From 11e8ed5ff4bf9930b321186c3e606b3320784a38 Mon Sep 17 00:00:00 2001
From: Graham Christensen
Date: Wed, 28 Dec 2016 19:14:24 -0500
Subject: [PATCH 1/4] Revert "Revert "openssh: security 7.3p1 -> 7.4p1""

This reverts commit 661b5a9875cbc37310da5ee53b47a1d121bb5660.
---
 ...H-1380296-NEWKEYS-null-pointer-deref.patch | 37 -------------------
 pkgs/tools/networking/openssh/default.nix | 6 +--
 .../openssh/fix-CVE-2016-8858.patch | 11 ------
 3 files changed, 2 insertions(+), 52 deletions(-)
 delete mode 100644 pkgs/tools/networking/openssh/RH-1380296-NEWKEYS-null-pointer-deref.patch
 delete mode 100644 pkgs/tools/networking/openssh/fix-CVE-2016-8858.patch

diff --git a/pkgs/tools/networking/openssh/RH-1380296-NEWKEYS-null-pointer-deref.patch b/pkgs/tools/networking/openssh/RH-1380296-NEWKEYS-null-pointer-deref.patch
deleted file mode 100644
index 665eff8645303a..00000000000000
--- a/pkgs/tools/networking/openssh/RH-1380296-NEWKEYS-null-pointer-deref.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-diff --git a/kex.c b/kex.c
-index 50c7a0f..823668b 100644
---- a/kex.c
-+++ b/kex.c
-@@ -419,6 +419,8 @@ kex_input_newkeys(int type, u_int32_t seq, void *ctxt)
- ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
- if ((r = sshpkt_get_end(ssh)) != 0)
- return r;
-+ if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
-+ return r;
- kex->done = 1;
- sshbuf_reset(kex->peer);
- /* sshbuf_reset(kex->my); */
-diff --git a/packet.c b/packet.c
-index d6dad2d..f96566b 100644
---- a/packet.c
-+++ b/packet.c
-@@ -38,7 +38,7 @@
- */
-
- #include "includes.h"
--
-+
- #include /* MIN roundup */
- #include
- #include "openbsd-compat/sys-queue.h"
-@@ -1907,9 +1907,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
- return r;
- return SSH_ERR_PROTOCOL_ERROR;
- }
-- if (*typep == SSH2_MSG_NEWKEYS)
-- r = ssh_set_newkeys(ssh, MODE_IN);
-- else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
-+ if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
- r = ssh_packet_enable_delayed_compress(ssh);
- else
- r = 0;
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index 064f68947b80b8..ce323bae4e7886 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -29,11 +29,11 @@ stdenv.mkDerivation rec {
 # Please ensure that openssh_with_kerberos still builds when
 # bumping the version here!
 name = "openssh-${version}";
- version = "7.3p1";
+ version = "7.4p1";
 
 src = fetchurl {
 url = "mirror://openbsd/OpenSSH/portable/${name}.tar.gz";
- sha256 = "1k5y1wi29d47cgizbryxrhc1fbjsba2x8l5mqfa9b9nadnd9iyrz";
+ sha256 = "1l8r3x4fr2kb6xm95s7kjdif1wp6f94d4kljh4qjj9109shw87qv";
 };
 
 prePatch = optionalString hpnSupport
@@ -44,13 +44,11 @@ stdenv.mkDerivation rec {
 
 patches =
 [
- ./RH-1380296-NEWKEYS-null-pointer-deref.patch
 ./locale_archive.patch
 ./fix-host-key-algorithms-plus.patch
 
 # See discussion in https://github.com/NixOS/nixpkgs/pull/16966
 ./dont_create_privsep_path.patch
- ./fix-CVE-2016-8858.patch
 ]
 ++ optional withGssapiPatches gssapiSrc;
 
diff --git a/pkgs/tools/networking/openssh/fix-CVE-2016-8858.patch b/pkgs/tools/networking/openssh/fix-CVE-2016-8858.patch
deleted file mode 100644
index e526161083c0d1..00000000000000
--- a/pkgs/tools/networking/openssh/fix-CVE-2016-8858.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -u -r1.126 -r1.127
---- ssh/kex.c 2016/09/28 21:44:52 1.126
-+++ ssh/kex.c 2016/10/10 19:28:48 1.127
-@@ -461,6 +461,7 @@
- if (kex == NULL)
- return SSH_ERR_INVALID_ARGUMENT;
-
-+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
- ptr = sshpkt_ptr(ssh, &dlen);
- if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
- return r;

From 8ed4c8b73bee52f04499500020d4a0a750501789 Mon Sep 17 00:00:00 2001
From: Graham Christensen
Date: Thu, 29 Dec 2016 09:49:19 -0500
Subject: [PATCH 2/4] openssh: 7.4p1 no longer backgrounds when systemd is starting it.

---
 nixos/modules/services/networking/ssh/sshd.nix | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 073391ffdbbc6e..80659f19c5979b 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -264,8 +264,7 @@ in
 StandardInput = "socket";
 } else {
 Restart = "always";
- Type = "forking";
- PIDFile = "/run/sshd.pid";
+ Type = "simple";
 });
 };
 
@@ -322,8 +321,6 @@ in
 
 services.openssh.extraConfig = mkOrder 0
 ''
- PidFile /run/sshd.pid
-
 Protocol 2
 
 UsePAM yes

From bf659128a031842a479ea1cda8ca62772b23e6de Mon Sep 17 00:00:00 2001
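Review bot: The new `Type = "simple";` line makes systemd treat the exit of the process it spawned as the service ending, so together with the retained `Restart = "always";` it silently depends on sshd never calling daemon(); the ExecStart that decides this (whether `-D` is passed) lies outside the hunk, so the dependency is neither visible nor enforced here. If ExecStart does not already pass `-D`, add it, so the foreground behaviour the commit message attributes to 7.4p1 is requested explicitly rather than relied upon — with a build that does fork, the parent exits at once and the unit would flap in a restart loop. A second consequence worth a comment next to the Type line is that the unit now counts as started before sshd has bound its port, so anything ordered `After=sshd.service` can no longer assume the listener is up; `Type = "notify"` would fix that only if this sshd build supports readiness notification, which I cannot confirm from here. The serviceConfig attribute set being edited starts outside the hunk.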
From: Graham Christensen
Date: Thu, 29 Dec 2016 09:49:43 -0500
Subject: [PATCH 3/4] openssh: test that startWhenNeeded works

---
 nixos/tests/openssh.nix | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix
index 390363b88e218b..2915449968897d 100644
--- a/nixos/tests/openssh.nix
+++ b/nixos/tests/openssh.nix
@@ -35,6 +35,18 @@ in {
 ];
 };
 
+ server_lazy =
+ { config, pkgs, ... }:
+
+ {
+ services.openssh = { enable = true; startWhenNeeded = true; };
+ security.pam.services.sshd.limits =
+ [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
+ users.extraUsers.root.openssh.authorizedKeys.keys = [
+ snakeOilPublicKey
+ ];
+ };
+
 client =
 { config, pkgs, ... }: { };
 
@@ -50,6 +62,8 @@ in {
 subtest "manual-authkey", sub {
 $server->succeed("mkdir -m 700 /root/.ssh");
 $server->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys");
+ $server_lazy->succeed("mkdir -m 700 /root/.ssh");
+ $server_lazy->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys");
 $client->succeed("mkdir -m 700 /root/.ssh");
 $client->copyFileFromHost("key", "/root/.ssh/id_ed25519");
 
@@ -58,6 +72,10 @@ in {
 $client->waitForUnit("network.target");
 $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2");
 $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024");
+
+ $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'echo hello world' >&2");
+ $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'ulimit -l' | grep 1024");
+
 };
 
 subtest "configured-authkey", sub {
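Review bot: The two added `ssh ... server_lazy` lines connect without first waiting for anything on server_lazy, while the `server` connections above them are, presumably, preceded by a `waitForUnit` on the server in the part of the test outside this hunk; with `startWhenNeeded = true` there is no long-running sshd service to wait for, so the first connection can race the socket unit becoming active and fail with connection refused. Add `$server_lazy->waitForUnit("sshd.socket");` before the first server_lazy connection, using whatever socket unit name the module actually creates. As written the subtest also proves only that a connection works, not that the daemon was started lazily; a cheap strengthening is `$server_lazy->fail("pgrep -x sshd");` immediately before that first connection, which would catch a module regression that silently started sshd eagerly. The `manual-authkey` subtest this hunk edits starts outside the hunk.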
@@ -66,6 +84,11 @@ in {
 $client->succeed("ssh -o UserKnownHostsFile=/dev/null" .
 " -o StrictHostKeyChecking=no -i privkey.snakeoil" .
 " server true");
+
+ $client->succeed("ssh -o UserKnownHostsFile=/dev/null" .
+ " -o StrictHostKeyChecking=no -i privkey.snakeoil" .
+ " server_lazy true");
+
 };
 '';
 })

From 0163f0c4276bccae683cf076903c8c304f1a0802 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Thu, 29 Dec 2016 22:51:07 +0100
Subject: [PATCH 4/4] openssh: update the gssapi patch

Only building was tested.
---
 pkgs/tools/networking/openssh/default.nix | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index ce323bae4e7886..1c66900c06b715 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -19,8 +19,10 @@ let
 
 # **please** update this patch when you update to a new openssh release.
 gssapiSrc = fetchpatch {
- url = "https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/plain/debian/patches/gssapi.patch?id=477bb7636238c106f8cd7c868a8c0c5eabcfb3db";
- sha256 = "1kcx2rw6z7y591vr60ww2m2civ0cx6f6awdpi66p1sric9b65si3";
+ name = "openssh-gssapi.patch";
+ url = "https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/plain/debian"
+ + "/patches/gssapi.patch?id=255b8554a50b5c75fca63f76b1ac837c0d4fb7aa";
+ sha256 = "0yg9iq7vb2fkvy36ar0jxk29pkw0h3dhv5vn8qncc3pgwx3617n2";
 };
 
 in
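Review bot: The re-pinned `url` and `sha256` record which Debian commit the gssapi patch is taken from, but not which OpenSSH release that revision was rebased against, so the next person following the `# **please** update this patch ...` comment above has no way to tell whether the pin has drifted from `version` in the derivation; extend that comment with the target release, e.g. `# Debian pkg-ssh gssapi.patch at 255b8554, rebased for 7.4p1 (confirm against Debian's changelog); re-pin on every version bump.` The added `name` is presumably there to give the fetched file a stable store name instead of one derived from the query-string URL, which is also worth a half-line comment. Since the commit message says only the build was tested and the nixos test added earlier in this series never enables GSSAPI, a note that the patched authentication path is untested would stop a green test run from being read as coverage of `openssh_with_kerberos`. The `let` block this hunk edits starts outside the hunk.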