sync from sp1

(cherry picked from commit c9ca9cd82558ea419c793bc6d372bbc1ac52519f)

backport-upstream-ssh-keygen-Y-check-novalidate-requires-name.patch

@@ -0,0 +1,41 @@
+From a0b5816f8f1f645acdf74f7bc11b34455ec30bac Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 18 Mar 2022 02:31:25 +0000
+Subject: [PATCH] upstream: ssh-keygen -Y check-novalidate requires namespace
+ or SEGV
+
+will ensue. Patch from Mateusz Adamowski via GHPR#307
+
+OpenBSD-Commit-ID: 99e8ec38f9feb38bce6de240335be34aedeba5fd
+Reference:https://github.com/openssh/openssh-portable/commit/a0b5816f8f1f645acdf74f7bc11b34455ec30bac
+Conflict:NA
+---
+ ssh-keygen.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/ssh-keygen.c b/ssh-keygen.c
+index d2b4781..9559f70 100644
+--- a/ssh-keygen.c
++++ b/ssh-keygen.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-keygen.c,v 1.398 2020/02/07 03:27:54 djm Exp $ */
++/* $OpenBSD: ssh-keygen.c,v 1.449 2022/03/18 02:31:25 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -3405,6 +3405,12 @@ main(int argc, char **argv)
+ 			return sig_sign(identity_file, cert_principals,
+ 			    argc, argv);
+ 		} else if (strncmp(sign_op, "check-novalidate", 16) == 0) {
++           if (cert_principals == NULL ||
++               *cert_principals == '\0') {
++               error("Too few arguments for check-novalidate: "
++                   "missing namespace");
++               exit(1);
++           }
+ 			if (ca_key_path == NULL) {
+ 				error("Too few arguments for check-novalidate: "
+ 				      "missing signature file");
+-- 
+2.23.0
+

openssh.spec

@@ -6,7 +6,7 @@
 %{?no_gtk2:%global gtk2 0}
 
 %global sshd_uid    74
-%global openssh_release 22
+%global openssh_release 28
 
 Name:           openssh
 Version:        8.2p1
@@ -29,6 +29,7 @@ Source12:       sshd-keygen@.service
 Source13:       sshd-keygen
 Source14:       sshd.tmpfiles
 Source15:       sshd-keygen.target
+Source16:       ssh-keygen-bash-completion.sh
 Patch0:         openssh-6.7p1-coverity.patch
 Patch1:         openssh-7.6p1-audit.patch
 Patch2:         openssh-7.1p2-audit-race-condition.patch
@@ -97,14 +98,17 @@ Patch64:        backport-CVE-2021-41617-2.patch
 Patch65:        backport-CVE-2021-28041.patch
 Patch66:        backport-change-convtime-form-returning-long-to-returning-int.patch
 Patch67:        backport-change-types-in-convtime-unit-test-to-int-to-match.patch
-Patch68:        backport-fix-possible-NULL-deref-when-built-without-FIDO.patch
-Patch69:        set-ssh-config.patch
-Patch70:        backport-fix-CVE-2023-38408-upstream-terminate-process.patch
-Patch71:        backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch
+Patch68:        feature-add-SMx-support.patch
+Patch69:        backport-upstream-ssh-keygen-Y-check-novalidate-requires-name.patch
+Patch70:        backport-fix-possible-NULL-deref-when-built-without-FIDO.patch
+Patch71:        backport-fix-CVE-2023-38408-upstream-terminate-process.patch
+Patch72:        set-ssh-config.patch
+Patch73:        backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch
 
 Requires:       /sbin/nologin
 Requires:       libselinux >= 2.3-5 audit-libs >= 1.0.8
-Requires:       openssh-server = %{version}-%{release} %{name}-help
+Requires:       openssh-server = %{version}-%{release}
+Requires:       openssl-libs >= 1:1.1.1f-1
 
 BuildRequires:  gtk2-devel libX11-devel openldap-devel autoconf automake perl-interpreter perl-generators
 BuildRequires:  zlib-devel audit-libs-devel >= 2.0.5 util-linux groff pam-devel fipscheck-devel >= 1.3.0
@@ -274,6 +278,8 @@ popd
 %patch69 -p1
 %patch70 -p1
 %patch71 -p1
+%patch72 -p1
+%patch73 -p1
 
 autoreconf
 pushd pam_ssh_agent_auth-0.10.3
@@ -354,6 +360,7 @@ mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
 mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d
 mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
 mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
+mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/bash_completion.d
 
 %make_install
 
@@ -377,6 +384,7 @@ install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
 install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
 install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf
 install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
+install -m644 %{SOURCE16} $RPM_BUILD_ROOT/etc/bash_completion.d/ssh-keygen-bash-completion.sh
 
 ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
 install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
@@ -415,6 +423,7 @@ getent passwd sshd >/dev/null || \
 %attr(0755,root,root) %{_bindir}/ssh-keygen
 %attr(0755,root,root) %dir %{_libexecdir}/openssh
 %attr(2555,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
+%attr(0644,root,root) %{_sysconfdir}/bash_completion.d/ssh-keygen-bash-completion.sh
 
 %files clients
 %attr(0755,root,root) %{_bindir}/ssh
@@ -480,58 +489,97 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 
 %changelog
-* Mon Dec 25 2023 renmingshuai<renmingshuai@huawei.cn> - 8.2p1-22
+* Mon Dec 25 2023 renmingshuai<renmingshuai@huawei.cn> - 8.2p1-28
 - Type:CVE
 - CVE:CVE-2023-51385
 - SUG:NA
 - DESC:fix CVE-2023-51385
 
-* Wed Aug 02 2023 wangqia <wangqia@uniontech.com> - 8.2p1-21
-- CVE:CVE-2023-38408
-
-* Thu Jul 27 2023 renmingshuai<renmingshuai@huawei.cn> - 8.2p1-20
+* Thu Jul 27 2023 renmingshuai<renmingshuai@huawei.cn> - 8.2p1-27
 - Type:CVE
 - CVE:CVE-2023-38408
 - SUG:NA
-- DESC:fix CVE-2023-38408
+- DESC:fix CVE-2023-38408 and set ssh default config
 
-* Tue Feb 28 2023 renmingshuai<renmingshuai@huawei.cn> - 8.2p1-19
-- Type:bugfix
-- CVE:NA
-- SUG:NA
-- DESC:set default ssh_config
-
-* Mon Jan 09 2023 renmingshuai<renmingshuai@huawei.cn> - 8.2p1-18
+* Mon Jan 09 2023 renmingshuai<renmingshuai@huawei.cn> - 8.2p1-26
 - Type:bugfix
 - CVE:
 - SUG:NA
 - DESC:fix possible NULL deref when built without FIDO
 
-* Fri Jan 06 2023 renmingshuai<renmingshuai@hauwei.com> - 8.2p1-17
-- Type:requirement
-- CVE:NA
-- SUG:NA
-- DESC:enable make tests
-
-* Tue Feb 8 2022 renmingshuai<renmingshuai@hauwei.com> - 8.2P1-16
+* Tue Jan 03 2023 renmingshuai<renmingshuai@huawei.cn> - 8.2p1-25
 - Type:bugfix
-- CVE:NA
+- CVE:
 - SUG:NA
-- DESC:change convtime from returning long to returning int
+- DESC:always make tests
 
-* Wed Dec 15 2021 renmingshuai<renmingshuai@hauwei.com> - 8.2P1-15
+* Mon Nov 28 2022 renmingshuai<renmingshuai@huawei.cn> - 8.2P1-24
+- Type:bugfix
+- CVE:
+- SUG:NA
+- DESC:ssh-keygen -Y check-novalidate requires namespace or SEGV
+
+* Fri Sep 9 2022 lvfei<lvfei@kylinos.cn> - 8.2P1-23
+- Type:bugfix
+- CVE:
+- SUG:NA
+- DESC: remove require openssh-help version
+
+* Thu Sep 8 2022 licihua<licihua@huawei.com> - 8.2P1-22
+- Type:bugfix
+- CVE:
+- SUG:NA
+- DESC: define openssh-develp version
+
+* Wed Sep 5 2022 renmingshuai<renmingshuai@huawei.com> - 8.2P1-21
+- Type:bugfix
+- CVE:
+- SUG:NA
+- DESC:add require openssl version
+
+* Mon Sep 5 2022 renmingshuai<renmingshuai@huawei.com> - 8.2P1-20
+- Type:bugfix
+- CVE:
+- SUG:NA
+- DESC:set ssh_config
+
+* Mon Sep 5 2022 renmingshuai<renmingshuai@huawei.com> - 8.2P1-19
+- Type:bugfix
+- CVE:
+- SUG:NA
+- DESC:add ssh-keygen bash completion
+
+* Sat Sep 3 2022 renmingshuai<renmingshuai@huawei.com> - 8.2P1-18
+- Type:bugfix
+- CVE:
+- SUG:NA
+- DESC:modify After=network.target in sshd.service
+
+* Thu Sep 1 2022 renmingshuai<renmingshuai@huawei.com> - 8.2P1-17
+- Type:requirement
+- CVE:
+- SUG:NA
+- DESC:add SMx support in openssh
+
+* Tue Feb 8 2022 renmingshuai<renmingshuai@huawei.com> - 8.2P1-16
+- Type:bugfix
+- CVE:
+- SUG:NA
+- DESC:change convtime form returning long to returning int
+
+* Wed Dec 15 2021 renmingshuai<renmingshuai@huawei.com> - 8.2P1-15
 - Type:cves
 - CVE:CVE-2021-28041
 - SUG:NA
 - DESC:fix CVE-2021-28041
 
-* Sat Oct 09 2021 renmingshuai<renmingshuai@hauwei.com> - 8.2P1-14
+* Sat Oct 09 2021 renmingshuai<renmingshuai@huawei.com> - 8.2P1-14
 - Type:bugfix
 - CVE:CVE-2021-41617
 - SUG:NA
 - DESC:fix CVE-2021-41617
 
-* Sat Aug 7 2021 seuzw<930zhaowei@163.com> - 8.2P1-13
+* Mon Aug 09 2021 chxssg<chxssg@qq.com> - 8.2P1-13
 - Type:bugfix
 - CVE:NA
 - SUG:NA
@@ -543,28 +591,28 @@ getent passwd sshd >/dev/null || \
 - SUG:NA
 - DESC:add strict-scp-check for check command injection
 
-* Wed Jul 21 2021 panchenbo<panchenbo@uniontech.com> - 8.2P1-11
+* Mon Jul 12 2021 panchenbo<panchenbo@uniontech.com> - 8.2P1-11
 - fix pam_ssh_agent_auth.8.gz conflicts
 
-* Fri May 21 2021 renmingshuai<renmingshuai@huawei.com> - 8.2P1-10
-- Type:cves
-- ID:NA
-- SUG:NA
-- DESC:fix /etc/ssh generate key file access permission error
-
-* Tue Jan 12 2021 yuboyun<yuboyun@huawei.com> - 8.2P1-9
+* Tue Jan 12 2021 yuboyun<yuboyun@huawei.com> - 8.2P1-10
 - Type:cves
 - ID:CVE-2020-14145
 - SUG:NA
 - DESC:Fix CVE-2020-14145
 
-* Wed Nov 18 2020 gaihuiying<gaihuiying1@huawei.com> - 8.2P1-8
+* Fri Dec 18 2020 gaihuiying<gaihuiying1@huawei.com> - 8.2P1-9
 - Type:bugfix
 - CVE:NA
 - SUG:NA
-- DESC:adjust pam_ssh_agent_auth release number
+- DESC:update key file permissions to 600
 
-* Tue Nov 17 2020 gaihuiying<gaihuiying1@huawei.com> - 8.2P1-7
+* Wed Dec 09 2020 quanhongfei<quanhongfei@huawei.com> - 8.2P1-8
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix /etc/ssh/ generate key file access premission error
+
+* Wed Nov 18 2020 gaihuiying<gaihuiying1@huawei.com> - 8.2P1-7
 - Type:bugfix
 - CVE:NA
 - SUG:NA

set-ssh-config.patch

@@ -21,7 +21,7 @@ index df22e2f..46b0987 100644
 +	ForwardX11Trusted yes
 +	SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
 +	SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-+	SendEnv LC_IDENTIFIACTION LC_ALL_LANGUAGE
++	SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
 +	SendEnv XMODIFIERS
 +
  Include /etc/ssh/ssh_config.d/*.conf

ssh-keygen-bash-completion.sh

@@ -0,0 +1,63 @@
+# ssh-keygen(1) completion                                 -*- shell-script -*-
+
+_ssh_keygen()
+{
+    local cur prev words cword
+    _init_completion -n = || return
+
+    case $prev in
+        -*[abCIJjMNnrPSVWz])
+            return
+            ;;
+        -*E)
+            COMPREPLY=( $(compgen -W 'md5 sha256' -- "$cur") )
+            return
+            ;;
+        -*[FR])
+            # TODO: trim this down to actual entries in known hosts files
+            _known_hosts_real -- "$cur"
+            return
+            ;;
+        -*D)
+            _filedir so
+            return
+            ;;
+        -*[fGKsT])
+            _filedir
+            return
+            ;;
+        -*m)
+            COMPREPLY=( $(compgen -W 'PEM PKCS8 RFC4716' -- "$cur") )
+            return
+            ;;
+        -*O)
+            if [[ $cur != *=* ]]; then
+                COMPREPLY=( $(compgen -W 'clear force-command=
+                    no-agent-forwarding no-port-forwarding no-pty no-user-rc
+                    no-x11-forwarding permit-agent-forwarding
+                    permit-port-forwarding permit-pty permit-user-rc
+                    permit-x11-forwarding source-address=' -- "$cur") )
+                [[ $COMPREPLY == *= ]] && compopt -o nospace
+            fi
+            return
+            ;;
+        -*t)
+            local protocols=$(_xfunc ssh _ssh_query "$1" protocol-version)
+            local types='dsa ecdsa ed25519 rsa sm2'
+            if [[ $protocols == *1* ]]; then
+                types+=' rsa1'
+            fi
+            COMPREPLY=( $(compgen -W "$types" -- "$cur") )
+            return
+            ;;
+    esac
+
+    if [[ $cur == -* ]]; then
+        local opts=$(_parse_usage "$1" "-?")
+        [[ -z "$opts" ]] && opts=$(_parse_help "$1" "-?")  # OpenSSH < 7
+        COMPREPLY=( $(compgen -W "$opts" -- "$cur") )
+    fi
+} &&
+complete -F _ssh_keygen ssh-keygen
+
+# ex: filetype=sh

sshd.service

@@ -1,7 +1,8 @@
+# /usr/lib/systemd/system/sshd.service
 [Unit]
 Description=OpenSSH server daemon
 Documentation=man:sshd(8) man:sshd_config(5)
-After=network.target sshd-keygen.target
+After=network-online.target sshd-keygen.target
 Wants=sshd-keygen.target
 
 [Service]