PR#1: Initial check in of Meta patches - rpms/openssh

		`@@ -0,0 +1,48 @@`
		`+ Index: b/channels.c`
		`+ ===================================================================`
		`+ --- b.orig/channels.c`
		`+ +++ b/channels.c`
		`+ @@ -3774,6 +3774,7 @@ int`
		`+ channel_setup_remote_fwd_listener(struct ssh ssh, struct Forward fwd,`
		`+ int allocated_listen_port, struct ForwardOptions fwd_opts)`
		`+ {`
		`+ + int success = 0;`
		`+ if (!check_rfwd_permission(ssh, fwd)) {`
		`+ ssh_packet_send_debug(ssh, "port forwarding refused");`
		`+ if (fwd->listen_path != NULL)`
		`+ @@ -3795,14 +3796,23 @@ channel_setup_remote_fwd_listener(struct`
		`+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));`
		`+ return 0;`
		`+ }`
		`+ - if (fwd->listen_path != NULL) {`
		`+ - return channel_setup_fwd_listener_streamlocal(ssh,`
		`+ + if (fwd->listen_path != NULL) {`
		`+ + success = channel_setup_fwd_listener_streamlocal(ssh,`
		`+ SSH_CHANNEL_RUNIX_LISTENER, fwd, fwd_opts);`
		`+ } else {`
		`+ - return channel_setup_fwd_listener_tcpip(ssh,`
		`+ + success = channel_setup_fwd_listener_tcpip(ssh,`
		`+ SSH_CHANNEL_RPORT_LISTENER, fwd, allocated_listen_port,`
		`+ fwd_opts);`
		`+ }`
		`+ + logit("Remote forward request %s: listen=%s:%d connect=%s:%d"`
		`+ + " uid=%d",`
		`+ + success ? "succeeded" : "failed",`
		`+ + fwd->listen_host,`
		`+ + fwd->listen_port,`
		`+ + ssh_remote_ipaddr(ssh),`
		`+ + ssh_remote_port(ssh),`
		`+ + getuid());`
		`+ + return success;`
		`+ }`
		`+`
		`+ /*`
		`+ @@ -4593,7 +4603,7 @@ x11_create_display_inet(struct ssh *ssh,`
		`+ if ((errno != EINVAL) && (errno != EAFNOSUPPORT)`
		`+ #ifdef EPFNOSUPPORT`
		`+ && (errno != EPFNOSUPPORT)`
		`+ -#endif`
		`+ +#endif`
		`+ ) {`
		`+ error("socket: %.100s", strerror(errno));`
		`+ freeaddrinfo(aitop);`

fb87_080_logging_certificates.patch

file added

+182

		`@@ -0,0 +1,182 @@`
		`+ Index: b/auth2-pubkey.c`
		`+ ===================================================================`
		`+ --- b.orig/auth2-pubkey.c`
		`+ +++ b/auth2-pubkey.c`
		`+ @@ -389,6 +389,10 @@ check_principals_line(struct ssh *ssh, c`
		`+ continue;`
		`+ debug3("%s: matched principal \"%.100s\"",`
		`+ loc, cert->principals[i]);`
		`+ + verbose("Matched principal \"%.100s\" from %s against \"%.100s\" "`
		`+ + "from cert",`
		`+ + cp, loc, cert->principals[i]);`
		`+ +`
		`+ found = 1;`
		`+ slog_set_principal(cp);`
		`+ }`
		`+ @@ -432,6 +436,8 @@ process_principals(struct ssh *ssh, FILE`
		`+ found_principal = 1;`
		`+ }`
		`+ free(line);`
		`+ + if (!found_principal)`
		`+ + verbose("Did not match any principals from auth_principals_* files");`
		`+ return found_principal;`
		`+ }`
		`+`
		`+ @@ -710,7 +716,7 @@ check_authkey_line(struct ssh *ssh, stru`
		`+ &reason) != 0)`
		`+ goto fail_reason;`
		`+`
		`+ - verbose("Accepted certificate ID \"%s\" (serial %llu) "`
		`+ + verbose("Accepted cert ID \"%s\" (serial %llu) "`
		`+ "signed by CA %s %s found at %s",`
		`+ key->cert->key_id,`
		`+ (unsigned long long)key->cert->serial,`
		`+ @@ -780,7 +786,7 @@ static int`
		`+ user_cert_trusted_ca(struct ssh ssh, struct passwd pw, struct sshkey *key,`
		`+ struct sshauthopt **authoptsp)`
		`+ {`
		`+ - char ca_fp, principals_file = NULL;`
		`+ + char ca_fp, key_fp, *principals_file = NULL;`
		`+ const char *reason;`
		`+ struct sshauthopt principals_opts = NULL, cert_opts = NULL;`
		`+ struct sshauthopt *final_opts = NULL;`
		`+ @@ -796,11 +802,16 @@ user_cert_trusted_ca(struct ssh *ssh, st`
		`+ options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)`
		`+ return 0;`
		`+`
		`+ + key_fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);`
		`+ +`
		`+ if ((r = sshkey_in_file(key->cert->signature_key,`
		`+ options.trusted_user_ca_keys, 1, 0)) != 0) {`
		`+ debug2_fr(r, "CA %s %s is not listed in %s",`
		`+ sshkey_type(key->cert->signature_key), ca_fp,`
		`+ options.trusted_user_ca_keys);`
		`+ + verbose("CA %s %s is not listed in %s",`
		`+ + sshkey_type(key->cert->signature_key), ca_fp,`
		`+ + options.trusted_user_ca_keys);`
		`+ goto out;`
		`+ }`
		`+ /*`
		`+ @@ -851,6 +862,11 @@ user_cert_trusted_ca(struct ssh *ssh, st`
		`+ if ((final_opts = sshauthopt_merge(principals_opts,`
		`+ cert_opts, &reason)) == NULL) {`
		`+ fail_reason:`
		`+ + verbose("Rejected cert ID \"%s\" with signature "`
		`+ + "%s signed by %s CA %s via %s",`
		`+ + key->cert->key_id, key_fp,`
		`+ + sshkey_type(key->cert->signature_key), ca_fp,`
		`+ + options.trusted_user_ca_keys);`
		`+ error("%s", reason);`
		`+ auth_debug_add("%s", reason);`
		`+ goto out;`
		`+ @@ -858,9 +874,10 @@ user_cert_trusted_ca(struct ssh *ssh, st`
		`+ }`
		`+`
		`+ /* Success */`
		`+ - verbose("Accepted certificate ID \"%s\" (serial %llu) signed by "`
		`+ - "%s CA %s via %s", key->cert->key_id,`
		`+ - (unsigned long long)key->cert->serial,`
		`+ + verbose("Accepted cert ID \"%s\" (serial %llu) with signature %s "`
		`+ + "signed by %s CA %s via %s",`
		`+ + key->cert->key_id,`
		`+ + (unsigned long long)key->cert->serial, key_fp,`
		`+ sshkey_type(key->cert->signature_key), ca_fp,`
		`+ options.trusted_user_ca_keys);`
		`+ if (authoptsp != NULL) {`
		`+ @@ -875,6 +892,7 @@ user_cert_trusted_ca(struct ssh *ssh, st`
		`+ sshauthopt_free(final_opts);`
		`+ free(principals_file);`
		`+ free(ca_fp);`
		`+ + free(key_fp);`
		`+ return ret;`
		`+ }`
		`+`
		`+ Index: b/regress/cert-logging.sh`
		`+ ===================================================================`
		`+ --- /dev/null`
		`+ +++ b/regress/cert-logging.sh`
		`+ @@ -0,0 +1,84 @@`
		`+ +tid="cert logging"`
		`+ +`
		`+ +CERT_ID="cert_id"`
		`+ +PRINCIPAL=$USER`
		`+ +SERIAL=0`
		`+ +`
		`+ +log_grep() {`
		`+ + if [ "$(grep -c -G "$1" "$TEST_SSHD_LOGFILE")" == "0" ]; then`
		`+ + return 1;`
		`+ + else`
		`+ + return 0;`
		`+ + fi`
		`+ +}`
		`+ +`
		`+ +cat << EOF >> $OBJ/sshd_config`
		`+ +TrustedUserCAKeys $OBJ/ssh-rsa.pub`
		`+ +Protocol 2`
		`+ +PubkeyAuthentication yes`
		`+ +AuthenticationMethods publickey`
		`+ +AuthorizedPrincipalsFile $OBJ/auth_principals`
		`+ +EOF`
		`+ +`
		`+ +if [ ! -f $OBJ/trusted_rsa ]; then`
		`+ + ${SSHKEYGEN} -q -t rsa -C '' -N '' -f $OBJ/trusted_rsa`
		`+ +fi`
		`+ +if [ ! -f $OBJ/untrusted_rsa ]; then`
		`+ + ${SSHKEYGEN} -q -t rsa -C '' -N '' -f $OBJ/untrusted_rsa`
		`+ +fi`
		`+ +`
		`+ +${SSHKEYGEN} -q -s $OBJ/ssh-rsa -I $CERT_ID -n $PRINCIPAL -z $SERIAL $OBJ/trusted_rsa.pub \|\|`
		`+ + fatal "Could not create trusted SSH cert"`
		`+ +`
		`+ +${SSHKEYGEN} -q -s $OBJ/untrusted_rsa -I $CERT_ID -n $PRINCIPAL -z $SERIAL $OBJ/untrusted_rsa.pub \|\|`
		`+ + fatal "Could not create untrusted SSH cert"`
		`+ +`
		`+ +CA_FP="$(${SSHKEYGEN} -l -E sha256 -f ssh-rsa \| cut -d' ' -f2)"`
		`+ +KEY_FP="$(${SSHKEYGEN} -l -E sha256 -f trusted_rsa \| cut -d' ' -f2)"`
		`+ +UNTRUSTED_CA_FP="$(${SSHKEYGEN} -l -E sha256 -f untrusted_rsa \| cut -d' ' -f2)"`
		`+ +`
		`+ +start_sshd`
		`+ +`
		`+ +`
		`+ +test_no_principals() {`
		`+ + echo > $OBJ/auth_principals`
		`+ + ${SSH} -F $OBJ/ssh_config -i $OBJ/trusted_rsa-cert.pub somehost true \|\|`
		`+ + fatal "SSH failed"`
		`+ +`
		`+ + if ! log_grep 'Did not match any principals from auth_principals_\* files'; then`
		`+ + fail "No 'Did not match any principals' message"`
		`+ + fi`
		`+ +`
		`+ + if ! log_grep "Rejected cert ID \"$CERT_ID\" with signature $KEY_FP signed by RSA CA $CA_FP via $OBJ/ssh-rsa.pub"; then`
		`+ + fail "No 'Rejected cert ID' message"`
		`+ + fi`
		`+ +}`
		`+ +`
		`+ +`
		`+ +test_with_principals() {`
		`+ + echo $USER > $OBJ/auth_principals`
		`+ + ${SSH} -F $OBJ/ssh_config -i $OBJ/trusted_rsa-cert.pub somehost true \|\|`
		`+ + fatal "SSH failed"`
		`+ +`
		`+ + if ! log_grep "Matched principal \"$PRINCIPAL\" from $OBJ/auth_principals:1 against \"$PRINCIPAL\" from cert"; then`
		`+ + fail "No 'Matched principal' message"`
		`+ + fi`
		`+ + if ! log_grep "Accepted cert ID \"$CERT_ID\" (serial $SERIAL) with signature $KEY_FP signed by RSA CA $CA_FP via $OBJ/ssh-rsa.pub"; then`
		`+ + fail "No 'Accepted cert ID' message"`
		`+ + fi`
		`+ +}`
		`+ +`
		`+ +`
		`+ +test_untrusted_cert() {`
		`+ + ${SSH} -F $OBJ/ssh_config -i $OBJ/untrusted_rsa-cert.pub somehost true \|\|`
		`+ + fatal "SSH failed"`
		`+ +`
		`+ + if ! log_grep "CA RSA $UNTRUSTED_CA_FP is not listed in $OBJ/ssh-rsa.pub"; then`
		`+ + fail "No 'CA is not listed' message"`
		`+ + fi`
		`+ +}`
		`+ +`
		`+ +`
		`+ +test_no_principals`
		`+ +test_with_principals`
		`+ +test_untrusted_cert`

fb87_090_logging_shell_cmd_pty.patch

file added

+73

		`@@ -0,0 +1,73 @@`
		`+ Index: b/session.c`
		`+ ===================================================================`
		`+ --- b.orig/session.c`
		`+ +++ b/session.c`
		`+ @@ -2049,6 +2049,8 @@ session_pty_req(struct ssh *ssh, Session`
		`+ return 0;`
		`+ }`
		`+ debug("session_pty_req: session %d alloc %s", s->self, s->tty);`
		`+ + verbose("Allocated pty %s for user %s session %d",`
		`+ + s->tty, s->pw->pw_name, s->self);`
		`+`
		`+ ssh_tty_parse_modes(ssh, s->ttyfd);`
		`+`
		`+ @@ -2148,6 +2150,7 @@ session_shell_req(struct ssh *ssh, Sessi`
		`+`
		`+ if ((r = sshpkt_get_end(ssh)) != 0)`
		`+ sshpkt_fatal(ssh, r, "%s: parse packet", __func__);`
		`+ + verbose("Shell Request for user %s", s->pw->pw_name);`
		`+ return do_exec(ssh, s, NULL) == 0;`
		`+ }`
		`+`
		`+ @@ -2163,6 +2166,7 @@ session_exec_req(struct ssh *ssh, Sessio`
		`+ sshpkt_fatal(ssh, r, "%s: parse packet", __func__);`
		`+`
		`+ slog_set_command(command);`
		`+ + verbose("Exec Request for user %s with command %s", s->pw->pw_name, command);`
		`+ success = do_exec(ssh, s, command) == 0;`
		`+ free(command);`
		`+ return success;`
		`+ Index: b/regress/session-req.sh`
		`+ ===================================================================`
		`+ --- /dev/null`
		`+ +++ b/regress/session-req.sh`
		`+ @@ -0,0 +1,39 @@`
		`+ +tid="session req"`
		`+ +`
		`+ +start_sshd`
		`+ +`
		`+ +test_user_shell_exec_req() {`
		`+ + session_shell_req_expected="Exec Request for user $USER with command true"`
		`+ + cnt=$(grep -c "$session_shell_req_expected" "$TEST_SSHD_LOGFILE")`
		`+ + if [ $cnt == "0" ]; then`
		`+ + fail "No exec request for user log lines found"`
		`+ + fi`
		`+ +}`
		`+ +`
		`+ +test_user_pty() {`
		`+ + session_pty_req_expected="Allocated pty .* for user $USER session .*"`
		`+ + line_count=$(grep -c "$session_req_expected" "$TEST_SSHD_LOGFILE")`
		`+ + if [ $line_count == "0" ]; then`
		`+ + fail "No Allocated pty for user session found in log lines"`
		`+ + fi`
		`+ +}`
		`+ +`
		`+ +test_user_shell_req() {`
		`+ + exit \| ${SSH} -F $OBJ/ssh_config somehost`
		`+ + if [ $? -ne 0 ]; then`
		`+ + fail "ssh connect with failed"`
		`+ + fi`
		`+ + session_shell_req_expected="Shell Request for user $USER"`
		`+ + line_count=$(grep -c "$session_shell_req_expected" "$TEST_SSHD_LOGFILE")`
		`+ + if [ $line_count == "0" ]; then`
		`+ + fail "No session request for user log lines found"`
		`+ + fi`
		`+ +}`
		`+ +`
		`+ +${SSH} -F $OBJ/ssh_config somehost true`
		`+ +if [ $? -ne 0 ]; then`
		`+ + fail "ssh connect with failed"`
		`+ +fi`
		`+ +test_user_shell_exec_req`
		`+ +test_user_pty`
		`+ +test_user_shell_req`

fb87_810_increase_ssh_cert_max_principals.patch

file added

+13

		`@@ -0,0 +1,13 @@`
		`+ Index: b/sshkey.h`
		`+ ===================================================================`
		`+ --- b.orig/sshkey.h`
		`+ +++ b/sshkey.h`
		`+ @@ -106,7 +106,7 @@ enum sshkey_private_format {`
		`+ /* key is stored in external hardware */`
		`+ #define SSHKEY_FLAG_EXT 0x0001`
		`+`
		`+ -#define SSHKEY_CERT_MAX_PRINCIPALS 256`
		`+ +#define SSHKEY_CERT_MAX_PRINCIPALS 1024`
		`+ /* XXX opaquify? */`
		`+ struct sshkey_cert {`
		`+ struct sshbuf certblob; / Kept around for use on wire */`

fb87_log_accept_env.patch

file added

+22

		`@@ -0,0 +1,22 @@`
		`+ diff --git a/session.c b/session.c`
		`+ --- a/session.c`
		`+ +++ b/session.c`
		`+ @@ -2106,16 +2106,16 @@`
		`+`
		`+ for (i = 0; i < options.num_accept_env; i++) {`
		`+ if (match_pattern(name, options.accept_env[i])) {`
		`+ - debug2("Setting env %d: %s=%s", s->num_env, name, val);`
		`+ + verbose("Setting env %d: %s=%s user=%s", s->num_env, name, val, s->pw->pw_name);`
		`+ s->env = xrecallocarray(s->env, s->num_env,`
		`+ s->num_env + 1, sizeof(*s->env));`
		`+ s->env[s->num_env].name = name;`
		`+ s->env[s->num_env].val = val;`
		`+ s->num_env++;`
		`+ return (1);`
		`+ }`
		`+ }`
		`+ - debug2("Ignoring env request %s: disallowed name", name);`
		`+ + verbose("Ignoring env request %s user=%s : disallowed name", name, s->pw->pw_name);`
		`+`
		`+ fail:`
		`+ free(name);`

fb87_log_auth_info.patch

file added

+216

		`@@ -0,0 +1,216 @@`
		`+ Index: b/regress/slog.sh`
		`+ ===================================================================`
		`+ --- b.orig/regress/slog.sh`
		`+ +++ b/regress/slog.sh`
		`+ @@ -1,41 +1,60 @@`
		`+ tid='structured log'`
		`+`
		`+ -port="4242"`
		`+ log_prefix="sshd_auth_msg:"`
		`+ -log_keys="server_ip server_port remote_ip remote_port pid session_id method cert_id cert_serial principal user session_state auth_successful _time command end_time duration auth_info client_version"`
		`+ +log_keys="server_ip server_port remote_ip remote_port pid session_id method cert_id cert_serial principal user session_state auth_successful command end_time duration auth_info client_version"`
		`+ do_log_json="yes"`
		`+ -test_config="$OBJ/sshd2_config"`
		`+ -old_config="$OBJ/sshd_config"`
		`+ -PIDFILE=$OBJ/pidfile`
		`+ -`
		`+ -cat << EOF > $test_config`
		`+ - #*:`
		`+ - StrictModes no`
		`+ - Port $port`
		`+ - AddressFamily inet`
		`+ - ListenAddress 127.0.0.1`
		`+ - #ListenAddress ::1`
		`+ - PidFile $PIDFILE`
		`+ - AuthorizedKeysFile $OBJ/authorized_keys_%u`
		`+ - LogLevel ERROR`
		`+ - AcceptEnv _XXX_TEST_*`
		`+ - AcceptEnv _XXX_TEST`
		`+ - HostKey $OBJ/host.ssh-ed25519`
		`+ - LogFormatPrefix $log_prefix`
		`+ - LogFormatJson $do_log_json`
		`+ - LogFormatKeys $log_keys`
		`+ +`
		`+ +AUTH_PRINC_FILE="$OBJ/auth_principals"`
		`+ +CA_FILE="$OBJ/ca-rsa"`
		`+ +IDENTITY_FILE="$OBJ/$USER-rsa"`
		`+ +CERT_ID=$USER`
		`+ +`
		`+ +cat << EOF >> $OBJ/sshd_config`
		`+ +TrustedUserCAKeys $CA_FILE.pub`
		`+ +PubkeyAuthentication yes`
		`+ +AuthenticationMethods publickey`
		`+ +AuthorizedPrincipalsFile $AUTH_PRINC_FILE`
		`+ +LogFormatPrefix $log_prefix`
		`+ +LogFormatJson $do_log_json`
		`+ +LogFormatKeys $log_keys`
		`+ EOF`
		`+`
		`+ +sed -i 's/DEBUG3/VERBOSE/g' $OBJ/sshd_config`
		`+`
		`+ -cp $test_config $old_config`
		`+ -start_sshd`
		`+ +cleanup() {`
		`+ + rm -f $CA_FILE{.pub,}`
		`+ + rm -f $IDENTITY_FILE{-cert.pub,.pub,}`
		`+ + rm -f $AUTH_PRINC_FILE`
		`+ + rm -f $TEST_SSHD_LOGFILE`
		`+ +}`
		`+ +`
		`+ +make_keys() {`
		`+ + local keytype=$1`
		`+ +`
		`+ + rm -f $IDENTITY_FILE{.pub,}`
		`+ + ${SSHKEYGEN} -q -t $keytype -C '' -N '' -f $IDENTITY_FILE \|\|`
		`+ + fatal 'Could not create keypair'`
		`+ +`
		`+ + cat $IDENTITY_FILE.pub > authorized_keys_$USER`
		`+ + ${SSHKEYGEN} -lf $IDENTITY_FILE`
		`+ +}`
		`+`
		`+ -${SSH} -F $OBJ/ssh_config somehost true`
		`+ -if [ $? -ne 0 ]; then`
		`+ - fail "ssh connect with failed"`
		`+ -fi`
		`+ +make_cert() {`
		`+ + local princs=$1`
		`+ + local certtype=$2`
		`+ + local serial=$3`
		`+`
		`+ -test_log_counts() {`
		`+ + rm -f $CA_FILE`
		`+ + rm -f "$IDENTITY_FILE-cert.pub"`
		`+ +`
		`+ + ${SSHKEYGEN} -q -t $certtype -C '' -N '' -f $CA_FILE \|\|`
		`+ + fatal 'Could not create CA key'`
		`+ +`
		`+ + ${SSHKEYGEN} -q -s $CA_FILE -I $CERT_ID -n "$princs" -z $serial "$IDENTITY_FILE.pub" \|\|`
		`+ + fatal "Could not create SSH cert"`
		`+ +}`
		`+ +`
		`+ +do_test_log_counts() {`
		`+ cnt=$(grep -c "$log_prefix" "$TEST_SSHD_LOGFILE")`
		`+ if [ $cnt -ne 2 ]; then`
		`+ fail "expected 2 structured logging lines, got $cnt"`
		`+ @@ -43,7 +62,10 @@ test_log_counts() {`
		`+ }`
		`+`
		`+ test_json_valid() {`
		`+ - which python &>/dev/null \|\| echo 'python not found in path, skipping tests'`
		`+ + if ! $(which python &>/dev/null) ; then`
		`+ + echo 'python not found in path, skipping JSON tests'`
		`+ + return 1`
		`+ + fi`
		`+`
		`+ loglines=$(cat "$TEST_SSHD_LOGFILE" \| grep "$log_prefix")`
		`+ first=$(echo "$loglines" \| head -n1)`
		`+ @@ -55,5 +77,72 @@ test_json_valid() {`
		`+ \|\| fail "invalid json structure $last"`
		`+ }`
		`+`
		`+ -test_log_counts`
		`+ -test_json_valid`
		`+ +# todo: first/last line`
		`+ +extract_key() {`
		`+ + local key=$1`
		`+ + loglines=$(cat "$TEST_SSHD_LOGFILE" \| grep "$log_prefix")`
		`+ + last=$(echo "$loglines" \| tail -n1)`
		`+ + json=${last:$(expr length $log_prefix)}`
		`+ +`
		`+ + val=$(echo $json \| python -c "import sys, json; print(json.load(sys.stdin)[\"$key\"])") \|\|`
		`+ + fail "error extracting $key from $json"`
		`+ + echo "$val"`
		`+ +}`
		`+ +`
		`+ +test_basic_logging() {`
		`+ + ${SSH} -F $OBJ/ssh_config -v -i "$IDENTITY_FILE" somehost true \|\|`
		`+ + fatal "SSH failed"`
		`+ +`
		`+ + do_test_log_counts`
		`+ + test_json_valid \|\| return 1`
		`+ +}`
		`+ +`
		`+ +extract_hash() {`
		`+ + local source=$1`
		`+ + echo $source \| sed "s/.$SHA256:[[:print:]]\{43\}$.$/\1/"`
		`+ +}`
		`+ +`
		`+ +test_auth_info() {`
		`+ + local keyfp=$1`
		`+ + local keytype=$2`
		`+ + local princ=$3`
		`+ + local serial=$4`
		`+ +`
		`+ + ${SSH} -F $OBJ/ssh_config -v -i "$IDENTITY_FILE" somehost true \|\|`
		`+ + fatal "SSH failed"`
		`+ +`
		`+ + auth_info=$(extract_key 'auth_info')`
		`+ + digest=$(extract_hash "$keyfp")`
		`+ +`
		`+ + [ -z "$keyfp" ] \|\| echo "$auth_info" \| grep -q "$digest" \|\|`
		`+ + echo "hash digest not found"`
		`+ + [ -z "$keytype" ] \|\| echo "$auth_info" \| grep -q "$keytype" \|\|`
		`+ + echo "keytype not found"`
		`+ + [ -z "$princ" ] \|\| echo "$auth_info" \| grep -q "$princ" \|\|`
		`+ + echo "princ not found"`
		`+ + [ -z "$serial" ] \|\| echo "$auth_info" \| grep -q "$serial" \|\|`
		`+ + echo "serial not found"`
		`+ +}`
		`+ +`
		`+ +test_cert_serial() {`
		`+ + local serial=$1`
		`+ + logged_serial=$(extract_key 'cert_serial')`
		`+ + [ $serial = $logged_serial ] \|\| fail 'cert serial mismatch'`
		`+ +}`
		`+ +`
		`+ +start_sshd`
		`+ +`
		`+ +keytype="RSA"`
		`+ +keyfp=$(make_keys $keytype)`
		`+ +test_basic_logging \|\| return`
		`+ +test_auth_info "$keyfp" "$keytype"`
		`+ +`
		`+ +rm authorized_keys_$USER # force cert auth`
		`+ +`
		`+ +princ="$USER"`
		`+ +echo $princ > $AUTH_PRINC_FILE`
		`+ +`
		`+ +serial='42'`
		`+ +make_cert "$princ" "$keytype" "$serial"`
		`+ +test_auth_info "$keyfp" "$keytype" "$princ" "$serial"`
		`+ +test_cert_serial "$serial"`
		`+ Index: b/auth.c`
		`+ ===================================================================`
		`+ --- b.orig/auth.c`
		`+ +++ b/auth.c`
		`+ @@ -351,6 +351,8 @@ auth_log(struct ssh *ssh, int authentica`
		`+ extra != NULL ? ": " : "",`
		`+ extra != NULL ? extra : "");`
		`+`
		`+ + if (extra != NULL)`
		`+ + slog_set_auth_info(extra);`
		`+ free(extra);`
		`+ slog_set_auth_data(authenticated, method, authctxt->user);`
		`+`
		`+ Index: b/auth2-pubkey.c`
		`+ ===================================================================`
		`+ --- b.orig/auth2-pubkey.c`
		`+ +++ b/auth2-pubkey.c`
		`+ @@ -722,7 +722,7 @@ check_authkey_line(struct ssh *ssh, stru`
		`+ (unsigned long long)key->cert->serial,`
		`+ sshkey_type(found), fp, loc);`
		`+`
		`+ - slog_set_cert_serial(key->cert->serial);`
		`+ + slog_set_cert_serial(key->cert->serial);`
		`+ success:`
		`+ if (finalopts == NULL)`
		`+ fatal_f("internal error: missing options");`
		`+ @@ -885,6 +885,8 @@ user_cert_trusted_ca(struct ssh *ssh, st`
		`+ final_opts = NULL;`
		`+ }`
		`+ slog_set_cert_id(key->cert->key_id);`
		`+ + slog_set_cert_serial(key->cert->serial);`
		`+ +`
		`+ ret = 1;`
		`+ out:`
		`+ sshauthopt_free(principals_opts);`

fb87_log_port_forwards.patch

file added

+24

		`@@ -0,0 +1,24 @@`
		`+ Index: b/serverloop.c`
		`+ ===================================================================`
		`+ --- b.orig/serverloop.c`
		`+ +++ b/serverloop.c`
		`+ @@ -433,6 +433,7 @@ server_request_direct_tcpip(struct ssh *`
		`+ char target = NULL, originator = NULL;`
		`+ u_int target_port = 0, originator_port = 0;`
		`+ int r;`
		`+ + uid_t user;`
		`+`
		`+ if ((r = sshpkt_get_cstring(ssh, &target, NULL)) != 0 \|\|`
		`+ (r = sshpkt_get_u32(ssh, &target_port)) != 0 \|\|`
		`+ @@ -451,6 +452,11 @@ server_request_direct_tcpip(struct ssh *`
		`+ goto out;`
		`+ }`
		`+`
		`+ + user = getuid();`
		`+ + logit("Tunnel: %s:%d -> %s:%d UID(%d) user %s",`
		`+ + originator, originator_port, target, target_port, user,`
		`+ + getpwuid(user)->pw_name);`
		`+ +`
		`+ debug_f("originator %s port %u, target %s port %u",`
		`+ originator, originator_port, target, target_port);`
		`+`

fb87_log_session_id.patch

file added

+141

		`@@ -0,0 +1,141 @@`
		`+ Index: b/sshd.c`
		`+ ===================================================================`
		`+ --- b.orig/sshd.c`
		`+ +++ b/sshd.c`
		`+ @@ -1420,6 +1420,8 @@ server_accept_loop(struct ssh *ssh, int`
		`+ options.log_level,`
		`+ options.log_facility,`
		`+ log_stderr);`
		`+ +`
		`+ + set_log_session_id(); // Set log session ID for this session`
		`+ if (rexec_flag)`
		`+ close(config_s[0]);`
		`+ else {`
		`+ Index: b/auth-pam.c`
		`+ ===================================================================`
		`+ --- b.orig/auth-pam.c`
		`+ +++ b/auth-pam.c`
		`+ @@ -766,7 +766,20 @@ sshpam_init(struct ssh ssh, Authctxt a`
		`+ return (-1);`
		`+ }`
		`+ #endif`
		`+ - return (0);`
		`+ + debug("PAM: setting PAM LOG_SESSION_ID to \"%s\"", get_log_session_id());`
		`+ + {`
		`+ + char log_session_id_env[HOST_NAME_MAX + 50];`
		`+ + snprintf(log_session_id_env, sizeof(log_session_id_env),`
		`+ + "LOG_SESSION_ID=%s", get_log_session_id());`
		`+ + sshpam_err = pam_putenv(sshpam_handle, log_session_id_env);`
		`+ + if (sshpam_err != PAM_SUCCESS) {`
		`+ + pam_end(sshpam_handle, sshpam_err);`
		`+ + sshpam_handle = NULL;`
		`+ + return (-1);`
		`+ + }`
		`+ + }`
		`+ +`
		`+ + return (0);`
		`+ }`
		`+`
		`+ static void`
		`+ Index: b/log.c`
		`+ ===================================================================`
		`+ --- b.orig/log.c`
		`+ +++ b/log.c`
		`+ @@ -410,17 +410,17 @@ do_log(LogLevel level, int force, const`
		`+ tmp_handler(level, force, fmtbuf, log_handler_ctx);`
		`+ log_handler = tmp_handler;`
		`+ } else if (log_on_stderr) {`
		`+ - snprintf(msgbuf, sizeof msgbuf, "%.*s\r\n",`
		`+ - (int)sizeof msgbuf - 3, fmtbuf);`
		`+ + snprintf(msgbuf, sizeof msgbuf, "%.*s session=%s\r\n",`
		`+ + (int)sizeof msgbuf - 3, fmtbuf, get_log_session_id());`
		`+ (void)write(log_stderr_fd, msgbuf, strlen(msgbuf));`
		`+ } else {`
		`+ #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)`
		`+ openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);`
		`+ - syslog_r(pri, &sdata, "%.500s", fmtbuf);`
		`+ + syslog_r(pri, &sdata, "%.500s session=%s", fmtbuf, get_log_session_id());`
		`+ closelog_r(&sdata);`
		`+ #else`
		`+ openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);`
		`+ - syslog(pri, "%.500s", fmtbuf);`
		`+ + syslog(pri, "%.500s session=%s", fmtbuf, get_log_session_id());`
		`+ closelog();`
		`+ #endif`
		`+ }`
		`+ @@ -452,6 +452,33 @@ sshlogdie(const char file, const char `
		`+ }`
		`+`
		`+ void`
		`+ +set_log_session_id()`
		`+ +{`
		`+ + struct timeval tv;`
		`+ + char hostname[HOST_NAME_MAX + 1];`
		`+ + char session_id[HOST_NAME_MAX + 20];`
		`+ + char *s;`
		`+ + if (gethostname(hostname, sizeof(hostname)) != 0) {`
		`+ + *hostname = '\0';`
		`+ + }`
		`+ + gettimeofday(&tv, NULL);`
		`+ + snprintf(session_id, sizeof(session_id), "%s:%x.%x",`
		`+ + hostname, tv.tv_sec, tv.tv_usec);`
		`+ + setenv("LOG_SESSION_ID", session_id, 1);`
		`+ +}`
		`+ +`
		`+ +const char *`
		`+ +get_log_session_id()`
		`+ +{`
		`+ + const char *id = getenv("LOG_SESSION_ID");`
		`+ + if (!id) {`
		`+ + set_log_session_id();`
		`+ + id = getenv("LOG_SESSION_ID");`
		`+ + }`
		`+ + return id;`
		`+ +}`
		`+ +`
		`+ +void`
		`+ sshsigdie(const char file, const char func, int line, int showfunc,`
		`+ LogLevel level, const char suffix, const char fmt, ...)`
		`+ {`
		`+ Index: b/regress/session-id.sh`
		`+ ===================================================================`
		`+ --- /dev/null`
		`+ +++ b/regress/session-id.sh`
		`+ @@ -0,0 +1,23 @@`
		`+ +tid="session id"`
		`+ +`
		`+ +start_sshd`
		`+ +`
		`+ +${SSH} -F $OBJ/ssh_config somehost true`
		`+ +if [ $? -ne 0 ]; then`
		`+ + fail "ssh connect with failed"`
		`+ +fi`
		`+ +`
		`+ +expected="session=$(hostname)"`
		`+ +`
		`+ +# grab the first session ID which will be stable across session`
		`+ +sessionid=$(grep -m1 $expected $TEST_SSHD_LOGFILE \| sed -E 's/.(session=.)/\1/')`
		`+ +`
		`+ +line_count=$(grep -c $expected $TEST_SSHD_LOGFILE)`
		`+ +if [ $line_count == "0" ]; then`
		`+ + fail "No session ID lines found"`
		`+ +fi`
		`+ +`
		`+ +stable_id_count=$(grep -c $sessionid $TEST_SSHD_LOGFILE)`
		`+ +if [ $line_count != $stable_id_count ]; then`
		`+ + fail 'Mismatching session ids found'`
		`+ +fi`
		`+ Index: b/log.h`
		`+ ===================================================================`
		`+ --- b.orig/log.h`
		`+ +++ b/log.h`
		`+ @@ -68,6 +68,9 @@ const char * log_level_name(LogLevel);`
		`+ void set_log_handler(log_handler_fn , void );`
		`+ void cleanup_exit(int) __attribute__((noreturn));`
		`+`
		`+ +void set_log_session_id();`
		`+ +const char * get_log_session_id();`
		`+ +`
		`+ void sshlog(const char , const char , int, int,`
		`+ LogLevel, const char , const char , ...)`
		`+ __attribute__((format(printf, 7, 8)));`

fb87_pass_principals_to_child.patch

file added

+224

		`@@ -0,0 +1,224 @@`
		`+ diff --git a/session.c b/session.c`
		`+ --- a/session.c`
		`+ +++ b/session.c`
		`+ @@ -98,6 +98,7 @@`
		`+ #include "atomicio.h"`
		`+ #include "slog.h"`
		`+`
		`+ +#define SSH_MAX_PUBKEY_BYTES 16384`
		`+`
		`+ #if defined(KRB5) && defined(USE_AFS)`
		`+ #include <kafs.h>`
		`+ @@ -990,11 +991,18 @@`
		`+ static char **`
		`+ do_setup_env(struct ssh ssh, Session s, const char *shell)`
		`+ {`
		`+ - char buf[256];`
		`+ + char buf[SSH_MAX_PUBKEY_BYTES];`
		`+ + char *pbuf = &buf[0];`
		`+ size_t n;`
		`+ u_int i, envsize;`
		`+ char ocp, cp, value, env, laddr;`
		`+ struct passwd *pw = s->pw;`
		`+ + Authctxt *authctxt = s->authctxt;`
		`+ + struct sshkey *key;`
		`+ + size_t len = 0;`
		`+ + ssize_t total = 0;`
		`+ + struct sshkey_cert *cert;`
		`+ +`
		`+ #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)`
		`+ char *path = NULL;`
		`+ #endif`
		`+ @@ -1188,9 +1196,57 @@`
		`+ child_set_env(&env, &envsize, "SSH_USER_AUTH", auth_info_file);`
		`+ if (s->ttyfd != -1)`
		`+ child_set_env(&env, &envsize, "SSH_TTY", s->tty);`
		`+ - if (original_command)`
		`+ + if (original_command) {`
		`+ child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",`
		`+ original_command);`
		`+ + /*`
		`+ + * Set SSH_CERT_PRINCIPALS to be the principals on the ssh certificate.`
		`+ + * Only do so when a force command is present to prevent the client`
		`+ + * from changing the value of SSH_CERT_PRINCIPALS. For example, when a`
		`+ + * client is given shell access, the client can easily change the`
		`+ + * value of an environment variable by running, e.g.,`
		`+ + * ssh user@host.address 'SSH_CERT_PRINCIPALS=attacker env'`
		`+ + */`
		`+ +`
		`+ + if (authctxt->nprev_keys > 0) {`
		`+ + key = authctxt->prev_keys[authctxt->nprev_keys-1];`
		`+ + /* If a user was authorized by a certificate, set SSH_CERT_PRINCIPALS */`
		`+ + if (sshkey_is_cert(key)) {`
		`+ + cert = key->cert;`
		`+ +`
		`+ + for (i = 0; i < cert->nprincipals - 1; ++i) {`
		`+ + /*`
		`+ + * total: bytes written to buf so far`
		`+ + * 2: one for comma and one for '\0' to be added by snprintf`
		`+ + * We stop at the first principal overflowing buf.`
		`+ + */`
		`+ + if (total + strlen(cert->principals[i]) + 2 > SSH_MAX_PUBKEY_BYTES)`
		`+ + break;`
		`+ +`
		`+ + len = snprintf(pbuf, SSH_MAX_PUBKEY_BYTES-total, "%s,",`
		`+ + cert->principals[i]);`
		`+ + /* pbuf advances by len, the '\0' at the end will be overwritten */`
		`+ + pbuf += len;`
		`+ + total += len;`
		`+ + }`
		`+ +`
		`+ + if (total + strlen(cert->principals[i]) + 1 <= SSH_MAX_PUBKEY_BYTES) {`
		`+ + len = snprintf(pbuf, SSH_MAX_PUBKEY_BYTES-total, "%s",`
		`+ + cert->principals[i]);`
		`+ + total += len;`
		`+ + } else if (total > 0)`
		`+ + /*`
		`+ + * If we hit the overflow condition, remove the trailing comma.`
		`+ + * We only do so if the overflowing principal is not the first one on the`
		`+ + * certificate so that there is at least one principal in buf`
		`+ + */`
		`+ + buf[total-1] = '\0';`
		`+ +`
		`+ + if (total > 0)`
		`+ + child_set_env(&env, &envsize, "SSH_CERT_PRINCIPALS", buf);`
		`+ + }`
		`+ + }`
		`+ + }`
		`+`
		`+ if (debug_flag) {`
		`+ /* dump the environment */`
		`+ diff --git a/regress/cert-princ-env.sh b/regress/cert-princ-env.sh`
		`+ new file mode 100644`
		`+ --- /dev/null`
		`+ +++ b/regress/cert-princ-env.sh`
		`+ @@ -0,0 +1,129 @@`
		`+ +tid="cert principal env"`
		`+ +`
		`+ +# change to ecdsa`
		`+ +CERT_ID="$USER"`
		`+ +AUTH_PRINC_FILE="$OBJ/auth_principals"`
		`+ +CA_FILE="$OBJ/ca-rsa"`
		`+ +IDENTITY_FILE="$OBJ/$USER-rsa"`
		`+ +SSH_MAX_PUBKEY_BYTES=16384`
		`+ +`
		`+ +cat << EOF >> $OBJ/sshd_config`
		`+ +TrustedUserCAKeys $CA_FILE.pub`
		`+ +Protocol 2`
		`+ +PubkeyAuthentication yes`
		`+ +AuthenticationMethods publickey`
		`+ +AuthorizedPrincipalsFile $AUTH_PRINC_FILE`
		`+ +ForceCommand=/bin/env`
		`+ +EOF`
		`+ +`
		`+ +cleanup() {`
		`+ + rm -f $CA_FILE{.pub,}`
		`+ + rm -f $IDENTITY_FILE{-cert.pub,.pub,}`
		`+ + rm -f $AUTH_PRINC_FILE`
		`+ +}`
		`+ +`
		`+ +make_keys_and_certs() {`
		`+ + rm -f $CA_FILE{.pub,}`
		`+ + rm -f $IDENTITY_FILE{-cert.pub,.pub,}`
		`+ +`
		`+ + local princs=$1`
		`+ +`
		`+ + ${SSHKEYGEN} -q -t rsa -C '' -N '' -f $CA_FILE \|\|`
		`+ + fatal 'Could not create CA key'`
		`+ +`
		`+ + ${SSHKEYGEN} -q -t rsa -C '' -N '' -f $IDENTITY_FILE \|\|`
		`+ + fatal 'Could not create keypair'`
		`+ +`
		`+ + ${SSHKEYGEN} -q -s $CA_FILE -I $CERT_ID -n "$princs" -z "42" "$IDENTITY_FILE.pub" \|\|`
		`+ + fatal "Could not create SSH cert"`
		`+ +}`
		`+ +`
		`+ +test_with_expected_principals() {`
		`+ + local princs=$1`
		`+ +`
		`+ + out=$(${SSH} -E thlog -F $OBJ/ssh_config -i "$IDENTITY_FILE" somehost false) \|\|`
		`+ + fatal "SSH failed"`
		`+ +`
		`+ + echo "$out" \| grep -q "SSH_CERT_PRINCIPALS=$princs$" \|\|`
		`+ + fatal "SSH_CERT_PRINCIPALS has incorrect value"`
		`+ +}`
		`+ +`
		`+ +test_with_no_expected_principals() {`
		`+ + local princs=$1`
		`+ +`
		`+ + out=$(${SSH} -E thlog -F $OBJ/ssh_config -i "$IDENTITY_FILE" somehost false) \|\|`
		`+ + fatal "SSH failed"`
		`+ +`
		`+ + echo "$out" \| grep -vq "SSH_CERT_PRINCIPALS" \|\|`
		`+ + fatal "SSH_CERT_PRINCIPALS env should not be set"`
		`+ +`
		`+ + echo "$out" \| grep -vq "SSH_CERT_PRINCIPALS=$princs" \|\|`
		`+ + fatal "SSH_CERT_PRINCIPALS has incorrect value"`
		`+ +}`
		`+ +`
		`+ +`
		`+ +echo 'a' > $AUTH_PRINC_FILE`
		`+ +start_sshd`
		`+ +`
		`+ +principals="a,b,c,d"`
		`+ +make_keys_and_certs "$principals"`
		`+ +test_with_expected_principals "$principals"`
		`+ +`
		`+ +big_princ=$(cat /dev/urandom \| tr -dc 'a-zA-Z0-9' \| fold -w 16381 \| head -n 1)`
		`+ +make_keys_and_certs "a,$big_princ"`
		`+ +test_with_expected_principals "a,$big_princ"`
		`+ +`
		`+ +# No room for two principals`
		`+ +big_princ=$(cat /dev/urandom \| tr -dc 'a-zA-Z0-9' \| fold -w 16382 \| head -n 1)`
		`+ +make_keys_and_certs "a,$big_princ"`
		`+ +test_with_expected_principals "a"`
		`+ +`
		`+ +make_keys_and_certs "$big_princ,a"`
		`+ +test_with_expected_principals "$big_princ"`
		`+ +`
		`+ +big_princ=$(cat /dev/urandom \| tr -dc 'a-zA-Z0-9' \| fold -w 16384 \| head -n 1)`
		`+ +make_keys_and_certs "a,$big_princ"`
		`+ +test_with_expected_principals "a"`
		`+ +`
		`+ +# principal too big for buffer`
		`+ +big_princ=$(cat /dev/urandom \| tr -dc 'a-zA-Z0-9' \| fold -w $SSH_MAX_PUBKEY_BYTES \| head -n 1)`
		`+ +make_keys_and_certs "$big_princ"`
		`+ +test_with_no_expected_principals "$big_princ"`
		`+ +`
		`+ +# no matching principals in certificate and auth princ file`
		`+ +principals="b,c,d"`
		`+ +make_keys_and_certs "$principals"`
		`+ +test_with_no_expected_principals "$principals"`
		`+ +`
		`+ +stop_sshd`
		`+ +`
		`+ +cat << EOF >> $OBJ/sshd_config`
		`+ +TrustedUserCAKeys $CA_FILE.pub`
		`+ +Protocol 2`
		`+ +PubkeyAuthentication yes`
		`+ +AuthenticationMethods publickey`
		`+ +AuthorizedPrincipalsFile $AUTH_PRINC_FILE`
		`+ +EOF`
		`+ +`
		`+ +start_sshd`
		`+ +`
		`+ +# no force command, no princpals`
		`+ +principals="a,b,c,d"`
		`+ +make_keys_and_certs "$principals"`
		`+ +test_with_no_expected_principals "$principals"`
		`+ +`
		`+ +stop_sshd`
		`+ +`
		`+ +cat << EOF >> $OBJ/sshd_config`
		`+ +Protocol 2`
		`+ +PubkeyAuthentication yes`
		`+ +AuthenticationMethods publickey`
		`+ +AuthorizedPrincipalsFile $AUTH_PRINC_FILE`
		`+ +EOF`
		`+ +`
		`+ +start_sshd`
		`+ +`
		`+ +# No TrustedUserCAKeys causes pubkey auth, no principals`
		`+ +principals="a,b,c,d"`
		`+ +make_keys_and_certs "$principals"`
		`+ +test_with_no_expected_principals "$principals"`

fb87_slog.patch

file added

+1148

The added file is too large to be shown here, see it at: fb87_slog.patch

openssh.spec

file modified

+59 -1

		`@@ -5,6 +5,10 @@`
		`%global WITH_SELINUX 0`
		`%endif`

		`+ # Useful development mode for porting patches from`
		`+ # a different release`
		`+ %global use_quilt 0`
		`+`
		`%global _hardened_build 1`

		`# OpenSSH privilege separation requires a user & group ID`
		`@@ -52,7 +56,7 @@`
		`# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1`
		`%global openssh_ver 8.7p1`
		`%global openssh_rel 19`
		`- %global hyperscale_rel 2`
		`+ %global hyperscale_rel 3`
		`%global pam_ssh_agent_ver 0.10.4`
		`%global pam_ssh_agent_rel 5`

		`@@ -77,6 +81,10 @@`
		`Source13: sshd-keygen`
		`Source15: sshd-keygen.target`
		`Source16: ssh-agent.service`
		`+ %if 0%{?facebook} && 0%{?use_quilt}`
		`+ Source17: series`
		`+ BuildRequires: quilt`
		`+ %endif`

		`#https://bugzilla.mindrot.org/show_bug.cgi?id=2581`
		`Patch100: openssh-6.7p1-coverity.patch`
		`@@ -257,6 +265,35 @@`
		`# c9s specific logic factored out of openssh-7.7p1-fips.patch`
		`Patch2000: openssh-7.7p1-fips-warning.patch`

		`+ %if 0%{?facebook} && !0%{?use_quilt}`
		`+ # Add a unique log session identifier to output messages for`
		`+ # each sshd process and its children.`
		`+ Patch2010: fb87_log_session_id.patch`
		`+ # Add structured logging`
		`+ Patch2011: fb87_slog.patch`
		`+ # Add a log entry when a session is started over a local forward port.`
		`+ Patch2012: fb87_log_port_forwards.patch`
		`+ # Add a log line when a session is started over a reverse port forward.`
		`+ Patch2013: fb87_070_logging_reverse_port_forward.patch`
		`+ # Increase ssh cert max principals from 256 to 1024.`
		`+ Patch2014: fb87_810_increase_ssh_cert_max_principals.patch`
		`+ # Output a line in the logs showing the command run, or shell request`
		`+ # and the user.`
		`+ Patch2015: fb87_090_logging_shell_cmd_pty.patch`
		`+ # Output a line in the logs showing which principal was matched when`
		`+ # certificate authentication was used.`
		`+ Patch2016: fb87_080_logging_certificates.patch`
		`+ # Add verbose logging for setting env variables.`
		`+ Patch2017: fb87_log_accept_env.patch`
		`+ # Set an environment variable SSH_CERT_PRINCIPALS in the child process`
		`+ # to be the full principal list of a user's SSH certificate when forced`
		`+ # command is present and the user is authenticated by the certificate.`
		`+ Patch2018: fb87_pass_principals_to_child.patch`
		`+ # Log extra authentication information to the auth_info structured`
		`+ # logging field, and add tests for pubkey and cert auth.`
		`+ Patch2019: fb87_log_auth_info.patch`
		`+ %endif`
		`+`
		`License: BSD`
		`Requires: /sbin/nologin`

		`@@ -462,6 +499,24 @@`

		`%patch100 -p1 -b .coverity`

		`+ %if 0%{?facebook} && !0%{?use_quilt}`
		`+ %patch2010 -p1 -b .log_session_id`
		`+ %patch2011 -p1 -b .slog`
		`+ %patch2012 -p1 -b .log_port_forwards`
		`+ %patch2013 -p1 -b .logging_reverse_port_forward`
		`+ %patch2014 -p1 -b .increase_ssh_cert_max_principals`
		`+ %patch2015 -p1 -b .logging_shell_cmd_pty`
		`+ %patch2016 -p1 -b .logging_certificates`
		`+ %patch2017 -p1 -b .log_accept_env`
		`+ %patch2018 -p1 -b .pass_principals_to_child`
		`+ %patch2019 -p1 -b .log_auth_info`
		`+ %endif`
		`+`
		`+ %if 0%{?facebook} && 0%{?use_quilt}`
		`+ ln -sf %{_sourcedir} patches`
		`+ quilt push -a`
		`+ %endif`
		`+`
		`autoreconf`
		`pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}`
		`autoreconf`
		`@@ -739,6 +794,9 @@`
		`%endif`

		`%changelog`
		`+ * Wed Aug 24 2022 Kent Peacock <kentp@fb.com> 8.7p1-19.3 + 0.10.4-5.3`
		`+ - Set up local developer strategy using quilt and incorporate Meta patches`
		`+`
		`* Wed Jul 20 2022 Davide Cavalca <dcavalca@centosproject.org> - 8.7p1-19.2 + 0.10.4-5.2`
		`- Refactor and reinstate FIPS patch for el8`

series

file added

+10

		`@@ -0,0 +1,10 @@`
		`+ fb87_log_session_id.patch`
		`+ fb87_slog.patch`
		`+ fb87_log_port_forwards.patch`
		`+ fb87_070_logging_reverse_port_forward.patch`
		`+ fb87_810_increase_ssh_cert_max_principals.patch`
		`+ fb87_090_logging_shell_cmd_pty.patch`
		`+ fb87_080_logging_certificates.patch`
		`+ fb87_log_accept_env.patch`
		`+ fb87_pass_principals_to_child.patch`
		`+ fb87_log_auth_info.patch`

kentpeacock commented 2 years ago

The changes involve creating a strategy to merge Meta's local patches using quilt to effectively modify imported patches where required in order to apply cleanly. Then, bring the patches into the openssh.spec file as normal patches. Provide a dual build mode to switch between %prep application and quilt application of patches under the control of %facebook_dev. The first 10 patches integrated using this approach are included. The %facebook_dev build mode uses rpmbuild directly, with %_topdir set to the base directory of the component.

rpms / openssh

Source Code

#1 Initial check in of Meta patches Merged 2 years ago by dcavalca. Opened 2 years ago by kentpeacock. rpms/ kentpeacock/openssh c9s-sig-hyperscale-meta into c9s-sig-hyperscale

Metadata

Changes Summary 12

#1 Initial check in of Meta patches

Merged 2 years ago by dcavalca. Opened 2 years ago by kentpeacock.

rpms/ kentpeacock/openssh c9s-sig-hyperscale-meta into c9s-sig-hyperscale