parent
0ee0f71602
commit
011c00b91f
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:fafd3e0fe129d372340f17906bcdee4150823c2435fe8e85208b23df27ee3d4b
|
|
||||||
size 810512
|
|
@ -1,7 +1,7 @@
|
|||||||
# add support for Linux audit (FATE #120269)
|
# add support for Linux audit (FATE #120269)
|
||||||
================================================================================
|
================================================================================
|
||||||
--- openssh-4.7p1/Makefile.in
|
--- openssh-5.1p1/Makefile.in
|
||||||
+++ openssh-4.7p1/Makefile.in
|
+++ openssh-5.1p1/Makefile.in
|
||||||
@@ -44,6 +44,7 @@
|
@@ -44,6 +44,7 @@
|
||||||
CFLAGS=@CFLAGS@
|
CFLAGS=@CFLAGS@
|
||||||
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
|
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
|
||||||
@ -10,7 +10,7 @@
|
|||||||
SSHDLIBS=@SSHDLIBS@
|
SSHDLIBS=@SSHDLIBS@
|
||||||
LIBEDIT=@LIBEDIT@
|
LIBEDIT=@LIBEDIT@
|
||||||
AR=@AR@
|
AR=@AR@
|
||||||
@@ -136,7 +137,7 @@
|
@@ -137,7 +138,7 @@
|
||||||
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||||
|
|
||||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||||
@ -19,9 +19,9 @@
|
|||||||
|
|
||||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
|
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
|
||||||
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||||
--- openssh-4.7p1/auth.c
|
--- openssh-5.1p1/auth.c
|
||||||
+++ openssh-4.7p1/auth.c
|
+++ openssh-5.1p1/auth.c
|
||||||
@@ -286,6 +286,12 @@
|
@@ -287,6 +287,12 @@
|
||||||
get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
|
get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
|
||||||
# endif
|
# endif
|
||||||
#endif
|
#endif
|
||||||
@ -34,7 +34,7 @@
|
|||||||
#ifdef SSH_AUDIT_EVENTS
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
if (authenticated == 0 && !authctxt->postponed)
|
if (authenticated == 0 && !authctxt->postponed)
|
||||||
audit_event(audit_classify_auth(method));
|
audit_event(audit_classify_auth(method));
|
||||||
@@ -492,6 +498,10 @@
|
@@ -533,6 +539,10 @@
|
||||||
record_failed_login(user,
|
record_failed_login(user,
|
||||||
get_canonical_hostname(options.use_dns), "ssh");
|
get_canonical_hostname(options.use_dns), "ssh");
|
||||||
#endif
|
#endif
|
||||||
@ -45,9 +45,9 @@
|
|||||||
#ifdef SSH_AUDIT_EVENTS
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
audit_event(SSH_INVALID_USER);
|
audit_event(SSH_INVALID_USER);
|
||||||
#endif /* SSH_AUDIT_EVENTS */
|
#endif /* SSH_AUDIT_EVENTS */
|
||||||
--- openssh-4.7p1/config.h.in
|
--- openssh-5.1p1/config.h.in
|
||||||
+++ openssh-4.7p1/config.h.in
|
+++ openssh-5.1p1/config.h.in
|
||||||
@@ -1334,6 +1334,9 @@
|
@@ -1388,6 +1388,9 @@
|
||||||
/* Define if you want SELinux support. */
|
/* Define if you want SELinux support. */
|
||||||
#undef WITH_SELINUX
|
#undef WITH_SELINUX
|
||||||
|
|
||||||
@ -57,9 +57,9 @@
|
|||||||
/* Define to 1 if your processor stores words with the most significant byte
|
/* Define to 1 if your processor stores words with the most significant byte
|
||||||
first (like Motorola and SPARC, unlike Intel and VAX). */
|
first (like Motorola and SPARC, unlike Intel and VAX). */
|
||||||
#undef WORDS_BIGENDIAN
|
#undef WORDS_BIGENDIAN
|
||||||
--- openssh-4.7p1/configure.ac
|
--- openssh-5.1p1/configure.ac
|
||||||
+++ openssh-4.7p1/configure.ac
|
+++ openssh-5.1p1/configure.ac
|
||||||
@@ -3216,6 +3216,20 @@
|
@@ -3314,6 +3314,20 @@
|
||||||
fi ]
|
fi ]
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -80,7 +80,7 @@
|
|||||||
# Check whether user wants Kerberos 5 support
|
# Check whether user wants Kerberos 5 support
|
||||||
KRB5_MSG="no"
|
KRB5_MSG="no"
|
||||||
AC_ARG_WITH(kerberos5,
|
AC_ARG_WITH(kerberos5,
|
||||||
@@ -4036,6 +4050,7 @@
|
@@ -4134,6 +4148,7 @@
|
||||||
echo " OSF SIA support: $SIA_MSG"
|
echo " OSF SIA support: $SIA_MSG"
|
||||||
echo " KerberosV support: $KRB5_MSG"
|
echo " KerberosV support: $KRB5_MSG"
|
||||||
echo " SELinux support: $SELINUX_MSG"
|
echo " SELinux support: $SELINUX_MSG"
|
||||||
@ -88,8 +88,8 @@
|
|||||||
echo " Smartcard support: $SCARD_MSG"
|
echo " Smartcard support: $SCARD_MSG"
|
||||||
echo " S/KEY support: $SKEY_MSG"
|
echo " S/KEY support: $SKEY_MSG"
|
||||||
echo " TCP Wrappers support: $TCPW_MSG"
|
echo " TCP Wrappers support: $TCPW_MSG"
|
||||||
--- openssh-4.7p1/loginrec.c
|
--- openssh-5.1p1/loginrec.c
|
||||||
+++ openssh-4.7p1/loginrec.c
|
+++ openssh-5.1p1/loginrec.c
|
||||||
@@ -176,6 +176,10 @@
|
@@ -176,6 +176,10 @@
|
||||||
#include "auth.h"
|
#include "auth.h"
|
||||||
#include "buffer.h"
|
#include "buffer.h"
|
||||||
@ -174,8 +174,8 @@
|
|||||||
/**
|
/**
|
||||||
** Low-level libutil login() functions
|
** Low-level libutil login() functions
|
||||||
**/
|
**/
|
||||||
--- openssh-4.7p1/loginrec.h
|
--- openssh-5.1p1/loginrec.h
|
||||||
+++ openssh-4.7p1/loginrec.h
|
+++ openssh-5.1p1/loginrec.h
|
||||||
@@ -127,5 +127,9 @@
|
@@ -127,5 +127,9 @@
|
||||||
char *line_abbrevname(char *dst, const char *src, int dstsize);
|
char *line_abbrevname(char *dst, const char *src, int dstsize);
|
||||||
|
|
@ -8,7 +8,7 @@
|
|||||||
|
|
||||||
static LogLevel log_level = SYSLOG_LEVEL_INFO;
|
static LogLevel log_level = SYSLOG_LEVEL_INFO;
|
||||||
static int log_on_stderr = 1;
|
static int log_on_stderr = 1;
|
||||||
@@ -314,6 +315,7 @@
|
@@ -336,6 +337,7 @@
|
||||||
char fmtbuf[MSGBUFSIZ];
|
char fmtbuf[MSGBUFSIZ];
|
||||||
char *txt = NULL;
|
char *txt = NULL;
|
||||||
int pri = LOG_INFO;
|
int pri = LOG_INFO;
|
||||||
@ -16,7 +16,7 @@
|
|||||||
int saved_errno = errno;
|
int saved_errno = errno;
|
||||||
|
|
||||||
if (level > log_level)
|
if (level > log_level)
|
||||||
@@ -365,6 +367,14 @@
|
@@ -387,6 +389,14 @@
|
||||||
snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf);
|
snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf);
|
||||||
write(STDERR_FILENO, msgbuf, strlen(msgbuf));
|
write(STDERR_FILENO, msgbuf, strlen(msgbuf));
|
||||||
} else {
|
} else {
|
||||||
@ -31,7 +31,7 @@
|
|||||||
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
||||||
openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
|
openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
|
||||||
syslog_r(pri, &sdata, "%.500s", fmtbuf);
|
syslog_r(pri, &sdata, "%.500s", fmtbuf);
|
||||||
@@ -374,6 +384,7 @@
|
@@ -396,6 +406,7 @@
|
||||||
syslog(pri, "%.500s", fmtbuf);
|
syslog(pri, "%.500s", fmtbuf);
|
||||||
closelog();
|
closelog();
|
||||||
#endif
|
#endif
|
@ -1,6 +1,6 @@
|
|||||||
--- openssh-4.6p1/sshd.8
|
--- openssh-5.1p1/sshd.8
|
||||||
+++ openssh-4.6p1/sshd.8
|
+++ openssh-5.1p1/sshd.8
|
||||||
@@ -739,7 +739,7 @@
|
@@ -785,7 +785,7 @@
|
||||||
The file format is described in
|
The file format is described in
|
||||||
.Xr moduli 5 .
|
.Xr moduli 5 .
|
||||||
.Pp
|
.Pp
|
||||||
@ -9,7 +9,7 @@
|
|||||||
See
|
See
|
||||||
.Xr motd 5 .
|
.Xr motd 5 .
|
||||||
.Pp
|
.Pp
|
||||||
@@ -752,7 +752,7 @@
|
@@ -798,7 +798,7 @@
|
||||||
refused.
|
refused.
|
||||||
The file should be world-readable.
|
The file should be world-readable.
|
||||||
.Pp
|
.Pp
|
||||||
@ -18,8 +18,8 @@
|
|||||||
This file is used in exactly the same way as
|
This file is used in exactly the same way as
|
||||||
.Pa hosts.equiv ,
|
.Pa hosts.equiv ,
|
||||||
but allows host-based authentication without permitting login with
|
but allows host-based authentication without permitting login with
|
||||||
@@ -828,8 +828,7 @@
|
@@ -875,8 +875,7 @@
|
||||||
.Xr ssh-keygen 1 ,
|
.Xr ssh-keyscan 1 ,
|
||||||
.Xr chroot 2 ,
|
.Xr chroot 2 ,
|
||||||
.Xr hosts_access 5 ,
|
.Xr hosts_access 5 ,
|
||||||
-.Xr login.conf 5 ,
|
-.Xr login.conf 5 ,
|
||||||
@ -28,9 +28,9 @@
|
|||||||
.Xr sshd_config 5 ,
|
.Xr sshd_config 5 ,
|
||||||
.Xr inetd 8 ,
|
.Xr inetd 8 ,
|
||||||
.Xr sftp-server 8
|
.Xr sftp-server 8
|
||||||
--- openssh-4.6p1/sshd_config.5
|
--- openssh-5.1p1/sshd_config.5
|
||||||
+++ openssh-4.6p1/sshd_config.5
|
+++ openssh-5.1p1/sshd_config.5
|
||||||
@@ -167,9 +167,6 @@
|
@@ -177,9 +177,6 @@
|
||||||
By default, no banner is displayed.
|
By default, no banner is displayed.
|
||||||
.It Cm ChallengeResponseAuthentication
|
.It Cm ChallengeResponseAuthentication
|
||||||
Specifies whether challenge-response authentication is allowed.
|
Specifies whether challenge-response authentication is allowed.
|
||||||
@ -39,8 +39,8 @@
|
|||||||
-are supported.
|
-are supported.
|
||||||
The default is
|
The default is
|
||||||
.Dq yes .
|
.Dq yes .
|
||||||
.It Cm Ciphers
|
.It Cm ChrootDirectory
|
||||||
@@ -382,7 +379,7 @@
|
@@ -438,7 +435,7 @@
|
||||||
.Pp
|
.Pp
|
||||||
.Pa /etc/hosts.equiv
|
.Pa /etc/hosts.equiv
|
||||||
and
|
and
|
@ -1,5 +1,5 @@
|
|||||||
--- openssh-4.9p1/ssh-add.c
|
--- openssh-5.1p1/ssh-add.c
|
||||||
+++ openssh-4.9p1/ssh-add.c
|
+++ openssh-5.1p1/ssh-add.c
|
||||||
@@ -43,6 +43,7 @@
|
@@ -43,6 +43,7 @@
|
||||||
|
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
@ -19,8 +19,8 @@
|
|||||||
/* At first, get a connection to the authentication agent. */
|
/* At first, get a connection to the authentication agent. */
|
||||||
ac = ssh_get_authentication_connection();
|
ac = ssh_get_authentication_connection();
|
||||||
if (ac == NULL) {
|
if (ac == NULL) {
|
||||||
--- openssh-4.9p1/ssh-agent.c
|
--- openssh-5.1p1/ssh-agent.c
|
||||||
+++ openssh-4.9p1/ssh-agent.c
|
+++ openssh-5.1p1/ssh-agent.c
|
||||||
@@ -52,6 +52,7 @@
|
@@ -52,6 +52,7 @@
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
#include <openssl/md5.h>
|
#include <openssl/md5.h>
|
||||||
@ -29,7 +29,7 @@
|
|||||||
|
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
#include <fcntl.h>
|
#include <fcntl.h>
|
||||||
@@ -1063,6 +1064,10 @@
|
@@ -1076,6 +1077,10 @@
|
||||||
|
|
||||||
SSLeay_add_all_algorithms();
|
SSLeay_add_all_algorithms();
|
||||||
|
|
||||||
@ -40,8 +40,8 @@
|
|||||||
__progname = ssh_get_progname(av[0]);
|
__progname = ssh_get_progname(av[0]);
|
||||||
init_rng();
|
init_rng();
|
||||||
seed_rng();
|
seed_rng();
|
||||||
--- openssh-4.9p1/ssh-keygen.c
|
--- openssh-5.1p1/ssh-keygen.c
|
||||||
+++ openssh-4.9p1/ssh-keygen.c
|
+++ openssh-5.1p1/ssh-keygen.c
|
||||||
@@ -22,6 +22,7 @@
|
@@ -22,6 +22,7 @@
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
#include <openssl/pem.h>
|
#include <openssl/pem.h>
|
||||||
@ -50,7 +50,7 @@
|
|||||||
|
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
#include <fcntl.h>
|
#include <fcntl.h>
|
||||||
@@ -1072,6 +1073,11 @@
|
@@ -1099,6 +1100,11 @@
|
||||||
__progname = ssh_get_progname(argv[0]);
|
__progname = ssh_get_progname(argv[0]);
|
||||||
|
|
||||||
SSLeay_add_all_algorithms();
|
SSLeay_add_all_algorithms();
|
||||||
@ -62,8 +62,8 @@
|
|||||||
log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
|
log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
|
||||||
|
|
||||||
init_rng();
|
init_rng();
|
||||||
--- openssh-4.9p1/ssh-keysign.c
|
--- openssh-5.1p1/ssh-keysign.c
|
||||||
+++ openssh-4.9p1/ssh-keysign.c
|
+++ openssh-5.1p1/ssh-keysign.c
|
||||||
@@ -38,6 +38,7 @@
|
@@ -38,6 +38,7 @@
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
#include <openssl/rand.h>
|
#include <openssl/rand.h>
|
||||||
@ -84,17 +84,17 @@
|
|||||||
for (i = 0; i < 256; i++)
|
for (i = 0; i < 256; i++)
|
||||||
rnd[i] = arc4random();
|
rnd[i] = arc4random();
|
||||||
RAND_seed(rnd, sizeof(rnd));
|
RAND_seed(rnd, sizeof(rnd));
|
||||||
--- openssh-4.9p1/ssh.c
|
--- openssh-5.1p1/ssh.c
|
||||||
+++ openssh-4.9p1/ssh.c
|
+++ openssh-5.1p1/ssh.c
|
||||||
@@ -73,6 +73,7 @@
|
@@ -73,6 +73,7 @@
|
||||||
#include <openssl/evp.h>
|
|
||||||
#include <openssl/err.h>
|
#include <openssl/err.h>
|
||||||
#include "openbsd-compat/openssl-compat.h"
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
|
#include "openbsd-compat/sys-queue.h"
|
||||||
+#include <openssl/engine.h>
|
+#include <openssl/engine.h>
|
||||||
|
|
||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
#include "ssh.h"
|
#include "ssh.h"
|
||||||
@@ -561,6 +562,10 @@
|
@@ -562,6 +563,10 @@
|
||||||
SSLeay_add_all_algorithms();
|
SSLeay_add_all_algorithms();
|
||||||
ERR_load_crypto_strings();
|
ERR_load_crypto_strings();
|
||||||
|
|
||||||
@ -105,9 +105,9 @@
|
|||||||
/* Initialize the command to execute on remote host. */
|
/* Initialize the command to execute on remote host. */
|
||||||
buffer_init(&command);
|
buffer_init(&command);
|
||||||
|
|
||||||
--- openssh-4.9p1/sshd.c
|
--- openssh-5.1p1/sshd.c
|
||||||
+++ openssh-4.9p1/sshd.c
|
+++ openssh-5.1p1/sshd.c
|
||||||
@@ -76,6 +76,7 @@
|
@@ -77,6 +77,7 @@
|
||||||
#include <openssl/md5.h>
|
#include <openssl/md5.h>
|
||||||
#include <openssl/rand.h>
|
#include <openssl/rand.h>
|
||||||
#include "openbsd-compat/openssl-compat.h"
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
@ -115,7 +115,7 @@
|
|||||||
|
|
||||||
#ifdef HAVE_SECUREWARE
|
#ifdef HAVE_SECUREWARE
|
||||||
#include <sys/security.h>
|
#include <sys/security.h>
|
||||||
@@ -1465,6 +1466,10 @@
|
@@ -1416,6 +1417,10 @@
|
||||||
|
|
||||||
SSLeay_add_all_algorithms();
|
SSLeay_add_all_algorithms();
|
||||||
|
|
@ -46,7 +46,7 @@ Index: auth2-gss.c
|
|||||||
#endif /* GSSAPI */
|
#endif /* GSSAPI */
|
||||||
--- auth2.c
|
--- auth2.c
|
||||||
+++ auth2.c
|
+++ auth2.c
|
||||||
@@ -65,6 +65,7 @@
|
@@ -70,6 +70,7 @@
|
||||||
extern Authmethod method_hostbased;
|
extern Authmethod method_hostbased;
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
extern Authmethod method_gssapi;
|
extern Authmethod method_gssapi;
|
||||||
@ -54,7 +54,7 @@ Index: auth2-gss.c
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
Authmethod *authmethods[] = {
|
Authmethod *authmethods[] = {
|
||||||
@@ -72,6 +73,7 @@
|
@@ -77,6 +78,7 @@
|
||||||
&method_pubkey,
|
&method_pubkey,
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
&method_gssapi,
|
&method_gssapi,
|
||||||
@ -73,7 +73,7 @@ Index: auth2-gss.c
|
|||||||
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
||||||
oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
|
oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
|
||||||
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
|
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
|
||||||
@@ -164,9 +164,11 @@
|
@@ -165,9 +165,11 @@
|
||||||
#if defined(GSSAPI)
|
#if defined(GSSAPI)
|
||||||
{ "gssapiauthentication", oGssAuthentication },
|
{ "gssapiauthentication", oGssAuthentication },
|
||||||
{ "gssapidelegatecredentials", oGssDelegateCreds },
|
{ "gssapidelegatecredentials", oGssDelegateCreds },
|
||||||
@ -85,7 +85,7 @@ Index: auth2-gss.c
|
|||||||
#endif
|
#endif
|
||||||
{ "fallbacktorsh", oDeprecated },
|
{ "fallbacktorsh", oDeprecated },
|
||||||
{ "usersh", oDeprecated },
|
{ "usersh", oDeprecated },
|
||||||
@@ -445,6 +447,10 @@
|
@@ -447,6 +449,10 @@
|
||||||
case oGssDelegateCreds:
|
case oGssDelegateCreds:
|
||||||
intptr = &options->gss_deleg_creds;
|
intptr = &options->gss_deleg_creds;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
@ -96,7 +96,7 @@ Index: auth2-gss.c
|
|||||||
|
|
||||||
case oBatchMode:
|
case oBatchMode:
|
||||||
intptr = &options->batch_mode;
|
intptr = &options->batch_mode;
|
||||||
@@ -1011,6 +1017,7 @@
|
@@ -1017,6 +1023,7 @@
|
||||||
options->challenge_response_authentication = -1;
|
options->challenge_response_authentication = -1;
|
||||||
options->gss_authentication = -1;
|
options->gss_authentication = -1;
|
||||||
options->gss_deleg_creds = -1;
|
options->gss_deleg_creds = -1;
|
||||||
@ -104,7 +104,7 @@ Index: auth2-gss.c
|
|||||||
options->password_authentication = -1;
|
options->password_authentication = -1;
|
||||||
options->kbd_interactive_authentication = -1;
|
options->kbd_interactive_authentication = -1;
|
||||||
options->kbd_interactive_devices = NULL;
|
options->kbd_interactive_devices = NULL;
|
||||||
@@ -1101,6 +1108,8 @@
|
@@ -1108,6 +1115,8 @@
|
||||||
options->gss_authentication = 0;
|
options->gss_authentication = 0;
|
||||||
if (options->gss_deleg_creds == -1)
|
if (options->gss_deleg_creds == -1)
|
||||||
options->gss_deleg_creds = 0;
|
options->gss_deleg_creds = 0;
|
||||||
@ -125,7 +125,7 @@ Index: auth2-gss.c
|
|||||||
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
||||||
--- servconf.c
|
--- servconf.c
|
||||||
+++ servconf.c
|
+++ servconf.c
|
||||||
@@ -91,6 +91,7 @@
|
@@ -93,6 +93,7 @@
|
||||||
options->kerberos_get_afs_token = -1;
|
options->kerberos_get_afs_token = -1;
|
||||||
options->gss_authentication=-1;
|
options->gss_authentication=-1;
|
||||||
options->gss_cleanup_creds = -1;
|
options->gss_cleanup_creds = -1;
|
||||||
@ -133,7 +133,7 @@ Index: auth2-gss.c
|
|||||||
options->password_authentication = -1;
|
options->password_authentication = -1;
|
||||||
options->kbd_interactive_authentication = -1;
|
options->kbd_interactive_authentication = -1;
|
||||||
options->challenge_response_authentication = -1;
|
options->challenge_response_authentication = -1;
|
||||||
@@ -207,6 +208,8 @@
|
@@ -211,6 +212,8 @@
|
||||||
options->gss_authentication = 0;
|
options->gss_authentication = 0;
|
||||||
if (options->gss_cleanup_creds == -1)
|
if (options->gss_cleanup_creds == -1)
|
||||||
options->gss_cleanup_creds = 1;
|
options->gss_cleanup_creds = 1;
|
||||||
@ -142,16 +142,16 @@ Index: auth2-gss.c
|
|||||||
if (options->password_authentication == -1)
|
if (options->password_authentication == -1)
|
||||||
options->password_authentication = 1;
|
options->password_authentication = 1;
|
||||||
if (options->kbd_interactive_authentication == -1)
|
if (options->kbd_interactive_authentication == -1)
|
||||||
@@ -291,7 +294,7 @@
|
@@ -299,7 +302,7 @@
|
||||||
sBanner, sUseDNS, sHostbasedAuthentication,
|
sBanner, sUseDNS, sHostbasedAuthentication,
|
||||||
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
||||||
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
|
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
|
||||||
- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
|
- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
|
||||||
+ sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssEnableMITM,
|
+ sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssEnableMITM,
|
||||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||||
sUsePrivilegeSeparation,
|
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||||
sDeprecated, sUnsupported
|
sDeprecated, sUnsupported
|
||||||
@@ -352,9 +355,11 @@
|
@@ -360,9 +363,11 @@
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
||||||
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
||||||
@ -163,7 +163,7 @@ Index: auth2-gss.c
|
|||||||
#endif
|
#endif
|
||||||
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
||||||
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
||||||
@@ -878,6 +883,10 @@
|
@@ -885,6 +890,10 @@
|
||||||
case sGssCleanupCreds:
|
case sGssCleanupCreds:
|
||||||
intptr = &options->gss_cleanup_creds;
|
intptr = &options->gss_cleanup_creds;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
@ -176,7 +176,7 @@ Index: auth2-gss.c
|
|||||||
intptr = &options->password_authentication;
|
intptr = &options->password_authentication;
|
||||||
--- servconf.h
|
--- servconf.h
|
||||||
+++ servconf.h
|
+++ servconf.h
|
||||||
@@ -91,6 +91,7 @@
|
@@ -92,6 +92,7 @@
|
||||||
* authenticated with Kerberos. */
|
* authenticated with Kerberos. */
|
||||||
int gss_authentication; /* If true, permit GSSAPI authentication */
|
int gss_authentication; /* If true, permit GSSAPI authentication */
|
||||||
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
||||||
@ -202,7 +202,7 @@ Index: auth2-gss.c
|
|||||||
+>>>>>>>
|
+>>>>>>>
|
||||||
--- sshconnect2.c
|
--- sshconnect2.c
|
||||||
+++ sshconnect2.c
|
+++ sshconnect2.c
|
||||||
@@ -243,6 +243,10 @@
|
@@ -246,6 +246,10 @@
|
||||||
userauth_gssapi,
|
userauth_gssapi,
|
||||||
&options.gss_authentication,
|
&options.gss_authentication,
|
||||||
NULL},
|
NULL},
|
||||||
@ -213,7 +213,7 @@ Index: auth2-gss.c
|
|||||||
#endif
|
#endif
|
||||||
{"hostbased",
|
{"hostbased",
|
||||||
userauth_hostbased,
|
userauth_hostbased,
|
||||||
@@ -577,7 +581,9 @@
|
@@ -587,7 +591,9 @@
|
||||||
|
|
||||||
if (status == GSS_S_COMPLETE) {
|
if (status == GSS_S_COMPLETE) {
|
||||||
/* send either complete or MIC, depending on mechanism */
|
/* send either complete or MIC, depending on mechanism */
|
||||||
@ -226,7 +226,7 @@ Index: auth2-gss.c
|
|||||||
} else {
|
} else {
|
||||||
--- sshd_config
|
--- sshd_config
|
||||||
+++ sshd_config
|
+++ sshd_config
|
||||||
@@ -73,6 +73,13 @@
|
@@ -74,6 +74,13 @@
|
||||||
#GSSAPIAuthentication no
|
#GSSAPIAuthentication no
|
||||||
#GSSAPICleanupCredentials yes
|
#GSSAPICleanupCredentials yes
|
||||||
|
|
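Review bot: The refreshed GSSAPI patch still carries an added line `+>>>>>>>` immediately before its `--- sshconnect2.c` section, and it is identical on both sides of this commit. It looks like a leftover merge-conflict marker that the patch would write into whichever file precedes sshconnect2.c in the patch; that file's name is outside the visible context, so this is inferred. Since the patch is being re-diffed against 5.1p1 anyway, drop that line, correct the enclosing hunk's line counts, and confirm the patched file still parses as intended.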
@ -1,6 +1,6 @@
|
|||||||
--- sshd_config
|
--- sshd_config
|
||||||
+++ sshd_config
|
+++ sshd_config
|
||||||
@@ -53,7 +53,7 @@
|
@@ -58,7 +58,7 @@
|
||||||
#IgnoreRhosts yes
|
#IgnoreRhosts yes
|
||||||
|
|
||||||
# To disable tunneled clear text passwords, change to no here!
|
# To disable tunneled clear text passwords, change to no here!
|
||||||
@ -9,12 +9,12 @@
|
|||||||
#PermitEmptyPasswords no
|
#PermitEmptyPasswords no
|
||||||
|
|
||||||
# Change to no to disable s/key passwords
|
# Change to no to disable s/key passwords
|
||||||
@@ -78,7 +78,7 @@
|
@@ -83,7 +83,7 @@
|
||||||
# If you just want the PAM account and session checks to run without
|
# If you just want the PAM account and session checks to run without
|
||||||
# PAM authentication, then enable this but set PasswordAuthentication
|
# PAM authentication, then enable this but set PasswordAuthentication
|
||||||
# and ChallengeResponseAuthentication to 'no'.
|
# and ChallengeResponseAuthentication to 'no'.
|
||||||
-#UsePAM no
|
-#UsePAM no
|
||||||
+UsePAM yes
|
+UsePAM yes
|
||||||
|
|
||||||
|
#AllowAgentForwarding yes
|
||||||
#AllowTcpForwarding yes
|
#AllowTcpForwarding yes
|
||||||
#GatewayPorts no
|
|
@ -1,6 +1,6 @@
|
|||||||
--- auth-pam.c
|
--- auth-pam.c
|
||||||
+++ auth-pam.c
|
+++ auth-pam.c
|
||||||
@@ -785,7 +785,9 @@
|
@@ -786,7 +786,9 @@
|
||||||
fatal("Internal error: PAM auth "
|
fatal("Internal error: PAM auth "
|
||||||
"succeeded when it should have "
|
"succeeded when it should have "
|
||||||
"failed");
|
"failed");
|
@ -1,6 +1,6 @@
|
|||||||
--- loginrec.c
|
--- loginrec.c
|
||||||
+++ loginrec.c 2008-04-18 17:58:59.585065028 +0200
|
+++ loginrec.c
|
||||||
@@ -549,7 +549,7 @@ getlast_entry(struct logininfo *li)
|
@@ -549,7 +549,7 @@
|
||||||
* 1. The full filename (including '/dev')
|
* 1. The full filename (including '/dev')
|
||||||
* 2. The stripped name (excluding '/dev')
|
* 2. The stripped name (excluding '/dev')
|
||||||
* 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00
|
* 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00
|
||||||
@ -9,7 +9,7 @@
|
|||||||
*
|
*
|
||||||
* Form 3 is used on some systems to identify a .tmp.? entry when
|
* Form 3 is used on some systems to identify a .tmp.? entry when
|
||||||
* attempting to remove it. Typically both addition and removal is
|
* attempting to remove it. Typically both addition and removal is
|
||||||
@@ -610,6 +610,10 @@ line_abbrevname(char *dst, const char *s
|
@@ -610,6 +610,10 @@
|
||||||
if (strncmp(src, "tty", 3) == 0)
|
if (strncmp(src, "tty", 3) == 0)
|
||||||
src += 3;
|
src += 3;
|
||||||
#endif
|
#endif
|
@ -1,6 +1,6 @@
|
|||||||
--- sshd.c
|
--- sshd.c
|
||||||
+++ sshd.c
|
+++ sshd.c
|
||||||
@@ -358,6 +358,7 @@
|
@@ -305,6 +305,7 @@
|
||||||
static void
|
static void
|
||||||
sighup_restart(void)
|
sighup_restart(void)
|
||||||
{
|
{
|
||||||
@ -8,7 +8,7 @@
|
|||||||
logit("Received SIGHUP; restarting.");
|
logit("Received SIGHUP; restarting.");
|
||||||
close_listen_socks();
|
close_listen_socks();
|
||||||
close_startup_pipes();
|
close_startup_pipes();
|
||||||
@@ -1318,7 +1319,11 @@
|
@@ -1270,7 +1271,11 @@
|
||||||
#ifndef HAVE_SETPROCTITLE
|
#ifndef HAVE_SETPROCTITLE
|
||||||
/* Prepare for later setproctitle emulation */
|
/* Prepare for later setproctitle emulation */
|
||||||
compat_init_setproctitle(ac, av);
|
compat_init_setproctitle(ac, av);
|
@ -1,6 +1,6 @@
|
|||||||
--- ssh_config
|
--- ssh_config
|
||||||
+++ ssh_config
|
+++ ssh_config
|
||||||
@@ -62,4 +62,7 @@
|
@@ -63,4 +63,7 @@
|
||||||
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
|
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
|
||||||
# GSSAPIEnableMITMAttack no
|
# GSSAPIEnableMITMAttack no
|
||||||
|
|
||||||
@ -11,7 +11,7 @@
|
|||||||
+SendEnv LC_IDENTIFICATION LC_ALL
|
+SendEnv LC_IDENTIFICATION LC_ALL
|
||||||
--- sshd_config
|
--- sshd_config
|
||||||
+++ sshd_config
|
+++ sshd_config
|
||||||
@@ -112,6 +112,11 @@
|
@@ -119,6 +119,11 @@
|
||||||
# override default of no subsystems
|
# override default of no subsystems
|
||||||
Subsystem sftp /usr/libexec/sftp-server
|
Subsystem sftp /usr/libexec/sftp-server
|
||||||
|
|
@ -1,6 +1,6 @@
|
|||||||
--- ssh-agent.c
|
--- ssh-agent.c
|
||||||
+++ ssh-agent.c
|
+++ ssh-agent.c
|
||||||
@@ -1126,8 +1126,18 @@
|
@@ -1159,8 +1159,18 @@
|
||||||
parent_pid = getpid();
|
parent_pid = getpid();
|
||||||
|
|
||||||
if (agentsocket == NULL) {
|
if (agentsocket == NULL) {
|
@ -1,6 +1,6 @@
|
|||||||
--- session.c
|
--- session.c
|
||||||
+++ session.c
|
+++ session.c
|
||||||
@@ -2250,8 +2250,41 @@
|
@@ -2487,8 +2487,41 @@
|
||||||
session_close(Session *s)
|
session_close(Session *s)
|
||||||
{
|
{
|
||||||
u_int i;
|
u_int i;
|
@ -1,6 +1,6 @@
|
|||||||
--- session.c
|
--- session.c
|
||||||
+++ session.c
|
+++ session.c
|
||||||
@@ -997,7 +997,7 @@
|
@@ -1104,7 +1104,7 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
static char **
|
static char **
|
||||||
@ -9,7 +9,7 @@
|
|||||||
{
|
{
|
||||||
char buf[256];
|
char buf[256];
|
||||||
u_int i, envsize;
|
u_int i, envsize;
|
||||||
@@ -1184,6 +1184,8 @@
|
@@ -1291,6 +1291,8 @@
|
||||||
for (i = 0; env[i]; i++)
|
for (i = 0; env[i]; i++)
|
||||||
fprintf(stderr, " %.200s\n", env[i]);
|
fprintf(stderr, " %.200s\n", env[i]);
|
||||||
}
|
}
|
||||||
@ -18,7 +18,7 @@
|
|||||||
return env;
|
return env;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1192,7 +1194,7 @@
|
@@ -1299,7 +1301,7 @@
|
||||||
* first in this order).
|
* first in this order).
|
||||||
*/
|
*/
|
||||||
static void
|
static void
|
||||||
@ -27,7 +27,7 @@
|
|||||||
{
|
{
|
||||||
FILE *f = NULL;
|
FILE *f = NULL;
|
||||||
char cmd[1024];
|
char cmd[1024];
|
||||||
@@ -1246,12 +1248,20 @@
|
@@ -1353,12 +1355,20 @@
|
||||||
options.xauth_location);
|
options.xauth_location);
|
||||||
f = popen(cmd, "w");
|
f = popen(cmd, "w");
|
||||||
if (f) {
|
if (f) {
|
||||||
@ -48,7 +48,7 @@
|
|||||||
} else {
|
} else {
|
||||||
fprintf(stderr, "Could not run %s\n",
|
fprintf(stderr, "Could not run %s\n",
|
||||||
cmd);
|
cmd);
|
||||||
@@ -1537,6 +1547,7 @@
|
@@ -1644,6 +1654,7 @@
|
||||||
{
|
{
|
||||||
extern char **environ;
|
extern char **environ;
|
||||||
char **env;
|
char **env;
|
||||||
@ -56,7 +56,7 @@
|
|||||||
char *argv[ARGV_MAX];
|
char *argv[ARGV_MAX];
|
||||||
const char *shell, *shell0, *hostname = NULL;
|
const char *shell, *shell0, *hostname = NULL;
|
||||||
struct passwd *pw = s->pw;
|
struct passwd *pw = s->pw;
|
||||||
@@ -1602,7 +1613,7 @@
|
@@ -1710,7 +1721,7 @@
|
||||||
* Make sure $SHELL points to the shell from the password file,
|
* Make sure $SHELL points to the shell from the password file,
|
||||||
* even if shell is overridden from login.conf
|
* even if shell is overridden from login.conf
|
||||||
*/
|
*/
|
||||||
@ -65,7 +65,7 @@
|
|||||||
|
|
||||||
#ifdef HAVE_LOGIN_CAP
|
#ifdef HAVE_LOGIN_CAP
|
||||||
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
|
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
|
||||||
@@ -1666,7 +1677,7 @@
|
@@ -1778,7 +1789,7 @@
|
||||||
closefrom(STDERR_FILENO + 1);
|
closefrom(STDERR_FILENO + 1);
|
||||||
|
|
||||||
if (!options.use_login)
|
if (!options.use_login)
|
@ -24,8 +24,8 @@
|
|||||||
# PasswordAuthentication yes
|
# PasswordAuthentication yes
|
||||||
--- sshd_config
|
--- sshd_config
|
||||||
+++ sshd_config
|
+++ sshd_config
|
||||||
@@ -82,7 +82,7 @@
|
@@ -88,7 +88,7 @@
|
||||||
|
#AllowAgentForwarding yes
|
||||||
#AllowTcpForwarding yes
|
#AllowTcpForwarding yes
|
||||||
#GatewayPorts no
|
#GatewayPorts no
|
||||||
-#X11Forwarding no
|
-#X11Forwarding no
|
||||||
@ -35,7 +35,7 @@
|
|||||||
#PrintMotd yes
|
#PrintMotd yes
|
||||||
--- sshlogin.c
|
--- sshlogin.c
|
||||||
+++ sshlogin.c
|
+++ sshlogin.c
|
||||||
@@ -126,6 +126,7 @@
|
@@ -125,6 +125,7 @@
|
||||||
|
|
||||||
li = login_alloc_entry(pid, user, host, tty);
|
li = login_alloc_entry(pid, user, host, tty);
|
||||||
login_set_addr(li, addr, addrlen);
|
login_set_addr(li, addr, addrlen);
|
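--- a/openssh-5.1p1.tar.bz2
+++ b/openssh-5.1p1.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bbe533aa4d2d083011035e3b63e558eaf8db83f7b062410a2035aeb822904472
+size 835720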
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# spec file for package openssh-askpass-gnome (Version 5.0p1)
|
# spec file for package openssh-askpass-gnome (Version 5.1p1)
|
||||||
#
|
#
|
||||||
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||||
# This file and all modifications and additions to the pristine
|
# This file and all modifications and additions to the pristine
|
||||||
@ -15,8 +15,8 @@ Name: openssh-askpass-gnome
|
|||||||
BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files
|
BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files
|
||||||
License: BSD 3-Clause
|
License: BSD 3-Clause
|
||||||
Group: Productivity/Networking/SSH
|
Group: Productivity/Networking/SSH
|
||||||
Version: 5.0p1
|
Version: 5.1p1
|
||||||
Release: 5
|
Release: 1
|
||||||
Requires: openssh = %{version} openssh-askpass = %{version}
|
Requires: openssh = %{version} openssh-askpass = %{version}
|
||||||
AutoReqProv: on
|
AutoReqProv: on
|
||||||
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
||||||
@ -31,7 +31,6 @@ Patch21: %{_name}-%{version}-gssapimitm.patch
|
|||||||
Patch26: %{_name}-%{version}-eal3.diff
|
Patch26: %{_name}-%{version}-eal3.diff
|
||||||
Patch27: %{_name}-%{version}-engines.diff
|
Patch27: %{_name}-%{version}-engines.diff
|
||||||
Patch28: %{_name}-%{version}-blocksigalrm.diff
|
Patch28: %{_name}-%{version}-blocksigalrm.diff
|
||||||
Patch42: %{_name}-gssapi_krb5-fix.patch
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
|
|
||||||
%description
|
%description
|
||||||
@ -74,7 +73,6 @@ Authors:
|
|||||||
%patch26 -p1
|
%patch26 -p1
|
||||||
%patch27 -p1
|
%patch27 -p1
|
||||||
%patch28
|
%patch28
|
||||||
%patch42
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%{?suse_update_config:%{suse_update_config}}
|
%{?suse_update_config:%{suse_update_config}}
|
||||||
|
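Review bot: Patch42 (`%{_name}-gssapi_krb5-fix.patch`) and its `%patch42` line are dropped here, and the same pair is dropped in openssh.spec, but the only record of it is the changelog line `- remove gssapi_krb5-fix patch`, which gives no reason. The deleted patch made configure.ac probe -lgssapi_krb5 for gss_krb5_copy_ccache(), and this package still lists krb5-devel in BuildRequires and carries the gssapimitm patch, so GSSAPI linkage still matters for the build. Whether 5.1p1's own configure covers that probe cannot be seen from this page. I would extend the changelog entry to state the reason, for example `- remove gssapi_krb5-fix patch (no longer needed with 5.1p1 configure; GSSAPI build verified)`, worded to match what was actually checked.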
@ -1,18 +0,0 @@
|
|||||||
--- configure.ac
|
|
||||||
+++ configure.ac
|
|
||||||
@@ -3283,7 +3283,14 @@
|
|
||||||
K5LIBS="-lgssapi $K5LIBS" ],
|
|
||||||
[ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context,
|
|
||||||
[ AC_DEFINE(GSSAPI)
|
|
||||||
- K5LIBS="-lgssapi_krb5 $K5LIBS" ],
|
|
||||||
+ K5LIBS="-lgssapi_krb5 $K5LIBS" ]
|
|
||||||
+ AC_CHECK_LIB(gssapi_krb5, gss_krb5_copy_ccache, [
|
|
||||||
+ K5LIBS="-lgssapi_krb5 $K5LIBS"
|
|
||||||
+ ], [
|
|
||||||
+ AC_MSG_WARN([Cannot find -lgssapi_krb5 with gss_krb5_copy_ccache()])
|
|
||||||
+ ],
|
|
||||||
+ $K5LIBS
|
|
||||||
+ ),
|
|
||||||
AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]),
|
|
||||||
$K5LIBS)
|
|
||||||
],
|
|
@ -1,3 +1,87 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jul 22 20:39:29 CEST 2008 - anicka@suse.cz
|
||||||
|
|
||||||
|
- update to 5.1p1
|
||||||
|
* sshd(8): Avoid X11 man-in-the-middle attack on HP/UX (and possibly
|
||||||
|
other platforms) when X11UseLocalhost=no
|
||||||
|
* Introduce experimental SSH Fingerprint ASCII Visualisation to ssh(1)
|
||||||
|
and ssh-keygen(1). Visual fingerprinnt display is controlled by a new
|
||||||
|
ssh_config(5) option "VisualHostKey".
|
||||||
|
* sshd_config(5) now supports CIDR address/masklen matching in "Match
|
||||||
|
address" blocks, with a fallback to classic wildcard matching.
|
||||||
|
* sshd(8) now supports CIDR matching in ~/.ssh/authorized_keys
|
||||||
|
from="..." restrictions, also with a fallback to classic wildcard
|
||||||
|
matching.
|
||||||
|
* Added an extended test mode (-T) to sshd(8) to request that it write
|
||||||
|
its effective configuration to stdout and exit. Extended test mode
|
||||||
|
also supports the specification of connection parameters (username,
|
||||||
|
source address and hostname) to test the application of
|
||||||
|
sshd_config(5) Match rules.
|
||||||
|
* ssh(1) now prints the number of bytes transferred and the overall
|
||||||
|
connection throughput for SSH protocol 2 sessions when in verbose
|
||||||
|
mode (previously these statistics were displayed for protocol 1
|
||||||
|
connections only).
|
||||||
|
* sftp-server(8) now supports extension methods statvfs@openssh.com and
|
||||||
|
fstatvfs@openssh.com that implement statvfs(2)-like operations.
|
||||||
|
* sftp(1) now has a "df" command to the sftp client that uses the
|
||||||
|
statvfs@openssh.com to produce a df(1)-like display of filesystem
|
||||||
|
space and inode utilisation (requires statvfs@openssh.com support on
|
||||||
|
the server)
|
||||||
|
* Added a MaxSessions option to sshd_config(5) to allow control of the
|
||||||
|
number of multiplexed sessions supported over a single TCP connection.
|
||||||
|
This allows increasing the number of allowed sessions above the
|
||||||
|
previous default of 10, disabling connection multiplexing
|
||||||
|
(MaxSessions=1) or disallowing login/shell/subsystem sessions
|
||||||
|
entirely (MaxSessions=0).
|
||||||
|
* Added a no-more-sessions@openssh.com global request extension that is
|
||||||
|
sent from ssh(1) to sshd(8) when the client knows that it will never
|
||||||
|
request another session (i.e. when session multiplexing is disabled).
|
||||||
|
This allows a server to disallow further session requests and
|
||||||
|
terminate the session in cases where the client has been hijacked.
|
||||||
|
* ssh-keygen(1) now supports the use of the -l option in combination
|
||||||
|
with -F to search for a host in ~/.ssh/known_hosts and display its
|
||||||
|
fingerprint.
|
||||||
|
* ssh-keyscan(1) now defaults to "rsa" (protocol 2) keys, instead of
|
||||||
|
"rsa1".
|
||||||
|
* Added an AllowAgentForwarding option to sshd_config(8) to control
|
||||||
|
whether authentication agent forwarding is permitted. Note that this
|
||||||
|
is a loose control, as a client may install their own unofficial
|
||||||
|
forwarder.
|
||||||
|
* ssh(1) and sshd(8): avoid unnecessary malloc/copy/free when receiving
|
||||||
|
network data, resulting in a ~10% speedup
|
||||||
|
* ssh(1) and sshd(8) will now try additional addresses when connecting
|
||||||
|
to a port forward destination whose DNS name resolves to more than
|
||||||
|
one address. The previous behaviour was to try the only first address
|
||||||
|
and give up if that failed. (bz#383)
|
||||||
|
* ssh(1) and sshd(8) now support signalling that channels are
|
||||||
|
half-closed for writing, through a channel protocol extension
|
||||||
|
notification "eow@openssh.com". This allows propagation of closed
|
||||||
|
file descriptors, so that commands such as:
|
||||||
|
"ssh -2 localhost od /bin/ls | true"
|
||||||
|
do not send unnecessary data over the wire. (bz#85)
|
||||||
|
* sshd(8): increased the default size of ssh protocol 1 ephemeral keys
|
||||||
|
from 768 to 1024 bits.
|
||||||
|
* When ssh(1) has been requested to fork after authentication
|
||||||
|
("ssh -f") with ExitOnForwardFailure enabled, delay the fork until
|
||||||
|
after replies for any -R forwards have been seen. Allows for robust
|
||||||
|
detection of -R forward failure when using -f. (bz#92)
|
||||||
|
* "Match group" blocks in sshd_config(5) now support negation of
|
||||||
|
groups. E.g. "Match group staff,!guests" (bz#1315)
|
||||||
|
* sftp(1) and sftp-server(8) now allow chmod-like operations to set
|
||||||
|
set[ug]id/sticky bits. (bz#1310)
|
||||||
|
* The MaxAuthTries option is now permitted in sshd_config(5) match
|
||||||
|
blocks.
|
||||||
|
* Multiplexed ssh(1) sessions now support a subset of the ~ escapes
|
||||||
|
that are available to a primary connection. (bz#1331)
|
||||||
|
* ssh(1) connection multiplexing will now fall back to creating a new
|
||||||
|
connection in most error cases. (bz#1439 bz#1329)
|
||||||
|
* Added some basic interoperability tests against Twisted Conch.
|
||||||
|
* Documented OpenSSH's extensions to and deviations from the published
|
||||||
|
SSH protocols (the PROTOCOL file in the distribution)
|
||||||
|
* Documented OpenSSH's ssh-agent protocol (PROTOCOL.agent).
|
||||||
|
* bugfixes
|
||||||
|
- remove gssapi_krb5-fix patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Apr 18 17:53:30 CEST 2008 - werner@suse.de
|
Fri Apr 18 17:53:30 CEST 2008 - werner@suse.de
|
||||||
|
|
||||||
|
91
openssh.spec
91
openssh.spec
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# spec file for package openssh (Version 5.0p1)
|
# spec file for package openssh (Version 5.1p1)
|
||||||
#
|
#
|
||||||
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||||
# This file and all modifications and additions to the pristine
|
# This file and all modifications and additions to the pristine
|
||||||
@ -29,8 +29,8 @@ Requires: /bin/netstat
|
|||||||
PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_prereq /bin/mkdir /bin/cat permissions
|
PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_prereq /bin/mkdir /bin/cat permissions
|
||||||
Conflicts: nonfreessh
|
Conflicts: nonfreessh
|
||||||
AutoReqProv: on
|
AutoReqProv: on
|
||||||
Version: 5.0p1
|
Version: 5.1p1
|
||||||
Release: 4
|
Release: 1
|
||||||
%define xversion 1.2.4.1
|
%define xversion 1.2.4.1
|
||||||
Summary: Secure Shell Client and Server (Remote Login Program)
|
Summary: Secure Shell Client and Server (Remote Login Program)
|
||||||
Url: http://www.openssh.com/
|
Url: http://www.openssh.com/
|
||||||
@ -58,7 +58,6 @@ Patch36: %{name}-%{version}-xauthlocalhostname.diff
|
|||||||
Patch37: %{name}-%{version}-tmpdir.diff
|
Patch37: %{name}-%{version}-tmpdir.diff
|
||||||
Patch40: %{name}-%{version}-xauth.diff
|
Patch40: %{name}-%{version}-xauth.diff
|
||||||
Patch41: %{name}-%{version}-gcc-fix.patch
|
Patch41: %{name}-%{version}-gcc-fix.patch
|
||||||
Patch42: %{name}-gssapi_krb5-fix.patch
|
|
||||||
Patch43: %{name}-%{version}-default-protocol.diff
|
Patch43: %{name}-%{version}-default-protocol.diff
|
||||||
Patch44: %{name}-%{version}-audit.patch
|
Patch44: %{name}-%{version}-audit.patch
|
||||||
Patch45: %{name}-%{version}-pts.diff
|
Patch45: %{name}-%{version}-pts.diff
|
||||||
@ -148,7 +147,6 @@ Authors:
|
|||||||
%patch37
|
%patch37
|
||||||
%patch40
|
%patch40
|
||||||
%patch41
|
%patch41
|
||||||
%patch42
|
|
||||||
%patch43
|
%patch43
|
||||||
%patch44 -p1
|
%patch44 -p1
|
||||||
%patch45
|
%patch45
|
||||||
@ -252,7 +250,7 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
%files
|
%files
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
%dir %attr(755,root,root) /var/lib/sshd
|
%dir %attr(755,root,root) /var/lib/sshd
|
||||||
%doc README.SuSE README.kerberos ChangeLog OVERVIEW README RFC.nroff TODO LICENCE CREDITS
|
%doc README.SuSE README.kerberos ChangeLog OVERVIEW README TODO LICENCE CREDITS
|
||||||
%attr(0755,root,root) %dir /etc/ssh
|
%attr(0755,root,root) %dir /etc/ssh
|
||||||
%attr(0600,root,root) %config(noreplace) /etc/ssh/moduli
|
%attr(0600,root,root) %config(noreplace) /etc/ssh/moduli
|
||||||
%verify(not mode) %attr(0644,root,root) %config(noreplace) /etc/ssh/ssh_config
|
%verify(not mode) %attr(0644,root,root) %config(noreplace) /etc/ssh/ssh_config
|
||||||
@ -294,6 +292,87 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
%config %_appdefdir/SshAskpass
|
%config %_appdefdir/SshAskpass
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jul 22 2008 anicka@suse.cz
|
||||||
|
- update to 5.1p1
|
||||||
|
* sshd(8): Avoid X11 man-in-the-middle attack on HP/UX (and possibly
|
||||||
|
other platforms) when X11UseLocalhost=no
|
||||||
|
* Introduce experimental SSH Fingerprint ASCII Visualisation to ssh(1)
|
||||||
|
and ssh-keygen(1). Visual fingerprinnt display is controlled by a new
|
||||||
|
ssh_config(5) option "VisualHostKey".
|
||||||
|
* sshd_config(5) now supports CIDR address/masklen matching in "Match
|
||||||
|
address" blocks, with a fallback to classic wildcard matching.
|
||||||
|
* sshd(8) now supports CIDR matching in ~/.ssh/authorized_keys
|
||||||
|
from="..." restrictions, also with a fallback to classic wildcard
|
||||||
|
matching.
|
||||||
|
* Added an extended test mode (-T) to sshd(8) to request that it write
|
||||||
|
its effective configuration to stdout and exit. Extended test mode
|
||||||
|
also supports the specification of connection parameters (username,
|
||||||
|
source address and hostname) to test the application of
|
||||||
|
sshd_config(5) Match rules.
|
||||||
|
* ssh(1) now prints the number of bytes transferred and the overall
|
||||||
|
connection throughput for SSH protocol 2 sessions when in verbose
|
||||||
|
mode (previously these statistics were displayed for protocol 1
|
||||||
|
connections only).
|
||||||
|
* sftp-server(8) now supports extension methods statvfs@openssh.com and
|
||||||
|
fstatvfs@openssh.com that implement statvfs(2)-like operations.
|
||||||
|
* sftp(1) now has a "df" command to the sftp client that uses the
|
||||||
|
statvfs@openssh.com to produce a df(1)-like display of filesystem
|
||||||
|
space and inode utilisation (requires statvfs@openssh.com support on
|
||||||
|
the server)
|
||||||
|
* Added a MaxSessions option to sshd_config(5) to allow control of the
|
||||||
|
number of multiplexed sessions supported over a single TCP connection.
|
||||||
|
This allows increasing the number of allowed sessions above the
|
||||||
|
previous default of 10, disabling connection multiplexing
|
||||||
|
(MaxSessions=1) or disallowing login/shell/subsystem sessions
|
||||||
|
entirely (MaxSessions=0).
|
||||||
|
* Added a no-more-sessions@openssh.com global request extension that is
|
||||||
|
sent from ssh(1) to sshd(8) when the client knows that it will never
|
||||||
|
request another session (i.e. when session multiplexing is disabled).
|
||||||
|
This allows a server to disallow further session requests and
|
||||||
|
terminate the session in cases where the client has been hijacked.
|
||||||
|
* ssh-keygen(1) now supports the use of the -l option in combination
|
||||||
|
with -F to search for a host in ~/.ssh/known_hosts and display its
|
||||||
|
fingerprint.
|
||||||
|
* ssh-keyscan(1) now defaults to "rsa" (protocol 2) keys, instead of
|
||||||
|
"rsa1".
|
||||||
|
* Added an AllowAgentForwarding option to sshd_config(8) to control
|
||||||
|
whether authentication agent forwarding is permitted. Note that this
|
||||||
|
is a loose control, as a client may install their own unofficial
|
||||||
|
forwarder.
|
||||||
|
* ssh(1) and sshd(8): avoid unnecessary malloc/copy/free when receiving
|
||||||
|
network data, resulting in a ~10%% speedup
|
||||||
|
* ssh(1) and sshd(8) will now try additional addresses when connecting
|
||||||
|
to a port forward destination whose DNS name resolves to more than
|
||||||
|
one address. The previous behaviour was to try the only first address
|
||||||
|
and give up if that failed. (bz#383)
|
||||||
|
* ssh(1) and sshd(8) now support signalling that channels are
|
||||||
|
half-closed for writing, through a channel protocol extension
|
||||||
|
notification "eow@openssh.com". This allows propagation of closed
|
||||||
|
file descriptors, so that commands such as:
|
||||||
|
"ssh -2 localhost od /bin/ls | true"
|
||||||
|
do not send unnecessary data over the wire. (bz#85)
|
||||||
|
* sshd(8): increased the default size of ssh protocol 1 ephemeral keys
|
||||||
|
from 768 to 1024 bits.
|
||||||
|
* When ssh(1) has been requested to fork after authentication
|
||||||
|
("ssh -f") with ExitOnForwardFailure enabled, delay the fork until
|
||||||
|
after replies for any -R forwards have been seen. Allows for robust
|
||||||
|
detection of -R forward failure when using -f. (bz#92)
|
||||||
|
* "Match group" blocks in sshd_config(5) now support negation of
|
||||||
|
groups. E.g. "Match group staff,!guests" (bz#1315)
|
||||||
|
* sftp(1) and sftp-server(8) now allow chmod-like operations to set
|
||||||
|
set[ug]id/sticky bits. (bz#1310)
|
||||||
|
* The MaxAuthTries option is now permitted in sshd_config(5) match
|
||||||
|
blocks.
|
||||||
|
* Multiplexed ssh(1) sessions now support a subset of the ~ escapes
|
||||||
|
that are available to a primary connection. (bz#1331)
|
||||||
|
* ssh(1) connection multiplexing will now fall back to creating a new
|
||||||
|
connection in most error cases. (bz#1439 bz#1329)
|
||||||
|
* Added some basic interoperability tests against Twisted Conch.
|
||||||
|
* Documented OpenSSH's extensions to and deviations from the published
|
||||||
|
SSH protocols (the PROTOCOL file in the distribution)
|
||||||
|
* Documented OpenSSH's ssh-agent protocol (PROTOCOL.agent).
|
||||||
|
* bugfixes
|
||||||
|
- remove gssapi_krb5-fix patch
|
||||||
* Fri Apr 18 2008 werner@suse.de
|
* Fri Apr 18 2008 werner@suse.de
|
||||||
- Handle pts slave lines like utemper
|
- Handle pts slave lines like utemper
|
||||||
* Wed Apr 09 2008 anicka@suse.cz
|
* Wed Apr 09 2008 anicka@suse.cz
|
||||||
|