authoredef <edef@edef.eu>2019-06-20 17:15:33 +0000
committeredef <edef@edef.eu>2019-07-31 12:19:36 +0000
commit9fe10288f01984963faf47e21bf1bae4d7d37962 (patch)
tree5a483dc651a9797749e83711e7a3a0892d6f51e5 /pkgs/tools/networking/openssh
parentffd9bf7e2929ec94ee3f8f3ec7b0d889eec302b4 (diff)
openssh: use ssh-keysign from PATH
ssh-keysign is used for host-based authentication, and is designed to be run
as a SUID-root program. OpenSSH defaults to referencing it from libexec, which
cannot be made SUID in Nix.
Diffstat (limited to 'pkgs/tools/networking/openssh')
-rw-r--r--pkgs/tools/networking/openssh/default.nix2
-rw-r--r--pkgs/tools/networking/openssh/ssh-keysign.patch29
2 files changed, 31 insertions, 0 deletions
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index 6ce574b9cdc..24adb554bc1 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -50,6 +50,8 @@ stdenv.mkDerivation rec {
         url = https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2.patch;
         sha256 = "0q27i9ymr97yb628y44qi4m11hk5qikb1ji1vhvax8hp18lwskds";
       })
+
+      ./ssh-keysign.patch
     ]
     ++ optional withGssapiPatches (assert withKerberos; gssapiPatch);
 
diff --git a/pkgs/tools/networking/openssh/ssh-keysign.patch b/pkgs/tools/networking/openssh/ssh-keysign.patch
new file mode 100644
index 00000000000..7258f4a4db1
--- /dev/null
+++ b/pkgs/tools/networking/openssh/ssh-keysign.patch
@@ -0,0 +1,29 @@
+diff --git a/pathnames.h b/pathnames.h
+index cb44caa4..354fdf05 100644
+--- a/pathnames.h
++++ b/pathnames.h
+@@ -124,7 +124,7 @@
+ 
+ /* Location of ssh-keysign for hostbased authentication */
+ #ifndef _PATH_SSH_KEY_SIGN
+-#define _PATH_SSH_KEY_SIGN		"/usr/libexec/ssh-keysign"
++#define _PATH_SSH_KEY_SIGN		"ssh-keysign"
+ #endif
+ 
+ /* Location of ssh-pkcs11-helper to support keys in tokens */
+diff --git a/sshconnect2.c b/sshconnect2.c
+index dffee90b..e9a86e59 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -1879,7 +1879,7 @@ ssh_keysign(struct ssh *ssh, struct sshkey *key, u_char **sigp, size_t *lenp,
+ 		closefrom(sock + 1);
+ 		debug3("%s: [child] pid=%ld, exec %s",
+ 		    __func__, (long)getpid(), _PATH_SSH_KEY_SIGN);
+-		execl(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *)NULL);
++		execlp(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *)NULL);
+ 		fatal("%s: exec(%s): %s", __func__, _PATH_SSH_KEY_SIGN,
+ 		    strerror(errno));
+ 	}
+-- 
+2.22.0
+
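Review bot: The execl() to execlp() change in the sshconnect2.c part of the patch makes the ssh-keysign binary that is actually executed depend on the PATH of whoever invokes ssh, and neither the pathnames.h define nor the Nix side records that this is deliberate; a comment above the `#define`, e.g. `/* Bare name on purpose: resolved via PATH so a SUID wrapper can be provided outside libexec (nixpkgs ssh-keysign.patch) */`, would keep the next maintainer from restoring the absolute path. Since the lookup now happens per invocation, any PATH entry writable by someone other than the invoking user decides which program runs, so the wrapper directory is presumably expected to precede such entries, and a non-SUID copy of ssh-keysign appearing earlier on PATH would likely make host-based signing fail at runtime rather than at build time; that expectation belongs in the default.nix comment or the patch header. The debug3() and fatal() messages still print `_PATH_SSH_KEY_SIGN`, which is now just `ssh-keysign`, so an exec failure no longer tells the reader where the lookup was attempted; including the PATH value in the fatal() would aid troubleshooting. ssh_keysign() itself starts and ends outside the hunk.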