From 61026a2af1198336a10d20df79d61f75e4a3bfaa Mon Sep 17 00:00:00 2001 From: Bryan Drewery Date: Tue, 24 May 2022 16:08:14 -0700 Subject: security/openssh-portable: Fix some capsicum issues - Brings in latest changes from base. See patches for details. - Version 9.0 is being worked on but I wanted to fix this issue before proceeding with bigger changes. PR: 263753 (cherry picked from commit 272dd07a309c086a4bc97dc015ef7faf4fbf89ca) --- security/openssh-portable/Makefile | 2 +- .../files/patch-FreeBSD-caph_cache_tzdata | 43 ++++++++++++++ .../openssh-portable/files/patch-FreeBSD-logincap | 69 ++++++++++++++++++++++ security/openssh-portable/files/patch-auth2.c | 47 --------------- 4 files changed, 113 insertions(+), 48 deletions(-) create mode 100644 security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata create mode 100644 security/openssh-portable/files/patch-FreeBSD-logincap delete mode 100644 security/openssh-portable/files/patch-auth2.c diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index 75f4d206e817..f55a7bd0c630 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -2,7 +2,7 @@ PORTNAME= openssh DISTVERSION= 8.9p1 -PORTREVISION= 3 +PORTREVISION= 4 PORTEPOCH= 1 CATEGORIES= security MASTER_SITES= OPENBSD/OpenSSH/portable diff --git a/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata b/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata new file mode 100644 index 000000000000..bf3889265b77 --- /dev/null +++ b/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata @@ -0,0 +1,43 @@ +commit fc3c19a9fceeea48a9259ac3833a125804342c0e +Author: Ed Maste +Date: Sat Oct 6 21:32:55 2018 +0000 + + sshd: address capsicum issues + + * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in + capability mode. + * Cache timezone data via caph_cache_tzdata() as we cannot access the + timezone file. + * Reverse resolve hostname before entering capability mode. + + PR: 231172 + Submitted by: naito.yuichiro@gmail.com + Reviewed by: cem, des + Approved by: re (rgrimes) + MFC after: 3 weeks + Differential Revision: https://reviews.freebsd.org/D17128 + +Notes: + svn path=/head/; revision=339216 + +diff --git crypto/openssh/sandbox-capsicum.c crypto/openssh/sandbox-capsicum.c +index 5f41d526292b..f728abd18250 100644 +--- sandbox-capsicum.c ++++ sandbox-capsicum.c +@@ -31,6 +31,7 @@ __RCSID("$FreeBSD$"); + #include + #include + #include ++#include + + #include "log.h" + #include "monitor.h" +@@ -71,6 +72,8 @@ ssh_sandbox_child(struct ssh_sandbox *box) + struct rlimit rl_zero; + cap_rights_t rights; + ++ caph_cache_tzdata(); ++ + rl_zero.rlim_cur = rl_zero.rlim_max = 0; + + if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) diff --git a/security/openssh-portable/files/patch-FreeBSD-logincap b/security/openssh-portable/files/patch-FreeBSD-logincap new file mode 100644 index 000000000000..78d772e8a024 --- /dev/null +++ b/security/openssh-portable/files/patch-FreeBSD-logincap @@ -0,0 +1,69 @@ +(pulled from the PR) + +commit 27ceebbc2402e4c98203c7eef9696f4bd3d326f8 +Author: Ed Maste +Date: Tue Aug 31 15:30:50 2021 -0400 + + openssh: simplify login class restrictions + + Login class-based restrictions were introduced in 5b400a39b8ad. The + code was adapted for sshd's Capsicum sandbox and received many changes + over time, including at least fc3c19a9fcee, bd393de91cc3, and + e8c56fba2926. + + During an attempt to upstream the work a much simpler approach was + suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with + future updates. + + Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub) + Obtained from: https://github.com/openssh/openssh-portable/pull/262 + Reviewed by: allanjude, kevans + MFC after: 2 weeks + Differential Revision: https://reviews.freebsd.org/D31760 + + +--- auth.c ++++ auth.c +@@ -566,6 +566,9 @@ getpwnamallow(struct ssh *ssh, const char *user) + { + #ifdef HAVE_LOGIN_CAP + extern login_cap_t *lc; ++#ifdef HAVE_AUTH_HOSTOK ++ const char *from_host, *from_ip; ++#endif + #ifdef BSD_AUTH + auth_session_t *as; + #endif +@@ -611,6 +614,21 @@ getpwnamallow(struct ssh *ssh, const char *user) + debug("unable to get login class: %s", user); + return (NULL); + } ++#ifdef HAVE_AUTH_HOSTOK ++ from_host = auth_get_canonical_hostname(ssh, options.use_dns); ++ from_ip = ssh_remote_ipaddr(ssh); ++ if (!auth_hostok(lc, from_host, from_ip)) { ++ debug("Denied connection for %.200s from %.200s [%.200s].", ++ pw->pw_name, from_host, from_ip); ++ return (NULL); ++ } ++#endif /* HAVE_AUTH_HOSTOK */ ++#ifdef HAVE_AUTH_TIMEOK ++ if (!auth_timeok(lc, time(NULL))) { ++ debug("LOGIN %.200s REFUSED (TIME)", pw->pw_name); ++ return (NULL); ++ } ++#endif /* HAVE_AUTH_TIMEOK */ + #ifdef BSD_AUTH + if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 || + auth_approval(as, lc, pw->pw_name, "ssh") <= 0) { +--- configure.ac ++++ configure.ac +@@ -1784,6 +1784,8 @@ AC_SUBST([PICFLAG]) + + dnl Checks for library functions. Please keep in alphabetical order + AC_CHECK_FUNCS([ \ ++ auth_hostok \ ++ auth_timeok \ + Blowfish_initstate \ + Blowfish_expandstate \ + Blowfish_expand0state \ diff --git a/security/openssh-portable/files/patch-auth2.c b/security/openssh-portable/files/patch-auth2.c deleted file mode 100644 index 38d366aeaf71..000000000000 --- a/security/openssh-portable/files/patch-auth2.c +++ /dev/null @@ -1,47 +0,0 @@ ---- UTC -r99053 | des | 2002-06-29 05:57:13 -0500 (Sat, 29 Jun 2002) | 4 lines -Changed paths: - M /head/crypto/openssh/auth2.c - -Apply class-imposed login restrictions. - ---- auth2.c.orig 2020-09-27 00:25:01.000000000 -0700 -+++ auth2.c 2020-11-16 13:55:25.222771000 -0800 -@@ -266,6 +266,10 @@ input_userauth_request(int type, u_int32_t seq, struct - char *user = NULL, *service = NULL, *method = NULL, *style = NULL; - int r, authenticated = 0; - double tstart = monotime_double(); -+#ifdef HAVE_LOGIN_CAP -+ login_cap_t *lc; -+ const char *from_host, *from_ip; -+#endif - - if (authctxt == NULL) - fatal("input_userauth_request: no authctxt"); -@@ -317,6 +321,26 @@ input_userauth_request(int type, u_int32_t seq, struct - "not allowed: (%s,%s) -> (%s,%s)", - authctxt->user, authctxt->service, user, service); - } -+ -+#ifdef HAVE_LOGIN_CAP -+ if (authctxt->pw != NULL && -+ (lc = login_getpwclass(authctxt->pw)) != NULL) { -+ from_host = auth_get_canonical_hostname(ssh, options.use_dns); -+ from_ip = ssh_remote_ipaddr(ssh); -+ if (!auth_hostok(lc, from_host, from_ip)) { -+ logit("Denied connection for %.200s from %.200s [%.200s].", -+ authctxt->pw->pw_name, from_host, from_ip); -+ ssh_packet_disconnect(ssh, "Sorry, you are not allowed to connect."); -+ } -+ if (!auth_timeok(lc, time(NULL))) { -+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", -+ authctxt->pw->pw_name, from_host); -+ ssh_packet_disconnect(ssh, "Logins not available right now."); -+ } -+ login_close(lc); -+ } -+#endif /* HAVE_LOGIN_CAP */ -+ - /* reset state */ - auth2_challenge_stop(ssh); - -- cgit v1.2.3