Make sntrup761x25519-sha512 key exchange algorithm available without the
+    @openssh.com suffix too (closes: #1088873).
+
+ -- Colin Watson <cjwat...@debian.org>  Sun, 03 Mar 2024 19:27:10 +0000
+
 openssh (1:9.2p1-2+deb12u3) bookworm-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
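Review bot: the trailer timestamp (Sun, 03 Mar 2024) is stale and needs refreshing along with the `UNRELEASED` distribution, not only the distribution line: the same entry closes #1088248 and #1088873 and the patches it introduces carry Last-Update(d): 2024-12-03, so the entry's own date contradicts its contents. Running `dch -r` before upload resets both at once. The five bullets otherwise match what the debdiff shows for debian/patches (gssapi-keyex declaration, initial_hostkey guard, sntrup761x25519-sha512 alias); the mkdtemp and autopkgtest changes live outside the visible portion of this diff (debian/rules and debian/tests are cut off), so those should be checked against the full debdiff.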
diff -Nru openssh-9.2p1/debian/patches/CVE-2023-28531.patch 
openssh-9.2p1/debian/patches/CVE-2023-28531.patch
--- openssh-9.2p1/debian/patches/CVE-2023-28531.patch   2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/CVE-2023-28531.patch   2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From d1461c936223751e723662115b12bb0e9ba96f65 Mon Sep 17 00:00:00 2001
+From 3551a0444621320cc1eaa0dba7d127b6ee67d0b7 Mon Sep 17 00:00:00 2001
 From: "d...@openbsd.org" <d...@openbsd.org>
 Date: Thu, 9 Mar 2023 06:58:26 +0000
 Subject: upstream: include destination constraints for smartcard keys too.
diff -Nru openssh-9.2p1/debian/patches/CVE-2023-38408-1.patch 
openssh-9.2p1/debian/patches/CVE-2023-38408-1.patch
--- openssh-9.2p1/debian/patches/CVE-2023-38408-1.patch 2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/CVE-2023-38408-1.patch 2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From dee3878689aef5365955442869be02d420b65ea6 Mon Sep 17 00:00:00 2001
+From 443d99e0bd3156c424b502fffcb621552607d9c6 Mon Sep 17 00:00:00 2001
 From: Damien Miller <d...@mindrot.org>
 Date: Thu, 13 Jul 2023 12:09:34 +1000
 Subject: terminate pkcs11 process for bad libraries
diff -Nru openssh-9.2p1/debian/patches/CVE-2023-38408-2.patch 
openssh-9.2p1/debian/patches/CVE-2023-38408-2.patch
--- openssh-9.2p1/debian/patches/CVE-2023-38408-2.patch 2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/CVE-2023-38408-2.patch 2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From 5c06b89189eb27f692b900526d60bf744918511e Mon Sep 17 00:00:00 2001
+From e9aced930c69f1f38bffe28a2396661c92b2a23a Mon Sep 17 00:00:00 2001
 From: Damien Miller <d...@mindrot.org>
 Date: Fri, 7 Jul 2023 13:30:15 +1000
 Subject: disallow remote addition of FIDO/PKCS11 keys
diff -Nru openssh-9.2p1/debian/patches/CVE-2023-38408-3.patch 
openssh-9.2p1/debian/patches/CVE-2023-38408-3.patch
--- openssh-9.2p1/debian/patches/CVE-2023-38408-3.patch 2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/CVE-2023-38408-3.patch 2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From 29c7785a3673101b3af8f6f712795fa128e52ddd Mon Sep 17 00:00:00 2001
+From f881f358de9432fe4524c4bc156a0911164631a3 Mon Sep 17 00:00:00 2001
 From: "d...@openbsd.org" <d...@openbsd.org>
 Date: Wed, 19 Jul 2023 14:02:27 +0000
 Subject: upstream: Ensure FIDO/PKCS11 libraries contain expected symbols
diff -Nru openssh-9.2p1/debian/patches/CVE-2023-48795.patch 
openssh-9.2p1/debian/patches/CVE-2023-48795.patch
--- openssh-9.2p1/debian/patches/CVE-2023-48795.patch   2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/CVE-2023-48795.patch   2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From 9148d0a8031d89f53f045b63ac3a709611d94778 Mon Sep 17 00:00:00 2001
+From c78d5a0d5c30c345377ff5a1ca5ddbd27ab4fbe2 Mon Sep 17 00:00:00 2001
 From: "d...@openbsd.org" <d...@openbsd.org>
 Date: Mon, 18 Dec 2023 14:45:17 +0000
 Subject: upstream: implement "strict key exchange" in ssh and sshd
@@ -385,7 +385,7 @@
            (r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 ||
            (r = sshpkt_put_cstring(ssh, buf)) != 0 ||
 diff --git a/sshconnect2.c b/sshconnect2.c
-index cb6a94e76..3e5f69470 100644
+index a08de66c0..4a7a573d8 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
 @@ -250,7 +250,8 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr 
*hostaddr, u_short port,
diff -Nru openssh-9.2p1/debian/patches/CVE-2023-51384.patch 
openssh-9.2p1/debian/patches/CVE-2023-51384.patch
--- openssh-9.2p1/debian/patches/CVE-2023-51384.patch   2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/CVE-2023-51384.patch   2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From d5be669c872a313a71d60babee64f3a80340dc51 Mon Sep 17 00:00:00 2001
+From 01ada7980c52efffa52d0947efd23783245e70c4 Mon Sep 17 00:00:00 2001
 From: "d...@openbsd.org" <d...@openbsd.org>
 Date: Mon, 18 Dec 2023 14:46:12 +0000
 Subject: upstream: apply destination constraints to all p11 keys
diff -Nru openssh-9.2p1/debian/patches/CVE-2023-51385.patch 
openssh-9.2p1/debian/patches/CVE-2023-51385.patch
--- openssh-9.2p1/debian/patches/CVE-2023-51385.patch   2023-12-19 
12:55:10.000000000 +0000
+++ openssh-9.2p1/debian/patches/CVE-2023-51385.patch   2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From 14c4d6f0fa446414d1c38ad083107576d0ae3032 Mon Sep 17 00:00:00 2001
+From de0609ea68651da8720b6e858f5b45599e361ee3 Mon Sep 17 00:00:00 2001
 From: "d...@openbsd.org" <d...@openbsd.org>
 Date: Mon, 18 Dec 2023 14:47:44 +0000
 Subject: upstream: ban user/hostnames with most shell metacharacters
diff -Nru 
openssh-9.2p1/debian/patches/Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch
 
openssh-9.2p1/debian/patches/Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch
--- 
openssh-9.2p1/debian/patches/Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch
     2024-06-22 20:38:08.000000000 +0100
+++ 
openssh-9.2p1/debian/patches/Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch
     2024-03-03 19:27:10.000000000 +0000
@@ -1,8 +1,7 @@
-From 96af055c9d7bfd2e974e0ef889848fa401057c0d Mon Sep 17 00:00:00 2001
+From 30e67756d4b5853f133d0ba4572e928a4ef5bff6 Mon Sep 17 00:00:00 2001
 From: Salvatore Bonaccorso <car...@debian.org>
 Date: Sat, 22 Jun 2024 21:33:03 +0200
-Subject: [PATCH] Disable async-signal-unsafe code from the sshsigdie()
- function
+Subject: Disable async-signal-unsafe code from the sshsigdie() function
 
 Address signal handler race condition: if a client does not authenticate
 within LoginGraceTime seconds (120 by default, 600 in old OpenSSH
@@ -15,8 +14,14 @@
 service (crash), and possibly execute arbitrary code")
 
 Signed-off-by: Salvatore Bonaccorso <car...@debian.org>
+
+Patch-Name: Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch
 ---
+ log.c | 2 ++
+ 1 file changed, 2 insertions(+)
 
+diff --git a/log.c b/log.c
+index bdc4b6515..4d49c2e50 100644
 --- a/log.c
 +++ b/log.c
 @@ -452,12 +452,14 @@ void
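Review bot: this hunk is git-dpm header normalisation only (Subject reflowed onto one line, Patch-Name and diffstat added, `diff --git`/`index` lines inserted); the log.c body that follows is unchanged context, so it can be skipped in review together with the hash-only `From` hunks in the other patch files.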
diff -Nru openssh-9.2p1/debian/patches/authorized-keys-man-symlink.patch 
openssh-9.2p1/debian/patches/authorized-keys-man-symlink.patch
--- openssh-9.2p1/debian/patches/authorized-keys-man-symlink.patch      
2023-12-19 12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/authorized-keys-man-symlink.patch      
2024-03-03 19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From 374a21e4acc5b06719640c0d6b82afdf4182b900 Mon Sep 17 00:00:00 2001
+From dee22f6f22efc21f49e55620c978023f43cf336d Mon Sep 17 00:00:00 2001
 From: Tomas Pospisek <tpo_...@sourcepole.ch>
 Date: Sun, 9 Feb 2014 16:10:07 +0000
 Subject: Install authorized_keys(5) as a symlink to sshd(8)
diff -Nru openssh-9.2p1/debian/patches/conch-ssh-rsa.patch 
openssh-9.2p1/debian/patches/conch-ssh-rsa.patch
--- openssh-9.2p1/debian/patches/conch-ssh-rsa.patch    2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/conch-ssh-rsa.patch    2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From 2df31e50f4cd159978c99055ed2d54b98a5ec7e4 Mon Sep 17 00:00:00 2001
+From 617a61aac72c5446e99e0f2207a563a6369aa9d9 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwat...@debian.org>
 Date: Tue, 15 Feb 2022 18:25:35 +0000
 Subject: Work around RSA SHA-2 signature issues in conch
diff -Nru openssh-9.2p1/debian/patches/debian-banner.patch 
openssh-9.2p1/debian/patches/debian-banner.patch
--- openssh-9.2p1/debian/patches/debian-banner.patch    2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/debian-banner.patch    2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From 2d3ac49df11f0aed81f35ce9588eb2c578ec98f2 Mon Sep 17 00:00:00 2001
+From 250ea677f62ee37a800e49d5d68683eb4ff241f7 Mon Sep 17 00:00:00 2001
 From: Kees Cook <k...@debian.org>
 Date: Sun, 9 Feb 2014 16:10:06 +0000
 Subject: Add DebianBanner server configuration option
diff -Nru openssh-9.2p1/debian/patches/debian-config.patch 
openssh-9.2p1/debian/patches/debian-config.patch
--- openssh-9.2p1/debian/patches/debian-config.patch    2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/debian-config.patch    2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From aedb5d2ee2799e3a95b6913721533d2c42c496b3 Mon Sep 17 00:00:00 2001
+From 177b212b6b237dbca4c4f29feb69db959a2ecb81 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwat...@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
diff -Nru openssh-9.2p1/debian/patches/dnssec-sshfp.patch 
openssh-9.2p1/debian/patches/dnssec-sshfp.patch
--- openssh-9.2p1/debian/patches/dnssec-sshfp.patch     2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/dnssec-sshfp.patch     2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From 25f54fd79c7dc62d5ffaa7ebdc2e3de86a031084 Mon Sep 17 00:00:00 2001
+From b19054b02f64d320194f86e305a9d97053c9ab01 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwat...@debian.org>
 Date: Sun, 9 Feb 2014 16:10:01 +0000
 Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
diff -Nru openssh-9.2p1/debian/patches/doc-hash-tab-completion.patch 
openssh-9.2p1/debian/patches/doc-hash-tab-completion.patch
--- openssh-9.2p1/debian/patches/doc-hash-tab-completion.patch  2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/doc-hash-tab-completion.patch  2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From 4202164dacce1c368f7e6e5c02b3080486deddbf Mon Sep 17 00:00:00 2001
+From fc51509b693b1b31ad48b93019da576edb905e13 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwat...@debian.org>
 Date: Sun, 9 Feb 2014 16:10:11 +0000
 Subject: Document that HashKnownHosts may break tab-completion
diff -Nru openssh-9.2p1/debian/patches/gnome-ssh-askpass2-icon.patch 
openssh-9.2p1/debian/patches/gnome-ssh-askpass2-icon.patch
--- openssh-9.2p1/debian/patches/gnome-ssh-askpass2-icon.patch  2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/gnome-ssh-askpass2-icon.patch  2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From 0b0ba78b1a3a0a7fd2d0d72f508d225c04df5aa7 Mon Sep 17 00:00:00 2001
+From 1de37afc2ed154a3db9d2a99e9c6b0b5c302e522 Mon Sep 17 00:00:00 2001
 From: Vincent Untz <vu...@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:16 +0000
 Subject: Give the ssh-askpass-gnome window a default icon
diff -Nru openssh-9.2p1/debian/patches/gssapi.patch 
openssh-9.2p1/debian/patches/gssapi.patch
--- openssh-9.2p1/debian/patches/gssapi.patch   2023-12-19 12:55:09.000000000 
+0000
+++ openssh-9.2p1/debian/patches/gssapi.patch   2024-03-03 19:27:10.000000000 
+0000
@@ -1,4 +1,4 @@
-From 61798b25a23b55d72a86a35062106cc3fc0ab834 Mon Sep 17 00:00:00 2001
+From 03e7fd7bd4470a1322fa8da42789577cc5b1d7ec Mon Sep 17 00:00:00 2001
 From: Simon Wilkinson <si...@sxw.org.uk>
 Date: Sun, 9 Feb 2014 16:09:48 +0000
 Subject: GSSAPI key exchange support
@@ -21,14 +21,14 @@
 Author: Jakub Jelen <jje...@redhat.com>
 Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/pull/23
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
-Last-Updated: 2023-01-02
+Last-Updated: 2024-12-03
 
 Patch-Name: gssapi.patch
 ---
  Makefile.in     |   5 +-
  README.md       |  36 +++
  auth.c          |  94 +-------
- auth2-gss.c     |  56 ++++-
+ auth2-gss.c     |  57 ++++-
  auth2.c         |   2 +
  canohost.c      |  91 ++++++++
  canohost.h      |   3 +
@@ -58,13 +58,13 @@
  ssh.c           |   6 +-
  ssh_config      |   2 +
  ssh_config.5    |  57 +++++
- sshconnect2.c   | 156 ++++++++++++-
+ sshconnect2.c   | 160 ++++++++++++-
  sshd.c          |  62 ++++-
  sshd_config     |   2 +
  sshd_config.5   |  30 +++
  sshkey.c        |   8 +-
  sshkey.h        |   1 +
- 39 files changed, 2765 insertions(+), 164 deletions(-)
+ 39 files changed, 2769 insertions(+), 165 deletions(-)
  create mode 100644 kexgssc.c
  create mode 100644 kexgsss.c
  create mode 100644 ssh-null.c
@@ -256,7 +256,7 @@
   * Return the canonical name of the host in the other side of the current
   * connection.  The host name is cached, so it is efficient to call this
 diff --git a/auth2-gss.c b/auth2-gss.c
-index 2062609d9..4566d425c 100644
+index 2062609d9..a3f46ebf3 100644
 --- a/auth2-gss.c
 +++ b/auth2-gss.c
 @@ -1,7 +1,7 @@
@@ -276,7 +276,7 @@
 + * The 'gssapi_keyex' userauth mechanism.
 + */
 +static int
-+userauth_gsskeyex(struct ssh *ssh)
++userauth_gsskeyex(struct ssh *ssh, const char *method)
 +{
 +      Authctxt *authctxt = ssh->authctxt;
 +      int r, authenticated = 0;
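Review bot: adding the `const char *method` parameter to `userauth_gsskeyex` brings it into line with the callback type the rest of the Authmethod table uses after the 8.9p1 rebase, which is half of the gssapi-keyex fix; `method` is not used in the visible lines, which is fine for this table but worth a one-line comment so nobody "cleans it up" on the next rebase. The patch header's only change is the Last-Updated date, so a sentence in the header saying why the declaration was wrong would help future reviewers more than the diffstat line `auth2-gss.c | 57 ++++-` does.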
@@ -337,12 +337,13 @@
        else
                logit("GSSAPI MIC check failed");
  
-@@ -327,6 +371,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh 
*ssh)
+@@ -327,6 +371,13 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh 
*ssh)
        return 0;
  }
  
 +Authmethod method_gsskeyex = {
 +      "gssapi-keyex",
++      NULL,
 +      userauth_gsskeyex,
 +      &options.gss_authentication
 +};
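Review bot: the inserted `NULL` is the actual fix for the unusable method: the initializer is positional, so without it `userauth_gsskeyex` sat in the member slot after the name and `&options.gss_authentication` in the slot after that, shifting every later member by one (the hunk header's +12 to +13 reflects the extra line). Designated initializers using the struct's actual member names (`.name = "gssapi-keyex", .userauth = userauth_gsskeyex, ...`) would turn this class of rebase breakage into a compile error instead of a silently broken method; at minimum a comment naming the member the `NULL` stands for would help the next rebase.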
@@ -3712,7 +3713,7 @@
  Indicates that
  .Xr ssh 1
 diff --git a/sshconnect2.c b/sshconnect2.c
-index 58fe98db2..cb6a94e76 100644
+index 58fe98db2..a08de66c0 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
 @@ -81,8 +81,6 @@
@@ -3954,6 +3955,17 @@
  #endif /* GSSAPI */
  
  static int
+@@ -1356,7 +1502,9 @@ sign_and_send_pubkey(struct ssh *ssh, Identity *id)
+ 
+       /* prefer host-bound pubkey signatures if supported by server */
+       if ((ssh->kex->flags & KEX_HAS_PUBKEY_HOSTBOUND) != 0 &&
+-          (options.pubkey_authentication & SSH_PUBKEY_AUTH_HBOUND) != 0) {
++          (options.pubkey_authentication & SSH_PUBKEY_AUTH_HBOUND) != 0 &&
++          /* initial_hostkey may be NULL with GSS-API key exchange */
++          ssh->kex->initial_hostkey != NULL) {
+               hostbound = 1;
+               method = "publickey-hostbound-...@openssh.com";
+       }
 diff --git a/sshd.c b/sshd.c
 index 6321936c0..6ad9a845a 100644
 --- a/sshd.c
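Review bot: the new `ssh->kex->initial_hostkey != NULL` test is correctly placed last in the short-circuit chain, after the two flag checks that already dereference `ssh->kex`, so it introduces no new dereference risk. When it fails, though, the client silently drops back to plain `publickey` even though the server advertised host-bound support; a `debug()` call beside the comment (stating that initial_hostkey is unset, as with GSS-API key exchange, so host-bound signatures are skipped) would let `ssh -v` output explain why the host-bound method was not used, which is exactly what someone debugging the GSS-API key exchange plus publickey combination this fixes will want to see.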
diff -Nru openssh-9.2p1/debian/patches/keepalive-extensions.patch 
openssh-9.2p1/debian/patches/keepalive-extensions.patch
--- openssh-9.2p1/debian/patches/keepalive-extensions.patch     2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/keepalive-extensions.patch     2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From dbc7024bb9fe29a5d2bd398219ae2fc5668826b8 Mon Sep 17 00:00:00 2001
+From 88e35da8605f70f062e5aafd223098e158425aa4 Mon Sep 17 00:00:00 2001
 From: Richard Kettlewell <r...@greenend.org.uk>
 Date: Sun, 9 Feb 2014 16:09:52 +0000
 Subject: Various keepalive extensions
diff -Nru openssh-9.2p1/debian/patches/maxhostnamelen.patch 
openssh-9.2p1/debian/patches/maxhostnamelen.patch
--- openssh-9.2p1/debian/patches/maxhostnamelen.patch   2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/maxhostnamelen.patch   2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From 36b00b5f4d96d6d9db3fd9e418bd2d1f66e8e7fe Mon Sep 17 00:00:00 2001
+From 7f723a24e810b326747cacfecb4e4ae915a65840 Mon Sep 17 00:00:00 2001
 From: Svante Signell <svante.sign...@gmail.com>
 Date: Fri, 5 Nov 2021 23:22:53 +0000
 Subject: Define MAXHOSTNAMELEN on GNU/Hurd
diff -Nru openssh-9.2p1/debian/patches/mention-ssh-keygen-on-keychange.patch 
openssh-9.2p1/debian/patches/mention-ssh-keygen-on-keychange.patch
--- openssh-9.2p1/debian/patches/mention-ssh-keygen-on-keychange.patch  
2023-12-19 12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/mention-ssh-keygen-on-keychange.patch  
2024-03-03 19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From e797fa7ecced95a0b7f27b000e467ffb31934d28 Mon Sep 17 00:00:00 2001
+From faaa7e24f0440213fab3558ffbd8119c04f4ae12 Mon Sep 17 00:00:00 2001
 From: Scott Moser <smo...@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:03 +0000
 Subject: Mention ssh-keygen in ssh fingerprint changed warning
diff -Nru openssh-9.2p1/debian/patches/no-openssl-version-status.patch 
openssh-9.2p1/debian/patches/no-openssl-version-status.patch
--- openssh-9.2p1/debian/patches/no-openssl-version-status.patch        
2023-12-19 12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/no-openssl-version-status.patch        
2024-03-03 19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From c7c2ce00f07135457dbd924cfe962e03a2b0ab62 Mon Sep 17 00:00:00 2001
+From 5d1c32cb181d5b4392210ddbf2ff84fcda79a89c Mon Sep 17 00:00:00 2001
 From: Kurt Roeckx <k...@roeckx.be>
 Date: Sun, 9 Feb 2014 16:10:14 +0000
 Subject: Don't check the status field of the OpenSSL version
diff -Nru openssh-9.2p1/debian/patches/openbsd-docs.patch 
openssh-9.2p1/debian/patches/openbsd-docs.patch
--- openssh-9.2p1/debian/patches/openbsd-docs.patch     2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/openbsd-docs.patch     2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From f8033f154f0fe23f974f67ba2f8a29754a5044af Mon Sep 17 00:00:00 2001
+From e76555b386bf0a09ac60b4de7cd46960ca736164 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwat...@debian.org>
 Date: Sun, 9 Feb 2014 16:10:09 +0000
 Subject: Adjust various OpenBSD-specific references in manual pages
diff -Nru openssh-9.2p1/debian/patches/package-versioning.patch 
openssh-9.2p1/debian/patches/package-versioning.patch
--- openssh-9.2p1/debian/patches/package-versioning.patch       2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/package-versioning.patch       2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From 720ad1a8e62ff52438766b49f8413ac55b17f570 Mon Sep 17 00:00:00 2001
+From 62a119032fb35d2494730603d01ea384e144f82a Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matt...@debian.org>
 Date: Sun, 9 Feb 2014 16:10:05 +0000
 Subject: Include the Debian version in our identification
diff -Nru openssh-9.2p1/debian/patches/remove-spurious-ssh-agent-options.patch 
openssh-9.2p1/debian/patches/remove-spurious-ssh-agent-options.patch
--- openssh-9.2p1/debian/patches/remove-spurious-ssh-agent-options.patch        
2023-12-19 12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/remove-spurious-ssh-agent-options.patch        
2024-03-03 19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From 74edce484429249265baaee1e8a5d1785ee7afa7 Mon Sep 17 00:00:00 2001
+From d6b66b9c06a5a8491c7e0887185a4651b31acae0 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwat...@debian.org>
 Date: Tue, 7 Feb 2023 23:55:19 +0000
 Subject: Remove spurious ssh-agent options
diff -Nru openssh-9.2p1/debian/patches/restore-authorized_keys2.patch 
openssh-9.2p1/debian/patches/restore-authorized_keys2.patch
--- openssh-9.2p1/debian/patches/restore-authorized_keys2.patch 2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/restore-authorized_keys2.patch 2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From b2cc972d55fcc3c3df709a340ce3019fec9880c4 Mon Sep 17 00:00:00 2001
+From 58c39c93aef24277b9125185d70d38f958fa054c Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwat...@debian.org>
 Date: Sun, 5 Mar 2017 02:02:11 +0000
 Subject: Restore reading authorized_keys2 by default
diff -Nru openssh-9.2p1/debian/patches/restore-tcp-wrappers.patch 
openssh-9.2p1/debian/patches/restore-tcp-wrappers.patch
--- openssh-9.2p1/debian/patches/restore-tcp-wrappers.patch     2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/restore-tcp-wrappers.patch     2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From 8cee1ce3e07ac7904468ab8076ad5595048fb4c9 Mon Sep 17 00:00:00 2001
+From b43542890d0f92850e5c8bbd30f62204791fce98 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwat...@debian.org>
 Date: Tue, 7 Oct 2014 13:22:41 +0100
 Subject: Restore TCP wrappers support
diff -Nru openssh-9.2p1/debian/patches/revert-ipqos-defaults.patch 
openssh-9.2p1/debian/patches/revert-ipqos-defaults.patch
--- openssh-9.2p1/debian/patches/revert-ipqos-defaults.patch    2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/revert-ipqos-defaults.patch    2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From 8aea1d66b4ba0afd6cb4b25991bfb683d951c6e2 Mon Sep 17 00:00:00 2001
+From 60b3b7a847fcf97259c137d3fc0c25ae5a49650d Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwat...@debian.org>
 Date: Mon, 8 Apr 2019 10:46:29 +0100
 Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
diff -Nru openssh-9.2p1/debian/patches/scp-quoting.patch 
openssh-9.2p1/debian/patches/scp-quoting.patch
--- openssh-9.2p1/debian/patches/scp-quoting.patch      2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/scp-quoting.patch      2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From 501d8554b6792531778d6b3b9344f8e55d84df29 Mon Sep 17 00:00:00 2001
+From 3e9d83c98093d1485e33eb94f8449c2b0683ebc8 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcar...@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:59 +0000
 Subject: Adjust scp quoting in verbose mode
diff -Nru openssh-9.2p1/debian/patches/selinux-role.patch 
openssh-9.2p1/debian/patches/selinux-role.patch
--- openssh-9.2p1/debian/patches/selinux-role.patch     2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/selinux-role.patch     2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From a1b3f6592e7ef61f5d9544fc652ae44f8c47bd2e Mon Sep 17 00:00:00 2001
+From 07fb0a9e6b42cdb0225517609e60165beb268ceb Mon Sep 17 00:00:00 2001
 From: Manoj Srivastava <sriva...@debian.org>
 Date: Sun, 9 Feb 2014 16:09:49 +0000
 Subject: Handle SELinux authorisation roles
diff -Nru openssh-9.2p1/debian/patches/series 
openssh-9.2p1/debian/patches/series
--- openssh-9.2p1/debian/patches/series 2024-06-22 20:38:08.000000000 +0100
+++ openssh-9.2p1/debian/patches/series 2024-03-03 19:27:10.000000000 +0000
@@ -34,3 +34,4 @@
 CVE-2023-51384.patch
 CVE-2023-51385.patch
 Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch
+sntrup761x25519-sha512.patch
diff -Nru openssh-9.2p1/debian/patches/shell-path.patch 
openssh-9.2p1/debian/patches/shell-path.patch
--- openssh-9.2p1/debian/patches/shell-path.patch       2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/shell-path.patch       2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From b364a18c85a959fdfd0a5a2c497482809cadf29f Mon Sep 17 00:00:00 2001
+From 695ba53a206de76d33d734ba359c4203088368cb Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwat...@debian.org>
 Date: Sun, 9 Feb 2014 16:10:00 +0000
 Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
diff -Nru openssh-9.2p1/debian/patches/sntrup761x25519-sha512.patch 
openssh-9.2p1/debian/patches/sntrup761x25519-sha512.patch
--- openssh-9.2p1/debian/patches/sntrup761x25519-sha512.patch   1970-01-01 
01:00:00.000000000 +0100
+++ openssh-9.2p1/debian/patches/sntrup761x25519-sha512.patch   2024-03-03 
19:27:10.000000000 +0000
@@ -0,0 +1,95 @@
+From 253c4c0047bd8258e21388cf8ad6fe3b1172c1da Mon Sep 17 00:00:00 2001
+From: "d...@openbsd.org" <d...@openbsd.org>
+Date: Thu, 22 Aug 2024 23:11:30 +0000
+Subject: upstream: sntrup761x25519-sha512 now has an IANA codepoint assigned,
+ so
+
+we can make the algorithm available without the @openssh.com suffix too. ok
+markus@ deraadt@
+
+OpenBSD-Commit-ID: eeed8fcde688143a737729d3d56d20ab4353770f
+
+Origin: backport, 
https://anongit.mindrot.org/openssh.git/commit/?id=aee54878255d71bf93aa6e91bbd4eb1825c0d1b9
+Last-Update: 2024-12-03
+
+Patch-Name: sntrup761x25519-sha512.patch
+---
+ kex.c         | 2 ++
+ kex.h         | 3 ++-
+ myproposal.h  | 1 +
+ ssh_config.5  | 2 +-
+ sshd_config.5 | 4 +++-
+ 5 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/kex.c b/kex.c
+index 0b4fc4767..e6fddd7d8 100644
+--- a/kex.c
++++ b/kex.c
+@@ -118,6 +118,8 @@ static const struct kexalg kexalgs[] = {
+ #ifdef USE_SNTRUP761X25519
+       { KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0,
+           SSH_DIGEST_SHA512 },
++      { KEX_SNTRUP761X25519_SHA512_OLD, KEX_KEM_SNTRUP761X25519_SHA512, 0,
++          SSH_DIGEST_SHA512 },
+ #endif
+ #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
+       { NULL, 0, -1, -1},
+diff --git a/kex.h b/kex.h
+index 99b47435f..84bace10b 100644
+--- a/kex.h
++++ b/kex.h
+@@ -62,7 +62,8 @@
+ #define       KEX_ECDH_SHA2_NISTP521          "ecdh-sha2-nistp521"
+ #define       KEX_CURVE25519_SHA256           "curve25519-sha256"
+ #define       KEX_CURVE25519_SHA256_OLD       "curve25519-sha...@libssh.org"
+-#define       KEX_SNTRUP761X25519_SHA512      
"sntrup761x25519-sha...@openssh.com"
++#define       KEX_SNTRUP761X25519_SHA512      "sntrup761x25519-sha512"
++#define       KEX_SNTRUP761X25519_SHA512_OLD  
"sntrup761x25519-sha...@openssh.com"
+ 
+ #define COMP_NONE     0
+ /* pre-auth compression (COMP_ZLIB) is only supported in the client */
+diff --git a/myproposal.h b/myproposal.h
+index ee6e9f741..0528cd783 100644
+--- a/myproposal.h
++++ b/myproposal.h
+@@ -25,6 +25,7 @@
+  */
+ 
+ #define KEX_SERVER_KEX        \
++      "sntrup761x25519-sha512," \
+       "sntrup761x25519-sha...@openssh.com," \
+       "curve25519-sha256," \
+       "curve25519-sha...@libssh.org," \
+diff --git a/ssh_config.5 b/ssh_config.5
+index f8616c18b..12f1ff9e6 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -1261,7 +1261,7 @@ character, then the specified algorithms will be placed 
at the head of the
+ default set.
+ The default is:
+ .Bd -literal -offset indent
+-sntrup761x25519-sha...@openssh.com,
++sntrup761x25519-sha512,sntrup761x25519-sha...@openssh.com,
+ curve25519-sha256,curve25519-sha...@libssh.org,
+ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+ diffie-hellman-group-exchange-sha256,
+diff --git a/sshd_config.5 b/sshd_config.5
+index 7fd8abf48..8e0b58ebf 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -1084,12 +1084,14 @@ ecdh-sha2-nistp384
+ .It
+ ecdh-sha2-nistp521
+ .It
++sntrup761x25519-sha512
++.It
+ sntrup761x25519-sha...@openssh.com
+ .El
+ .Pp
+ The default is:
+ .Bd -literal -offset indent
+-sntrup761x25519-sha...@openssh.com,
++sntrup761x25519-sha512,sntrup761x25519-sha...@openssh.com,
+ curve25519-sha256,curve25519-sha...@libssh.org,
+ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+ diffie-hellman-group-exchange-sha256,
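Review bot: repointing the existing `KEX_SNTRUP761X25519_SHA512` macro at the unsuffixed string and adding `KEX_SNTRUP761X25519_SHA512_OLD` for the @openssh.com name means every other use of the old macro in the 9.2p1 tree now names the new algorithm; the diffstat lists only kex.c, kex.h, myproposal.h and the two manual pages, so please confirm with a grep that nothing else in this tree, including the Debian patches applied earlier in series (gssapi.patch touches the kex proposal code), references the macro. The kex.c table change is right: both names map to `KEX_KEM_SNTRUP761X25519_SHA512`, so clients offering either name still negotiate the same exchange. The diff updates only `KEX_SERVER_KEX`, while the ssh_config.5 hunk promises the new default to ssh(1) as well; upstream derives the client list from the server list, so verify that holds in this tree so the client actually offers `sntrup761x25519-sha512` first.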
diff -Nru openssh-9.2p1/debian/patches/ssh-agent-setgid.patch 
openssh-9.2p1/debian/patches/ssh-agent-setgid.patch
--- openssh-9.2p1/debian/patches/ssh-agent-setgid.patch 2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/ssh-agent-setgid.patch 2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From bf54d67a00bf4d408f0e52236c4248cecfb5177f Mon Sep 17 00:00:00 2001
+From d5a2ba7af682ae724440edb5030094b19455fd98 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwat...@debian.org>
 Date: Sun, 9 Feb 2014 16:10:13 +0000
 Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
diff -Nru openssh-9.2p1/debian/patches/ssh-argv0.patch 
openssh-9.2p1/debian/patches/ssh-argv0.patch
--- openssh-9.2p1/debian/patches/ssh-argv0.patch        2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/ssh-argv0.patch        2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From b252064f6d116feca5d07dfe6dfd62ba005927bd Mon Sep 17 00:00:00 2001
+From 415984f4dba214dbd469af8bd5ba88a8eaf87bac Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwat...@debian.org>
 Date: Sun, 9 Feb 2014 16:10:10 +0000
 Subject: ssh(1): Refer to ssh-argv0(1)
diff -Nru openssh-9.2p1/debian/patches/ssh-vulnkey-compat.patch 
openssh-9.2p1/debian/patches/ssh-vulnkey-compat.patch
--- openssh-9.2p1/debian/patches/ssh-vulnkey-compat.patch       2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/ssh-vulnkey-compat.patch       2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From 3878210a9526dc6c78c48d959bab0afb0052b64f Mon Sep 17 00:00:00 2001
+From 29e019028843d1b63f95854f425b8efe69317b6a Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwat...@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:50 +0000
 Subject: Accept obsolete ssh-vulnkey configuration options
diff -Nru openssh-9.2p1/debian/patches/syslog-level-silent.patch 
openssh-9.2p1/debian/patches/syslog-level-silent.patch
--- openssh-9.2p1/debian/patches/syslog-level-silent.patch      2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/syslog-level-silent.patch      2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From ac80435d753ff39d9c6ded2f7535d770f257fc59 Mon Sep 17 00:00:00 2001
+From 3cd29305c77bb26eb4ec6b34078317eee6f9bf15 Mon Sep 17 00:00:00 2001
 From: Natalie Amery <nmam...@chiark.greenend.org.uk>
 Date: Sun, 9 Feb 2014 16:09:54 +0000
 Subject: "LogLevel SILENT" compatibility
diff -Nru openssh-9.2p1/debian/patches/systemd-readiness.patch 
openssh-9.2p1/debian/patches/systemd-readiness.patch
--- openssh-9.2p1/debian/patches/systemd-readiness.patch        2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/systemd-readiness.patch        2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From 5d04f3ebd2825c03fa7c39e27c28bf3384345806 Mon Sep 17 00:00:00 2001
+From 5322641c953083906543314f0f6e6865cd2c12c5 Mon Sep 17 00:00:00 2001
 From: Michael Biebl <bi...@debian.org>
 Date: Mon, 21 Dec 2015 16:08:47 +0000
 Subject: Add systemd readiness notification support
diff -Nru openssh-9.2p1/debian/patches/systemd-socket-activation.patch 
openssh-9.2p1/debian/patches/systemd-socket-activation.patch
--- openssh-9.2p1/debian/patches/systemd-socket-activation.patch        
2023-12-19 12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/systemd-socket-activation.patch        
2024-03-03 19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From 4cedd1c9acac0fba598db2eaf43278dfe8e53ef0 Mon Sep 17 00:00:00 2001
+From 00457e91987f0212cf851f74e8cb266e01b7f347 Mon Sep 17 00:00:00 2001
 From: Steve Langasek <steve.langa...@ubuntu.com>
 Date: Thu, 1 Sep 2022 16:03:37 +0100
 Subject: Support systemd socket activation
diff -Nru openssh-9.2p1/debian/patches/user-group-modes.patch 
openssh-9.2p1/debian/patches/user-group-modes.patch
--- openssh-9.2p1/debian/patches/user-group-modes.patch 2023-12-19 
12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/patches/user-group-modes.patch 2024-03-03 
19:27:10.000000000 +0000
@@ -1,4 +1,4 @@
-From ad9efda53c54f37dbd429c16db4be2946f27063e Mon Sep 17 00:00:00 2001
+From 603e2674118ba4136b73561941086a24a21ac7e8 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwat...@debian.org>
 Date: Sun, 9 Feb 2014 16:09:58 +0000
 Subject: Allow harmless group-writability
diff -Nru openssh-9.2p1/debian/rules openssh-9.2p1/debian/rules
--- openssh-9.2p1/debian/rules  2023-12-19 12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/rules  2024-03-03 19:27:10.000000000 +0000
@@ -65,6 +65,9 @@
 confflags += --with-libs=-lcrypt
 endif
 
+# Always use the internal mkdtemp; see https://bugs.debian.org/1001186.
+confflags += ac_cv_func_mkdtemp=no
+
 # Everything above here is common to the deb and udeb builds.
 confflags_udeb := $(confflags)
 
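Review bot: the comment above the new `confflags += ac_cv_func_mkdtemp=no` line says that the internal mkdtemp is forced but not why the libc one is unsuitable; since this is a security-motivated build change and the bug URL is its only justification, a one-line summary of the defect the bug describes (what goes wrong with template directory creation on the libc path) in the comment itself would spare the next maintainer a lookup before touching it. The placement above the `# Everything above here is common to the deb and udeb builds.` marker means the override also applies to the udeb configure run; if that is intended, fine, but it is worth saying so in the changelog entry.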
diff -Nru openssh-9.2p1/debian/salsa-ci.yml openssh-9.2p1/debian/salsa-ci.yml
--- openssh-9.2p1/debian/salsa-ci.yml   2023-12-19 12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/salsa-ci.yml   2024-03-03 19:27:10.000000000 +0000
@@ -1,3 +1,11 @@
 ---
 include:
   - 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+  RELEASE: 'bookworm'
+  # This source package doesn't build on unstable for
+  # non-reproducibility-related reasons, and the salsa-ci pipeline doesn't
+  # currently support running reprotest on bookworm:
+  # https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/236
+  SALSA_CI_DISABLE_REPROTEST: 1
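Review bot: the comment block under `variables:` gives two reasons for two different keys without saying which is which: `RELEASE: 'bookworm'` is there because the package doesn't build on unstable, and `SALSA_CI_DISABLE_REPROTEST: 1` because the pipeline can't run reprotest on bookworm (issue 236). Suggest splitting it so each key carries its own reason, e.g. moving the first sentence to sit directly above `RELEASE:`; and quoting the two values consistently reads better than mixing `'bookworm'` with a bare `1`.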
diff -Nru openssh-9.2p1/debian/tests/control openssh-9.2p1/debian/tests/control
--- openssh-9.2p1/debian/tests/control  2023-12-19 12:55:09.000000000 +0000
+++ openssh-9.2p1/debian/tests/control  2024-03-03 19:27:10.000000000 +0000
@@ -8,3 +8,10 @@
          python3-twisted,
          sudo,
          sysvinit-utils,
+
+Tests: ssh-gssapi
+Restrictions: allow-stderr isolation-container needs-root
+Depends: krb5-admin-server,
+         krb5-kdc,
+         openssh-server,
+         sudo,
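Review bot: `Restrictions: allow-stderr isolation-container needs-root` for the new `ssh-gssapi` test should probably also include `breaks-testbed`: through `adjust_hostname` and `create_realm` in debian/tests/util the script rewrites /etc/hostname, appends to /etc/hosts, replaces /etc/krb5.conf and wipes /var/lib/krb5kdc and /etc/krb5kdc, while the `cleanup` trap in ssh-gssapi removes only the keytab and the three ssh config drop-ins, so even a passing run leaves the testbed's hostname and Kerberos configuration changed. On `Depends:`, the script calls `journalctl`, `systemctl` and `hostname`; listing `systemd` (and `hostname`) explicitly documents that the test needs journald running rather than relying on those arriving transitively via openssh-server.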
diff -Nru openssh-9.2p1/debian/tests/ssh-gssapi 
openssh-9.2p1/debian/tests/ssh-gssapi
--- openssh-9.2p1/debian/tests/ssh-gssapi       1970-01-01 01:00:00.000000000 
+0100
+++ openssh-9.2p1/debian/tests/ssh-gssapi       2024-03-03 19:27:10.000000000 
+0000
@@ -0,0 +1,166 @@
+#!/bin/bash
+
+set -e
+set -o pipefail
+
+realm="EXAMPLE.FAKE"
+myhostname="sshd-gssapi.${realm,,}"
+testuser="testuser$$"
+testuser2="testuser$$-2"
+adduser --quiet --disabled-password --gecos "" "${testuser}"
+adduser --quiet --disabled-password --gecos "" "${testuser2}"
+password="secret"
+user_principal="${testuser}@${realm}"
+service_principal="host/${myhostname}"
+
+ssh-keygen -t ed25519 -N '' -f "$HOME/.ssh/id_ed25519"
+sudo -u "$testuser2" mkdir -m700 "/home/$testuser2/.ssh"
+cp "$HOME/.ssh/id_ed25519.pub" "/home/$testuser2/.ssh/authorized_keys"
+chown "$testuser2:" "/home/$testuser2/.ssh/authorized_keys"
+
+source debian/tests/util
+
+cleanup() {
+    if [ $? -ne 0 ]; then
+        echo "## Something failed"
+        echo
+        echo "## klist"
+        klist
+        echo
+        echo "## ssh server log"
+        journalctl -b -u ssh.service --lines 100
+        echo
+        echo "## Kerberos KDC logs"
+        journalctl -b -u krb5-kdc.service --lines 100
+        echo
+        echo "## Kerberos Admin server logs"
+        journalctl -b -u krb5-admin-server.service --lines 100
+        echo
+        echo "## Skipping cleanup to facilitate troubleshooting"
+    else
+        echo "## ALL TESTS PASSED"
+        echo "## Cleaning up"
+        rm -f /etc/krb5.keytab
+        rm -f /etc/ssh/sshd_config.d/gssapi.conf
+        rm -f /etc/ssh/ssh_config.d/gssapi.conf
+        rm -f /etc/ssh/ssh_config.d/dep8.conf
+    fi
+}
+
+trap cleanup EXIT
+
+setup() {
+    echo "## Setting up test environment"
+    adjust_hostname "${myhostname}"
+    echo "## Creating Kerberos realm ${realm}"
+    create_realm "${realm}" "${myhostname}"
+    echo "## Creating principals"
+    kadmin.local -q "addprinc -clearpolicy -pw ${password} ${user_principal}"
+    kadmin.local -q "addprinc -clearpolicy -randkey ${service_principal}"
+    echo "## Extracting service principal ${service_principal}"
+    kadmin.local -q "ktadd -k /etc/krb5.keytab ${service_principal}"
+    cat > /etc/ssh/ssh_config.d/dep8.conf <<EOF
+Host *
+    StrictHostKeyChecking no
+    UserKnownHostsFile /dev/null
+EOF
+    echo "## Adjusting /etc/krb5.conf"
+    cat > /etc/krb5.conf <<EOF
+[libdefaults]
+    default_realm = ${realm}
+    rdns = false
+    forwardable = true
+    dns_lookup_kdc = false
+    dns_uri_lookup = false
+    dns_lookup_realm = false
+
+[realms]
+    ${realm} = {
+        kdc = ${myhostname}
+        admin_server = ${myhostname}
+    }
+EOF
+}
+
+configure_sshd() {
+    local auth_method="${1}"
+
+    if [ "${auth_method}" = "gssapi-with-mic" ]; then
+        # server
+        echo "## Configuring sshd for ${auth_method} authentication"
+        cat > /etc/ssh/sshd_config.d/gssapi.conf <<EOF
+GSSAPIAuthentication yes
+GSSAPIKeyExchange no
+GSSAPICleanupCredentials yes
+EOF
+    # client
+    cat > /etc/ssh/ssh_config.d/gssapi.conf <<EOF
+Host *
+    GSSAPIAuthentication yes
+    GSSAPIKeyExchange no
+EOF
+    elif [ "${auth_method}" = "gssapi-keyex" ]; then
+        # server
+        echo "## Configuring sshd for ${auth_method} authentication"
+        cat > /etc/ssh/sshd_config.d/gssapi.conf <<EOF
+GSSAPIAuthentication yes
+GSSAPIKeyExchange yes
+GSSAPICleanupCredentials yes
+EOF
+    # client
+    cat > /etc/ssh/ssh_config.d/gssapi.conf <<EOF
+Host *
+    GSSAPIAuthentication yes
+    GSSAPIKeyExchange yes
+EOF
+    else
+        echo "## ERROR: unknown auth_method \"${auth_method}\""
+        return 1
+    fi
+    echo "## Restarting ssh"
+    systemctl restart ssh.service
+}
+
+_test_ssh_login() {
+    local initial_auth_method="${1}"
+    local user="${2}"
+    local final_auth_method="${3}"
+    local cursor
+
+    kdestroy 2>/dev/null || :
+    configure_sshd "${initial_auth_method}" || return $?
+    cursor="$(journalctl -u ssh.service --lines=1 --show-cursor | sed -n 
's/^-- cursor: //p')"
+    echo "## Obtaining TGT"
+    echo "${password}" | timeout --verbose 30 kinit "${user_principal}" || 
return $?
+    klist
+    echo
+    echo "## ssh'ing into localhost using ${initial_auth_method} auth"
+    timeout --verbose 30 ssh "${user}@${myhostname}" date || return $?
+    echo
+    echo "## checking that we got a service ticket for ssh (host/)"
+    klist | grep -F "${service_principal}" || return $?
+    echo
+    echo "## Checking ssh logs to confirm ${final_auth_method} auth was used"
+    journalctl -u ssh.service --after-cursor="$cursor" --grep "Accepted 
${final_auth_method}"
+}
+
+test_gssapi_login() {
+    _test_ssh_login gssapi-with-mic "${testuser}" gssapi-with-mic
+}
+
+test_gssapi_keyex_login() {
+    _test_ssh_login gssapi-keyex "${testuser}" gssapi-keyex
+}
+
+test_gssapi_keyex_pubkey_fallback() {
+    # GSS-API key exchange for the wrong user, falling back to public key
+    # authentication for the right user.
+    _test_ssh_login gssapi-keyex "${testuser2}" publickey
+}
+
+setup
+echo "## TESTS"
+echo
+run_test test_gssapi_login
+run_test test_gssapi_keyex_login
+run_test test_gssapi_keyex_pubkey_fallback
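Review bot: the final assertion in `_test_ssh_login`, `journalctl -u ssh.service --after-cursor="$cursor" --grep "Accepted ${final_auth_method}"`, only fails the test if journalctl exits non-zero when `--grep` matches nothing; please confirm that is the behaviour of the systemd version this will run against, otherwise the "which method was accepted" check passes vacuously and `test_gssapi_keyex_pubkey_fallback` would not notice a login that succeeded via gssapi-keyex instead of publickey. Piping the journal output through `grep -F "Accepted ${final_auth_method}"` (without `-q`, so journalctl is not cut off mid-write under `set -o pipefail`), as the `klist | grep -F` check already does, makes the intent explicit and independent of journalctl's exit status. Two smaller points: the `# client` heredocs in `configure_sshd` are dedented out of their `if`/`elif` branches, which reads as if they were unconditional; and `ssh-keygen -t ed25519 -N '' -f "$HOME/.ssh/id_ed25519"` stops on the overwrite prompt if a key from an earlier run is present, so a test-specific path or an `rm -f` beforehand would be more robust on a reused testbed.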
diff -Nru openssh-9.2p1/debian/tests/util openssh-9.2p1/debian/tests/util
--- openssh-9.2p1/debian/tests/util     1970-01-01 01:00:00.000000000 +0100
+++ openssh-9.2p1/debian/tests/util     2024-03-03 19:27:10.000000000 +0000
@@ -0,0 +1,76 @@
+# Copyright 2018 Canonical Ltd.
+# This code is licensed under the same terms as MIT Kerberos.
+
+set -e
+
+adjust_hostname() {
+    local myhostname="$1"
+
+    echo "${myhostname}" > /etc/hostname
+    hostname "${myhostname}"
+    if ! grep -qE "${myhostname}" /etc/hosts; then
+        # just so it's resolvable
+        echo "127.0.1.10 ${myhostname}" >> /etc/hosts
+    fi
+}
+
+create_realm() {
+    local realm_name="$1"
+    local kerberos_server="$2"
+
+    # start fresh
+    rm -rf /var/lib/krb5kdc/*
+    rm -rf /etc/krb5kdc/*
+    rm -f /etc/krb5.keytab
+
+    # setup some defaults
+    cat > /etc/krb5kdc/kdc.conf <<EOF
+[kdcdefaults]
+    kdc_ports = 750,88
+[realms]
+    ${realm_name} = {
+           database_name = /var/lib/krb5kdc/principal
+           admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
+           acl_file = /etc/krb5kdc/kadm5.acl
+           key_stash_file = /etc/krb5kdc/stash
+           kdc_ports = 750,88
+           max_life = 10h 0m 0s
+           max_renewable_life = 7d 0h 0m 0s
+           default_principal_flags = +preauth
+    }
+EOF
+
+    cat > /etc/krb5.conf <<EOF
+[libdefaults]
+    default_realm = ${realm_name}
+    rdns = false
+
+[realms]
+       ${realm_name} = {
+               kdc = ${kerberos_server}
+               admin_server = ${kerberos_server}
+       }
+EOF
+    echo "# */admin *" > /etc/krb5kdc/kadm5.acl
+
+    # create the realm
+    kdb5_util create -s -P secretpassword
+
+    # restart services
+    systemctl restart krb5-kdc.service krb5-admin-server.service
+}
+
+run_test() {
+    local testfunc="${1}"
+    local -i result=0
+    shift
+    echo "## TEST ${testfunc}"
+    "${testfunc}" "${@}" || result=$?
+    if [ ${result} -ne 0 ]; then
+        echo "## FAIL ${testfunc}"
+    else
+        echo "## PASS ${testfunc}"
+    fi
+    echo
+    return ${result}
+}
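Review bot: `grep -qE "${myhostname}"` in `adjust_hostname` treats the hostname as an unanchored regex, so each dot matches any character and any /etc/hosts line merely containing a superstring of the name also matches; a false positive means the `127.0.1.10 ${myhostname}` entry is never added and resolution of the KDC and sshd names then depends on whatever /etc/hosts already held. `grep -qF -- "${myhostname}"`, or an anchored pattern with whitespace on either side of the name, would be safer. Also, the /etc/krb5.conf written in `create_realm` is overwritten immediately afterwards by `setup` in ssh-gssapi with a fuller `[libdefaults]` section; either drop the write here or let `create_realm` accept the extra keys so there is one source of truth for the client configuration.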
