

18 Commits

Author SHA1 Message Date
713b5d7dbb 9.3 2024-10-08 15:12:26 +02:00
752fa07dd9 Oups 2024-10-08 15:11:57 +02:00
5a010bc915 Update 2024-10-08 15:07:11 +02:00
bfe724e9fe Type patch 2024-10-08 15:05:03 +02:00
4791a89071 Fix 2024-10-08 14:46:14 +02:00
e076a989d8 Try SA-23:02 2024-10-08 14:40:51 +02:00
3cfb2ab8d6 Fix 2024-10-08 12:06:09 +02:00
ea9f08f64b Patch 2 2024-10-08 12:03:31 +02:00
d0416b71a4 Added patch 2024-10-08 10:53:25 +02:00
1b2c8330ff Going back to openssh 8.8 2024-10-08 09:54:55 +02:00
09e08245c5 Bump version id 2024-10-07 17:50:55 +02:00
a61e3278a0 Fix CVE 2024-10-07 17:46:18 +02:00
f3766011fd Try without this one 2024-10-07 17:33:59 +02:00
7fc412d3b3 Backport SA + CVE 2024-10-07 17:31:24 +02:00
ce9923924e 9.6 fails -> 9.3 2024-10-07 16:27:41 +02:00
c469356292 9.6 2024-10-07 16:19:51 +02:00
317bd8d30d openssh 9-2 2024-10-07 16:14:21 +02:00
457a80ca77 Update openssh 9.0 2024-10-07 16:09:16 +02:00
19 changed files with 363 additions and 241 deletions


@ -1,15 +1,14 @@
# Created by: dwcjr@inethouston.net
PORTNAME= openssh
DISTVERSION= 8.8p1
DISTVERSION= 9.3p2
PORTREVISION= 1
PORTEPOCH= 1
PORTEPOCH= 3
CATEGORIES= security
MASTER_SITES= OPENBSD/OpenSSH/portable
PKGNAMESUFFIX?= -portable
MAINTAINER= bdrewery@FreeBSD.org
COMMENT= The portable version of OpenBSD's OpenSSH
WWW= https://www.openssh.com/portable.html
LICENSE= OPENSSH
LICENSE_NAME= OpenSSH Licenses
@ -67,6 +66,8 @@ BLACKLISTD_DESC= FreeBSD blacklistd(8) support
OPTIONS_SUB= yes
PAM_EXTRA_PATCHES= ${FILESDIR}/extra-patch-pam-sshd_config
TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers
LDNS_CONFIGURE_WITH= ldns=${LOCALBASE}
@ -100,21 +101,22 @@ PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex
# Must add this patch before HPN due to conflicts
.if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi
BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet.
#BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet.
. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
# Needed glue for applying HPN patch without conflict
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue
. endif
# - See https://sources.debian.org/data/main/o/openssh/ for which subdir to
# pull from.
GSSAPI_DEBIAN_SUBDIR= ${DISTVERSION}-2
GSSAPI_DEBIAN_VERSION= 9.4p1
GSSAPI_DEBIAN_SUBDIR= ${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-1
# - Debian does not use a versioned filename so we trick fetch to make one for
# us with the ?<anything>=/ trick.
PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex
# Bump this when updating the patch location
GSSAPI_UPDATE_DATE= 20200607
PATCHFILES+= openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-sshconnect2.c
GSSAPI_DISTVERSION= 9.4p1
PATCHFILES+= openssh-${GSSAPI_DISTVERSION:U${DISTVERSION}}-gsskex-all-debian-rh-${GSSAPI_DISTVERSION}.patch:-p1:gsskex
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-auth2-gss.c
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgssc.c
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgsss.c
.endif
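Review bot: The GSSAPI patch is now pinned to `GSSAPI_DISTVERSION= 9.4p1` while `DISTVERSION= 9.3p2`, so a Debian patch generated against 9.4p1 is applied to a 9.3p2 tree, and the `BROKEN=` line that previously refused this combination is commented out rather than removed, leaving dead text and no record of why the mismatch is believed safe. If the patch applies cleanly, replace `#BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet.` with a comment such as `# Debian ships no 9.3p2 gssapi patch; the 9.4p1 one is used and applies with offsets` so the next updater knows it was deliberate. `GSSAPI_DEBIAN_VERSION` and `GSSAPI_DISTVERSION` carry the same value in two variables; deriving one from the other avoids them drifting apart on the next bump. The jump of `PORTEPOCH` from 1 to 3 presumably reflects the 9.6 → 9.3 downgrade in this series; a one-line comment next to it would save the next maintainer from wondering whether 2 was skipped by mistake.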


@ -1,3 +1,5 @@
TIMESTAMP = 1634059537
SHA256 (openssh-8.8p1.tar.gz) = 4590890ea9bb9ace4f71ae331785a3a5823232435161960ed5fc86588f331fe9
SIZE (openssh-8.8p1.tar.gz) = 1815060
TIMESTAMP = 1695396338
SHA256 (openssh-9.3p2.tar.gz) = 200ebe147f6cb3f101fd0cdf9e02442af7ddca298dffd9f456878e7ccac676e8
SIZE (openssh-9.3p2.tar.gz) = 1835850
SHA256 (openssh-9.4p1-gsskex-all-debian-rh-9.4p1.patch) = 9492c1db4307aa3fe6e12d77fff01376bf275af2980ae55b926a505aae9e9b14
SIZE (openssh-9.4p1-gsskex-all-debian-rh-9.4p1.patch) = 131674


@ -351,15 +351,15 @@
if (use_privsep) {
if (privsep_preauth(ssh) == 1)
--- Makefile.in.orig 2020-11-16 16:27:13.408700000 -0800
+++ Makefile.in 2020-11-16 16:28:28.083007000 -0800
@@ -180,6 +180,8 @@ FIXPATHSCMD = $(SED) $(PATHSUBS)
--- Makefile.in.orig 2022-10-03 07:51:42.000000000 -0700
+++ Makefile.in 2022-10-09 10:50:06.401377000 -0700
@@ -185,6 +185,8 @@ FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(S
FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \
@UNSUPPORTED_ALGORITHMS@
+LIBSSH_OBJS+= blacklist.o
+
all: configure-check $(CONFIGFILES) $(MANPAGES) $(TARGETS)
all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
$(LIBSSH_OBJS): Makefile.in config.h
--- sshd_config.orig 2020-11-16 16:57:14.276036000 -0800


@ -0,0 +1,19 @@
--- auth2-gss.c.orig 2022-03-03 10:56:35.668672000 -0800
+++ auth2-gss.c 2022-03-03 11:03:16.048838000 -0800
@@ -59,7 +59,7 @@ static int input_gssapi_errtok(int, u_int32_t, struct
* The 'gssapi_keyex' userauth mechanism.
*/
static int
-userauth_gsskeyex(struct ssh *ssh)
+userauth_gsskeyex(struct ssh *ssh, const char *method)
{
Authctxt *authctxt = ssh->authctxt;
int r, authenticated = 0;
@@ -373,6 +373,7 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh
Authmethod method_gsskeyex = {
"gssapi-keyex",
+ NULL,
userauth_gsskeyex,
&options.gss_authentication
};
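Review bot: The `Authmethod method_gsskeyex` initializer fills its new second slot positionally with `NULL`, so the patch silently depends on the upstream field order; a designated initializer for that slot would turn a future layout change into a compile error instead of a silently shifted field. The new `method` parameter added to `userauth_gsskeyex(struct ssh *ssh, const char *method)` is not referenced in the visible lines; the function body continues outside the hunk, so if it stays unused a `(void)method;` or a comment stating that the parameter exists only to match the Authmethod callback signature would help.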


@ -1,12 +0,0 @@
Avoid free(const char*)
--- sshconnect2.c.orig 2020-11-19 14:56:54.387846000 -0800
+++ sshconnect2.c 2020-11-19 14:57:04.445045000 -0800
@@ -846,7 +846,7 @@ userauth_gssapi(struct ssh *ssh)
/* Fall back to specified host if we are using proxy command
* and can not use DNS on that socket */
if (strcmp(gss_host, "UNKNOWN") == 0) {
- gss_host = authctxt->host;
+ gss_host = xstrdup(authctxt->host);
}
} else {
gss_host = xstrdup(authctxt->host);


@ -131,9 +131,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ (tasota@gmail.com) an NSF REU grant recipient for 2013.
+ This work was financed, in part, by Cisco System, Inc., the National
+ Library of Medicine, and the National Science Foundation.
--- work/openssh/channels.c.orig 2021-04-15 20:55:25.000000000 -0700
+++ work/openssh/channels.c 2021-04-28 14:35:20.732518000 -0700
@@ -220,6 +220,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann
--- channels.c.orig 2023-02-02 04:21:54.000000000 -0800
+++ channels.c 2023-02-03 10:45:34.136793000 -0800
@@ -229,6 +229,12 @@ static void channel_handler_init(struct ssh_channels *
/* Setup helper */
static void channel_handler_init(struct ssh_channels *sc);
@ -146,7 +146,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/* -- channel core */
void
@@ -395,6 +401,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in
@@ -495,6 +501,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in
c->local_window = window;
c->local_window_max = window;
c->local_maxpacket = maxpack;
@ -156,8 +156,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
c->remote_name = xstrdup(remote_name);
c->ctl_chan = -1;
c->delayed = 1; /* prevent call to channel_post handler */
@@ -1082,6 +1091,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c,
FD_SET(c->sock, writeset);
@@ -1190,6 +1199,30 @@ channel_set_fds(struct ssh *ssh, int id, int rfd, int
fatal_fr(r, "channel %i", c->self);
}
+#ifdef HPN_ENABLED
@ -185,9 +185,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+#endif
+
static void
channel_pre_open(struct ssh *ssh, Channel *c,
fd_set *readset, fd_set *writeset)
@@ -2124,18 +2157,29 @@ channel_check_window(struct ssh *ssh, Channel *c)
channel_pre_listener(struct ssh *ssh, Channel *c)
{
@@ -2301,18 +2334,29 @@ channel_check_window(struct ssh *ssh, Channel *c)
c->local_maxpacket*3) ||
c->local_window < c->local_window_max/2) &&
c->local_consumed > 0) {
@ -220,7 +220,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
c->local_consumed = 0;
}
return 1;
@@ -3302,6 +3346,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis
@@ -3709,6 +3753,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis
return addr;
}
@ -238,7 +238,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
static int
channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
struct Forward *fwd, int *allocated_listen_port,
@@ -3442,6 +3497,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int
@@ -3848,6 +3903,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int
}
/* Allocate a channel number for the socket. */
@ -248,15 +248,15 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ * window size.
+ */
+ if (!hpn_disabled)
+ c = channel_new(ssh, "port listener", type, sock, sock, -1,
+ hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
+ c = channel_new(ssh, "port listener", type, sock, sock,
+ -1, hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
+ 0, "port listener", 1);
+ else
+#endif
c = channel_new(ssh, "port listener", type, sock, sock, -1,
c = channel_new(ssh, "port-listener", type, sock, sock, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
0, "port listener", 1);
@@ -4610,6 +4676,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ
@@ -5016,6 +5082,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ
*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
for (n = 0; n < num_socks; n++) {
sock = socks[n];
@ -268,7 +268,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ 0, "X11 inet listener", 1);
+ else
+#endif
nc = channel_new(ssh, "x11 listener",
nc = channel_new(ssh, "x11-listener",
SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
--- work/openssh-7.7p1/channels.h.orig 2018-04-01 22:38:28.000000000 -0700
@ -309,9 +309,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
free(cipher_list);
return 0;
}
--- work/openssh-7.7p1/clientloop.c.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/clientloop.c 2018-06-27 16:40:24.560906000 -0700
@@ -1549,6 +1549,15 @@ client_request_x11(struct ssh *ssh, const char *reques
--- work/openssh/clientloop.c.orig 2022-02-23 03:31:11.000000000 -0800
+++ work/openssh/clientloop.c 2022-03-02 12:53:47.624273000 -0800
@@ -1571,6 +1571,15 @@ client_request_x11(struct ssh *ssh, const char *reques
sock = x11_connect_display(ssh);
if (sock < 0)
return NULL;
@ -327,10 +327,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
c = channel_new(ssh, "x11",
SSH_CHANNEL_X11_OPEN, sock, sock, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
@@ -1574,6 +1583,14 @@ client_request_agent(struct ssh *ssh, const char *requ
__func__, ssh_err(r));
return NULL;
}
@@ -1606,6 +1615,14 @@ client_request_agent(struct ssh *ssh, const char *requ
else
debug2_fr(r, "ssh_agent_bind_hostkey");
+#ifdef HPN_ENABLED
+ if (!options.hpn_disabled)
+ c = channel_new(ssh, "authentication agent connection",
@ -342,7 +342,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
c = channel_new(ssh, "authentication agent connection",
SSH_CHANNEL_OPEN, sock, sock, -1,
CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
@@ -1602,6 +1619,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
@@ -1634,6 +1651,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
}
debug("Tunnel forwarding using interface %s", ifname);
@ -1119,9 +1119,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
sshpkt_fatal(ssh, r, "banner exchange");
/* Put the connection into non-blocking mode. */
--- work/openssh/sshconnect2.c.orig 2021-08-19 21:03:49.000000000 -0700
+++ work/openssh/sshconnect2.c 2021-09-08 10:02:03.037982000 -0700
@@ -84,7 +84,13 @@
--- work/openssh/sshconnect2.c.orig 2023-03-15 14:28:19.000000000 -0700
+++ work/openssh/sshconnect2.c 2023-05-19 14:20:01.965073000 -0700
@@ -83,7 +83,13 @@ extern Options options;
extern char *client_version_string;
extern char *server_version_string;
extern Options options;
@ -1135,29 +1135,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/*
* SSH2 key exchange
*/
@@ -212,11 +218,12 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd
return ret;
}
+static char *myproposal[PROPOSAL_MAX];
+static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT };
void
ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
const struct ssh_conn_info *cinfo)
{
- char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
char *s, *all_key;
int r, use_known_hosts_order = 0;
@@ -241,6 +248,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr
fatal_fr(r, "kex_assemble_namelist");
free(all_key);
+ memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
fatal_f("kex_names_cat");
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, s);
@@ -487,6 +495,29 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
@@ -482,6 +488,34 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
if (!authctxt.success)
fatal("Authentication failed.");
@ -1169,11 +1147,16 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ * tty allocated.
+ */
+ if ((options.none_switch == 1) && (options.none_enabled == 1)) {
+ char *myproposal[PROPOSAL_MAX];
+ char *s = NULL;
+ const char *none_cipher = "none";
+
+ if (!tty_flag) { /* no null on tty sessions */
+ debug("Requesting none rekeying...");
+ memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
+ kex_proposal_populate_entries(ssh, myproposal, s, none_cipher,
+ options.macs,
+ compression_alg_list(options.compression),
+ options.hostkeyalgorithms);
+ kex_prop2buf(ssh->kex->my, myproposal);
+ packet_request_rekeying();
+ fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
@ -1286,11 +1269,11 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
--- work/openssh-7.7p1/version.h.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/version.h 2018-06-27 17:13:57.263086000 -0700
--- version.h.orig 2023-07-18 23:31:34.000000000 -0700
+++ version.h 2023-07-21 07:27:08.311422000 -0700
@@ -4,3 +4,4 @@
#define SSH_PORTABLE "p1"
#define SSH_PORTABLE "p2"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+#define SSH_HPN "-hpn14v15"
--- work/openssh/kex.h.orig 2019-07-10 17:35:36.523216000 -0700
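Review bot: In the `ssh_userauth2` hunk the none-cipher block declares a local `char *myproposal[PROPOSAL_MAX]` that shadows the file-scope `static char *myproposal[PROPOSAL_MAX]` introduced earlier in the same patch, and the only value ever passed as the kex-algorithm argument of `kex_proposal_populate_entries` is `s`, which is initialised to NULL and never assigned. The two stores `myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";` and `myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";` are made immediately before that call, which receives `none_cipher` for presumably the same slots, so either the stores or the argument are redundant — a comment should say which one is authoritative, and `s` should be passed as a literal `NULL` with its meaning noted. Since this path removes confidentiality from the session, recording that fact through the normal logging path as well as `fprintf(stderr, ...)` would make it visible to operators. The enclosing `ssh_userauth2` body continues outside the hunk.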


@ -16,12 +16,12 @@ r294563 was incomplete; re-add the client-side options as well.
------------------------------------------------------------------------
--- readconf.c.orig 2021-04-27 11:24:15.916596000 -0700
+++ readconf.c 2021-04-27 11:25:24.222034000 -0700
@@ -316,6 +316,12 @@ static struct {
{ "proxyjump", oProxyJump },
{ "securitykeyprovider", oSecurityKeyProvider },
--- readconf.c.orig 2023-02-03 11:17:45.506822000 -0800
+++ readconf.c 2023-02-03 11:30:14.894959000 -0800
@@ -323,6 +323,12 @@ static struct {
{ "knownhostscommand", oKnownHostsCommand },
{ "requiredrsasize", oRequiredRSASize },
{ "enableescapecommandline", oEnableEscapeCommandline },
+ { "hpndisabled", oDeprecated },
+ { "hpnbuffersize", oDeprecated },
+ { "tcprcvbufpoll", oDeprecated },
@ -31,12 +31,12 @@ r294563 was incomplete; re-add the client-side options as well.
{ NULL, oBadOption }
};
--- servconf.c.orig 2020-02-13 16:40:54.000000000 -0800
+++ servconf.c 2020-03-21 17:01:18.011062000 -0700
--- servconf.c.orig 2023-02-02 04:21:54.000000000 -0800
+++ servconf.c 2023-02-03 11:31:00.387624000 -0800
@@ -695,6 +695,10 @@ static struct {
{ "rdomain", sRDomain, SSHCFG_ALL },
{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
+ { "noneenabled", sUnsupported, SSHCFG_ALL },
+ { "hpndisabled", sDeprecated, SSHCFG_ALL },
+ { "hpnbuffersize", sDeprecated, SSHCFG_ALL },


@ -0,0 +1,31 @@
--- sshd_config.nopam 2022-02-11 19:19:59.515475000 +0000
+++ sshd_config 2022-02-11 19:20:45.334738000 +0000
@@ -55,8 +55,8 @@
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+# To enable tunneled clear text passwords, change to yes here!
+#PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
@@ -72,7 +72,7 @@
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
-# Set this to 'yes' to enable PAM authentication, account processing,
+# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
@@ -81,7 +81,7 @@
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
-#UsePAM no
+#UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
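Review bot: The new comment `# To enable tunneled clear text passwords, change to yes here!` above `#PasswordAuthentication no` reads as if password logins are off by default, but with `#UsePAM yes` a few lines later the surrounding text itself states that PAM authentication remains reachable through KbdInteractiveAuthentication, so password-based logins are still possible unless that option is also set to `no`. Consider adding `# Note: with UsePAM yes, passwords are still accepted via KbdInteractiveAuthentication unless it is set to no.` next to the PasswordAuthentication comment so operators hardening the file are not misled. The commented-out defaults here must also agree with the compiled-in defaults, which are set in servconf.c and not touched by this change; otherwise the file documents a value sshd does not apply.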


@ -83,11 +83,9 @@ index 0ade557..045f149 100644
/* Log the connection. */
laddr = get_local_ipaddr(sock_in);
diff --git configure.ac configure.ac
index f48ba4a..66fbe82 100644
--- configure.ac.orig 2019-04-17 15:52:57.000000000 -0700
+++ configure.ac 2019-07-02 20:58:48.627832000 -0700
@@ -1494,6 +1494,62 @@ else
--- configure.ac.orig 2022-02-23 03:31:11.000000000 -0800
+++ configure.ac 2022-03-02 12:47:49.958341000 -0800
@@ -1599,6 +1599,62 @@ else
AC_MSG_RESULT([no])
fi
@ -150,11 +148,11 @@ index f48ba4a..66fbe82 100644
# Check whether user wants to use ldns
LDNS_MSG="no"
AC_ARG_WITH(ldns,
@@ -5245,6 +5301,7 @@ echo " PAM support: $PAM_MSG"
@@ -5593,6 +5649,7 @@ echo " PAM support: $PAM_MSG"
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
+echo " TCP Wrappers support: $TCPW_MSG"
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " libldns support: $LDNS_MSG"
echo " Solaris process contract support: $SPC_MSG"


@ -22,6 +22,16 @@ load_rc_config ${name}
: ${openssh_enable:="NO"}
: ${openssh_skipportscheck="NO"}
# These only control ssh-keygen automatically generating host keys.
: ${openssh_dsa_enable="YES"}
: ${openssh_dsa_flags=""}
: ${openssh_rsa_enable="YES"}
: ${openssh_rsa_flags=""}
: ${openssh_ecdsa_enable="YES"}
: ${openssh_ecdsa_flags=""}
: ${openssh_ed25519_enable="YES"}
: ${openssh_ed25519_flags=""}
command=%%PREFIX%%/sbin/sshd
extra_commands="configtest reload keygen"
start_precmd="${name}_checks"
@ -33,10 +43,16 @@ pidfile=${openssh_pidfile:="/var/run/sshd.pid"}
openssh_keygen()
{
if [ -f %%ETCDIR%%/ssh_host_dsa_key -a \
-f %%ETCDIR%%/ssh_host_rsa_key -a \
-f %%ETCDIR%%/ssh_host_ecdsa_key -a \
-f %%ETCDIR%%/ssh_host_ed25519_key ]; then
local skip_dsa= skip_rsa= skip_ecdsa= skip_ed25519=
checkyesno openssh_dsa_enable || skip_dsa=y
checkyesno openssh_rsa_enable || skip_rsa=y
checkyesno openssh_ecdsa_enable || skip_ecdsa=y
checkyesno openssh_ed25519_enable || skip_ed25519=y
if [ \( -n "$skip_dsa" -o -f %%ETCDIR%%/ssh_host_dsa_key \) -a \
\( -n "$skip_rsa" -o -f %%ETCDIR%%/ssh_host_rsa_key \) -a \
\( -n "$skip_ecdsa" -o -f %%ETCDIR%%/ssh_host_ecdsa_key \) -a \
\( -n "$skip_ed25519" -o -f %%ETCDIR%%/ssh_host_ed25519_key \) ]; then
return 0
fi
@ -50,8 +66,8 @@ openssh_keygen()
echo "You already have a DSA host key" \
"in %%ETCDIR%%/ssh_host_dsa_key"
echo "Skipping protocol version 2 DSA Key Generation"
else
%%PREFIX%%/bin/ssh-keygen -t dsa \
elif checkyesno openssh_dsa_enable; then
%%PREFIX%%/bin/ssh-keygen -t dsa $openssh_dsa_flags \
-f %%ETCDIR%%/ssh_host_dsa_key -N ''
fi
@ -59,8 +75,8 @@ openssh_keygen()
echo "You already have a RSA host key" \
"in %%ETCDIR%%/ssh_host_rsa_key"
echo "Skipping protocol version 2 RSA Key Generation"
else
%%PREFIX%%/bin/ssh-keygen -t rsa \
elif checkyesno openssh_rsa_enable; then
%%PREFIX%%/bin/ssh-keygen -t rsa $openssh_rsa_flags \
-f %%ETCDIR%%/ssh_host_rsa_key -N ''
fi
@ -68,8 +84,8 @@ openssh_keygen()
echo "You already have a Elliptic Curve DSA host key" \
"in %%ETCDIR%%/ssh_host_ecdsa_key"
echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation"
else
%%PREFIX%%/bin/ssh-keygen -t ecdsa \
elif checkyesno openssh_ecdsa_enable; then
%%PREFIX%%/bin/ssh-keygen -t ecdsa $openssh_ecdsa_flags \
-f %%ETCDIR%%/ssh_host_ecdsa_key -N ''
fi
@ -77,8 +93,8 @@ openssh_keygen()
echo "You already have a Elliptic Curve ED25519 host key" \
"in %%ETCDIR%%/ssh_host_ed25519_key"
echo "Skipping protocol version 2 Elliptic Curve ED25519 Key Generation"
else
%%PREFIX%%/bin/ssh-keygen -t ed25519 \
elif checkyesno openssh_ed25519_enable; then
%%PREFIX%%/bin/ssh-keygen -t ed25519 $openssh_ed22519_flags \
-f %%ETCDIR%%/ssh_host_ed25519_key -N ''
fi
}
@ -156,7 +172,7 @@ openssh_checks()
fi
fi
run_rc_command keygen
openssh_keygen
openssh_configtest
}
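Review bot: The ed25519 branch runs `%%PREFIX%%/bin/ssh-keygen -t ed25519 $openssh_ed22519_flags \`, but the variable defined in the defaults block is `openssh_ed25519_flags`; the misspelled name expands to nothing, so any flags an administrator sets for the ed25519 host key are silently dropped. Change it to `%%PREFIX%%/bin/ssh-keygen -t ed25519 $openssh_ed25519_flags \`. The `*_flags` variables are deliberately left unquoted so that several options split into words; a comment in the defaults block saying so would stop a later cleanup from quoting them. Defaulting `openssh_dsa_enable` to `YES` also means a DSA host key is generated on every fresh install even though upstream has not accepted ssh-dss by default for years; `NO` would be the safer default for new installs.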


@ -0,0 +1,49 @@
diff --git a/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata b/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata
new file mode 100644
index 000000000000..bf3889265b77
--- /dev/null
+++ b/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata
@@ -0,0 +1,43 @@
+commit fc3c19a9fceeea48a9259ac3833a125804342c0e
+Author: Ed Maste <emaste@FreeBSD.org>
+Date: Sat Oct 6 21:32:55 2018 +0000
+
+ sshd: address capsicum issues
+
+ * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in
+ capability mode.
+ * Cache timezone data via caph_cache_tzdata() as we cannot access the
+ timezone file.
+ * Reverse resolve hostname before entering capability mode.
+
+ PR: 231172
+ Submitted by: naito.yuichiro@gmail.com
+ Reviewed by: cem, des
+ Approved by: re (rgrimes)
+ MFC after: 3 weeks
+ Differential Revision: https://reviews.freebsd.org/D17128
+
+Notes:
+ svn path=/head/; revision=339216
+
+diff --git crypto/openssh/sandbox-capsicum.c crypto/openssh/sandbox-capsicum.c
+index 5f41d526292b..f728abd18250 100644
+--- sandbox-capsicum.c
++++ sandbox-capsicum.c
+@@ -31,6 +31,7 @@ __RCSID("$FreeBSD$");
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <capsicum_helpers.h>
+
+ #include "log.h"
+ #include "monitor.h"
+@@ -71,6 +72,8 @@ ssh_sandbox_child(struct ssh_sandbox *box)
+ struct rlimit rl_zero;
+ cap_rights_t rights;
+
++ caph_cache_tzdata();
++
+ rl_zero.rlim_cur = rl_zero.rlim_max = 0;
+
+ if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
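Review bot: The vendored commit message lists three changes (a login_getpwclass proxy, timezone caching, and reverse hostname resolution before entering capability mode), but the only hunks carried in this file are the `#include <capsicum_helpers.h>` line and the `caph_cache_tzdata();` call in `ssh_sandbox_child`. Add a line above the message such as `Only the caph_cache_tzdata() part of this commit is applied here.` or trim the message, otherwise a reader will assume the other two changes are in effect. The `diff --git crypto/openssh/sandbox-capsicum.c ...` header and the `--- sandbox-capsicum.c` header use different path depths; patch(1) takes the names from the `---`/`+++` lines with the port's strip level, so confirm this applies where intended.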


@ -0,0 +1,69 @@
(pulled from the PR)
commit 27ceebbc2402e4c98203c7eef9696f4bd3d326f8
Author: Ed Maste <emaste@FreeBSD.org>
Date: Tue Aug 31 15:30:50 2021 -0400
openssh: simplify login class restrictions
Login class-based restrictions were introduced in 5b400a39b8ad. The
code was adapted for sshd's Capsicum sandbox and received many changes
over time, including at least fc3c19a9fcee, bd393de91cc3, and
e8c56fba2926.
During an attempt to upstream the work a much simpler approach was
suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with
future updates.
Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub)
Obtained from: https://github.com/openssh/openssh-portable/pull/262
Reviewed by: allanjude, kevans
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D31760
--- auth.c
+++ auth.c
@@ -566,6 +566,9 @@ getpwnamallow(struct ssh *ssh, const char *user)
{
#ifdef HAVE_LOGIN_CAP
extern login_cap_t *lc;
+#ifdef HAVE_AUTH_HOSTOK
+ const char *from_host, *from_ip;
+#endif
#ifdef BSD_AUTH
auth_session_t *as;
#endif
@@ -611,6 +614,21 @@ getpwnamallow(struct ssh *ssh, const char *user)
debug("unable to get login class: %s", user);
return (NULL);
}
+#ifdef HAVE_AUTH_HOSTOK
+ from_host = auth_get_canonical_hostname(ssh, options.use_dns);
+ from_ip = ssh_remote_ipaddr(ssh);
+ if (!auth_hostok(lc, from_host, from_ip)) {
+ debug("Denied connection for %.200s from %.200s [%.200s].",
+ pw->pw_name, from_host, from_ip);
+ return (NULL);
+ }
+#endif /* HAVE_AUTH_HOSTOK */
+#ifdef HAVE_AUTH_TIMEOK
+ if (!auth_timeok(lc, time(NULL))) {
+ debug("LOGIN %.200s REFUSED (TIME)", pw->pw_name);
+ return (NULL);
+ }
+#endif /* HAVE_AUTH_TIMEOK */
#ifdef BSD_AUTH
if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
--- configure.ac
+++ configure.ac
@@ -1784,6 +1784,8 @@ AC_SUBST([PICFLAG])
dnl Checks for library functions. Please keep in alphabetical order
AC_CHECK_FUNCS([ \
+ auth_hostok \
+ auth_timeok \
Blowfish_initstate \
Blowfish_expandstate \
Blowfish_expand0state \
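Review bot: The new `auth_hostok`/`auth_timeok` denials in `getpwnamallow` are reported only with `debug(...)`, whereas the older auth2.c form of this restriction (removed elsewhere in this compare) used `logit(...)` together with an explicit disconnect message; at the default LogLevel a login refused by login.conf host or time rules now leaves no trace in the server log. Raising the two calls to `logit("Denied connection for %.200s from %.200s [%.200s].", pw->pw_name, from_host, from_ip);` and `logit("LOGIN %.200s REFUSED (TIME)", pw->pw_name);` keeps the event visible to operators and to log-based detection. Returning NULL from getpwnamallow means the client sees the same failure as an unknown user, which is a reasonable choice; a short comment stating that this is intentional would help the next reader. The rest of getpwnamallow lies outside the hunk.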


@ -1,47 +0,0 @@
--- UTC
r99053 | des | 2002-06-29 05:57:13 -0500 (Sat, 29 Jun 2002) | 4 lines
Changed paths:
M /head/crypto/openssh/auth2.c
Apply class-imposed login restrictions.
--- auth2.c.orig 2020-09-27 00:25:01.000000000 -0700
+++ auth2.c 2020-11-16 13:55:25.222771000 -0800
@@ -266,6 +266,10 @@ input_userauth_request(int type, u_int32_t seq, struct
char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
int r, authenticated = 0;
double tstart = monotime_double();
+#ifdef HAVE_LOGIN_CAP
+ login_cap_t *lc;
+ const char *from_host, *from_ip;
+#endif
if (authctxt == NULL)
fatal("input_userauth_request: no authctxt");
@@ -317,6 +321,26 @@ input_userauth_request(int type, u_int32_t seq, struct
"not allowed: (%s,%s) -> (%s,%s)",
authctxt->user, authctxt->service, user, service);
}
+
+#ifdef HAVE_LOGIN_CAP
+ if (authctxt->pw != NULL &&
+ (lc = login_getpwclass(authctxt->pw)) != NULL) {
+ from_host = auth_get_canonical_hostname(ssh, options.use_dns);
+ from_ip = ssh_remote_ipaddr(ssh);
+ if (!auth_hostok(lc, from_host, from_ip)) {
+ logit("Denied connection for %.200s from %.200s [%.200s].",
+ authctxt->pw->pw_name, from_host, from_ip);
+ ssh_packet_disconnect(ssh, "Sorry, you are not allowed to connect.");
+ }
+ if (!auth_timeok(lc, time(NULL))) {
+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
+ authctxt->pw->pw_name, from_host);
+ ssh_packet_disconnect(ssh, "Logins not available right now.");
+ }
+ login_close(lc);
+ }
+#endif /* HAVE_LOGIN_CAP */
+
/* reset state */
auth2_challenge_stop(ssh);


@ -1,25 +0,0 @@
--- platform-tracing.c.orig 2021-09-26 07:03:19.000000000 -0700
+++ platform-tracing.c 2021-10-15 10:08:20.537813000 -0700
@@ -16,6 +16,10 @@
#include "includes.h"
+#if defined(HAVE_PROCCTL)
+#include <string.h>
+#include <unistd.h>
+#endif
#include <sys/types.h>
#ifdef HAVE_SYS_PROCCTL_H
#include <sys/procctl.h>
@@ -40,8 +44,9 @@ platform_disable_tracing(int strict)
/* On FreeBSD, we should make this process untraceable */
int disable_trace = PROC_TRACE_CTL_DISABLE;
- if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict)
- fatal("unable to make the process untraceable");
+ if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) && strict)
+ fatal("unable to make the process untraceable: %s for pid %d",
+ strerror(errno), (int)getpid());
#endif
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
/* Disable ptrace on Linux without sgid bit */


@ -8,9 +8,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
Add a -x option that causes ssh-agent(1) to exit when all clients have
disconnected.
--- ssh-agent.c.orig 2021-04-15 20:55:25.000000000 -0700
+++ ssh-agent.c 2021-04-27 11:47:59.362589000 -0700
@@ -171,9 +171,26 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
--- ssh-agent.c.orig 2023-02-02 04:21:54.000000000 -0800
+++ ssh-agent.c 2023-02-03 10:55:34.277561000 -0800
@@ -188,11 +188,28 @@ static int restrict_websafe = 1;
/* Refuse signing of non-SSH messages for web-origin FIDO keys */
static int restrict_websafe = 1;
@ -27,17 +27,19 @@ disconnected.
static void
close_socket(SocketEntry *e)
{
size_t i;
+ int last = 0;
+
+ if (e->type == AUTH_CONNECTION) {
+ debug("xcount %d -> %d", xcount, xcount - 1);
+ if (--xcount == 0)
+ last = 1;
+ }
+
close(e->fd);
sshbuf_free(e->input);
sshbuf_free(e->output);
@@ -181,6 +198,8 @@ close_socket(SocketEntry *e)
@@ -205,6 +222,8 @@ close_socket(SocketEntry *e)
memset(e, '\0', sizeof(*e));
e->fd = -1;
e->type = AUTH_UNUSED;
@ -46,7 +48,7 @@ disconnected.
}
static void
@@ -1067,6 +1086,10 @@ new_socket(sock_type type, int fd)
@@ -1698,6 +1717,10 @@ new_socket(sock_type type, int fd)
debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" :
(type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
@ -57,16 +59,16 @@ disconnected.
set_nonblock(fd);
if (fd > max_fd)
@@ -1360,7 +1383,7 @@ static void
@@ -1990,7 +2013,7 @@ usage(void)
usage(void)
{
fprintf(stderr,
- "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
+ "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
" [-P allowed_providers] [-t life]\n"
" ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n"
" [-t life] command [arg ...]\n"
@@ -1394,6 +1417,7 @@ main(int ac, char **av)
" [-O option] [-P allowed_providers] [-t life]\n"
" ssh-agent [-a bind_address] [-E fingerprint_hash] [-O option]\n"
" [-P allowed_providers] [-t life] command [arg ...]\n"
@@ -2024,6 +2047,7 @@ main(int ac, char **av)
/* drop */
setegid(getgid());
setgid(getgid());
@ -74,7 +76,7 @@ disconnected.
platform_disable_tracing(0); /* strict=no */
@@ -1405,7 +1429,7 @@ main(int ac, char **av)
@@ -2035,7 +2059,7 @@ main(int ac, char **av)
__progname = ssh_get_progname(av[0]);
seed_rng();
@ -83,7 +85,7 @@ disconnected.
switch (ch) {
case 'E':
fingerprint_hash = ssh_digest_alg_by_name(optarg);
@@ -1454,6 +1478,9 @@ main(int ac, char **av)
@@ -2084,6 +2108,9 @@ main(int ac, char **av)
fprintf(stderr, "Invalid lifetime\n");
usage();
}


@ -1,5 +1,8 @@
--- sshd_config.orig 2021-08-19 21:03:49.000000000 -0700
+++ sshd_config 2021-09-07 12:34:49.372652000 -0700
!!!
!!! Note files/extra-patch-pam-sshd_config contains more changes for default PAM option.
!!!
--- sshd_config.orig 2022-02-11 18:49:55.062881000 +0000
+++ sshd_config 2022-02-11 18:52:31.639435000 +0000
@@ -10,6 +10,9 @@
# possible, but leave them commented. Uncommented options override the
# default value.
@ -20,33 +23,7 @@
#AuthorizedPrincipalsFile none
@@ -53,8 +55,8 @@ AuthorizedKeysFile .ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+# To enable tunneled clear text passwords, change to yes here!
+#PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
@@ -70,7 +72,7 @@ AuthorizedKeysFile .ssh/authorized_keys
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
-# Set this to 'yes' to enable PAM authentication, account processing,
+# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
@@ -79,12 +81,12 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
-#UsePAM no
+#UsePAM yes
@@ -84,7 +86,7 @@
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no


@ -1,8 +1,8 @@
--- sshd_config.5.orig 2017-03-19 19:39:27.000000000 -0700
+++ sshd_config.5 2017-03-20 11:48:37.553620000 -0700
@@ -671,7 +673,9 @@ ssh-ed25519,ssh-rsa
The list of available key types may also be obtained using
.Qq ssh -Q key .
--- sshd_config.5.orig 2022-02-11 18:50:00.822679000 +0000
+++ sshd_config.5 2022-02-11 19:09:05.162504000 +0000
@@ -701,7 +701,9 @@
.Qq ssh -Q HostbasedAcceptedAlgorithms .
This was formerly named HostbasedAcceptedKeyTypes.
.It Cm HostbasedAuthentication
-Specifies whether rhosts or /etc/hosts.equiv authentication together
+Specifies whether rhosts or
@ -11,7 +11,7 @@
with successful public key client host authentication is allowed
(host-based authentication).
The default is
@@ -1136,7 +1140,22 @@ are refused if the number of unauthentic
@@ -1277,7 +1279,23 @@
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
@ -20,6 +20,7 @@
+.Nm sshd
+was built without PAM support, in which case the default is
.Cm yes .
+.Pp
+Note that if
+.Cm ChallengeResponseAuthentication
+is
@ -34,7 +35,7 @@
.It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
@@ -1232,6 +1251,13 @@ and
@@ -1416,6 +1434,13 @@
.Cm ethernet .
The default is
.Cm no .
@ -48,12 +49,15 @@
.Pp
Independent of this setting, the permissions of the selected
.Xr tun 4
@@ -1493,12 +1519,15 @@ is enabled, you will not be able to run
@@ -1774,12 +1799,19 @@
.Xr sshd 8
as a non-root user.
The default is
-.Cm no .
+.Cm yes .
+.Cm yes ,
+unless
+.Nm sshd
+was built without PAM support, in which case the default is
.Cm no .
.It Cm VersionAddendum
Optionally specifies additional text to append to the SSH protocol banner
sent by the server upon connection.
@ -66,7 +70,7 @@
.It Cm X11DisplayOffset
Specifies the first display number available for
.Xr sshd 8 Ns 's
@@ -1512,7 +1541,7 @@ The argument must be
@@ -1793,7 +1825,7 @@
or
.Cm no .
The default is


@ -11,5 +11,3 @@ The portable OpenSSH follows development of the official version, but releases
are not synchronized. Portable releases are marked with a 'p' (e.g. 3.1p1).
The official OpenBSD source will never use the 'p' suffix, but will instead
increment the version number when they hit 'stable spots' in their development.
WWW: https://www.openssh.com/portable.html

security/patch-9.8-cves Normal file

@ -0,0 +1,56 @@
https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html
Damien Miller djm at mindrot.org
Mon Jul 1 18:21:11 AEST 2024
Previous message (by thread): Announce: OpenSSH 9.8 released
Next message (by thread): Announce: OpenSSH 9.8 released
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi,
Regarding the race condition fixed in OpenSSH 9.8. A mitigation to
prevent exploitation of this bug is to disable the login grace timer
by setting LoginGraceTime=0 in sshd_config. This will however make
it much easier for an attacker to deny service to sshd.
Similarly, the much more minor keystroke timing bug can be avoided
by disabling the feature using ObscureKeystrokeTiming=0.
Some users will understandably prefer to patch their OpenSSH rather
than upgrade to the newest version, so here are minimal patches for
both problems.
1) Critical race condition in sshd
2) Minor logic error in ObscureKeystrokeTiming
--- log.c.orig 2024-07-02 09:05:35.023051000 -0700
+++ log.c 2024-07-02 09:05:54.881067000 -0700
@@ -451,12 +451,14 @@ sshsigdie(const char *file, const char *func, int line
sshsigdie(const char *file, const char *func, int line, int showfunc,
LogLevel level, const char *suffix, const char *fmt, ...)
{
+#ifdef SYSLOG_R_SAFE_IN_SIGHAND
va_list args;
va_start(args, fmt);
sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
suffix, fmt, args);
va_end(args);
+#endif
_exit(1);
}
--- clientloop.c.orig 2024-07-02 09:06:09.736347000 -0700
+++ clientloop.c 2024-07-02 09:06:41.414979000 -0700
@@ -608,8 +608,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct tim
if (timespeccmp(&now, &chaff_until, >=)) {
/* Stop if there have been no keystrokes for a while */
stop_reason = "chaff time expired";
- } else if (timespeccmp(&now, &next_interval, >=)) {
- /* Otherwise if we were due to send, then send chaff */
+ } else if (timespeccmp(&now, &next_interval, >=) &&
+ !ssh_packet_have_data_to_write(ssh)) {
+ /* If due to send but have no data, then send chaff */
if (send_chaff(ssh))
nchaff++;
}
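Review bot: The file is added as `security/patch-9.8-cves`, outside the port's `files/` directory, and the visible Makefile hunks do not reference it through `EXTRA_PATCHES` or `PATCHFILES`; the ports framework only applies `files/patch-*` automatically, so as shown the two fixes may never reach the 9.3p2 tree (if the path is an artefact of the compare view, disregard this). The hunk headers were cut against a later release, and `obfuscate_keystroke_timing` belongs to the ObscureKeystrokeTiming feature, which as far as I recall was introduced after 9.3, so the second patch is likely to find no matching code in 9.3p2's `clientloop.c`; confirm both hunks apply without fuzz rather than assuming the build output. The mailing-list text kept above the first `---` header is harmless to patch(1), but a one-line note at the top naming the upstream release the patches were taken from and the date they were applied would make the next audit easier.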