git: 4286578bb1d4 - releng/12.4 - ssh: Apply CVE-2023-38408 fix from OpenSSH 9.3p2
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 01 Aug 2023 20:06:25 UTC
The branch releng/12.4 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=4286578bb1d432301ba7de49855d5c53289da5f4
commit 4286578bb1d432301ba7de49855d5c53289da5f4
Author: Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-08-01 14:40:42 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2023-08-01 19:47:00 +0000
ssh: Apply CVE-2023-38408 fix from OpenSSH 9.3p2
Approved by: so
Security: FreeBSD-SA-23:08.ssh
Security: CVE-2023-38408
---
crypto/openssh/ssh-agent.1 | 45 ++++++++++++++++++++++++++++++++++++++++++--
crypto/openssh/ssh-agent.c | 29 +++++++++++++++++++++++-----
crypto/openssh/ssh-pkcs11.c | 6 ++----
crypto/openssh/sshd_config | 2 +-
crypto/openssh/sshd_config.5 | 2 +-
crypto/openssh/version.h | 2 +-
6 files changed, 72 insertions(+), 14 deletions(-)
diff --git a/crypto/openssh/ssh-agent.1 b/crypto/openssh/ssh-agent.1
index 8844b2eb45e8..a0ea506bdc93 100644
--- a/crypto/openssh/ssh-agent.1
+++ b/crypto/openssh/ssh-agent.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.73 2022/03/31 17:27:27 naddy Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.75 2022/10/07 06:00:58 jmc Exp $
.\" $FreeBSD$
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: October 7 2022 $
.Dt SSH-AGENT 1
.Os
.Sh NAME
@@ -47,11 +47,13 @@
.Op Fl \&Ddx
.Op Fl a Ar bind_address
.Op Fl E Ar fingerprint_hash
+.Op Fl O Ar option
.Op Fl P Ar allowed_providers
.Op Fl t Ar life
.Nm ssh-agent
.Op Fl a Ar bind_address
.Op Fl E Ar fingerprint_hash
+.Op Fl O Ar option
.Op Fl P Ar allowed_providers
.Op Fl t Ar life
.Ar command Op Ar arg ...
@@ -103,6 +105,45 @@ The default is
Kill the current agent (given by the
.Ev SSH_AGENT_PID
environment variable).
+.It Fl O Ar option
+Specify an option when starting
+.Nm .
+Currently two options are supported:
+.Cm allow-remote-pkcs11
+and
+.Cm no-restrict-websafe .
+.Pp
+The
+.Cm allow-remote-pkcs11
+option allows clients of a forwarded
+.Nm
+to load PKCS#11 or FIDO provider libraries.
+By default only local clients may perform this operation.
+Note that signalling that a
+.Nm
+client remote is performed by
+.Xr ssh 1 ,
+and use of other tools to forward access to the agent socket may circumvent
+this restriction.
+.Pp
+The
+.Cm no-restrict-websafe ,
+instructs
+.Nm
+to permit signatures using FIDO keys that might be web authentication
+requests.
+By default,
+.Nm
+refuses signature requests for FIDO keys where the key application string
+does not start with
+.Dq ssh:
+and when the data to be signed does not appear to be a
+.Xr ssh 1
+user authentication request or a
+.Xr ssh-keygen 1
+signature.
+The default behaviour prevents forwarded access to a FIDO key from also
+implicitly forwarding the ability to authenticate to websites.
.It Fl P Ar allowed_providers
Specify a pattern-list of acceptable paths for PKCS#11 provider and FIDO
authenticator middleware shared libraries that may be used with the
diff --git a/crypto/openssh/ssh-agent.c b/crypto/openssh/ssh-agent.c
index 2c2c7a639907..0e218390a21c 100644
--- a/crypto/openssh/ssh-agent.c
+++ b/crypto/openssh/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.292 2022/09/17 10:11:29 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.293 2022/10/07 06:00:58 jmc Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -172,6 +172,12 @@ char socket_dir[PATH_MAX];
/* Pattern-list of allowed PKCS#11/Security key paths */
static char *allowed_providers;
+/*
+ * Allows PKCS11 providers or SK keys that use non-internal providers to
+ * be added over a remote connection (identified by session-bind@openssh.com).
+ */
+static int remote_add_provider;
+
/* locking */
#define LOCK_SIZE 32
#define LOCK_SALT_SIZE 16
@@ -1249,6 +1255,12 @@ process_add_identity(SocketEntry *e)
if (strcasecmp(sk_provider, "internal") == 0) {
debug_f("internal provider");
} else {
+ if (e->nsession_ids != 0 && !remote_add_provider) {
+ verbose("failed add of SK provider \"%.100s\": "
+ "remote addition of providers is disabled",
+ sk_provider);
+ goto out;
+ }
if (realpath(sk_provider, canonical_provider) == NULL) {
verbose("failed provider \"%.100s\": "
"realpath: %s", sk_provider,
@@ -1412,6 +1424,11 @@ process_add_smartcard_key(SocketEntry *e)
error_f("failed to parse constraints");
goto send;
}
+ if (e->nsession_ids != 0 && !remote_add_provider) {
+ verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
+ "providers is disabled", provider);
+ goto send;
+ }
if (realpath(provider, canonical_provider) == NULL) {
verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
provider, strerror(errno));
@@ -2015,9 +2032,9 @@ usage(void)
{
fprintf(stderr,
"usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
- " [-P allowed_providers] [-t life]\n"
- " ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n"
- " [-t life] command [arg ...]\n"
+ " [-O option] [-P allowed_providers] [-t life]\n"
+ " ssh-agent [-a bind_address] [-E fingerprint_hash] [-O option]\n"
+ " [-P allowed_providers] [-t life] command [arg ...]\n"
" ssh-agent [-c | -s] -k\n");
exit(1);
}
@@ -2077,7 +2094,9 @@ main(int ac, char **av)
break;
case 'O':
if (strcmp(optarg, "no-restrict-websafe") == 0)
- restrict_websafe = 0;
+ restrict_websafe = 0;
+ else if (strcmp(optarg, "allow-remote-pkcs11") == 0)
+ remote_add_provider = 1;
else
fatal("Unknown -O option");
break;
diff --git a/crypto/openssh/ssh-pkcs11.c b/crypto/openssh/ssh-pkcs11.c
index b2e2b32a5078..9e48c134e411 100644
--- a/crypto/openssh/ssh-pkcs11.c
+++ b/crypto/openssh/ssh-pkcs11.c
@@ -1537,10 +1537,8 @@ pkcs11_register_provider(char *provider_id, char *pin,
error("dlopen %s failed: %s", provider_id, dlerror());
goto fail;
}
- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
- error("dlsym(C_GetFunctionList) failed: %s", dlerror());
- goto fail;
- }
+ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
+ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
p = xcalloc(1, sizeof(*p));
p->name = xstrdup(provider_id);
p->handle = handle;
diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
index 33c6e9a3b130..14a58ef4ddbb 100644
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
@@ -106,7 +106,7 @@ AuthorizedKeysFile .ssh/authorized_keys
#PermitTunnel no
#ChrootDirectory none
#UseBlacklist no
-#VersionAddendum FreeBSD-20221019
+#VersionAddendum FreeBSD-20230719
# no default banner path
#Banner none
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5
index 34dc3648ed26..dd8623d9b4dd 100644
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@@ -1822,7 +1822,7 @@ The default is
Optionally specifies additional text to append to the SSH protocol banner
sent by the server upon connection.
The default is
-.Qq FreeBSD-20221019 .
+.Qq FreeBSD-20230719 .
The value
.Cm none
may be used to disable this.
diff --git a/crypto/openssh/version.h b/crypto/openssh/version.h
index 30539ed442ca..3f7069aba20f 100644
--- a/crypto/openssh/version.h
+++ b/crypto/openssh/version.h
@@ -6,4 +6,4 @@
#define SSH_PORTABLE "p1"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-#define SSH_VERSION_FREEBSD "FreeBSD-20221019"
+#define SSH_VERSION_FREEBSD "FreeBSD-20230719"