From 90410f9370805e7f325140f4408712af1da3c4f39f45900f0072afa8d44390c7 Mon Sep 17 00:00:00 2001 
From: OBS User autobuild Date: Tue, 24 Aug 2010 15:31:11 +0000 Subject: [PATCH] Accepting request 46105 from Base:System Copy from Base:System/openssh based on submit request 46105 from user anicka OBS-URL: https://build.opensuse.org/request/show/46105 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=48 --- openssh-5.5p1-forwards.diff | 14 ------ openssh-5.5p1-sftp-leak.diff | 12 ----- openssh-5.5p1.tar.bz2 | 3 -- ...fix.diff => openssh-5.6p1-askpass-fix.diff | 0 ...1-audit.patch => openssh-5.6p1-audit.patch | 48 +++++++++---------- ...rm.diff => openssh-5.6p1-blocksigalrm.diff | 0 ...iff => openssh-5.6p1-default-protocol.diff | 0 ...5.5p1-eal3.diff => openssh-5.6p1-eal3.diff | 20 ++++---- ...engines.diff => openssh-5.6p1-engines.diff | 46 +++++++++--------- ...tm.patch => openssh-5.6p1-gssapimitm.patch | 22 ++++----- ...ot.patch => openssh-5.6p1-homechroot.patch | 22 ++++----- openssh-5.6p1-host_ident.diff | 16 +++++++ ...m-fix2.diff => openssh-5.6p1-pam-fix2.diff | 0 ...m-fix3.diff => openssh-5.6p1-pam-fix3.diff | 0 ...h-5.5p1-pts.diff => openssh-5.6p1-pts.diff | 8 ++-- ...ix.diff => openssh-5.6p1-saveargv-fix.diff | 2 +- ...ale.diff => openssh-5.6p1-send_locale.diff | 0 ...ssh-5.6p1-sshconfig-knownhostschanges.diff | 0 ...1-tmpdir.diff => openssh-5.6p1-tmpdir.diff | 2 +- ...5p1-xauth.diff => openssh-5.6p1-xauth.diff | 2 +- ...f => openssh-5.6p1-xauthlocalhostname.diff | 14 +++--- openssh-5.5p1.dif => openssh-5.6p1.dif | 0 openssh-5.6p1.tar.bz2 | 3 ++ openssh-askpass-gnome.changes | 5 ++ openssh-askpass-gnome.spec | 4 +- openssh.changes | 40 ++++++++++++++++ openssh.spec | 14 +++--- 27 files changed, 166 insertions(+), 131 deletions(-) delete mode 100644 openssh-5.5p1-forwards.diff delete mode 100644 openssh-5.5p1-sftp-leak.diff delete mode 100644 openssh-5.5p1.tar.bz2 rename openssh-5.5p1-askpass-fix.diff => openssh-5.6p1-askpass-fix.diff (100%) rename openssh-5.5p1-audit.patch => openssh-5.6p1-audit.patch (88%) rename 
openssh-5.5p1-blocksigalrm.diff => openssh-5.6p1-blocksigalrm.diff (100%) rename openssh-5.5p1-default-protocol.diff => openssh-5.6p1-default-protocol.diff (100%) rename openssh-5.5p1-eal3.diff => openssh-5.6p1-eal3.diff (66%) rename openssh-5.5p1-engines.diff => openssh-5.6p1-engines.diff (79%) rename openssh-5.5p1-gssapimitm.patch => openssh-5.6p1-gssapimitm.patch (94%) rename openssh-5.5p1-homechroot.patch => openssh-5.6p1-homechroot.patch (92%) create mode 100644 openssh-5.6p1-host_ident.diff rename openssh-5.5p1-pam-fix2.diff => openssh-5.6p1-pam-fix2.diff (100%) rename openssh-5.5p1-pam-fix3.diff => openssh-5.6p1-pam-fix3.diff (100%) rename openssh-5.5p1-pts.diff => openssh-5.6p1-pts.diff (71%) rename openssh-5.5p1-saveargv-fix.diff => openssh-5.6p1-saveargv-fix.diff (93%) rename openssh-5.5p1-send_locale.diff => openssh-5.6p1-send_locale.diff (100%) rename openssh-5.5p1-sshconfig-knownhostschanges.diff => openssh-5.6p1-sshconfig-knownhostschanges.diff (100%) rename openssh-5.5p1-tmpdir.diff => openssh-5.6p1-tmpdir.diff (93%) rename openssh-5.5p1-xauth.diff => openssh-5.6p1-xauth.diff (97%) rename openssh-5.5p1-xauthlocalhostname.diff => openssh-5.6p1-xauthlocalhostname.diff (80%) rename openssh-5.5p1.dif => openssh-5.6p1.dif (100%) create mode 100644 openssh-5.6p1.tar.bz2 diff --git a/openssh-5.5p1-forwards.diff b/openssh-5.5p1-forwards.diff deleted file mode 100644 index cb515d9..0000000 --- a/openssh-5.5p1-forwards.diff +++ /dev/null 
@@ -1,14 +0,0 @@ -Index: channels.c -=================================================================== ---- channels.c.orig -+++ channels.c -@@ -2625,6 +2625,9 @@ channel_setup_fwd_listener(int type, con - char ntop[NI_MAXHOST], strport[NI_MAXSERV]; - in_port_t *lport_p; - -+ if (num_adm_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) -+ fatal("channel_setup_fwd_listener: too many forwards"); -+ - host = (type == SSH_CHANNEL_RPORT_LISTENER) ? - listen_addr : host_to_connect; - is_client = (type == SSH_CHANNEL_PORT_LISTENER); diff --git a/openssh-5.5p1-sftp-leak.diff b/openssh-5.5p1-sftp-leak.diff deleted file mode 100644 index 968cfdc..0000000 --- a/openssh-5.5p1-sftp-leak.diff +++ /dev/null @@ -1,12 +0,0 @@ -Index: openssh-5.4p1/sftp-client.c -=================================================================== ---- openssh-5.4p1.orig/sftp-client.c -+++ openssh-5.4p1/sftp-client.c -@@ -713,6 +713,7 @@ do_realpath(struct sftp_conn *conn, char - u_int status = buffer_get_int(&msg); - - error("Couldn't canonicalise: %s", fx2txt(status)); -+ buffer_free(&msg); - return(NULL); - } else if (type != SSH2_FXP_NAME) - fatal("Expected SSH2_FXP_NAME(%u) packet, got %u", diff --git a/openssh-5.5p1.tar.bz2 b/openssh-5.5p1.tar.bz2 deleted file mode 100644 index 041a844..0000000 --- a/openssh-5.5p1.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:125862cb2709afc830c90911c106d1ef24b5b657deceedb872982cb6544cc137 -size 876219 diff --git a/openssh-5.5p1-askpass-fix.diff b/openssh-5.6p1-askpass-fix.diff similarity index 100% rename from openssh-5.5p1-askpass-fix.diff rename to openssh-5.6p1-askpass-fix.diff diff --git a/openssh-5.5p1-audit.patch b/openssh-5.6p1-audit.patch similarity index 88% rename from openssh-5.5p1-audit.patch rename to openssh-5.6p1-audit.patch index 12d70db..6c8ea40 100644 --- a/openssh-5.5p1-audit.patch +++ b/openssh-5.6p1-audit.patch 
@@ -1,9 +1,9 @@ # add support for Linux audit (FATE #120269) ================================================================================ -Index: openssh-5.4p1/Makefile.in +Index: openssh-5.6p1/Makefile.in =================================================================== ---- openssh-5.4p1.orig/Makefile.in -+++ openssh-5.4p1/Makefile.in +--- openssh-5.6p1.orig/Makefile.in ++++ openssh-5.6p1/Makefile.in @@ -46,6 +46,7 @@ LD=@LD@ CFLAGS=@CFLAGS@ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ @@ -21,10 +21,10 @@ Index: openssh-5.4p1/Makefile.in scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -Index: openssh-5.4p1/auth.c +Index: openssh-5.6p1/auth.c =================================================================== ---- openssh-5.4p1.orig/auth.c -+++ openssh-5.4p1/auth.c +--- openssh-5.6p1.orig/auth.c ++++ openssh-5.6p1/auth.c @@ -293,6 +293,12 @@ auth_log(Authctxt *authctxt, int authent get_canonical_hostname(options.use_dns), "ssh", &loginmsg); # endif @@ -38,7 +38,7 @@ Index: openssh-5.4p1/auth.c #ifdef SSH_AUDIT_EVENTS if (authenticated == 0 && !authctxt->postponed) audit_event(audit_classify_auth(method)); -@@ -564,6 +570,10 @@ getpwnamallow(const char *user) +@@ -586,6 +592,10 @@ getpwnamallow(const char *user) record_failed_login(user, get_canonical_hostname(options.use_dns), "ssh"); #endif @@ -49,11 +49,11 @@ Index: openssh-5.4p1/auth.c #ifdef SSH_AUDIT_EVENTS audit_event(SSH_INVALID_USER); #endif /* SSH_AUDIT_EVENTS */ -Index: openssh-5.4p1/config.h.in +Index: openssh-5.6p1/config.h.in =================================================================== ---- openssh-5.4p1.orig/config.h.in -+++ openssh-5.4p1/config.h.in -@@ -1415,6 +1415,9 @@ +--- openssh-5.6p1.orig/config.h.in ++++ openssh-5.6p1/config.h.in +@@ -1424,6 +1424,9 @@ /* Define if you want SELinux support. */ #undef WITH_SELINUX 
@@ -63,11 +63,11 @@ Index: openssh-5.4p1/config.h.in /* Define to 1 if your processor stores words with the most significant byte first (like Motorola and SPARC, unlike Intel and VAX). */ #undef WORDS_BIGENDIAN -Index: openssh-5.4p1/configure.ac +Index: openssh-5.6p1/configure.ac =================================================================== ---- openssh-5.4p1.orig/configure.ac -+++ openssh-5.4p1/configure.ac -@@ -3363,6 +3363,20 @@ AC_ARG_WITH(selinux, +--- openssh-5.6p1.orig/configure.ac ++++ openssh-5.6p1/configure.ac +@@ -3393,6 +3393,20 @@ AC_ARG_WITH(selinux, fi ] ) @@ -88,7 +88,7 @@ Index: openssh-5.4p1/configure.ac # Check whether user wants Kerberos 5 support KRB5_MSG="no" AC_ARG_WITH(kerberos5, -@@ -4182,6 +4196,7 @@ echo " PAM support +@@ -4185,6 +4199,7 @@ echo " PAM support echo " OSF SIA support: $SIA_MSG" echo " KerberosV support: $KRB5_MSG" echo " SELinux support: $SELINUX_MSG" @@ -96,10 +96,10 @@ Index: openssh-5.4p1/configure.ac echo " Smartcard support: $SCARD_MSG" echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" -Index: openssh-5.4p1/loginrec.c +Index: openssh-5.6p1/loginrec.c =================================================================== ---- openssh-5.4p1.orig/loginrec.c -+++ openssh-5.4p1/loginrec.c +--- openssh-5.6p1.orig/loginrec.c ++++ openssh-5.6p1/loginrec.c @@ -176,6 +176,10 @@ #include "auth.h" #include "buffer.h" @@ -121,7 +121,7 @@ Index: openssh-5.4p1/loginrec.c int lastlog_write_entry(struct logininfo *li); int syslogin_write_entry(struct logininfo *li); -@@ -440,6 +447,10 @@ login_write(struct logininfo *li) +@@ -441,6 +448,10 @@ login_write(struct logininfo *li) /* set the timestamp */ login_set_current_time(li); @@ -132,7 +132,7 @@ Index: openssh-5.4p1/loginrec.c #ifdef USE_LOGIN syslogin_write_entry(li); #endif -@@ -1394,6 +1405,87 @@ wtmpx_get_entry(struct logininfo *li) +@@ -1399,6 +1410,87 @@ wtmpx_get_entry(struct logininfo *li) } #endif /* USE_WTMPX */ 
@@ -220,10 +220,10 @@ Index: openssh-5.4p1/loginrec.c /** ** Low-level libutil login() functions **/ -Index: openssh-5.4p1/loginrec.h +Index: openssh-5.6p1/loginrec.h =================================================================== ---- openssh-5.4p1.orig/loginrec.h -+++ openssh-5.4p1/loginrec.h +--- openssh-5.6p1.orig/loginrec.h ++++ openssh-5.6p1/loginrec.h @@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch char *line_abbrevname(char *dst, const char *src, int dstsize); diff --git a/openssh-5.5p1-blocksigalrm.diff b/openssh-5.6p1-blocksigalrm.diff similarity index 100% rename from openssh-5.5p1-blocksigalrm.diff rename to openssh-5.6p1-blocksigalrm.diff diff --git a/openssh-5.5p1-default-protocol.diff b/openssh-5.6p1-default-protocol.diff similarity index 100% rename from openssh-5.5p1-default-protocol.diff rename to openssh-5.6p1-default-protocol.diff diff --git a/openssh-5.5p1-eal3.diff b/openssh-5.6p1-eal3.diff similarity index 66% rename from openssh-5.5p1-eal3.diff rename to openssh-5.6p1-eal3.diff index 13e95c8..8e31b05 100644 --- a/openssh-5.5p1-eal3.diff +++ b/openssh-5.6p1-eal3.diff @@ -1,8 +1,8 @@ -Index: openssh-5.4p1/sshd.8 +Index: openssh-5.6p1/sshd.8 =================================================================== ---- openssh-5.4p1.orig/sshd.8 -+++ openssh-5.4p1/sshd.8 -@@ -840,7 +840,7 @@ Contains Diffie-Hellman groups used for +--- openssh-5.6p1.orig/sshd.8 ++++ openssh-5.6p1/sshd.8 +@@ -850,7 +850,7 @@ Contains Diffie-Hellman groups used for The file format is described in .Xr moduli 5 . .Pp @@ -11,7 +11,7 @@ Index: openssh-5.4p1/sshd.8 See .Xr motd 5 . .Pp -@@ -853,7 +853,7 @@ are displayed to anyone trying to log in +@@ -863,7 +863,7 @@ are displayed to anyone trying to log in refused. The file should be world-readable. .Pp 
@@ -20,7 +20,7 @@ Index: openssh-5.4p1/sshd.8 This file is used in exactly the same way as .Pa hosts.equiv , but allows host-based authentication without permitting login with -@@ -930,8 +930,7 @@ The content of this file is not sensitiv +@@ -940,8 +940,7 @@ The content of this file is not sensitiv .Xr ssh-keyscan 1 , .Xr chroot 2 , .Xr hosts_access 5 , @@ -30,11 +30,11 @@ Index: openssh-5.4p1/sshd.8 .Xr sshd_config 5 , .Xr inetd 8 , .Xr sftp-server 8 -Index: openssh-5.4p1/sshd_config.5 +Index: openssh-5.6p1/sshd_config.5 =================================================================== ---- openssh-5.4p1.orig/sshd_config.5 -+++ openssh-5.4p1/sshd_config.5 -@@ -451,7 +451,7 @@ or +--- openssh-5.6p1.orig/sshd_config.5 ++++ openssh-5.6p1/sshd_config.5 +@@ -496,7 +496,7 @@ or .Pp .Pa /etc/hosts.equiv and diff --git a/openssh-5.5p1-engines.diff b/openssh-5.6p1-engines.diff similarity index 79% rename from openssh-5.5p1-engines.diff rename to openssh-5.6p1-engines.diff index cf7065a..53edf52 100644 --- a/openssh-5.5p1-engines.diff +++ b/openssh-5.6p1-engines.diff @@ -1,7 +1,7 @@ -Index: openssh-5.4p1/ssh-add.c +Index: openssh-5.6p1/ssh-add.c =================================================================== ---- openssh-5.4p1.orig/ssh-add.c -+++ openssh-5.4p1/ssh-add.c +--- openssh-5.6p1.orig/ssh-add.c ++++ openssh-5.6p1/ssh-add.c @@ -43,6 +43,7 @@ #include @@ -10,7 +10,7 @@ Index: openssh-5.4p1/ssh-add.c #include #include -@@ -366,6 +367,10 @@ main(int argc, char **argv) +@@ -374,6 +375,10 @@ main(int argc, char **argv) SSLeay_add_all_algorithms(); 
@@ -21,10 +21,10 @@ Index: openssh-5.4p1/ssh-add.c /* At first, get a connection to the authentication agent. */ ac = ssh_get_authentication_connection(); if (ac == NULL) { -Index: openssh-5.4p1/ssh-agent.c +Index: openssh-5.6p1/ssh-agent.c =================================================================== ---- openssh-5.4p1.orig/ssh-agent.c -+++ openssh-5.4p1/ssh-agent.c +--- openssh-5.6p1.orig/ssh-agent.c ++++ openssh-5.6p1/ssh-agent.c @@ -52,6 +52,7 @@ #include #include @@ -33,7 +33,7 @@ Index: openssh-5.4p1/ssh-agent.c #include #include -@@ -1091,6 +1092,10 @@ main(int ac, char **av) +@@ -1094,6 +1095,10 @@ main(int ac, char **av) SSLeay_add_all_algorithms(); @@ -44,10 +44,10 @@ Index: openssh-5.4p1/ssh-agent.c __progname = ssh_get_progname(av[0]); init_rng(); seed_rng(); -Index: openssh-5.4p1/ssh-keygen.c +Index: openssh-5.6p1/ssh-keygen.c =================================================================== ---- openssh-5.4p1.orig/ssh-keygen.c -+++ openssh-5.4p1/ssh-keygen.c +--- openssh-5.6p1.orig/ssh-keygen.c ++++ openssh-5.6p1/ssh-keygen.c @@ -22,6 +22,7 @@ #include #include @@ -56,7 +56,7 @@ Index: openssh-5.4p1/ssh-keygen.c #include #include -@@ -1523,6 +1524,11 @@ main(int argc, char **argv) +@@ -1782,6 +1783,11 @@ main(int argc, char **argv) __progname = ssh_get_progname(argv[0]); SSLeay_add_all_algorithms(); @@ -68,10 +68,10 @@ Index: openssh-5.4p1/ssh-keygen.c log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); init_rng(); -Index: openssh-5.4p1/ssh-keysign.c +Index: openssh-5.6p1/ssh-keysign.c =================================================================== ---- openssh-5.4p1.orig/ssh-keysign.c -+++ openssh-5.4p1/ssh-keysign.c +--- openssh-5.6p1.orig/ssh-keysign.c ++++ openssh-5.6p1/ssh-keysign.c @@ -38,6 +38,7 @@ #include #include 
@@ -92,10 +92,10 @@ Index: openssh-5.4p1/ssh-keysign.c for (i = 0; i < 256; i++) rnd[i] = arc4random(); RAND_seed(rnd, sizeof(rnd)); -Index: openssh-5.4p1/ssh.c +Index: openssh-5.6p1/ssh.c =================================================================== ---- openssh-5.4p1.orig/ssh.c -+++ openssh-5.4p1/ssh.c +--- openssh-5.6p1.orig/ssh.c ++++ openssh-5.6p1/ssh.c @@ -74,6 +74,7 @@ #include #include "openbsd-compat/openssl-compat.h" @@ -104,7 +104,7 @@ Index: openssh-5.4p1/ssh.c #include "xmalloc.h" #include "ssh.h" -@@ -584,6 +585,10 @@ main(int ac, char **av) +@@ -602,6 +603,10 @@ main(int ac, char **av) SSLeay_add_all_algorithms(); ERR_load_crypto_strings(); @@ -115,10 +115,10 @@ Index: openssh-5.4p1/ssh.c /* Initialize the command to execute on remote host. */ buffer_init(&command); -Index: openssh-5.4p1/sshd.c +Index: openssh-5.6p1/sshd.c =================================================================== ---- openssh-5.4p1.orig/sshd.c -+++ openssh-5.4p1/sshd.c +--- openssh-5.6p1.orig/sshd.c ++++ openssh-5.6p1/sshd.c @@ -77,6 +77,7 @@ #include #include @@ -127,7 +127,7 @@ Index: openssh-5.4p1/sshd.c #ifdef HAVE_SECUREWARE #include -@@ -1462,6 +1463,10 @@ main(int ac, char **av) +@@ -1471,6 +1472,10 @@ main(int ac, char **av) SSLeay_add_all_algorithms(); diff --git a/openssh-5.5p1-gssapimitm.patch b/openssh-5.6p1-gssapimitm.patch similarity index 94% rename from openssh-5.5p1-gssapimitm.patch rename to openssh-5.6p1-gssapimitm.patch index 592c57b..1209f88 100644 --- a/openssh-5.5p1-gssapimitm.patch +++ b/openssh-5.6p1-gssapimitm.patch 
@@ -75,9 +75,9 @@ Index: readconf.c - oAddressFamily, oGssAuthentication, oGssDelegateCreds, + oAddressFamily, oGssAuthentication, oGssDelegateCreds, oGssEnableMITM, oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, - oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, - oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, -@@ -165,9 +165,11 @@ static struct { + oSendEnv, oControlPath, oControlMaster, oControlPersist, + oHashKnownHosts, +@@ -167,9 +167,11 @@ static struct { #if defined(GSSAPI) { "gssapiauthentication", oGssAuthentication }, { "gssapidelegatecredentials", oGssDelegateCreds }, @@ -89,7 +89,7 @@ Index: readconf.c #endif { "fallbacktorsh", oDeprecated }, { "usersh", oDeprecated }, -@@ -459,6 +461,10 @@ parse_flag: +@@ -477,6 +479,10 @@ parse_flag: case oGssDelegateCreds: intptr = &options->gss_deleg_creds; goto parse_flag; @@ -100,7 +100,7 @@ Index: readconf.c case oBatchMode: intptr = &options->batch_mode; -@@ -1016,6 +1022,7 @@ initialize_options(Options * options) +@@ -1059,6 +1065,7 @@ initialize_options(Options * options) options->challenge_response_authentication = -1; options->gss_authentication = -1; options->gss_deleg_creds = -1; @@ -108,7 +108,7 @@ Index: readconf.c options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; -@@ -1109,6 +1116,8 @@ fill_default_options(Options * options) +@@ -1158,6 +1165,8 @@ fill_default_options(Options * options) options->gss_authentication = 0; if (options->gss_deleg_creds == -1) options->gss_deleg_creds = 0; @@ -121,7 +121,7 @@ Index: readconf.h =================================================================== --- readconf.h.orig +++ readconf.h -@@ -45,6 +45,7 @@ typedef struct { +@@ -47,6 +47,7 @@ typedef struct { /* Try S/Key or TIS, authentication. */ int gss_authentication; /* Try GSS authentication */ int gss_deleg_creds; /* Delegate GSS credentials */ 
@@ -141,7 +141,7 @@ Index: servconf.c options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; -@@ -216,6 +217,8 @@ fill_default_server_options(ServerOption +@@ -217,6 +218,8 @@ fill_default_server_options(ServerOption options->gss_authentication = 0; if (options->gss_cleanup_creds == -1) options->gss_cleanup_creds = 1; @@ -150,7 +150,7 @@ Index: servconf.c if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -306,7 +309,7 @@ typedef enum { +@@ -307,7 +310,7 @@ typedef enum { sBanner, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, @@ -159,7 +159,7 @@ Index: servconf.c sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, sZeroKnowledgePasswordAuthentication, sHostCertificate, -@@ -369,9 +372,11 @@ static struct { +@@ -370,9 +373,11 @@ static struct { #ifdef GSSAPI { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, @@ -171,7 +171,7 @@ Index: servconf.c #endif { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, -@@ -928,6 +933,10 @@ process_server_config_line(ServerOptions +@@ -929,6 +934,10 @@ process_server_config_line(ServerOptions case sGssCleanupCreds: intptr = &options->gss_cleanup_creds; goto parse_flag; diff --git a/openssh-5.5p1-homechroot.patch b/openssh-5.6p1-homechroot.patch similarity index 92% rename from openssh-5.5p1-homechroot.patch rename to openssh-5.6p1-homechroot.patch index fc53869..bf86237 100644 --- a/openssh-5.5p1-homechroot.patch +++ b/openssh-5.6p1-homechroot.patch 
@@ -39,7 +39,7 @@ Index: session.c =================================================================== --- session.c.orig +++ session.c -@@ -119,6 +119,8 @@ void do_child(Session *, const char *); +@@ -120,6 +120,8 @@ void do_child(Session *, const char *); void do_motd(void); int check_quietlogin(Session *, const char *); @@ -48,7 +48,7 @@ Index: session.c static void do_authenticated1(Authctxt *); static void do_authenticated2(Authctxt *); -@@ -805,6 +807,11 @@ do_exec(Session *s, const char *command) +@@ -806,6 +808,11 @@ do_exec(Session *s, const char *command) debug("Forced command (key option) '%.900s'", command); } @@ -60,7 +60,7 @@ Index: session.c #ifdef SSH_AUDIT_EVENTS if (command != NULL) PRIVSEP(audit_run_command(command)); -@@ -1418,6 +1425,63 @@ do_nologin(struct passwd *pw) +@@ -1419,6 +1426,63 @@ do_nologin(struct passwd *pw) } /* @@ -124,7 +124,7 @@ Index: session.c * Chroot into a directory after checking it for safety: all path components * must be root-owned directories with strict permissions. */ -@@ -1427,6 +1491,7 @@ safely_chroot(const char *path, uid_t ui +@@ -1428,6 +1492,7 @@ safely_chroot(const char *path, uid_t ui const char *cp; char component[MAXPATHLEN]; struct stat st; @@ -132,7 +132,7 @@ Index: session.c if (*path != '/') fatal("chroot path does not begin at root"); -@@ -1438,7 +1503,7 @@ safely_chroot(const char *path, uid_t ui +@@ -1439,7 +1504,7 @@ safely_chroot(const char *path, uid_t ui * root-owned directory with strict permissions. */ for (cp = path; cp != NULL;) { @@ -141,7 +141,7 @@ Index: session.c strlcpy(component, path, sizeof(component)); else { cp++; -@@ -1451,14 +1516,20 @@ safely_chroot(const char *path, uid_t ui +@@ -1452,14 +1517,20 @@ safely_chroot(const char *path, uid_t ui if (stat(component, &st) != 0) fatal("%s: stat(\"%s\"): %s", __func__, component, strerror(errno)); 
@@ -163,7 +163,7 @@ Index: session.c } if (chdir(path) == -1) -@@ -1469,6 +1540,10 @@ safely_chroot(const char *path, uid_t ui +@@ -1470,6 +1541,10 @@ safely_chroot(const char *path, uid_t ui if (chdir("/") == -1) fatal("%s: chdir(/) after chroot: %s", __func__, strerror(errno)); @@ -238,9 +238,9 @@ Index: sshd_config.0 =================================================================== --- sshd_config.0.orig +++ sshd_config.0 -@@ -115,6 +115,14 @@ DESCRIPTION - which use logging do require /dev/log inside the chroot directory - (see sftp-server(8) for details). +@@ -143,6 +143,14 @@ DESCRIPTION + though sessions which use logging do require /dev/log inside the + chroot directory (see sftp-server(8) for details). + In the special case when only sftp is used, not ssh nor scp, it + is possible to use ChrootDirectory %h or ChrootDirectory @@ -257,7 +257,7 @@ Index: sshd_config.5 =================================================================== --- sshd_config.5.orig +++ sshd_config.5 -@@ -224,6 +224,17 @@ inside the chroot directory (see +@@ -269,6 +269,17 @@ inside the chroot directory (see .Xr sftp-server 8 for details). .Pp diff --git a/openssh-5.6p1-host_ident.diff b/openssh-5.6p1-host_ident.diff new file mode 100644 index 0000000..521923a --- /dev/null +++ b/openssh-5.6p1-host_ident.diff @@ -0,0 +1,16 @@ +Index: openssh-5.5p1/sshconnect.c +=================================================================== +--- openssh-5.5p1.orig/sshconnect.c ++++ openssh-5.5p1/sshconnect.c +@@ -916,6 +916,11 @@ check_host_key(char *hostname, struct so + error("Add correct host key in %.100s to get rid of this message.", + user_hostfile); + error("Offending key in %s:%d", host_file, host_line); ++ error("You can use following command to remove all keys for this IP:"); ++ if (ip_file) ++ error("ssh-keygen -R %s -f %s", hostname, ip_file); ++ else ++ error("ssh-keygen -R %s", hostname); + + /* + * If strict host key checking is in use, the user will have 
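Review bot: The removal hint added after the `Offending key in %s:%d` message in check_host_key (new file openssh-5.6p1-host_ident.diff) does not match that message: its text says "for this IP" but the command is built from `hostname`, and `-f` is given `ip_file` while the offending entry was just reported in `host_file`. Where those two files differ, the suggested command would presumably leave the offending line in place. I would build it from the reported file, `error("ssh-keygen -R %s -f %s", hostname, host_file);`, and word the lead-in as "for this host". Because this text is printed as part of the changed-host-key warning, a ready-to-paste command also makes it easy to drop the pinned key without checking the new one; a preceding line such as `error("Verify the new host key with the server administrator before removing the old one.");` would keep the hint from undercutting the warning. The body of check_host_key starts and ends outside the hunk, so how `ip_file` is initialised cannot be confirmed from here.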
diff --git a/openssh-5.5p1-pam-fix2.diff b/openssh-5.6p1-pam-fix2.diff similarity index 100% rename from openssh-5.5p1-pam-fix2.diff rename to openssh-5.6p1-pam-fix2.diff diff --git a/openssh-5.5p1-pam-fix3.diff b/openssh-5.6p1-pam-fix3.diff similarity index 100% rename from openssh-5.5p1-pam-fix3.diff rename to openssh-5.6p1-pam-fix3.diff diff --git a/openssh-5.5p1-pts.diff b/openssh-5.6p1-pts.diff similarity index 71% rename from openssh-5.5p1-pts.diff rename to openssh-5.6p1-pts.diff index 3b6db35..d961a44 100644 --- a/openssh-5.5p1-pts.diff +++ b/openssh-5.6p1-pts.diff @@ -1,6 +1,8 @@ ---- loginrec.c +Index: loginrec.c +=================================================================== +--- loginrec.c.orig +++ loginrec.c -@@ -549,7 +549,7 @@ +@@ -554,7 +554,7 @@ getlast_entry(struct logininfo *li) * 1. The full filename (including '/dev') * 2. The stripped name (excluding '/dev') * 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00 @@ -9,7 +11,7 @@ * * Form 3 is used on some systems to identify a .tmp.? entry when * attempting to remove it. Typically both addition and removal is -@@ -610,6 +610,10 @@ +@@ -615,6 +615,10 @@ line_abbrevname(char *dst, const char *s if (strncmp(src, "tty", 3) == 0) src += 3; #endif diff --git a/openssh-5.5p1-saveargv-fix.diff b/openssh-5.6p1-saveargv-fix.diff similarity index 93% rename from openssh-5.5p1-saveargv-fix.diff rename to openssh-5.6p1-saveargv-fix.diff index 9fc3b07..be151a1 100644 --- a/openssh-5.5p1-saveargv-fix.diff +++ b/openssh-5.6p1-saveargv-fix.diff @@ -10,7 +10,7 @@ Index: sshd.c logit("Received SIGHUP; restarting."); close_listen_socks(); close_startup_pipes(); -@@ -1307,7 +1308,11 @@ main(int ac, char **av) +@@ -1316,7 +1317,11 @@ main(int ac, char **av) #ifndef HAVE_SETPROCTITLE /* Prepare for later setproctitle emulation */ compat_init_setproctitle(ac, av); 
diff --git a/openssh-5.5p1-send_locale.diff b/openssh-5.6p1-send_locale.diff similarity index 100% rename from openssh-5.5p1-send_locale.diff rename to openssh-5.6p1-send_locale.diff diff --git a/openssh-5.5p1-sshconfig-knownhostschanges.diff b/openssh-5.6p1-sshconfig-knownhostschanges.diff similarity index 100% rename from openssh-5.5p1-sshconfig-knownhostschanges.diff rename to openssh-5.6p1-sshconfig-knownhostschanges.diff diff --git a/openssh-5.5p1-tmpdir.diff b/openssh-5.6p1-tmpdir.diff similarity index 93% rename from openssh-5.5p1-tmpdir.diff rename to openssh-5.6p1-tmpdir.diff index 17ca1c4..e04287d 100644 --- a/openssh-5.5p1-tmpdir.diff +++ b/openssh-5.6p1-tmpdir.diff @@ -2,7 +2,7 @@ Index: ssh-agent.c =================================================================== --- ssh-agent.c.orig +++ ssh-agent.c -@@ -1174,8 +1174,18 @@ main(int ac, char **av) +@@ -1177,8 +1177,18 @@ main(int ac, char **av) parent_pid = getpid(); if (agentsocket == NULL) { diff --git a/openssh-5.5p1-xauth.diff b/openssh-5.6p1-xauth.diff similarity index 97% rename from openssh-5.5p1-xauth.diff rename to openssh-5.6p1-xauth.diff index f35f5b9..d78e48a 100644 --- a/openssh-5.5p1-xauth.diff +++ b/openssh-5.6p1-xauth.diff @@ -2,7 +2,7 @@ Index: session.c =================================================================== --- session.c.orig +++ session.c -@@ -2521,8 +2521,41 @@ void +@@ -2525,8 +2525,41 @@ void session_close(Session *s) { u_int i; diff --git a/openssh-5.5p1-xauthlocalhostname.diff b/openssh-5.6p1-xauthlocalhostname.diff similarity index 80% rename from openssh-5.5p1-xauthlocalhostname.diff rename to openssh-5.6p1-xauthlocalhostname.diff index be76642..ead1794 100644 --- a/openssh-5.5p1-xauthlocalhostname.diff +++ b/openssh-5.6p1-xauthlocalhostname.diff 
@@ -2,7 +2,7 @@ Index: session.c =================================================================== --- session.c.orig +++ session.c -@@ -1113,7 +1113,7 @@ copy_environment(char **source, char *** +@@ -1114,7 +1114,7 @@ copy_environment(char **source, char *** } static char ** @@ -11,7 +11,7 @@ Index: session.c { char buf[256]; u_int i, envsize; -@@ -1300,6 +1300,8 @@ do_setup_env(Session *s, const char *she +@@ -1301,6 +1301,8 @@ do_setup_env(Session *s, const char *she for (i = 0; env[i]; i++) fprintf(stderr, " %.200s\n", env[i]); } @@ -20,7 +20,7 @@ Index: session.c return env; } -@@ -1308,7 +1310,7 @@ do_setup_env(Session *s, const char *she +@@ -1309,7 +1311,7 @@ do_setup_env(Session *s, const char *she * first in this order). */ static void @@ -29,7 +29,7 @@ Index: session.c { FILE *f = NULL; char cmd[1024]; -@@ -1362,12 +1364,20 @@ do_rc_files(Session *s, const char *shel +@@ -1363,12 +1365,20 @@ do_rc_files(Session *s, const char *shel options.xauth_location); f = popen(cmd, "w"); if (f) { @@ -50,7 +50,7 @@ Index: session.c } else { fprintf(stderr, "Could not run %s\n", cmd); -@@ -1669,6 +1679,7 @@ do_child(Session *s, const char *command +@@ -1670,6 +1680,7 @@ do_child(Session *s, const char *command { extern char **environ; char **env; @@ -58,7 +58,7 @@ Index: session.c char *argv[ARGV_MAX]; const char *shell, *shell0, *hostname = NULL; struct passwd *pw = s->pw; -@@ -1735,7 +1746,7 @@ do_child(Session *s, const char *command +@@ -1736,7 +1747,7 @@ do_child(Session *s, const char *command * Make sure $SHELL points to the shell from the password file, * even if shell is overridden from login.conf */ @@ -67,7 +67,7 @@ Index: session.c #ifdef HAVE_LOGIN_CAP shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); -@@ -1803,7 +1814,7 @@ do_child(Session *s, const char *command +@@ -1805,7 +1816,7 @@ do_child(Session *s, const char *command closefrom(STDERR_FILENO + 1); if (!options.use_login) 
diff --git a/openssh-5.5p1.dif b/openssh-5.6p1.dif similarity index 100% rename from openssh-5.5p1.dif rename to openssh-5.6p1.dif diff --git a/openssh-5.6p1.tar.bz2 b/openssh-5.6p1.tar.bz2 new file mode 100644 index 0000000..ba8d545 --- /dev/null +++ b/openssh-5.6p1.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7ee242e0236597108ed3156420e6a7d517fffe21d89755c37f09cceb5d796e4c +size 896204 diff --git a/openssh-askpass-gnome.changes b/openssh-askpass-gnome.changes index 9d1023e..a943963 100644 --- a/openssh-askpass-gnome.changes +++ b/openssh-askpass-gnome.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Tue Aug 24 15:50:17 CEST 2010 - anicka@suse.cz + +- update to 5.6p1 + ------------------------------------------------------------------- Fri Mar 26 11:04:59 CET 2010 - anicka@suse.cz diff --git a/openssh-askpass-gnome.spec b/openssh-askpass-gnome.spec index b5d5e75..758a958 100644 --- a/openssh-askpass-gnome.spec +++ b/openssh-askpass-gnome.spec @@ -1,5 +1,5 @@ # -# spec file for package openssh-askpass-gnome (Version 5.5p1) +# spec file for package openssh-askpass-gnome (Version 5.6p1) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -22,7 +22,7 @@ Name: openssh-askpass-gnome BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files License: BSD3c(or similar) Group: Productivity/Networking/SSH -Version: 5.5p1 +Version: 5.6p1 Release: 1 Requires: openssh = %{version} openssh-askpass = %{version} AutoReqProv: on diff --git a/openssh.changes b/openssh.changes index f5c8bc0..b72aadd 100644 --- a/openssh.changes +++ b/openssh.changes 
@@ -1,3 +1,43 @@ +------------------------------------------------------------------- +Tue Aug 24 15:43:08 CEST 2010 - anicka@suse.cz + +- update to 5.6p1 + * Added a ControlPersist option to ssh_config(5) that automatically + starts a background ssh(1) multiplex master when connecting. + * Hostbased authentication may now use certificate host keys. + * ssh-keygen(1) now supports signing certificate using a CA key that + has been stored in a PKCS#11 token. + * ssh(1) will now log the hostname and address that we connected to at + LogLevel=verbose after authentication is successful to mitigate + "phishing" attacks by servers with trusted keys that accept + authentication silently and automatically before presenting fake + password/passphrase prompts. + * Expand %h to the hostname in ssh_config Hostname options. + * Allow ssh-keygen(1) to import (-i) and export (-e) of PEM and PKCS#8 + keys in addition to RFC4716 (SSH.COM) encodings via a new -m option + * sshd(8) will now queue debug messages for bad ownership or + permissions on the user's keyfiles encountered during authentication + and will send them after authentication has successfully completed. + * ssh(1) connection multiplexing now supports remote forwarding with + dynamic port allocation and can report the allocated port back to + the user + * sshd(8) now supports indirection in matching of principal names + listed in certificates. + * sshd(8) now has a new AuthorizedPrincipalsFile option to specify a + file containing a list of names that may be accepted in place of the + username when authorizing a certificate trusted via the + sshd_config(5) TrustedCAKeys option. + * Additional sshd_config(5) options are now valid inside Match blocks + * Revised the format of certificate keys. 
+ * bugfixes +- removed -forward patch (SSH_MAX_FORWARDS_PER_DIRECTION not hard-coded + any more), removed memory leak fix (fixed in upstream) + +------------------------------------------------------------------- +Fri Aug 20 13:00:43 CEST 2010 - anicka@suse.cz + +- hint user how to remove offending keys (bnc#625552) + ------------------------------------------------------------------- Thu Jul 22 17:58:09 CEST 2010 - anicka@suse.cz diff --git a/openssh.spec b/openssh.spec index fce03b0..0dc4b73 100644 --- a/openssh.spec +++ b/openssh.spec @@ -1,5 +1,5 @@ # -# spec file for package openssh (Version 5.5p1) +# spec file for package openssh (Version 5.6p1) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -35,7 +35,7 @@ Requires: /bin/netstat PreReq: pwdutils %insserv_prereq %fillup_prereq coreutils permissions Conflicts: nonfreessh AutoReqProv: on -Version: 5.5p1 +Version: 5.6p1 Release: 1 %define xversion 1.2.4.1 Summary: Secure Shell Client and Server (Remote Login Program) @@ -66,10 +66,9 @@ Patch12: %{name}-%{version}-xauth.diff Patch14: %{name}-%{version}-default-protocol.diff Patch15: %{name}-%{version}-audit.patch Patch16: %{name}-%{version}-pts.diff -Patch17: %{name}-%{version}-forwards.diff -Patch18: %{name}-%{version}-homechroot.patch -Patch19: %{name}-%{version}-sshconfig-knownhostschanges.diff -Patch20: %{name}-%{version}-sftp-leak.diff +Patch17: %{name}-%{version}-homechroot.patch +Patch18: %{name}-%{version}-sshconfig-knownhostschanges.diff +Patch19: %{name}-%{version}-host_ident.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %package askpass @@ -114,8 +113,7 @@ Window System passphrase dialog for OpenSSH. %patch16 %patch17 %patch18 -%patch19 -%patch20 -p1 +%patch19 -p1 cp -v %{SOURCE4} . cp -v %{SOURCE6} . cd ../x11-ssh-askpass-%{xversion}