bugzilla-daemon at mindrot.org
2015-Jun-03  07:47 UTC
[Bug 2408] New: Expose authentication information to PAM
https://bugzilla.mindrot.org/show_bug.cgi?id=2408
            Bug ID: 2408
           Summary: Expose authentication information to PAM
           Product: Portable OpenSSH
           Version: -current
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: PAM support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: dgy.jr92 at gmail.com
It would be beneficial if sshd could expose details about the
previously successful authentications to the loaded PAM modules when
PAM authentication is used (typically the last method in the chain).
E.g. sshd could set a PAM environment variable that holds the useful
information, like this:
SSH_USER_AUTH=hostbased RSA SHA256:Iw75Ex+Re8WyIjqHEukxHtwz2weTFTBLPD2J9doYEfU, publickey CA ED25519 SHA256:rLKEbjpoN2+kuMQB7EiPqaeHut65ZfSe/z1EaWtKEmk Cert ID djm at mindrot.org Serial 27908739, password
This way, a smart PAM stack could make decisions based upon the
previously successful authentication methods and/or the supplied
credentials. For example, one might want to invoke different PAM
modules when the user has been successfully authenticated via GSS-API
than otherwise. (For more detailed description of my particular use
case, please check out:
http://serverfault.com/questions/690038/openssh-two-factor-authentication-combined-with-kerberos-public-key)
You can also find some rudimental, PoC code that shows what I've been
playing with as a start:
https://github.com/dgyuri92/openssh-portable/tree/f/pam_auth_list
For further questions about the idea, please feel free to contact me
via e-mail. Thanks a lot.
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2015-Nov-19  21:43 UTC
Vincent Brillault <git at lerya.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |git at lerya.net
--- Comment #1 from Vincent Brillault <git at lerya.net> ---
Created attachment 2754
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2754&action=edit
Expose successful auth methods via environments (pam and shell)
The attached patch exposes the authentication methods that were
successful during the authentication to PAM via a PAM environment
variable and to the child shell via an environment variable.
It is inspired by the PoC written by György Demarcsek and the
comments he received but uses a different architecture:
- Any Authmethod can fill a "last_details" variable in the Authctxt in
case of success. It should fill it with details about the credentials
(e.g. RSA fingerprint)
- After each success, userauth_finish at auth2.c aggregates the method used
plus, if existing, this data into a "auth_details" variable in the
Authctxt
- When creating a new PAM session, export "auth_details" as
"SSH_USER_AUTH"
- When creating a shell session, export "auth_details" as
"SSH_USER_AUTH", overriding if necessary the value coming from PAM
- Support Privilege Separation (in a somehow degraded form)
I've in fact written 8 atomic patches (aggregated into this one). They
are available, with some comments in the commit, on Github:
https://github.com/openssh/openssh-portable/compare/master...Feandil:master
This patch has been tested on openssh-7.1p1 with the publickey and
keyboard-interactive methods and considering the following Privilege
Separation cases: Off, On, Sandbox (seccomp).
Some improvements could be built on top of this patch:
- Under Privilege Separation, expose details from key authentication
- In auth2-gss (in particular gss-serv-krb5) expose details about the
credentials (e.g. the kerberos principal)
However these improvements seem more complex and could maybe be added in
a later patch?
bugzilla-daemon at bugzilla.mindrot.org
2016-Feb-19  07:08 UTC
Johan <johan at stromnet.se> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |johan at stromnet.se
--- Comment #2 from Johan <johan at stromnet.se> ---
Hi,
just want to +1 for this feature, as this is something I'm looking for
as well.
In my case I'd like to use pam_google_authenticator for certain public
keys only.
Johan
bugzilla-daemon at bugzilla.mindrot.org
2016-Feb-23  15:47 UTC
Vincent Brillault <git at lerya.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2754|0                           |1
        is obsolete|                            |
--- Comment #3 from Vincent Brillault <git at lerya.net> ---
Created attachment 2791
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2791&action=edit
Expose successful auth methods via environments (pam and shell)
New version of my patch:
- Rebased on latest openssh sources
- Fix a memory leak in pubkey_auth_info
- Rename/move the newly created function pubkey_format at auth.h to
sshkey_format_oneline at sshkey.h as it does not depend on auth.h at all
but is simply a sshkey function (added an argument for the fingerprint
hash)
- When using PrivSep, expose details from key authentication (by
extracting it from mm_answer_keyverify and using
sshkey_format_oneline at sshkey.h)
This new version makes the patch behave similarly with and without
privilege separation.
bugzilla-daemon at bugzilla.mindrot.org
2016-Feb-24  10:50 UTC
Vincent Brillault <git at lerya.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2791|0                           |1
        is obsolete|                            |
--- Comment #4 from Vincent Brillault <git at lerya.net> ---
Created attachment 2792
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2792&action=edit
Expose successful auth methods via environments (pam and shell)
Dear all,
Sorry for the spamming, but I just realized that it is possible to
expose the 'displayname' of gssapi authentication without a big
modification. This new patch now exposes it but unfortunately I was
only able to test a port of this patch on Centos sources and not this
one directly as the only kerberos-enabled system I have is a Centos
system.
This patch is now feature-complete with the feature I was thinking
about, but if you see an authentication method that I missed and could
also expose relevant information, please tell me.
In the end this patch creates two new functions, both returning a
char* which needs to be freed:
- ssh_gssapi_get_displayname to get the displayname from a gssapi
session
- sshkey_format_oneline to format a ssh key as it was formatted in
pubkey_auth_info
I'm not really good at naming and if anyone has better names for these
functions, your advice would be appreciated.
Thanks in advance,
Vincent Brillault
PS: individual patches can be found on github:
https://github.com/openssh/openssh-portable/compare/master...CERN-CERT:master
bugzilla-daemon at bugzilla.mindrot.org
2016-Mar-30  11:56 UTC
nick.moriarty at york.ac.uk changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nick.moriarty at york.ac.uk
bugzilla-daemon at bugzilla.mindrot.org
2016-Apr-14  11:36 UTC
Jakub Jelen <jjelen at redhat.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jjelen at redhat.com
--- Comment #5 from Jakub Jelen <jjelen at redhat.com> ---
This seems to be a reasonable way to communicate authentication details
with PAM and a missing piece in the troublesome two-factor authentication
in SSH. I didn't find any problem with this patch.
The only thought coming to my mind is possible disclosure of user data
to running application(s). I would also consider adding some knob to
turn this export off (ExportUserauthEnvironment ?) and turn it off by
default. Still, using 2FA is not too common in SSH deployments.
bugzilla-daemon at bugzilla.mindrot.org
2016-May-02  14:14 UTC
--- Comment #6 from Vincent Brillault <git at lerya.net> ---
Created attachment 2812
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2812&action=edit
Also add a configuration option to control the exposure
Sorry for the delay. Adding an option to control the exposure of the
authentication methods (and its details) to both PAM and the final shell
session is a very good idea. I've attached a new patch which should add
that option, but I didn't have time to test it yet. I will port it to our
centos-based release and test it.
This patch introduces a new option, ExposeAuthenticationMethods, which has
3 valid values:
- never: never expose the successful authentication methods
- pam-only: expose them (in details) to pam only, remove them from the
final environment (DEFAULT)
- pam-and-env: in addition to pam, expose them in the final session
Feel free to propose a better name or better values, they currently sound
awful (esp. "pam-and-env")
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-01  12:26 UTC
Vincent Brillault <git at lerya.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2792|0                           |1
        is obsolete|                            |
   Attachment #2812|0                           |1
        is obsolete|                            |
--- Comment #8 from Vincent Brillault <git at lerya.net> ---
Created attachment 2846
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2846&action=edit
Expose successful auth methods via environments (pam and shell)
Sorry for the delay.
Here is a new version of the patch:
- Defining the parameter as SSHCFG_ALL, to be used in a Match block
- Setting default value to EXPOSE_AUTHMETH_NEVER (I don't have a strong
opinion on the default, 'pam-only' would simplify the transition for me,
but I can adapt)
I'm adding a new version of the patch here in the ticket tracker, but
all the atomic patches are available on our Github repo
(https://github.com/CERN-CERT/openssh-portable) and the associated PR:
https://github.com/openssh/openssh-portable/pull/47
For Redhat/Centos 7 based openssh versions, we also have adapted
patches (used internally):
https://github.com/CERN-CERT/pam_2fa/tree/gh-pages/atomic
bugzilla-daemon at bugzilla.mindrot.org
2017-May-16  02:15 UTC
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
--- Comment #9 from Damien Miller <djm at mindrot.org> ---
Created attachment 2978
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2978&action=edit
Refactor authctxt information, provide SSH_USER_AUTH
There's a few overlapping pieces of information already managed via
authctxt - strings for auth_log() and the list of already-attempted
keys, etc. and I wanted to make the code less confusing and brittle.
So this refactors what's there and uses that refactoring to implement
SSH_USER_AUTH in the user and PAM environments. I haven't included an
sshd_config knob to control it. I don't think that it's necessary to
restrict its visibility to PAM at all, but I might add something to
control it ending up in the user environment. Note that I've added
filtering of the PAM environment copied back into the user's
environment to ensure that SSH_USER_AUTH doesn't "leak" if/when I do
add such a knob.
The contents of SSH_USER_AUTH are a bit different to Vincent's patch.
The environment variable gets filled with a \n separated list of:
method[/submethod] [extra info]
For each authentication method that succeeded partially or completely.
Note that this might include authentication methods that didn't
actually contribute to the final success (e.g. if you had
"AuthenticationMethods publickey,password hostbased,password" and then
authenticated using publickey, hostbased, then password), but I don't
think this is a big problem.
For GSSAPI, the "extra info" is the displayname - identical to
Vincent's patch.
For public key and hostbased authentication it's the full key(s) used.
I figure that this is more general than fingerprints, since you can get
all of those via ssh-keygen anyway if you need them. In particular, it
permits the use of custom certificate extensions that can be read out
using "ssh-keygen -L" that would otherwise have been invisible.
Password and kbd-int have no extra information at present (though
kbd-int may set a /submethod).
bugzilla-daemon at bugzilla.mindrot.org
2017-May-17  01:10 UTC
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2978|0                           |1
        is obsolete|                            |
--- Comment #10 from Damien Miller <djm at mindrot.org> ---
Created attachment 2980
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2980&action=edit
add ExposeAuthInfo option
This adds a knob (default=off) to control exposing SSH_AUTH_INFO via
the environment. It's still unconditionally sent to PAM though - are
there any cases where this would be harmful?
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-24  13:24 UTC
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2846|0                           |1
        is obsolete|                            |
   Attachment #2980|0                           |1
        is obsolete|                            |
                 CC|                            |dtucker at zip.com.au
   Attachment #2999|                            |ok?(dtucker at zip.com.au)
              Flags|                            |
--- Comment #11 from Damien Miller <djm at mindrot.org> ---
Created attachment 2999
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2999&action=edit
expose to PAM
User authentication information is now available via SSH_USER_AUTH when
sshd_config ExposeAuthInfo is enabled. The design drifted a little from
the last patch: the environment variable now points to a file that
contains the information rather than including it directly.
This patch implements the PAM part. The authentication information is
exposed to PAM session modules by a PAM environment variable
SSH_USER_AUTH_0, the "0" being a version number in case we ever need to
change the format.
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-24  13:25 UTC
--- Comment #12 from Damien Miller <djm at mindrot.org> ---
BTW the non-PAM part was committed in
https://anongit.mindrot.org/openssh.git/commit/?id=8f574959272ac7fe9239c4f5d10fd913f8920ab0
bugzilla-daemon at bugzilla.mindrot.org
2017-Jul-28  04:55 UTC
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2999|ok?(dtucker at zip.com.au)     |
              Flags|                            |
   Attachment #2999|0                           |1
        is obsolete|                            |
           Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
             Status|NEW                         |ASSIGNED
   Attachment #3022|                            |ok?(dtucker at zip.com.au)
              Flags|                            |
--- Comment #13 from Damien Miller <djm at mindrot.org> ---
Created attachment 3022
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3022&action=edit
Expose SSH_AUTH_INFO_0 environment to both session and accounting
modules
This exposes SSH_AUTH_INFO_0 to PAM accounting modules as well as
session modules.
It also filters SSH_AUTH_INFO_0 from the PAM environment when reading
it back into the session environment to ensure it doesn't leak.
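The filtering step Damien describes in comment #13, as an added example that is not from this thread or from OpenSSH: it walks a NULL-terminated name=value list of the shape pam_getenvlist(3) returns and drops every SSH_AUTH_INFO_* entry before the rest is copied into the session environment, so the authentication details handed to PAM never reach the user's shell. The function names and the sample list are mine; matching the whole SSH_AUTH_INFO_ prefix (rather than only the _0 suffix) is my assumption that any future version of the variable should be held back as well.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if a "NAME=value" entry belongs to the versioned SSH_AUTH_INFO_*
 * family that must not be copied from the PAM environment into the user's
 * session environment. Everything else passes through unchanged. */
int is_authinfo_var(const char *entry)
{
    static const char prefix[] = "SSH_AUTH_INFO_";
    return strncmp(entry, prefix, sizeof(prefix) - 1) == 0;
}

/* Copy entries from a NULL-terminated PAM environment list into out[],
 * skipping SSH_AUTH_INFO_*. out[] is NULL-terminated on return. Returns the
 * number of entries copied, or -1 when out[] cannot hold them plus the
 * terminator (the caller then keeps the original environment untouched). */
int filter_pam_env(char *const *in, const char **out, size_t max)
{
    size_t n = 0;

    for (size_t i = 0; in[i] != NULL; i++) {
        if (is_authinfo_var(in[i]))
            continue;
        if (n + 1 >= max)
            return -1;
        out[n++] = in[i];
    }
    out[n] = NULL;
    return (int)n;
}

/* Constructed sample of what a PAM stack might hand back; the key data is
 * a placeholder, not a real key. */
static char *const SAMPLE_PAM_ENV[] = {
    "SSH_AUTH_INFO_0=publickey ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE",
    "KRB5CCNAME=FILE:/tmp/krb5cc_1000",
    "PAM_KWALLET_LOGIN=/tmp/example",
    NULL
};

/* Number of entries that survive filtering of the constructed sample. */
int sample_filtered_count(void)
{
    const char *out[8];
    return filter_pam_env(SAMPLE_PAM_ENV, out, 8);
}

int main(void)
{
    const char *out[8];
    int n = filter_pam_env(SAMPLE_PAM_ENV, out, 8);

    for (int i = 0; i < n; i++)
        printf("keep: %s\n", out[i]);
    printf("%d of 3 entries copied into the session environment\n", n);
    return 0;
}
```

The prefix check is deliberately on the name only; the value after `=` is never inspected, so a later format version with a different suffix is filtered the same way.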
bugzilla-daemon at bugzilla.mindrot.org
2017-Jul-28  05:00 UTC
Darren Tucker <dtucker at zip.com.au> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3022|ok?(dtucker at zip.com.au)     |ok+
              Flags|                            |
--- Comment #14 from Darren Tucker <dtucker at zip.com.au> ---
Comment on attachment 3022
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3022
Expose SSH_AUTH_INFO_0 environment to both session and accounting
modules
>+	 * The enviornment variable is versioned. Please increment the
s/enviornment/environment/
otherwise ok.
bugzilla-daemon at bugzilla.mindrot.org
2017-Jul-28  05:03 UTC
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED
--- Comment #15 from Damien Miller <djm at mindrot.org> ---
Patch applied. This will be in OpenSSH 7.6.
bugzilla-daemon at bugzilla.mindrot.org
2017-Nov-21  11:18 UTC
radoslaw at ejsmont.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---
                 CC|                            |radoslaw at ejsmont.net
--- Comment #16 from radoslaw at ejsmont.net ---
Hi,
I took a look at the original patch proposed by György and sources of
the 7.6 release. While the proposed patches expose auth info to PAM for
session and accounting modules, reading the OP's sources and his use case
(https://cern-cert.github.io/pam_2fa/) I reckon that the proposed patch
does not solve the OP's problem. The initial idea behind this patch was to
allow PAM to detect successful authentication performed by openssh's own
methods and decide which additional authentication methods were
required. The design was to allow users to log in using PAM
keyboard-interactive (passwd, mysql, ldap, whatever) getting a proper
password prompt and 2FA (google, yubico, whatever) or using openssh's own
mechanism (pubkey, gssapi), avoid the password prompt and jump directly to
the 2FA prompt. This use case requires exposure of SSH_AUTH_INFO within
an auth module, not session or accounting.
Could György please comment on that?
Best,
Radek
bugzilla-daemon at bugzilla.mindrot.org
2017-Nov-22  20:40 UTC
--- Comment #17 from Radoslaw Ejsmont <radoslaw at ejsmont.net> ---
Created attachment 3089
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3089&action=edit
expose SSH_AUTH_INFO_0 to PAM auth
bugzilla-daemon at bugzilla.mindrot.org
2017-Nov-24  02:51 UTC
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3089|0                           |1
           is patch|                            |
   Attachment #3089|application/octet-stream    |text/plain
          mime type|                            |
bugzilla-daemon at bugzilla.mindrot.org
2017-Nov-24  02:56 UTC
--- Comment #18 from Damien Miller <djm at mindrot.org> ---
I don't understand that patch at all. It seems to add another option and
a heap of parallel infrastructure to track information that sshd already
has in authctxt->session_info
bugzilla-daemon at bugzilla.mindrot.org
2017-Nov-24  07:52 UTC
Radoslaw Ejsmont <radoslaw at ejsmont.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3089|0                           |1
        is obsolete|                            |
--- Comment #19 from Radoslaw Ejsmont <radoslaw at ejsmont.net> ---
Created attachment 3091
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3091&action=edit
Expose SSH_AUTH_INFO_0 to PAM auth
I have no doubt you did not understand the point of that patch. I
uploaded the wrong file! Sorry! My bsd :) Here is the correct one.
bugzilla-daemon at bugzilla.mindrot.org
2017-Nov-24  09:04 UTC
Jakub Jelen <jjelen at redhat.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3091|0                           |1
           is patch|                            |
   Attachment #3091|application/octet-stream    |text/plain
          mime type|                            |
bugzilla-daemon at bugzilla.mindrot.org
2017-Nov-24  11:56 UTC
--- Comment #20 from Damien Miller <djm at mindrot.org> ---
Hah :) Have you checked whether this patch works? IIRC there was some
difficulty in exposing it to auth modules in some cases, possibly for the
keyboard-interactive case.
bugzilla-daemon at bugzilla.mindrot.org
2017-Nov-24  14:45 UTC
--- Comment #21 from Radoslaw Ejsmont <radoslaw at ejsmont.net> ---
Hi! I have tested it with publickey,keyboard-interactive:pam and
keyboard-interactive:pam on ubuntu xenial (compiled from patched Sid
source package). Works like a charm. Tested with pam_exec to see if it's
set and with a patched version (updated variable name) of cern-cert
pam_ssh_user_auth (https://github.com/CERN-CERT/pam_2fa). Worked just
fine.
bugzilla-daemon at bugzilla.mindrot.org
2017-Dec-22  10:12 UTC
--- Comment #22 from Vincent Brillault <git at lerya.net> ---
Dear all,
Sorry for the long absence of comment. We (CERN) have been using RedHat's
patch (see e.g.
https://git.centos.org/blob/rpms!openssh.git/c7/SOURCES!openssh-7.4p1-expose-pam.patch)
and it's working perfectly for us (I need to update the github page). I
had seen your commits in June (which made sense but I didn't have time to
review then) but completely missed your commits in July, thanks for both
and sorry for the absence of reply/review.
I've tried to take a look at the patches right now. I understand that you
have added "expose_authinfo" calls to the do_pam_session & do_pam_account
functions to make sure that the data is up to date at these points in
time. I think this was missing in the patch I submitted, thanks!
However, as Radek found out, one important step is missed: the
authentication part of pam. What is important for the 2FA case is that
this variable is set when calling pam_authenticate, to allow pam modules
to make a choice depending on what already happened. In my case (CERN),
it's simply skipping the standard password authentication part if there
was a successful authentication. Calling "expose_authinfo" just before
the pam thread is started, as proposed by Radek, should resolve this
problem. I have not tested it, but this is what my patch was doing (see
e.g.
https://bugzilla.mindrot.org/attachment.cgi?id=2846&action=diff#a/auth-pam.c_sec1)
and what RedHat is doing
(https://git.centos.org/blob/rpms!openssh.git/c7/SOURCES!openssh-7.4p1-expose-pam.patch#L184).
Sorry again and thanks for all your work,
Vincent
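Two passages of this thread fit one worked example: the format Damien lays out in comment #9 (one `method[/submethod] [extra info]` entry per line, the extra info being the full key for publickey/hostbased and the display name for GSSAPI) and the auth-stage decision Vincent describes in comment #22 (a PAM module skipping its password step when sshd already verified a stronger credential). The code below is an added example, not code from the thread or from OpenSSH. It assumes the PAM variable carries that list as text (the file indirection in comment #11 applies to the user-environment SSH_USER_AUTH, not to the PAM-side variable); the names parse_auth_info, auth_info_has and skip_password_prompt are mine, and the sample value is constructed with placeholder key data.

```c
#include <stdio.h>
#include <string.h>

/* One entry of the SSH_AUTH_INFO_0 list: "method[/submethod] [extra info]" */
struct auth_entry {
    char method[32];
    char submethod[32];
    char extra[1024];   /* full public key, GSSAPI display name, or empty */
};

#define MAX_ENTRIES 16

/* Parse the newline-separated list into out[]. Returns the number of
 * entries, or -1 if a line is malformed or a field does not fit. Blank
 * lines (including a trailing newline) are ignored. */
int parse_auth_info(const char *text, struct auth_entry *out, int max)
{
    int n = 0;
    const char *p = text;

    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t len = eol != NULL ? (size_t)(eol - p) : strlen(p);

        if (len > 0) {
            if (n >= max)
                return -1;
            /* The method token ends at the first space; everything after it
             * is extra info. Base64 key data contains '/', so the submethod
             * separator is only looked for inside the token itself. */
            const char *sp = memchr(p, ' ', len);
            size_t toklen = sp != NULL ? (size_t)(sp - p) : len;
            const char *slash = memchr(p, '/', toklen);
            size_t mlen = slash != NULL ? (size_t)(slash - p) : toklen;
            struct auth_entry *e = &out[n];

            if (mlen == 0 || mlen >= sizeof(e->method))
                return -1;
            memcpy(e->method, p, mlen);
            e->method[mlen] = '\0';

            e->submethod[0] = '\0';
            if (slash != NULL) {
                size_t slen = toklen - mlen - 1;
                if (slen >= sizeof(e->submethod))
                    return -1;
                memcpy(e->submethod, slash + 1, slen);
                e->submethod[slen] = '\0';
            }

            e->extra[0] = '\0';
            if (sp != NULL) {
                size_t elen = len - toklen - 1;
                if (elen >= sizeof(e->extra))
                    return -1;
                memcpy(e->extra, sp + 1, elen);
                e->extra[elen] = '\0';
            }
            n++;
        }
        if (eol == NULL)
            break;
        p = eol + 1;
    }
    return n;
}

/* Did the given method (and, if submethod is non-NULL, that submethod)
 * already succeed? Returns 1/0; malformed input counts as "not seen". */
int auth_info_has(const char *text, const char *method, const char *submethod)
{
    struct auth_entry e[MAX_ENTRIES];
    int n = parse_auth_info(text, e, MAX_ENTRIES);

    for (int i = 0; i < n; i++) {
        if (strcmp(e[i].method, method) != 0)
            continue;
        if (submethod == NULL || strcmp(e[i].submethod, submethod) == 0)
            return 1;
    }
    return 0;
}

/* The decision from the 2FA use case: the password step may be skipped only
 * when sshd already verified a public key or a GSSAPI credential. Anything
 * else, including empty or unparsable data, keeps the full prompt. */
int skip_password_prompt(const char *text)
{
    return auth_info_has(text, "publickey", NULL) ||
           auth_info_has(text, "gssapi-with-mic", NULL);
}

/* Constructed sample: a publickey success followed by kbd-int/pam.
 * The key material is a placeholder, not a real key. */
static const char SAMPLE_AUTH_INFO[] =
    "publickey ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEEXAMPLEEXAMPLE\n"
    "keyboard-interactive/pam\n";

int main(void)
{
    struct auth_entry e[MAX_ENTRIES];
    int n = parse_auth_info(SAMPLE_AUTH_INFO, e, MAX_ENTRIES);

    for (int i = 0; i < n; i++)
        printf("method=%s submethod=%s extra=%s\n",
               e[i].method, e[i].submethod, e[i].extra);
    printf("skip password prompt: %s\n",
           skip_password_prompt(SAMPLE_AUTH_INFO) ? "yes" : "no");
    return 0;
}
```

Inside a real module the text would come from pam_getenv(pamh, "SSH_AUTH_INFO_0") in pam_sm_authenticate, which is the point Radoslaw's patch makes reachable; the parser fails closed, so a missing or malformed variable leaves the password prompt in place rather than granting the skip.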
bugzilla-daemon at bugzilla.mindrot.org
2018-Feb-10  06:05 UTC
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3091|                            |ok?(dtucker at dtucker.net)
              Flags|                            |
--- Comment #23 from Damien Miller <djm at mindrot.org> ---
Comment on attachment 3091
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3091
Expose SSH_AUTH_INFO_0 to PAM auth
Looks ok to me. Darren?
bugzilla-daemon at bugzilla.mindrot.org
2018-Feb-10  06:15 UTC
Darren Tucker <dtucker at dtucker.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3091|ok?(dtucker at dtucker.net)    |ok+
              Flags|                            |
--- Comment #24 from Darren Tucker <dtucker at dtucker.net> ---
Comment on attachment 3091
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3091
Expose SSH_AUTH_INFO_0 to PAM auth
>+	 * The enviornment variable is versioned.
typo enviornment -> environment
otherwise OK.
bugzilla-daemon at bugzilla.mindrot.org
2018-Apr-06  04:09 UTC
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |seroland86 at gmail.com
--- Comment #25 from Damien Miller <djm at mindrot.org> ---
*** Bug 2712 has been marked as a duplicate of this bug. ***
bugzilla-daemon at bugzilla.mindrot.org
2018-Apr-06  04:13 UTC
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2852
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |FIXED
--- Comment #26 from Damien Miller <djm at mindrot.org> ---
Radoslaw's patch is applied and will be in OpenSSH 7.8.
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2852
[Bug 2852] Tracking bug for OpenSSH 7.8 release
bugzilla-daemon at bugzilla.mindrot.org
2018-Nov-26  01:32 UTC
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |support at eggplantsd.com
--- Comment #27 from Damien Miller <djm at mindrot.org> ---
*** Bug 2934 has been marked as a duplicate of this bug. ***
bugzilla-daemon at mindrot.org
2021-Apr-23  05:09 UTC
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #28 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release