From 011c00b91f0452732673ae17ed0b4f135a626f4f671c49f20d8ef4cfa5001cc5 Mon Sep 17 00:00:00 2001 
From: OBS User unknown Date: Fri, 25 Jul 2008 02:29:14 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=18 --- openssh-5.0p1.tar.bz2 | 3 - ...fix.diff => openssh-5.1p1-askpass-fix.diff | 0 ...1-audit.patch => openssh-5.1p1-audit.patch | 36 ++++---- ...rm.diff => openssh-5.1p1-blocksigalrm.diff | 6 +- ...iff => openssh-5.1p1-default-protocol.diff | 0 ...5.0p1-eal3.diff => openssh-5.1p1-eal3.diff | 22 ++--- ...engines.diff => openssh-5.1p1-engines.diff | 36 ++++---- ...c-fix.patch => openssh-5.1p1-gcc-fix.patch | 0 ...tm.patch => openssh-5.1p1-gssapimitm.patch | 32 +++---- ...m-fix2.diff => openssh-5.1p1-pam-fix2.diff | 6 +- ...m-fix3.diff => openssh-5.1p1-pam-fix3.diff | 2 +- ...h-5.0p1-pts.diff => openssh-5.1p1-pts.diff | 6 +- ...ix.diff => openssh-5.1p1-saveargv-fix.diff | 4 +- ...ale.diff => openssh-5.1p1-send_locale.diff | 4 +- ...1-tmpdir.diff => openssh-5.1p1-tmpdir.diff | 2 +- ...0p1-xauth.diff => openssh-5.1p1-xauth.diff | 2 +- ...f => openssh-5.1p1-xauthlocalhostname.diff | 14 +-- openssh-5.0p1.dif => openssh-5.1p1.dif | 6 +- openssh-5.1p1.tar.bz2 | 3 + openssh-askpass-gnome.spec | 8 +- openssh-gssapi_krb5-fix.patch | 18 ---- openssh.changes | 84 +++++++++++++++++ openssh.spec | 91 +++++++++++++++++-- 23 files changed, 264 insertions(+), 121 deletions(-) delete mode 100644 openssh-5.0p1.tar.bz2 rename openssh-5.0p1-askpass-fix.diff => openssh-5.1p1-askpass-fix.diff (100%) rename openssh-5.0p1-audit.patch => openssh-5.1p1-audit.patch (91%) rename openssh-5.0p1-blocksigalrm.diff => openssh-5.1p1-blocksigalrm.diff (94%) rename openssh-5.0p1-default-protocol.diff => openssh-5.1p1-default-protocol.diff (100%) rename openssh-5.0p1-eal3.diff => openssh-5.1p1-eal3.diff (76%) rename openssh-5.0p1-engines.diff => openssh-5.1p1-engines.diff (84%) rename openssh-5.0p1-gcc-fix.patch => openssh-5.1p1-gcc-fix.patch (100%) rename openssh-5.0p1-gssapimitm.patch => openssh-5.1p1-gssapimitm.patch (95%) rename 
openssh-5.0p1-pam-fix2.diff => openssh-5.1p1-pam-fix2.diff (88%) rename openssh-5.0p1-pam-fix3.diff => openssh-5.1p1-pam-fix3.diff (93%) rename openssh-5.0p1-pts.diff => openssh-5.1p1-pts.diff (77%) rename openssh-5.0p1-saveargv-fix.diff => openssh-5.1p1-saveargv-fix.diff (91%) rename openssh-5.0p1-send_locale.diff => openssh-5.1p1-send_locale.diff (95%) rename openssh-5.0p1-tmpdir.diff => openssh-5.1p1-tmpdir.diff (96%) rename openssh-5.0p1-xauth.diff => openssh-5.1p1-xauth.diff (97%) rename openssh-5.0p1-xauthlocalhostname.diff => openssh-5.1p1-xauthlocalhostname.diff (91%) rename openssh-5.0p1.dif => openssh-5.1p1.dif (94%) create mode 100644 openssh-5.1p1.tar.bz2 delete mode 100644 openssh-gssapi_krb5-fix.patch diff --git a/openssh-5.0p1.tar.bz2 b/openssh-5.0p1.tar.bz2 deleted file mode 100644 index 23a926a..0000000 --- a/openssh-5.0p1.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:fafd3e0fe129d372340f17906bcdee4150823c2435fe8e85208b23df27ee3d4b -size 810512 diff --git a/openssh-5.0p1-askpass-fix.diff b/openssh-5.1p1-askpass-fix.diff similarity index 100% rename from openssh-5.0p1-askpass-fix.diff rename to openssh-5.1p1-askpass-fix.diff diff --git a/openssh-5.0p1-audit.patch b/openssh-5.1p1-audit.patch similarity index 91% rename from openssh-5.0p1-audit.patch rename to openssh-5.1p1-audit.patch index fe7893f..fe26cf3 100644 --- a/openssh-5.0p1-audit.patch +++ b/openssh-5.1p1-audit.patch @@ -1,7 +1,7 @@ # add support for Linux audit (FATE #120269) ================================================================================ ---- openssh-4.7p1/Makefile.in -+++ openssh-4.7p1/Makefile.in +--- openssh-5.1p1/Makefile.in ++++ openssh-5.1p1/Makefile.in @@ -44,6 +44,7 @@ CFLAGS=@CFLAGS@ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ 
@@ -10,7 +10,7 @@ SSHDLIBS=@SSHDLIBS@ LIBEDIT=@LIBEDIT@ AR=@AR@ -@@ -136,7 +137,7 @@ +@@ -137,7 +138,7 @@ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) @@ -19,9 +19,9 @@ scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ---- openssh-4.7p1/auth.c -+++ openssh-4.7p1/auth.c -@@ -286,6 +286,12 @@ +--- openssh-5.1p1/auth.c ++++ openssh-5.1p1/auth.c +@@ -287,6 +287,12 @@ get_canonical_hostname(options.use_dns), "ssh", &loginmsg); # endif #endif @@ -34,7 +34,7 @@ #ifdef SSH_AUDIT_EVENTS if (authenticated == 0 && !authctxt->postponed) audit_event(audit_classify_auth(method)); -@@ -492,6 +498,10 @@ +@@ -533,6 +539,10 @@ record_failed_login(user, get_canonical_hostname(options.use_dns), "ssh"); #endif @@ -45,9 +45,9 @@ #ifdef SSH_AUDIT_EVENTS audit_event(SSH_INVALID_USER); #endif /* SSH_AUDIT_EVENTS */ ---- openssh-4.7p1/config.h.in -+++ openssh-4.7p1/config.h.in -@@ -1334,6 +1334,9 @@ +--- openssh-5.1p1/config.h.in ++++ openssh-5.1p1/config.h.in +@@ -1388,6 +1388,9 @@ /* Define if you want SELinux support. */ #undef WITH_SELINUX @@ -57,9 +57,9 @@ /* Define to 1 if your processor stores words with the most significant byte first (like Motorola and SPARC, unlike Intel and VAX). */ #undef WORDS_BIGENDIAN ---- openssh-4.7p1/configure.ac -+++ openssh-4.7p1/configure.ac -@@ -3216,6 +3216,20 @@ +--- openssh-5.1p1/configure.ac ++++ openssh-5.1p1/configure.ac +@@ -3314,6 +3314,20 @@ fi ] ) @@ -80,7 +80,7 @@ # Check whether user wants Kerberos 5 support KRB5_MSG="no" AC_ARG_WITH(kerberos5, -@@ -4036,6 +4050,7 @@ +@@ -4134,6 +4148,7 @@ echo " OSF SIA support: $SIA_MSG" echo " KerberosV support: $KRB5_MSG" echo " SELinux support: $SELINUX_MSG" 
@@ -88,8 +88,8 @@ echo " Smartcard support: $SCARD_MSG" echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" ---- openssh-4.7p1/loginrec.c -+++ openssh-4.7p1/loginrec.c +--- openssh-5.1p1/loginrec.c ++++ openssh-5.1p1/loginrec.c @@ -176,6 +176,10 @@ #include "auth.h" #include "buffer.h" @@ -174,8 +174,8 @@ /** ** Low-level libutil login() functions **/ ---- openssh-4.7p1/loginrec.h -+++ openssh-4.7p1/loginrec.h +--- openssh-5.1p1/loginrec.h ++++ openssh-5.1p1/loginrec.h @@ -127,5 +127,9 @@ char *line_abbrevname(char *dst, const char *src, int dstsize); diff --git a/openssh-5.0p1-blocksigalrm.diff b/openssh-5.1p1-blocksigalrm.diff similarity index 94% rename from openssh-5.0p1-blocksigalrm.diff rename to openssh-5.1p1-blocksigalrm.diff index 6e51b7e..81f4c95 100644 --- a/openssh-5.0p1-blocksigalrm.diff +++ b/openssh-5.1p1-blocksigalrm.diff @@ -8,7 +8,7 @@ static LogLevel log_level = SYSLOG_LEVEL_INFO; static int log_on_stderr = 1; -@@ -314,6 +315,7 @@ +@@ -336,6 +337,7 @@ char fmtbuf[MSGBUFSIZ]; char *txt = NULL; int pri = LOG_INFO; @@ -16,7 +16,7 @@ int saved_errno = errno; if (level > log_level) -@@ -365,6 +367,14 @@ +@@ -387,6 +389,14 @@ snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf); write(STDERR_FILENO, msgbuf, strlen(msgbuf)); } else { @@ -31,7 +31,7 @@ #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata); syslog_r(pri, &sdata, "%.500s", fmtbuf); -@@ -374,6 +384,7 @@ +@@ -396,6 +406,7 @@ syslog(pri, "%.500s", fmtbuf); closelog(); #endif diff --git a/openssh-5.0p1-default-protocol.diff b/openssh-5.1p1-default-protocol.diff similarity index 100% rename from openssh-5.0p1-default-protocol.diff rename to openssh-5.1p1-default-protocol.diff diff --git a/openssh-5.0p1-eal3.diff b/openssh-5.1p1-eal3.diff similarity index 76% rename from openssh-5.0p1-eal3.diff rename to openssh-5.1p1-eal3.diff index 54cd896..001113a 100644 --- a/openssh-5.0p1-eal3.diff 
+++ b/openssh-5.1p1-eal3.diff @@ -1,6 +1,6 @@ ---- openssh-4.6p1/sshd.8 -+++ openssh-4.6p1/sshd.8 -@@ -739,7 +739,7 @@ +--- openssh-5.1p1/sshd.8 ++++ openssh-5.1p1/sshd.8 +@@ -785,7 +785,7 @@ The file format is described in .Xr moduli 5 . .Pp @@ -9,7 +9,7 @@ See .Xr motd 5 . .Pp -@@ -752,7 +752,7 @@ +@@ -798,7 +798,7 @@ refused. The file should be world-readable. .Pp @@ -18,8 +18,8 @@ This file is used in exactly the same way as .Pa hosts.equiv , but allows host-based authentication without permitting login with -@@ -828,8 +828,7 @@ - .Xr ssh-keygen 1 , +@@ -875,8 +875,7 @@ + .Xr ssh-keyscan 1 , .Xr chroot 2 , .Xr hosts_access 5 , -.Xr login.conf 5 , @@ -28,9 +28,9 @@ .Xr sshd_config 5 , .Xr inetd 8 , .Xr sftp-server 8 ---- openssh-4.6p1/sshd_config.5 -+++ openssh-4.6p1/sshd_config.5 -@@ -167,9 +167,6 @@ +--- openssh-5.1p1/sshd_config.5 ++++ openssh-5.1p1/sshd_config.5 +@@ -177,9 +177,6 @@ By default, no banner is displayed. .It Cm ChallengeResponseAuthentication Specifies whether challenge-response authentication is allowed. @@ -39,8 +39,8 @@ -are supported. The default is .Dq yes . - .It Cm Ciphers -@@ -382,7 +379,7 @@ + .It Cm ChrootDirectory +@@ -438,7 +435,7 @@ .Pp .Pa /etc/hosts.equiv and diff --git a/openssh-5.0p1-engines.diff b/openssh-5.1p1-engines.diff similarity index 84% rename from openssh-5.0p1-engines.diff rename to openssh-5.1p1-engines.diff index fea79b6..841fa60 100644 --- a/openssh-5.0p1-engines.diff +++ b/openssh-5.1p1-engines.diff @@ -1,5 +1,5 @@ ---- openssh-4.9p1/ssh-add.c -+++ openssh-4.9p1/ssh-add.c +--- openssh-5.1p1/ssh-add.c ++++ openssh-5.1p1/ssh-add.c @@ -43,6 +43,7 @@ #include @@ -19,8 +19,8 @@ /* At first, get a connection to the authentication agent. */ ac = ssh_get_authentication_connection(); if (ac == NULL) { ---- openssh-4.9p1/ssh-agent.c -+++ openssh-4.9p1/ssh-agent.c +--- openssh-5.1p1/ssh-agent.c ++++ openssh-5.1p1/ssh-agent.c @@ -52,6 +52,7 @@ #include #include 
@@ -29,7 +29,7 @@ #include #include -@@ -1063,6 +1064,10 @@ +@@ -1076,6 +1077,10 @@ SSLeay_add_all_algorithms(); @@ -40,8 +40,8 @@ __progname = ssh_get_progname(av[0]); init_rng(); seed_rng(); ---- openssh-4.9p1/ssh-keygen.c -+++ openssh-4.9p1/ssh-keygen.c +--- openssh-5.1p1/ssh-keygen.c ++++ openssh-5.1p1/ssh-keygen.c @@ -22,6 +22,7 @@ #include #include @@ -50,7 +50,7 @@ #include #include -@@ -1072,6 +1073,11 @@ +@@ -1099,6 +1100,11 @@ __progname = ssh_get_progname(argv[0]); SSLeay_add_all_algorithms(); @@ -62,8 +62,8 @@ log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); init_rng(); ---- openssh-4.9p1/ssh-keysign.c -+++ openssh-4.9p1/ssh-keysign.c +--- openssh-5.1p1/ssh-keysign.c ++++ openssh-5.1p1/ssh-keysign.c @@ -38,6 +38,7 @@ #include #include @@ -84,17 +84,17 @@ for (i = 0; i < 256; i++) rnd[i] = arc4random(); RAND_seed(rnd, sizeof(rnd)); ---- openssh-4.9p1/ssh.c -+++ openssh-4.9p1/ssh.c +--- openssh-5.1p1/ssh.c ++++ openssh-5.1p1/ssh.c @@ -73,6 +73,7 @@ - #include #include #include "openbsd-compat/openssl-compat.h" + #include "openbsd-compat/sys-queue.h" +#include #include "xmalloc.h" #include "ssh.h" -@@ -561,6 +562,10 @@ +@@ -562,6 +563,10 @@ SSLeay_add_all_algorithms(); ERR_load_crypto_strings(); @@ -105,9 +105,9 @@ /* Initialize the command to execute on remote host. */ buffer_init(&command); ---- openssh-4.9p1/sshd.c -+++ openssh-4.9p1/sshd.c -@@ -76,6 +76,7 @@ +--- openssh-5.1p1/sshd.c ++++ openssh-5.1p1/sshd.c +@@ -77,6 +77,7 @@ #include #include #include "openbsd-compat/openssl-compat.h" @@ -115,7 +115,7 @@ #ifdef HAVE_SECUREWARE #include -@@ -1465,6 +1466,10 @@ +@@ -1416,6 +1417,10 @@ SSLeay_add_all_algorithms(); diff --git a/openssh-5.0p1-gcc-fix.patch b/openssh-5.1p1-gcc-fix.patch similarity index 100% rename from openssh-5.0p1-gcc-fix.patch rename to openssh-5.1p1-gcc-fix.patch 
diff --git a/openssh-5.0p1-gssapimitm.patch b/openssh-5.1p1-gssapimitm.patch similarity index 95% rename from openssh-5.0p1-gssapimitm.patch rename to openssh-5.1p1-gssapimitm.patch index db768fc..b8539fe 100644 --- a/openssh-5.0p1-gssapimitm.patch +++ b/openssh-5.1p1-gssapimitm.patch @@ -46,7 +46,7 @@ Index: auth2-gss.c #endif /* GSSAPI */ --- auth2.c +++ auth2.c -@@ -65,6 +65,7 @@ +@@ -70,6 +70,7 @@ extern Authmethod method_hostbased; #ifdef GSSAPI extern Authmethod method_gssapi; @@ -54,7 +54,7 @@ Index: auth2-gss.c #endif Authmethod *authmethods[] = { -@@ -72,6 +73,7 @@ +@@ -77,6 +78,7 @@ &method_pubkey, #ifdef GSSAPI &method_gssapi, @@ -73,7 +73,7 @@ Index: auth2-gss.c oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, -@@ -164,9 +164,11 @@ +@@ -165,9 +165,11 @@ #if defined(GSSAPI) { "gssapiauthentication", oGssAuthentication }, { "gssapidelegatecredentials", oGssDelegateCreds }, @@ -85,7 +85,7 @@ Index: auth2-gss.c #endif { "fallbacktorsh", oDeprecated }, { "usersh", oDeprecated }, -@@ -445,6 +447,10 @@ +@@ -447,6 +449,10 @@ case oGssDelegateCreds: intptr = &options->gss_deleg_creds; goto parse_flag; @@ -96,7 +96,7 @@ Index: auth2-gss.c case oBatchMode: intptr = &options->batch_mode; -@@ -1011,6 +1017,7 @@ +@@ -1017,6 +1023,7 @@ options->challenge_response_authentication = -1; options->gss_authentication = -1; options->gss_deleg_creds = -1; @@ -104,7 +104,7 @@ Index: auth2-gss.c options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; -@@ -1101,6 +1108,8 @@ +@@ -1108,6 +1115,8 @@ options->gss_authentication = 0; if (options->gss_deleg_creds == -1) options->gss_deleg_creds = 0; 
@@ -125,7 +125,7 @@ Index: auth2-gss.c int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ --- servconf.c +++ servconf.c -@@ -91,6 +91,7 @@ +@@ -93,6 +93,7 @@ options->kerberos_get_afs_token = -1; options->gss_authentication=-1; options->gss_cleanup_creds = -1; @@ -133,7 +133,7 @@ Index: auth2-gss.c options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; -@@ -207,6 +208,8 @@ +@@ -211,6 +212,8 @@ options->gss_authentication = 0; if (options->gss_cleanup_creds == -1) options->gss_cleanup_creds = 1; @@ -142,16 +142,16 @@ Index: auth2-gss.c if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -291,7 +294,7 @@ +@@ -299,7 +302,7 @@ sBanner, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, - sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, + sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssEnableMITM, sMatch, sPermitOpen, sForceCommand, sChrootDirectory, - sUsePrivilegeSeparation, + sUsePrivilegeSeparation, sAllowAgentForwarding, sDeprecated, sUnsupported -@@ -352,9 +355,11 @@ +@@ -360,9 +363,11 @@ #ifdef GSSAPI { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, @@ -163,7 +163,7 @@ Index: auth2-gss.c #endif { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, -@@ -878,6 +883,10 @@ +@@ -885,6 +890,10 @@ case sGssCleanupCreds: intptr = &options->gss_cleanup_creds; goto parse_flag; 
@@ -176,7 +176,7 @@ Index: auth2-gss.c intptr = &options->password_authentication; --- servconf.h +++ servconf.h -@@ -91,6 +91,7 @@ +@@ -92,6 +92,7 @@ * authenticated with Kerberos. */ int gss_authentication; /* If true, permit GSSAPI authentication */ int gss_cleanup_creds; /* If true, destroy cred cache on logout */ @@ -202,7 +202,7 @@ Index: auth2-gss.c +>>>>>>> --- sshconnect2.c +++ sshconnect2.c -@@ -243,6 +243,10 @@ +@@ -246,6 +246,10 @@ userauth_gssapi, &options.gss_authentication, NULL}, @@ -213,7 +213,7 @@ Index: auth2-gss.c #endif {"hostbased", userauth_hostbased, -@@ -577,7 +581,9 @@ +@@ -587,7 +591,9 @@ if (status == GSS_S_COMPLETE) { /* send either complete or MIC, depending on mechanism */ @@ -226,7 +226,7 @@ Index: auth2-gss.c } else { --- sshd_config +++ sshd_config -@@ -73,6 +73,13 @@ +@@ -74,6 +74,13 @@ #GSSAPIAuthentication no #GSSAPICleanupCredentials yes diff --git a/openssh-5.0p1-pam-fix2.diff b/openssh-5.1p1-pam-fix2.diff similarity index 88% rename from openssh-5.0p1-pam-fix2.diff rename to openssh-5.1p1-pam-fix2.diff index 6122a4a..519ef0e 100644 --- a/openssh-5.0p1-pam-fix2.diff +++ b/openssh-5.1p1-pam-fix2.diff @@ -1,6 +1,6 @@ --- sshd_config +++ sshd_config -@@ -53,7 +53,7 @@ +@@ -58,7 +58,7 @@ #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! @@ -9,12 +9,12 @@ #PermitEmptyPasswords no # Change to no to disable s/key passwords -@@ -78,7 +78,7 @@ +@@ -83,7 +83,7 @@ # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -#UsePAM no +UsePAM yes + #AllowAgentForwarding yes #AllowTcpForwarding yes - #GatewayPorts no diff --git a/openssh-5.0p1-pam-fix3.diff b/openssh-5.1p1-pam-fix3.diff similarity index 93% rename from openssh-5.0p1-pam-fix3.diff rename to openssh-5.1p1-pam-fix3.diff index da7bb7f..3944982 100644 --- a/openssh-5.0p1-pam-fix3.diff +++ b/openssh-5.1p1-pam-fix3.diff 
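Review bot: The refreshed openssh-5.1p1-gssapimitm.patch still carries an added line `+>>>>>>>`, visible as context in the outer hunk `@@ -202,7 +202,7 @@` just before the `--- sshconnect2.c` section, and it reads like a merge-conflict marker left behind in the patch. The file that line lands in starts outside this hunk, so it cannot be confirmed from here whether it ends up in a shipped configuration file or a man page. Since the patch is being rebased for 5.1p1 anyway, I would drop that line and check the patched file for a matching `<<<<<<<` or `=======`. If the line is intentional, a short comment in the patch header saying so would spare the next rebase the same question.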
@@ -1,6 +1,6 @@ --- auth-pam.c +++ auth-pam.c -@@ -785,7 +785,9 @@ +@@ -786,7 +786,9 @@ fatal("Internal error: PAM auth " "succeeded when it should have " "failed"); diff --git a/openssh-5.0p1-pts.diff b/openssh-5.1p1-pts.diff similarity index 77% rename from openssh-5.0p1-pts.diff rename to openssh-5.1p1-pts.diff index 142ee18..3b6db35 100644 --- a/openssh-5.0p1-pts.diff +++ b/openssh-5.1p1-pts.diff @@ -1,6 +1,6 @@ --- loginrec.c -+++ loginrec.c 2008-04-18 17:58:59.585065028 +0200 -@@ -549,7 +549,7 @@ getlast_entry(struct logininfo *li) ++++ loginrec.c +@@ -549,7 +549,7 @@ * 1. The full filename (including '/dev') * 2. The stripped name (excluding '/dev') * 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00 @@ -9,7 +9,7 @@ * * Form 3 is used on some systems to identify a .tmp.? entry when * attempting to remove it. Typically both addition and removal is -@@ -610,6 +610,10 @@ line_abbrevname(char *dst, const char *s +@@ -610,6 +610,10 @@ if (strncmp(src, "tty", 3) == 0) src += 3; #endif diff --git a/openssh-5.0p1-saveargv-fix.diff b/openssh-5.1p1-saveargv-fix.diff similarity index 91% rename from openssh-5.0p1-saveargv-fix.diff rename to openssh-5.1p1-saveargv-fix.diff index 0ff56ca..781681d 100644 --- a/openssh-5.0p1-saveargv-fix.diff +++ b/openssh-5.1p1-saveargv-fix.diff @@ -1,6 +1,6 @@ --- sshd.c +++ sshd.c -@@ -358,6 +358,7 @@ +@@ -305,6 +305,7 @@ static void sighup_restart(void) { @@ -8,7 +8,7 @@ logit("Received SIGHUP; restarting."); close_listen_socks(); close_startup_pipes(); -@@ -1318,7 +1319,11 @@ +@@ -1270,7 +1271,11 @@ #ifndef HAVE_SETPROCTITLE /* Prepare for later setproctitle emulation */ compat_init_setproctitle(ac, av); diff --git a/openssh-5.0p1-send_locale.diff b/openssh-5.1p1-send_locale.diff similarity index 95% rename from openssh-5.0p1-send_locale.diff rename to openssh-5.1p1-send_locale.diff index ddf1643..ddfce1a 100644 --- a/openssh-5.0p1-send_locale.diff +++ b/openssh-5.1p1-send_locale.diff 
@@ -1,6 +1,6 @@ --- ssh_config +++ ssh_config -@@ -62,4 +62,7 @@ +@@ -63,4 +63,7 @@ # potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to. # GSSAPIEnableMITMAttack no @@ -11,7 +11,7 @@ +SendEnv LC_IDENTIFICATION LC_ALL --- sshd_config +++ sshd_config -@@ -112,6 +112,11 @@ +@@ -119,6 +119,11 @@ # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server diff --git a/openssh-5.0p1-tmpdir.diff b/openssh-5.1p1-tmpdir.diff similarity index 96% rename from openssh-5.0p1-tmpdir.diff rename to openssh-5.1p1-tmpdir.diff index d03ec2b..688d35a 100644 --- a/openssh-5.0p1-tmpdir.diff +++ b/openssh-5.1p1-tmpdir.diff @@ -1,6 +1,6 @@ --- ssh-agent.c +++ ssh-agent.c -@@ -1126,8 +1126,18 @@ +@@ -1159,8 +1159,18 @@ parent_pid = getpid(); if (agentsocket == NULL) { diff --git a/openssh-5.0p1-xauth.diff b/openssh-5.1p1-xauth.diff similarity index 97% rename from openssh-5.0p1-xauth.diff rename to openssh-5.1p1-xauth.diff index 5cde110..0fea6db 100644 --- a/openssh-5.0p1-xauth.diff +++ b/openssh-5.1p1-xauth.diff @@ -1,6 +1,6 @@ --- session.c +++ session.c -@@ -2250,8 +2250,41 @@ +@@ -2487,8 +2487,41 @@ session_close(Session *s) { u_int i; diff --git a/openssh-5.0p1-xauthlocalhostname.diff b/openssh-5.1p1-xauthlocalhostname.diff similarity index 91% rename from openssh-5.0p1-xauthlocalhostname.diff rename to openssh-5.1p1-xauthlocalhostname.diff index 4e64221..dadf833 100644 --- a/openssh-5.0p1-xauthlocalhostname.diff +++ b/openssh-5.1p1-xauthlocalhostname.diff @@ -1,6 +1,6 @@ --- session.c +++ session.c -@@ -997,7 +997,7 @@ +@@ -1104,7 +1104,7 @@ } static char ** @@ -9,7 +9,7 @@ { char buf[256]; u_int i, envsize; -@@ -1184,6 +1184,8 @@ +@@ -1291,6 +1291,8 @@ for (i = 0; env[i]; i++) fprintf(stderr, " %.200s\n", env[i]); } @@ -18,7 +18,7 @@ return env; } -@@ -1192,7 +1194,7 @@ +@@ -1299,7 +1301,7 @@ * first in this order). */ static void 
@@ -27,7 +27,7 @@ { FILE *f = NULL; char cmd[1024]; -@@ -1246,12 +1248,20 @@ +@@ -1353,12 +1355,20 @@ options.xauth_location); f = popen(cmd, "w"); if (f) { @@ -48,7 +48,7 @@ } else { fprintf(stderr, "Could not run %s\n", cmd); -@@ -1537,6 +1547,7 @@ +@@ -1644,6 +1654,7 @@ { extern char **environ; char **env; @@ -56,7 +56,7 @@ char *argv[ARGV_MAX]; const char *shell, *shell0, *hostname = NULL; struct passwd *pw = s->pw; -@@ -1602,7 +1613,7 @@ +@@ -1710,7 +1721,7 @@ * Make sure $SHELL points to the shell from the password file, * even if shell is overridden from login.conf */ @@ -65,7 +65,7 @@ #ifdef HAVE_LOGIN_CAP shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); -@@ -1666,7 +1677,7 @@ +@@ -1778,7 +1789,7 @@ closefrom(STDERR_FILENO + 1); if (!options.use_login) diff --git a/openssh-5.0p1.dif b/openssh-5.1p1.dif similarity index 94% rename from openssh-5.0p1.dif rename to openssh-5.1p1.dif index 8de8a82..378d000 100644 --- a/openssh-5.0p1.dif +++ b/openssh-5.1p1.dif @@ -24,8 +24,8 @@ # PasswordAuthentication yes --- sshd_config +++ sshd_config -@@ -82,7 +82,7 @@ - +@@ -88,7 +88,7 @@ + #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no -#X11Forwarding no @@ -35,7 +35,7 @@ #PrintMotd yes --- sshlogin.c +++ sshlogin.c -@@ -126,6 +126,7 @@ +@@ -125,6 +125,7 @@ li = login_alloc_entry(pid, user, host, tty); login_set_addr(li, addr, addrlen); diff --git a/openssh-5.1p1.tar.bz2 b/openssh-5.1p1.tar.bz2 new file mode 100644 index 0000000..295527f --- /dev/null +++ b/openssh-5.1p1.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bbe533aa4d2d083011035e3b63e558eaf8db83f7b062410a2035aeb822904472 +size 835720 diff --git a/openssh-askpass-gnome.spec b/openssh-askpass-gnome.spec index 1fc8963..f0fd735 100644 --- a/openssh-askpass-gnome.spec +++ b/openssh-askpass-gnome.spec 
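Review bot: The new source archive is pinned only by the LFS oid in the `openssh-5.1p1.tar.bz2` pointer; going by the commit's file list, no detached upstream signature or checksum file is added alongside it. For a package that provides the SSH daemon, it is worth recording how the archive was verified: either ship the upstream signature as an extra source and check it in `%prep`, or at least note the verified upstream checksum in openssh.changes. If the `.tar.bz2` was recompressed from upstream's release archive, the upstream signature will not match it directly, so keeping the original archive would make the check reproducible.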
@@ -1,5 +1,5 @@ # -# spec file for package openssh-askpass-gnome (Version 5.0p1) +# spec file for package openssh-askpass-gnome (Version 5.1p1) # # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine @@ -15,8 +15,8 @@ Name: openssh-askpass-gnome BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files License: BSD 3-Clause Group: Productivity/Networking/SSH -Version: 5.0p1 -Release: 5 +Version: 5.1p1 +Release: 1 Requires: openssh = %{version} openssh-askpass = %{version} AutoReqProv: on Summary: A GNOME-Based Passphrase Dialog for OpenSSH @@ -31,7 +31,6 @@ Patch21: %{_name}-%{version}-gssapimitm.patch Patch26: %{_name}-%{version}-eal3.diff Patch27: %{_name}-%{version}-engines.diff Patch28: %{_name}-%{version}-blocksigalrm.diff -Patch42: %{_name}-gssapi_krb5-fix.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -74,7 +73,6 @@ Authors: %patch26 -p1 %patch27 -p1 %patch28 -%patch42 %build %{?suse_update_config:%{suse_update_config}} diff --git a/openssh-gssapi_krb5-fix.patch b/openssh-gssapi_krb5-fix.patch deleted file mode 100644 index 4f6d9c4..0000000 --- a/openssh-gssapi_krb5-fix.patch +++ /dev/null @@ -1,18 +0,0 @@ ---- configure.ac -+++ configure.ac -@@ -3283,7 +3283,14 @@ - K5LIBS="-lgssapi $K5LIBS" ], - [ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context, - [ AC_DEFINE(GSSAPI) -- K5LIBS="-lgssapi_krb5 $K5LIBS" ], -+ K5LIBS="-lgssapi_krb5 $K5LIBS" ] -+ AC_CHECK_LIB(gssapi_krb5, gss_krb5_copy_ccache, [ -+ K5LIBS="-lgssapi_krb5 $K5LIBS" -+ ], [ -+ AC_MSG_WARN([Cannot find -lgssapi_krb5 with gss_krb5_copy_ccache()]) -+ ], -+ $K5LIBS -+ ), - AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]), - $K5LIBS) - ], diff --git a/openssh.changes b/openssh.changes index 46712dd..74c4ae9 100644 --- a/openssh.changes +++ b/openssh.changes 
@@ -1,3 +1,87 @@ +------------------------------------------------------------------- +Tue Jul 22 20:39:29 CEST 2008 - anicka@suse.cz + +- update to 5.1p1 + * sshd(8): Avoid X11 man-in-the-middle attack on HP/UX (and possibly + other platforms) when X11UseLocalhost=no + * Introduce experimental SSH Fingerprint ASCII Visualisation to ssh(1) + and ssh-keygen(1). Visual fingerprinnt display is controlled by a new + ssh_config(5) option "VisualHostKey". + * sshd_config(5) now supports CIDR address/masklen matching in "Match + address" blocks, with a fallback to classic wildcard matching. + * sshd(8) now supports CIDR matching in ~/.ssh/authorized_keys + from="..." restrictions, also with a fallback to classic wildcard + matching. + * Added an extended test mode (-T) to sshd(8) to request that it write + its effective configuration to stdout and exit. Extended test mode + also supports the specification of connection parameters (username, + source address and hostname) to test the application of + sshd_config(5) Match rules. + * ssh(1) now prints the number of bytes transferred and the overall + connection throughput for SSH protocol 2 sessions when in verbose + mode (previously these statistics were displayed for protocol 1 + connections only). + * sftp-server(8) now supports extension methods statvfs@openssh.com and + fstatvfs@openssh.com that implement statvfs(2)-like operations. + * sftp(1) now has a "df" command to the sftp client that uses the + statvfs@openssh.com to produce a df(1)-like display of filesystem + space and inode utilisation (requires statvfs@openssh.com support on + the server) + * Added a MaxSessions option to sshd_config(5) to allow control of the + number of multiplexed sessions supported over a single TCP connection. + This allows increasing the number of allowed sessions above the + previous default of 10, disabling connection multiplexing + (MaxSessions=1) or disallowing login/shell/subsystem sessions + entirely (MaxSessions=0). 
+ * Added a no-more-sessions@openssh.com global request extension that is + sent from ssh(1) to sshd(8) when the client knows that it will never + request another session (i.e. when session multiplexing is disabled). + This allows a server to disallow further session requests and + terminate the session in cases where the client has been hijacked. + * ssh-keygen(1) now supports the use of the -l option in combination + with -F to search for a host in ~/.ssh/known_hosts and display its + fingerprint. + * ssh-keyscan(1) now defaults to "rsa" (protocol 2) keys, instead of + "rsa1". + * Added an AllowAgentForwarding option to sshd_config(8) to control + whether authentication agent forwarding is permitted. Note that this + is a loose control, as a client may install their own unofficial + forwarder. + * ssh(1) and sshd(8): avoid unnecessary malloc/copy/free when receiving + network data, resulting in a ~10% speedup + * ssh(1) and sshd(8) will now try additional addresses when connecting + to a port forward destination whose DNS name resolves to more than + one address. The previous behaviour was to try the only first address + and give up if that failed. (bz#383) + * ssh(1) and sshd(8) now support signalling that channels are + half-closed for writing, through a channel protocol extension + notification "eow@openssh.com". This allows propagation of closed + file descriptors, so that commands such as: + "ssh -2 localhost od /bin/ls | true" + do not send unnecessary data over the wire. (bz#85) + * sshd(8): increased the default size of ssh protocol 1 ephemeral keys + from 768 to 1024 bits. + * When ssh(1) has been requested to fork after authentication + ("ssh -f") with ExitOnForwardFailure enabled, delay the fork until + after replies for any -R forwards have been seen. Allows for robust + detection of -R forward failure when using -f. (bz#92) + * "Match group" blocks in sshd_config(5) now support negation of + groups. E.g. 
"Match group staff,!guests" (bz#1315) + * sftp(1) and sftp-server(8) now allow chmod-like operations to set + set[ug]id/sticky bits. (bz#1310) + * The MaxAuthTries option is now permitted in sshd_config(5) match + blocks. + * Multiplexed ssh(1) sessions now support a subset of the ~ escapes + that are available to a primary connection. (bz#1331) + * ssh(1) connection multiplexing will now fall back to creating a new + connection in most error cases. (bz#1439 bz#1329) + * Added some basic interoperability tests against Twisted Conch. + * Documented OpenSSH's extensions to and deviations from the published + SSH protocols (the PROTOCOL file in the distribution) + * Documented OpenSSH's ssh-agent protocol (PROTOCOL.agent). + * bugfixes +- remove gssapi_krb5-fix patch + ------------------------------------------------------------------- Fri Apr 18 17:53:30 CEST 2008 - werner@suse.de diff --git a/openssh.spec b/openssh.spec index 55b54a2..6cc7473 100644 --- a/openssh.spec +++ b/openssh.spec @@ -1,5 +1,5 @@ # -# spec file for package openssh (Version 5.0p1) +# spec file for package openssh (Version 5.1p1) # # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine @@ -29,8 +29,8 @@ Requires: /bin/netstat PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_prereq /bin/mkdir /bin/cat permissions Conflicts: nonfreessh AutoReqProv: on -Version: 5.0p1 -Release: 4 +Version: 5.1p1 +Release: 1 %define xversion 1.2.4.1 Summary: Secure Shell Client and Server (Remote Login Program) Url: http://www.openssh.com/ @@ -58,7 +58,6 @@ Patch36: %{name}-%{version}-xauthlocalhostname.diff Patch37: %{name}-%{version}-tmpdir.diff Patch40: %{name}-%{version}-xauth.diff Patch41: %{name}-%{version}-gcc-fix.patch -Patch42: %{name}-gssapi_krb5-fix.patch Patch43: %{name}-%{version}-default-protocol.diff Patch44: %{name}-%{version}-audit.patch Patch45: %{name}-%{version}-pts.diff 
@@ -148,7 +147,6 @@ Authors: %patch37 %patch40 %patch41 -%patch42 %patch43 %patch44 -p1 %patch45 @@ -252,7 +250,7 @@ rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root) %dir %attr(755,root,root) /var/lib/sshd -%doc README.SuSE README.kerberos ChangeLog OVERVIEW README RFC.nroff TODO LICENCE CREDITS +%doc README.SuSE README.kerberos ChangeLog OVERVIEW README TODO LICENCE CREDITS %attr(0755,root,root) %dir /etc/ssh %attr(0600,root,root) %config(noreplace) /etc/ssh/moduli %verify(not mode) %attr(0644,root,root) %config(noreplace) /etc/ssh/ssh_config 
@@ -294,6 +292,87 @@ rm -rf $RPM_BUILD_ROOT %config %_appdefdir/SshAskpass %changelog +* Tue Jul 22 2008 anicka@suse.cz +- update to 5.1p1 + * sshd(8): Avoid X11 man-in-the-middle attack on HP/UX (and possibly + other platforms) when X11UseLocalhost=no + * Introduce experimental SSH Fingerprint ASCII Visualisation to ssh(1) + and ssh-keygen(1). Visual fingerprinnt display is controlled by a new + ssh_config(5) option "VisualHostKey". + * sshd_config(5) now supports CIDR address/masklen matching in "Match + address" blocks, with a fallback to classic wildcard matching. + * sshd(8) now supports CIDR matching in ~/.ssh/authorized_keys + from="..." restrictions, also with a fallback to classic wildcard + matching. + * Added an extended test mode (-T) to sshd(8) to request that it write + its effective configuration to stdout and exit. Extended test mode + also supports the specification of connection parameters (username, + source address and hostname) to test the application of + sshd_config(5) Match rules. + * ssh(1) now prints the number of bytes transferred and the overall + connection throughput for SSH protocol 2 sessions when in verbose + mode (previously these statistics were displayed for protocol 1 + connections only). + * sftp-server(8) now supports extension methods statvfs@openssh.com and + fstatvfs@openssh.com that implement statvfs(2)-like operations. + * sftp(1) now has a "df" command to the sftp client that uses the + statvfs@openssh.com to produce a df(1)-like display of filesystem + space and inode utilisation (requires statvfs@openssh.com support on + the server) + * Added a MaxSessions option to sshd_config(5) to allow control of the + number of multiplexed sessions supported over a single TCP connection. + This allows increasing the number of allowed sessions above the + previous default of 10, disabling connection multiplexing + (MaxSessions=1) or disallowing login/shell/subsystem sessions + entirely (MaxSessions=0). 
+ * Added a no-more-sessions@openssh.com global request extension that is + sent from ssh(1) to sshd(8) when the client knows that it will never + request another session (i.e. when session multiplexing is disabled). + This allows a server to disallow further session requests and + terminate the session in cases where the client has been hijacked. + * ssh-keygen(1) now supports the use of the -l option in combination + with -F to search for a host in ~/.ssh/known_hosts and display its + fingerprint. + * ssh-keyscan(1) now defaults to "rsa" (protocol 2) keys, instead of + "rsa1". + * Added an AllowAgentForwarding option to sshd_config(8) to control + whether authentication agent forwarding is permitted. Note that this + is a loose control, as a client may install their own unofficial + forwarder. + * ssh(1) and sshd(8): avoid unnecessary malloc/copy/free when receiving + network data, resulting in a ~10%% speedup + * ssh(1) and sshd(8) will now try additional addresses when connecting + to a port forward destination whose DNS name resolves to more than + one address. The previous behaviour was to try the only first address + and give up if that failed. (bz#383) + * ssh(1) and sshd(8) now support signalling that channels are + half-closed for writing, through a channel protocol extension + notification "eow@openssh.com". This allows propagation of closed + file descriptors, so that commands such as: + "ssh -2 localhost od /bin/ls | true" + do not send unnecessary data over the wire. (bz#85) + * sshd(8): increased the default size of ssh protocol 1 ephemeral keys + from 768 to 1024 bits. + * When ssh(1) has been requested to fork after authentication + ("ssh -f") with ExitOnForwardFailure enabled, delay the fork until + after replies for any -R forwards have been seen. Allows for robust + detection of -R forward failure when using -f. (bz#92) + * "Match group" blocks in sshd_config(5) now support negation of + groups. E.g. 
"Match group staff,!guests" (bz#1315) + * sftp(1) and sftp-server(8) now allow chmod-like operations to set + set[ug]id/sticky bits. (bz#1310) + * The MaxAuthTries option is now permitted in sshd_config(5) match + blocks. + * Multiplexed ssh(1) sessions now support a subset of the ~ escapes + that are available to a primary connection. (bz#1331) + * ssh(1) connection multiplexing will now fall back to creating a new + connection in most error cases. (bz#1439 bz#1329) + * Added some basic interoperability tests against Twisted Conch. + * Documented OpenSSH's extensions to and deviations from the published + SSH protocols (the PROTOCOL file in the distribution) + * Documented OpenSSH's ssh-agent protocol (PROTOCOL.agent). + * bugfixes +- remove gssapi_krb5-fix patch * Fri Apr 18 2008 werner@suse.de - Handle pts slave lines like utemper * Wed Apr 09 2008 anicka@suse.cz