Ubuntu
openssh package

Merge ~3v1n0/ubuntu/+source/openssh:ubuntu/devel into ubuntu/+source/openssh:ubuntu/devel

  1. Git
  2. lp:~3v1n0/ubuntu/+source/openssh
  3. ubuntu/devel
  4. Merge into ubuntu/devel
Proposed by Marco Trevisan (Treviño)
Status: Merged
Merged at revision: 8edf97430e2d0a5cdd6307ddea91206f335f1488
Proposed branch: ~3v1n0/ubuntu/+source/openssh:ubuntu/devel
Merge into: ubuntu/+source/openssh:ubuntu/devel
Diff against target: 426 lines (+388/-0)
6 files modified
debian/patches/auth-Add-KbdintResult-definition-to-define-result-values-.patch (+106/-0)
debian/patches/auth-pam-Add-an-enum-to-define-the-PAM-done-status.patch (+73/-0)
debian/patches/auth-pam-Add-debugging-information-when-we-receive-PAM-me.patch (+23/-0)
debian/patches/auth-pam-Immediately-report-interactive-instructions-to-c.patch (+73/-0)
debian/patches/series (+5/-0)
debian/patches/sshconnect2-Write-kbd-interactive-service-info-and-instru.patch (+108/-0)
Reviewer Review Type Date Requested Status
Julian Andres Klode (community) Approve
Tobias Heider (community) Approve
Canonical Server Reporter Pending
git-ubuntu import Pending
Review via email: mp+460160@code.launchpad.net

Description of the change

Cherry-pick upstream proposed and partially approved patches (one maintainer already did, but we need the final merge) [1] to fix usage of SSHd and ssh client with PAM modules that use interactive messages and requests.

[1] https://github.com/openssh/openssh-portable/pull/452

To post a comment you must log in.
Revision history for this message
Tobias Heider (tobhe) :
review: Approve
Revision history for this message
Julian Andres Klode (juliank) wrote :

This is a bit awkward because it has no changelog but I semi-sponsored it with my signoff line

review: Approve
Revision history for this message
Marco Trevisan (Treviño) (3v1n0) wrote (last edit ):

Julian, I didn't add the changelog because I wasn't sure how the team manages it. For example in desktop, we generate it at upload time using gbp dch, so I was thinking the uploader would have done the same.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/debian/patches/auth-Add-KbdintResult-definition-to-define-result-values-.patch b/debian/patches/auth-Add-KbdintResult-definition-to-define-result-values-.patch
0new file mode 1006440new file mode 100644
index 0000000..90880ec
--- /dev/null
+++ b/debian/patches/auth-Add-KbdintResult-definition-to-define-result-values-.patch
@@ -0,0 +1,106 @@
1From: =?utf-8?b?Ik1hcmNvIFRyZXZpc2FuIChUcmV2acOxbyki?= <mail@3v1n0.net>
2Date: Tue, 17 Oct 2023 04:04:13 +0200
3Subject: auth: Add KbdintResult definition to define result values explicitly
4
5kbdint result vfunc may return various values, so use an enum to make it
6clearer what each result means without having to dig into the struct
7documentation.
8
9Origin: https://github.com/openssh/openssh-portable/pull/452
10---
11 auth-bsdauth.c | 2 +-
12 auth-pam.c | 10 +++++-----
13 auth.h | 5 +++++
14 auth2-chall.c | 4 ++--
15 4 files changed, 13 insertions(+), 8 deletions(-)
16
17diff --git a/auth-bsdauth.c b/auth-bsdauth.c
18index d124e99..ca41735 100644
19--- a/auth-bsdauth.c
20+++ b/auth-bsdauth.c
21@@ -111,7 +111,7 @@ bsdauth_respond(void *ctx, u_int numresponses, char **responses)
22 authctxt->as = NULL;
23 debug3("bsdauth_respond: <%s> = <%d>", responses[0], authok);
24
25- return (authok == 0) ? -1 : 0;
26+ return (authok == 0) ? KbdintResultFailure : KbdintResultSuccess;
27 }
28
29 static void
30diff --git a/auth-pam.c b/auth-pam.c
31index b49d415..86137a1 100644
32--- a/auth-pam.c
33+++ b/auth-pam.c
34@@ -990,15 +990,15 @@ sshpam_respond(void *ctx, u_int num, char **resp)
35 switch (ctxt->pam_done) {
36 case 1:
37 sshpam_authenticated = 1;
38- return (0);
39+ return KbdintResultSuccess;
40 case 0:
41 break;
42 default:
43- return (-1);
44+ return KbdintResultFailure;
45 }
46 if (num != 1) {
47 error("PAM: expected one response, got %u", num);
48- return (-1);
49+ return KbdintResultFailure;
50 }
51 if ((buffer = sshbuf_new()) == NULL)
52 fatal("%s: sshbuf_new failed", __func__);
53@@ -1015,10 +1015,10 @@ sshpam_respond(void *ctx, u_int num, char **resp)
54 }
55 if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, buffer) == -1) {
56 sshbuf_free(buffer);
57- return (-1);
58+ return KbdintResultFailure;
59 }
60 sshbuf_free(buffer);
61- return (1);
62+ return KbdintResultAgain;
63 }
64
65 static void
66diff --git a/auth.h b/auth.h
67index d16dc66..0f1ae29 100644
68--- a/auth.h
69+++ b/auth.h
70@@ -51,6 +51,7 @@ struct sshauthopt;
71 typedef struct Authctxt Authctxt;
72 typedef struct Authmethod Authmethod;
73 typedef struct KbdintDevice KbdintDevice;
74+typedef int KbdintResult;
75
76 struct Authctxt {
77 sig_atomic_t success;
78@@ -112,6 +113,10 @@ struct Authmethod {
79 int *enabled;
80 };
81
82+#define KbdintResultFailure -1
83+#define KbdintResultSuccess 0
84+#define KbdintResultAgain 1
85+
86 /*
87 * Keyboard interactive device:
88 * init_ctx returns: non NULL upon success
89diff --git a/auth2-chall.c b/auth2-chall.c
90index 021df82..047d4e8 100644
91--- a/auth2-chall.c
92+++ b/auth2-chall.c
93@@ -331,11 +331,11 @@ input_userauth_info_response(int type, u_int32_t seq, struct ssh *ssh)
94 free(response);
95
96 switch (res) {
97- case 0:
98+ case KbdintResultSuccess:
99 /* Success! */
100 authenticated = authctxt->valid ? 1 : 0;
101 break;
102- case 1:
103+ case KbdintResultAgain:
104 /* Authentication needs further interaction */
105 if (send_userauth_info_request(ssh) == 1)
106 authctxt->postponed = 1;
diff --git a/debian/patches/auth-pam-Add-an-enum-to-define-the-PAM-done-status.patch b/debian/patches/auth-pam-Add-an-enum-to-define-the-PAM-done-status.patch
0new file mode 100644107new file mode 100644
index 0000000..8deffea
--- /dev/null
+++ b/debian/patches/auth-pam-Add-an-enum-to-define-the-PAM-done-status.patch
@@ -0,0 +1,73 @@
1From: =?utf-8?b?Ik1hcmNvIFRyZXZpc2FuIChUcmV2acOxbyki?= <mail@3v1n0.net>
2Date: Mon, 16 Oct 2023 21:15:45 +0200
3Subject: auth-pam: Add an enum to define the PAM done status
4
5Makes things more readable and easier to extend
6
7Origin: https://github.com/openssh/openssh-portable/pull/452
8---
9 auth-pam.c | 17 +++++++++++------
10 1 file changed, 11 insertions(+), 6 deletions(-)
11
12diff --git a/auth-pam.c b/auth-pam.c
13index 86137a1..2129163 100644
14--- a/auth-pam.c
15+++ b/auth-pam.c
16@@ -136,11 +136,16 @@ typedef pid_t sp_pthread_t;
17 #define pthread_join fake_pthread_join
18 #endif
19
20+typedef int SshPamDone;
21+#define SshPamError -1
22+#define SshPamNone 0
23+#define SshPamAuthenticated 1
24+
25 struct pam_ctxt {
26 sp_pthread_t pam_thread;
27 int pam_psock;
28 int pam_csock;
29- int pam_done;
30+ SshPamDone pam_done;
31 };
32
33 static void sshpam_free_ctx(void *);
34@@ -904,7 +909,7 @@ sshpam_query(void *ctx, char **name, char **info,
35 **prompts = NULL;
36 *num = 0;
37 **echo_on = 0;
38- ctxt->pam_done = -1;
39+ ctxt->pam_done = SshPamError;
40 free(msg);
41 sshbuf_free(buffer);
42 return 0;
43@@ -931,7 +936,7 @@ sshpam_query(void *ctx, char **name, char **info,
44 import_environments(buffer);
45 *num = 0;
46 **echo_on = 0;
47- ctxt->pam_done = 1;
48+ ctxt->pam_done = SshPamAuthenticated;
49 free(msg);
50 sshbuf_free(buffer);
51 return (0);
52@@ -944,7 +949,7 @@ sshpam_query(void *ctx, char **name, char **info,
53 *num = 0;
54 **echo_on = 0;
55 free(msg);
56- ctxt->pam_done = -1;
57+ ctxt->pam_done = SshPamError;
58 sshbuf_free(buffer);
59 return (-1);
60 }
61@@ -988,10 +993,10 @@ sshpam_respond(void *ctx, u_int num, char **resp)
62
63 debug2("PAM: %s entering, %u responses", __func__, num);
64 switch (ctxt->pam_done) {
65- case 1:
66+ case SshPamAuthenticated:
67 sshpam_authenticated = 1;
68 return KbdintResultSuccess;
69- case 0:
70+ case SshPamNone:
71 break;
72 default:
73 return KbdintResultFailure;
diff --git a/debian/patches/auth-pam-Add-debugging-information-when-we-receive-PAM-me.patch b/debian/patches/auth-pam-Add-debugging-information-when-we-receive-PAM-me.patch
0new file mode 10064474new file mode 100644
index 0000000..ea7fe20
--- /dev/null
+++ b/debian/patches/auth-pam-Add-debugging-information-when-we-receive-PAM-me.patch
@@ -0,0 +1,23 @@
1From: =?utf-8?b?Ik1hcmNvIFRyZXZpc2FuIChUcmV2acOxbyki?= <mail@3v1n0.net>
2Date: Tue, 17 Oct 2023 04:35:17 +0200
3Subject: auth-pam: Add debugging information when we receive PAM messages
4
5Origin: https://github.com/openssh/openssh-portable/pull/452
6---
7 auth-pam.c | 3 +++
8 1 file changed, 3 insertions(+)
9
10diff --git a/auth-pam.c b/auth-pam.c
11index 2129163..7a72e72 100644
12--- a/auth-pam.c
13+++ b/auth-pam.c
14@@ -450,6 +450,9 @@ sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
15 break;
16 case PAM_ERROR_MSG:
17 case PAM_TEXT_INFO:
18+ debug3("PAM: Got message of type %d: %s",
19+ PAM_MSG_MEMBER(msg, i, msg_style),
20+ PAM_MSG_MEMBER(msg, i, msg));
21 if ((r = sshbuf_put_cstring(buffer,
22 PAM_MSG_MEMBER(msg, i, msg))) != 0)
23 fatal("%s: buffer error: %s",
diff --git a/debian/patches/auth-pam-Immediately-report-interactive-instructions-to-c.patch b/debian/patches/auth-pam-Immediately-report-interactive-instructions-to-c.patch
0new file mode 10064424new file mode 100644
index 0000000..f8f00bf
--- /dev/null
+++ b/debian/patches/auth-pam-Immediately-report-interactive-instructions-to-c.patch
@@ -0,0 +1,73 @@
1From: =?utf-8?b?Ik1hcmNvIFRyZXZpc2FuIChUcmV2acOxbyki?= <mail@3v1n0.net>
2Date: Tue, 17 Oct 2023 04:27:32 +0200
3Subject: auth-pam: Immediately report interactive instructions to clients
4
5SSH keyboard-interactive authentication method supports instructions but
6sshd didn't show them until an user prompt was requested.
7
8This is quite inconvenient for various PAM modules that need to notify
9an user without requiring for their explicit input.
10
11So, properly implement RFC4256 making instructions to be shown to users
12when they are requested from PAM.
13
14Closes: https://bugzilla.mindrot.org/show_bug.cgi?id=2876
15
16Origin: https://github.com/openssh/openssh-portable/pull/452
17---
18 auth-pam.c | 21 ++++++++++++---------
19 1 file changed, 12 insertions(+), 9 deletions(-)
20
21diff --git a/auth-pam.c b/auth-pam.c
22index 7a72e72..b756f0e 100644
23--- a/auth-pam.c
24+++ b/auth-pam.c
25@@ -140,6 +140,7 @@ typedef int SshPamDone;
26 #define SshPamError -1
27 #define SshPamNone 0
28 #define SshPamAuthenticated 1
29+#define SshPamAgain 2
30
31 struct pam_ctxt {
32 sp_pthread_t pam_thread;
33@@ -868,6 +869,8 @@ sshpam_query(void *ctx, char **name, char **info,
34 **prompts = NULL;
35 plen = 0;
36 *echo_on = xmalloc(sizeof(u_int));
37+ ctxt->pam_done = SshPamNone;
38+
39 while (ssh_msg_recv(ctxt->pam_psock, buffer) == 0) {
40 if (++nmesg > PAM_MAX_NUM_MSG)
41 fatal_f("too many query messages");
42@@ -888,15 +891,13 @@ sshpam_query(void *ctx, char **name, char **info,
43 return (0);
44 case PAM_ERROR_MSG:
45 case PAM_TEXT_INFO:
46- /* accumulate messages */
47- len = plen + mlen + 2;
48- **prompts = xreallocarray(**prompts, 1, len);
49- strlcpy(**prompts + plen, msg, len - plen);
50- plen += mlen;
51- strlcat(**prompts + plen, "\n", len - plen);
52- plen++;
53- free(msg);
54- break;
55+ *num = 0;
56+ free(*info);
57+ *info = msg; /* Steal the message */
58+ msg = NULL;
59+ ctxt->pam_done = SshPamAgain;
60+ sshbuf_free(buffer);
61+ return (0);
62 case PAM_ACCT_EXPIRED:
63 case PAM_MAXTRIES:
64 if (type == PAM_ACCT_EXPIRED)
65@@ -1001,6 +1002,8 @@ sshpam_respond(void *ctx, u_int num, char **resp)
66 return KbdintResultSuccess;
67 case SshPamNone:
68 break;
69+ case SshPamAgain:
70+ return KbdintResultAgain;
71 default:
72 return KbdintResultFailure;
73 }
diff --git a/debian/patches/series b/debian/patches/series
index 42a873f..aba5430 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,3 +28,8 @@ systemd-socket-activation.patch
28broken-zero-call-used-regs.patch28broken-zero-call-used-regs.patch
29socket-activation-documentation.patch29socket-activation-documentation.patch
30test-set-UsePAM-no-on-some-tests.patch30test-set-UsePAM-no-on-some-tests.patch
31auth-Add-KbdintResult-definition-to-define-result-values-.patch
32auth-pam-Add-an-enum-to-define-the-PAM-done-status.patch
33auth-pam-Add-debugging-information-when-we-receive-PAM-me.patch
34auth-pam-Immediately-report-interactive-instructions-to-c.patch
35sshconnect2-Write-kbd-interactive-service-info-and-instru.patch
diff --git a/debian/patches/sshconnect2-Write-kbd-interactive-service-info-and-instru.patch b/debian/patches/sshconnect2-Write-kbd-interactive-service-info-and-instru.patch
31new file mode 10064436new file mode 100644
index 0000000..238b98a
--- /dev/null
+++ b/debian/patches/sshconnect2-Write-kbd-interactive-service-info-and-instru.patch
@@ -0,0 +1,108 @@
1From: =?utf-8?b?Ik1hcmNvIFRyZXZpc2FuIChUcmV2acOxbyki?= <mail@3v1n0.net>
2Date: Tue, 17 Oct 2023 06:12:03 +0200
3Subject: sshconnect2: Write kbd-interactive service,
4 info and instructions as utf-8
5MIME-Version: 1.0
6Content-Type: text/plain; charset="utf-8"
7Content-Transfer-Encoding: 8bit
8
9As per the previous server change now the keyboard-interactive service
10and instruction values could be reported as soon as they are available
11and so they're not prompts anymore and not parsed like them.
12
13While this was already supported by the SSH client, these messages were
14not properly written as the escaped sequences they contained were not
15correctly reported.
16
17So for example a message containing "\" was represented as "\\" and
18similarly for all the other C escape sequences.
19
20This was leading to more problems when it come to utf-8 chars, as they
21were only represented by their octal representation.
22
23This was easily testable by adding a line like the one below to the
24sshd PAM service:
25 auth requisite pam_echo.so Hello SSHD! Want some 🍕?
26
27Which was causing this to be written instead:
28 Hello SSHD! Want some \360\237\215\225?
29
30To handle this, instead of simply using fmprintf, we're using the notifier
31in a way can be exposed to users in the proper format and UI.
32
33Origin: https://github.com/openssh/openssh-portable/pull/452
34---
35 sshconnect2.c | 33 ++++++++++++++++++++++++---------
36 1 file changed, 24 insertions(+), 9 deletions(-)
37
38diff --git a/sshconnect2.c b/sshconnect2.c
39index cb584ad..7b9959d 100644
40--- a/sshconnect2.c
41+++ b/sshconnect2.c
42@@ -1231,6 +1231,7 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, struct ssh *ssh)
43 char *info = NULL, *lang = NULL, *password = NULL, *retype = NULL;
44 char prompt[256];
45 const char *host;
46+ size_t info_len;
47 int r;
48
49 debug2("input_userauth_passwd_changereq");
50@@ -1240,11 +1241,15 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, struct ssh *ssh)
51 "no authentication context");
52 host = options.host_key_alias ? options.host_key_alias : authctxt->host;
53
54- if ((r = sshpkt_get_cstring(ssh, &info, NULL)) != 0 ||
55+ if ((r = sshpkt_get_cstring(ssh, &info, &info_len)) != 0 ||
56 (r = sshpkt_get_cstring(ssh, &lang, NULL)) != 0)
57 goto out;
58- if (strlen(info) > 0)
59- logit("%s", info);
60+ if (info_len > 0) {
61+ struct notifier_ctx *notifier = NULL;
62+ debug_f("input_userauth_passwd_changereq info: %s", info);
63+ notifier = notify_start(0, "%s", info);
64+ notify_complete(notifier, NULL);
65+ }
66 if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
67 (r = sshpkt_put_cstring(ssh, authctxt->server_user)) != 0 ||
68 (r = sshpkt_put_cstring(ssh, authctxt->service)) != 0 ||
69@@ -2098,8 +2103,10 @@ input_userauth_info_req(int type, u_int32_t seq, struct ssh *ssh)
70 Authctxt *authctxt = ssh->authctxt;
71 char *name = NULL, *inst = NULL, *lang = NULL, *prompt = NULL;
72 char *display_prompt = NULL, *response = NULL;
73+ struct notifier_ctx *notifier = NULL;
74 u_char echo = 0;
75 u_int num_prompts, i;
76+ size_t name_len, inst_len;
77 int r;
78
79 debug2_f("entering");
80@@ -2109,14 +2116,22 @@ input_userauth_info_req(int type, u_int32_t seq, struct ssh *ssh)
81
82 authctxt->info_req_seen = 1;
83
84- if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0 ||
85- (r = sshpkt_get_cstring(ssh, &inst, NULL)) != 0 ||
86+ if ((r = sshpkt_get_cstring(ssh, &name, &name_len)) != 0 ||
87+ (r = sshpkt_get_cstring(ssh, &inst, &inst_len)) != 0 ||
88 (r = sshpkt_get_cstring(ssh, &lang, NULL)) != 0)
89 goto out;
90- if (strlen(name) > 0)
91- logit("%s", name);
92- if (strlen(inst) > 0)
93- logit("%s", inst);
94+ if (name_len > 0) {
95+ debug_f("kbd int name: %s", name);
96+ notifier = notify_start(0, "%s", name);
97+ notify_complete(notifier, NULL);
98+ notifier = NULL;
99+ }
100+ if (inst_len > 0) {
101+ debug_f("kbd int inst: %s", inst);
102+ notifier = notify_start(0, "%s", inst);
103+ notify_complete(notifier, NULL);
104+ notifier = NULL;
105+ }
106
107 if ((r = sshpkt_get_u32(ssh, &num_prompts)) != 0)
108 goto out;

Subscribers

People subscribed via source and target branches