OBS User unknown 2008-07-25 02:29:14 +00:00 committed by Git OBS Bridge
parent 0ee0f71602
commit 011c00b91f
23 changed files with 264 additions and 121 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:fafd3e0fe129d372340f17906bcdee4150823c2435fe8e85208b23df27ee3d4b
size 810512


@ -1,7 +1,7 @@
# add support for Linux audit (FATE #120269) # add support for Linux audit (FATE #120269)
================================================================================ ================================================================================
--- openssh-4.7p1/Makefile.in --- openssh-5.1p1/Makefile.in
+++ openssh-4.7p1/Makefile.in +++ openssh-5.1p1/Makefile.in
@@ -44,6 +44,7 @@ @@ -44,6 +44,7 @@
CFLAGS=@CFLAGS@ CFLAGS=@CFLAGS@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
@ -10,7 +10,7 @@
SSHDLIBS=@SSHDLIBS@ SSHDLIBS=@SSHDLIBS@
LIBEDIT=@LIBEDIT@ LIBEDIT=@LIBEDIT@
AR=@AR@ AR=@AR@
@@ -136,7 +137,7 @@ @@ -137,7 +138,7 @@
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
@ -19,9 +19,9 @@
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
--- openssh-4.7p1/auth.c --- openssh-5.1p1/auth.c
+++ openssh-4.7p1/auth.c +++ openssh-5.1p1/auth.c
@@ -286,6 +286,12 @@ @@ -287,6 +287,12 @@
get_canonical_hostname(options.use_dns), "ssh", &loginmsg); get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
# endif # endif
#endif #endif
@ -34,7 +34,7 @@
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
if (authenticated == 0 && !authctxt->postponed) if (authenticated == 0 && !authctxt->postponed)
audit_event(audit_classify_auth(method)); audit_event(audit_classify_auth(method));
@@ -492,6 +498,10 @@ @@ -533,6 +539,10 @@
record_failed_login(user, record_failed_login(user,
get_canonical_hostname(options.use_dns), "ssh"); get_canonical_hostname(options.use_dns), "ssh");
#endif #endif
@ -45,9 +45,9 @@
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
audit_event(SSH_INVALID_USER); audit_event(SSH_INVALID_USER);
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
--- openssh-4.7p1/config.h.in --- openssh-5.1p1/config.h.in
+++ openssh-4.7p1/config.h.in +++ openssh-5.1p1/config.h.in
@@ -1334,6 +1334,9 @@ @@ -1388,6 +1388,9 @@
/* Define if you want SELinux support. */ /* Define if you want SELinux support. */
#undef WITH_SELINUX #undef WITH_SELINUX
@ -57,9 +57,9 @@
/* Define to 1 if your processor stores words with the most significant byte /* Define to 1 if your processor stores words with the most significant byte
first (like Motorola and SPARC, unlike Intel and VAX). */ first (like Motorola and SPARC, unlike Intel and VAX). */
#undef WORDS_BIGENDIAN #undef WORDS_BIGENDIAN
--- openssh-4.7p1/configure.ac --- openssh-5.1p1/configure.ac
+++ openssh-4.7p1/configure.ac +++ openssh-5.1p1/configure.ac
@@ -3216,6 +3216,20 @@ @@ -3314,6 +3314,20 @@
fi ] fi ]
) )
@ -80,7 +80,7 @@
# Check whether user wants Kerberos 5 support # Check whether user wants Kerberos 5 support
KRB5_MSG="no" KRB5_MSG="no"
AC_ARG_WITH(kerberos5, AC_ARG_WITH(kerberos5,
@@ -4036,6 +4050,7 @@ @@ -4134,6 +4148,7 @@
echo " OSF SIA support: $SIA_MSG" echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG" echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG" echo " SELinux support: $SELINUX_MSG"
@ -88,8 +88,8 @@
echo " Smartcard support: $SCARD_MSG" echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG" echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG" echo " TCP Wrappers support: $TCPW_MSG"
--- openssh-4.7p1/loginrec.c --- openssh-5.1p1/loginrec.c
+++ openssh-4.7p1/loginrec.c +++ openssh-5.1p1/loginrec.c
@@ -176,6 +176,10 @@ @@ -176,6 +176,10 @@
#include "auth.h" #include "auth.h"
#include "buffer.h" #include "buffer.h"
@ -174,8 +174,8 @@
/** /**
** Low-level libutil login() functions ** Low-level libutil login() functions
**/ **/
--- openssh-4.7p1/loginrec.h --- openssh-5.1p1/loginrec.h
+++ openssh-4.7p1/loginrec.h +++ openssh-5.1p1/loginrec.h
@@ -127,5 +127,9 @@ @@ -127,5 +127,9 @@
char *line_abbrevname(char *dst, const char *src, int dstsize); char *line_abbrevname(char *dst, const char *src, int dstsize);


@ -8,7 +8,7 @@
static LogLevel log_level = SYSLOG_LEVEL_INFO; static LogLevel log_level = SYSLOG_LEVEL_INFO;
static int log_on_stderr = 1; static int log_on_stderr = 1;
@@ -314,6 +315,7 @@ @@ -336,6 +337,7 @@
char fmtbuf[MSGBUFSIZ]; char fmtbuf[MSGBUFSIZ];
char *txt = NULL; char *txt = NULL;
int pri = LOG_INFO; int pri = LOG_INFO;
@ -16,7 +16,7 @@
int saved_errno = errno; int saved_errno = errno;
if (level > log_level) if (level > log_level)
@@ -365,6 +367,14 @@ @@ -387,6 +389,14 @@
snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf); snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf);
write(STDERR_FILENO, msgbuf, strlen(msgbuf)); write(STDERR_FILENO, msgbuf, strlen(msgbuf));
} else { } else {
@ -31,7 +31,7 @@
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata); openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
syslog_r(pri, &sdata, "%.500s", fmtbuf); syslog_r(pri, &sdata, "%.500s", fmtbuf);
@@ -374,6 +384,7 @@ @@ -396,6 +406,7 @@
syslog(pri, "%.500s", fmtbuf); syslog(pri, "%.500s", fmtbuf);
closelog(); closelog();
#endif #endif


@ -1,6 +1,6 @@
--- openssh-4.6p1/sshd.8 --- openssh-5.1p1/sshd.8
+++ openssh-4.6p1/sshd.8 +++ openssh-5.1p1/sshd.8
@@ -739,7 +739,7 @@ @@ -785,7 +785,7 @@
The file format is described in The file format is described in
.Xr moduli 5 . .Xr moduli 5 .
.Pp .Pp
@ -9,7 +9,7 @@
See See
.Xr motd 5 . .Xr motd 5 .
.Pp .Pp
@@ -752,7 +752,7 @@ @@ -798,7 +798,7 @@
refused. refused.
The file should be world-readable. The file should be world-readable.
.Pp .Pp
@ -18,8 +18,8 @@
This file is used in exactly the same way as This file is used in exactly the same way as
.Pa hosts.equiv , .Pa hosts.equiv ,
but allows host-based authentication without permitting login with but allows host-based authentication without permitting login with
@@ -828,8 +828,7 @@ @@ -875,8 +875,7 @@
.Xr ssh-keygen 1 , .Xr ssh-keyscan 1 ,
.Xr chroot 2 , .Xr chroot 2 ,
.Xr hosts_access 5 , .Xr hosts_access 5 ,
-.Xr login.conf 5 , -.Xr login.conf 5 ,
@ -28,9 +28,9 @@
.Xr sshd_config 5 , .Xr sshd_config 5 ,
.Xr inetd 8 , .Xr inetd 8 ,
.Xr sftp-server 8 .Xr sftp-server 8
--- openssh-4.6p1/sshd_config.5 --- openssh-5.1p1/sshd_config.5
+++ openssh-4.6p1/sshd_config.5 +++ openssh-5.1p1/sshd_config.5
@@ -167,9 +167,6 @@ @@ -177,9 +177,6 @@
By default, no banner is displayed. By default, no banner is displayed.
.It Cm ChallengeResponseAuthentication .It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed. Specifies whether challenge-response authentication is allowed.
@ -39,8 +39,8 @@
-are supported. -are supported.
The default is The default is
.Dq yes . .Dq yes .
.It Cm Ciphers .It Cm ChrootDirectory
@@ -382,7 +379,7 @@ @@ -438,7 +435,7 @@
.Pp .Pp
.Pa /etc/hosts.equiv .Pa /etc/hosts.equiv
and and


@ -1,5 +1,5 @@
--- openssh-4.9p1/ssh-add.c --- openssh-5.1p1/ssh-add.c
+++ openssh-4.9p1/ssh-add.c +++ openssh-5.1p1/ssh-add.c
@@ -43,6 +43,7 @@ @@ -43,6 +43,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
@ -19,8 +19,8 @@
/* At first, get a connection to the authentication agent. */ /* At first, get a connection to the authentication agent. */
ac = ssh_get_authentication_connection(); ac = ssh_get_authentication_connection();
if (ac == NULL) { if (ac == NULL) {
--- openssh-4.9p1/ssh-agent.c --- openssh-5.1p1/ssh-agent.c
+++ openssh-4.9p1/ssh-agent.c +++ openssh-5.1p1/ssh-agent.c
@@ -52,6 +52,7 @@ @@ -52,6 +52,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/md5.h> #include <openssl/md5.h>
@ -29,7 +29,7 @@
#include <errno.h> #include <errno.h>
#include <fcntl.h> #include <fcntl.h>
@@ -1063,6 +1064,10 @@ @@ -1076,6 +1077,10 @@
SSLeay_add_all_algorithms(); SSLeay_add_all_algorithms();
@ -40,8 +40,8 @@
__progname = ssh_get_progname(av[0]); __progname = ssh_get_progname(av[0]);
init_rng(); init_rng();
seed_rng(); seed_rng();
--- openssh-4.9p1/ssh-keygen.c --- openssh-5.1p1/ssh-keygen.c
+++ openssh-4.9p1/ssh-keygen.c +++ openssh-5.1p1/ssh-keygen.c
@@ -22,6 +22,7 @@ @@ -22,6 +22,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/pem.h> #include <openssl/pem.h>
@ -50,7 +50,7 @@
#include <errno.h> #include <errno.h>
#include <fcntl.h> #include <fcntl.h>
@@ -1072,6 +1073,11 @@ @@ -1099,6 +1100,11 @@
__progname = ssh_get_progname(argv[0]); __progname = ssh_get_progname(argv[0]);
SSLeay_add_all_algorithms(); SSLeay_add_all_algorithms();
@ -62,8 +62,8 @@
log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
init_rng(); init_rng();
--- openssh-4.9p1/ssh-keysign.c --- openssh-5.1p1/ssh-keysign.c
+++ openssh-4.9p1/ssh-keysign.c +++ openssh-5.1p1/ssh-keysign.c
@@ -38,6 +38,7 @@ @@ -38,6 +38,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/rand.h> #include <openssl/rand.h>
@ -84,17 +84,17 @@
for (i = 0; i < 256; i++) for (i = 0; i < 256; i++)
rnd[i] = arc4random(); rnd[i] = arc4random();
RAND_seed(rnd, sizeof(rnd)); RAND_seed(rnd, sizeof(rnd));
--- openssh-4.9p1/ssh.c --- openssh-5.1p1/ssh.c
+++ openssh-4.9p1/ssh.c +++ openssh-5.1p1/ssh.c
@@ -73,6 +73,7 @@ @@ -73,6 +73,7 @@
#include <openssl/evp.h>
#include <openssl/err.h> #include <openssl/err.h>
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h"
+#include <openssl/engine.h> +#include <openssl/engine.h>
#include "xmalloc.h" #include "xmalloc.h"
#include "ssh.h" #include "ssh.h"
@@ -561,6 +562,10 @@ @@ -562,6 +563,10 @@
SSLeay_add_all_algorithms(); SSLeay_add_all_algorithms();
ERR_load_crypto_strings(); ERR_load_crypto_strings();
@ -105,9 +105,9 @@
/* Initialize the command to execute on remote host. */ /* Initialize the command to execute on remote host. */
buffer_init(&command); buffer_init(&command);
--- openssh-4.9p1/sshd.c --- openssh-5.1p1/sshd.c
+++ openssh-4.9p1/sshd.c +++ openssh-5.1p1/sshd.c
@@ -76,6 +76,7 @@ @@ -77,6 +77,7 @@
#include <openssl/md5.h> #include <openssl/md5.h>
#include <openssl/rand.h> #include <openssl/rand.h>
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
@ -115,7 +115,7 @@
#ifdef HAVE_SECUREWARE #ifdef HAVE_SECUREWARE
#include <sys/security.h> #include <sys/security.h>
@@ -1465,6 +1466,10 @@ @@ -1416,6 +1417,10 @@
SSLeay_add_all_algorithms(); SSLeay_add_all_algorithms();
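Review bot: The engines patch is now also applied to ssh-keysign.c (patch header at `--- openssh-5.1p1/ssh-keysign.c`, hunk ending with `RAND_seed(rnd, sizeof(rnd));`), and ssh-keysign is installed setuid root; the lines the patch adds in that hunk lie outside this section, so what engine initialisation it performs is not visible here. If that initialisation loads an OpenSSL configuration file, the file path must not be selectable through the caller's environment, because a user-chosen config evaluated inside a setuid process widens the attack surface of the helper considerably. A short comment next to the added call, e.g. `/* ssh-keysign runs setuid: load engines from the system-wide config only, never from the environment */`, would record that constraint for the next rebase of this patch.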


@ -46,7 +46,7 @@ Index: auth2-gss.c
#endif /* GSSAPI */ #endif /* GSSAPI */
--- auth2.c --- auth2.c
+++ auth2.c +++ auth2.c
@@ -65,6 +65,7 @@ @@ -70,6 +70,7 @@
extern Authmethod method_hostbased; extern Authmethod method_hostbased;
#ifdef GSSAPI #ifdef GSSAPI
extern Authmethod method_gssapi; extern Authmethod method_gssapi;
@ -54,7 +54,7 @@ Index: auth2-gss.c
#endif #endif
Authmethod *authmethods[] = { Authmethod *authmethods[] = {
@@ -72,6 +73,7 @@ @@ -77,6 +78,7 @@
&method_pubkey, &method_pubkey,
#ifdef GSSAPI #ifdef GSSAPI
&method_gssapi, &method_gssapi,
@ -73,7 +73,7 @@ Index: auth2-gss.c
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
@@ -164,9 +164,11 @@ @@ -165,9 +165,11 @@
#if defined(GSSAPI) #if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication }, { "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds }, { "gssapidelegatecredentials", oGssDelegateCreds },
@ -85,7 +85,7 @@ Index: auth2-gss.c
#endif #endif
{ "fallbacktorsh", oDeprecated }, { "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated }, { "usersh", oDeprecated },
@@ -445,6 +447,10 @@ @@ -447,6 +449,10 @@
case oGssDelegateCreds: case oGssDelegateCreds:
intptr = &options->gss_deleg_creds; intptr = &options->gss_deleg_creds;
goto parse_flag; goto parse_flag;
@ -96,7 +96,7 @@ Index: auth2-gss.c
case oBatchMode: case oBatchMode:
intptr = &options->batch_mode; intptr = &options->batch_mode;
@@ -1011,6 +1017,7 @@ @@ -1017,6 +1023,7 @@
options->challenge_response_authentication = -1; options->challenge_response_authentication = -1;
options->gss_authentication = -1; options->gss_authentication = -1;
options->gss_deleg_creds = -1; options->gss_deleg_creds = -1;
@ -104,7 +104,7 @@ Index: auth2-gss.c
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL; options->kbd_interactive_devices = NULL;
@@ -1101,6 +1108,8 @@ @@ -1108,6 +1115,8 @@
options->gss_authentication = 0; options->gss_authentication = 0;
if (options->gss_deleg_creds == -1) if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0; options->gss_deleg_creds = 0;
@ -125,7 +125,7 @@ Index: auth2-gss.c
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
--- servconf.c --- servconf.c
+++ servconf.c +++ servconf.c
@@ -91,6 +91,7 @@ @@ -93,6 +93,7 @@
options->kerberos_get_afs_token = -1; options->kerberos_get_afs_token = -1;
options->gss_authentication=-1; options->gss_authentication=-1;
options->gss_cleanup_creds = -1; options->gss_cleanup_creds = -1;
@ -133,7 +133,7 @@ Index: auth2-gss.c
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1; options->challenge_response_authentication = -1;
@@ -207,6 +208,8 @@ @@ -211,6 +212,8 @@
options->gss_authentication = 0; options->gss_authentication = 0;
if (options->gss_cleanup_creds == -1) if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1; options->gss_cleanup_creds = 1;
@ -142,16 +142,16 @@ Index: auth2-gss.c
if (options->password_authentication == -1) if (options->password_authentication == -1)
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
@@ -291,7 +294,7 @@ @@ -299,7 +302,7 @@
sBanner, sUseDNS, sHostbasedAuthentication, sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, - sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+ sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssEnableMITM, + sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssEnableMITM,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sUsePrivilegeSeparation, sAllowAgentForwarding,
sDeprecated, sUnsupported sDeprecated, sUnsupported
@@ -352,9 +355,11 @@ @@ -360,9 +363,11 @@
#ifdef GSSAPI #ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@ -163,7 +163,7 @@ Index: auth2-gss.c
#endif #endif
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
@@ -878,6 +883,10 @@ @@ -885,6 +890,10 @@
case sGssCleanupCreds: case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds; intptr = &options->gss_cleanup_creds;
goto parse_flag; goto parse_flag;
@ -176,7 +176,7 @@ Index: auth2-gss.c
intptr = &options->password_authentication; intptr = &options->password_authentication;
--- servconf.h --- servconf.h
+++ servconf.h +++ servconf.h
@@ -91,6 +91,7 @@ @@ -92,6 +92,7 @@
* authenticated with Kerberos. */ * authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */ int gss_authentication; /* If true, permit GSSAPI authentication */
int gss_cleanup_creds; /* If true, destroy cred cache on logout */ int gss_cleanup_creds; /* If true, destroy cred cache on logout */
@ -202,7 +202,7 @@ Index: auth2-gss.c
+>>>>>>> +>>>>>>>
--- sshconnect2.c --- sshconnect2.c
+++ sshconnect2.c +++ sshconnect2.c
@@ -243,6 +243,10 @@ @@ -246,6 +246,10 @@
userauth_gssapi, userauth_gssapi,
&options.gss_authentication, &options.gss_authentication,
NULL}, NULL},
@ -213,7 +213,7 @@ Index: auth2-gss.c
#endif #endif
{"hostbased", {"hostbased",
userauth_hostbased, userauth_hostbased,
@@ -577,7 +581,9 @@ @@ -587,7 +591,9 @@
if (status == GSS_S_COMPLETE) { if (status == GSS_S_COMPLETE) {
/* send either complete or MIC, depending on mechanism */ /* send either complete or MIC, depending on mechanism */
@ -226,7 +226,7 @@ Index: auth2-gss.c
} else { } else {
--- sshd_config --- sshd_config
+++ sshd_config +++ sshd_config
@@ -73,6 +73,13 @@ @@ -74,6 +74,13 @@
#GSSAPIAuthentication no #GSSAPIAuthentication no
#GSSAPICleanupCredentials yes #GSSAPICleanupCredentials yes
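Review bot: The rebased patch still carries a bare `+>>>>>>>` line (shown at patch line 202, just before the `--- sshconnect2.c` header), which reads as a leftover merge-conflict marker rather than intended content; it is present unchanged on both the 5.0p1 and 5.1p1 side, so the rebase did not address it. From the surrounding headers it appears to fall in the last servconf.h hunk, where a stray `>>>>>>>` outside a comment would not compile, so either that hunk ends up in a comment or it is being masked somewhere else in the build — worth confirming and removing the line in either case. The rest of that hunk is outside the visible section.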


@ -1,6 +1,6 @@
--- sshd_config --- sshd_config
+++ sshd_config +++ sshd_config
@@ -53,7 +53,7 @@ @@ -58,7 +58,7 @@
#IgnoreRhosts yes #IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
@ -9,12 +9,12 @@
#PermitEmptyPasswords no #PermitEmptyPasswords no
# Change to no to disable s/key passwords # Change to no to disable s/key passwords
@@ -78,7 +78,7 @@ @@ -83,7 +83,7 @@
# If you just want the PAM account and session checks to run without # If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication # PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'. # and ChallengeResponseAuthentication to 'no'.
-#UsePAM no -#UsePAM no
+UsePAM yes +UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes #AllowTcpForwarding yes
#GatewayPorts no


@ -1,6 +1,6 @@
--- auth-pam.c --- auth-pam.c
+++ auth-pam.c +++ auth-pam.c
@@ -785,7 +785,9 @@ @@ -786,7 +786,9 @@
fatal("Internal error: PAM auth " fatal("Internal error: PAM auth "
"succeeded when it should have " "succeeded when it should have "
"failed"); "failed");


@ -1,6 +1,6 @@
--- loginrec.c --- loginrec.c
+++ loginrec.c 2008-04-18 17:58:59.585065028 +0200 +++ loginrec.c
@@ -549,7 +549,7 @@ getlast_entry(struct logininfo *li) @@ -549,7 +549,7 @@
* 1. The full filename (including '/dev') * 1. The full filename (including '/dev')
* 2. The stripped name (excluding '/dev') * 2. The stripped name (excluding '/dev')
* 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00 * 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00
@ -9,7 +9,7 @@
* *
* Form 3 is used on some systems to identify a .tmp.? entry when * Form 3 is used on some systems to identify a .tmp.? entry when
* attempting to remove it. Typically both addition and removal is * attempting to remove it. Typically both addition and removal is
@@ -610,6 +610,10 @@ line_abbrevname(char *dst, const char *s @@ -610,6 +610,10 @@
if (strncmp(src, "tty", 3) == 0) if (strncmp(src, "tty", 3) == 0)
src += 3; src += 3;
#endif #endif


@ -1,6 +1,6 @@
--- sshd.c --- sshd.c
+++ sshd.c +++ sshd.c
@@ -358,6 +358,7 @@ @@ -305,6 +305,7 @@
static void static void
sighup_restart(void) sighup_restart(void)
{ {
@ -8,7 +8,7 @@
logit("Received SIGHUP; restarting."); logit("Received SIGHUP; restarting.");
close_listen_socks(); close_listen_socks();
close_startup_pipes(); close_startup_pipes();
@@ -1318,7 +1319,11 @@ @@ -1270,7 +1271,11 @@
#ifndef HAVE_SETPROCTITLE #ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */ /* Prepare for later setproctitle emulation */
compat_init_setproctitle(ac, av); compat_init_setproctitle(ac, av);


@ -1,6 +1,6 @@
--- ssh_config --- ssh_config
+++ ssh_config +++ ssh_config
@@ -62,4 +62,7 @@ @@ -63,4 +63,7 @@
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to. # potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
# GSSAPIEnableMITMAttack no # GSSAPIEnableMITMAttack no
@ -11,7 +11,7 @@
+SendEnv LC_IDENTIFICATION LC_ALL +SendEnv LC_IDENTIFICATION LC_ALL
--- sshd_config --- sshd_config
+++ sshd_config +++ sshd_config
@@ -112,6 +112,11 @@ @@ -119,6 +119,11 @@
# override default of no subsystems # override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server Subsystem sftp /usr/libexec/sftp-server


@ -1,6 +1,6 @@
--- ssh-agent.c --- ssh-agent.c
+++ ssh-agent.c +++ ssh-agent.c
@@ -1126,8 +1126,18 @@ @@ -1159,8 +1159,18 @@
parent_pid = getpid(); parent_pid = getpid();
if (agentsocket == NULL) { if (agentsocket == NULL) {


@ -1,6 +1,6 @@
--- session.c --- session.c
+++ session.c +++ session.c
@@ -2250,8 +2250,41 @@ @@ -2487,8 +2487,41 @@
session_close(Session *s) session_close(Session *s)
{ {
u_int i; u_int i;


@ -1,6 +1,6 @@
--- session.c --- session.c
+++ session.c +++ session.c
@@ -997,7 +997,7 @@ @@ -1104,7 +1104,7 @@
} }
static char ** static char **
@ -9,7 +9,7 @@
{ {
char buf[256]; char buf[256];
u_int i, envsize; u_int i, envsize;
@@ -1184,6 +1184,8 @@ @@ -1291,6 +1291,8 @@
for (i = 0; env[i]; i++) for (i = 0; env[i]; i++)
fprintf(stderr, " %.200s\n", env[i]); fprintf(stderr, " %.200s\n", env[i]);
} }
@ -18,7 +18,7 @@
return env; return env;
} }
@@ -1192,7 +1194,7 @@ @@ -1299,7 +1301,7 @@
* first in this order). * first in this order).
*/ */
static void static void
@ -27,7 +27,7 @@
{ {
FILE *f = NULL; FILE *f = NULL;
char cmd[1024]; char cmd[1024];
@@ -1246,12 +1248,20 @@ @@ -1353,12 +1355,20 @@
options.xauth_location); options.xauth_location);
f = popen(cmd, "w"); f = popen(cmd, "w");
if (f) { if (f) {
@ -48,7 +48,7 @@
} else { } else {
fprintf(stderr, "Could not run %s\n", fprintf(stderr, "Could not run %s\n",
cmd); cmd);
@@ -1537,6 +1547,7 @@ @@ -1644,6 +1654,7 @@
{ {
extern char **environ; extern char **environ;
char **env; char **env;
@ -56,7 +56,7 @@
char *argv[ARGV_MAX]; char *argv[ARGV_MAX];
const char *shell, *shell0, *hostname = NULL; const char *shell, *shell0, *hostname = NULL;
struct passwd *pw = s->pw; struct passwd *pw = s->pw;
@@ -1602,7 +1613,7 @@ @@ -1710,7 +1721,7 @@
* Make sure $SHELL points to the shell from the password file, * Make sure $SHELL points to the shell from the password file,
* even if shell is overridden from login.conf * even if shell is overridden from login.conf
*/ */
@ -65,7 +65,7 @@
#ifdef HAVE_LOGIN_CAP #ifdef HAVE_LOGIN_CAP
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
@@ -1666,7 +1677,7 @@ @@ -1778,7 +1789,7 @@
closefrom(STDERR_FILENO + 1); closefrom(STDERR_FILENO + 1);
if (!options.use_login) if (!options.use_login)


@ -24,8 +24,8 @@
# PasswordAuthentication yes # PasswordAuthentication yes
--- sshd_config --- sshd_config
+++ sshd_config +++ sshd_config
@@ -82,7 +82,7 @@ @@ -88,7 +88,7 @@
#AllowAgentForwarding yes
#AllowTcpForwarding yes #AllowTcpForwarding yes
#GatewayPorts no #GatewayPorts no
-#X11Forwarding no -#X11Forwarding no
@ -35,7 +35,7 @@
#PrintMotd yes #PrintMotd yes
--- sshlogin.c --- sshlogin.c
+++ sshlogin.c +++ sshlogin.c
@@ -126,6 +126,7 @@ @@ -125,6 +125,7 @@
li = login_alloc_entry(pid, user, host, tty); li = login_alloc_entry(pid, user, host, tty);
login_set_addr(li, addr, addrlen); login_set_addr(li, addr, addrlen);

openssh-5.1p1.tar.bz2 Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:bbe533aa4d2d083011035e3b63e558eaf8db83f7b062410a2035aeb822904472
size 835720


@ -1,5 +1,5 @@
# #
# spec file for package openssh-askpass-gnome (Version 5.0p1) # spec file for package openssh-askpass-gnome (Version 5.1p1)
# #
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine # This file and all modifications and additions to the pristine
@ -15,8 +15,8 @@ Name: openssh-askpass-gnome
BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files
License: BSD 3-Clause License: BSD 3-Clause
Group: Productivity/Networking/SSH Group: Productivity/Networking/SSH
Version: 5.0p1 Version: 5.1p1
Release: 5 Release: 1
Requires: openssh = %{version} openssh-askpass = %{version} Requires: openssh = %{version} openssh-askpass = %{version}
AutoReqProv: on AutoReqProv: on
Summary: A GNOME-Based Passphrase Dialog for OpenSSH Summary: A GNOME-Based Passphrase Dialog for OpenSSH
@ -31,7 +31,6 @@ Patch21: %{_name}-%{version}-gssapimitm.patch
Patch26: %{_name}-%{version}-eal3.diff Patch26: %{_name}-%{version}-eal3.diff
Patch27: %{_name}-%{version}-engines.diff Patch27: %{_name}-%{version}-engines.diff
Patch28: %{_name}-%{version}-blocksigalrm.diff Patch28: %{_name}-%{version}-blocksigalrm.diff
Patch42: %{_name}-gssapi_krb5-fix.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description %description
@ -74,7 +73,6 @@ Authors:
%patch26 -p1 %patch26 -p1
%patch27 -p1 %patch27 -p1
%patch28 %patch28
%patch42
%build %build
%{?suse_update_config:%{suse_update_config}} %{?suse_update_config:%{suse_update_config}}


@ -1,18 +0,0 @@
--- configure.ac
+++ configure.ac
@@ -3283,7 +3283,14 @@
K5LIBS="-lgssapi $K5LIBS" ],
[ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context,
[ AC_DEFINE(GSSAPI)
- K5LIBS="-lgssapi_krb5 $K5LIBS" ],
+ K5LIBS="-lgssapi_krb5 $K5LIBS" ]
+ AC_CHECK_LIB(gssapi_krb5, gss_krb5_copy_ccache, [
+ K5LIBS="-lgssapi_krb5 $K5LIBS"
+ ], [
+ AC_MSG_WARN([Cannot find -lgssapi_krb5 with gss_krb5_copy_ccache()])
+ ],
+ $K5LIBS
+ ),
AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]),
$K5LIBS)
],


@ -1,3 +1,87 @@
-------------------------------------------------------------------
Tue Jul 22 20:39:29 CEST 2008 - anicka@suse.cz
- update to 5.1p1
* sshd(8): Avoid X11 man-in-the-middle attack on HP/UX (and possibly
other platforms) when X11UseLocalhost=no
* Introduce experimental SSH Fingerprint ASCII Visualisation to ssh(1)
and ssh-keygen(1). Visual fingerprinnt display is controlled by a new
ssh_config(5) option "VisualHostKey".
* sshd_config(5) now supports CIDR address/masklen matching in "Match
address" blocks, with a fallback to classic wildcard matching.
* sshd(8) now supports CIDR matching in ~/.ssh/authorized_keys
from="..." restrictions, also with a fallback to classic wildcard
matching.
* Added an extended test mode (-T) to sshd(8) to request that it write
its effective configuration to stdout and exit. Extended test mode
also supports the specification of connection parameters (username,
source address and hostname) to test the application of
sshd_config(5) Match rules.
* ssh(1) now prints the number of bytes transferred and the overall
connection throughput for SSH protocol 2 sessions when in verbose
mode (previously these statistics were displayed for protocol 1
connections only).
* sftp-server(8) now supports extension methods statvfs@openssh.com and
fstatvfs@openssh.com that implement statvfs(2)-like operations.
* sftp(1) now has a "df" command to the sftp client that uses the
statvfs@openssh.com to produce a df(1)-like display of filesystem
space and inode utilisation (requires statvfs@openssh.com support on
the server)
* Added a MaxSessions option to sshd_config(5) to allow control of the
number of multiplexed sessions supported over a single TCP connection.
This allows increasing the number of allowed sessions above the
previous default of 10, disabling connection multiplexing
(MaxSessions=1) or disallowing login/shell/subsystem sessions
entirely (MaxSessions=0).
* Added a no-more-sessions@openssh.com global request extension that is
sent from ssh(1) to sshd(8) when the client knows that it will never
request another session (i.e. when session multiplexing is disabled).
This allows a server to disallow further session requests and
terminate the session in cases where the client has been hijacked.
* ssh-keygen(1) now supports the use of the -l option in combination
with -F to search for a host in ~/.ssh/known_hosts and display its
fingerprint.
* ssh-keyscan(1) now defaults to "rsa" (protocol 2) keys, instead of
"rsa1".
* Added an AllowAgentForwarding option to sshd_config(8) to control
whether authentication agent forwarding is permitted. Note that this
is a loose control, as a client may install their own unofficial
forwarder.
* ssh(1) and sshd(8): avoid unnecessary malloc/copy/free when receiving
network data, resulting in a ~10% speedup
* ssh(1) and sshd(8) will now try additional addresses when connecting
to a port forward destination whose DNS name resolves to more than
one address. The previous behaviour was to try the only first address
and give up if that failed. (bz#383)
* ssh(1) and sshd(8) now support signalling that channels are
half-closed for writing, through a channel protocol extension
notification "eow@openssh.com". This allows propagation of closed
file descriptors, so that commands such as:
"ssh -2 localhost od /bin/ls | true"
do not send unnecessary data over the wire. (bz#85)
* sshd(8): increased the default size of ssh protocol 1 ephemeral keys
from 768 to 1024 bits.
* When ssh(1) has been requested to fork after authentication
("ssh -f") with ExitOnForwardFailure enabled, delay the fork until
after replies for any -R forwards have been seen. Allows for robust
detection of -R forward failure when using -f. (bz#92)
* "Match group" blocks in sshd_config(5) now support negation of
groups. E.g. "Match group staff,!guests" (bz#1315)
* sftp(1) and sftp-server(8) now allow chmod-like operations to set
set[ug]id/sticky bits. (bz#1310)
* The MaxAuthTries option is now permitted in sshd_config(5) match
blocks.
* Multiplexed ssh(1) sessions now support a subset of the ~ escapes
that are available to a primary connection. (bz#1331)
* ssh(1) connection multiplexing will now fall back to creating a new
connection in most error cases. (bz#1439 bz#1329)
* Added some basic interoperability tests against Twisted Conch.
* Documented OpenSSH's extensions to and deviations from the published
SSH protocols (the PROTOCOL file in the distribution)
* Documented OpenSSH's ssh-agent protocol (PROTOCOL.agent).
* bugfixes
- remove gssapi_krb5-fix patch
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Apr 18 17:53:30 CEST 2008 - werner@suse.de Fri Apr 18 17:53:30 CEST 2008 - werner@suse.de


@ -1,5 +1,5 @@
# #
# spec file for package openssh (Version 5.0p1) # spec file for package openssh (Version 5.1p1)
# #
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine # This file and all modifications and additions to the pristine
@ -29,8 +29,8 @@ Requires: /bin/netstat
PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_prereq /bin/mkdir /bin/cat permissions PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_prereq /bin/mkdir /bin/cat permissions
Conflicts: nonfreessh Conflicts: nonfreessh
AutoReqProv: on AutoReqProv: on
Version: 5.0p1 Version: 5.1p1
Release: 4 Release: 1
%define xversion 1.2.4.1 %define xversion 1.2.4.1
Summary: Secure Shell Client and Server (Remote Login Program) Summary: Secure Shell Client and Server (Remote Login Program)
Url: http://www.openssh.com/ Url: http://www.openssh.com/
@ -58,7 +58,6 @@ Patch36: %{name}-%{version}-xauthlocalhostname.diff
Patch37: %{name}-%{version}-tmpdir.diff Patch37: %{name}-%{version}-tmpdir.diff
Patch40: %{name}-%{version}-xauth.diff Patch40: %{name}-%{version}-xauth.diff
Patch41: %{name}-%{version}-gcc-fix.patch Patch41: %{name}-%{version}-gcc-fix.patch
Patch42: %{name}-gssapi_krb5-fix.patch
Patch43: %{name}-%{version}-default-protocol.diff Patch43: %{name}-%{version}-default-protocol.diff
Patch44: %{name}-%{version}-audit.patch Patch44: %{name}-%{version}-audit.patch
Patch45: %{name}-%{version}-pts.diff Patch45: %{name}-%{version}-pts.diff
@ -148,7 +147,6 @@ Authors:
%patch37 %patch37
%patch40 %patch40
%patch41 %patch41
%patch42
%patch43 %patch43
%patch44 -p1 %patch44 -p1
%patch45 %patch45
@ -252,7 +250,7 @@ rm -rf $RPM_BUILD_ROOT
%files %files
%defattr(-,root,root) %defattr(-,root,root)
%dir %attr(755,root,root) /var/lib/sshd %dir %attr(755,root,root) /var/lib/sshd
%doc README.SuSE README.kerberos ChangeLog OVERVIEW README RFC.nroff TODO LICENCE CREDITS %doc README.SuSE README.kerberos ChangeLog OVERVIEW README TODO LICENCE CREDITS
%attr(0755,root,root) %dir /etc/ssh %attr(0755,root,root) %dir /etc/ssh
%attr(0600,root,root) %config(noreplace) /etc/ssh/moduli %attr(0600,root,root) %config(noreplace) /etc/ssh/moduli
%verify(not mode) %attr(0644,root,root) %config(noreplace) /etc/ssh/ssh_config %verify(not mode) %attr(0644,root,root) %config(noreplace) /etc/ssh/ssh_config
@ -294,6 +292,87 @@ rm -rf $RPM_BUILD_ROOT
%config %_appdefdir/SshAskpass %config %_appdefdir/SshAskpass
%changelog %changelog
* Tue Jul 22 2008 anicka@suse.cz
- update to 5.1p1
* sshd(8): Avoid X11 man-in-the-middle attack on HP/UX (and possibly
other platforms) when X11UseLocalhost=no
* Introduce experimental SSH Fingerprint ASCII Visualisation to ssh(1)
and ssh-keygen(1). Visual fingerprinnt display is controlled by a new
ssh_config(5) option "VisualHostKey".
* sshd_config(5) now supports CIDR address/masklen matching in "Match
address" blocks, with a fallback to classic wildcard matching.
* sshd(8) now supports CIDR matching in ~/.ssh/authorized_keys
from="..." restrictions, also with a fallback to classic wildcard
matching.
* Added an extended test mode (-T) to sshd(8) to request that it write
its effective configuration to stdout and exit. Extended test mode
also supports the specification of connection parameters (username,
source address and hostname) to test the application of
sshd_config(5) Match rules.
* ssh(1) now prints the number of bytes transferred and the overall
connection throughput for SSH protocol 2 sessions when in verbose
mode (previously these statistics were displayed for protocol 1
connections only).
* sftp-server(8) now supports extension methods statvfs@openssh.com and
fstatvfs@openssh.com that implement statvfs(2)-like operations.
* sftp(1) now has a "df" command to the sftp client that uses the
statvfs@openssh.com to produce a df(1)-like display of filesystem
space and inode utilisation (requires statvfs@openssh.com support on
the server)
* Added a MaxSessions option to sshd_config(5) to allow control of the
number of multiplexed sessions supported over a single TCP connection.
This allows increasing the number of allowed sessions above the
previous default of 10, disabling connection multiplexing
(MaxSessions=1) or disallowing login/shell/subsystem sessions
entirely (MaxSessions=0).
* Added a no-more-sessions@openssh.com global request extension that is
sent from ssh(1) to sshd(8) when the client knows that it will never
request another session (i.e. when session multiplexing is disabled).
This allows a server to disallow further session requests and
terminate the session in cases where the client has been hijacked.
* ssh-keygen(1) now supports the use of the -l option in combination
with -F to search for a host in ~/.ssh/known_hosts and display its
fingerprint.
* ssh-keyscan(1) now defaults to "rsa" (protocol 2) keys, instead of
"rsa1".
* Added an AllowAgentForwarding option to sshd_config(8) to control
whether authentication agent forwarding is permitted. Note that this
is a loose control, as a client may install their own unofficial
forwarder.
* ssh(1) and sshd(8): avoid unnecessary malloc/copy/free when receiving
network data, resulting in a ~10%% speedup
* ssh(1) and sshd(8) will now try additional addresses when connecting
to a port forward destination whose DNS name resolves to more than
one address. The previous behaviour was to try the only first address
and give up if that failed. (bz#383)
* ssh(1) and sshd(8) now support signalling that channels are
half-closed for writing, through a channel protocol extension
notification "eow@openssh.com". This allows propagation of closed
file descriptors, so that commands such as:
"ssh -2 localhost od /bin/ls | true"
do not send unnecessary data over the wire. (bz#85)
* sshd(8): increased the default size of ssh protocol 1 ephemeral keys
from 768 to 1024 bits.
* When ssh(1) has been requested to fork after authentication
("ssh -f") with ExitOnForwardFailure enabled, delay the fork until
after replies for any -R forwards have been seen. Allows for robust
detection of -R forward failure when using -f. (bz#92)
* "Match group" blocks in sshd_config(5) now support negation of
groups. E.g. "Match group staff,!guests" (bz#1315)
* sftp(1) and sftp-server(8) now allow chmod-like operations to set
set[ug]id/sticky bits. (bz#1310)
* The MaxAuthTries option is now permitted in sshd_config(5) match
blocks.
* Multiplexed ssh(1) sessions now support a subset of the ~ escapes
that are available to a primary connection. (bz#1331)
* ssh(1) connection multiplexing will now fall back to creating a new
connection in most error cases. (bz#1439 bz#1329)
* Added some basic interoperability tests against Twisted Conch.
* Documented OpenSSH's extensions to and deviations from the published
SSH protocols (the PROTOCOL file in the distribution)
* Documented OpenSSH's ssh-agent protocol (PROTOCOL.agent).
* bugfixes
- remove gssapi_krb5-fix patch
* Fri Apr 18 2008 werner@suse.de * Fri Apr 18 2008 werner@suse.de
- Handle pts slave lines like utemper - Handle pts slave lines like utemper
* Wed Apr 09 2008 anicka@suse.cz * Wed Apr 09 2008 anicka@suse.cz
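Review bot: Patch42 (`%{name}-gssapi_krb5-fix.patch`, both the `Patch42:` line and the `%patch42` application in %prep) is dropped with only "remove gssapi_krb5-fix patch" as the rationale, so a reader cannot tell whether the fix landed upstream in 5.1p1 or the patch merely stopped applying. If it is the former, the changelog line should say so, e.g. `- remove gssapi_krb5-fix patch (fixed upstream in 5.1p1)`; otherwise state the actual reason. The %files hunk also removes `ChangeLog` from the `%doc` list without any changelog entry; assuming the 5.1p1 tarball no longer ships that file, a line such as `- drop ChangeLog from %doc (no longer in the 5.1p1 tarball)` would keep the packaging change traceable. It is unclear from this view whether the spec section continues past this hunk.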