Accepting request 222365 from home:pcerny:factory

- Update of the underlying OpenSSH to 6.5p1

- Update to 6.5p1
  Features since 6.4p1:
  * ssh(1), sshd(8): support for key exchange using ECDH in
    Daniel Bernstein's Curve25519; default when both the client
    and server support it.
  * ssh(1), sshd(8): support for Ed25519 as a public key type fo
    rboth server and client.  Ed25519 is an EC signature offering
    better security than ECDSA and DSA and good performance.
  * Add a new private key format that uses a bcrypt KDF to better
    protect keys at rest. Used unconditionally for Ed25519 keys,
    on demand for other key types via the -o ssh-keygen(1)
    option.  Intended to become default in the near future.
    Details documented in PROTOCOL.key.
  * ssh(1), sshd(8): new transport cipher
    "chacha20-poly1305@openssh.com" combining Daniel Bernstein's
    ChaCha20 stream cipher and Poly1305 MAC to build an
    authenticated encryption mode. Details documented
    PROTOCOL.chacha20poly1305.
  * ssh(1), sshd(8): refuse RSA keys from old proprietary clients
    and servers that use the obsolete RSA+MD5 signature scheme.
    It will still be possible to connect with these
    clients/servers but only DSA keys will be accepted, and
    OpenSSH will refuse connection entirely in a future release.
  * ssh(1), sshd(8): refuse old proprietary clients and servers
    that use a weaker key exchange hash calculation.
  * ssh(1): increase the size of the Diffie-Hellman groups
    requested for each symmetric key size. New values from NIST
    Special Publication 800-57 with the upper limit specified by

OBS-URL: https://build.opensuse.org/request/show/222365
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=63
This commit is contained in:
Petr Cerny 2014-02-14 14:54:10 +00:00 committed by Git OBS Bridge
parent b189026b63
commit 08f9072513
44 changed files with 1171 additions and 1002 deletions

View File

@ -1,81 +0,0 @@
Index: openssh-6.4p1/sftp-server.8
===================================================================
--- openssh-6.4p1.orig/sftp-server.8
+++ openssh-6.4p1/sftp-server.8
@@ -35,6 +35,7 @@
.Op Fl f Ar log_facility
.Op Fl l Ar log_level
.Op Fl u Ar umask
+.Op Fl m Ar force_file_permissions
.Sh DESCRIPTION
.Nm
is a program that speaks the server side of SFTP protocol
@@ -104,6 +105,10 @@ Sets an explicit
.Xr umask 2
to be applied to newly-created files and directories, instead of the
user's default mask.
+.It Fl m Ar force_file_permissions
+Sets explicit file permissions to be applied to newly-created files instead
+of the default or client requested mode. Numeric values include:
+777, 755, 750, 666, 644, 640, etc. Option -u is ineffective if -m is set.
.El
.Pp
For logging to work,
Index: openssh-6.4p1/sftp-server.c
===================================================================
--- openssh-6.4p1.orig/sftp-server.c
+++ openssh-6.4p1/sftp-server.c
@@ -73,6 +73,10 @@ u_int version;
/* Disable writes */
int readonly;
+/* Force file permissions */
+int permforce = 0;
+long permforcemode;
+
/* portable attributes, etc. */
typedef struct Stat Stat;
@@ -557,6 +561,10 @@ process_open(void)
a = get_attrib();
flags = flags_from_portable(pflags);
mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a->perm : 0666;
+ if (permforce == 1) {
+ mode = permforcemode;
+ (void)umask(0); /* so umask does not interfere */
+ }
logit("open \"%s\" flags %s mode 0%o",
name, string_from_portable(pflags), mode);
if (readonly &&
@@ -1391,7 +1399,7 @@ sftp_server_usage(void)
fprintf(stderr,
"usage: %s [-ehR] [-d start_directory] [-f log_facility] "
- "[-l log_level]\n\t[-u umask]\n",
+ "[-l log_level]\n\t[-u umask]\n[-m force_file_permissions]\n",
__progname);
exit(1);
}
@@ -1414,7 +1422,7 @@ sftp_server_main(int argc, char **argv,
pw = pwcopy(user_pw);
- while (!skipargs && (ch = getopt(argc, argv, "d:f:l:u:cehR")) != -1) {
+ while (!skipargs && (ch = getopt(argc, argv, "d:f:l:u:m:cehR")) != -1) {
switch (ch) {
case 'R':
readonly = 1;
@@ -1453,6 +1461,13 @@ sftp_server_main(int argc, char **argv,
fatal("Invalid umask \"%s\"", optarg);
(void)umask((mode_t)mask);
break;
+ case 'm':
+ permforce = 1;
+ permforcemode = strtol(optarg, &cp, 8);
+ if (permforcemode < 0 || permforcemode > 0777 || *cp != '\0' ||
+ cp == optarg || (permforcemode == 0 && errno != 0))
+ fatal("Invalid umask \"%s\"", optarg);
+ break;
case 'h':
default:
sftp_server_usage();

View File

@ -1,46 +0,0 @@
# related to bnc#49845, upstream bug #529
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
--- a/openssh-6.4p1/sshd.c
+++ b/openssh-6.4p1/sshd.c
@@ -309,16 +309,17 @@ sighup_handler(int sig)
/*
* Called from the main program after receiving SIGHUP.
* Restarts the server.
*/
static void
sighup_restart(void)
{
+ int i;
logit("Received SIGHUP; restarting.");
close_listen_socks();
close_startup_pipes();
alarm(0); /* alarm timer persists across exec */
signal(SIGHUP, SIG_IGN); /* will be restored after exec */
execv(saved_argv[0], saved_argv);
logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0],
strerror(errno));
@@ -1382,17 +1383,21 @@ main(int ac, char **av)
saved_argv = xcalloc(ac + 1, sizeof(*saved_argv));
for (i = 0; i < ac; i++)
saved_argv[i] = xstrdup(av[i]);
saved_argv[i] = NULL;
#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
compat_init_setproctitle(ac, av);
- av = saved_argv;
+
+ av = xmalloc(sizeof(*saved_argv) * (saved_argc + 1));
+ for (i = 0; i < saved_argc; i++)
+ av[i] = xstrdup(saved_argv[i]);
+ av[i] = NULL;
#endif
if (geteuid() == 0 && setgroups(0, NULL) == -1)
debug("setgroups(): %.200s", strerror(errno));
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5530f616513b14aea3662c4c373bafd6a97a269938674c006377e381f68975d2
size 1201402

View File

@ -2,9 +2,9 @@
# configuration # configuration
# bnc#50836 (was suse #35836) # bnc#50836 (was suse #35836)
diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
--- a/openssh-6.4p1/ssh_config --- a/openssh-6.5p1/ssh_config
+++ b/openssh-6.4p1/ssh_config +++ b/openssh-6.5p1/ssh_config
@@ -12,19 +12,30 @@ @@ -12,19 +12,30 @@
# Any configuration value is only changed the first time it is set. # Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the # Thus, host-specific definitions should be at the beginning of the
@ -37,10 +37,10 @@ diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config
# GSSAPIDelegateCredentials no # GSSAPIDelegateCredentials no
# BatchMode no # BatchMode no
# CheckHostIP yes # CheckHostIP yes
diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
--- a/openssh-6.4p1/sshd_config --- a/openssh-6.5p1/sshd_config
+++ b/openssh-6.4p1/sshd_config +++ b/openssh-6.5p1/sshd_config
@@ -93,17 +93,17 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -94,17 +94,17 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without # If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication # PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'. # and ChallengeResponseAuthentication to 'no'.
@ -53,9 +53,9 @@ diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config
+X11Forwarding yes +X11Forwarding yes
#X11DisplayOffset 10 #X11DisplayOffset 10
#X11UseLocalhost yes #X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes #PrintMotd yes
#PrintLastLog yes #PrintLastLog yes
#TCPKeepAlive yes #TCPKeepAlive yes
#UseLogin no #UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations. UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no

View File

@ -8,9 +8,9 @@
# #
# PRIVSEP(getpwnamallow()) a few lines above already did this. # PRIVSEP(getpwnamallow()) a few lines above already did this.
diff --git a/openssh-6.4p1/auth2.c b/openssh-6.4p1/auth2.c diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c
--- a/openssh-6.4p1/auth2.c --- a/openssh-6.5p1/auth2.c
+++ b/openssh-6.4p1/auth2.c +++ b/openssh-6.5p1/auth2.c
@@ -242,19 +242,16 @@ input_userauth_request(int type, u_int32 @@ -242,19 +242,16 @@ input_userauth_request(int type, u_int32
authctxt->pw = PRIVSEP(getpwnamallow(user)); authctxt->pw = PRIVSEP(getpwnamallow(user));
authctxt->user = xstrdup(user); authctxt->user = xstrdup(user);

View File

@ -4,9 +4,9 @@
# https://bugzilla.mindrot.org/attachment.cgi?id=2011 # https://bugzilla.mindrot.org/attachment.cgi?id=2011
# by jchadima@redhat.com # by jchadima@redhat.com
diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
--- a/openssh-6.4p1/audit-bsm.c --- a/openssh-6.5p1/audit-bsm.c
+++ b/openssh-6.4p1/audit-bsm.c +++ b/openssh-6.5p1/audit-bsm.c
@@ -370,20 +370,33 @@ audit_connection_from(const char *host, @@ -370,20 +370,33 @@ audit_connection_from(const char *host,
/* this is used on IPv4-only machines */ /* this is used on IPv4-only machines */
tid->port = (dev_t)port; tid->port = (dev_t)port;
@ -42,9 +42,9 @@ diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
/* not implemented */ /* not implemented */
} }
diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.4p1/audit-linux.c --- a/openssh-6.5p1/audit-linux.c
+++ b/openssh-6.4p1/audit-linux.c +++ b/openssh-6.5p1/audit-linux.c
@@ -30,97 +30,210 @@ @@ -30,97 +30,210 @@
#include "includes.h" #include "includes.h"
#if defined(USE_LINUX_AUDIT) #if defined(USE_LINUX_AUDIT)
@ -276,9 +276,9 @@ diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
} }
#endif /* USE_LINUX_AUDIT */ #endif /* USE_LINUX_AUDIT */
diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
--- a/openssh-6.4p1/audit.c --- a/openssh-6.5p1/audit.c
+++ b/openssh-6.4p1/audit.c +++ b/openssh-6.5p1/audit.c
@@ -135,16 +135,27 @@ audit_connection_from(const char *host, @@ -135,16 +135,27 @@ audit_connection_from(const char *host,
void void
audit_event(ssh_audit_event_t event) audit_event(ssh_audit_event_t event)
@ -344,9 +344,9 @@ diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
+ +
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
--- a/openssh-6.4p1/audit.h --- a/openssh-6.5p1/audit.h
+++ b/openssh-6.4p1/audit.h +++ b/openssh-6.5p1/audit.h
@@ -44,14 +44,16 @@ enum ssh_audit_event_type { @@ -44,14 +44,16 @@ enum ssh_audit_event_type {
SSH_CONNECTION_CLOSE, /* closed after attempting auth or session */ SSH_CONNECTION_CLOSE, /* closed after attempting auth or session */
SSH_CONNECTION_ABANDON, /* closed without completing auth */ SSH_CONNECTION_ABANDON, /* closed without completing auth */
@ -365,9 +365,9 @@ diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
ssh_audit_event_t audit_classify_auth(const char *); ssh_audit_event_t audit_classify_auth(const char *);
#endif /* _SSH_AUDIT_H */ #endif /* _SSH_AUDIT_H */
diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
--- a/openssh-6.4p1/monitor.c --- a/openssh-6.5p1/monitor.c
+++ b/openssh-6.4p1/monitor.c +++ b/openssh-6.5p1/monitor.c
@@ -181,16 +181,17 @@ int mm_answer_gss_setup_ctx(int, Buffer @@ -181,16 +181,17 @@ int mm_answer_gss_setup_ctx(int, Buffer
int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *); int mm_answer_gss_userok(int, Buffer *);
@ -500,9 +500,9 @@ diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
void void
monitor_apply_keystate(struct monitor *pmonitor) monitor_apply_keystate(struct monitor *pmonitor)
{ {
diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
--- a/openssh-6.4p1/monitor.h --- a/openssh-6.5p1/monitor.h
+++ b/openssh-6.4p1/monitor.h +++ b/openssh-6.5p1/monitor.h
@@ -64,16 +64,17 @@ enum monitor_reqtype { @@ -64,16 +64,17 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_START = 100, MONITOR_REQ_PAM_START = 100,
@ -521,9 +521,9 @@ diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h
int m_recvfd; int m_recvfd;
int m_sendfd; int m_sendfd;
int m_log_recvfd; int m_log_recvfd;
diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
--- a/openssh-6.4p1/monitor_wrap.c --- a/openssh-6.5p1/monitor_wrap.c
+++ b/openssh-6.4p1/monitor_wrap.c +++ b/openssh-6.5p1/monitor_wrap.c
@@ -1186,27 +1186,48 @@ mm_audit_event(ssh_audit_event_t event) @@ -1186,27 +1186,48 @@ mm_audit_event(ssh_audit_event_t event)
buffer_init(&m); buffer_init(&m);
@ -574,9 +574,9 @@ diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
OM_uint32 OM_uint32
mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid) mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid)
{ {
diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
--- a/openssh-6.4p1/monitor_wrap.h --- a/openssh-6.5p1/monitor_wrap.h
+++ b/openssh-6.4p1/monitor_wrap.h +++ b/openssh-6.5p1/monitor_wrap.h
@@ -69,17 +69,18 @@ void *mm_sshpam_init_ctx(struct Authctxt @@ -69,17 +69,18 @@ void *mm_sshpam_init_ctx(struct Authctxt
int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **); int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **);
int mm_sshpam_respond(void *, u_int, char **); int mm_sshpam_respond(void *, u_int, char **);
@ -597,9 +597,9 @@ diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
void mm_session_pty_cleanup2(struct Session *); void mm_session_pty_cleanup2(struct Session *);
/* SSHv1 interfaces */ /* SSHv1 interfaces */
diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
--- a/openssh-6.4p1/session.c --- a/openssh-6.5p1/session.c
+++ b/openssh-6.4p1/session.c +++ b/openssh-6.5p1/session.c
@@ -740,16 +740,24 @@ do_exec_pty(Session *s, const char *comm @@ -740,16 +740,24 @@ do_exec_pty(Session *s, const char *comm
cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
#endif #endif
@ -625,13 +625,13 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
session_set_fds(s, ptyfd, fdout, -1, 1, 1); session_set_fds(s, ptyfd, fdout, -1, 1, 1);
} else { } else {
server_loop(pid, ptyfd, fdout, -1); server_loop(pid, ptyfd, fdout, -1);
@@ -811,25 +819,29 @@ do_exec(Session *s, const char *command) @@ -834,25 +842,29 @@ do_exec(Session *s, const char *command)
s->is_subsystem = s->is_subsystem ? session_type,
SUBSYSTEM_INT_SFTP : SUBSYSTEM_INT_SFTP_ERROR; tty == NULL ? "" : " on ",
} else if (s->is_subsystem) tty == NULL ? "" : tty,
s->is_subsystem = SUBSYSTEM_EXT; s->pw->pw_name,
debug("Forced command (key option) '%.900s'", command); get_remote_ipaddr(),
} get_remote_port());
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
+ if (s->command != NULL || s->command_handle != -1) + if (s->command != NULL || s->command_handle != -1)
@ -657,7 +657,7 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
original_command = NULL; original_command = NULL;
@@ -1875,16 +1887,17 @@ session_unused(int id) @@ -1903,16 +1915,17 @@ session_unused(int id)
bzero(&sessions[id], sizeof(*sessions)); bzero(&sessions[id], sizeof(*sessions));
sessions[id].self = id; sessions[id].self = id;
sessions[id].used = 0; sessions[id].used = 0;
@ -675,7 +675,7 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
session_new(void) session_new(void)
{ {
Session *s, *tmp; Session *s, *tmp;
@@ -1957,16 +1970,29 @@ session_open(Authctxt *authctxt, int cha @@ -1985,16 +1998,29 @@ session_open(Authctxt *authctxt, int cha
if (s->pw == NULL || !authctxt->valid) if (s->pw == NULL || !authctxt->valid)
fatal("no user for session %d", s->self); fatal("no user for session %d", s->self);
debug("session_open: session %d: link with channel %d", s->self, chanid); debug("session_open: session %d: link with channel %d", s->self, chanid);
@ -705,7 +705,7 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
if (s->used && s->ttyfd != -1 && strcmp(s->tty, tty) == 0) { if (s->used && s->ttyfd != -1 && strcmp(s->tty, tty) == 0) {
debug("session_by_tty: session %d tty %s", i, tty); debug("session_by_tty: session %d tty %s", i, tty);
return s; return s;
@@ -2473,16 +2499,40 @@ session_exit_message(Session *s, int sta @@ -2501,16 +2527,40 @@ session_exit_message(Session *s, int sta
* interested in data we write. * interested in data we write.
* Note that we must not call 'chan_read_failed', since there could * Note that we must not call 'chan_read_failed', since there could
* be some more data waiting in the pipe. * be some more data waiting in the pipe.
@ -746,7 +746,7 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
debug("session_close: session %d pid %ld", s->self, (long)s->pid); debug("session_close: session %d pid %ld", s->self, (long)s->pid);
@@ -2513,16 +2563,20 @@ session_close(Session *s) @@ -2541,16 +2591,20 @@ session_close(Session *s)
int status; int status;
waitpid(pid, &status, 0); waitpid(pid, &status, 0);
@ -765,9 +765,9 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
free(s->auth_display); free(s->auth_display);
free(s->auth_data); free(s->auth_data);
free(s->auth_proto); free(s->auth_proto);
free(s->subsys);
if (s->env != NULL) { if (s->env != NULL) {
for (i = 0; i < s->num_env; i++) { @@ -2755,16 +2809,25 @@ session_setup_x11fwd(Session *s)
@@ -2726,16 +2780,25 @@ session_setup_x11fwd(Session *s)
} }
static void static void
@ -793,7 +793,7 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
debug("do_cleanup"); debug("do_cleanup");
/* no cleanup if we're in the child for login shell */ /* no cleanup if we're in the child for login shell */
@@ -2774,10 +2837,10 @@ do_cleanup(Authctxt *authctxt) @@ -2803,10 +2866,10 @@ do_cleanup(Authctxt *authctxt)
/* remove agent socket */ /* remove agent socket */
auth_sock_cleanup_proc(authctxt->pw); auth_sock_cleanup_proc(authctxt->pw);
@ -805,13 +805,13 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
- session_destroy_all(session_pty_cleanup2); - session_destroy_all(session_pty_cleanup2);
+ session_destroy_all(do_cleanup_one_session); + session_destroy_all(do_cleanup_one_session);
} }
diff --git a/openssh-6.4p1/session.h b/openssh-6.4p1/session.h diff --git a/openssh-6.5p1/session.h b/openssh-6.5p1/session.h
--- a/openssh-6.4p1/session.h --- a/openssh-6.5p1/session.h
+++ b/openssh-6.4p1/session.h +++ b/openssh-6.5p1/session.h
@@ -55,29 +55,37 @@ struct Session { @@ -56,29 +56,37 @@ struct Session {
int chanid;
int *x11_chanids; int *x11_chanids;
int is_subsystem; int is_subsystem;
char *subsys;
u_int num_env; u_int num_env;
struct { struct {
char *name; char *name;
@ -846,10 +846,10 @@ diff --git a/openssh-6.4p1/session.h b/openssh-6.4p1/session.h
const char *value); const char *value);
#endif #endif
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.4p1/sshd.c --- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.4p1/sshd.c +++ b/openssh-6.5p1/sshd.c
@@ -2487,13 +2487,14 @@ cleanup_exit(int i) @@ -2504,13 +2504,14 @@ cleanup_exit(int i)
if (kill(pmonitor->m_pid, SIGKILL) != 0 && if (kill(pmonitor->m_pid, SIGKILL) != 0 &&
errno != ESRCH) errno != ESRCH)
error("%s: kill(%d): %s", __func__, error("%s: kill(%d): %s", __func__,

View File

@ -5,9 +5,9 @@
# (replaces: https://bugzilla.mindrot.org/attachment.cgi?id=1975) # (replaces: https://bugzilla.mindrot.org/attachment.cgi?id=1975)
# by jchadima@redhat.com # by jchadima@redhat.com
diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
--- a/openssh-6.4p1/audit-bsm.c --- a/openssh-6.5p1/audit-bsm.c
+++ b/openssh-6.4p1/audit-bsm.c +++ b/openssh-6.5p1/audit-bsm.c
@@ -401,16 +401,22 @@ audit_session_open(struct logininfo *li) @@ -401,16 +401,22 @@ audit_session_open(struct logininfo *li)
} }
@ -31,9 +31,9 @@ diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
const char *user = the_authctxt ? the_authctxt->user : "(unknown user)"; const char *user = the_authctxt ? the_authctxt->user : "(unknown user)";
if (cannot_audit(0)) if (cannot_audit(0))
diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.4p1/audit-linux.c --- a/openssh-6.5p1/audit-linux.c
+++ b/openssh-6.4p1/audit-linux.c +++ b/openssh-6.5p1/audit-linux.c
@@ -36,16 +36,18 @@ @@ -36,16 +36,18 @@
#include "log.h" #include "log.h"
#include "audit.h" #include "audit.h"
@ -101,9 +101,9 @@ diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
audit_connection_from(const char *host, int port) audit_connection_from(const char *host, int port)
{ {
/* not implemented */ /* not implemented */
diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
--- a/openssh-6.4p1/audit.c --- a/openssh-6.5p1/audit.c
+++ b/openssh-6.4p1/audit.c +++ b/openssh-6.5p1/audit.c
@@ -31,16 +31,17 @@ @@ -31,16 +31,17 @@
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
@ -178,9 +178,9 @@ diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
+} +}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
--- a/openssh-6.4p1/audit.h --- a/openssh-6.5p1/audit.h
+++ b/openssh-6.4p1/audit.h +++ b/openssh-6.5p1/audit.h
@@ -23,16 +23,17 @@ @@ -23,16 +23,17 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@ -212,9 +212,9 @@ diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
+void audit_key(int, int *, const Key *); +void audit_key(int, int *, const Key *);
#endif /* _SSH_AUDIT_H */ #endif /* _SSH_AUDIT_H */
diff --git a/openssh-6.4p1/auth-rsa.c b/openssh-6.4p1/auth-rsa.c diff --git a/openssh-6.5p1/auth-rsa.c b/openssh-6.5p1/auth-rsa.c
--- a/openssh-6.4p1/auth-rsa.c --- a/openssh-6.5p1/auth-rsa.c
+++ b/openssh-6.4p1/auth-rsa.c +++ b/openssh-6.5p1/auth-rsa.c
@@ -87,17 +87,20 @@ auth_rsa_generate_challenge(Key *key) @@ -87,17 +87,20 @@ auth_rsa_generate_challenge(Key *key)
return challenge; return challenge;
} }
@ -271,9 +271,9 @@ diff --git a/openssh-6.4p1/auth-rsa.c b/openssh-6.4p1/auth-rsa.c
* our challenge; returns zero if the client gives a wrong answer. * our challenge; returns zero if the client gives a wrong answer.
*/ */
diff --git a/openssh-6.4p1/auth.h b/openssh-6.4p1/auth.h diff --git a/openssh-6.5p1/auth.h b/openssh-6.5p1/auth.h
--- a/openssh-6.4p1/auth.h --- a/openssh-6.5p1/auth.h
+++ b/openssh-6.4p1/auth.h +++ b/openssh-6.5p1/auth.h
@@ -182,16 +182,17 @@ int allowed_user(struct passwd *); @@ -182,16 +182,17 @@ int allowed_user(struct passwd *);
struct passwd * getpwnamallow(const char *user); struct passwd * getpwnamallow(const char *user);
@ -310,10 +310,10 @@ diff --git a/openssh-6.4p1/auth.h b/openssh-6.4p1/auth.h
struct passwd *fakepw(void); struct passwd *fakepw(void);
diff --git a/openssh-6.4p1/auth2-hostbased.c b/openssh-6.4p1/auth2-hostbased.c diff --git a/openssh-6.5p1/auth2-hostbased.c b/openssh-6.5p1/auth2-hostbased.c
--- a/openssh-6.4p1/auth2-hostbased.c --- a/openssh-6.5p1/auth2-hostbased.c
+++ b/openssh-6.4p1/auth2-hostbased.c +++ b/openssh-6.5p1/auth2-hostbased.c
@@ -118,33 +118,45 @@ userauth_hostbased(Authctxt *authctxt) @@ -124,33 +124,45 @@ userauth_hostbased(Authctxt *authctxt)
#endif #endif
pubkey_auth_info(authctxt, key, pubkey_auth_info(authctxt, key,
@ -360,10 +360,10 @@ diff --git a/openssh-6.4p1/auth2-hostbased.c b/openssh-6.4p1/auth2-hostbased.c
const char *resolvedname, *ipaddr, *lookup, *reason; const char *resolvedname, *ipaddr, *lookup, *reason;
HostStatus host_status; HostStatus host_status;
int len; int len;
diff --git a/openssh-6.4p1/auth2-pubkey.c b/openssh-6.4p1/auth2-pubkey.c diff --git a/openssh-6.5p1/auth2-pubkey.c b/openssh-6.5p1/auth2-pubkey.c
--- a/openssh-6.4p1/auth2-pubkey.c --- a/openssh-6.5p1/auth2-pubkey.c
+++ b/openssh-6.4p1/auth2-pubkey.c +++ b/openssh-6.5p1/auth2-pubkey.c
@@ -147,17 +147,17 @@ userauth_pubkey(Authctxt *authctxt) @@ -153,17 +153,17 @@ userauth_pubkey(Authctxt *authctxt)
#ifdef DEBUG_PK #ifdef DEBUG_PK
buffer_dump(&b); buffer_dump(&b);
#endif #endif
@ -382,7 +382,7 @@ diff --git a/openssh-6.4p1/auth2-pubkey.c b/openssh-6.4p1/auth2-pubkey.c
debug("test whether pkalg/pkblob are acceptable"); debug("test whether pkalg/pkblob are acceptable");
packet_check_eom(); packet_check_eom();
@@ -184,16 +184,28 @@ done: @@ -190,16 +190,28 @@ done:
debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg); debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
if (key != NULL) if (key != NULL)
key_free(key); key_free(key);
@ -411,9 +411,9 @@ diff --git a/openssh-6.4p1/auth2-pubkey.c b/openssh-6.4p1/auth2-pubkey.c
int i; int i;
extra = NULL; extra = NULL;
diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
--- a/openssh-6.4p1/monitor.c --- a/openssh-6.5p1/monitor.c
+++ b/openssh-6.4p1/monitor.c +++ b/openssh-6.5p1/monitor.c
@@ -1362,26 +1362,30 @@ monitor_valid_hostbasedblob(u_char *data @@ -1362,26 +1362,30 @@ monitor_valid_hostbasedblob(u_char *data
} }
@ -474,9 +474,9 @@ diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
free(signature); free(signature);
free(data); free(data);
diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
--- a/openssh-6.4p1/monitor_wrap.c --- a/openssh-6.5p1/monitor_wrap.c
+++ b/openssh-6.4p1/monitor_wrap.c +++ b/openssh-6.5p1/monitor_wrap.c
@@ -428,30 +428,31 @@ mm_key_allowed(enum mm_keytype type, cha @@ -428,30 +428,31 @@ mm_key_allowed(enum mm_keytype type, cha
/* /*
@ -540,9 +540,9 @@ diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
u_int len; u_int len;
Newkeys *newkey = NULL; Newkeys *newkey = NULL;
Enc *enc; Enc *enc;
diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
--- a/openssh-6.4p1/monitor_wrap.h --- a/openssh-6.5p1/monitor_wrap.h
+++ b/openssh-6.4p1/monitor_wrap.h +++ b/openssh-6.5p1/monitor_wrap.h
@@ -44,17 +44,18 @@ int mm_key_sign(Key *, u_char **, u_int @@ -44,17 +44,18 @@ int mm_key_sign(Key *, u_char **, u_int
void mm_inform_authserv(char *, char *); void mm_inform_authserv(char *, char *);
struct passwd *mm_getpwnamallow(const char *); struct passwd *mm_getpwnamallow(const char *);

View File

@ -5,20 +5,21 @@
# (replaces: https://bugzilla.mindrot.org/attachment.cgi?id=1976) # (replaces: https://bugzilla.mindrot.org/attachment.cgi?id=1976)
# by jchadima@redhat.com # by jchadima@redhat.com
diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
--- a/openssh-6.4p1/Makefile.in --- a/openssh-6.5p1/Makefile.in
+++ b/openssh-6.4p1/Makefile.in +++ b/openssh-6.5p1/Makefile.in
@@ -68,17 +68,17 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o @@ -71,17 +71,18 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
log.o match.o md-sha256.o moduli.o nchan.o packet.o \
readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \ readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
- jpake.o schnorr.o ssh-pkcs11.o krl.o jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \
+ jpake.o schnorr.o ssh-pkcs11.o krl.o auditstub.o kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
ssh-ed25519.o digest.o \
- sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o
+ sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
+ auditstub.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o \
@ -27,9 +28,9 @@ diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
audit.o audit-bsm.o audit-linux.o platform.o \ audit.o audit-bsm.o audit-linux.o platform.o \
sshpty.o sshlogin.o servconf.o serverloop.o \ sshpty.o sshlogin.o servconf.o serverloop.o \
diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
--- a/openssh-6.4p1/audit-bsm.c --- a/openssh-6.5p1/audit-bsm.c
+++ b/openssh-6.4p1/audit-bsm.c +++ b/openssh-6.5p1/audit-bsm.c
@@ -468,9 +468,21 @@ audit_event(ssh_audit_event_t event) @@ -468,9 +468,21 @@ audit_event(ssh_audit_event_t event)
case SSH_AUTH_FAIL_KBDINT: case SSH_AUTH_FAIL_KBDINT:
bsm_audit_bad_login("interactive password entry"); bsm_audit_bad_login("interactive password entry");
@ -52,9 +53,9 @@ diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
+ /* not implemented */ + /* not implemented */
+} +}
#endif /* BSM */ #endif /* BSM */
diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.4p1/audit-linux.c --- a/openssh-6.5p1/audit-linux.c
+++ b/openssh-6.4p1/audit-linux.c +++ b/openssh-6.5p1/audit-linux.c
@@ -35,16 +35,18 @@ @@ -35,16 +35,18 @@
#include "log.h" #include "log.h"
@ -140,9 +141,9 @@ diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
+} +}
+ +
#endif /* USE_LINUX_AUDIT */ #endif /* USE_LINUX_AUDIT */
diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
--- a/openssh-6.4p1/audit.c --- a/openssh-6.5p1/audit.c
+++ b/openssh-6.4p1/audit.c +++ b/openssh-6.5p1/audit.c
@@ -23,24 +23,27 @@ @@ -23,24 +23,27 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@ -232,9 +233,9 @@ diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
+} +}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
--- a/openssh-6.4p1/audit.h --- a/openssh-6.5p1/audit.h
+++ b/openssh-6.4p1/audit.h +++ b/openssh-6.5p1/audit.h
@@ -53,10 +53,14 @@ void audit_event(ssh_audit_event_t); @@ -53,10 +53,14 @@ void audit_event(ssh_audit_event_t);
void audit_count_session_open(void); void audit_count_session_open(void);
void audit_session_open(struct logininfo *); void audit_session_open(struct logininfo *);
@ -250,10 +251,10 @@ diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
+void audit_kex_body(int, char *, char *, char *, pid_t, uid_t); +void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
#endif /* _SSH_AUDIT_H */ #endif /* _SSH_AUDIT_H */
diff --git a/openssh-6.4p1/auditstub.c b/openssh-6.4p1/auditstub.c diff --git a/openssh-6.5p1/auditstub.c b/openssh-6.5p1/auditstub.c
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/auditstub.c +++ b/openssh-6.5p1/auditstub.c
@@ -0,0 +1,39 @@ @@ -0,0 +1,39 @@
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */ +/* $Id: auditstub.c,v 1.1 jfch Exp $ */
+ +
@ -294,10 +295,10 @@ new file mode 100644
+{ +{
+} +}
+ +
diff --git a/openssh-6.4p1/cipher.c b/openssh-6.4p1/cipher.c diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c
--- a/openssh-6.4p1/cipher.c --- a/openssh-6.5p1/cipher.c
+++ b/openssh-6.4p1/cipher.c +++ b/openssh-6.5p1/cipher.c
@@ -50,29 +50,17 @@ @@ -52,31 +52,17 @@
/* compatibility with old or broken OpenSSL versions */ /* compatibility with old or broken OpenSSL versions */
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
@ -314,7 +315,9 @@ diff --git a/openssh-6.4p1/cipher.c b/openssh-6.4p1/cipher.c
- u_int iv_len; /* defaults to block_size */ - u_int iv_len; /* defaults to block_size */
- u_int auth_len; - u_int auth_len;
- u_int discard_len; - u_int discard_len;
- u_int cbc_mode; - u_int flags;
-#define CFLAG_CBC (1<<0)
-#define CFLAG_CHACHAPOLY (1<<1)
- const EVP_CIPHER *(*evptype)(void); - const EVP_CIPHER *(*evptype)(void);
-}; -};
- -
@ -328,10 +331,10 @@ diff --git a/openssh-6.4p1/cipher.c b/openssh-6.4p1/cipher.c
{ "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
{ "blowfish-cbc", { "blowfish-cbc",
SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc }, SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
diff --git a/openssh-6.4p1/cipher.h b/openssh-6.4p1/cipher.h diff --git a/openssh-6.5p1/cipher.h b/openssh-6.5p1/cipher.h
--- a/openssh-6.4p1/cipher.h --- a/openssh-6.5p1/cipher.h
+++ b/openssh-6.4p1/cipher.h +++ b/openssh-6.5p1/cipher.h
@@ -56,17 +56,28 @@ @@ -58,17 +58,30 @@
#define SSH_CIPHER_MAX 31 #define SSH_CIPHER_MAX 31
#define CIPHER_ENCRYPT 1 #define CIPHER_ENCRYPT 1
@ -349,7 +352,9 @@ diff --git a/openssh-6.4p1/cipher.h b/openssh-6.4p1/cipher.h
+ u_int iv_len; /* defaults to block_size */ + u_int iv_len; /* defaults to block_size */
+ u_int auth_len; + u_int auth_len;
+ u_int discard_len; + u_int discard_len;
+ u_int cbc_mode; + u_int flags;
+#define CFLAG_CBC (1<<0)
+#define CFLAG_CHACHAPOLY (1<<1)
+ const EVP_CIPHER *(*evptype)(void); + const EVP_CIPHER *(*evptype)(void);
+}; +};
+ +
@ -357,15 +362,14 @@ diff --git a/openssh-6.4p1/cipher.h b/openssh-6.4p1/cipher.h
int plaintext; int plaintext;
int encrypt; int encrypt;
EVP_CIPHER_CTX evp; EVP_CIPHER_CTX evp;
struct chachapoly_ctx cp_ctx; /* XXX union with evp? */
const Cipher *cipher; const Cipher *cipher;
}; };
u_int cipher_mask_ssh1(int); diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c --- a/openssh-6.5p1/kex.c
--- a/openssh-6.4p1/kex.c +++ b/openssh-6.5p1/kex.c
+++ b/openssh-6.4p1/kex.c @@ -45,16 +45,17 @@
@@ -44,16 +44,17 @@
#include "key.h"
#include "kex.h" #include "kex.h"
#include "log.h" #include "log.h"
#include "mac.h" #include "mac.h"
@ -373,6 +377,7 @@ diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c
#include "dispatch.h" #include "dispatch.h"
#include "monitor.h" #include "monitor.h"
#include "roaming.h" #include "roaming.h"
#include "digest.h"
+#include "audit.h" +#include "audit.h"
#if OPENSSL_VERSION_NUMBER >= 0x00907000L #if OPENSSL_VERSION_NUMBER >= 0x00907000L
@ -382,7 +387,7 @@ diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c
extern const EVP_MD *evp_ssh_sha256(void); extern const EVP_MD *evp_ssh_sha256(void);
# endif # endif
#endif #endif
@@ -336,53 +337,65 @@ kex_kexinit_finish(Kex *kex) @@ -346,53 +347,65 @@ kex_kexinit_finish(Kex *kex)
fatal("Unsupported key exchange %d", kex->kex_type); fatal("Unsupported key exchange %d", kex->kex_type);
} }
} }
@ -451,7 +456,7 @@ diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c
comp->type = COMP_NONE; comp->type = COMP_NONE;
} else { } else {
fatal("unsupported comp %s", name); fatal("unsupported comp %s", name);
@@ -487,16 +500,19 @@ kex_choose_conf(Kex *kex) @@ -497,16 +510,19 @@ kex_choose_conf(Kex *kex)
if (authlen == 0) if (authlen == 0)
choose_mac(&newkeys->mac, cprop[nmac], sprop[nmac]); choose_mac(&newkeys->mac, cprop[nmac], sprop[nmac]);
choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]); choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]);
@ -467,13 +472,13 @@ diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c
choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]); choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]); sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]);
need = 0; need = dh_need = 0;
for (mode = 0; mode < MODE_MAX; mode++) { for (mode = 0; mode < MODE_MAX; mode++) {
newkeys = kex->newkeys[mode]; newkeys = kex->newkeys[mode];
if (need < newkeys->enc.key_len) need = MAX(need, newkeys->enc.key_len);
diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
--- a/openssh-6.4p1/monitor.c --- a/openssh-6.5p1/monitor.c
+++ b/openssh-6.4p1/monitor.c +++ b/openssh-6.5p1/monitor.c
@@ -93,16 +93,17 @@ @@ -93,16 +93,17 @@
#include "monitor_wrap.h" #include "monitor_wrap.h"
#include "monitor_fdpass.h" #include "monitor_fdpass.h"
@ -582,7 +587,7 @@ diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
/* Specifies if a certain message is allowed at the moment */ /* Specifies if a certain message is allowed at the moment */
@@ -2410,8 +2421,52 @@ mm_answer_jpake_check_confirm(int sock, @@ -2411,8 +2422,52 @@ mm_answer_jpake_check_confirm(int sock,
monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1); monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
@ -635,9 +640,9 @@ diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
+} +}
+ +
+#endif /* SSH_AUDIT_EVENTS */ +#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
--- a/openssh-6.4p1/monitor.h --- a/openssh-6.5p1/monitor.h
+++ b/openssh-6.4p1/monitor.h +++ b/openssh-6.5p1/monitor.h
@@ -65,16 +65,18 @@ enum monitor_reqtype { @@ -65,16 +65,18 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_START = 100, MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
@ -657,9 +662,9 @@ diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h
int m_recvfd; int m_recvfd;
int m_sendfd; int m_sendfd;
int m_log_recvfd; int m_log_recvfd;
diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
--- a/openssh-6.4p1/monitor_wrap.c --- a/openssh-6.5p1/monitor_wrap.c
+++ b/openssh-6.4p1/monitor_wrap.c +++ b/openssh-6.5p1/monitor_wrap.c
@@ -1483,8 +1483,46 @@ mm_jpake_check_confirm(const BIGNUM *k, @@ -1483,8 +1483,46 @@ mm_jpake_check_confirm(const BIGNUM *k,
success = buffer_get_int(&m); success = buffer_get_int(&m);
@ -707,9 +712,9 @@ diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
+ buffer_free(&m); + buffer_free(&m);
+} +}
+#endif /* SSH_AUDIT_EVENTS */ +#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
--- a/openssh-6.4p1/monitor_wrap.h --- a/openssh-6.5p1/monitor_wrap.h
+++ b/openssh-6.4p1/monitor_wrap.h +++ b/openssh-6.5p1/monitor_wrap.h
@@ -72,16 +72,18 @@ int mm_sshpam_respond(void *, u_int, cha @@ -72,16 +72,18 @@ int mm_sshpam_respond(void *, u_int, cha
void mm_sshpam_free_ctx(void *); void mm_sshpam_free_ctx(void *);
#endif #endif
@ -729,9 +734,9 @@ diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
void mm_session_pty_cleanup2(struct Session *); void mm_session_pty_cleanup2(struct Session *);
/* SSHv1 interfaces */ /* SSHv1 interfaces */
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.4p1/sshd.c --- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.4p1/sshd.c +++ b/openssh-6.5p1/sshd.c
@@ -114,16 +114,17 @@ @@ -114,16 +114,17 @@
#include "session.h" #include "session.h"
#include "monitor_mm.h" #include "monitor_mm.h"
@ -750,7 +755,7 @@ diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
#include <syslog.h> #include <syslog.h>
int allow_severity; int allow_severity;
int deny_severity; int deny_severity;
@@ -2297,16 +2298,20 @@ do_ssh1_kex(void) @@ -2312,16 +2313,20 @@ do_ssh1_kex(void)
packet_disconnect("Warning: client selects unsupported cipher."); packet_disconnect("Warning: client selects unsupported cipher.");
/* Get check bytes from the packet. These must match those we /* Get check bytes from the packet. These must match those we

View File

@ -4,9 +4,9 @@
# https://bugzilla.mindrot.org/attachment.cgi?id=2014 # https://bugzilla.mindrot.org/attachment.cgi?id=2014
# by jchadima@redhat.com # by jchadima@redhat.com
diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
--- a/openssh-6.4p1/audit-bsm.c --- a/openssh-6.5p1/audit-bsm.c
+++ b/openssh-6.4p1/audit-bsm.c +++ b/openssh-6.5p1/audit-bsm.c
@@ -480,9 +480,15 @@ audit_unsupported_body(int what) @@ -480,9 +480,15 @@ audit_unsupported_body(int what)
/* not implemented */ /* not implemented */
} }
@ -23,9 +23,9 @@ diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
+ /* not implemented */ + /* not implemented */
+} +}
#endif /* BSM */ #endif /* BSM */
diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.4p1/audit-linux.c --- a/openssh-6.5p1/audit-linux.c
+++ b/openssh-6.4p1/audit-linux.c +++ b/openssh-6.5p1/audit-linux.c
@@ -289,24 +289,25 @@ audit_unsupported_body(int what) @@ -289,24 +289,25 @@ audit_unsupported_body(int what)
/* no problem, the next instruction will be fatal() */ /* no problem, the next instruction will be fatal() */
return; return;
@ -91,9 +91,9 @@ diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
+} +}
+ +
#endif /* USE_LINUX_AUDIT */ #endif /* USE_LINUX_AUDIT */
diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
--- a/openssh-6.4p1/audit.c --- a/openssh-6.5p1/audit.c
+++ b/openssh-6.4p1/audit.c +++ b/openssh-6.5p1/audit.c
@@ -138,16 +138,22 @@ audit_unsupported(int what) @@ -138,16 +138,22 @@ audit_unsupported(int what)
} }
@ -138,9 +138,9 @@ diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
+} +}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
--- a/openssh-6.4p1/audit.h --- a/openssh-6.5p1/audit.h
+++ b/openssh-6.4p1/audit.h +++ b/openssh-6.5p1/audit.h
@@ -57,10 +57,12 @@ int audit_run_command(const char *); @@ -57,10 +57,12 @@ int audit_run_command(const char *);
void audit_end_command(int, const char *); void audit_end_command(int, const char *);
ssh_audit_event_t audit_classify_auth(const char *); ssh_audit_event_t audit_classify_auth(const char *);
@ -154,9 +154,9 @@ diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
+void audit_session_key_free_body(int ctos, pid_t, uid_t); +void audit_session_key_free_body(int ctos, pid_t, uid_t);
#endif /* _SSH_AUDIT_H */ #endif /* _SSH_AUDIT_H */
diff --git a/openssh-6.4p1/auditstub.c b/openssh-6.4p1/auditstub.c diff --git a/openssh-6.5p1/auditstub.c b/openssh-6.5p1/auditstub.c
--- a/openssh-6.4p1/auditstub.c --- a/openssh-6.5p1/auditstub.c
+++ b/openssh-6.4p1/auditstub.c +++ b/openssh-6.5p1/auditstub.c
@@ -22,18 +22,29 @@ @@ -22,18 +22,29 @@
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
@ -187,10 +187,10 @@ diff --git a/openssh-6.4p1/auditstub.c b/openssh-6.4p1/auditstub.c
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid) +audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
+{ +{
+} +}
diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
--- a/openssh-6.4p1/kex.c --- a/openssh-6.5p1/kex.c
+++ b/openssh-6.4p1/kex.c +++ b/openssh-6.5p1/kex.c
@@ -667,8 +667,39 @@ dump_digest(char *msg, u_char *digest, i @@ -698,8 +698,39 @@ dump_digest(char *msg, u_char *digest, i
if (i%32 == 31) if (i%32 == 31)
fprintf(stderr, "\n"); fprintf(stderr, "\n");
else if (i%8 == 7) else if (i%8 == 7)
@ -230,17 +230,17 @@ diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c
+ memset(&newkeys->comp, 0, sizeof(newkeys->comp)); + memset(&newkeys->comp, 0, sizeof(newkeys->comp));
+} +}
+ +
diff --git a/openssh-6.4p1/kex.h b/openssh-6.4p1/kex.h diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
--- a/openssh-6.4p1/kex.h --- a/openssh-6.5p1/kex.h
+++ b/openssh-6.4p1/kex.h +++ b/openssh-6.5p1/kex.h
@@ -157,16 +157,18 @@ Newkeys *kex_get_newkeys(int); @@ -163,16 +163,18 @@ void kexdh_client(Kex *);
void kexdh_client(Kex *);
void kexdh_server(Kex *); void kexdh_server(Kex *);
void kexgex_client(Kex *); void kexgex_client(Kex *);
void kexgex_server(Kex *); void kexgex_server(Kex *);
void kexecdh_client(Kex *); void kexecdh_client(Kex *);
void kexecdh_server(Kex *); void kexecdh_server(Kex *);
void kexc25519_client(Kex *);
void kexc25519_server(Kex *);
+void newkeys_destroy(Newkeys *newkeys); +void newkeys_destroy(Newkeys *newkeys);
+ +
@ -248,13 +248,13 @@ diff --git a/openssh-6.4p1/kex.h b/openssh-6.4p1/kex.h
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
void void
kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *, kexgex_hash(int, char *, char *, char *, int, char *,
int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *, int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
BIGNUM *, BIGNUM *, u_char **, u_int *); BIGNUM *, BIGNUM *, u_char **, u_int *);
#ifdef OPENSSL_HAS_ECC #ifdef OPENSSL_HAS_ECC
diff --git a/openssh-6.4p1/mac.c b/openssh-6.4p1/mac.c diff --git a/openssh-6.5p1/mac.c b/openssh-6.5p1/mac.c
--- a/openssh-6.4p1/mac.c --- a/openssh-6.5p1/mac.c
+++ b/openssh-6.4p1/mac.c +++ b/openssh-6.5p1/mac.c
@@ -219,16 +219,30 @@ mac_clear(Mac *mac) @@ -219,16 +219,30 @@ mac_clear(Mac *mac)
if (mac->umac_ctx != NULL) if (mac->umac_ctx != NULL)
umac128_delete(mac->umac_ctx); umac128_delete(mac->umac_ctx);
@ -286,22 +286,22 @@ diff --git a/openssh-6.4p1/mac.c b/openssh-6.4p1/mac.c
char *maclist, *cp, *p; char *maclist, *cp, *p;
if (names == NULL || strcmp(names, "") == 0) if (names == NULL || strcmp(names, "") == 0)
diff --git a/openssh-6.4p1/mac.h b/openssh-6.4p1/mac.h diff --git a/openssh-6.5p1/mac.h b/openssh-6.5p1/mac.h
--- a/openssh-6.4p1/mac.h --- a/openssh-6.5p1/mac.h
+++ b/openssh-6.4p1/mac.h +++ b/openssh-6.5p1/mac.h
@@ -24,8 +24,9 @@ @@ -24,8 +24,9 @@
*/ */
int mac_valid(const char *); int mac_valid(const char *);
char *mac_alg_list(void); char *mac_alg_list(char);
int mac_setup(Mac *, char *); int mac_setup(Mac *, char *);
int mac_init(Mac *); int mac_init(Mac *);
u_char *mac_compute(Mac *, u_int32_t, u_char *, int); u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
void mac_clear(Mac *); void mac_clear(Mac *);
+void mac_destroy(Mac *); +void mac_destroy(Mac *);
diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
--- a/openssh-6.4p1/monitor.c --- a/openssh-6.5p1/monitor.c
+++ b/openssh-6.4p1/monitor.c +++ b/openssh-6.5p1/monitor.c
@@ -185,16 +185,17 @@ int mm_answer_gss_checkmic(int, Buffer * @@ -185,16 +185,17 @@ int mm_answer_gss_checkmic(int, Buffer *
#endif #endif
@ -389,7 +389,7 @@ diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
/* Specifies if a certain message is allowed at the moment */ /* Specifies if a certain message is allowed at the moment */
@@ -1970,21 +1975,23 @@ mm_get_keystate(struct monitor *pmonitor @@ -1971,21 +1976,23 @@ mm_get_keystate(struct monitor *pmonitor
goto skip; goto skip;
} else { } else {
/* Get the Kex for rekeying */ /* Get the Kex for rekeying */
@ -413,7 +413,7 @@ diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
packets = buffer_get_int(&m); packets = buffer_get_int(&m);
bytes = buffer_get_int64(&m); bytes = buffer_get_int64(&m);
packet_set_state(MODE_OUT, seqnr, blocks, packets, bytes); packet_set_state(MODE_OUT, seqnr, blocks, packets, bytes);
@@ -2020,16 +2027,31 @@ mm_get_keystate(struct monitor *pmonitor @@ -2021,16 +2028,31 @@ mm_get_keystate(struct monitor *pmonitor
/* Roaming */ /* Roaming */
if (compat20) { if (compat20) {
@ -445,7 +445,7 @@ diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
mm_zalloc(struct mm_master *mm, u_int ncount, u_int size) mm_zalloc(struct mm_master *mm, u_int ncount, u_int size)
{ {
size_t len = (size_t) size * ncount; size_t len = (size_t) size * ncount;
@@ -2464,9 +2486,27 @@ mm_answer_audit_kex_body(int sock, Buffe @@ -2465,9 +2487,27 @@ mm_answer_audit_kex_body(int sock, Buffe
free(mac); free(mac);
free(compress); free(compress);
buffer_clear(m); buffer_clear(m);
@ -473,9 +473,9 @@ diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
+ return 0; + return 0;
+} +}
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
--- a/openssh-6.4p1/monitor.h --- a/openssh-6.5p1/monitor.h
+++ b/openssh-6.4p1/monitor.h +++ b/openssh-6.5p1/monitor.h
@@ -67,16 +67,17 @@ enum monitor_reqtype { @@ -67,16 +67,17 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105, MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107, MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
@ -494,9 +494,9 @@ diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h
int m_recvfd; int m_recvfd;
int m_sendfd; int m_sendfd;
int m_log_recvfd; int m_log_recvfd;
diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
--- a/openssh-6.4p1/monitor_wrap.c --- a/openssh-6.5p1/monitor_wrap.c
+++ b/openssh-6.4p1/monitor_wrap.c +++ b/openssh-6.5p1/monitor_wrap.c
@@ -651,22 +651,24 @@ mm_send_keystate(struct monitor *monitor @@ -651,22 +651,24 @@ mm_send_keystate(struct monitor *monitor
__func__, packet_get_newkeys(MODE_OUT), __func__, packet_get_newkeys(MODE_OUT),
packet_get_newkeys(MODE_IN)); packet_get_newkeys(MODE_IN));
@ -547,9 +547,9 @@ diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
+ buffer_free(&m); + buffer_free(&m);
+} +}
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
--- a/openssh-6.4p1/monitor_wrap.h --- a/openssh-6.5p1/monitor_wrap.h
+++ b/openssh-6.4p1/monitor_wrap.h +++ b/openssh-6.5p1/monitor_wrap.h
@@ -74,16 +74,17 @@ void mm_sshpam_free_ctx(void *); @@ -74,16 +74,17 @@ void mm_sshpam_free_ctx(void *);
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
@ -568,9 +568,9 @@ diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
void mm_session_pty_cleanup2(struct Session *); void mm_session_pty_cleanup2(struct Session *);
/* SSHv1 interfaces */ /* SSHv1 interfaces */
diff --git a/openssh-6.4p1/packet.c b/openssh-6.4p1/packet.c diff --git a/openssh-6.5p1/packet.c b/openssh-6.5p1/packet.c
--- a/openssh-6.4p1/packet.c --- a/openssh-6.5p1/packet.c
+++ b/openssh-6.4p1/packet.c +++ b/openssh-6.5p1/packet.c
@@ -56,16 +56,17 @@ @@ -56,16 +56,17 @@
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
@ -650,7 +650,7 @@ diff --git a/openssh-6.4p1/packet.c b/openssh-6.4p1/packet.c
packet_set_protocol_flags(u_int protocol_flags) packet_set_protocol_flags(u_int protocol_flags)
{ {
active_state->remote_protocol_flags = protocol_flags; active_state->remote_protocol_flags = protocol_flags;
@@ -728,16 +739,35 @@ packet_send1(void) @@ -729,16 +740,35 @@ packet_send1(void)
/* /*
* Note that the packet is now only buffered in output. It won't be * Note that the packet is now only buffered in output. It won't be
@ -686,7 +686,7 @@ diff --git a/openssh-6.4p1/packet.c b/openssh-6.4p1/packet.c
Comp *comp; Comp *comp;
CipherContext *cc; CipherContext *cc;
u_int64_t *max_blocks; u_int64_t *max_blocks;
@@ -753,31 +783,19 @@ set_newkeys(int mode) @@ -754,31 +784,19 @@ set_newkeys(int mode)
} else { } else {
cc = &active_state->receive_context; cc = &active_state->receive_context;
crypt_type = CIPHER_DECRYPT; crypt_type = CIPHER_DECRYPT;
@ -720,7 +720,7 @@ diff --git a/openssh-6.4p1/packet.c b/openssh-6.4p1/packet.c
mac = &active_state->newkeys[mode]->mac; mac = &active_state->newkeys[mode]->mac;
comp = &active_state->newkeys[mode]->comp; comp = &active_state->newkeys[mode]->comp;
if (cipher_authlen(enc->cipher) == 0 && mac_init(mac) == 0) if (cipher_authlen(enc->cipher) == 0 && mac_init(mac) == 0)
@@ -1995,54 +2013,93 @@ packet_get_output(void) @@ -2004,54 +2022,93 @@ packet_get_output(void)
} }
void * void *
@ -823,9 +823,9 @@ diff --git a/openssh-6.4p1/packet.c b/openssh-6.4p1/packet.c
+ backup_state = NULL; + backup_state = NULL;
} }
+ +
diff --git a/openssh-6.4p1/packet.h b/openssh-6.4p1/packet.h diff --git a/openssh-6.5p1/packet.h b/openssh-6.5p1/packet.h
--- a/openssh-6.4p1/packet.h --- a/openssh-6.5p1/packet.h
+++ b/openssh-6.4p1/packet.h +++ b/openssh-6.5p1/packet.h
@@ -119,9 +119,10 @@ void packet_set_rekey_limits(u_int32_t, @@ -119,9 +119,10 @@ void packet_set_rekey_limits(u_int32_t,
time_t packet_get_rekey_timeout(void); time_t packet_get_rekey_timeout(void);
@ -837,10 +837,10 @@ diff --git a/openssh-6.4p1/packet.h b/openssh-6.4p1/packet.h
+void packet_destroy_all(int, int); +void packet_destroy_all(int, int);
#endif /* PACKET_H */ #endif /* PACKET_H */
diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
--- a/openssh-6.4p1/session.c --- a/openssh-6.5p1/session.c
+++ b/openssh-6.4p1/session.c +++ b/openssh-6.5p1/session.c
@@ -1661,16 +1661,19 @@ do_child(Session *s, const char *command @@ -1689,16 +1689,19 @@ do_child(Session *s, const char *command
int env_size; int env_size;
char *argv[ARGV_MAX]; char *argv[ARGV_MAX];
const char *shell, *shell0, *hostname = NULL; const char *shell, *shell0, *hostname = NULL;
@ -860,10 +860,10 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
do_pwchange(s); do_pwchange(s);
exit(1); exit(1);
} }
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.4p1/sshd.c --- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.4p1/sshd.c +++ b/openssh-6.5p1/sshd.c
@@ -703,16 +703,18 @@ privsep_preauth(Authctxt *authctxt) @@ -711,16 +711,18 @@ privsep_preauth(Authctxt *authctxt)
setproctitle("%s", "[net]"); setproctitle("%s", "[net]");
if (box != NULL) if (box != NULL)
ssh_sandbox_child(box); ssh_sandbox_child(box);
@ -882,7 +882,7 @@ diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
#ifdef DISABLE_FD_PASSING #ifdef DISABLE_FD_PASSING
if (1) { if (1) {
#else #else
@@ -727,16 +729,20 @@ privsep_postauth(Authctxt *authctxt) @@ -735,16 +737,20 @@ privsep_postauth(Authctxt *authctxt)
monitor_reinit(pmonitor); monitor_reinit(pmonitor);
pmonitor->m_pid = fork(); pmonitor->m_pid = fork();
@ -903,7 +903,7 @@ diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
/* child */ /* child */
@@ -2089,16 +2095,17 @@ main(int ac, char **av) @@ -2104,16 +2110,17 @@ main(int ac, char **av)
do_authentication(authctxt); do_authentication(authctxt);
} }
/* /*
@ -921,7 +921,7 @@ diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
* Cancel the alarm we set to limit the time taken for * Cancel the alarm we set to limit the time taken for
* authentication. * authentication.
*/ */
@@ -2141,16 +2148,18 @@ main(int ac, char **av) @@ -2156,16 +2163,18 @@ main(int ac, char **av)
packet_set_timeout(options.client_alive_interval, packet_set_timeout(options.client_alive_interval,
options.client_alive_count_max); options.client_alive_count_max);
@ -940,7 +940,7 @@ diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
verbose("Closing connection to %.500s port %d", remote_ip, remote_port); verbose("Closing connection to %.500s port %d", remote_ip, remote_port);
#ifdef USE_PAM #ifdef USE_PAM
@@ -2480,26 +2489,38 @@ do_ssh2_kex(void) @@ -2497,26 +2506,38 @@ do_ssh2_kex(void)
#endif #endif
debug("KEX done"); debug("KEX done");
} }

View File

@ -4,9 +4,9 @@
# https://bugzilla.mindrot.org/attachment.cgi?id=2015 # https://bugzilla.mindrot.org/attachment.cgi?id=2015
# by jchadima@redhat.com # by jchadima@redhat.com
diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
--- a/openssh-6.4p1/audit-bsm.c --- a/openssh-6.5p1/audit-bsm.c
+++ b/openssh-6.4p1/audit-bsm.c +++ b/openssh-6.5p1/audit-bsm.c
@@ -486,9 +486,27 @@ audit_kex_body(int ctos, char *enc, char @@ -486,9 +486,27 @@ audit_kex_body(int ctos, char *enc, char
/* not implemented */ /* not implemented */
} }
@ -35,9 +35,9 @@ diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
+ /* not implemented */ + /* not implemented */
+} +}
#endif /* BSM */ #endif /* BSM */
diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.4p1/audit-linux.c --- a/openssh-6.5p1/audit-linux.c
+++ b/openssh-6.4p1/audit-linux.c +++ b/openssh-6.5p1/audit-linux.c
@@ -351,9 +351,55 @@ audit_session_key_free_body(int ctos, pi @@ -351,9 +351,55 @@ audit_session_key_free_body(int ctos, pi
audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER, audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
buf, NULL, get_remote_ipaddr(), NULL, 1); buf, NULL, get_remote_ipaddr(), NULL, 1);
@ -94,9 +94,9 @@ diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
+ error("cannot write into audit"); + error("cannot write into audit");
+} +}
#endif /* USE_LINUX_AUDIT */ #endif /* USE_LINUX_AUDIT */
diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
--- a/openssh-6.4p1/audit.c --- a/openssh-6.5p1/audit.c
+++ b/openssh-6.4p1/audit.c +++ b/openssh-6.5p1/audit.c
@@ -285,10 +285,29 @@ audit_kex_body(int ctos, char *enc, char @@ -285,10 +285,29 @@ audit_kex_body(int ctos, char *enc, char
* This will be called on succesfull session key discard * This will be called on succesfull session key discard
*/ */
@ -127,9 +127,9 @@ diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
+} +}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
--- a/openssh-6.4p1/audit.h --- a/openssh-6.5p1/audit.h
+++ b/openssh-6.4p1/audit.h +++ b/openssh-6.5p1/audit.h
@@ -43,26 +43,30 @@ enum ssh_audit_event_type { @@ -43,26 +43,30 @@ enum ssh_audit_event_type {
SSH_INVALID_USER, SSH_INVALID_USER,
SSH_NOLOGIN, /* denied by /etc/nologin, not implemented */ SSH_NOLOGIN, /* denied by /etc/nologin, not implemented */
@ -161,11 +161,11 @@ diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
+void audit_generate_ephemeral_server_key(const char *); +void audit_generate_ephemeral_server_key(const char *);
#endif /* _SSH_AUDIT_H */ #endif /* _SSH_AUDIT_H */
diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
--- a/openssh-6.4p1/key.c --- a/openssh-6.5p1/key.c
+++ b/openssh-6.4p1/key.c +++ b/openssh-6.5p1/key.c
@@ -1805,16 +1805,40 @@ key_demote(const Key *k) @@ -1959,16 +1959,41 @@ key_demote(const Key *k)
fatal("key_free: bad key type %d", k->type); fatal("key_demote: bad key type %d", k->type);
break; break;
} }
@ -191,7 +191,8 @@ diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
+ return EC_KEY_get0_private_key(k->ecdsa) != NULL; + return EC_KEY_get0_private_key(k->ecdsa) != NULL;
+#endif +#endif
+ default: + default:
+ fatal("key_is_private: bad key type %d", k->type); + /* fatal("key_is_private: bad key type %d", k->type); */
+ debug2("key_is_private: bad key type %d", k->type);
+ return 1; + return 1;
+ } + }
+} +}
@ -201,23 +202,24 @@ diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
{ {
if (k == NULL) if (k == NULL)
return 0; return 0;
switch (k->type) { return key_type_is_cert(k->type);
case KEY_RSA_CERT_V00: }
case KEY_DSA_CERT_V00:
case KEY_RSA_CERT: /* Return the cert-less equivalent to a certified key type */
diff --git a/openssh-6.4p1/key.h b/openssh-6.4p1/key.h diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
--- a/openssh-6.4p1/key.h --- a/openssh-6.5p1/key.h
+++ b/openssh-6.4p1/key.h +++ b/openssh-6.5p1/key.h
@@ -106,16 +106,17 @@ int key_read(Key *, char **); @@ -113,16 +113,17 @@ int key_read(Key *, char **);
u_int key_size(const Key *); u_int key_size(const Key *);
enum fp_type key_fp_type_select(void); enum fp_type key_fp_type_select(void);
char *key_fp_type_str(enum fp_type); char *key_fp_type_str(enum fp_type);
Key *key_generate(int, u_int); Key *key_generate(int, u_int);
Key *key_from_private(const Key *); Key *key_from_private(const Key *);
int key_type_from_name(char *); int key_type_from_name(char *);
int key_is_cert(const Key *); int key_is_cert(const Key *);
+int key_is_private(const Key *k); +int key_is_private(const Key *k);
int key_type_is_cert(int);
int key_type_plain(int); int key_type_plain(int);
int key_to_certified(Key *, int); int key_to_certified(Key *, int);
int key_drop_cert(Key *); int key_drop_cert(Key *);
@ -225,10 +227,9 @@ diff --git a/openssh-6.4p1/key.h b/openssh-6.4p1/key.h
void key_cert_copy(const Key *, struct Key *); void key_cert_copy(const Key *, struct Key *);
int key_cert_check_authority(const Key *, int, int, const char *, int key_cert_check_authority(const Key *, int, int, const char *,
const char **); const char **);
int key_cert_is_legacy(const Key *); diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c --- a/openssh-6.5p1/monitor.c
--- a/openssh-6.4p1/monitor.c +++ b/openssh-6.5p1/monitor.c
+++ b/openssh-6.4p1/monitor.c
@@ -110,16 +110,18 @@ extern u_int utmp_len; @@ -110,16 +110,18 @@ extern u_int utmp_len;
extern Newkeys *current_keys[]; extern Newkeys *current_keys[];
extern z_stream incoming_stream; extern z_stream incoming_stream;
@ -355,7 +356,7 @@ diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
/* Terminate process */ /* Terminate process */
exit(res); exit(res);
@@ -2504,9 +2513,30 @@ mm_answer_audit_session_key_free_body(in @@ -2505,9 +2514,30 @@ mm_answer_audit_session_key_free_body(in
audit_session_key_free_body(ctos, pid, uid); audit_session_key_free_body(ctos, pid, uid);
@ -386,9 +387,9 @@ diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
+ return 0; + return 0;
+} +}
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
--- a/openssh-6.4p1/monitor.h --- a/openssh-6.5p1/monitor.h
+++ b/openssh-6.4p1/monitor.h +++ b/openssh-6.5p1/monitor.h
@@ -68,16 +68,17 @@ enum monitor_reqtype { @@ -68,16 +68,17 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107, MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109, MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
@ -407,9 +408,9 @@ diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h
int m_recvfd; int m_recvfd;
int m_sendfd; int m_sendfd;
int m_log_recvfd; int m_log_recvfd;
diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
--- a/openssh-6.4p1/monitor_wrap.c --- a/openssh-6.5p1/monitor_wrap.c
+++ b/openssh-6.4p1/monitor_wrap.c +++ b/openssh-6.5p1/monitor_wrap.c
@@ -1537,9 +1537,25 @@ mm_audit_session_key_free_body(int ctos, @@ -1537,9 +1537,25 @@ mm_audit_session_key_free_body(int ctos,
buffer_put_int(&m, ctos); buffer_put_int(&m, ctos);
buffer_put_int64(&m, pid); buffer_put_int64(&m, pid);
@ -436,9 +437,9 @@ diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
+ buffer_free(&m); + buffer_free(&m);
+} +}
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
--- a/openssh-6.4p1/monitor_wrap.h --- a/openssh-6.5p1/monitor_wrap.h
+++ b/openssh-6.4p1/monitor_wrap.h +++ b/openssh-6.5p1/monitor_wrap.h
@@ -75,16 +75,17 @@ void mm_sshpam_free_ctx(void *); @@ -75,16 +75,17 @@ void mm_sshpam_free_ctx(void *);
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
#include "audit.h" #include "audit.h"
@ -457,9 +458,9 @@ diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
void mm_session_pty_cleanup2(struct Session *); void mm_session_pty_cleanup2(struct Session *);
/* SSHv1 interfaces */ /* SSHv1 interfaces */
diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
--- a/openssh-6.4p1/session.c --- a/openssh-6.5p1/session.c
+++ b/openssh-6.4p1/session.c +++ b/openssh-6.5p1/session.c
@@ -132,17 +132,17 @@ static int session_pty_req(Session *); @@ -132,17 +132,17 @@ static int session_pty_req(Session *);
/* import */ /* import */
@ -479,7 +480,7 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
/* data */ /* data */
static int sessions_first_unused = -1; static int sessions_first_unused = -1;
static int sessions_nalloc = 0; static int sessions_nalloc = 0;
@@ -1660,17 +1660,17 @@ do_child(Session *s, const char *command @@ -1688,17 +1688,17 @@ do_child(Session *s, const char *command
char **env; char **env;
int env_size; int env_size;
char *argv[ARGV_MAX]; char *argv[ARGV_MAX];
@ -498,9 +499,9 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
if (s->authctxt->force_pwchange) { if (s->authctxt->force_pwchange) {
do_setusercontext(pw); do_setusercontext(pw);
child_close_fds(); child_close_fds();
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.4p1/sshd.c --- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.4p1/sshd.c +++ b/openssh-6.5p1/sshd.c
@@ -256,17 +256,17 @@ Buffer cfg; @@ -256,17 +256,17 @@ Buffer cfg;
/* message to be displayed after login */ /* message to be displayed after login */
@ -546,7 +547,7 @@ diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
if (startup_pipes) if (startup_pipes)
for (i = 0; i < options.max_startups; i++) for (i = 0; i < options.max_startups; i++)
if (startup_pipes[i] != -1) if (startup_pipes[i] != -1)
@@ -547,60 +556,99 @@ sshd_exchange_identification(int sock_in @@ -554,60 +563,99 @@ sshd_exchange_identification(int sock_in
close(sock_out); close(sock_out);
logit("Protocol major versions differ for %s: %.200s vs. %.200s", logit("Protocol major versions differ for %s: %.200s vs. %.200s",
get_remote_ipaddr(), get_remote_ipaddr(),
@ -649,7 +650,7 @@ diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
} }
static void static void
@@ -1179,16 +1227,17 @@ server_accept_loop(int *sock_in, int *so @@ -1192,16 +1240,17 @@ server_accept_loop(int *sock_in, int *so
/* Wait in select until there is a connection. */ /* Wait in select until there is a connection. */
ret = select(maxfd+1, fdset, NULL, NULL, NULL); ret = select(maxfd+1, fdset, NULL, NULL, NULL);
@ -667,7 +668,7 @@ diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
generate_ephemeral_server_key(); generate_ephemeral_server_key();
key_used = 0; key_used = 0;
key_do_regen = 0; key_do_regen = 0;
@@ -2138,27 +2187,28 @@ main(int ac, char **av) @@ -2153,27 +2202,28 @@ main(int ac, char **av)
/* /*
* In privilege separation, we fork another child and prepare * In privilege separation, we fork another child and prepare
* file descriptor passing. * file descriptor passing.
@ -697,7 +698,7 @@ diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
verbose("Closing connection to %.500s port %d", remote_ip, remote_port); verbose("Closing connection to %.500s port %d", remote_ip, remote_port);
@@ -2377,17 +2427,17 @@ do_ssh1_kex(void) @@ -2392,17 +2442,17 @@ do_ssh1_kex(void)
MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH); MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
MD5_Final(session_key + 16, &md); MD5_Final(session_key + 16, &md);
memset(buf, 0, bytes); memset(buf, 0, bytes);
@ -716,7 +717,7 @@ diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
BN_clear_free(session_key_int); BN_clear_free(session_key_int);
/* Set the session key. From this on all communications will be encrypted. */ /* Set the session key. From this on all communications will be encrypted. */
@@ -2510,16 +2560,18 @@ cleanup_exit(int i) @@ -2527,16 +2577,18 @@ cleanup_exit(int i)
debug("Killing privsep child %d", pmonitor->m_pid); debug("Killing privsep child %d", pmonitor->m_pid);
if (kill(pmonitor->m_pid, SIGKILL) != 0 && if (kill(pmonitor->m_pid, SIGKILL) != 0 &&
errno != ESRCH) errno != ESRCH)

View File

@ -1,8 +1,8 @@
# definitions for AUDIT_CRYPTO_* symbols fom libaudit 2.x # definitions for AUDIT_CRYPTO_* symbols fom libaudit 2.x
diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.4p1/audit-linux.c --- a/openssh-6.5p1/audit-linux.c
+++ b/openssh-6.4p1/audit-linux.c +++ b/openssh-6.5p1/audit-linux.c
@@ -25,16 +25,17 @@ @@ -25,16 +25,17 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
* *
@ -21,10 +21,10 @@ diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
#include "key.h" #include "key.h"
#include "hostfile.h" #include "hostfile.h"
#include "auth.h" #include "auth.h"
diff --git a/openssh-6.4p1/compat-libaudit.h b/openssh-6.4p1/compat-libaudit.h diff --git a/openssh-6.5p1/compat-libaudit.h b/openssh-6.5p1/compat-libaudit.h
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/compat-libaudit.h +++ b/openssh-6.5p1/compat-libaudit.h
@@ -0,0 +1,79 @@ @@ -0,0 +1,79 @@
+/* AUDIT_CRYPTO symbol definitions from libaudit 2.x */ +/* AUDIT_CRYPTO symbol definitions from libaudit 2.x */
+/* libaudit.h -- +/* libaudit.h --

View File

@ -4,9 +4,9 @@
# Note that this particular solution causes the logs to always contain # Note that this particular solution causes the logs to always contain
# "hostname=?, addr=?" when DNS lookups are disabled. # "hostname=?, addr=?" when DNS lookups are disabled.
diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.4p1/audit-linux.c --- a/openssh-6.5p1/audit-linux.c
+++ b/openssh-6.4p1/audit-linux.c +++ b/openssh-6.5p1/audit-linux.c
@@ -62,17 +62,17 @@ linux_audit_user_logxxx(int uid, const c @@ -62,17 +62,17 @@ linux_audit_user_logxxx(int uid, const c
if (errno == EINVAL || errno == EPROTONOSUPPORT || if (errno == EINVAL || errno == EPROTONOSUPPORT ||
errno == EAFNOSUPPORT) errno == EAFNOSUPPORT)

View File

@ -2,9 +2,9 @@
# grace_alarm_handler) # grace_alarm_handler)
# bnc#57354 # bnc#57354
diff --git a/openssh-6.4p1/log.c b/openssh-6.4p1/log.c diff --git a/openssh-6.5p1/log.c b/openssh-6.5p1/log.c
--- a/openssh-6.4p1/log.c --- a/openssh-6.5p1/log.c
+++ b/openssh-6.4p1/log.c +++ b/openssh-6.5p1/log.c
@@ -47,16 +47,17 @@ @@ -47,16 +47,17 @@
#include <unistd.h> #include <unistd.h>
#include <errno.h> #include <errno.h>

View File

@ -1,8 +1,8 @@
# only enable SSHv2 protocol by default (upstream default is fallback to v1) # only enable SSHv2 protocol by default (upstream default is fallback to v1)
diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
--- a/openssh-6.4p1/ssh_config --- a/openssh-6.5p1/ssh_config
+++ b/openssh-6.4p1/ssh_config +++ b/openssh-6.5p1/ssh_config
@@ -41,17 +41,17 @@ ForwardX11Trusted yes @@ -41,17 +41,17 @@ ForwardX11Trusted yes
# CheckHostIP yes # CheckHostIP yes
# AddressFamily any # AddressFamily any

View File

@ -2,9 +2,9 @@
# reliable indicator of ABI changes and doesn't make much sense in a # reliable indicator of ABI changes and doesn't make much sense in a
# distribution package # distribution package
diff --git a/openssh-6.4p1/entropy.c b/openssh-6.4p1/entropy.c diff --git a/openssh-6.5p1/entropy.c b/openssh-6.5p1/entropy.c
--- a/openssh-6.4p1/entropy.c --- a/openssh-6.5p1/entropy.c
+++ b/openssh-6.4p1/entropy.c +++ b/openssh-6.5p1/entropy.c
@@ -212,22 +212,23 @@ seed_rng(void) @@ -212,22 +212,23 @@ seed_rng(void)
#endif #endif
/* /*

View File

@ -1,9 +1,9 @@
# fix paths and references in sshd man pages # fix paths and references in sshd man pages
diff --git a/openssh-6.4p1/sshd.8 b/openssh-6.4p1/sshd.8 diff --git a/openssh-6.5p1/sshd.8 b/openssh-6.5p1/sshd.8
--- a/openssh-6.4p1/sshd.8 --- a/openssh-6.5p1/sshd.8
+++ b/openssh-6.4p1/sshd.8 +++ b/openssh-6.5p1/sshd.8
@@ -872,17 +872,17 @@ See @@ -875,17 +875,17 @@ See
If this file exists, If this file exists,
.Nm .Nm
refuses to let anyone except root log in. refuses to let anyone except root log in.
@ -22,7 +22,7 @@ diff --git a/openssh-6.4p1/sshd.8 b/openssh-6.4p1/sshd.8
.It Pa /etc/ssh/ssh_host_key .It Pa /etc/ssh/ssh_host_key
.It Pa /etc/ssh/ssh_host_dsa_key .It Pa /etc/ssh/ssh_host_dsa_key
.It Pa /etc/ssh/ssh_host_ecdsa_key .It Pa /etc/ssh/ssh_host_ecdsa_key
@@ -951,17 +951,17 @@ The content of this file is not sensitiv @@ -956,17 +956,17 @@ The content of this file is not sensitiv
.Xr sftp 1 , .Xr sftp 1 ,
.Xr ssh 1 , .Xr ssh 1 ,
.Xr ssh-add 1 , .Xr ssh-add 1 ,
@ -41,9 +41,9 @@ diff --git a/openssh-6.4p1/sshd.8 b/openssh-6.4p1/sshd.8
OpenSSH is a derivative of the original and free OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen. ssh 1.2.12 release by Tatu Ylonen.
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
diff --git a/openssh-6.4p1/sshd_config.5 b/openssh-6.4p1/sshd_config.5 diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5
--- a/openssh-6.4p1/sshd_config.5 --- a/openssh-6.5p1/sshd_config.5
+++ b/openssh-6.4p1/sshd_config.5 +++ b/openssh-6.5p1/sshd_config.5
@@ -278,18 +278,17 @@ The contents of the specified file are s @@ -278,18 +278,17 @@ The contents of the specified file are s
authentication is allowed. authentication is allowed.
If the argument is If the argument is
@ -64,7 +64,7 @@ diff --git a/openssh-6.4p1/sshd_config.5 b/openssh-6.4p1/sshd_config.5
to after authentication. to after authentication.
All components of the pathname must be root-owned directories that are All components of the pathname must be root-owned directories that are
not writable by any other user or group. not writable by any other user or group.
@@ -565,17 +564,17 @@ and @@ -576,17 +575,17 @@ and
.Pa .shosts .Pa .shosts
files will not be used in files will not be used in
.Cm RhostsRSAAuthentication .Cm RhostsRSAAuthentication

View File

@ -1,13 +1,13 @@
# HG changeset patch # HG changeset patch
# Parent d41afe56fd49d0a9669738b1f4d53ddae0cb195a # Parent 450c3933f35c6801a682ea32c588e4c9ff73414a
# select fingerprint hash algorithms based on the environment variable # select fingerprint hash algorithms based on the environment variable
# SSH_FP_TYPE_ENVVAR and append it to hex and randomart fingerprints # SSH_FP_TYPE_ENVVAR and append it to hex and randomart fingerprints
# Petr Cerny <pcerny@suse.cz> # Petr Cerny <pcerny@suse.cz>
diff --git a/openssh-6.4p1/auth-rsa.c b/openssh-6.4p1/auth-rsa.c diff --git a/openssh-6.5p1/auth-rsa.c b/openssh-6.5p1/auth-rsa.c
--- a/openssh-6.4p1/auth-rsa.c --- a/openssh-6.5p1/auth-rsa.c
+++ b/openssh-6.4p1/auth-rsa.c +++ b/openssh-6.5p1/auth-rsa.c
@@ -226,17 +226,17 @@ rsa_key_allowed_in_file(struct passwd *p @@ -226,17 +226,17 @@ rsa_key_allowed_in_file(struct passwd *p
/* check the real bits */ /* check the real bits */
@ -27,9 +27,9 @@ diff --git a/openssh-6.4p1/auth-rsa.c b/openssh-6.4p1/auth-rsa.c
if (auth_key_is_revoked(key)) if (auth_key_is_revoked(key))
break; break;
diff --git a/openssh-6.4p1/auth.c b/openssh-6.4p1/auth.c diff --git a/openssh-6.5p1/auth.c b/openssh-6.5p1/auth.c
--- a/openssh-6.4p1/auth.c --- a/openssh-6.5p1/auth.c
+++ b/openssh-6.4p1/auth.c +++ b/openssh-6.5p1/auth.c
@@ -680,17 +680,17 @@ auth_key_is_revoked(Key *key) @@ -680,17 +680,17 @@ auth_key_is_revoked(Key *key)
case -1: case -1:
/* Error opening revoked_keys_file: refuse all keys */ /* Error opening revoked_keys_file: refuse all keys */
@ -49,10 +49,10 @@ diff --git a/openssh-6.4p1/auth.c b/openssh-6.4p1/auth.c
fatal("key_in_file returned junk"); fatal("key_in_file returned junk");
} }
diff --git a/openssh-6.4p1/auth2-hostbased.c b/openssh-6.4p1/auth2-hostbased.c diff --git a/openssh-6.5p1/auth2-hostbased.c b/openssh-6.5p1/auth2-hostbased.c
--- a/openssh-6.4p1/auth2-hostbased.c --- a/openssh-6.5p1/auth2-hostbased.c
+++ b/openssh-6.4p1/auth2-hostbased.c +++ b/openssh-6.5p1/auth2-hostbased.c
@@ -196,23 +196,23 @@ hostbased_key_allowed(struct passwd *pw, @@ -202,23 +202,23 @@ hostbased_key_allowed(struct passwd *pw,
_PATH_SSH_SYSTEM_HOSTFILE2, _PATH_SSH_SYSTEM_HOSTFILE2,
options.ignore_user_known_hosts ? NULL : options.ignore_user_known_hosts ? NULL :
_PATH_SSH_USER_HOSTFILE2); _PATH_SSH_USER_HOSTFILE2);
@ -78,10 +78,10 @@ diff --git a/openssh-6.4p1/auth2-hostbased.c b/openssh-6.4p1/auth2-hostbased.c
return (host_status == HOST_OK); return (host_status == HOST_OK);
} }
diff --git a/openssh-6.4p1/auth2-pubkey.c b/openssh-6.4p1/auth2-pubkey.c diff --git a/openssh-6.5p1/auth2-pubkey.c b/openssh-6.5p1/auth2-pubkey.c
--- a/openssh-6.4p1/auth2-pubkey.c --- a/openssh-6.5p1/auth2-pubkey.c
+++ b/openssh-6.4p1/auth2-pubkey.c +++ b/openssh-6.5p1/auth2-pubkey.c
@@ -202,25 +202,25 @@ pubkey_auth_info(Authctxt *authctxt, con @@ -208,25 +208,25 @@ pubkey_auth_info(Authctxt *authctxt, con
i = vasprintf(&extra, fmt, ap); i = vasprintf(&extra, fmt, ap);
va_end(ap); va_end(ap);
if (i < 0 || extra == NULL) if (i < 0 || extra == NULL)
@ -109,7 +109,7 @@ diff --git a/openssh-6.4p1/auth2-pubkey.c b/openssh-6.4p1/auth2-pubkey.c
} }
static int static int
@@ -354,17 +354,17 @@ check_authkeys_file(FILE *f, char *file, @@ -360,17 +360,17 @@ check_authkeys_file(FILE *f, char *file,
if (key_is_cert(key)) { if (key_is_cert(key)) {
if (!key_equal(found, key->cert->signature_key)) if (!key_equal(found, key->cert->signature_key))
continue; continue;
@ -128,7 +128,7 @@ diff --git a/openssh-6.4p1/auth2-pubkey.c b/openssh-6.4p1/auth2-pubkey.c
* a key option, then prefer that list to matching * a key option, then prefer that list to matching
* their username in the certificate principals list. * their username in the certificate principals list.
*/ */
@@ -395,17 +395,17 @@ check_authkeys_file(FILE *f, char *file, @@ -401,17 +401,17 @@ check_authkeys_file(FILE *f, char *file,
break; break;
} else if (key_equal(found, key)) { } else if (key_equal(found, key)) {
if (auth_parse_options(pw, key_options, file, if (auth_parse_options(pw, key_options, file,
@ -147,7 +147,7 @@ diff --git a/openssh-6.4p1/auth2-pubkey.c b/openssh-6.4p1/auth2-pubkey.c
} }
if (found != NULL) if (found != NULL)
key_free(found); key_free(found);
@@ -421,17 +421,17 @@ user_cert_trusted_ca(struct passwd *pw, @@ -427,17 +427,17 @@ user_cert_trusted_ca(struct passwd *pw,
char *ca_fp, *principals_file = NULL; char *ca_fp, *principals_file = NULL;
const char *reason; const char *reason;
int ret = 0; int ret = 0;
@ -166,13 +166,13 @@ diff --git a/openssh-6.4p1/auth2-pubkey.c b/openssh-6.4p1/auth2-pubkey.c
options.trusted_user_ca_keys); options.trusted_user_ca_keys);
goto out; goto out;
} }
diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
--- a/openssh-6.4p1/key.c --- a/openssh-6.5p1/key.c
+++ b/openssh-6.4p1/key.c +++ b/openssh-6.5p1/key.c
@@ -390,30 +390,38 @@ key_fingerprint_raw(const Key *k, enum f @@ -420,30 +420,39 @@ key_fingerprint_raw(const Key *k, enum f
free(blob); *dgst_raw_length = ssh_digest_bytes(hash_alg);
} else { } else {
fatal("key_fingerprint_raw: blob is null"); fatal("%s: blob is null", __func__);
} }
return retval; return retval;
} }
@ -185,6 +185,7 @@ diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
u_int i; u_int i;
- retval = xcalloc(1, dgst_raw_len * 3 + 1); - retval = xcalloc(1, dgst_raw_len * 3 + 1);
+ /* reserve space for both the key hash and the string for the hash type */
+ retval = xcalloc(1, dgst_raw_len * 3 + 1 + SSH_FP_TYPE_STRLEN + 2); + retval = xcalloc(1, dgst_raw_len * 3 + 1 + SSH_FP_TYPE_STRLEN + 2);
for (i = 0; i < dgst_raw_len; i++) { for (i = 0; i < dgst_raw_len; i++) {
char hex[4]; char hex[4];
@ -211,7 +212,7 @@ diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
{ {
char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
@@ -488,17 +496,18 @@ key_fingerprint_bubblebabble(u_char *dgs @@ -518,17 +527,18 @@ key_fingerprint_bubblebabble(u_char *dgs
* can be in the exact middle of the picture, and FLDBASE should be >=8 . * can be in the exact middle of the picture, and FLDBASE should be >=8 .
* Else pictures would be too dense, and drawing the frame would * Else pictures would be too dense, and drawing the frame would
* fail, too, because the key type would not fit in anymore. * fail, too, because the key type would not fit in anymore.
@ -231,7 +232,7 @@ diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
char *augmentation_string = " .o+=*BOX@%&#/^SE"; char *augmentation_string = " .o+=*BOX@%&#/^SE";
char *retval, *p; char *retval, *p;
u_char field[FLDSIZE_X][FLDSIZE_Y]; u_char field[FLDSIZE_X][FLDSIZE_Y];
@@ -555,18 +564,19 @@ key_fingerprint_randomart(u_char *dgst_r @@ -585,18 +595,19 @@ key_fingerprint_randomart(u_char *dgst_r
*p++ = '|'; *p++ = '|';
for (x = 0; x < FLDSIZE_X; x++) for (x = 0; x < FLDSIZE_X; x++)
*p++ = augmentation_string[MIN(field[x][y], len)]; *p++ = augmentation_string[MIN(field[x][y], len)];
@ -253,7 +254,7 @@ diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
char * char *
key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
@@ -575,34 +585,91 @@ key_fingerprint(const Key *k, enum fp_ty @@ -605,34 +616,91 @@ key_fingerprint(const Key *k, enum fp_ty
u_char *dgst_raw; u_char *dgst_raw;
u_int dgst_raw_len; u_int dgst_raw_len;
@ -347,10 +348,10 @@ diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
* the buffer containing the number. * the buffer containing the number.
*/ */
static int static int
diff --git a/openssh-6.4p1/key.h b/openssh-6.4p1/key.h diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
--- a/openssh-6.4p1/key.h --- a/openssh-6.5p1/key.h
+++ b/openssh-6.4p1/key.h +++ b/openssh-6.5p1/key.h
@@ -51,16 +51,18 @@ enum fp_type { @@ -53,16 +53,18 @@ enum fp_type {
SSH_FP_MD5, SSH_FP_MD5,
SSH_FP_SHA256 SSH_FP_SHA256
}; };
@ -369,7 +370,7 @@ diff --git a/openssh-6.4p1/key.h b/openssh-6.4p1/key.h
struct KeyCert { struct KeyCert {
Buffer certblob; /* Kept around for use on wire */ Buffer certblob; /* Kept around for use on wire */
u_int type; /* SSH2_CERT_TYPE_USER or SSH2_CERT_TYPE_HOST */ u_int type; /* SSH2_CERT_TYPE_USER or SSH2_CERT_TYPE_HOST */
@@ -97,16 +99,18 @@ int key_equal_public(const Key *, cons @@ -104,16 +106,18 @@ int key_equal_public(const Key *, cons
int key_equal(const Key *, const Key *); int key_equal(const Key *, const Key *);
char *key_fingerprint(const Key *, enum fp_type, enum fp_rep); char *key_fingerprint(const Key *, enum fp_type, enum fp_rep);
u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *); u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *);
@ -379,19 +380,19 @@ diff --git a/openssh-6.4p1/key.h b/openssh-6.4p1/key.h
int key_read(Key *, char **); int key_read(Key *, char **);
u_int key_size(const Key *); u_int key_size(const Key *);
+enum fp_type key_fp_type_select(void); +enum fp_type key_fp_type_select(void);
+char *key_fp_type_str(enum fp_type); +char *key_fp_type_str(enum fp_type);
Key *key_generate(int, u_int); Key *key_generate(int, u_int);
Key *key_from_private(const Key *); Key *key_from_private(const Key *);
int key_type_from_name(char *); int key_type_from_name(char *);
int key_is_cert(const Key *); int key_is_cert(const Key *);
int key_type_is_cert(int);
int key_type_plain(int); int key_type_plain(int);
int key_to_certified(Key *, int); int key_to_certified(Key *, int);
int key_drop_cert(Key *); diff --git a/openssh-6.5p1/ssh-add.c b/openssh-6.5p1/ssh-add.c
diff --git a/openssh-6.4p1/ssh-add.c b/openssh-6.4p1/ssh-add.c --- a/openssh-6.5p1/ssh-add.c
--- a/openssh-6.4p1/ssh-add.c +++ b/openssh-6.5p1/ssh-add.c
+++ b/openssh-6.4p1/ssh-add.c @@ -325,17 +325,17 @@ list_identities(AuthenticationConnection
@@ -321,17 +321,17 @@ list_identities(AuthenticationConnection
int version; int version;
for (version = 1; version <= 2; version++) { for (version = 1; version <= 2; version++) {
@ -410,9 +411,9 @@ diff --git a/openssh-6.4p1/ssh-add.c b/openssh-6.4p1/ssh-add.c
if (!key_write(key, stdout)) if (!key_write(key, stdout))
fprintf(stderr, "key_write failed"); fprintf(stderr, "key_write failed");
fprintf(stdout, " %s\n", comment); fprintf(stdout, " %s\n", comment);
diff --git a/openssh-6.4p1/ssh-agent.c b/openssh-6.4p1/ssh-agent.c diff --git a/openssh-6.5p1/ssh-agent.c b/openssh-6.5p1/ssh-agent.c
--- a/openssh-6.4p1/ssh-agent.c --- a/openssh-6.5p1/ssh-agent.c
+++ b/openssh-6.4p1/ssh-agent.c +++ b/openssh-6.5p1/ssh-agent.c
@@ -193,17 +193,17 @@ lookup_identity(Key *key, int version) @@ -193,17 +193,17 @@ lookup_identity(Key *key, int version)
/* Check confirmation of keysign request */ /* Check confirmation of keysign request */
@ -432,10 +433,10 @@ diff --git a/openssh-6.4p1/ssh-agent.c b/openssh-6.4p1/ssh-agent.c
return (ret); return (ret);
} }
diff --git a/openssh-6.4p1/ssh-keygen.c b/openssh-6.4p1/ssh-keygen.c diff --git a/openssh-6.5p1/ssh-keygen.c b/openssh-6.5p1/ssh-keygen.c
--- a/openssh-6.4p1/ssh-keygen.c --- a/openssh-6.5p1/ssh-keygen.c
+++ b/openssh-6.4p1/ssh-keygen.c +++ b/openssh-6.5p1/ssh-keygen.c
@@ -725,27 +725,27 @@ do_download(struct passwd *pw) @@ -741,27 +741,27 @@ do_download(struct passwd *pw)
{ {
#ifdef ENABLE_PKCS11 #ifdef ENABLE_PKCS11
Key **keys = NULL; Key **keys = NULL;
@ -465,7 +466,7 @@ diff --git a/openssh-6.4p1/ssh-keygen.c b/openssh-6.4p1/ssh-keygen.c
free(ra); free(ra);
free(fp); free(fp);
} else { } else {
@@ -768,29 +768,29 @@ do_fingerprint(struct passwd *pw) @@ -784,29 +784,29 @@ do_fingerprint(struct passwd *pw)
FILE *f; FILE *f;
Key *public; Key *public;
char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra; char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra;
@ -497,7 +498,7 @@ diff --git a/openssh-6.4p1/ssh-keygen.c b/openssh-6.4p1/ssh-keygen.c
free(comment); free(comment);
free(ra); free(ra);
free(fp); free(fp);
@@ -846,17 +846,17 @@ do_fingerprint(struct passwd *pw) @@ -862,17 +862,17 @@ do_fingerprint(struct passwd *pw)
public = key_new(KEY_UNSPEC); public = key_new(KEY_UNSPEC);
if (key_read(public, &cp) != 1) { if (key_read(public, &cp) != 1) {
key_free(public); key_free(public);
@ -516,7 +517,7 @@ diff --git a/openssh-6.4p1/ssh-keygen.c b/openssh-6.4p1/ssh-keygen.c
free(fp); free(fp);
key_free(public); key_free(public);
invalid = 0; invalid = 0;
@@ -967,20 +967,20 @@ do_gen_all_hostkeys(struct passwd *pw) @@ -983,20 +983,20 @@ do_gen_all_hostkeys(struct passwd *pw)
static void static void
printhost(FILE *f, const char *name, Key *public, int ca, int hash) printhost(FILE *f, const char *name, Key *public, int ca, int hash)
{ {
@ -539,7 +540,7 @@ diff --git a/openssh-6.4p1/ssh-keygen.c b/openssh-6.4p1/ssh-keygen.c
free(fp); free(fp);
} else { } else {
if (hash && (name = host_hash(name, NULL, 0)) == NULL) if (hash && (name = host_hash(name, NULL, 0)) == NULL)
@@ -1850,19 +1850,19 @@ do_show_cert(struct passwd *pw) @@ -1873,19 +1873,19 @@ do_show_cert(struct passwd *pw)
if (stat(identity_file, &st) < 0) if (stat(identity_file, &st) < 0)
fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); fatal("%s: %s: %s", __progname, identity_file, strerror(errno));
if ((key = key_load_public(identity_file, NULL)) == NULL) if ((key = key_load_public(identity_file, NULL)) == NULL)
@ -561,7 +562,7 @@ diff --git a/openssh-6.4p1/ssh-keygen.c b/openssh-6.4p1/ssh-keygen.c
printf(" Signing CA: %s %s\n", printf(" Signing CA: %s %s\n",
key_type(key->cert->signature_key), ca_fp); key_type(key->cert->signature_key), ca_fp);
printf(" Key ID: \"%s\"\n", key->cert->key_id); printf(" Key ID: \"%s\"\n", key->cert->key_id);
@@ -2650,18 +2650,18 @@ passphrase_again: @@ -2681,18 +2681,18 @@ passphrase_again:
exit(1); exit(1);
} }
if (!key_write(public, f)) if (!key_write(public, f))
@ -582,10 +583,10 @@ diff --git a/openssh-6.4p1/ssh-keygen.c b/openssh-6.4p1/ssh-keygen.c
printf("The key's randomart image is:\n"); printf("The key's randomart image is:\n");
printf("%s\n", ra); printf("%s\n", ra);
free(ra); free(ra);
diff --git a/openssh-6.4p1/sshconnect.c b/openssh-6.4p1/sshconnect.c diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c
--- a/openssh-6.4p1/sshconnect.c --- a/openssh-6.5p1/sshconnect.c
+++ b/openssh-6.4p1/sshconnect.c +++ b/openssh-6.5p1/sshconnect.c
@@ -825,18 +825,18 @@ check_host_key(char *hostname, struct so @@ -906,18 +906,18 @@ check_host_key(char *hostname, struct so
"address '%.128s' to the list of known " "address '%.128s' to the list of known "
"hosts (%.30s).", type, ip, "hosts (%.30s).", type, ip,
user_hostfiles[0]); user_hostfiles[0]);
@ -606,7 +607,7 @@ diff --git a/openssh-6.4p1/sshconnect.c b/openssh-6.4p1/sshconnect.c
break; break;
case HOST_NEW: case HOST_NEW:
if (options.host_key_alias == NULL && port != 0 && if (options.host_key_alias == NULL && port != 0 &&
@@ -866,18 +866,18 @@ check_host_key(char *hostname, struct so @@ -947,18 +947,18 @@ check_host_key(char *hostname, struct so
if (show_other_keys(host_hostkeys, host_key)) if (show_other_keys(host_hostkeys, host_key))
snprintf(msg1, sizeof(msg1), snprintf(msg1, sizeof(msg1),
@ -627,7 +628,7 @@ diff --git a/openssh-6.4p1/sshconnect.c b/openssh-6.4p1/sshconnect.c
"Matching host key fingerprint" "Matching host key fingerprint"
" found in DNS.\n"); " found in DNS.\n");
else else
@@ -1131,17 +1131,17 @@ fail: @@ -1212,17 +1212,17 @@ fail:
/* returns 0 if key verifies or -1 if key does NOT verify */ /* returns 0 if key verifies or -1 if key does NOT verify */
int int
@ -646,7 +647,7 @@ diff --git a/openssh-6.4p1/sshconnect.c b/openssh-6.4p1/sshconnect.c
verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) { verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
if (flags & DNS_VERIFY_FOUND) { if (flags & DNS_VERIFY_FOUND) {
@@ -1233,18 +1233,18 @@ show_other_keys(struct hostkeys *hostkey @@ -1319,18 +1319,18 @@ show_other_keys(struct hostkeys *hostkey
char *fp, *ra; char *fp, *ra;
const struct hostkey_entry *found; const struct hostkey_entry *found;
@ -667,7 +668,7 @@ diff --git a/openssh-6.4p1/sshconnect.c b/openssh-6.4p1/sshconnect.c
key_type(found->key), fp); key_type(found->key), fp);
if (options.visual_host_key) if (options.visual_host_key)
logit("%s", ra); logit("%s", ra);
@@ -1255,17 +1255,17 @@ show_other_keys(struct hostkeys *hostkey @@ -1341,17 +1341,17 @@ show_other_keys(struct hostkeys *hostkey
return ret; return ret;
} }
@ -686,10 +687,10 @@ diff --git a/openssh-6.4p1/sshconnect.c b/openssh-6.4p1/sshconnect.c
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
error("It is also possible that a host key has just been changed."); error("It is also possible that a host key has just been changed.");
error("The fingerprint for the %s key sent by the remote host is\n%s.", error("The fingerprint for the %s key sent by the remote host is\n%s.",
diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
--- a/openssh-6.4p1/sshconnect2.c --- a/openssh-6.5p1/sshconnect2.c
+++ b/openssh-6.4p1/sshconnect2.c +++ b/openssh-6.5p1/sshconnect2.c
@@ -590,17 +590,17 @@ input_userauth_pk_ok(int type, u_int32_t @@ -592,17 +592,17 @@ input_userauth_pk_ok(int type, u_int32_t
goto done; goto done;
} }
if (key->type != pktype) { if (key->type != pktype) {
@ -708,7 +709,7 @@ diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c
* moved to the end of the queue. this also avoids confusion by * moved to the end of the queue. this also avoids confusion by
* duplicate keys * duplicate keys
*/ */
@@ -1204,17 +1204,17 @@ sign_and_send_pubkey(Authctxt *authctxt, @@ -1206,17 +1206,17 @@ sign_and_send_pubkey(Authctxt *authctxt,
Buffer b; Buffer b;
u_char *blob, *signature; u_char *blob, *signature;
u_int bloblen, slen; u_int bloblen, slen;

View File

@ -4,9 +4,9 @@
# HG changeset patch # HG changeset patch
# Parent 6536ed881743cbf05afe962021b985f9b1eab495 # Parent 6536ed881743cbf05afe962021b985f9b1eab495
diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
--- a/openssh-6.4p1/Makefile.in --- a/openssh-6.5p1/Makefile.in
+++ b/openssh-6.4p1/Makefile.in +++ b/openssh-6.5p1/Makefile.in
@@ -72,17 +72,17 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o @@ -72,17 +72,17 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \ cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \ compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
@ -26,9 +26,9 @@ diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
audit.o audit-bsm.o audit-linux.o platform.o \ audit.o audit-bsm.o audit-linux.o platform.o \
sshpty.o sshlogin.o servconf.o serverloop.o \ sshpty.o sshlogin.o servconf.o serverloop.o \
diff --git a/openssh-6.4p1/auth-rsa.c b/openssh-6.4p1/auth-rsa.c diff --git a/openssh-6.5p1/auth-rsa.c b/openssh-6.5p1/auth-rsa.c
--- a/openssh-6.4p1/auth-rsa.c --- a/openssh-6.5p1/auth-rsa.c
+++ b/openssh-6.4p1/auth-rsa.c +++ b/openssh-6.5p1/auth-rsa.c
@@ -15,17 +15,17 @@ @@ -15,17 +15,17 @@
*/ */
@ -171,9 +171,9 @@ diff --git a/openssh-6.4p1/auth-rsa.c b/openssh-6.4p1/auth-rsa.c
return (success); return (success);
} }
diff --git a/openssh-6.4p1/cipher-ctr.c b/openssh-6.4p1/cipher-ctr.c diff --git a/openssh-6.5p1/cipher-ctr.c b/openssh-6.5p1/cipher-ctr.c
--- a/openssh-6.4p1/cipher-ctr.c --- a/openssh-6.5p1/cipher-ctr.c
+++ b/openssh-6.4p1/cipher-ctr.c +++ b/openssh-6.5p1/cipher-ctr.c
@@ -21,16 +21,17 @@ @@ -21,16 +21,17 @@
#include <stdarg.h> #include <stdarg.h>
@ -208,9 +208,9 @@ diff --git a/openssh-6.4p1/cipher-ctr.c b/openssh-6.4p1/cipher-ctr.c
} }
#endif /* OPENSSL_HAVE_EVPCTR */ #endif /* OPENSSL_HAVE_EVPCTR */
diff --git a/openssh-6.4p1/cipher.c b/openssh-6.4p1/cipher.c diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c
--- a/openssh-6.4p1/cipher.c --- a/openssh-6.5p1/cipher.c
+++ b/openssh-6.4p1/cipher.c +++ b/openssh-6.5p1/cipher.c
@@ -42,16 +42,17 @@ @@ -42,16 +42,17 @@
#include <openssl/md5.h> #include <openssl/md5.h>
@ -373,10 +373,10 @@ diff --git a/openssh-6.4p1/cipher.c b/openssh-6.4p1/cipher.c
/* /*
* Exports an IV from the CipherContext required to export the key * Exports an IV from the CipherContext required to export the key
* state back from the unprivileged child to the privileged parent * state back from the unprivileged child to the privileged parent
diff --git a/openssh-6.4p1/fips.c b/openssh-6.4p1/fips.c diff --git a/openssh-6.5p1/fips.c b/openssh-6.5p1/fips.c
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/fips.c +++ b/openssh-6.5p1/fips.c
@@ -0,0 +1,176 @@ @@ -0,0 +1,176 @@
+/* +/*
+ * Copyright (c) 2012 Petr Cerny. All rights reserved. + * Copyright (c) 2012 Petr Cerny. All rights reserved.
@ -554,10 +554,10 @@ new file mode 100644
+ return EVP_get_digestbynid(fips_hash_nid_min()); + return EVP_get_digestbynid(fips_hash_nid_min());
+} +}
+ +
diff --git a/openssh-6.4p1/fips.h b/openssh-6.4p1/fips.h diff --git a/openssh-6.5p1/fips.h b/openssh-6.5p1/fips.h
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/fips.h +++ b/openssh-6.5p1/fips.h
@@ -0,0 +1,54 @@ @@ -0,0 +1,54 @@
+/* +/*
+ * Copyright (c) 2012 Petr Cerny. All rights reserved. + * Copyright (c) 2012 Petr Cerny. All rights reserved.
@ -613,9 +613,9 @@ new file mode 100644
+ +
+#endif +#endif
+ +
diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
--- a/openssh-6.4p1/key.c --- a/openssh-6.5p1/key.c
+++ b/openssh-6.4p1/key.c +++ b/openssh-6.5p1/key.c
@@ -49,16 +49,17 @@ @@ -49,16 +49,17 @@
#include "xmalloc.h" #include "xmalloc.h"
#include "key.h" #include "key.h"
@ -654,9 +654,9 @@ diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
/* /*
* string lengths must be less or equal to SSH_FP_TYPE_STRLEN (defined in * string lengths must be less or equal to SSH_FP_TYPE_STRLEN (defined in
* key.h) as to fit into the fingerprint string buffer * key.h) as to fit into the fingerprint string buffer
diff --git a/openssh-6.4p1/mac.c b/openssh-6.4p1/mac.c diff --git a/openssh-6.5p1/mac.c b/openssh-6.5p1/mac.c
--- a/openssh-6.4p1/mac.c --- a/openssh-6.5p1/mac.c
+++ b/openssh-6.4p1/mac.c +++ b/openssh-6.5p1/mac.c
@@ -36,34 +36,35 @@ @@ -36,34 +36,35 @@
#include "xmalloc.h" #include "xmalloc.h"
#include "log.h" #include "log.h"
@ -760,9 +760,9 @@ diff --git a/openssh-6.4p1/mac.c b/openssh-6.4p1/mac.c
mac_setup_by_id(mac, i); mac_setup_by_id(mac, i);
debug2("mac_setup: found %s", name); debug2("mac_setup: found %s", name);
return (0); return (0);
diff --git a/openssh-6.4p1/myproposal.h b/openssh-6.4p1/myproposal.h diff --git a/openssh-6.5p1/myproposal.h b/openssh-6.5p1/myproposal.h
--- a/openssh-6.4p1/myproposal.h --- a/openssh-6.5p1/myproposal.h
+++ b/openssh-6.4p1/myproposal.h +++ b/openssh-6.5p1/myproposal.h
@@ -71,16 +71,20 @@ @@ -71,16 +71,20 @@
"ssh-dss" "ssh-dss"
@ -804,9 +804,9 @@ diff --git a/openssh-6.4p1/myproposal.h b/openssh-6.4p1/myproposal.h
static char *myproposal[PROPOSAL_MAX] = { static char *myproposal[PROPOSAL_MAX] = {
KEX_DEFAULT_KEX, KEX_DEFAULT_KEX,
KEX_DEFAULT_PK_ALG, KEX_DEFAULT_PK_ALG,
diff --git a/openssh-6.4p1/openbsd-compat/bsd-arc4random.c b/openssh-6.4p1/openbsd-compat/bsd-arc4random.c diff --git a/openssh-6.5p1/openbsd-compat/bsd-arc4random.c b/openssh-6.5p1/openbsd-compat/bsd-arc4random.c
--- a/openssh-6.4p1/openbsd-compat/bsd-arc4random.c --- a/openssh-6.5p1/openbsd-compat/bsd-arc4random.c
+++ b/openssh-6.4p1/openbsd-compat/bsd-arc4random.c +++ b/openssh-6.5p1/openbsd-compat/bsd-arc4random.c
@@ -18,34 +18,35 @@ @@ -18,34 +18,35 @@
#include <sys/types.h> #include <sys/types.h>
@ -930,9 +930,9 @@ diff --git a/openssh-6.4p1/openbsd-compat/bsd-arc4random.c b/openssh-6.4p1/openb
{ {
size_t i; size_t i;
u_int32_t r = 0; u_int32_t r = 0;
diff --git a/openssh-6.4p1/ssh-rsa.c b/openssh-6.4p1/ssh-rsa.c diff --git a/openssh-6.5p1/ssh-rsa.c b/openssh-6.5p1/ssh-rsa.c
--- a/openssh-6.4p1/ssh-rsa.c --- a/openssh-6.5p1/ssh-rsa.c
+++ b/openssh-6.4p1/ssh-rsa.c +++ b/openssh-6.5p1/ssh-rsa.c
@@ -27,16 +27,17 @@ @@ -27,16 +27,17 @@
#include "xmalloc.h" #include "xmalloc.h"
@ -987,9 +987,9 @@ diff --git a/openssh-6.4p1/ssh-rsa.c b/openssh-6.4p1/ssh-rsa.c
EVP_DigestInit(&md, evp_md); EVP_DigestInit(&md, evp_md);
EVP_DigestUpdate(&md, data, datalen); EVP_DigestUpdate(&md, data, datalen);
EVP_DigestFinal(&md, digest, &dlen); EVP_DigestFinal(&md, digest, &dlen);
diff --git a/openssh-6.4p1/ssh.c b/openssh-6.4p1/ssh.c diff --git a/openssh-6.5p1/ssh.c b/openssh-6.5p1/ssh.c
--- a/openssh-6.4p1/ssh.c --- a/openssh-6.5p1/ssh.c
+++ b/openssh-6.4p1/ssh.c +++ b/openssh-6.5p1/ssh.c
@@ -99,16 +99,17 @@ @@ -99,16 +99,17 @@
#include "kex.h" #include "kex.h"
#include "mac.h" #include "mac.h"
@ -1051,9 +1051,9 @@ diff --git a/openssh-6.4p1/ssh.c b/openssh-6.4p1/ssh.c
options.use_privileged_port, options.use_privileged_port,
#else #else
original_effective_uid == 0 && options.use_privileged_port, original_effective_uid == 0 && options.use_privileged_port,
diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
--- a/openssh-6.4p1/sshconnect2.c --- a/openssh-6.5p1/sshconnect2.c
+++ b/openssh-6.4p1/sshconnect2.c +++ b/openssh-6.5p1/sshconnect2.c
@@ -67,16 +67,17 @@ @@ -67,16 +67,17 @@
#include "dispatch.h" #include "dispatch.h"
#include "canohost.h" #include "canohost.h"
@ -1110,9 +1110,9 @@ diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c
/* Prefer algorithms that we already have keys for */ /* Prefer algorithms that we already have keys for */
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
order_hostkeyalgs(host, hostaddr, port); order_hostkeyalgs(host, hostaddr, port);
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.4p1/sshd.c --- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.4p1/sshd.c +++ b/openssh-6.5p1/sshd.c
@@ -118,16 +118,17 @@ @@ -118,16 +118,17 @@
#ifdef GSSAPI #ifdef GSSAPI
#include "ssh-gss.h" #include "ssh-gss.h"

View File

@ -1,10 +1,10 @@
# HG changeset patch # HG changeset patch
# Parent a72dad36a987a441e9c92807b1d654e43ddee409 # Parent a72dad36a987a441e9c92807b1d654e43ddee409
diff --git a/openssh-6.4p1/ChangeLog.gssapi b/openssh-6.4p1/ChangeLog.gssapi diff --git a/openssh-6.5p1/ChangeLog.gssapi b/openssh-6.5p1/ChangeLog.gssapi
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/ChangeLog.gssapi +++ b/openssh-6.5p1/ChangeLog.gssapi
@@ -0,0 +1,113 @@ @@ -0,0 +1,113 @@
+20110101 +20110101
+ - Finally update for OpenSSH 5.6p1 + - Finally update for OpenSSH 5.6p1
@ -119,9 +119,9 @@ new file mode 100644
+ add support for GssapiTrustDns option for gssapi-with-mic + add support for GssapiTrustDns option for gssapi-with-mic
+ (from jbasney AT ncsa.uiuc.edu) + (from jbasney AT ncsa.uiuc.edu)
+ <gssapi-with-mic support is Bugzilla #1008> + <gssapi-with-mic support is Bugzilla #1008>
diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
--- a/openssh-6.4p1/Makefile.in --- a/openssh-6.5p1/Makefile.in
+++ b/openssh-6.4p1/Makefile.in +++ b/openssh-6.5p1/Makefile.in
@@ -71,33 +71,34 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o @@ -71,33 +71,34 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
canohost.o channels.o cipher.o cipher-aes.o \ canohost.o channels.o cipher.o cipher-aes.o \
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \ cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
@ -158,9 +158,9 @@ diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5 MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
diff --git a/openssh-6.4p1/auth-krb5.c b/openssh-6.4p1/auth-krb5.c diff --git a/openssh-6.5p1/auth-krb5.c b/openssh-6.5p1/auth-krb5.c
--- a/openssh-6.4p1/auth-krb5.c --- a/openssh-6.5p1/auth-krb5.c
+++ b/openssh-6.4p1/auth-krb5.c +++ b/openssh-6.5p1/auth-krb5.c
@@ -165,18 +165,23 @@ auth_krb5_password(Authctxt *authctxt, c @@ -165,18 +165,23 @@ auth_krb5_password(Authctxt *authctxt, c
if (problem) if (problem)
goto out; goto out;
@ -229,9 +229,9 @@ diff --git a/openssh-6.4p1/auth-krb5.c b/openssh-6.4p1/auth-krb5.c
} }
#endif /* !HEIMDAL */ #endif /* !HEIMDAL */
#endif /* KRB5 */ #endif /* KRB5 */
diff --git a/openssh-6.4p1/auth2-gss.c b/openssh-6.4p1/auth2-gss.c diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
--- a/openssh-6.4p1/auth2-gss.c --- a/openssh-6.5p1/auth2-gss.c
+++ b/openssh-6.4p1/auth2-gss.c +++ b/openssh-6.5p1/auth2-gss.c
@@ -1,12 +1,12 @@ @@ -1,12 +1,12 @@
/* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */ /* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */
@ -357,9 +357,9 @@ diff --git a/openssh-6.4p1/auth2-gss.c b/openssh-6.4p1/auth2-gss.c
Authmethod method_gssapi_old = { Authmethod method_gssapi_old = {
"gssapi", "gssapi",
diff --git a/openssh-6.4p1/auth2.c b/openssh-6.4p1/auth2.c diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c
--- a/openssh-6.4p1/auth2.c --- a/openssh-6.5p1/auth2.c
+++ b/openssh-6.4p1/auth2.c +++ b/openssh-6.5p1/auth2.c
@@ -64,27 +64,29 @@ extern Buffer loginmsg; @@ -64,27 +64,29 @@ extern Buffer loginmsg;
/* methods */ /* methods */
@ -390,9 +390,9 @@ diff --git a/openssh-6.4p1/auth2.c b/openssh-6.4p1/auth2.c
#endif #endif
&method_passwd, &method_passwd,
&method_kbdint, &method_kbdint,
diff --git a/openssh-6.4p1/clientloop.c b/openssh-6.4p1/clientloop.c diff --git a/openssh-6.5p1/clientloop.c b/openssh-6.5p1/clientloop.c
--- a/openssh-6.4p1/clientloop.c --- a/openssh-6.5p1/clientloop.c
+++ b/openssh-6.4p1/clientloop.c +++ b/openssh-6.5p1/clientloop.c
@@ -106,16 +106,20 @@ @@ -106,16 +106,20 @@
#include "authfd.h" #include "authfd.h"
#include "atomicio.h" #include "atomicio.h"
@ -440,9 +440,9 @@ diff --git a/openssh-6.4p1/clientloop.c b/openssh-6.4p1/clientloop.c
} }
} }
diff --git a/openssh-6.4p1/configure.ac b/openssh-6.4p1/configure.ac diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
--- a/openssh-6.4p1/configure.ac --- a/openssh-6.5p1/configure.ac
+++ b/openssh-6.4p1/configure.ac +++ b/openssh-6.5p1/configure.ac
@@ -528,16 +528,40 @@ main() { if (NSVersionOfRunTimeLibrary(" @@ -528,16 +528,40 @@ main() { if (NSVersionOfRunTimeLibrary("
AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect]) AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1], AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
@ -484,9 +484,9 @@ diff --git a/openssh-6.4p1/configure.ac b/openssh-6.4p1/configure.ac
[Define if pututxline updates lastlog too]) [Define if pututxline updates lastlog too])
) )
AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV], AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
diff --git a/openssh-6.4p1/gss-genr.c b/openssh-6.4p1/gss-genr.c diff --git a/openssh-6.5p1/gss-genr.c b/openssh-6.5p1/gss-genr.c
--- a/openssh-6.4p1/gss-genr.c --- a/openssh-6.5p1/gss-genr.c
+++ b/openssh-6.4p1/gss-genr.c +++ b/openssh-6.5p1/gss-genr.c
@@ -1,12 +1,12 @@ @@ -1,12 +1,12 @@
/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */ /* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
@ -874,9 +874,9 @@ diff --git a/openssh-6.4p1/gss-genr.c b/openssh-6.4p1/gss-genr.c
+} +}
+ +
#endif /* GSSAPI */ #endif /* GSSAPI */
diff --git a/openssh-6.4p1/gss-serv-krb5.c b/openssh-6.4p1/gss-serv-krb5.c diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c
--- a/openssh-6.4p1/gss-serv-krb5.c --- a/openssh-6.5p1/gss-serv-krb5.c
+++ b/openssh-6.4p1/gss-serv-krb5.c +++ b/openssh-6.5p1/gss-serv-krb5.c
@@ -1,12 +1,12 @@ @@ -1,12 +1,12 @@
/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
@ -1023,9 +1023,9 @@ diff --git a/openssh-6.4p1/gss-serv-krb5.c b/openssh-6.4p1/gss-serv-krb5.c
#endif /* KRB5 */ #endif /* KRB5 */
#endif /* GSSAPI */ #endif /* GSSAPI */
diff --git a/openssh-6.4p1/gss-serv.c b/openssh-6.4p1/gss-serv.c diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
--- a/openssh-6.4p1/gss-serv.c --- a/openssh-6.5p1/gss-serv.c
+++ b/openssh-6.4p1/gss-serv.c +++ b/openssh-6.5p1/gss-serv.c
@@ -1,12 +1,12 @@ @@ -1,12 +1,12 @@
/* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */ /* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */
@ -1412,9 +1412,9 @@ diff --git a/openssh-6.4p1/gss-serv.c b/openssh-6.4p1/gss-serv.c
} }
#endif #endif
diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
--- a/openssh-6.4p1/kex.c --- a/openssh-6.5p1/kex.c
+++ b/openssh-6.4p1/kex.c +++ b/openssh-6.5p1/kex.c
@@ -46,16 +46,24 @@ @@ -46,16 +46,24 @@
#include "log.h" #include "log.h"
#include "mac.h" #include "mac.h"
@ -1471,9 +1471,9 @@ diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c
choose_hostkeyalg(Kex *k, char *client, char *server) choose_hostkeyalg(Kex *k, char *client, char *server)
{ {
char *hostkeyalg = match_list(client, server, NULL); char *hostkeyalg = match_list(client, server, NULL);
diff --git a/openssh-6.4p1/kex.h b/openssh-6.4p1/kex.h diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
--- a/openssh-6.4p1/kex.h --- a/openssh-6.5p1/kex.h
+++ b/openssh-6.4p1/kex.h +++ b/openssh-6.5p1/kex.h
@@ -68,16 +68,19 @@ enum kex_modes { @@ -68,16 +68,19 @@ enum kex_modes {
}; };
@ -1539,10 +1539,10 @@ diff --git a/openssh-6.4p1/kex.h b/openssh-6.4p1/kex.h
kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *, kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *,
int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *, int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
BIGNUM *, BIGNUM *, u_char **, u_int *); BIGNUM *, BIGNUM *, u_char **, u_int *);
diff --git a/openssh-6.4p1/kexgssc.c b/openssh-6.4p1/kexgssc.c diff --git a/openssh-6.5p1/kexgssc.c b/openssh-6.5p1/kexgssc.c
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/kexgssc.c +++ b/openssh-6.5p1/kexgssc.c
@@ -0,0 +1,334 @@ @@ -0,0 +1,334 @@
+/* +/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1878,10 +1878,10 @@ new file mode 100644
+} +}
+ +
+#endif /* GSSAPI */ +#endif /* GSSAPI */
diff --git a/openssh-6.4p1/kexgsss.c b/openssh-6.4p1/kexgsss.c diff --git a/openssh-6.5p1/kexgsss.c b/openssh-6.5p1/kexgsss.c
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/kexgsss.c +++ b/openssh-6.5p1/kexgsss.c
@@ -0,0 +1,288 @@ @@ -0,0 +1,288 @@
+/* +/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -2171,9 +2171,9 @@ new file mode 100644
+ ssh_gssapi_rekey_creds(); + ssh_gssapi_rekey_creds();
+} +}
+#endif /* GSSAPI */ +#endif /* GSSAPI */
diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
--- a/openssh-6.4p1/key.c --- a/openssh-6.5p1/key.c
+++ b/openssh-6.4p1/key.c +++ b/openssh-6.5p1/key.c
@@ -1038,16 +1038,18 @@ key_ssh_name_from_type_nid(int type, int @@ -1038,16 +1038,18 @@ key_ssh_name_from_type_nid(int type, int
return "ecdsa-sha2-nistp384-cert-v01@openssh.com"; return "ecdsa-sha2-nistp384-cert-v01@openssh.com";
case NID_secp521r1: case NID_secp521r1:
@ -2212,9 +2212,9 @@ diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
int int
key_ecdsa_nid_from_name(const char *name) key_ecdsa_nid_from_name(const char *name)
diff --git a/openssh-6.4p1/key.h b/openssh-6.4p1/key.h diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
--- a/openssh-6.4p1/key.h --- a/openssh-6.5p1/key.h
+++ b/openssh-6.4p1/key.h +++ b/openssh-6.5p1/key.h
@@ -39,16 +39,17 @@ enum types { @@ -39,16 +39,17 @@ enum types {
KEY_RSA, KEY_RSA,
KEY_DSA, KEY_DSA,
@ -2233,9 +2233,9 @@ diff --git a/openssh-6.4p1/key.h b/openssh-6.4p1/key.h
SSH_FP_SHA256 SSH_FP_SHA256
}; };
enum fp_rep { enum fp_rep {
diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
--- a/openssh-6.4p1/monitor.c --- a/openssh-6.5p1/monitor.c
+++ b/openssh-6.4p1/monitor.c +++ b/openssh-6.5p1/monitor.c
@@ -178,16 +178,18 @@ int mm_answer_pam_respond(int, Buffer *) @@ -178,16 +178,18 @@ int mm_answer_pam_respond(int, Buffer *)
int mm_answer_pam_free_ctx(int, Buffer *); int mm_answer_pam_free_ctx(int, Buffer *);
#endif #endif
@ -2532,9 +2532,9 @@ diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
{ {
struct jpake_ctx *pctx; struct jpake_ctx *pctx;
u_char *x3_proof, *x4_proof; u_char *x3_proof, *x4_proof;
diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
--- a/openssh-6.4p1/monitor.h --- a/openssh-6.5p1/monitor.h
+++ b/openssh-6.4p1/monitor.h +++ b/openssh-6.5p1/monitor.h
@@ -70,16 +70,19 @@ enum monitor_reqtype { @@ -70,16 +70,19 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111, MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113, MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
@ -2555,9 +2555,9 @@ diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h
int m_sendfd; int m_sendfd;
int m_log_recvfd; int m_log_recvfd;
int m_log_sendfd; int m_log_sendfd;
diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
--- a/openssh-6.4p1/monitor_wrap.c --- a/openssh-6.5p1/monitor_wrap.c
+++ b/openssh-6.4p1/monitor_wrap.c +++ b/openssh-6.5p1/monitor_wrap.c
@@ -1303,33 +1303,78 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss @@ -1303,33 +1303,78 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
&m); &m);
@ -2638,9 +2638,9 @@ diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
char **hash_scheme, char **salt) char **hash_scheme, char **salt)
{ {
Buffer m; Buffer m;
diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
--- a/openssh-6.4p1/monitor_wrap.h --- a/openssh-6.5p1/monitor_wrap.h
+++ b/openssh-6.4p1/monitor_wrap.h +++ b/openssh-6.5p1/monitor_wrap.h
@@ -54,18 +54,20 @@ int mm_user_key_verify(Key *, u_char *, @@ -54,18 +54,20 @@ int mm_user_key_verify(Key *, u_char *,
int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **); int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *); int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *);
@ -2663,9 +2663,9 @@ diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
void *mm_sshpam_init_ctx(struct Authctxt *); void *mm_sshpam_init_ctx(struct Authctxt *);
int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **); int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **);
int mm_sshpam_respond(void *, u_int, char **); int mm_sshpam_respond(void *, u_int, char **);
diff --git a/openssh-6.4p1/readconf.c b/openssh-6.4p1/readconf.c diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
--- a/openssh-6.4p1/readconf.c --- a/openssh-6.5p1/readconf.c
+++ b/openssh-6.4p1/readconf.c +++ b/openssh-6.5p1/readconf.c
@@ -124,16 +124,18 @@ typedef enum { @@ -124,16 +124,18 @@ typedef enum {
oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
@ -2813,9 +2813,9 @@ diff --git a/openssh-6.4p1/readconf.c b/openssh-6.4p1/readconf.c
options->rhosts_rsa_authentication = 0; options->rhosts_rsa_authentication = 0;
if (options->hostbased_authentication == -1) if (options->hostbased_authentication == -1)
options->hostbased_authentication = 0; options->hostbased_authentication = 0;
diff --git a/openssh-6.4p1/readconf.h b/openssh-6.4p1/readconf.h diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h
--- a/openssh-6.4p1/readconf.h --- a/openssh-6.5p1/readconf.h
+++ b/openssh-6.4p1/readconf.h +++ b/openssh-6.5p1/readconf.h
@@ -43,18 +43,23 @@ typedef struct { @@ -43,18 +43,23 @@ typedef struct {
int rhosts_rsa_authentication; /* Try rhosts with RSA int rhosts_rsa_authentication; /* Try rhosts with RSA
* authentication. */ * authentication. */
@ -2840,9 +2840,9 @@ diff --git a/openssh-6.4p1/readconf.h b/openssh-6.4p1/readconf.h
int batch_mode; /* Batch mode: do not ask for passwords. */ int batch_mode; /* Batch mode: do not ask for passwords. */
int check_host_ip; /* Also keep track of keys for IP address */ int check_host_ip; /* Also keep track of keys for IP address */
int strict_host_key_checking; /* Strict host key checking. */ int strict_host_key_checking; /* Strict host key checking. */
diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
--- a/openssh-6.4p1/servconf.c --- a/openssh-6.5p1/servconf.c
+++ b/openssh-6.4p1/servconf.c +++ b/openssh-6.5p1/servconf.c
@@ -98,18 +98,21 @@ initialize_server_options(ServerOptions @@ -98,18 +98,21 @@ initialize_server_options(ServerOptions
options->hostbased_uses_name_from_packet_only = -1; options->hostbased_uses_name_from_packet_only = -1;
options->rsa_authentication = -1; options->rsa_authentication = -1;
@ -3000,9 +3000,9 @@ diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
dump_cfg_fmtint(sKbdInteractiveAuthentication, dump_cfg_fmtint(sKbdInteractiveAuthentication,
o->kbd_interactive_authentication); o->kbd_interactive_authentication);
diff --git a/openssh-6.4p1/servconf.h b/openssh-6.4p1/servconf.h diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
--- a/openssh-6.4p1/servconf.h --- a/openssh-6.5p1/servconf.h
+++ b/openssh-6.4p1/servconf.h +++ b/openssh-6.5p1/servconf.h
@@ -105,18 +105,21 @@ typedef struct { @@ -105,18 +105,21 @@ typedef struct {
* authentication mechanism, * authentication mechanism,
* such as SecurID or * such as SecurID or
@ -3025,9 +3025,9 @@ diff --git a/openssh-6.4p1/servconf.h b/openssh-6.4p1/servconf.h
/* If true, permit jpake auth */ /* If true, permit jpake auth */
int permit_empty_passwd; /* If false, do not permit empty int permit_empty_passwd; /* If false, do not permit empty
* passwords. */ * passwords. */
diff --git a/openssh-6.4p1/ssh-gss.h b/openssh-6.4p1/ssh-gss.h diff --git a/openssh-6.5p1/ssh-gss.h b/openssh-6.5p1/ssh-gss.h
--- a/openssh-6.4p1/ssh-gss.h --- a/openssh-6.5p1/ssh-gss.h
+++ b/openssh-6.4p1/ssh-gss.h +++ b/openssh-6.5p1/ssh-gss.h
@@ -1,11 +1,11 @@ @@ -1,11 +1,11 @@
/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */ /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
/* /*
@ -3151,9 +3151,9 @@ diff --git a/openssh-6.4p1/ssh-gss.h b/openssh-6.4p1/ssh-gss.h
#endif /* GSSAPI */ #endif /* GSSAPI */
#endif /* _SSH_GSS_H */ #endif /* _SSH_GSS_H */
diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
--- a/openssh-6.4p1/ssh_config --- a/openssh-6.5p1/ssh_config
+++ b/openssh-6.4p1/ssh_config +++ b/openssh-6.5p1/ssh_config
@@ -32,16 +32,18 @@ Host * @@ -32,16 +32,18 @@ Host *
ForwardX11Trusted yes ForwardX11Trusted yes
@ -3173,9 +3173,9 @@ diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config
# IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa # IdentityFile ~/.ssh/id_dsa
diff --git a/openssh-6.4p1/ssh_config.5 b/openssh-6.4p1/ssh_config.5 diff --git a/openssh-6.5p1/ssh_config.5 b/openssh-6.5p1/ssh_config.5
--- a/openssh-6.4p1/ssh_config.5 --- a/openssh-6.5p1/ssh_config.5
+++ b/openssh-6.4p1/ssh_config.5 +++ b/openssh-6.5p1/ssh_config.5
@@ -525,21 +525,53 @@ host key database, separated by whitespa @@ -525,21 +525,53 @@ host key database, separated by whitespa
The default is The default is
.Pa /etc/ssh/ssh_known_hosts , .Pa /etc/ssh/ssh_known_hosts ,
@ -3231,9 +3231,9 @@ diff --git a/openssh-6.4p1/ssh_config.5 b/openssh-6.4p1/ssh_config.5
These hashed names may be used normally by These hashed names may be used normally by
.Xr ssh 1 .Xr ssh 1
and and
diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
--- a/openssh-6.4p1/sshconnect2.c --- a/openssh-6.5p1/sshconnect2.c
+++ b/openssh-6.4p1/sshconnect2.c +++ b/openssh-6.5p1/sshconnect2.c
@@ -155,19 +155,44 @@ order_hostkeyalgs(char *host, struct soc @@ -155,19 +155,44 @@ order_hostkeyalgs(char *host, struct soc
return ret; return ret;
} }
@ -3503,9 +3503,9 @@ diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c
/* initial userauth request */ /* initial userauth request */
packet_start(SSH2_MSG_USERAUTH_REQUEST); packet_start(SSH2_MSG_USERAUTH_REQUEST);
packet_put_cstring(authctxt->server_user); packet_put_cstring(authctxt->server_user);
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.4p1/sshd.c --- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.4p1/sshd.c +++ b/openssh-6.5p1/sshd.c
@@ -119,16 +119,24 @@ @@ -119,16 +119,24 @@
#include "ssh-gss.h" #include "ssh-gss.h"
#endif #endif
@ -3812,9 +3812,9 @@ diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
kex->host_key_index=&get_hostkey_index; kex->host_key_index=&get_hostkey_index;
xxx_kex = kex; xxx_kex = kex;
diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
--- a/openssh-6.4p1/sshd_config --- a/openssh-6.5p1/sshd_config
+++ b/openssh-6.4p1/sshd_config +++ b/openssh-6.5p1/sshd_config
@@ -75,16 +75,18 @@ PasswordAuthentication no @@ -75,16 +75,18 @@ PasswordAuthentication no
#KerberosAuthentication no #KerberosAuthentication no
#KerberosOrLocalPasswd yes #KerberosOrLocalPasswd yes
@ -3834,9 +3834,9 @@ diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config
#GSSAPIEnableMITMAttack no #GSSAPIEnableMITMAttack no
diff --git a/openssh-6.4p1/sshd_config.5 b/openssh-6.4p1/sshd_config.5 diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5
--- a/openssh-6.4p1/sshd_config.5 --- a/openssh-6.5p1/sshd_config.5
+++ b/openssh-6.4p1/sshd_config.5 +++ b/openssh-6.5p1/sshd_config.5
@@ -475,22 +475,50 @@ to force remote port forwardings to bind @@ -475,22 +475,50 @@ to force remote port forwardings to bind
to allow the client to select the address to which the forwarding is bound. to allow the client to select the address to which the forwarding is bound.
The default is The default is

View File

@ -13,9 +13,9 @@
# recommended to use the 'gssapi-with-mic' mechanism. Existing installations # recommended to use the 'gssapi-with-mic' mechanism. Existing installations
# are encouraged to upgrade as soon as possible. # are encouraged to upgrade as soon as possible.
diff --git a/openssh-6.4p1/auth2-gss.c b/openssh-6.4p1/auth2-gss.c diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
--- a/openssh-6.4p1/auth2-gss.c --- a/openssh-6.5p1/auth2-gss.c
+++ b/openssh-6.4p1/auth2-gss.c +++ b/openssh-6.5p1/auth2-gss.c
@@ -173,16 +173,25 @@ input_gssapi_token(int type, u_int32_t p @@ -173,16 +173,25 @@ input_gssapi_token(int type, u_int32_t p
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
if (flags & GSS_C_INTEG_FLAG) if (flags & GSS_C_INTEG_FLAG)
@ -58,9 +58,9 @@ diff --git a/openssh-6.4p1/auth2-gss.c b/openssh-6.4p1/auth2-gss.c
+}; +};
+ +
#endif /* GSSAPI */ #endif /* GSSAPI */
diff --git a/openssh-6.4p1/auth2.c b/openssh-6.4p1/auth2.c diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c
--- a/openssh-6.4p1/auth2.c --- a/openssh-6.5p1/auth2.c
+++ b/openssh-6.4p1/auth2.c +++ b/openssh-6.5p1/auth2.c
@@ -65,26 +65,28 @@ extern Buffer loginmsg; @@ -65,26 +65,28 @@ extern Buffer loginmsg;
extern Authmethod method_none; extern Authmethod method_none;
@ -90,10 +90,10 @@ diff --git a/openssh-6.4p1/auth2.c b/openssh-6.4p1/auth2.c
&method_kbdint, &method_kbdint,
&method_hostbased, &method_hostbased,
NULL NULL
diff --git a/openssh-6.4p1/readconf.c b/openssh-6.4p1/readconf.c diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
--- a/openssh-6.4p1/readconf.c --- a/openssh-6.5p1/readconf.c
+++ b/openssh-6.4p1/readconf.c +++ b/openssh-6.5p1/readconf.c
@@ -126,17 +126,17 @@ typedef enum { @@ -134,17 +134,17 @@ typedef enum {
oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts, oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
@ -109,10 +109,10 @@ diff --git a/openssh-6.4p1/readconf.c b/openssh-6.4p1/readconf.c
oHashKnownHosts, oHashKnownHosts,
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
oIgnoredUnknownOption, oDeprecated, oUnsupported oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
} OpCodes; oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
@@ -168,19 +168,21 @@ static struct { @@ -178,19 +178,21 @@ static struct {
{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */ { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */ { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
{ "kerberosauthentication", oUnsupported }, { "kerberosauthentication", oUnsupported },
@ -134,7 +134,7 @@ diff --git a/openssh-6.4p1/readconf.c b/openssh-6.4p1/readconf.c
{ "identitiesonly", oIdentitiesOnly }, { "identitiesonly", oIdentitiesOnly },
{ "hostname", oHostName }, { "hostname", oHostName },
{ "hostkeyalias", oHostKeyAlias }, { "hostkeyalias", oHostKeyAlias },
@@ -514,16 +516,20 @@ parse_flag: @@ -837,16 +839,20 @@ parse_time:
case oGssAuthentication: case oGssAuthentication:
intptr = &options->gss_authentication; intptr = &options->gss_authentication;
@ -155,7 +155,7 @@ diff --git a/openssh-6.4p1/readconf.c b/openssh-6.4p1/readconf.c
case oCheckHostIP: case oCheckHostIP:
intptr = &options->check_host_ip; intptr = &options->check_host_ip;
goto parse_flag; goto parse_flag;
@@ -1164,16 +1170,17 @@ initialize_options(Options * options) @@ -1484,16 +1490,17 @@ initialize_options(Options * options)
options->xauth_location = NULL; options->xauth_location = NULL;
options->gateway_ports = -1; options->gateway_ports = -1;
options->use_privileged_port = -1; options->use_privileged_port = -1;
@ -173,7 +173,7 @@ diff --git a/openssh-6.4p1/readconf.c b/openssh-6.4p1/readconf.c
options->batch_mode = -1; options->batch_mode = -1;
options->check_host_ip = -1; options->check_host_ip = -1;
options->strict_host_key_checking = -1; options->strict_host_key_checking = -1;
@@ -1265,16 +1272,18 @@ fill_default_options(Options * options) @@ -1591,16 +1598,18 @@ fill_default_options(Options * options)
if (options->pubkey_authentication == -1) if (options->pubkey_authentication == -1)
options->pubkey_authentication = 1; options->pubkey_authentication = 1;
if (options->challenge_response_authentication == -1) if (options->challenge_response_authentication == -1)
@ -192,10 +192,10 @@ diff --git a/openssh-6.4p1/readconf.c b/openssh-6.4p1/readconf.c
options->rhosts_rsa_authentication = 0; options->rhosts_rsa_authentication = 0;
if (options->hostbased_authentication == -1) if (options->hostbased_authentication == -1)
options->hostbased_authentication = 0; options->hostbased_authentication = 0;
diff --git a/openssh-6.4p1/readconf.h b/openssh-6.4p1/readconf.h diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h
--- a/openssh-6.4p1/readconf.h --- a/openssh-6.5p1/readconf.h
+++ b/openssh-6.4p1/readconf.h +++ b/openssh-6.5p1/readconf.h
@@ -44,16 +44,17 @@ typedef struct { @@ -50,16 +50,17 @@ typedef struct {
* authentication. */ * authentication. */
int rsa_authentication; /* Try RSA authentication. */ int rsa_authentication; /* Try RSA authentication. */
int pubkey_authentication; /* Try ssh2 pubkey authentication. */ int pubkey_authentication; /* Try ssh2 pubkey authentication. */
@ -213,10 +213,10 @@ diff --git a/openssh-6.4p1/readconf.h b/openssh-6.4p1/readconf.h
int batch_mode; /* Batch mode: do not ask for passwords. */ int batch_mode; /* Batch mode: do not ask for passwords. */
int check_host_ip; /* Also keep track of keys for IP address */ int check_host_ip; /* Also keep track of keys for IP address */
int strict_host_key_checking; /* Strict host key checking. */ int strict_host_key_checking; /* Strict host key checking. */
diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
--- a/openssh-6.4p1/servconf.c --- a/openssh-6.5p1/servconf.c
+++ b/openssh-6.4p1/servconf.c +++ b/openssh-6.5p1/servconf.c
@@ -103,16 +103,17 @@ initialize_server_options(ServerOptions @@ -104,16 +104,17 @@ initialize_server_options(ServerOptions
options->rsa_authentication = -1; options->rsa_authentication = -1;
options->pubkey_authentication = -1; options->pubkey_authentication = -1;
options->kerberos_authentication = -1; options->kerberos_authentication = -1;
@ -234,7 +234,7 @@ diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
options->use_login = -1; options->use_login = -1;
options->compression = -1; options->compression = -1;
options->rekey_limit = -1; options->rekey_limit = -1;
@@ -237,16 +238,18 @@ fill_default_server_options(ServerOption @@ -242,16 +243,18 @@ fill_default_server_options(ServerOption
if (options->kerberos_ticket_cleanup == -1) if (options->kerberos_ticket_cleanup == -1)
options->kerberos_ticket_cleanup = 1; options->kerberos_ticket_cleanup = 1;
if (options->kerberos_get_afs_token == -1) if (options->kerberos_get_afs_token == -1)
@ -253,7 +253,7 @@ diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
options->challenge_response_authentication = 1; options->challenge_response_authentication = 1;
if (options->permit_empty_passwd == -1) if (options->permit_empty_passwd == -1)
options->permit_empty_passwd = 0; options->permit_empty_passwd = 0;
@@ -333,17 +336,17 @@ typedef enum { @@ -338,17 +341,17 @@ typedef enum {
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
@ -272,7 +272,7 @@ diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
sAuthenticationMethods, sHostKeyAgent, sAuthenticationMethods, sHostKeyAgent,
sDeprecated, sUnsupported sDeprecated, sUnsupported
@@ -400,19 +403,21 @@ static struct { @@ -405,19 +408,21 @@ static struct {
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL }, { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif #endif
@ -294,7 +294,7 @@ diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
#ifdef JPAKE #ifdef JPAKE
{ "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL }, { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
#else #else
@@ -1072,16 +1077,20 @@ process_server_config_line(ServerOptions @@ -1093,16 +1098,20 @@ process_server_config_line(ServerOptions
case sGssAuthentication: case sGssAuthentication:
intptr = &options->gss_authentication; intptr = &options->gss_authentication;
goto parse_flag; goto parse_flag;
@ -315,10 +315,10 @@ diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
intptr = &options->zero_knowledge_password_authentication; intptr = &options->zero_knowledge_password_authentication;
goto parse_flag; goto parse_flag;
diff --git a/openssh-6.4p1/servconf.h b/openssh-6.4p1/servconf.h diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
--- a/openssh-6.4p1/servconf.h --- a/openssh-6.5p1/servconf.h
+++ b/openssh-6.4p1/servconf.h +++ b/openssh-6.5p1/servconf.h
@@ -107,16 +107,17 @@ typedef struct { @@ -108,16 +108,17 @@ typedef struct {
* such as SecurID or * such as SecurID or
* /etc/passwd */ * /etc/passwd */
int kerberos_ticket_cleanup; /* If true, destroy ticket int kerberos_ticket_cleanup; /* If true, destroy ticket
@ -336,9 +336,9 @@ diff --git a/openssh-6.4p1/servconf.h b/openssh-6.4p1/servconf.h
/* If true, permit jpake auth */ /* If true, permit jpake auth */
int permit_empty_passwd; /* If false, do not permit empty int permit_empty_passwd; /* If false, do not permit empty
* passwords. */ * passwords. */
diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
--- a/openssh-6.4p1/ssh_config --- a/openssh-6.5p1/ssh_config
+++ b/openssh-6.4p1/ssh_config +++ b/openssh-6.5p1/ssh_config
@@ -51,9 +51,16 @@ ForwardX11Trusted yes @@ -51,9 +51,16 @@ ForwardX11Trusted yes
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
@ -356,10 +356,10 @@ diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config
+# GSSAPIEnableMITMAttack no +# GSSAPIEnableMITMAttack no
+ +
# RekeyLimit 1G 1h # RekeyLimit 1G 1h
diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
--- a/openssh-6.4p1/sshconnect2.c --- a/openssh-6.5p1/sshconnect2.c
+++ b/openssh-6.4p1/sshconnect2.c +++ b/openssh-6.5p1/sshconnect2.c
@@ -322,16 +322,21 @@ static char *authmethods_get(void); @@ -324,16 +324,21 @@ static char *authmethods_get(void);
Authmethod authmethods[] = { Authmethod authmethods[] = {
#ifdef GSSAPI #ifdef GSSAPI
@ -381,7 +381,7 @@ diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c
NULL}, NULL},
{"publickey", {"publickey",
userauth_pubkey, userauth_pubkey,
@@ -696,17 +701,19 @@ process_gssapi_token(void *ctxt, gss_buf @@ -698,17 +703,19 @@ process_gssapi_token(void *ctxt, gss_buf
packet_put_string(send_tok.value, send_tok.length); packet_put_string(send_tok.value, send_tok.length);
packet_send(); packet_send();
@ -402,10 +402,10 @@ diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c
gssbuf.value = buffer_ptr(&b); gssbuf.value = buffer_ptr(&b);
gssbuf.length = buffer_len(&b); gssbuf.length = buffer_len(&b);
diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
--- a/openssh-6.4p1/sshd_config --- a/openssh-6.5p1/sshd_config
+++ b/openssh-6.4p1/sshd_config +++ b/openssh-6.5p1/sshd_config
@@ -79,16 +79,23 @@ PasswordAuthentication no @@ -80,16 +80,23 @@ PasswordAuthentication no
#KerberosOrLocalPasswd yes #KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes #KerberosTicketCleanup yes
#KerberosGetAFSToken no #KerberosGetAFSToken no

View File

@ -1,10 +1,10 @@
# identify hashed hosts in known_hosts and suggest command line for their # identify hashed hosts in known_hosts and suggest command line for their
# removal # removal
diff --git a/openssh-6.4p1/sshconnect.c b/openssh-6.4p1/sshconnect.c diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c
--- a/openssh-6.4p1/sshconnect.c --- a/openssh-6.5p1/sshconnect.c
+++ b/openssh-6.4p1/sshconnect.c +++ b/openssh-6.5p1/sshconnect.c
@@ -986,16 +986,21 @@ check_host_key(char *hostname, struct so @@ -1067,16 +1067,21 @@ check_host_key(char *hostname, struct so
ip_found->file, ip_found->line); ip_found->file, ip_found->line);
} }
/* The host key has changed. */ /* The host key has changed. */

View File

@ -1,9 +1,9 @@
# SSHv1 to SSHv2 RSA keys converter # SSHv1 to SSHv2 RSA keys converter
diff --git a/openssh-6.4p1/converter/Makefile b/openssh-6.4p1/converter/Makefile diff --git a/openssh-6.5p1/converter/Makefile b/openssh-6.5p1/converter/Makefile
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/converter/Makefile +++ b/openssh-6.5p1/converter/Makefile
@@ -0,0 +1,17 @@ @@ -0,0 +1,17 @@
+ +
+bindir=/usr/bin +bindir=/usr/bin
@ -12,20 +12,20 @@ new file mode 100644
+all : ssh-keyconverter +all : ssh-keyconverter
+ +
+ssh-keyconverter.o: ssh-keyconverter.c ../key.h ../authfile.h ../misc.h ../xmalloc.h +ssh-keyconverter.o: ssh-keyconverter.c ../key.h ../authfile.h ../misc.h ../xmalloc.h
+ gcc $(CFLAGS) $(RPM_OPT_FLAGS) -c -I../ $< -o $@ + gcc $(RPM_OPT_FLAGS) -c -I../ $< -o $@
+ +
+ssh-keyconverter: ssh-keyconverter.o ../libssh.a ../openbsd-compat/libopenbsd-compat.a +ssh-keyconverter: ssh-keyconverter.o ../libssh.a ../openbsd-compat/libopenbsd-compat.a
+ gcc $< $(LDFLAGS) $(RPM_OPT_FLAGS) -L../ -L../openbsd-compat/ -lcrypto -lssh -lopenbsd-compat -lcrypto -lssh -lopenbsd-compat -lpam -ldl -lwrap -lutil -lz -lnsl -lcrypt -lssl -o $@ + gcc $< -Wl,--no-as-needed $(RPM_OPT_FLAGS) -L../ -L../openbsd-compat/ -lcrypto -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lpam -ldl -lwrap -lutil -lz -lnsl -lcrypt -lssl -o $@
+ +
+install: ssh-keyconverter ssh-keyconverter.1 +install: ssh-keyconverter ssh-keyconverter.1
+ if [ ! -d $(DESTDIR)$(bindir) ]; then install -d -m 755 $(DESTDIR)$(bindir); fi + if [ ! -d $(DESTDIR)$(bindir) ]; then install -d -m 755 $(DESTDIR)$(bindir); fi
+ install -m 755 ssh-keyconverter $(DESTDIR)$(bindir) + install -m 755 ssh-keyconverter $(DESTDIR)$(bindir)
+ if [ ! -d $(DESTDIR)$(mandir)/man1 ]; then install -d -m 755 $(DESTDIR)$(mandir)/man1; fi + if [ ! -d $(DESTDIR)$(mandir)/man1 ]; then install -d -m 755 $(DESTDIR)$(mandir)/man1; fi
+ install -m 644 ssh-keyconverter.1 $(DESTDIR)$(mandir)/man1 + install -m 644 ssh-keyconverter.1 $(DESTDIR)$(mandir)/man1
diff --git a/openssh-6.4p1/converter/ssh-keyconverter.1 b/openssh-6.4p1/converter/ssh-keyconverter.1 diff --git a/openssh-6.5p1/converter/ssh-keyconverter.1 b/openssh-6.5p1/converter/ssh-keyconverter.1
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/converter/ssh-keyconverter.1 +++ b/openssh-6.5p1/converter/ssh-keyconverter.1
@@ -0,0 +1,155 @@ @@ -0,0 +1,155 @@
+.\" Manpage for ssh-keyconverter +.\" Manpage for ssh-keyconverter
+.\" +.\"
@ -182,10 +182,10 @@ new file mode 100644
+.%D March 2001 +.%D March 2001
+.%O work in progress material +.%O work in progress material
+.Re +.Re
diff --git a/openssh-6.4p1/converter/ssh-keyconverter.c b/openssh-6.4p1/converter/ssh-keyconverter.c diff --git a/openssh-6.5p1/converter/ssh-keyconverter.c b/openssh-6.5p1/converter/ssh-keyconverter.c
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/converter/ssh-keyconverter.c +++ b/openssh-6.5p1/converter/ssh-keyconverter.c
@@ -0,0 +1,345 @@ @@ -0,0 +1,345 @@
+/* +/*
+ * SSH v1 to v2 RSA key converter. + * SSH v1 to v2 RSA key converter.

View File

@ -1,9 +1,9 @@
# set uid for functions that use it to seek in lastlog and wtmp files # set uid for functions that use it to seek in lastlog and wtmp files
# bnc#18024 (was suse #3024) # bnc#18024 (was suse #3024)
diff --git a/openssh-6.4p1/sshlogin.c b/openssh-6.4p1/sshlogin.c diff --git a/openssh-6.5p1/sshlogin.c b/openssh-6.5p1/sshlogin.c
--- a/openssh-6.4p1/sshlogin.c --- a/openssh-6.5p1/sshlogin.c
+++ b/openssh-6.4p1/sshlogin.c +++ b/openssh-6.5p1/sshlogin.c
@@ -128,16 +128,17 @@ record_login(pid_t pid, const char *tty, @@ -128,16 +128,17 @@ record_login(pid_t pid, const char *tty,
{ {
struct logininfo *li; struct logininfo *li;

View File

@ -8,10 +8,10 @@
# internal versions. ssh-keyconverter consequently fails to link as it lacks # internal versions. ssh-keyconverter consequently fails to link as it lacks
# the proper flags, and libopenbsd-compat doesn't contain the b64_* functions) # the proper flags, and libopenbsd-compat doesn't contain the b64_* functions)
diff --git a/openssh-6.4p1/HOWTO.ldap-keys b/openssh-6.4p1/HOWTO.ldap-keys diff --git a/openssh-6.5p1/HOWTO.ldap-keys b/openssh-6.5p1/HOWTO.ldap-keys
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/HOWTO.ldap-keys +++ b/openssh-6.5p1/HOWTO.ldap-keys
@@ -0,0 +1,108 @@ @@ -0,0 +1,108 @@
+ +
+HOW TO START +HOW TO START
@ -121,9 +121,9 @@ new file mode 100644
+ - frederic peters. + - frederic peters.
+ - Finlay dobbie. + - Finlay dobbie.
+ - Stefan Fisher. + - Stefan Fisher.
diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
--- a/openssh-6.4p1/Makefile.in --- a/openssh-6.5p1/Makefile.in
+++ b/openssh-6.4p1/Makefile.in +++ b/openssh-6.5p1/Makefile.in
@@ -20,16 +20,18 @@ srcdir=@srcdir@ @@ -20,16 +20,18 @@ srcdir=@srcdir@
top_srcdir=@top_srcdir@ top_srcdir=@top_srcdir@
@ -164,14 +164,14 @@ diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
log.o match.o md-sha256.o moduli.o nchan.o packet.o \ log.o match.o md-sha256.o moduli.o nchan.o packet.o \
readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \ readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
@@ -90,18 +94,18 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw @@ -94,18 +98,18 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
auth-krb5.o \ kexc25519s.o auth-krb5.o \
auth2-gss.o gss-serv.o gss-serv-krb5.o \ auth2-gss.o gss-serv.o gss-serv-krb5.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \ sftp-server.o sftp-common.o \
roaming_common.o roaming_serv.o \ roaming_common.o roaming_serv.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
sandbox-seccomp-filter.o sandbox-seccomp-filter.o sandbox-capsicum.o
-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 -MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
@ -185,7 +185,7 @@ diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
PATHSUBS = \ PATHSUBS = \
-e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \ -e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \
-e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \ -e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \
@@ -164,16 +168,19 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss @@ -169,16 +173,19 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
@ -205,7 +205,7 @@ diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
# test driver for the loginrec code - not built by default # test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
@@ -266,30 +273,38 @@ install-files: @@ -271,30 +278,38 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@ -244,7 +244,7 @@ diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
install-sysconf: install-sysconf:
if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \ if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
$(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \ $(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \
@@ -309,16 +324,23 @@ install-sysconf: @@ -314,16 +329,23 @@ install-sysconf:
echo "moving $(DESTDIR)$(sysconfdir)/primes to $(DESTDIR)$(sysconfdir)/moduli"; \ echo "moving $(DESTDIR)$(sysconfdir)/primes to $(DESTDIR)$(sysconfdir)/moduli"; \
mv "$(DESTDIR)$(sysconfdir)/primes" "$(DESTDIR)$(sysconfdir)/moduli"; \ mv "$(DESTDIR)$(sysconfdir)/primes" "$(DESTDIR)$(sysconfdir)/moduli"; \
else \ else \
@ -268,7 +268,7 @@ diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
else \ else \
./ssh-keygen -t rsa1 -f $(sysconfdir)/ssh_host_key -N "" ; \ ./ssh-keygen -t rsa1 -f $(sysconfdir)/ssh_host_key -N "" ; \
fi ; \ fi ; \
@@ -366,27 +388,30 @@ uninstall: @@ -377,27 +399,30 @@ uninstall:
-rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@ -299,10 +299,10 @@ diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \ $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
diff --git a/openssh-6.4p1/configure.ac b/openssh-6.4p1/configure.ac diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
--- a/openssh-6.4p1/configure.ac --- a/openssh-6.5p1/configure.ac
+++ b/openssh-6.4p1/configure.ac +++ b/openssh-6.5p1/configure.ac
@@ -1519,16 +1519,116 @@ AC_ARG_WITH([audit], @@ -1573,16 +1573,116 @@ AC_ARG_WITH([audit],
AC_MSG_RESULT([no]) AC_MSG_RESULT([no])
;; ;;
*) *)
@ -411,18 +411,18 @@ diff --git a/openssh-6.4p1/configure.ac b/openssh-6.4p1/configure.ac
+) +)
+AC_SUBST(INSTALL_SSH_LDAP_HELPER) +AC_SUBST(INSTALL_SSH_LDAP_HELPER)
+ +
dnl Checks for library functions. Please keep in alphabetical order AC_ARG_WITH([pie],
AC_CHECK_FUNCS([ \ [ --with-pie Build Position Independent Executables if possible], [
arc4random \ if test "x$withval" = "xno"; then
arc4random_buf \ use_pie=no
arc4random_uniform \ fi
asprintf \ if test "x$withval" = "xyes"; then
b64_ntop \ use_pie=yes
__b64_ntop \ fi
diff --git a/openssh-6.4p1/ldap-helper.c b/openssh-6.4p1/ldap-helper.c diff --git a/openssh-6.5p1/ldap-helper.c b/openssh-6.5p1/ldap-helper.c
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/ldap-helper.c +++ b/openssh-6.5p1/ldap-helper.c
@@ -0,0 +1,155 @@ @@ -0,0 +1,155 @@
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -579,10 +579,10 @@ new file mode 100644
+void *buffer_get_string(Buffer *b, u_int *l) { return NULL; } +void *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
+void buffer_put_string(Buffer *b, const void *f, u_int l) {} +void buffer_put_string(Buffer *b, const void *f, u_int l) {}
+ +
diff --git a/openssh-6.4p1/ldap-helper.h b/openssh-6.4p1/ldap-helper.h diff --git a/openssh-6.5p1/ldap-helper.h b/openssh-6.5p1/ldap-helper.h
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/ldap-helper.h +++ b/openssh-6.5p1/ldap-helper.h
@@ -0,0 +1,32 @@ @@ -0,0 +1,32 @@
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -616,10 +616,10 @@ new file mode 100644
+extern int config_warning_config_file; +extern int config_warning_config_file;
+ +
+#endif /* LDAP_HELPER_H */ +#endif /* LDAP_HELPER_H */
diff --git a/openssh-6.4p1/ldap.conf b/openssh-6.4p1/ldap.conf diff --git a/openssh-6.5p1/ldap.conf b/openssh-6.5p1/ldap.conf
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/ldap.conf +++ b/openssh-6.5p1/ldap.conf
@@ -0,0 +1,88 @@ @@ -0,0 +1,88 @@
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $ +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
+# +#
@ -709,10 +709,10 @@ new file mode 100644
+#tls_cert +#tls_cert
+#tls_key +#tls_key
+ +
diff --git a/openssh-6.4p1/ldapbody.c b/openssh-6.4p1/ldapbody.c diff --git a/openssh-6.5p1/ldapbody.c b/openssh-6.5p1/ldapbody.c
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/ldapbody.c +++ b/openssh-6.5p1/ldapbody.c
@@ -0,0 +1,494 @@ @@ -0,0 +1,494 @@
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1208,10 +1208,10 @@ new file mode 100644
+ return; + return;
+} +}
+ +
diff --git a/openssh-6.4p1/ldapbody.h b/openssh-6.4p1/ldapbody.h diff --git a/openssh-6.5p1/ldapbody.h b/openssh-6.5p1/ldapbody.h
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/ldapbody.h +++ b/openssh-6.5p1/ldapbody.h
@@ -0,0 +1,37 @@ @@ -0,0 +1,37 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1250,10 +1250,10 @@ new file mode 100644
+ +
+#endif /* LDAPBODY_H */ +#endif /* LDAPBODY_H */
+ +
diff --git a/openssh-6.4p1/ldapconf.c b/openssh-6.4p1/ldapconf.c diff --git a/openssh-6.5p1/ldapconf.c b/openssh-6.5p1/ldapconf.c
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/ldapconf.c +++ b/openssh-6.5p1/ldapconf.c
@@ -0,0 +1,682 @@ @@ -0,0 +1,682 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1937,10 +1937,10 @@ new file mode 100644
+ dump_cfg_string(lSSH_Filter, options.ssh_filter); + dump_cfg_string(lSSH_Filter, options.ssh_filter);
+} +}
+ +
diff --git a/openssh-6.4p1/ldapconf.h b/openssh-6.4p1/ldapconf.h diff --git a/openssh-6.5p1/ldapconf.h b/openssh-6.5p1/ldapconf.h
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/ldapconf.h +++ b/openssh-6.5p1/ldapconf.h
@@ -0,0 +1,71 @@ @@ -0,0 +1,71 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -2013,10 +2013,10 @@ new file mode 100644
+void dump_config(void); +void dump_config(void);
+ +
+#endif /* LDAPCONF_H */ +#endif /* LDAPCONF_H */
diff --git a/openssh-6.4p1/ldapincludes.h b/openssh-6.4p1/ldapincludes.h diff --git a/openssh-6.5p1/ldapincludes.h b/openssh-6.5p1/ldapincludes.h
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/ldapincludes.h +++ b/openssh-6.5p1/ldapincludes.h
@@ -0,0 +1,41 @@ @@ -0,0 +1,41 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -2059,10 +2059,10 @@ new file mode 100644
+#endif +#endif
+ +
+#endif /* LDAPINCLUDES_H */ +#endif /* LDAPINCLUDES_H */
diff --git a/openssh-6.4p1/ldapmisc.c b/openssh-6.4p1/ldapmisc.c diff --git a/openssh-6.5p1/ldapmisc.c b/openssh-6.5p1/ldapmisc.c
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/ldapmisc.c +++ b/openssh-6.5p1/ldapmisc.c
@@ -0,0 +1,79 @@ @@ -0,0 +1,79 @@
+ +
+#include "ldapincludes.h" +#include "ldapincludes.h"
@ -2143,10 +2143,10 @@ new file mode 100644
+} +}
+#endif +#endif
+ +
diff --git a/openssh-6.4p1/ldapmisc.h b/openssh-6.4p1/ldapmisc.h diff --git a/openssh-6.5p1/ldapmisc.h b/openssh-6.5p1/ldapmisc.h
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/ldapmisc.h +++ b/openssh-6.5p1/ldapmisc.h
@@ -0,0 +1,35 @@ @@ -0,0 +1,35 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -2183,9 +2183,9 @@ new file mode 100644
+ +
+#endif /* LDAPMISC_H */ +#endif /* LDAPMISC_H */
+ +
diff --git a/openssh-6.4p1/openbsd-compat/base64.c b/openssh-6.4p1/openbsd-compat/base64.c diff --git a/openssh-6.5p1/openbsd-compat/base64.c b/openssh-6.5p1/openbsd-compat/base64.c
--- a/openssh-6.4p1/openbsd-compat/base64.c --- a/openssh-6.5p1/openbsd-compat/base64.c
+++ b/openssh-6.4p1/openbsd-compat/base64.c +++ b/openssh-6.5p1/openbsd-compat/base64.c
@@ -41,17 +41,17 @@ @@ -41,17 +41,17 @@
* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
* IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES. * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
@ -2243,9 +2243,9 @@ diff --git a/openssh-6.4p1/openbsd-compat/base64.c b/openssh-6.4p1/openbsd-compa
*/ */
int int
diff --git a/openssh-6.4p1/openbsd-compat/base64.h b/openssh-6.4p1/openbsd-compat/base64.h diff --git a/openssh-6.5p1/openbsd-compat/base64.h b/openssh-6.5p1/openbsd-compat/base64.h
--- a/openssh-6.4p1/openbsd-compat/base64.h --- a/openssh-6.5p1/openbsd-compat/base64.h
+++ b/openssh-6.4p1/openbsd-compat/base64.h +++ b/openssh-6.5p1/openbsd-compat/base64.h
@@ -42,24 +42,24 @@ @@ -42,24 +42,24 @@
* IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES. * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
*/ */
@ -2275,10 +2275,10 @@ diff --git a/openssh-6.4p1/openbsd-compat/base64.h b/openssh-6.4p1/openbsd-compa
#endif /* HAVE___B64_PTON */ #endif /* HAVE___B64_PTON */
#endif /* _BSD_BASE64_H */ #endif /* _BSD_BASE64_H */
diff --git a/openssh-6.4p1/openssh-lpk-openldap.schema b/openssh-6.4p1/openssh-lpk-openldap.schema diff --git a/openssh-6.5p1/openssh-lpk-openldap.schema b/openssh-6.5p1/openssh-lpk-openldap.schema
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/openssh-lpk-openldap.schema +++ b/openssh-6.5p1/openssh-lpk-openldap.schema
@@ -0,0 +1,21 @@ @@ -0,0 +1,21 @@
+# +#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2301,10 +2301,10 @@ new file mode 100644
+ DESC 'MANDATORY: OpenSSH LPK objectclass' + DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid ) + MUST ( sshPublicKey $ uid )
+ ) + )
diff --git a/openssh-6.4p1/openssh-lpk-sun.schema b/openssh-6.4p1/openssh-lpk-sun.schema diff --git a/openssh-6.5p1/openssh-lpk-sun.schema b/openssh-6.5p1/openssh-lpk-sun.schema
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/openssh-lpk-sun.schema +++ b/openssh-6.5p1/openssh-lpk-sun.schema
@@ -0,0 +1,23 @@ @@ -0,0 +1,23 @@
+# +#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2329,10 +2329,10 @@ new file mode 100644
+ DESC 'MANDATORY: OpenSSH LPK objectclass' + DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid ) + MUST ( sshPublicKey $ uid )
+ ) + )
diff --git a/openssh-6.4p1/ssh-ldap-helper.8 b/openssh-6.4p1/ssh-ldap-helper.8 diff --git a/openssh-6.5p1/ssh-ldap-helper.8 b/openssh-6.5p1/ssh-ldap-helper.8
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/ssh-ldap-helper.8 +++ b/openssh-6.5p1/ssh-ldap-helper.8
@@ -0,0 +1,79 @@ @@ -0,0 +1,79 @@
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\" +.\"
@ -2413,19 +2413,19 @@ new file mode 100644
+OpenSSH 5.5 + PKA-LDAP . +OpenSSH 5.5 + PKA-LDAP .
+.Sh AUTHORS +.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima@redhat.com +.An Jan F. Chadima Aq jchadima@redhat.com
diff --git a/openssh-6.4p1/ssh-ldap-wrapper b/openssh-6.4p1/ssh-ldap-wrapper diff --git a/openssh-6.5p1/ssh-ldap-wrapper b/openssh-6.5p1/ssh-ldap-wrapper
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/ssh-ldap-wrapper +++ b/openssh-6.5p1/ssh-ldap-wrapper
@@ -0,0 +1,4 @@ @@ -0,0 +1,4 @@
+#!/bin/sh +#!/bin/sh
+ +
+exec @LIBEXECDIR@/ssh-ldap-helper -s "$1" +exec @LIBEXECDIR@/ssh-ldap-helper -s "$1"
+ +
diff --git a/openssh-6.4p1/ssh-ldap.conf.5 b/openssh-6.4p1/ssh-ldap.conf.5 diff --git a/openssh-6.5p1/ssh-ldap.conf.5 b/openssh-6.5p1/ssh-ldap.conf.5
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/ssh-ldap.conf.5 +++ b/openssh-6.5p1/ssh-ldap.conf.5
@@ -0,0 +1,376 @@ @@ -0,0 +1,376 @@
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\" +.\"

View File

@ -4,16 +4,16 @@
# #
# bnc#833605 # bnc#833605
diff --git a/openssh-6.4p1/configure.ac b/openssh-6.4p1/configure.ac diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
--- a/openssh-6.4p1/configure.ac --- a/openssh-6.5p1/configure.ac
+++ b/openssh-6.4p1/configure.ac +++ b/openssh-6.5p1/configure.ac
@@ -657,16 +657,18 @@ main() { if (NSVersionOfRunTimeLibrary(" @@ -695,16 +695,18 @@ main() { if (NSVersionOfRunTimeLibrary("
AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts]) AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins]) AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
;; ;;
*-*-linux*) *-*-linux*)
no_dev_ptmx=1 no_dev_ptmx=1
use_pie=auto
check_for_libcrypt_later=1 check_for_libcrypt_later=1
check_for_openpty_ctty_bug=1 check_for_openpty_ctty_bug=1
+ AC_DEFINE([LOGIN_NO_ENDOPT], [1], + AC_DEFINE([LOGIN_NO_ENDOPT], [1],

View File

@ -1,9 +1,9 @@
# Do not write a PID file when not daemonizing (e.g. when running from systemd) # Do not write a PID file when not daemonizing (e.g. when running from systemd)
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.4p1/sshd.c --- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.4p1/sshd.c +++ b/openssh-6.5p1/sshd.c
@@ -1959,17 +1959,17 @@ main(int ac, char **av) @@ -1973,17 +1973,17 @@ main(int ac, char **av)
signal(SIGCHLD, main_sigchld_handler); signal(SIGCHLD, main_sigchld_handler);
signal(SIGTERM, sigterm_handler); signal(SIGTERM, sigterm_handler);
signal(SIGQUIT, sigterm_handler); signal(SIGQUIT, sigterm_handler);

View File

@ -2,9 +2,9 @@
# UsePAM is used # UsePAM is used
# bnc#708678, FATE#312033 # bnc#708678, FATE#312033
diff --git a/openssh-6.4p1/auth.c b/openssh-6.4p1/auth.c diff --git a/openssh-6.5p1/auth.c b/openssh-6.5p1/auth.c
--- a/openssh-6.4p1/auth.c --- a/openssh-6.5p1/auth.c
+++ b/openssh-6.4p1/auth.c +++ b/openssh-6.5p1/auth.c
@@ -103,17 +103,17 @@ allowed_user(struct passwd * pw) @@ -103,17 +103,17 @@ allowed_user(struct passwd * pw)
struct spwd *spw = NULL; struct spwd *spw = NULL;
#endif #endif
@ -43,9 +43,9 @@ diff --git a/openssh-6.4p1/auth.c b/openssh-6.4p1/auth.c
#endif #endif
#ifdef LOCKED_PASSWD_PREFIX #ifdef LOCKED_PASSWD_PREFIX
if (strncmp(passwd, LOCKED_PASSWD_PREFIX, if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
--- a/openssh-6.4p1/servconf.c --- a/openssh-6.5p1/servconf.c
+++ b/openssh-6.4p1/servconf.c +++ b/openssh-6.5p1/servconf.c
@@ -66,16 +66,17 @@ extern Buffer cfg; @@ -66,16 +66,17 @@ extern Buffer cfg;
void void
@ -64,7 +64,7 @@ diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
options->address_family = -1; options->address_family = -1;
options->num_host_key_files = 0; options->num_host_key_files = 0;
options->num_host_cert_files = 0; options->num_host_cert_files = 0;
@@ -157,16 +158,18 @@ initialize_server_options(ServerOptions @@ -158,16 +159,18 @@ initialize_server_options(ServerOptions
} }
void void
@ -83,7 +83,7 @@ diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
/* fill default hostkeys for protocols */ /* fill default hostkeys for protocols */
if (options->protocol & SSH_PROTO_1) if (options->protocol & SSH_PROTO_1)
options->host_key_files[options->num_host_key_files++] = options->host_key_files[options->num_host_key_files++] =
@@ -315,17 +318,17 @@ fill_default_server_options(ServerOption @@ -320,17 +323,17 @@ fill_default_server_options(ServerOption
#endif #endif
} }
@ -102,7 +102,7 @@ diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
sKerberosGetAFSToken, sKerberosGetAFSToken,
sKerberosTgtPassing, sChallengeResponseAuthentication, sKerberosTgtPassing, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication,
@@ -360,18 +363,20 @@ typedef enum { @@ -365,18 +368,20 @@ typedef enum {
static struct { static struct {
const char *name; const char *name;
ServerOpCodes opcode; ServerOpCodes opcode;
@ -123,7 +123,7 @@ diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL }, { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
{ "pidfile", sPidFile, SSHCFG_GLOBAL }, { "pidfile", sPidFile, SSHCFG_GLOBAL },
@@ -857,16 +862,19 @@ process_server_config_line(ServerOptions @@ -878,16 +883,19 @@ process_server_config_line(ServerOptions
} }
} }
@ -143,10 +143,10 @@ diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
/* ignore ports from configfile if cmdline specifies ports */ /* ignore ports from configfile if cmdline specifies ports */
if (options->ports_from_cmdline) if (options->ports_from_cmdline)
return 0; return 0;
diff --git a/openssh-6.4p1/servconf.h b/openssh-6.4p1/servconf.h diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
--- a/openssh-6.4p1/servconf.h --- a/openssh-6.5p1/servconf.h
+++ b/openssh-6.4p1/servconf.h +++ b/openssh-6.5p1/servconf.h
@@ -161,16 +161,17 @@ typedef struct { @@ -162,16 +162,17 @@ typedef struct {
*/ */
u_int num_authkeys_files; /* Files containing public keys */ u_int num_authkeys_files; /* Files containing public keys */
@ -164,10 +164,10 @@ diff --git a/openssh-6.4p1/servconf.h b/openssh-6.4p1/servconf.h
char *chroot_directory; char *chroot_directory;
char *revoked_keys_file; char *revoked_keys_file;
char *trusted_user_ca_keys; char *trusted_user_ca_keys;
diff --git a/openssh-6.4p1/sshd_config.0 b/openssh-6.4p1/sshd_config.0 diff --git a/openssh-6.5p1/sshd_config.0 b/openssh-6.5p1/sshd_config.0
--- a/openssh-6.4p1/sshd_config.0 --- a/openssh-6.5p1/sshd_config.0
+++ b/openssh-6.4p1/sshd_config.0 +++ b/openssh-6.5p1/sshd_config.0
@@ -706,16 +706,24 @@ DESCRIPTION @@ -720,16 +720,24 @@ DESCRIPTION
Because PAM challenge-response authentication usually serves an Because PAM challenge-response authentication usually serves an
equivalent role to password authentication, you should disable equivalent role to password authentication, you should disable
@ -192,10 +192,10 @@ diff --git a/openssh-6.4p1/sshd_config.0 b/openssh-6.4p1/sshd_config.0
privilege separation is to prevent privilege escalation by privilege separation is to prevent privilege escalation by
containing any corruption within the unprivileged processes. The containing any corruption within the unprivileged processes. The
default is ``yes''. If UsePrivilegeSeparation is set to default is ``yes''. If UsePrivilegeSeparation is set to
diff --git a/openssh-6.4p1/sshd_config.5 b/openssh-6.4p1/sshd_config.5 diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5
--- a/openssh-6.4p1/sshd_config.5 --- a/openssh-6.5p1/sshd_config.5
+++ b/openssh-6.4p1/sshd_config.5 +++ b/openssh-6.5p1/sshd_config.5
@@ -1178,16 +1178,28 @@ or @@ -1199,16 +1199,28 @@ or
.Pp .Pp
If If
.Cm UsePAM .Cm UsePAM

View File

@ -1,10 +1,10 @@
# force PAM in defaullt install (this was removed from upstream in 3.8p1) # force PAM in defaullt install (this was removed from upstream in 3.8p1)
# bnc#46749 # bnc#46749
diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
--- a/openssh-6.4p1/sshd_config --- a/openssh-6.5p1/sshd_config
+++ b/openssh-6.4p1/sshd_config +++ b/openssh-6.5p1/sshd_config
@@ -63,17 +63,17 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -64,17 +64,17 @@ AuthorizedKeysFile .ssh/authorized_keys
#HostbasedAuthentication no #HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for # Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication # RhostsRSAAuthentication and HostbasedAuthentication
@ -23,7 +23,7 @@ diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config
# Kerberos options # Kerberos options
#KerberosAuthentication no #KerberosAuthentication no
#KerberosOrLocalPasswd yes #KerberosOrLocalPasswd yes
@@ -88,17 +88,17 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -89,17 +89,17 @@ AuthorizedKeysFile .ssh/authorized_keys
# and session processing. If this is enabled, PAM authentication will # and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and # be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration, # PasswordAuthentication. Depending on your PAM configuration,
@ -41,4 +41,4 @@ diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config
X11Forwarding yes X11Forwarding yes
#X11DisplayOffset 10 #X11DisplayOffset 10
#X11UseLocalhost yes #X11UseLocalhost yes
#PrintMotd yes #PermitTTY yes

View File

@ -1,10 +1,10 @@
# posix threads are generally not supported nor safe # posix threads are generally not supported nor safe
# (see upstream log from 2005-05-24) # (see upstream log from 2005-05-24)
diff --git a/openssh-6.4p1/auth-pam.c b/openssh-6.4p1/auth-pam.c diff --git a/openssh-6.5p1/auth-pam.c b/openssh-6.5p1/auth-pam.c
--- a/openssh-6.4p1/auth-pam.c --- a/openssh-6.5p1/auth-pam.c
+++ b/openssh-6.4p1/auth-pam.c +++ b/openssh-6.5p1/auth-pam.c
@@ -779,17 +779,19 @@ sshpam_query(void *ctx, char **name, cha @@ -781,17 +781,19 @@ sshpam_query(void *ctx, char **name, cha
} }
if (type == PAM_SUCCESS) { if (type == PAM_SUCCESS) {
if (!sshpam_authctxt->valid || if (!sshpam_authctxt->valid ||

View File

@ -1,10 +1,10 @@
# use same lines naming as utempter (prevents problems with using different # use same lines naming as utempter (prevents problems with using different
# formats in ?tmp? files) # formats in ?tmp? files)
diff --git a/openssh-6.4p1/loginrec.c b/openssh-6.4p1/loginrec.c diff --git a/openssh-6.5p1/loginrec.c b/openssh-6.5p1/loginrec.c
--- a/openssh-6.4p1/loginrec.c --- a/openssh-6.5p1/loginrec.c
+++ b/openssh-6.4p1/loginrec.c +++ b/openssh-6.5p1/loginrec.c
@@ -535,17 +535,17 @@ getlast_entry(struct logininfo *li) @@ -538,17 +538,17 @@ getlast_entry(struct logininfo *li)
/* /*
* 'line' string utility functions * 'line' string utility functions
* *
@ -23,7 +23,7 @@ diff --git a/openssh-6.4p1/loginrec.c b/openssh-6.4p1/loginrec.c
*/ */
@@ -596,16 +596,20 @@ line_abbrevname(char *dst, const char *s @@ -599,16 +599,20 @@ line_abbrevname(char *dst, const char *s
/* Always skip prefix if present */ /* Always skip prefix if present */
if (strncmp(src, "/dev/", 5) == 0) if (strncmp(src, "/dev/", 5) == 0)
src += 5; src += 5;

View File

@ -0,0 +1,28 @@
# related to bnc#49845, upstream bug #529
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
@@ -1399,17 +1399,21 @@ main(int ac, char **av)
saved_argv = xcalloc(ac + 1, sizeof(*saved_argv));
for (i = 0; i < ac; i++)
saved_argv[i] = xstrdup(av[i]);
saved_argv[i] = NULL;
#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
compat_init_setproctitle(ac, av);
- av = saved_argv;
+
+ av = xmalloc(sizeof(*saved_argv) * (saved_argc + 1));
+ for (i = 0; i < saved_argc; i++)
+ av[i] = xstrdup(saved_argv[i]);
+ av[i] = NULL;
#endif
if (geteuid() == 0 && setgroups(0, NULL) == -1)
debug("setgroups(): %.200s", strerror(errno));
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();

View File

@ -1,9 +1,9 @@
# extended support for (re-)seeding the OpenSSL PRNG from /dev/random # extended support for (re-)seeding the OpenSSL PRNG from /dev/random
# bnc#703221, FATE#312172 # bnc#703221, FATE#312172
diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
--- a/openssh-6.4p1/audit-bsm.c --- a/openssh-6.5p1/audit-bsm.c
+++ b/openssh-6.4p1/audit-bsm.c +++ b/openssh-6.5p1/audit-bsm.c
@@ -504,9 +504,15 @@ audit_destroy_sensitive_data(const char @@ -504,9 +504,15 @@ audit_destroy_sensitive_data(const char
/* not implemented */ /* not implemented */
} }
@ -20,9 +20,9 @@ diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
+ /* not implemented */ + /* not implemented */
+} +}
#endif /* BSM */ #endif /* BSM */
diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.4p1/audit-linux.c --- a/openssh-6.5p1/audit-linux.c
+++ b/openssh-6.4p1/audit-linux.c +++ b/openssh-6.5p1/audit-linux.c
@@ -398,9 +398,31 @@ audit_generate_ephemeral_server_key(cons @@ -398,9 +398,31 @@ audit_generate_ephemeral_server_key(cons
} }
audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER, audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
@ -55,9 +55,9 @@ diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
+ error("cannot write into audit"); + error("cannot write into audit");
+} +}
#endif /* USE_LINUX_AUDIT */ #endif /* USE_LINUX_AUDIT */
diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
--- a/openssh-6.4p1/audit.c --- a/openssh-6.5p1/audit.c
+++ b/openssh-6.4p1/audit.c +++ b/openssh-6.5p1/audit.c
@@ -304,10 +304,16 @@ audit_destroy_sensitive_data(const char @@ -304,10 +304,16 @@ audit_destroy_sensitive_data(const char
/* /*
* This will be called on generation of the ephemeral server key * This will be called on generation of the ephemeral server key
@ -75,9 +75,9 @@ diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
+} +}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
--- a/openssh-6.4p1/audit.h --- a/openssh-6.5p1/audit.h
+++ b/openssh-6.4p1/audit.h +++ b/openssh-6.5p1/audit.h
@@ -63,10 +63,11 @@ void audit_key(int, int *, const Key *); @@ -63,10 +63,11 @@ void audit_key(int, int *, const Key *);
void audit_unsupported(int); void audit_unsupported(int);
void audit_kex(int, char *, char *, char *); void audit_kex(int, char *, char *, char *);
@ -90,9 +90,9 @@ diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
+void audit_linux_prng_seed(long, const char *); +void audit_linux_prng_seed(long, const char *);
#endif /* _SSH_AUDIT_H */ #endif /* _SSH_AUDIT_H */
diff --git a/openssh-6.4p1/entropy.c b/openssh-6.4p1/entropy.c diff --git a/openssh-6.5p1/entropy.c b/openssh-6.5p1/entropy.c
--- a/openssh-6.4p1/entropy.c --- a/openssh-6.5p1/entropy.c
+++ b/openssh-6.4p1/entropy.c +++ b/openssh-6.5p1/entropy.c
@@ -45,16 +45,17 @@ @@ -45,16 +45,17 @@
#include "ssh.h" #include "ssh.h"
@ -126,17 +126,17 @@ diff --git a/openssh-6.4p1/entropy.c b/openssh-6.4p1/entropy.c
if (RAND_status() != 1) if (RAND_status() != 1)
fatal("PRNG is not seeded"); fatal("PRNG is not seeded");
} }
diff --git a/openssh-6.4p1/openbsd-compat/Makefile.in b/openssh-6.4p1/openbsd-compat/Makefile.in diff --git a/openssh-6.5p1/openbsd-compat/Makefile.in b/openssh-6.5p1/openbsd-compat/Makefile.in
--- a/openssh-6.4p1/openbsd-compat/Makefile.in --- a/openssh-6.5p1/openbsd-compat/Makefile.in
+++ b/openssh-6.4p1/openbsd-compat/Makefile.in +++ b/openssh-6.5p1/openbsd-compat/Makefile.in
@@ -15,17 +15,17 @@ AR=@AR@ @@ -15,17 +15,17 @@ AR=@AR@
RANLIB=@RANLIB@ RANLIB=@RANLIB@
INSTALL=@INSTALL@ INSTALL=@INSTALL@
LDFLAGS=-L. @LDFLAGS@ LDFLAGS=-L. @LDFLAGS@
OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o -PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o +PORTS=port-aix.o port-irix.o port-linux.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
@ -148,10 +148,10 @@ diff --git a/openssh-6.4p1/openbsd-compat/Makefile.in b/openssh-6.4p1/openbsd-co
$(COMPAT): ../config.h $(COMPAT): ../config.h
$(OPENBSD): ../config.h $(OPENBSD): ../config.h
diff --git a/openssh-6.4p1/openbsd-compat/port-linux-prng.c b/openssh-6.4p1/openbsd-compat/port-linux-prng.c diff --git a/openssh-6.5p1/openbsd-compat/port-linux-prng.c b/openssh-6.5p1/openbsd-compat/port-linux-prng.c
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/openbsd-compat/port-linux-prng.c +++ b/openssh-6.5p1/openbsd-compat/port-linux-prng.c
@@ -0,0 +1,79 @@ @@ -0,0 +1,79 @@
+/* +/*
+ * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com> + * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com>
@ -232,9 +232,9 @@ new file mode 100644
+ fatal ("EOF reading %s", random); + fatal ("EOF reading %s", random);
+ } + }
+} +}
diff --git a/openssh-6.4p1/openbsd-compat/port-linux.h b/openssh-6.4p1/openbsd-compat/port-linux.h diff --git a/openssh-6.5p1/openbsd-compat/port-linux.h b/openssh-6.5p1/openbsd-compat/port-linux.h
--- a/openssh-6.4p1/openbsd-compat/port-linux.h --- a/openssh-6.5p1/openbsd-compat/port-linux.h
+++ b/openssh-6.4p1/openbsd-compat/port-linux.h +++ b/openssh-6.5p1/openbsd-compat/port-linux.h
@@ -14,16 +14,20 @@ @@ -14,16 +14,20 @@
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
@ -256,10 +256,10 @@ diff --git a/openssh-6.4p1/openbsd-compat/port-linux.h b/openssh-6.4p1/openbsd-c
void ssh_selinux_setfscreatecon(const char *); void ssh_selinux_setfscreatecon(const char *);
#endif #endif
diff --git a/openssh-6.4p1/ssh-add.1 b/openssh-6.4p1/ssh-add.1 diff --git a/openssh-6.5p1/ssh-add.1 b/openssh-6.5p1/ssh-add.1
--- a/openssh-6.4p1/ssh-add.1 --- a/openssh-6.5p1/ssh-add.1
+++ b/openssh-6.4p1/ssh-add.1 +++ b/openssh-6.5p1/ssh-add.1
@@ -155,16 +155,30 @@ or related script. @@ -156,16 +156,30 @@ or related script.
(Note that on some machines it (Note that on some machines it
may be necessary to redirect the input from may be necessary to redirect the input from
.Pa /dev/null .Pa /dev/null
@ -290,10 +290,10 @@ diff --git a/openssh-6.4p1/ssh-add.1 b/openssh-6.4p1/ssh-add.1
.It Pa ~/.ssh/id_dsa .It Pa ~/.ssh/id_dsa
Contains the protocol version 2 DSA authentication identity of the user. Contains the protocol version 2 DSA authentication identity of the user.
.It Pa ~/.ssh/id_ecdsa .It Pa ~/.ssh/id_ecdsa
diff --git a/openssh-6.4p1/ssh-agent.1 b/openssh-6.4p1/ssh-agent.1 diff --git a/openssh-6.5p1/ssh-agent.1 b/openssh-6.5p1/ssh-agent.1
--- a/openssh-6.4p1/ssh-agent.1 --- a/openssh-6.5p1/ssh-agent.1
+++ b/openssh-6.4p1/ssh-agent.1 +++ b/openssh-6.5p1/ssh-agent.1
@@ -193,16 +193,33 @@ Contains the protocol version 2 ECDSA au @@ -196,16 +196,33 @@ Contains the protocol version 2 ED25519
.It Pa ~/.ssh/id_rsa .It Pa ~/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of the user. Contains the protocol version 2 RSA authentication identity of the user.
.It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt .It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt
@ -327,10 +327,10 @@ diff --git a/openssh-6.4p1/ssh-agent.1 b/openssh-6.4p1/ssh-agent.1
.Sh AUTHORS .Sh AUTHORS
OpenSSH is a derivative of the original and free OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen. ssh 1.2.12 release by Tatu Ylonen.
diff --git a/openssh-6.4p1/ssh-keygen.1 b/openssh-6.4p1/ssh-keygen.1 diff --git a/openssh-6.5p1/ssh-keygen.1 b/openssh-6.5p1/ssh-keygen.1
--- a/openssh-6.4p1/ssh-keygen.1 --- a/openssh-6.5p1/ssh-keygen.1
+++ b/openssh-6.4p1/ssh-keygen.1 +++ b/openssh-6.5p1/ssh-keygen.1
@@ -800,16 +800,33 @@ on all machines @@ -827,16 +827,33 @@ on all machines
where the user wishes to log in using public key authentication. where the user wishes to log in using public key authentication.
There is no need to keep the contents of this file secret. There is no need to keep the contents of this file secret.
.Pp .Pp
@ -364,14 +364,14 @@ diff --git a/openssh-6.4p1/ssh-keygen.1 b/openssh-6.4p1/ssh-keygen.1
.Xr sshd 8 .Xr sshd 8
.Rs .Rs
.%R RFC 4716 .%R RFC 4716
diff --git a/openssh-6.4p1/ssh-keysign.8 b/openssh-6.4p1/ssh-keysign.8 diff --git a/openssh-6.5p1/ssh-keysign.8 b/openssh-6.5p1/ssh-keysign.8
--- a/openssh-6.4p1/ssh-keysign.8 --- a/openssh-6.5p1/ssh-keysign.8
+++ b/openssh-6.4p1/ssh-keysign.8 +++ b/openssh-6.5p1/ssh-keysign.8
@@ -73,16 +73,33 @@ Since they are readable only by root, @@ -75,16 +75,33 @@ must be set-uid root if host-based authe
must be set-uid root if host-based authentication is used.
.Pp .Pp
.It Pa /etc/ssh/ssh_host_dsa_key-cert.pub .It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
.It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub .It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
.It Pa /etc/ssh/ssh_host_rsa_key-cert.pub .It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
If these files exist they are assumed to contain public certificate If these files exist they are assumed to contain public certificate
information corresponding with the private keys above. information corresponding with the private keys above.
@ -401,10 +401,10 @@ diff --git a/openssh-6.4p1/ssh-keysign.8 b/openssh-6.4p1/ssh-keysign.8
.Sh HISTORY .Sh HISTORY
.Nm .Nm
first appeared in first appeared in
diff --git a/openssh-6.4p1/ssh.1 b/openssh-6.4p1/ssh.1 diff --git a/openssh-6.5p1/ssh.1 b/openssh-6.5p1/ssh.1
--- a/openssh-6.4p1/ssh.1 --- a/openssh-6.5p1/ssh.1
+++ b/openssh-6.4p1/ssh.1 +++ b/openssh-6.5p1/ssh.1
@@ -1290,16 +1290,30 @@ reads @@ -1304,16 +1304,30 @@ reads
and adds lines of the format and adds lines of the format
.Dq VARNAME=value .Dq VARNAME=value
to the environment if the file exists and users are allowed to to the environment if the file exists and users are allowed to
@ -435,10 +435,10 @@ diff --git a/openssh-6.4p1/ssh.1 b/openssh-6.4p1/ssh.1
world-readable if the user's home directory is on an NFS partition, world-readable if the user's home directory is on an NFS partition,
because because
.Xr sshd 8 .Xr sshd 8
diff --git a/openssh-6.4p1/sshd.8 b/openssh-6.4p1/sshd.8 diff --git a/openssh-6.5p1/sshd.8 b/openssh-6.5p1/sshd.8
--- a/openssh-6.4p1/sshd.8 --- a/openssh-6.5p1/sshd.8
+++ b/openssh-6.4p1/sshd.8 +++ b/openssh-6.5p1/sshd.8
@@ -941,16 +941,33 @@ and not group or world-writable. @@ -946,16 +946,33 @@ and not group or world-writable.
.It Pa /var/run/sshd.pid .It Pa /var/run/sshd.pid
Contains the process ID of the Contains the process ID of the
.Nm .Nm
@ -472,9 +472,9 @@ diff --git a/openssh-6.4p1/sshd.8 b/openssh-6.4p1/sshd.8
.Xr ssh-agent 1 , .Xr ssh-agent 1 ,
.Xr ssh-keygen 1 , .Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 , .Xr ssh-keyscan 1 ,
diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.4p1/sshd.c --- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.4p1/sshd.c +++ b/openssh-6.5p1/sshd.c
@@ -50,16 +50,18 @@ @@ -50,16 +50,18 @@
#ifdef HAVE_SYS_STAT_H #ifdef HAVE_SYS_STAT_H
# include <sys/stat.h> # include <sys/stat.h>
@ -518,7 +518,7 @@ diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
/* This is set to true when a signal is received. */ /* This is set to true when a signal is received. */
static volatile sig_atomic_t received_sighup = 0; static volatile sig_atomic_t received_sighup = 0;
static volatile sig_atomic_t received_sigterm = 0; static volatile sig_atomic_t received_sigterm = 0;
@@ -1300,16 +1309,21 @@ server_accept_loop(int *sock_in, int *so @@ -1313,16 +1322,21 @@ server_accept_loop(int *sock_in, int *so
for (j = 0; j < options.max_startups; j++) for (j = 0; j < options.max_startups; j++)
if (startup_pipes[j] == -1) { if (startup_pipes[j] == -1) {
startup_pipes[j] = startup_p[0]; startup_pipes[j] = startup_p[0];

View File

@ -1,9 +1,9 @@
# send locales in default configuration # send locales in default configuration
# bnc#65747 # bnc#65747
diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
--- a/openssh-6.4p1/ssh_config --- a/openssh-6.5p1/ssh_config
+++ b/openssh-6.4p1/ssh_config +++ b/openssh-6.5p1/ssh_config
@@ -58,9 +58,14 @@ ForwardX11Trusted yes @@ -58,9 +58,14 @@ ForwardX11Trusted yes
# ProxyCommand ssh -q -W %h:%p gateway.example.com # ProxyCommand ssh -q -W %h:%p gateway.example.com
@ -19,10 +19,10 @@ diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config
+SendEnv LC_IDENTIFICATION LC_ALL +SendEnv LC_IDENTIFICATION LC_ALL
+ +
# RekeyLimit 1G 1h # RekeyLimit 1G 1h
diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
--- a/openssh-6.4p1/sshd_config --- a/openssh-6.5p1/sshd_config
+++ b/openssh-6.4p1/sshd_config +++ b/openssh-6.5p1/sshd_config
@@ -125,13 +125,18 @@ UsePrivilegeSeparation sandbox # Defaul @@ -127,14 +127,19 @@ UsePrivilegeSeparation sandbox # Defaul
#VersionAddendum none #VersionAddendum none
# no default banner path # no default banner path
@ -40,4 +40,5 @@ diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config
#Match User anoncvs #Match User anoncvs
# X11Forwarding no # X11Forwarding no
# AllowTcpForwarding no # AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server # ForceCommand cvs server

View File

@ -0,0 +1,155 @@
# additional option for sftp-server to force file mode for new files
# FATE#312774
# http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-November/029044.html
# http://marc.info/?l=openssh-unix-dev&m=128896838930893
diff --git a/openssh-6.5p1/sftp-server.8 b/openssh-6.5p1/sftp-server.8
--- a/openssh-6.5p1/sftp-server.8
+++ b/openssh-6.5p1/sftp-server.8
@@ -33,16 +33,17 @@
.Bk -words
.Op Fl ehR
.Op Fl d Ar start_directory
.Op Fl f Ar log_facility
.Op Fl l Ar log_level
.Op Fl P Ar blacklisted_requests
.Op Fl p Ar whitelisted_requests
.Op Fl u Ar umask
+.Op Fl m Ar force_file_permissions
.Ek
.Nm
.Fl Q Ar protocol_feature
.Sh DESCRIPTION
.Nm
is a program that speaks the server side of SFTP protocol
to stdout and expects client requests from stdin.
.Nm
@@ -133,16 +134,20 @@ Places this instance of
into a read-only mode.
Attempts to open files for writing, as well as other operations that change
the state of the filesystem, will be denied.
.It Fl u Ar umask
Sets an explicit
.Xr umask 2
to be applied to newly-created files and directories, instead of the
user's default mask.
+.It Fl m Ar force_file_permissions
+Sets explicit file permissions to be applied to newly-created files instead
+of the default or client requested mode. Numeric values include:
+777, 755, 750, 666, 644, 640, etc. Option -u is ineffective if -m is set.
.El
.Pp
For logging to work,
.Nm
must be able to access
.Pa /dev/log .
Use of
.Nm
diff --git a/openssh-6.5p1/sftp-server.c b/openssh-6.5p1/sftp-server.c
--- a/openssh-6.5p1/sftp-server.c
+++ b/openssh-6.5p1/sftp-server.c
@@ -75,16 +75,20 @@ static u_int version;
static int init_done;
/* Disable writes */
static int readonly;
/* Requests that are allowed/denied */
static char *request_whitelist, *request_blacklist;
+/* Force file permissions */
+int permforce = 0;
+long permforcemode;
+
/* portable attributes, etc. */
typedef struct Stat Stat;
struct Stat {
char *name;
char *long_name;
Attrib attrib;
};
@@ -670,16 +674,20 @@ process_open(u_int32_t id)
int handle, fd, flags, mode, status = SSH2_FX_FAILURE;
name = get_string(NULL);
pflags = get_int(); /* portable flags */
debug3("request %u: open flags %d", id, pflags);
a = get_attrib();
flags = flags_from_portable(pflags);
mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a->perm : 0666;
+ if (permforce == 1) {
+ mode = permforcemode;
+ (void)umask(0); /* so umask does not interfere */
+ }
logit("open \"%s\" flags %s mode 0%o",
name, string_from_portable(pflags), mode);
if (readonly &&
((flags & O_ACCMODE) == O_WRONLY ||
(flags & O_ACCMODE) == O_RDWR)) {
verbose("Refusing open request in read-only mode");
status = SSH2_FX_PERMISSION_DENIED;
} else {
@@ -1425,17 +1433,18 @@ sftp_server_cleanup_exit(int i)
static void
sftp_server_usage(void)
{
extern char *__progname;
fprintf(stderr,
"usage: %s [-ehR] [-d start_directory] [-f log_facility] "
"[-l log_level]\n\t[-P blacklisted_requests] "
- "[-p whitelisted_requests] [-u umask]\n"
+ "[-p whitelisted_requests] [-u umask]\n\t"
+ "[-m force_file_permissions]\n",
" %s -Q protocol_feature\n",
__progname, __progname);
exit(1);
}
int
sftp_server_main(int argc, char **argv, struct passwd *user_pw)
{
@@ -1450,17 +1459,17 @@ sftp_server_main(int argc, char **argv,
extern char *__progname;
__progname = ssh_get_progname(argv[0]);
log_init(__progname, log_level, log_facility, log_stderr);
pw = pwcopy(user_pw);
while (!skipargs && (ch = getopt(argc, argv,
- "d:f:l:P:p:Q:u:cehR")) != -1) {
+ "d:f:l:P:p:Q:u:m:cehR")) != -1) {
switch (ch) {
case 'Q':
if (strcasecmp(optarg, "requests") != 0) {
fprintf(stderr, "Invalid query type\n");
exit(1);
}
for (i = 0; handlers[i].handler != NULL; i++)
printf("%s\n", handlers[i].name);
@@ -1510,16 +1519,23 @@ sftp_server_main(int argc, char **argv,
case 'u':
errno = 0;
mask = strtol(optarg, &cp, 8);
if (mask < 0 || mask > 0777 || *cp != '\0' ||
cp == optarg || (mask == 0 && errno != 0))
fatal("Invalid umask \"%s\"", optarg);
(void)umask((mode_t)mask);
break;
+ case 'm':
+ permforce = 1;
+ permforcemode = strtol(optarg, &cp, 8);
+ if (permforcemode < 0 || permforcemode > 0777 || *cp != '\0' ||
+ cp == optarg || (permforcemode == 0 && errno != 0))
+ fatal("Invalid umask \"%s\"", optarg);
+ break;
case 'h':
default:
sftp_server_usage();
}
}
log_init(__progname, log_level, log_facility, log_stderr);

View File

@ -1,8 +1,8 @@
# run sftp sessions inside a chroot # run sftp sessions inside a chroot
diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
--- a/openssh-6.4p1/session.c --- a/openssh-6.5p1/session.c
+++ b/openssh-6.4p1/session.c +++ b/openssh-6.5p1/session.c
@@ -120,16 +120,18 @@ int do_exec(Session *, const char *); @@ -120,16 +120,18 @@ int do_exec(Session *, const char *);
void do_login(Session *, const char *); void do_login(Session *, const char *);
#ifdef LOGIN_NEEDS_UTMPX #ifdef LOGIN_NEEDS_UTMPX
@ -22,13 +22,13 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
/* import */ /* import */
extern ServerOptions options; extern ServerOptions options;
extern char *__progname; extern char *__progname;
@@ -818,16 +820,21 @@ do_exec(Session *s, const char *command) @@ -827,16 +829,21 @@ do_exec(Session *s, const char *command)
if (IS_INTERNAL_SFTP(command)) { "subsystem '%.900s'", s->subsys);
s->is_subsystem = s->is_subsystem ? } else if (command == NULL) {
SUBSYSTEM_INT_SFTP : SUBSYSTEM_INT_SFTP_ERROR; snprintf(session_type, sizeof(session_type), "shell");
} else if (s->is_subsystem) } else {
s->is_subsystem = SUBSYSTEM_EXT; /* NB. we don't log unforced commands to preserve privacy */
debug("Forced command (key option) '%.900s'", command); snprintf(session_type, sizeof(session_type), "command");
} }
+ if ((s->is_subsystem != SUBSYSTEM_INT_SFTP) && chroot_no_tree) { + if ((s->is_subsystem != SUBSYSTEM_INT_SFTP) && chroot_no_tree) {
@ -36,15 +36,15 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
+ exit (1); + exit (1);
+ } + }
+ +
#ifdef SSH_AUDIT_EVENTS if (s->ttyfd != -1) {
if (s->command != NULL || s->command_handle != -1) tty = s->tty;
fatal("do_exec: command already set"); if (strncmp(tty, "/dev/", 5) == 0)
if (command != NULL) tty += 5;
s->command = xstrdup(command); }
else if (s->ttyfd == -1) {
char *shell = s->pw->pw_shell;
@@ -1435,67 +1442,132 @@ do_nologin(struct passwd *pw) verbose("Starting session: %s%s%s for %s from %.200s port %d",
session_type,
@@ -1458,67 +1465,132 @@ do_nologin(struct passwd *pw)
while (fgets(buf, sizeof(buf), f)) while (fgets(buf, sizeof(buf), f))
fputs(buf, stderr); fputs(buf, stderr);
fclose(f); fclose(f);
@ -179,10 +179,10 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
do_setusercontext(struct passwd *pw) do_setusercontext(struct passwd *pw)
{ {
char *chroot_path, *tmp; char *chroot_path, *tmp;
diff --git a/openssh-6.4p1/sftp-chrootenv.h b/openssh-6.4p1/sftp-chrootenv.h diff --git a/openssh-6.5p1/sftp-chrootenv.h b/openssh-6.5p1/sftp-chrootenv.h
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/openssh-6.4p1/sftp-chrootenv.h +++ b/openssh-6.5p1/sftp-chrootenv.h
@@ -0,0 +1,30 @@ @@ -0,0 +1,30 @@
+/* +/*
+ * Copyright (c) 2009 Jan F Chadima. All rights reserved. + * Copyright (c) 2009 Jan F Chadima. All rights reserved.
@ -214,10 +214,10 @@ new file mode 100644
+ +
+#endif +#endif
+ +
diff --git a/openssh-6.4p1/sftp-common.c b/openssh-6.4p1/sftp-common.c diff --git a/openssh-6.5p1/sftp-common.c b/openssh-6.5p1/sftp-common.c
--- a/openssh-6.4p1/sftp-common.c --- a/openssh-6.5p1/sftp-common.c
+++ b/openssh-6.4p1/sftp-common.c +++ b/openssh-6.5p1/sftp-common.c
@@ -41,16 +41,17 @@ @@ -42,16 +42,17 @@
#endif #endif
#include "xmalloc.h" #include "xmalloc.h"
@ -235,13 +235,13 @@ diff --git a/openssh-6.4p1/sftp-common.c b/openssh-6.4p1/sftp-common.c
a->flags = 0; a->flags = 0;
a->size = 0; a->size = 0;
a->uid = 0; a->uid = 0;
@@ -191,23 +192,23 @@ ls_file(const char *name, const struct s @@ -193,23 +194,23 @@ ls_file(const char *name, const struct s
{
int ulen, glen, sz = 0; int ulen, glen, sz = 0;
struct tm *ltime = localtime(&st->st_mtime); struct tm *ltime = localtime(&st->st_mtime);
char *user, *group; char *user, *group;
char buf[1024], mode[11+1], tbuf[12+1], ubuf[11+1], gbuf[11+1]; char buf[1024], mode[11+1], tbuf[12+1], ubuf[11+1], gbuf[11+1];
char sbuf[FMT_SCALED_STRSIZE]; char sbuf[FMT_SCALED_STRSIZE];
time_t now;
strmode(st->st_mode, mode); strmode(st->st_mode, mode);
- if (!remote) { - if (!remote) {
@ -259,11 +259,11 @@ diff --git a/openssh-6.4p1/sftp-common.c b/openssh-6.4p1/sftp-common.c
group = gbuf; group = gbuf;
} }
if (ltime != NULL) { if (ltime != NULL) {
if (time(NULL) - st->st_mtime < (365*24*60*60)/2) now = time(NULL);
sz = strftime(tbuf, sizeof tbuf, "%b %e %H:%M", ltime); if (now - (365*24*60*60)/2 < st->st_mtime &&
diff --git a/openssh-6.4p1/sftp-server-main.c b/openssh-6.4p1/sftp-server-main.c diff --git a/openssh-6.5p1/sftp-server-main.c b/openssh-6.5p1/sftp-server-main.c
--- a/openssh-6.4p1/sftp-server-main.c --- a/openssh-6.5p1/sftp-server-main.c
+++ b/openssh-6.4p1/sftp-server-main.c +++ b/openssh-6.5p1/sftp-server-main.c
@@ -17,21 +17,24 @@ @@ -17,21 +17,24 @@
#include "includes.h" #include "includes.h"
@ -289,10 +289,10 @@ diff --git a/openssh-6.4p1/sftp-server-main.c b/openssh-6.4p1/sftp-server-main.c
int int
main(int argc, char **argv) main(int argc, char **argv)
diff --git a/openssh-6.4p1/sftp.c b/openssh-6.4p1/sftp.c diff --git a/openssh-6.5p1/sftp.c b/openssh-6.5p1/sftp.c
--- a/openssh-6.4p1/sftp.c --- a/openssh-6.5p1/sftp.c
+++ b/openssh-6.4p1/sftp.c +++ b/openssh-6.5p1/sftp.c
@@ -106,16 +106,18 @@ struct complete_ctx { @@ -109,16 +109,18 @@ struct complete_ctx {
char **remote_pathp; char **remote_pathp;
}; };
@ -311,9 +311,9 @@ diff --git a/openssh-6.4p1/sftp.c b/openssh-6.4p1/sftp.c
#define LS_SHORT_VIEW 0x0002 /* Single row view ala ls -1 */ #define LS_SHORT_VIEW 0x0002 /* Single row view ala ls -1 */
#define LS_NUMERIC_VIEW 0x0004 /* Long view with numeric uid/gid */ #define LS_NUMERIC_VIEW 0x0004 /* Long view with numeric uid/gid */
#define LS_NAME_SORT 0x0008 /* Sort by name (default) */ #define LS_NAME_SORT 0x0008 /* Sort by name (default) */
diff --git a/openssh-6.4p1/sshd_config.0 b/openssh-6.4p1/sshd_config.0 diff --git a/openssh-6.5p1/sshd_config.0 b/openssh-6.5p1/sshd_config.0
--- a/openssh-6.4p1/sshd_config.0 --- a/openssh-6.5p1/sshd_config.0
+++ b/openssh-6.4p1/sshd_config.0 +++ b/openssh-6.5p1/sshd_config.0
@@ -189,16 +189,24 @@ DESCRIPTION @@ -189,16 +189,24 @@ DESCRIPTION
session this requires at least a shell, typically sh(1), and session this requires at least a shell, typically sh(1), and
basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4),
@ -335,13 +335,13 @@ diff --git a/openssh-6.4p1/sshd_config.0 b/openssh-6.4p1/sshd_config.0
Ciphers Ciphers
Specifies the ciphers allowed for protocol version 2. Multiple Specifies the ciphers allowed for protocol version 2. Multiple
ciphers must be comma-separated. The supported ciphers are ciphers must be comma-separated. The supported ciphers are:
``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'',
``aes128-gcm@openssh.com'', ``aes256-gcm@openssh.com'', diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5
diff --git a/openssh-6.4p1/sshd_config.5 b/openssh-6.4p1/sshd_config.5 --- a/openssh-6.5p1/sshd_config.5
--- a/openssh-6.4p1/sshd_config.5 +++ b/openssh-6.5p1/sshd_config.5
+++ b/openssh-6.4p1/sshd_config.5
@@ -324,16 +324,27 @@ For file transfer sessions using @@ -324,16 +324,27 @@ For file transfer sessions using
no additional configuration of the environment is necessary if the no additional configuration of the environment is necessary if the
in-process sftp server is used, in-process sftp server is used,
@ -367,6 +367,6 @@ diff --git a/openssh-6.4p1/sshd_config.5 b/openssh-6.4p1/sshd_config.5
.It Cm Ciphers .It Cm Ciphers
Specifies the ciphers allowed for protocol version 2. Specifies the ciphers allowed for protocol version 2.
Multiple ciphers must be comma-separated. Multiple ciphers must be comma-separated.
The supported ciphers are The supported ciphers are:
.Pp
.Dq 3des-cbc , .Dq 3des-cbc ,
.Dq aes128-cbc ,

View File

@ -1,10 +1,10 @@
# try to remove xauth cookies on logout # try to remove xauth cookies on logout
# bnc#98815 # bnc#98815
diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
--- a/openssh-6.4p1/session.c --- a/openssh-6.5p1/session.c
+++ b/openssh-6.4p1/session.c +++ b/openssh-6.5p1/session.c
@@ -2477,18 +2477,50 @@ session_exit_message(Session *s, int sta @@ -2505,18 +2505,50 @@ session_exit_message(Session *s, int sta
if (c->ostate != CHAN_OUTPUT_CLOSED) if (c->ostate != CHAN_OUTPUT_CLOSED)
chan_write_failed(c); chan_write_failed(c);
} }

View File

@ -1,10 +1,10 @@
# handle hostname changes when forwarding X # handle hostname changes when forwarding X
# bnc#98627 # bnc#98627
diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
--- a/openssh-6.4p1/session.c --- a/openssh-6.5p1/session.c
+++ b/openssh-6.4p1/session.c +++ b/openssh-6.5p1/session.c
@@ -1118,17 +1118,17 @@ copy_environment(char **source, char *** @@ -1141,17 +1141,17 @@ copy_environment(char **source, char ***
debug3("Copy environment: %s=%s", var_name, var_val); debug3("Copy environment: %s=%s", var_name, var_val);
child_set_env(env, envsize, var_name, var_val); child_set_env(env, envsize, var_name, var_val);
@ -23,7 +23,7 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
char *path = NULL; char *path = NULL;
#endif #endif
@@ -1305,25 +1305,27 @@ do_setup_env(Session *s, const char *she @@ -1328,25 +1328,27 @@ do_setup_env(Session *s, const char *she
read_environment_file(&env, &envsize, buf); read_environment_file(&env, &envsize, buf);
} }
if (debug_flag) { if (debug_flag) {
@ -52,7 +52,7 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
do_xauth = do_xauth =
s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL; s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
@@ -1367,22 +1369,30 @@ do_rc_files(Session *s, const char *shel @@ -1390,22 +1392,30 @@ do_rc_files(Session *s, const char *shel
"%.500s add %.100s %.100s %.100s\n", "%.500s add %.100s %.100s %.100s\n",
options.xauth_location, s->auth_display, options.xauth_location, s->auth_display,
s->auth_proto, s->auth_data); s->auth_proto, s->auth_data);
@ -83,7 +83,7 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
} }
static void static void
@@ -1631,16 +1641,17 @@ child_close_fds(void) @@ -1659,16 +1669,17 @@ child_close_fds(void)
* ids, and executing the command or shell. * ids, and executing the command or shell.
*/ */
#define ARGV_MAX 10 #define ARGV_MAX 10
@ -101,7 +101,7 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
/* remove hostkey from the child's memory */ /* remove hostkey from the child's memory */
destroy_sensitive_data(); destroy_sensitive_data();
@@ -1697,17 +1708,17 @@ do_child(Session *s, const char *command @@ -1725,17 +1736,17 @@ do_child(Session *s, const char *command
* legal, and means /bin/sh. * legal, and means /bin/sh.
*/ */
shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell; shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
@ -120,7 +120,7 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
/* we have to stash the hostname before we close our socket. */ /* we have to stash the hostname before we close our socket. */
if (options.use_login) if (options.use_login)
hostname = get_remote_name_or_ip(utmp_len, hostname = get_remote_name_or_ip(utmp_len,
@@ -1766,17 +1777,17 @@ do_child(Session *s, const char *command @@ -1794,17 +1805,17 @@ do_child(Session *s, const char *command
strerror(errno)); strerror(errno));
if (r) if (r)
exit(1); exit(1);

3
openssh-6.5p1.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a1195ed55db945252d5a1730d4a2a2a5c1c9a6aa01ef2e5af750a962623d9027
size 1293187

View File

@ -1,3 +1,8 @@
-------------------------------------------------------------------
Wed Feb 12 01:24:16 UTC 2014 - pcerny@suse.com
- Update of the underlying OpenSSH to 6.5p1
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Jan 24 15:13:09 UTC 2014 - pcerny@suse.com Fri Jan 24 15:13:09 UTC 2014 - pcerny@suse.com

View File

@ -26,7 +26,7 @@ BuildRequires: openssl-devel
BuildRequires: pam-devel BuildRequires: pam-devel
BuildRequires: tcpd-devel BuildRequires: tcpd-devel
BuildRequires: update-desktop-files BuildRequires: update-desktop-files
Version: 6.4p1 Version: 6.5p1
Release: 0 Release: 0
Requires: openssh = %{version} Requires: openssh = %{version}
Summary: A GNOME-Based Passphrase Dialog for OpenSSH Summary: A GNOME-Based Passphrase Dialog for OpenSSH

View File

@ -1,3 +1,98 @@
-------------------------------------------------------------------
Wed Feb 12 01:24:16 UTC 2014 - pcerny@suse.com
- Update to 6.5p1
Features since 6.4p1:
* ssh(1), sshd(8): support for key exchange using ECDH in
Daniel Bernstein's Curve25519; default when both the client
and server support it.
* ssh(1), sshd(8): support for Ed25519 as a public key type fo
rboth server and client. Ed25519 is an EC signature offering
better security than ECDSA and DSA and good performance.
* Add a new private key format that uses a bcrypt KDF to better
protect keys at rest. Used unconditionally for Ed25519 keys,
on demand for other key types via the -o ssh-keygen(1)
option. Intended to become default in the near future.
Details documented in PROTOCOL.key.
* ssh(1), sshd(8): new transport cipher
"chacha20-poly1305@openssh.com" combining Daniel Bernstein's
ChaCha20 stream cipher and Poly1305 MAC to build an
authenticated encryption mode. Details documented
PROTOCOL.chacha20poly1305.
* ssh(1), sshd(8): refuse RSA keys from old proprietary clients
and servers that use the obsolete RSA+MD5 signature scheme.
It will still be possible to connect with these
clients/servers but only DSA keys will be accepted, and
OpenSSH will refuse connection entirely in a future release.
* ssh(1), sshd(8): refuse old proprietary clients and servers
that use a weaker key exchange hash calculation.
* ssh(1): increase the size of the Diffie-Hellman groups
requested for each symmetric key size. New values from NIST
Special Publication 800-57 with the upper limit specified by
RFC4419.
* ssh(1), ssh-agent(1): support pkcs#11 tokens that only
provide X.509 certs instead of raw public keys (requested as
bz#1908).
* ssh(1): new ssh_config(5) "Match" keyword that allows
conditional configuration to be applied by matching on
hostname, user and result of arbitrary commands.
* ssh(1): support for client-side hostname canonicalisation
using a set of DNS suffixes and rules in ssh_config(5). This
allows unqualified names to be canonicalised to
fully-qualified domain names to eliminate ambiguity when
looking up keys in known_hosts or checking host certificate
names.
* sftp-server(8): ability to whitelist and/or blacklist sftp
protocol requests by name.
* sftp-server(8): sftp "fsync@openssh.com" to support calling
fsync(2) on an open file handle.
* sshd(8): ssh_config(5) PermitTTY to disallow TTY allocation,
mirroring the longstanding no-pty authorized_keys option.
* ssh(1): ssh_config ProxyUseFDPass option that supports the
use of ProxyCommands that establish a connection and then
pass a connected file descriptor back to ssh(1). This allows
the ProxyCommand to exit rather than staying around to
transfer data.
Bugfixes since 6.4p1:
* ssh(1), sshd(8): fix potential stack exhaustion caused by
nested certificates.
* ssh(1): bz#1211: make BindAddress work with
UsePrivilegedPort.
* sftp(1): bz#2137: fix the progress meter for resumed
transfer.
* ssh-add(1): bz#2187: do not request smartcard PIN when
removing keys from ssh-agent.
* sshd(8): bz#2139: fix re-exec fallback when original sshd
binary cannot be executed.
* ssh-keygen(1): make relative-specified certificate expiry
times relative to current time and not the validity start
time.
* sshd(8): bz#2161: fix AuthorizedKeysCommand inside a Match
block.
* sftp(1): bz#2129: symlinking a file would incorrectly
canonicalise the target path.
* ssh-agent(1): bz#2175: fix a use-after-free in the PKCS#11
agent helper executable.
* sshd(8): improve logging of sessions to include the user
name, remote host and port, the session type (shell, command,
etc.) and allocated TTY (if any).
* sshd(8): bz#1297: tell the client (via a debug message) when
their preferred listen address has been overridden by the
server's GatewayPorts setting.
* sshd(8): bz#2162: include report port in bad protocol banner
message.
* sftp(1): bz#2163: fix memory leak in error path in
do_readdir().
* sftp(1): bz#2171: don't leak file descriptor on error.
* sshd(8): include the local address and port in "Connection
from ..." message (only shown at loglevel>=verbose).
- systemd systems
* create sysconfig file on systemd systems as well, yet do not
require it at run-time (bnc#862600)
* symlink rcsshd to /usr/bin/service
- rename "-forcepermissions" patch to "-sftp_force_permissions"
- disable key converter - ssh-keygen is able to do the same
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Feb 11 07:42:09 UTC 2014 - meissner@suse.com Tue Feb 11 07:42:09 UTC 2014 - meissner@suse.com

View File

@ -41,17 +41,22 @@
%endif %endif
%if 0%{?suse_version} > 1140 %if 0%{?suse_version} > 1140
%define has_systemd 1
%define has_krb_mini 1 %define has_krb_mini 1
%else %else
%define has_systemd 0
%define has_krb_mini 0 %define has_krb_mini 0
%endif %endif
%if 0%{?suse_version} >= 1230 %if 0%{?suse_version} > 1220
%define init_script_allowed 0 %define uses_systemd 1
%else %else
%define init_script_allowed 1 %define uses_systemd 0
%endif
%define sandbox_seccomp 0
%ifarch %ix86 x86_64
%if 0%{?suse_version} > 1220
%define sandbox_seccomp 1
%endif
%endif %endif
%define _fwdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d %define _fwdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d
@ -77,17 +82,16 @@ BuildRequires: libselinux-devel
BuildRequires: openldap2-devel BuildRequires: openldap2-devel
BuildRequires: openssl-devel BuildRequires: openssl-devel
BuildRequires: pam-devel BuildRequires: pam-devel
%if %{has_systemd} %if %{uses_systemd}
BuildRequires: pkgconfig(systemd) BuildRequires: pkgconfig(systemd)
%{?systemd_requires} %{?systemd_requires}
%endif %endif
BuildRequires: tcpd-devel BuildRequires: tcpd-devel
Requires: /bin/netstat
PreReq: pwdutils %{insserv_prereq} %{fillup_prereq} coreutils PreReq: pwdutils %{insserv_prereq} %{fillup_prereq} coreutils
Conflicts: nonfreessh Conflicts: nonfreessh
Recommends: xauth Recommends: xauth
Recommends: %{name}-helpers Recommends: %{name}-helpers
Version: 6.4p1 Version: 6.5p1
Release: 0 Release: 0
Summary: Secure Shell Client and Server (Remote Login Program) Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-3-Clause and MIT License: BSD-3-Clause and MIT
@ -104,40 +108,41 @@ Source7: sshd.fw
Source8: sysconfig.ssh Source8: sysconfig.ssh
Source9: sshd-gen-keys-start Source9: sshd-gen-keys-start
Source10: sshd.service Source10: sshd.service
Patch1: openssh-6.4p1-key-converter.patch Patch1: openssh-6.5p1-key-converter.patch
Patch2: openssh-6.4p1-X11-forwarding.patch Patch2: openssh-6.5p1-X11-forwarding.patch
Patch3: openssh-6.4p1-lastlog.patch Patch3: openssh-6.5p1-lastlog.patch
Patch4: openssh-6.4p1-pam-fix2.patch Patch4: openssh-6.5p1-pam-fix2.patch
Patch5: openssh-6.4p1-saveargv-fix.patch Patch5: openssh-6.5p1-saveargv-fix.patch
Patch6: openssh-6.4p1-pam-fix3.patch Patch6: openssh-6.5p1-pam-fix3.patch
Patch7: openssh-6.4p1-gssapimitm.patch Patch7: openssh-6.5p1-gssapimitm.patch
Patch8: openssh-6.4p1-eal3.patch Patch8: openssh-6.5p1-eal3.patch
Patch9: openssh-6.4p1-blocksigalrm.patch Patch9: openssh-6.5p1-blocksigalrm.patch
Patch10: openssh-6.4p1-send_locale.patch Patch10: openssh-6.5p1-send_locale.patch
Patch11: openssh-6.4p1-xauthlocalhostname.patch Patch11: openssh-6.5p1-xauthlocalhostname.patch
Patch12: openssh-6.4p1-xauth.patch Patch12: openssh-6.5p1-xauth.patch
Patch13: openssh-6.4p1-default-protocol.patch Patch13: openssh-6.5p1-default-protocol.patch
Patch14: openssh-6.4p1-pts.patch Patch14: openssh-6.5p1-pts.patch
Patch15: openssh-6.4p1-pam-check-locks.patch Patch15: openssh-6.5p1-pam-check-locks.patch
Patch16: openssh-6.4p1-fingerprint_hash.patch Patch16: openssh-6.5p1-fingerprint_hash.patch
Patch17: openssh-6.4p1-audit1-remove_duplicit_audit.patch Patch17: openssh-6.5p1-audit1-remove_duplicit_audit.patch
Patch18: openssh-6.4p1-audit2-better_audit_of_user_actions.patch Patch18: openssh-6.5p1-audit2-better_audit_of_user_actions.patch
Patch19: openssh-6.4p1-audit3-key_auth_usage.patch Patch19: openssh-6.5p1-audit3-key_auth_usage.patch
Patch20: openssh-6.4p1-audit4-kex_results.patch Patch20: openssh-6.5p1-audit4-kex_results.patch
Patch21: openssh-6.4p1-audit5-session_key_destruction.patch Patch21: openssh-6.5p1-audit5-session_key_destruction.patch
Patch22: openssh-6.4p1-audit6-server_key_destruction.patch Patch22: openssh-6.5p1-audit6-server_key_destruction.patch
Patch23: openssh-6.4p1-audit7-libaudit_compat.patch Patch23: openssh-6.5p1-audit7-libaudit_compat.patch
Patch24: openssh-6.4p1-audit8-libaudit_dns_timeouts.patch Patch24: openssh-6.5p1-audit8-libaudit_dns_timeouts.patch
Patch25: openssh-6.4p1-seed-prng.patch Patch25: openssh-6.5p1-seed-prng.patch
Patch26: openssh-6.4p1-ldap.patch Patch26: openssh-6.5p1-ldap.patch
Patch27: openssh-6.4p1-fips.patch Patch27: openssh-6.5p1-fips.patch
Patch28: openssh-6.4p1-gssapi_key_exchange.patch Patch28: openssh-6.5p1-gssapi_key_exchange.patch
Patch29: openssh-6.4p1-login_options.patch Patch29: openssh-6.5p1-login_options.patch
Patch30: openssh-6.4p1-disable-openssl-abi-check.patch Patch30: openssh-6.5p1-disable-openssl-abi-check.patch
Patch31: openssh-6.4p1-no_fork-no_pid_file.patch Patch31: openssh-6.5p1-no_fork-no_pid_file.patch
Patch32: openssh-6.4p1-host_ident.patch Patch32: openssh-6.5p1-host_ident.patch
Patch33: openssh-6.4p1-sftp_homechroot.patch Patch33: openssh-6.5p1-sftp_homechroot.patch
Patch34: openssh-6.4p1-forcepermissions.patch Patch34: openssh-6.5p1-sftp_force_permissions.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description %description
@ -162,7 +167,7 @@ Helper applications for OpenSSH which retrieve keys from various sources.
%prep %prep
%setup -q %setup -q
%patch1 -p2 #patch1 -p2
%patch2 -p2 %patch2 -p2
%patch3 -p2 %patch3 -p2
%patch4 -p2 %patch4 -p2
@ -195,7 +200,7 @@ Helper applications for OpenSSH which retrieve keys from various sources.
%patch31 -p2 %patch31 -p2
%patch32 -p2 %patch32 -p2
%patch33 -p2 %patch33 -p2
%patch34 -p1 %patch34 -p2
cp %{SOURCE3} %{SOURCE4} . cp %{SOURCE3} %{SOURCE4} .
%build %build
@ -212,14 +217,14 @@ PIEFLAGS="-fPIE"
PIEFLAGS="-fpie" PIEFLAGS="-fpie"
%endif %endif
CFLAGS="%{optflags} $PIEFLAGS -fstack-protector" CFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
%if 0%{?suse_version} < 1230 #%if 0%{?suse_version} < 1230
CFLAGS="-lrt $CFLAGS" #CFLAGS="-lrt $CFLAGS"
%endif #%endif
CXXFLAGS="%{optflags} $PIEFLAGS -fstack-protector" CXXFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
LDFLAGS="-pie -Wl,--as-needed" LDFLAGS="-pie -Wl,--as-needed"
%if 0%{?suse_version} < 1230 #%if 0%{?suse_version} < 1230
LDFLAGS="-lrt $LDFLAGS" #LDFLAGS="-lrt $LDFLAGS"
%endif #%endif
#CPPFLAGS="%{optflags} -DUSE_INTERNAL_B64" #CPPFLAGS="%{optflags} -DUSE_INTERNAL_B64"
export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
./configure \ ./configure \
@ -232,14 +237,18 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
%if %{has_libselinux} %if %{has_libselinux}
--with-selinux \ --with-selinux \
%endif %endif
%if %{has_systemd} %if %{uses_systemd}
--with-pid-dir=/run \ --with-pid-dir=/run \
%endif %endif
--with-ssl-engine \ --with-ssl-engine \
--with-pam \ --with-pam \
--with-kerberos5=%{_prefix} \ --with-kerberos5=%{_prefix} \
--with-privsep-path=/var/lib/empty \ --with-privsep-path=/var/lib/empty \
%if %{sandbox_seccomp}
--with-sandbox=seccomp_filter \
%else
--with-sandbox=rlimit \ --with-sandbox=rlimit \
%endif
%ifnarch s390 s390x %ifnarch s390 s390x
--with-opensc \ --with-opensc \
%endif %endif
@ -253,24 +262,28 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
--target=%{_target_cpu}-suse-linux \ --target=%{_target_cpu}-suse-linux \
### configure end ### configure end
make -j 1 make %{?_smp_mflags}
make -j 1 -C converter #make %{?_smp_mflags} -C converter
%install %install
make install DESTDIR=%{buildroot} make install DESTDIR=%{buildroot}
make install DESTDIR=%{buildroot} -C converter #make install DESTDIR=%{buildroot} -C converter
install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d
install -d -m 755 %{buildroot}/var/lib/sshd install -d -m 755 %{buildroot}/var/lib/sshd
install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pam.d/sshd install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pam.d/sshd
install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d/ install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d/
install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/ install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/
install -d -m 755 %{buildroot}%{_initddir} install -d -m 755 %{buildroot}%{_initddir}
%if %{init_script_allowed} %if %{uses_systemd}
install -m 755 %{SOURCE1} %{buildroot}%{_initddir}/sshd install -m 0755 %{SOURCE1} .
ln -vs ../..%{_initddir}/sshd %{buildroot}%{_sbindir}/rcsshd install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rcsshd
%else %else
install -m 755 %{SOURCE1} . install -D -m 0755 %{SOURCE1} %{buildroot}%{_initddir}/sshd
install -m 0644 %{SOURCE10} .
ln -s ../..%{_initddir}/sshd %{buildroot}%{_sbindir}/rcsshd
%endif %endif
install -d -m 755 %{buildroot}/var/adm/fillup-templates install -d -m 755 %{buildroot}/var/adm/fillup-templates
install -m 644 %{SOURCE8} %{buildroot}/var/adm/fillup-templates install -m 644 %{SOURCE8} %{buildroot}/var/adm/fillup-templates
@ -289,44 +302,38 @@ install -m 644 %{SOURCE7} %{buildroot}%{_fwdefdir}/sshd
# askpass wrapper # askpass wrapper
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE6} > %{buildroot}%{_libexecdir}/ssh/ssh-askpass sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE6} > %{buildroot}%{_libexecdir}/ssh/ssh-askpass
rm -f %{buildroot}%{_datadir}/Ssh.bin rm -f %{buildroot}%{_datadir}/Ssh.bin
# sshd keys generator wrapper
%if %{has_systemd}
install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start
install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rcsshd
%endif
%pre %pre
getent group sshd >/dev/null || %{_sbindir}/groupadd -r sshd getent group sshd >/dev/null || %{_sbindir}/groupadd -r sshd
getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd -s /bin/false -c "SSH daemon" sshd getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd -s /bin/false -c "SSH daemon" sshd
%if %{has_systemd} %if %{uses_systemd}
%service_add_pre sshd.service %service_add_pre sshd.service
%endif %endif
%post %post
%if %{init_script_allowed} %if %{uses_systemd}
%{fillup_and_insserv -n ssh sshd} %{fillup_only -n ssh sshd}
%endif
%if %{has_systemd}
%service_add_post sshd.service %service_add_post sshd.service
%else
%{fillup_and_insserv -n ssh sshd}
%endif %endif
%preun %preun
%if %{init_script_allowed} %if %{uses_systemd}
%stop_on_removal sshd
%endif
%if %{has_systemd}
%service_del_preun sshd.service %service_del_preun sshd.service
%else
%stop_on_removal sshd
%endif %endif
%postun %postun
%if %{init_script_allowed} %if %{uses_systemd}
%service_del_postun sshd.service
%else
%restart_on_update sshd %restart_on_update sshd
%{insserv_cleanup} %{insserv_cleanup}
%endif %endif
%if %{has_systemd}
%service_del_postun sshd.service
%endif
%files %files
%defattr(-,root,root) %defattr(-,root,root)
@ -337,10 +344,12 @@ getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd
%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config %verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%verify(not mode) %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config %verify(not mode) %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
%if %{init_script_allowed} %if %{uses_systemd}
%attr(0755,root,root) %config %{_initddir}/sshd
%else
%doc sshd.init %doc sshd.init
%attr(0644,root,root) %config %{_unitdir}/sshd.service
%else
%attr(0755,root,root) %config %{_initddir}/sshd
%doc sshd.service
%endif %endif
%attr(0755,root,root) %{_bindir}/* %attr(0755,root,root) %{_bindir}/*
%attr(0755,root,root) %{_sbindir}/* %attr(0755,root,root) %{_sbindir}/*
@ -353,10 +362,6 @@ getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd
%dir %{_sysconfdir}/slp.reg.d %dir %{_sysconfdir}/slp.reg.d
%config %{_sysconfdir}/slp.reg.d/ssh.reg %config %{_sysconfdir}/slp.reg.d/ssh.reg
/var/adm/fillup-templates/sysconfig.ssh /var/adm/fillup-templates/sysconfig.ssh
%if %{has_systemd}
%{_sbindir}/sshd-gen-keys-start
%{_unitdir}/sshd.service
%endif
%if %{has_fw_dir} %if %{has_fw_dir}
%if %{needs_all_dirs} %if %{needs_all_dirs}
%dir %{_fwdir} %dir %{_fwdir}

View File

@ -56,7 +56,7 @@ rc_reset
case "$1" in case "$1" in
start) start)
ssh-keygen -A /usr/sbin/sshd-gen-keys-start
echo -n "Starting SSH daemon" echo -n "Starting SSH daemon"
## Start daemon with startproc(8). If this fails ## Start daemon with startproc(8). If this fails
## the echo return value is set appropriate. ## the echo return value is set appropriate.

View File

@ -3,7 +3,7 @@ Description=OpenSSH Daemon
After=network.target After=network.target
[Service] [Service]
EnvironmentFile=/etc/sysconfig/ssh EnvironmentFile=-/etc/sysconfig/ssh
ExecStartPre=/usr/sbin/sshd-gen-keys-start ExecStartPre=/usr/sbin/sshd-gen-keys-start
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/bin/kill -HUP $MAINPID ExecReload=/bin/kill -HUP $MAINPID