Accepting request 35865 from Base:System

Copy from Base:System/openssh based on submit request 35865 from user dirkmueller OBS-URL: https://build.opensuse.org/request/show/35865 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=40
2010-03-31 17:31:53 +00:00 · 2010-03-31 17:31:53 +00:00 · 0dd322b228
commit 0dd322b228
parent c1af9ee4bd
4 changed files with 31 additions and 2 deletions
--- a/openssh-5.4p1-sshconfig-knownhostschanges.diff
+++ b/openssh-5.4p1-sshconfig-knownhostschanges.diff
@ -0,0 +1,20 @@
+Index: ssh_config
+===================================================================
+--- ssh_config.orig
+++ ssh_config
+@@ -67,5 +67,14 @@ ForwardX11Trusted yes
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
+ SendEnv LC_IDENTIFICATION LC_ALL
+-#   VisualHostKey no
+# This will print the fingerprint of the host key in "visual" form
+# this should make it easier to also recognize bad things
+# (enabled for openSUSE Factory before 11.3, if too much people are against,
+#  we can disable it again. meissner@novell.com)
+VisualHostKey yes
+
+# This will hash new host keys and make them so unusable for malicious
+# people or software trying to use known_hosts to find further hops.
+HashKnownHosts yes
+
+ #   ProxyCommand ssh -q -W %h:%p gateway.example.com
--- a/openssh-askpass-gnome.spec
+++ b/openssh-askpass-gnome.spec
@ -23,7 +23,7 @@ BuildRequires:  gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-dev
 License:        BSD3c(or similar)
 Group:          Productivity/Networking/SSH
 Version:        5.4p1
-Release:        1
+Release:        2
 Requires:       openssh = %{version} openssh-askpass = %{version}
 AutoReqProv:    on
 Summary:        A GNOME-Based Passphrase Dialog for OpenSSH
--- a/openssh.changes
+++ b/openssh.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Mar 25 11:00:00 CET 2010 - meissner@suse.de
+
+- Enable VisualHostKey (ascii art of the hostkey fingerprint) and
+  HashHostKeys (hardening measure to make them unusable for worms/malicious
+  users for further host hopping).
+
 -------------------------------------------------------------------
 Tue Mar 23 18:57:07 CET 2010 - anicka@suse.cz

--- a/openssh.spec
+++ b/openssh.spec
@ -36,7 +36,7 @@ PreReq:         pwdutils %insserv_prereq  %fillup_prereq coreutils permissions
 Conflicts:      nonfreessh
 AutoReqProv:    on
 Version:        5.4p1
-Release:        1
+Release:        2
 %define xversion 1.2.4.1
 Summary:        Secure Shell Client and Server (Remote Login Program)
 Url:            http://www.openssh.com/
@ -68,6 +68,7 @@ Patch15:        %{name}-%{version}-audit.patch
 Patch16:        %{name}-%{version}-pts.diff
 Patch17:        %{name}-%{version}-forwards.diff
 Patch18:        %{name}-%{version}-homechroot.patch
+Patch19:        %{name}-%{version}-sshconfig-knownhostschanges.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %package      askpass
@ -112,6 +113,7 @@ Window System passphrase dialog for OpenSSH.
 %patch16
 %patch17
 %patch18
+%patch19
 cp -v %{SOURCE4} .
 cp -v %{SOURCE6} .
 cd ../x11-ssh-askpass-%{xversion}