+1 -1

pkgs/tools/networking/openssh/default.nix

reviewed

··· 30 30 export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s" 31 31 ''; 32 32 33 33 - patches = [ ./locale_archive.patch ]; 33 33 + patches = [ ./locale_archive.patch ./openssh-6.9p1-security-7.0.patch]; 34 34 35 35 buildInputs = [ zlib openssl libedit pkgconfig pam ] 36 36 ++ optional withKerberos [ kerberos ];

+65

pkgs/tools/networking/openssh/openssh-6.9p1-security-7.0.patch

reviewed

··· 1 1 + http://pkgs.fedoraproject.org/cgit/openssh.git/commit/openssh-6.9p1-security-7.0.patch?h=f22&id=4776fad91e7e1f626f33e8c240d0ccecd663554d 2 2 + 3 3 + diff --git a/sshpty.c b/sshpty.c 4 4 + index 7bb7641..15da8c6 100644 5 5 + --- a/sshpty.c 6 6 + +++ b/sshpty.c 7 7 + @@ -1,4 +1,4 @@ 8 8 + -/* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */ 9 9 + +/* $OpenBSD: sshpty.c,v 1.30 2015/07/30 23:09:15 djm Exp $ */ 10 10 + /* 11 11 + * Author: Tatu Ylonen <ylo@cs.hut.fi> 12 12 + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 13 13 + @@ -197,7 +197,7 @@ pty_setowner(struct passwd *pw, const char *tty) 14 14 + /* Determine the group to make the owner of the tty. */ 15 15 + grp = getgrnam("tty"); 16 16 + gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid; 17 17 + - mode = (grp != NULL) ? 0622 : 0600; 18 18 + + mode = (grp != NULL) ? 0620 : 0600; 19 19 + 20 20 + /* 21 21 + * Change owner and mode of the tty as required. 22 22 + diff --git a/monitor.c b/monitor.c 23 23 + index b410965..f1b873d 100644 24 24 + --- a/monitor.c 25 25 + +++ b/monitor.c 26 26 + @@ -1084,9 +1084,7 @@ extern KbdintDevice sshpam_device; 27 27 + int 28 28 + mm_answer_pam_init_ctx(int sock, Buffer *m) 29 29 + { 30 30 + - 31 31 + debug3("%s", __func__); 32 32 + - authctxt->user = buffer_get_string(m, NULL); 33 33 + sshpam_ctxt = (sshpam_device.init_ctx)(authctxt); 34 34 + sshpam_authok = NULL; 35 35 + buffer_clear(m); 36 36 + @@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m) 37 37 + int 38 38 + mm_answer_pam_free_ctx(int sock, Buffer *m) 39 39 + { 40 40 + + int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt; 41 41 + 42 42 + debug3("%s", __func__); 43 43 + (sshpam_device.free_ctx)(sshpam_ctxt); 44 44 + + sshpam_ctxt = sshpam_authok = NULL; 45 45 + buffer_clear(m); 46 46 + mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); 47 47 + auth_method = "keyboard-interactive"; 48 48 + auth_submethod = "pam"; 49 49 + - return (sshpam_authok == sshpam_ctxt); 50 50 + + return r; 51 51 + } 52 52 + #endif 53 53 + 54 54 + diff --git a/monitor_wrap.c b/monitor_wrap.c 55 55 + index e6217b3..eac421b 100644 56 56 + --- a/monitor_wrap.c 57 57 + +++ b/monitor_wrap.c 58 58 + @@ -614,7 +614,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt) 59 59 + 60 60 + debug3("%s", __func__); 61 61 + buffer_init(&m); 62 62 + - buffer_put_cstring(&m, authctxt->user); 63 63 + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m); 64 64 + debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__); 65 65 + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);