Bugzilla – Attachment 2475 Details for
Bug 2277
config: add option to customize moduli file location
[patch]
config-add-option-to-customize-moduli-file-location.patch
0001-config-add-option-to-customize-moduli-file-location.patch (text/plain), 8.04 KB, created by
Alon Bar-Lev
on 2014-09-17 00:05:06 AEST
Description:
config-add-option-to-customize-moduli-file-location.patch
Filename:
MIME Type:
Creator:
Alon Bar-Lev
Created:
2014-09-17 00:05:06 AEST
Size:
8.04 KB
patch
obsolete
>From db80e7a5ef1fe14fcc60d3181c35ed2febcdbde5 Mon Sep 17 00:00:00 2001
>From: Alon Bar-Lev <alon.barlev@gmail.com>
>Date: Tue, 16 Sep 2014 16:40:46 +0300
>Subject: [PATCH] config: add option to customize moduli file location
>
>Currently all files can be customized via sshd_config, however, the
>moduli file cannot.
>
>Running sshd in unprivileged context requires customization of all
>resources, especially when some distributions sets the moduli as world
>unreadable.
>
>Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
>---
> dh.c | 9 ++++++---
> dh.h | 2 +-
> kexgexs.c | 5 ++++-
> monitor.c | 5 ++++-
> monitor_wrap.c | 3 ++-
> monitor_wrap.h | 2 +-
> servconf.c | 11 ++++++++++-
> servconf.h | 1 +
> sshd_config.0 | 4 ++++
> sshd_config.5 | 3 +++
> 10 files changed, 36 insertions(+), 9 deletions(-)
>
>diff --git a/dh.c b/dh.c
>index 3331cda..116acb1 100644
>--- a/dh.c
>+++ b/dh.c
>@@ -142,7 +142,7 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg)
> }
>
> DH *
>-choose_dh(int min, int wantbits, int max)
>+choose_dh(int min, int wantbits, int max, const char *moduli_file)
> {
> FILE *f;
> char line[4096];
>@@ -150,10 +150,13 @@ choose_dh(int min, int wantbits, int max)
> int linenum;
> struct dhgroup dhg;
>
>- if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL &&
>+ if (moduli_file == NULL)
>+ moduli_file = _PATH_DH_MODULI;
>+
>+ if ((f = fopen(moduli_file, "r")) == NULL &&
> (f = fopen(_PATH_DH_PRIMES, "r")) == NULL) {
> logit("WARNING: %s does not exist, using fixed modulus",
>- _PATH_DH_MODULI);
>+ moduli_file);
> return (dh_new_group14());
> }
>
>diff --git a/dh.h b/dh.h
>index 48f7b68..19e3d44 100644
>--- a/dh.h
>+++ b/dh.h
>@@ -32,7 +32,7 @@ struct dhgroup {
> BIGNUM *p;
> };
>
>-DH *choose_dh(int, int, int);
>+DH *choose_dh(int, int, int, const char *);
> DH *dh_new_group_asc(const char *, const char *);
> DH *dh_new_group(BIGNUM *, BIGNUM *);
> DH *dh_new_group1(void);
>diff --git a/kexgexs.c b/kexgexs.c
>index 770ad28..dfc66ef 100644
>--- a/kexgexs.c
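Review bot: The warning in the `@@ -150` hunk of dh.c still says "does not exist" although the case that motivates this patch is a moduli file that exists but is unreadable by the unprivileged user, so an administrator who points ModuliFile at such a path gets a misleading message and a fallback to the fixed group-14 modulus. Save the errno from the first fopen() before the `_PATH_DH_PRIMES` attempt overwrites it and report it, e.g. `logit("WARNING: %s could not be opened (%s), using fixed modulus", moduli_file, strerror(saved_errno));`. This needs `<errno.h>` and `<string.h>` if dh.c does not already include them; the rest of choose_dh lies outside the hunk.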
>+++ b/kexgexs.c
>@@ -49,6 +49,9 @@
> #include "ssh-gss.h"
> #endif
> #include "monitor_wrap.h"
>+#include "servconf.h"
>+
>+extern ServerOptions options;
>
> void
> kexgex_server(Kex *kex)
>@@ -98,7 +101,7 @@ kexgex_server(Kex *kex)
> omin, onbits, omax);
>
> /* Contact privileged parent */
>- dh = PRIVSEP(choose_dh(min, nbits, max));
>+ dh = PRIVSEP(choose_dh(min, nbits, max, options.moduli_file));
> if (dh == NULL)
> packet_disconnect("Protocol error: no matching DH grp found");
>
>diff --git a/monitor.c b/monitor.c
>index 531c4f9..3bec772 100644
>--- a/monitor.c
>+++ b/monitor.c
>@@ -635,10 +635,13 @@ mm_answer_moduli(int sock, Buffer *m)
> {
> DH *dh;
> int min, want, max;
>+ const char *moduli_file;
>+ u_int datlen;
>
> min = buffer_get_int(m);
> want = buffer_get_int(m);
> max = buffer_get_int(m);
>+ moduli_file = buffer_get_string(m, &datlen);
>
> debug3("%s: got parameters: %d %d %d",
> __func__, min, want, max);
>@@ -649,7 +652,7 @@ mm_answer_moduli(int sock, Buffer *m)
>
> buffer_clear(m);
>
>- dh = choose_dh(min, want, max);
>+ dh = choose_dh(min, want, max, moduli_file);
> if (dh == NULL) {
> buffer_put_char(m, 0);
> return (0);
>diff --git a/monitor_wrap.c b/monitor_wrap.c
>index 1a47e41..3c544c6 100644
>--- a/monitor_wrap.c
>+++ b/monitor_wrap.c
>@@ -175,7 +175,7 @@ mm_request_receive_expect(int sock, enum monitor_reqtype type, Buffer *m)
> }
>
> DH *
>-mm_choose_dh(int min, int nbits, int max)
>+mm_choose_dh(int min, int nbits, int max, const char *moduli_file)
> {
> BIGNUM *p, *g;
> int success = 0;
>@@ -185,6 +185,7 @@ mm_choose_dh(int min, int nbits, int max)
> buffer_put_int(&m, min);
> buffer_put_int(&m, nbits);
> buffer_put_int(&m, max);
>+ buffer_put_string(&m, moduli_file, strlen(moduli_file)+1);
>
> mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_MODULI, &m);
>
>diff --git a/monitor_wrap.h b/monitor_wrap.h
>index 18c2501..438af18 100644
>--- a/monitor_wrap.h
>+++ b/monitor_wrap.h
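Review bot: The privileged monitor now opens whatever path the unprivileged child sends it, because `moduli_file = buffer_get_string(m, &datlen);` in the `@@ -635` hunk of mm_answer_moduli is handed straight to choose_dh in the `@@ -649` hunk; the point of privilege separation is that the child cannot steer the monitor's file access, so the monitor should take the path from its own parsed server options rather than from the request, which also makes the `extern ServerOptions options;` added to kexgexs.c and the extra wire argument in mm_choose_dh unnecessary. The string buffer_get_string returns is heap-allocated and is not freed on the paths visible in the hunk (the end of mm_answer_moduli lies outside it). If the wire argument is kept anyway, the `strlen(moduli_file)+1` / buffer_get_string pair in monitor_wrap.c and monitor.c should become `buffer_put_cstring(&m, moduli_file);` and `moduli_file = buffer_get_cstring(m, NULL);`, which rejects embedded NULs instead of shipping a trailing NUL byte, and the monitor should still accept only its own configured path.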
>@@ -39,7 +39,7 @@ struct Authctxt;
>
> void mm_log_handler(LogLevel, const char *, void *);
> int mm_is_monitor(void);
>-DH *mm_choose_dh(int, int, int);
>+DH *mm_choose_dh(int, int, int, const char *);
> int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
> void mm_inform_authserv(char *, char *);
> struct passwd *mm_getpwnamallow(const char *);
>diff --git a/servconf.c b/servconf.c
>index 47ed815..5a0c9bd 100644
>--- a/servconf.c
>+++ b/servconf.c
>@@ -80,6 +80,7 @@ initialize_server_options(ServerOptions *options)
> options->num_host_key_files = 0;
> options->num_host_cert_files = 0;
> options->host_key_agent = NULL;
>+ options->moduli_file = NULL;
> options->pid_file = NULL;
> options->server_key_bits = -1;
> options->login_grace_time = -1;
>@@ -189,6 +190,8 @@ fill_default_server_options(ServerOptions *options)
> options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
> if (options->listen_addrs == NULL)
> add_listen_addr(options, NULL, 0);
>+ if (options->moduli_file == NULL)
>+ options->moduli_file = _PATH_DH_MODULI;
> if (options->pid_file == NULL)
> options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
> if (options->server_key_bits == -1)
>@@ -335,7 +338,7 @@ typedef enum {
> sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
> sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
> sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
>- sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
>+ sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sModuliFile, sPidFile,
> sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
> sMaxStartups, sMaxAuthTries, sMaxSessions,
> sBanner, sUseDNS, sHostbasedAuthentication,
>@@ -374,6 +377,7 @@ static struct {
> { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
> { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
> { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
>+ { "modulifile", sModuliFile, SSHCFG_GLOBAL },
> { "pidfile", sPidFile, SSHCFG_GLOBAL },
> { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
> { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
>@@ -1016,6 +1020,10 @@ process_server_config_line(ServerOptions *options, char *line,
> goto parse_filename;
> break;
>
>+ case sModuliFile:
>+ charptr = &options->moduli_file;
>+ goto parse_filename;
>+
> case sPidFile:
> charptr = &options->pid_file;
> goto parse_filename;
>@@ -2029,6 +2037,7 @@ dump_config(ServerOptions *o)
> dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
>
> /* string arguments */
>+ dump_cfg_string(sModuliFile, o->moduli_file);
> dump_cfg_string(sPidFile, o->pid_file);
> dump_cfg_string(sXAuthLocation, o->xauth_location);
> dump_cfg_string(sCiphers, o->ciphers ? o->ciphers :
>diff --git a/servconf.h b/servconf.h
>index ab41f05..c98ef6d 100644
>--- a/servconf.h
>+++ b/servconf.h
>@@ -66,6 +66,7 @@ typedef struct {
> char *host_cert_files[MAX_HOSTCERTS]; /* Files containing host certs. */
> int num_host_cert_files; /* Number of files for host certs. */
> char *host_key_agent; /* ssh-agent socket for host keys. */
>+ char *moduli_file; /* DH Moduli file. */
> char *pid_file; /* Where to put our pid */
> int server_key_bits;/* Size of the server key. */
> int login_grace_time; /* Disconnect if no auth in this time
>diff --git a/sshd_config.0 b/sshd_config.0
>index f8af8c1..69747f7 100644
>--- a/sshd_config.0
>+++ b/sshd_config.0
>@@ -527,6 +527,10 @@ DESCRIPTION
> increases linearly and all connection attempts are refused if the
> number of unauthenticated connections reaches ``full'' (60).
>
>+ ModuliFile
>+ Specifies where moduli file is located. The default
>+ is /etc/ssh/moduli.
>+
> PasswordAuthentication
> Specifies whether password authentication is allowed. The
> default is ``yes''.
>diff --git a/sshd_config.5 b/sshd_config.5
>index 6126a7f..1b09c9f 100644
>--- a/sshd_config.5
>+++ b/sshd_config.5
>@@ -889,6 +889,9 @@ The probability increases linearly and all connection attempts
> are refused if the number of unauthenticated connections reaches
> .Dq full
> (60).
>+.It Cm ModuliFile
>+Specifies where moduli file is located. The default is
>+.Pa /etc/ssh/moduli .
> .It Cm PasswordAuthentication
> Specifies whether password authentication is allowed.
> The default is
>--
>1.8.5.5
>