In _krb5_extract_ticket() the KDC-REP service name must be obtained from
encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'. Use of the unecrypted version provides an
opportunity for successful server impersonation and other attacks.
Submitted by: hrs
Obtained from: Heimdal
Security: FreeBSD-SA-17:05.heimdal
Security: CVE-2017-11103
Adjust notification points slightly to catch all auth failures,
rather than just the ones caused by bad usernames.
Modify notification point for bad usernames to send new type of
BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.)
Add guards to allow library headers to expose the enum of action values.
Reviewed by: des
Approved by: des
Sponsored by: The FreeBSD Foundation
Linking with lld fails as it contains a relative address, however the data
this address is for may be relocated from the shared object to the main
executable.
Fix this by adding the hidden attribute. This stops moving this value to
the main executable. It seems this is implicit upstream as it uses a
version script.
Approved by: jkim
Sponsored by: DARPA, AFRL
Renumber cluase 4 to 3, per what everybody else did when BSD granted
them permission to remove clause 3. My insistance on keeping the same
numbering for legal reasons is too pedantic, so give up on that point.
Submitted by: Jan Schaumann <jschauma@stevens.edu>
Pull Request: https://github.com/freebsd/freebsd/pull/96
Only build libwrap support into sshd if MK_TCP_WRAPPERS != no
This will unbreak the build if libwrap has been removed from the system
MFC after: 2 weeks
PR: 210141
Submitted by: kpect@protonmail.com
Differential Revision: D9049
Change the calls to of blacklist_init() and blacklist_notify to be
macros defined in the blacklist_client.h file. This avoids
the need for #ifdef USE_BLACKLIST / #endif except in the
blacklist.c file.
Remove redundent initialization attempts from within
blacklist_notify - everything always goes through
blacklistd_init().
Added UseBlacklist option to sshd, which defaults to off.
To enable the functionality, use '-o UseBlacklist=yes' on
the command line, or uncomment in the sshd_config file.
Reviewed by: des
Approved by: des
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D7051
if we didn't find any of them. This reduces log spam about key files for
deprecated algorithms, which we look for but don't generate.
PR: 208254
MFC after: 3 days
Upstream did this a long time ago, but we kept DSA and SSH1 in FreeBSD for
reasons which boil down to POLA. Now is a good time to catch up.
MFC after: 3 days
Relnotes: yes
Upstream commit r24759 (efed563) prefixed some symbols with rk_, but
introduced 6 duplicate symbols in the version script (because the
rk_-prefixed versions of the symbols were already present).
This change has functional impact, and other concerns raised
by the OpenSSH maintainer.
Requested by: des
PR: 210479 (related)
Approved by: re (marius)
Sponsored by: The FreeBSD Foundation
Reviewed by: rpaulo
Approved by: rpaulo (earlier version of changes)
Relnotes: YES
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D5915
Some consumers actually use this definition.
We probably need some procedure to ensure that SHLIB_VERSION_NUMBER
is updated whenever we change the library version in
secure/lib/libssl/Makefile.
If krb5_make_principal fails, tmp_creds.server may remain a pointer to freed
memory and then be double-freed. After freeing it the first time, initialize
it to NULL, which causes subsequent krb5_free_principal calls to do the right
thing.
Reported by: Coverity
CID: 1273430
Sponsored by: EMC / Isilon Storage Division
Re-apply r99054 by des in 2002. This was accidentally dropped
by the update to OpenSSH 6.5p1 (r261320).
This change is actually taken from r387082 of
ports/security/openssh-portable/files/patch-ssh.c
PR: 198043
Differential Revision: https://reviews.freebsd.org/D3103
Reviewed by: des
Approved by: kib (mentor)
MFC after: 3 days
Relnotes: yes
Sponsored by: Dell Inc.
The use of CHAN_TCP_WINDOW_DEFAULT here was fixed in upstream OpenSSH
in CVS 1.4810, git 5baa170d771de9e95cf30b4c469ece684244cf3e:
- dtucker@cvs.openbsd.org 2007/12/28 22:34:47
[clientloop.c]
Use the correct packet maximum sizes for remote port and agent forwarding.
Prevents the server from killing the connection if too much data is queued
and an excessively large packet gets sent. bz #1360, ok djm@.
The change was lost due to the the way the original upstream HPN patch
modified this code. It was re-adding the original OpenSSH code and never
was properly fixed to use the new value.
MFC after: 2 weeks