This commit is contained in:
commit
b889e699cf
23
.gitattributes
vendored
Normal file
@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
.osc
134
README.SuSE
Normal file
@ -0,0 +1,134 @@
Dear users,

This is OpenSSH version 4.4p1.

There is a very important change in sshd with SuSE Linux 9.1:

The "gssapi" support has been replaced with "gssapi-with-mic" to fix
possible MITM attacks (to enable support for the deprecated 'gssapi'
authentication, set GSSAPIEnableMITMAttack to 'yes'). These two versions
are not compatible. The option GSSAPICleanupCreds is obsolete; use
GSSAPICleanupCredentials instead.

We disabled the new feature 'untrusted cookies' by default because it causes a
lot of problems. If you want to enable it, set ForwardX11Trusted to 'no' in
ssh_config.

The option UsePrivilegeSeparation was reverted to 'yes' because the problematic
calling of PAM modules in this mode has been fixed.

The option KeepAlive is obsolete; use TCPKeepAlive instead.

There is an important change in sshd with SuSE Linux 9.0:

The value of the option ChallengeResponseAuthentication is reverted to the default
value 'yes', which is necessary for PAM authentication.

In this OpenSSH version, Kerberos support has been removed from protocol SSH1,
since it has been replaced with GSSAPI, but Kerberos password
authentication is kept for protocols SSH1 and SSH2. To enable Kerberos authentication,
read the README.kerberos file.

An important change in sshd with SuSE Linux 8.1 is that sshd X11 forwarding listens
on localhost by default. See the sshd option X11UseLocalhost to revert to the prior
behaviour if your older X11 clients do not function with this configuration.

The package openssh was split into openssh and the new package askpass.

OpenSSH supports two protocol versions (SSH1 and SSH2) which need to be
configured differently.
Protocol version 1 is the old protocol and protocol version 2 is the new
protocol, which has several advantages from the security point of view.

Please note that the default ssh protocol version has been changed to
version 2 with SuSE Linux 8.0.

The change of the default protocol version brings one important change for
users who use passphrase-protected identity keys for remote login.

(Please note the difference: 'password' means a system password on a
given machine. The term 'passphrase', however, is usually used for the
string that an ssh private key is protected (encrypted) with.)

Protocol version 1 uses the key from the file ~/.ssh/identity and compares
it with the keys from the file ~/.ssh/authorized_keys on the remote machine.

Protocol version 2 uses the keys from the files ~/.ssh/id_rsa or ~/.ssh/id_dsa,
and they are compared with the keys from the file ~/.ssh/authorized_keys.
Note: Servers with OpenSSH < 2.9.9p1 use ~/.ssh/authorized_keys2 instead.

If you don't want to switch to protocol version 2 now, add a line saying
"Protocol 1,2" to /etc/ssh/ssh_config of the SuSE Linux 8.0 system to
retain the old ssh behaviour.

How to convert your environment to protocol version 2:

1) Creating the necessary identity keys for protocol version 2:

There are two ways:

A) You can use your old keys for protocol 1, but you have to convert them
to the format of protocol 2.
This can be done with the tool ssh-keyconverter:

Every user that will use protocol version 2 needs to do this:

cd ~/.ssh
ssh-keyconverter -k identity
- at this point you will be asked for the passphrase of ~/.ssh/identity
ssh-keyconverter -a authorized_keys

If OpenSSH < 2.9.9p1 is used on the server:

grep ssh- authorized_keys >>authorized_keys2

To enable login to other users with the converted protocol version 2 keys,
the other user has to add the new ~/.ssh/id_rsa.pub to his authorized keys.

You can do this by script by forcing version 1 with the -1 switch:

for host in .... ; do
ssh -1 user@$host 'cat >> .ssh/authorized_keys' < ~/.ssh/id_rsa.pub
ssh -1 user@$host 'cat >> .ssh/authorized_keys2' < ~/.ssh/id_rsa.pub
done

B) You can generate new keys for protocol 2 with "ssh-keygen -t rsa" or
"ssh-keygen -t dsa", then add id_rsa.pub (or id_dsa.pub) to
authorized_keys2 and copy authorized_keys2 to the remote machine. See
"man ssh" and "man ssh-keygen" for more info.

2) Handling of protocol version 2 with ssh-agent and ssh-add:

If you continue to use protocol version 1, there is nothing to do because
the default identity is still ~/.ssh/identity.

For protocol version 2, you have to pass the correct file (~/.ssh/id_rsa or
~/.ssh/id_dsa) to ssh-add. To support both the version 1 key and the version 2
key you have to add both keys. Example:

eval `ssh-agent -s`
ssh-add ~/.ssh/identity ~/.ssh/id_rsa

This will add your version 1 and version 2 keys, and if they have the same
passphrase, you only have to type it once.

Other changes:

The OpenSSH handling of ssh-add/ssh-askpass differs from that of
OpenSSH 2.x: you don't need to call ssh-askpass any longer. If
ssh-add is called and doesn't have a real TTY, it will launch
/usr/lib/ssh/ssh-askpass itself. Make sure that the DISPLAY variable
is always set correctly.

If you want to use ssh-agent under X windows, just edit the file .xsession
in your home directory and change usessh="no" to usessh="yes". After
logging in you only need to start ssh-add by hand, by a click, or from a startup script.

If you want to use ssh-agent with startx, add the example above to your
~/.xinitrc before the window manager is started.

Your SuSE Team
23
README.kerberos
Normal file
@ -0,0 +1,23 @@
This version of the Kerberos/GSSAPI support avoids DNS lookups
for Kerberos-related names. These DNS lookups were problematic
for dialup users because they would lead to excessive delays
if DNS was not reachable.

In order to disable these lookups, I had to change the default
configuration, disabling GSSAPI authentication.

If you do use Kerberos, please make sure you edit the server and
client configuration files as follows:

/etc/ssh/sshd_config:

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

/etc/ssh/ssh_config:
Host *
... lots of other options ...
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
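The settings the two READMEs above single out (Protocol, X11UseLocalhost, UsePrivilegeSeparation, ForwardX11Trusted, GSSAPIAuthentication, GSSAPIDelegateCredentials and the SUSE-specific GSSAPIEnableMITMAttack) are easy to get wrong by hand. The script below is an added example, not part of the openssh package or of either README: it reads an sshd_config and an ssh_config the way ssh does (comment lines skipped, keywords case-insensitive, first occurrence wins) and prints one line per setting a practitioner would want changed, run over two constructed sample configs of each kind. Assumptions: the keyword GSSAPIEnableMITMAttack from openssh-4.5p1-gssapimitm.patch exists; the built-in defaults used are the stock OpenSSH 4.x ones except ForwardX11Trusted, whose SUSE default is 'yes' as README.SuSE states; and the ssh_config contains a single Host * block.

```sh
#!/bin/sh
# Added example (not code from the openssh package or its READMEs): audit an
# sshd_config and an ssh_config for the settings README.SuSE and README.kerberos
# discuss. GSSAPIEnableMITMAttack is the SUSE keyword added by
# openssh-4.5p1-gssapimitm.patch; every other keyword is stock OpenSSH 4.x.

# effective_value FILE KEYWORD DEFAULT
# Print the value of the first uncommented KEYWORD in FILE, or DEFAULT if it is
# absent. As in OpenSSH, keywords are case-insensitive and the first match wins;
# for ssh_config a single "Host *" block is assumed.
effective_value() {
    _v=$(awk -v key="$2" '
        /^[[:space:]]*#/ { next }                       # comment line
        tolower($1) == tolower(key) { print $2; exit }  # first match wins
    ' "$1")
    printf '%s\n' "${_v:-$3}"
}

# has_ssh1 VALUE: true when a Protocol value such as "1", "2,1" or "1,2" lists SSH1.
has_ssh1() {
    case ",$1," in *,1,*) return 0 ;; esac
    return 1
}

# audit_sshd FILE: print one line per weak server-side setting.
audit_sshd() {
    if has_ssh1 "$(effective_value "$1" Protocol 2,1)"; then
        echo "sshd: SSH protocol 1 enabled; set 'Protocol 2'"
    fi
    if [ "$(effective_value "$1" GSSAPIEnableMITMAttack no)" = yes ]; then
        echo "sshd: MITM-prone 'gssapi' method enabled; set 'GSSAPIEnableMITMAttack no'"
    fi
    if [ "$(effective_value "$1" X11UseLocalhost yes)" = no ]; then
        echo "sshd: forwarded X11 display bound to all interfaces; set 'X11UseLocalhost yes'"
    fi
    if [ "$(effective_value "$1" UsePrivilegeSeparation yes)" = no ]; then
        echo "sshd: privilege separation off; set 'UsePrivilegeSeparation yes'"
    fi
}

# audit_ssh FILE: print one line per weak client-side setting.
audit_ssh() {
    if has_ssh1 "$(effective_value "$1" Protocol 2,1)"; then
        echo "ssh: SSH protocol 1 enabled; set 'Protocol 2'"
    fi
    if [ "$(effective_value "$1" GSSAPIEnableMITMAttack no)" = yes ]; then
        echo "ssh: client may fall back to MITM-prone 'gssapi'; set 'GSSAPIEnableMITMAttack no'"
    fi
    # README.SuSE: the SUSE default for ForwardX11Trusted is 'yes', so a plain
    # 'ForwardX11 yes' gives remote X clients full access to the local display.
    if [ "$(effective_value "$1" ForwardX11 no)" = yes ] &&
       [ "$(effective_value "$1" ForwardX11Trusted yes)" = yes ]; then
        echo "ssh: trusted X11 forwarding; set 'ForwardX11Trusted no' for untrusted hosts"
    fi
    if [ "$(effective_value "$1" GSSAPIDelegateCredentials no)" = yes ]; then
        echo "ssh: Kerberos credentials delegated to every host this block matches"
    fi
}

# Constructed sample configs (not files from the package).
TMPD=$(mktemp -d)
WEAK_SSHD=$TMPD/sshd_config.weak; HARD_SSHD=$TMPD/sshd_config.hardened
WEAK_SSH=$TMPD/ssh_config.weak;   HARD_SSH=$TMPD/ssh_config.hardened
cat >"$WEAK_SSHD" <<'EOF'
Port 22
Protocol 2,1
X11UseLocalhost no
GSSAPIAuthentication yes
GSSAPIEnableMITMAttack yes
#UsePrivilegeSeparation no
EOF
cat >"$HARD_SSHD" <<'EOF'
Protocol 2
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
EOF
cat >"$WEAK_SSH" <<'EOF'
Host *
    Protocol 1,2
    ForwardX11 yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPIEnableMITMAttack yes
EOF
cat >"$HARD_SSH" <<'EOF'
Host *
    Protocol 2
    ForwardX11 yes
    ForwardX11Trusted no
    GSSAPIAuthentication yes
EOF

for f in "$WEAK_SSHD" "$HARD_SSHD"; do echo "== $f"; audit_sshd "$f"; done
for f in "$WEAK_SSH"  "$HARD_SSH";  do echo "== $f"; audit_ssh  "$f"; done
```

To check a live system, call audit_sshd on /etc/ssh/sshd_config and audit_ssh on /etc/ssh/ssh_config (and on ~/.ssh/config, which ssh reads first). GSSAPIDelegateCredentials is reported because README.kerberos recommends it under Host *, which forwards the Kerberos ticket-granting ticket to every server the user connects to; scoping it to a Host block for the Kerberos realm keeps the delegation where it is needed.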
3
converter.tar.bz2
Normal file
@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:da7ff204375259aef8aaf3ad89c7f311134354fe0129cddce927de5d4f7ab349
size 4792
87
openssh-4.5p1-addrlist.dif
Normal file
@ -0,0 +1,87 @@
--- sshd.c
+++ sshd.c
@@ -253,6 +253,62 @@

static void do_ssh1_kex(void);
static void do_ssh2_kex(void);
+char * isaddr(struct addrinfo *addr, char *name);
+void remove_duplicities(struct addrinfo *addr, char *port);
+
+/*
+ * returns port if addr equals name
+ */
+
+char*
+isaddr(struct addrinfo *addr, char *name)
+{
+ char ntop[NI_MAXHOST];
+ char *strport;
+
+ strport = (char*) malloc(NI_MAXSERV+1);
+ if (getnameinfo(addr->ai_addr, addr->ai_addrlen,
+ ntop, sizeof(ntop), strport, sizeof(strport),
+ NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
+ error("getnameinfo failed");
+ free(strport);
+ return NULL;
+ }
+ if (!strcmp(ntop,name))
+ return strport;
+ else{
+ free(strport);
+ return NULL;
+ }
+
+}
+
+/*
+ * it removes all "0.0.0.0" elements with given port
+ * from the list
+ */
+
+void
+remove_duplicities(struct addrinfo *ai_start, char *port)
+{
+ struct addrinfo *ai, *ai1, *aiprev, *ainext;
+ char *port1;
+
+ aiprev=ai_start;
+ for (ai = ai_start->ai_next; ai; ai = ainext) {
+ ainext = ai->ai_next;
+ port1 = isaddr(ai, "0.0.0.0");
+ if (port1 && !strcmp(port,port1)){
+ aiprev->ai_next = ainext;
+ free(ai);
+ free(port1);
+ } else {
+ if (port1)
+ free(port1);
+ aiprev = ai;
+ }
+ }
+}

/*
* Close all listening sockets
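Review bot: `sizeof(strport)` in isaddr()'s getnameinfo call is the size of a `char *`, not of the NI_MAXSERV+1 buffer malloc'd on the line above, so the service buffer is declared as 4 or 8 bytes; on a 32-bit build any port of four or more digits makes getnameinfo fail, the function logs "getnameinfo failed", returns NULL, and the `::`/`0.0.0.0` de-duplication silently never happens. Pass `NI_MAXSERV+1`, or use a local `char strport[NI_MAXSERV]` and return `xstrdup()` of it. Smaller points in the same hunk: the `malloc` result is unchecked where the rest of sshd uses `xmalloc`; `ai1` is declared and never used; and `free(ai)` on a node of a getaddrinfo chain releases only the `struct addrinfo`, not `ai_addr`, a small leak that deserves a comment since such chains are normally released whole with freeaddrinfo.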
@@ -941,6 +997,7 @@
int ret, listen_sock, on = 1;
struct addrinfo *ai;
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+ char *port;

for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
@@ -986,6 +1043,13 @@
continue;
}
listen_socks[num_listen_socks] = listen_sock;
+
+ port = isaddr(ai,"::");
+ if (port) {
+ remove_duplicities(ai, port);
+ free(port);
+ }
+
num_listen_socks++;

/* Start listening on the port. */
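Review bot: remove_duplicities() starts at `ai->ai_next`, so it only drops `0.0.0.0` entries that come after the `::` entry in options.listen_addrs; an IPv4 wildcard listed earlier (by ListenAddress order, or by whatever order getaddrinfo returned) has already been bound when this code runs, and the duplicate-bind problem the patch targets remains for that ordering. The assumption behind dropping the IPv4 entry also needs stating: it is only safe if the `::` socket accepts IPv4-mapped connections; if that socket is IPV6_V6ONLY (or the kernel is configured bindv6only) sshd ends up with no IPv4 listener and nothing in the log says so. Add a comment naming the case the patch targets, and log each address remove_duplicities() drops at verbose level so a missing listener is diagnosable.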
72
openssh-4.5p1-askpass-fix.diff
Normal file
@ -0,0 +1,72 @@
--- x11-ssh-askpass.c
+++ x11-ssh-askpass.c
@@ -1301,7 +1301,7 @@
}
}

-Bool eventIsInsideButton(AppInfo *app, XEvent *event, ButtonInfo button)
+Bool eventIsInsideButton(AppInfo *app, ButtonInfo button, XEvent *event)
{
/* 'gcc -Wall' complains about 'app' being an unused parameter.
* Tough. We might want to use it later, and then we don't have
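Review bot: the parameter order of eventIsInsideButton() is swapped here without any statement of why; nothing in the patch file explains what the original order broke, and the file name only says "fix". Since ButtonInfo is passed by value and every call site below is updated mechanically, a one-line comment above the definition naming the compiler or ABI problem the reorder works around would stop the next maintainer from reverting it as a no-op.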
@@ -1343,11 +1343,11 @@
return;
}
if (ButtonPress == event->type) {
- if (eventIsInsideButton(app, event, d->okButton)) {
+ if (eventIsInsideButton(app, d->okButton, event)) {
d->pressedButton = OK_BUTTON;
d->okButton.pressed = True;
paintButton(app, d->dialogWindow, d->okButton);
- } else if (eventIsInsideButton(app, event, d->cancelButton)) {
+ } else if (eventIsInsideButton(app, d->cancelButton, event)) {
d->pressedButton = CANCEL_BUTTON;
d->cancelButton.pressed = True;
paintButton(app, d->dialogWindow, d->cancelButton);
@@ -1356,7 +1356,7 @@
}
} else if (ButtonRelease == event->type) {
if (OK_BUTTON == d->pressedButton) {
- if (eventIsInsideButton(app, event, d->okButton)) {
+ if (eventIsInsideButton(app, d->okButton, event)) {
acceptAction(app);
} else {
if (d->okButton.pressed) {
@@ -1365,7 +1365,7 @@
}
}
} else if (CANCEL_BUTTON == d->pressedButton) {
- if (eventIsInsideButton(app, event, d->cancelButton)) {
+ if (eventIsInsideButton(app, d->cancelButton, event)) {
cancelAction(app);
} else {
if (d->cancelButton.pressed) {
@@ -1385,7 +1385,7 @@
if (NO_BUTTON == d->pressedButton) {
return;
} else if (OK_BUTTON == d->pressedButton) {
- if (eventIsInsideButton(app, event, d->okButton)) {
+ if (eventIsInsideButton(app, d->okButton, event)) {
if (!(d->okButton.pressed)) {
d->okButton.pressed = True;
paintButton(app, d->dialogWindow, d->okButton);
@@ -1397,7 +1397,7 @@
}
}
} else if (CANCEL_BUTTON == d->pressedButton) {
- if (eventIsInsideButton(app, event, d->cancelButton)) {
+ if (eventIsInsideButton(app, d->cancelButton, event)) {
if (!(d->cancelButton.pressed)) {
d->cancelButton.pressed = True;
paintButton(app, d->dialogWindow, d->cancelButton);
--- x11-ssh-askpass.h
+++ x11-ssh-askpass.h
@@ -258,7 +258,7 @@
void addToPassphrase(AppInfo *app, char c);

void handleKeyPress(AppInfo *app, XEvent *event);
-Bool eventIsInsideButton(AppInfo *app, XEvent *event, ButtonInfo button);
+Bool eventIsInsideButton(AppInfo *app, ButtonInfo button, XEvent *event);
void handleButtonPress(AppInfo *app, XEvent *event);
void handlePointerMotion(AppInfo *app, XEvent *event);
42
openssh-4.5p1-blocksigalrm.diff
Normal file
@ -0,0 +1,42 @@
--- log.c
+++ log.c
@@ -50,6 +50,7 @@

#include "xmalloc.h"
#include "log.h"
+#include <signal.h>

static LogLevel log_level = SYSLOG_LEVEL_INFO;
static int log_on_stderr = 1;
@@ -313,6 +314,7 @@
char fmtbuf[MSGBUFSIZ];
char *txt = NULL;
int pri = LOG_INFO;
+ sigset_t nset, oset;

if (level > log_level)
return;
@@ -351,6 +353,15 @@
pri = LOG_ERR;
break;
}
+ /* Prevent a race between the grace_alarm
+ * which writes a log message and terminates
+ * and main sshd code that leads to deadlock
+ * as syslog is not async safe.
+ */
+ sigemptyset(&nset);
+ sigaddset(&nset, SIGALRM);
+ sigprocmask(SIG_BLOCK, &nset, &oset);
+
if (txt != NULL) {
snprintf(fmtbuf, sizeof(fmtbuf), "%s: %s", txt, fmt);
vsnprintf(msgbuf, sizeof(msgbuf), fmtbuf, args);
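Review bot: the SIGALRM block is taken before the stderr/syslog split, so it also covers the `log_on_stderr` write path (the static from the first hunk), which uses write(2) and is async-signal-safe; scoping the block to the syslog branch keeps the critical section minimal and makes the pairing with the restore in the next hunk obvious. The comment should also name what actually races (the logging call made from the grace-time alarm handler) rather than "main sshd code", and say why the return values of sigemptyset/sigaddset/sigprocmask are ignored.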
@@ -372,5 +383,7 @@
syslog(pri, "%.500s", fmtbuf);
closelog();
#endif
+
+ sigprocmask(SIG_SETMASK, &oset, NULL);
}
}
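Review bot: the restore `sigprocmask(SIG_SETMASK, &oset, NULL)` sits before the first closing brace, i.e. inside the branch that ends with `closelog(); #endif`, while the block in the previous hunk is taken unconditionally. The `log_on_stderr` path leaves the function without reaching this line, so any process that logs to stderr (sshd -d, or sshd before it switches logging away from stderr after loading the host keys, as the sshd.c context in openssh-4.5p1-engines.diff describes) keeps SIGALRM blocked after its first do_log() call; the mask is inherited across fork, so in that situation the LoginGraceTime alarm never fires and unauthenticated clients can hold connections open. Move the restore after the inner `}` so every exit from the function unblocks, and keep one block/restore pair at the same nesting level.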
22
openssh-4.5p1-default-protocol.diff
Normal file
@ -0,0 +1,22 @@
--- ssh_config
+++ ssh_config
@@ -46,7 +46,7 @@
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
-# Protocol 2,1
+ Protocol 2
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
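Review bot: `+ Protocol 2` becomes the only active directive in a file that otherwise documents defaults as comments, yet nothing explains that SSH1 is disabled on purpose or that README.SuSE's "Protocol 1,2" re-enables it; the leading space also differs from the column-0 `Protocol 2` in the sshd_config hunk. Add a comment line above it such as `# SSH protocol 1 is disabled for security reasons; see README.SuSE` and drop the stray indent so the two files read the same.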
--- sshd_config
+++ sshd_config
@@ -11,7 +11,7 @@
# default value.

#Port 22
-#Protocol 2,1
+Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
51
openssh-4.5p1-eal3.diff
Normal file
@ -0,0 +1,51 @@
--- openssh-4.5p1/sshd.8
+++ openssh-4.5p1/sshd.8
@@ -739,7 +739,7 @@
The file format is described in
.Xr moduli 5 .
.Pp
-.It /etc/motd
+.It /etc/lib/motd
See
.Xr motd 5 .
.Pp
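Review bot: `/etc/lib/motd` looks like a typo: `/etc/lib` is not a conventional directory, and nothing else in this patch moves the motd file or tells sshd to read it from there. Confirm the path this package's EAL3 configuration actually uses before it goes into the man page; if sshd still prints /etc/motd, the original line should stay.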
@@ -752,7 +752,7 @@
refused.
The file should be world-readable.
.Pp
-.It /etc/shosts.equiv
+.It /etc/ssh/shosts.equiv
This file is used in exactly the same way as
.Pa hosts.equiv ,
but allows host-based authentication without permitting login with
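Review bot: this is a documentation-only change; nothing in the patch makes sshd open /etc/ssh/shosts.equiv rather than /etc/shosts.equiv, so the man page is right only if the compiled-in shosts.equiv path of this build already is /etc/ssh/shosts.equiv. A sentence in the patch header stating that, and pointing at the build setting that fixes the path, would keep the two from drifting apart; the same applies to the sshd_config.5 hunk that changes the same path.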
@@ -828,8 +828,7 @@
.Xr ssh-keygen 1 ,
.Xr chroot 2 ,
.Xr hosts_access 5 ,
-.Xr login.conf 5 ,
-.Xr moduli 5 ,
+.Xr login.defs 5 ,
.Xr sshd_config 5 ,
.Xr inetd 8 ,
.Xr sftp-server 8
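Review bot: removing `.Xr moduli 5 ,` from SEE ALSO looks unintended: the purpose of the hunk is to swap login.conf for login.defs, and the FILES section patched in the first hunk of this file still sends the reader to `.Xr moduli 5 .`. Either keep the moduli cross-reference here or remove both, and state in the patch header which it is.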
--- openssh-4.5p1/sshd_config.5
+++ openssh-4.5p1/sshd_config.5
@@ -169,9 +169,6 @@
By default, no banner is displayed.
.It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed.
-All authentication styles from
-.Xr login.conf 5
-are supported.
The default is
.Dq yes .
.It Cm Ciphers
@@ -384,7 +381,7 @@
.Pp
.Pa /etc/hosts.equiv
and
-.Pa /etc/shosts.equiv
+.Pa /etc/ssh/shosts.equiv
are still used.
The default is
.Dq yes .
132
openssh-4.5p1-engines.diff
Normal file
@ -0,0 +1,132 @@
# Load drivers for available hardware crypto accelerators.
# -- mludvig@suse.cz
Index: openssh-3.8p1/ssh-add.c
================================================================================
--- openssh-4.5p1/ssh-add.c
+++ openssh-4.5p1/ssh-add.c
@@ -42,6 +42,7 @@
#include <sys/param.h>

#include <openssl/evp.h>
+#include <openssl/engine.h>

#include <fcntl.h>
#include <pwd.h>
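Review bot: the `Index: openssh-3.8p1/ssh-add.c` line names a different release than the `--- openssh-4.5p1/ssh-add.c` / `+++` headers directly under it, so it is stale from the 3.8p1 version of this patch; update it to 4.5p1 or drop the Index line and the `====` separator, since tools that honour Index lines will otherwise look for the wrong tree. The two-line comment at the top could also say which engines the package expects to find, since the hunks below register whatever is built into libcrypto.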
@@ -343,6 +344,10 @@

SSLeay_add_all_algorithms();

+ /* Init available hardware crypto engines. */
+ ENGINE_load_builtin_engines();
+ ENGINE_register_all_complete();
+
/* At first, get a connection to the authentication agent. */
ac = ssh_get_authentication_connection();
if (ac == NULL) {
--- openssh-4.5p1/ssh-agent.c
+++ openssh-4.5p1/ssh-agent.c
@@ -51,6 +51,7 @@

#include <openssl/evp.h>
#include <openssl/md5.h>
+#include <openssl/engine.h>

#include <errno.h>
#include <fcntl.h>
@@ -1044,6 +1045,10 @@

SSLeay_add_all_algorithms();

+ /* Init available hardware crypto engines. */
+ ENGINE_load_builtin_engines();
+ ENGINE_register_all_complete();
+
__progname = ssh_get_progname(av[0]);
init_rng();
seed_rng();
--- openssh-4.5p1/ssh-keygen.c
+++ openssh-4.5p1/ssh-keygen.c
@@ -21,6 +21,7 @@

#include <openssl/evp.h>
#include <openssl/pem.h>
+#include <openssl/engine.h>

#include <errno.h>
#include <fcntl.h>
@@ -1074,6 +1075,11 @@
__progname = ssh_get_progname(av[0]);

SSLeay_add_all_algorithms();
+
+ /* Init available hardware crypto engines. */
+ ENGINE_load_builtin_engines();
+ ENGINE_register_all_complete();
+
log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);

init_rng();
--- openssh-4.5p1/ssh-keysign.c
+++ openssh-4.5p1/ssh-keysign.c
@@ -38,6 +38,7 @@
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/rsa.h>
+#include <openssl/engine.h>

#include "xmalloc.h"
#include "log.h"
@@ -195,6 +196,11 @@
fatal("could not open any host key");

SSLeay_add_all_algorithms();
+
+ /* Init available hardware crypto engines. */
+ ENGINE_load_builtin_engines();
+ ENGINE_register_all_complete();
+
for (i = 0; i < 256; i++)
rnd[i] = arc4random();
RAND_seed(rnd, sizeof(rnd));
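Review bot: ssh-keysign is a privileged helper whose only job is one host-key signature for host-based authentication; this hunk makes it load every built-in OpenSSL engine and, via ENGINE_register_all_complete(), route all RSA/DSA operations through whichever engine registers for them, so an absent or misbehaving accelerator breaks host-based authentication from this host with no message pointing at the engine. Unless hardware signing of host keys is actually required, leave the engine init out of the helper, or make it opt-in behind a switch and log at debug level which engine, if any, took over.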
--- openssh-4.5p1/ssh.c
+++ openssh-4.5p1/ssh.c
@@ -72,6 +72,7 @@

#include <openssl/evp.h>
#include <openssl/err.h>
+#include <openssl/engine.h>

#include "xmalloc.h"
#include "ssh.h"
@@ -556,6 +557,10 @@
SSLeay_add_all_algorithms();
ERR_load_crypto_strings();

+ /* Init available hardware crypto engines. */
+ ENGINE_load_builtin_engines();
+ ENGINE_register_all_complete();
+
/* Initialize the command to execute on remote host. */
buffer_init(&command);

--- openssh-4.5p1/sshd.c
+++ openssh-4.5p1/sshd.c
@@ -75,6 +75,7 @@
#include <openssl/bn.h>
#include <openssl/md5.h>
#include <openssl/rand.h>
+#include <openssl/engine.h>
#ifdef HAVE_SECUREWARE
#include <sys/security.h>
#include <prot.h>
@@ -1444,6 +1445,10 @@

SSLeay_add_all_algorithms();

+ /* Init available hardware crypto engines. */
+ ENGINE_load_builtin_engines();
+ ENGINE_register_all_complete();
+
/*
* Force logging to stderr until we have loaded the private host
* key (unless started from inetd)
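Review bot: the engines are initialised in the listening parent, before logging is even set up (the "Force logging to stderr" comment follows), so every forked session inherits engine state it never asked for, and there is no configuration knob and no log line saying which engine took over RSA/DSA; when an accelerator misbehaves, the host-key signature in key exchange fails for every connection with nothing pointing at the engine. The same four lines are now copied into six binaries; a small helper in shared code that is called once, logs the registered engines at debug level and can be disabled would make this maintainable and diagnosable.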
10
openssh-4.5p1-gcc-fix.patch
Normal file
@ -0,0 +1,10 @@
--- scard-opensc.c
+++ scard-opensc.c
@@ -31,6 +31,7 @@
#include <openssl/evp.h>
#include <openssl/x509.h>

+#include <string.h>
#include <stdarg.h>

#include <opensc/opensc.h>
242
openssh-4.5p1-gssapimitm.patch
Normal file
@ -0,0 +1,242 @@
The patch below adds support for the deprecated 'gssapi' authentication
mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
in this release. The use of 'gssapi' is deprecated due to the presence of
potential man-in-the-middle attacks, which 'gssapi-with-mic' is not
susceptible to.

To use the patch, apply it to an OpenSSH 3.8p1 source tree. After compiling,
backwards compatibility may be obtained by supplying the
'GssapiEnableMitmAttack yes' option to either the client or server.

It should be noted that this patch is being made available purely as a means
of easing the process of moving to OpenSSH 3.8p1. Any new installations are
recommended to use the 'gssapi-with-mic' mechanism. Existing installations
are encouraged to upgrade as soon as possible.

Index: auth2-gss.c
================================================================================
--- auth2-gss.c
+++ auth2-gss.c
@@ -177,6 +177,15 @@
dispatch_set(
SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
&input_gssapi_exchange_complete);
+
+ /*
+ * Old style 'gssapi' didn't have the GSSAPI_MIC
+ * and went straight to sending exchange_complete
+ */
+ if (options.gss_enable_mitm)
+ dispatch_set(
+ SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
+ &input_gssapi_exchange_complete);
}
}

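Review bot: the added dispatch_set() is gated on `options.gss_enable_mitm` alone, not on which method the client selected, so once an administrator sets GSSAPIEnableMITMAttack yes, a client that negotiated `gssapi-with-mic` can also finish with a bare EXCHANGE_COMPLETE and skip the MIC; the option then weakens the new method as well as re-enabling the old one. Gate the extra handler on the client having asked for the deprecated "gssapi" method, for instance by giving method_gssapi_old (second hunk) its own thin userauth callback that records the choice before calling userauth_gssapi. The comment would also read better if it named the message it means (SSH2_MSG_USERAUTH_GSSAPI_MIC) rather than "the GSSAPI_MIC".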
@@ -298,4 +307,10 @@
&options.gss_authentication
};

+Authmethod method_gssapi_old = {
+ "gssapi",
+ userauth_gssapi,
+ &options.gss_enable_mitm
+};
+
#endif /* GSSAPI */
--- auth2.c
+++ auth2.c
@@ -65,6 +65,7 @@
extern Authmethod method_hostbased;
#ifdef GSSAPI
extern Authmethod method_gssapi;
+extern Authmethod method_gssapi_old;
#endif

Authmethod *authmethods[] = {
@@ -72,6 +73,7 @@
&method_pubkey,
#ifdef GSSAPI
&method_gssapi,
+ &method_gssapi_old,
#endif
&method_passwd,
&method_kbdint,
--- readconf.c
+++ readconf.c
@@ -126,7 +126,7 @@
oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ oAddressFamily, oGssAuthentication, oGssDelegateCreds, oGssEnableMITM,
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
@@ -164,9 +164,11 @@
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
+ { "gssapienablemitmattack", oGssEnableMITM },
#else
{ "gssapiauthentication", oUnsupported },
{ "gssapidelegatecredentials", oUnsupported },
+ { "gssapienablemitmattack", oUnsupported },
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
@@ -445,6 +447,10 @@
case oGssDelegateCreds:
intptr = &options->gss_deleg_creds;
goto parse_flag;
+
+ case oGssEnableMITM:
+ intptr = &options->gss_enable_mitm;
+ goto parse_flag;

case oBatchMode:
intptr = &options->batch_mode;
@@ -1012,6 +1018,7 @@
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
options->gss_deleg_creds = -1;
+ options->gss_enable_mitm = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -1102,6 +1109,8 @@
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
+ if (options->gss_enable_mitm == -1)
+ options->gss_enable_mitm = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
--- readconf.h
+++ readconf.h
@@ -45,6 +45,7 @@
/* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */
int gss_deleg_creds; /* Delegate GSS credentials */
+ int gss_enable_mitm; /* Enable old style gssapi auth */
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
--- servconf.c
+++ servconf.c
@@ -91,6 +91,7 @@
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
options->gss_cleanup_creds = -1;
+ options->gss_enable_mitm = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
@@ -206,6 +207,8 @@
options->gss_authentication = 0;
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
+ if (options->gss_enable_mitm == -1)
+ options->gss_enable_mitm = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
@@ -290,7 +293,7 @@
sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+ sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssEnableMITM,
sMatch, sPermitOpen, sForceCommand,
sUsePrivilegeSeparation,
sDeprecated, sUnsupported
@@ -351,9 +354,11 @@
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+ { "gssapienablemitmattack", sGssEnableMITM },
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapienablemitmattack", sUnsupported },
#endif
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_GLOBAL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_GLOBAL },
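Review bot: both new keyword entries omit the third field that every neighbouring entry carries (`SSHCFG_GLOBAL`); that flags word is what decides whether a keyword is accepted at top level and inside Match blocks, and with it left to zero-initialise the option is in neither set and may be rejected or silently misplaced. Write `{ "gssapienablemitmattack", sGssEnableMITM, SSHCFG_GLOBAL },` and the same for the sUnsupported entry. The server side also gets no documentation: the ssh_config hunk below adds a commented example and explanation, but nothing equivalent is added to sshd_config or sshd_config.5.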
@@ -877,6 +882,10 @@
case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds;
goto parse_flag;
+
+ case sGssEnableMITM:
+ intptr = &options->gss_enable_mitm;
+ goto parse_flag;

case sPasswordAuthentication:
intptr = &options->password_authentication;
--- servconf.h
+++ servconf.h
@@ -88,6 +88,7 @@
* authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
+ int gss_enable_mitm; /* If true, enable old style GSSAPI */
int password_authentication; /* If true, permit password
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
--- ssh_config
+++ ssh_config
@@ -53,3 +53,13 @@
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
+# GSSAPIAuthentication no
+# GSSAPIDelegateCredentials no
+
+# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
+# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
+# in this release. The use of 'gssapi' is deprecated due to the presence of
+# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
+# GSSAPIEnableMITMAttack no
+
+>>>>>>>
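Review bot: the last added line, `+>>>>>>>`, is a leftover merge-conflict marker that this patch writes into the shipped ssh_config; ssh will reject it as a bad configuration option, so drop it here rather than in a later patch. The new comment also says the deprecated mechanism is enabled "to OpenSSH 3.8p1", which no longer matches the 4.5p1 package this patch is applied to; reword it to refer to this release.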
--- sshconnect2.c
+++ sshconnect2.c
@@ -242,6 +242,10 @@
userauth_gssapi,
&options.gss_authentication,
NULL},
+ {"gssapi",
+ userauth_gssapi,
+ &options.gss_enable_mitm,
+ NULL},
#endif
{"hostbased",
userauth_hostbased,
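Review bot: the new method entry is switched on by `&options.gss_enable_mitm` alone, while the entry directly above it is switched on by `&options.gss_authentication`; with `GSSAPIAuthentication no` and `GSSAPIEnableMITMAttack yes` the client would therefore still offer the legacy "gssapi" method. Either require both flags for this entry or document that GSSAPIEnableMITMAttack implies GSSAPI authentication. Listing "gssapi" after "gssapi-with-mic" is right, since the client then prefers the MIC variant; a short comment saying so would keep the order from being "tidied" later.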
@@ -576,7 +580,9 @@

if (status == GSS_S_COMPLETE) {
/* send either complete or MIC, depending on mechanism */
- if (!(flags & GSS_C_INTEG_FLAG)) {
+
+ if (strcmp(authctxt->method->name,"gssapi")==0 ||
+ (!(flags & GSS_C_INTEG_FLAG))) {
packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
packet_send();
} else {
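Review bot: the new condition `+ if (strcmp(authctxt->method->name,"gssapi")==0 ||` makes the legacy method skip the MIC even when the context negotiated GSS_C_INTEG_FLAG; that is the intended behaviour of the old mechanism, but the comment above still says the choice depends only on the mechanism, so extend it to mention the method-name check. Style: OpenSSH puts spaces around `==` and after the comma, and the empty `+` line inserted before the `if` should go.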
--- sshd_config
+++ sshd_config
@@ -69,6 +69,13 @@
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

+# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
+# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
+# in this release. The use of 'gssapi' is deprecated due to the presence of
+# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
+#GSSAPIEnableMITMAttack no
+
+
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
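Review bot: the added comment says the deprecated 'gssapi' mechanism is enabled "to OpenSSH 3.8p1", which is confusing in a default sshd_config shipped with 4.5p1; reword it to refer to this release. The hunk also adds two empty `+` lines before the PAM comment, where the rest of the file separates sections with one.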
20
openssh-4.5p1-pam-fix2.diff
Normal file
@ -0,0 +1,20 @@
--- sshd_config
+++ sshd_config
@@ -53,7 +53,7 @@
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
@@ -78,7 +78,7 @@
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
-#UsePAM no
+UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
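Review bot: `+UsePAM yes` together with `+PasswordAuthentication no` from the first hunk does not disable password logins: as the comment in this very hunk states, PAM authentication is also reached through ChallengeResponseAuthentication, which is left at its default of yes, so sshd still accepts passwords via PAM keyboard-interactive. If the intent is only to route password handling through PAM, add a comment saying so; if the intent is to turn passwords off, `ChallengeResponseAuthentication no` is needed as well.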
13
openssh-4.5p1-pam-fix3.diff
Normal file
@ -0,0 +1,13 @@
--- auth-pam.c
+++ auth-pam.c
@@ -785,7 +785,9 @@
fatal("Internal error: PAM auth "
"succeeded when it should have "
"failed");
- import_environments(&buffer);
+#ifndef USE_POSIX_THREADS
+ import_environments(&buffer);
+#endif
*num = 0;
**echo_on = 0;
ctxt->pam_done = 1;
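Review bot: the `+#ifndef USE_POSIX_THREADS` guard around `import_environments(&buffer);` carries no comment explaining why the environment collected by the PAM conversation must not be imported in the threaded build, or where it is picked up instead; as written, that path silently discards it. Add a comment with the reason (and the bug reference, if any) above the `#ifndef`.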
62
openssh-4.5p1-pwname-home.diff
Normal file
@ -0,0 +1,62 @@
--- openssh-4.5p1/misc.c
+++ openssh-4.5p1/misc.c
@@ -186,6 +186,29 @@
return (old);
}

+struct passwd *getpwuid_wh(uid_t uid) {
+ /* Return the password structure by lookup of the username in $ENV{USER},
+ but only when the UID matches a lookup-by-uid so as to not allow using
+ another users' .ssh files in case this function be used in superuser
+ context. */
+
+ const char *user = getenv("USER");
+ struct passwd *pe_nam, *pe_uid;
+
+ if(user == NULL || (pe_nam = getpwnam(user)) == NULL) {
+ return getpwuid(uid);
+ }
+
+ pe_nam = pwcopy(pe_nam);
+ if((pe_uid = getpwuid(uid)) == NULL || pe_nam->pw_uid != pe_uid->pw_uid) {
+ free(pe_nam);
+ return pe_uid;
+ }
+
+ free(pe_nam); // - need to return a non-pwcopy struct
+ return getpwnam(user);
+}
+
struct passwd *
pwcopy(struct passwd *pw)
{
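Review bot: `+ free(pe_nam);` after `+ pe_nam = pwcopy(pe_nam);` frees only the struct; if pwcopy() duplicates the string members, as its name and the "need to return a non-pwcopy struct" remark suggest, every call of getpwuid_wh() leaks them. The copy exists only because the following getpwuid() may overwrite the static buffer returned by getpwnam(), so saving `pe_nam->pw_uid` in a local uid_t before that call would remove both the copy and the leak. The uid comparison does what the comment promises (no other user's .ssh files can be selected), but it deliberately lets $USER choose among accounts that share a uid; say so in the comment, since that is the point of the function. Style: `if(` needs a space, `//` comments are not used in this tree, and the function's opening brace belongs on its own line.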
@@ -524,7 +547,7 @@
user[slash] = '\0';
if ((pw = getpwnam(user)) == NULL)
fatal("tilde_expand_filename: No such user %s", user);
- } else if ((pw = getpwuid(uid)) == NULL) /* ~/path */
+ } else if ((pw = getpwuid_wh(uid)) == NULL) /* ~/path */
fatal("tilde_expand_filename: No such uid %d", uid);

if (strlcpy(ret, pw->pw_dir, sizeof(ret)) >= sizeof(ret))
--- openssh-4.5p1/misc.h
+++ openssh-4.5p1/misc.h
@@ -34,6 +34,7 @@
char *tohex(const void *, size_t);
void sanitise_stdfd(void);

+struct passwd *getpwuid_wh(uid_t);
struct passwd *pwcopy(struct passwd *);

typedef struct arglist arglist;
--- openssh-4.5p1/ssh.c
+++ openssh-4.5p1/ssh.c
@@ -249,7 +249,7 @@
}
#endif
/* Get user data. */
- pw = getpwuid(original_real_uid);
+ pw = getpwuid_wh(original_real_uid);
if (!pw) {
logit("You don't exist, go away!");
exit(255);
23
openssh-4.5p1-saveargv-fix.diff
Normal file
@ -0,0 +1,23 @@
--- sshd.c
+++ sshd.c
@@ -358,6 +358,7 @@
static void
sighup_restart(void)
{
+ int i;
logit("Received SIGHUP; restarting.");
close_listen_socks();
close_startup_pipes();
@@ -1317,7 +1318,11 @@
#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
compat_init_setproctitle(ac, av);
- av = saved_argv;
+
+ av = xmalloc(sizeof(*saved_argv) * (saved_argc + 1));
+ for (i = 0; i < saved_argc; i++)
+ av[i] = xstrdup(saved_argv[i]);
+ av[i] = NULL;
#endif

if (geteuid() == 0 && setgroups(0, NULL) == -1)
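Review bot: `+ int i;` is added to sighup_restart(), which does not use it anywhere in this hunk, while the loop `+ for (i = 0; i < saved_argc; i++)` sits in a different function in the second hunk; confirm that `i` is declared in that function's scope and drop the unused declaration, which will only produce a warning. The xstrdup()'d copies are never freed, which is fine if they must outlive compat_init_setproctitle()'s reuse of the original argv memory, but a one-line comment at the `xmalloc` would stop someone "fixing" the leak.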
25
openssh-4.5p1-send_locale.diff
Normal file
@ -0,0 +1,25 @@
--- ssh_config
+++ ssh_config
@@ -62,4 +62,7 @@
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
# GSSAPIEnableMITMAttack no

->>>>>>>
+# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5).
+SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+SendEnv LC_IDENTIFICATION LC_ALL
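Review bot: typo in `+# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5).`: "enviroment" should be "environment". The `->>>>>>>` line removed here is a merge-conflict marker introduced by openssh-4.5p1-gssapimitm.patch; it is cleaner to fix it in that patch than to undo it in this one.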
--- sshd_config
+++ sshd_config
@@ -112,6 +112,11 @@
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

+# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
+
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
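Review bot: same typo in the added comment, "enviroment" should be "environment". Since AcceptEnv lets the client set these variables in the login environment, limiting the list to LANG and the LC_* names, as done here, is the right scope; a comment noting that further names should not be added without thought would help whoever edits this next.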
71
openssh-4.5p1-strict-aliasing-fix.diff
Normal file
@ -0,0 +1,71 @@
--- readconf.c
+++ readconf.c
@@ -328,6 +328,7 @@
int opcode, *intptr, value, value2, scale;
long long orig, val64;
size_t len;
+ LogLevel *loglevelptr;
Forward fwd;

/* Strip trailing whitespace */
@@ -692,14 +693,14 @@
break;

case oLogLevel:
- intptr = (int *) &options->log_level;
+ loglevelptr = &options->log_level;
arg = strdelim(&s);
value = log_level_number(arg);
if (value == SYSLOG_LEVEL_NOT_SET)
fatal("%.200s line %d: unsupported log level '%s'",
filename, linenum, arg ? arg : "<NONE>");
- if (*activep && (LogLevel) *intptr == SYSLOG_LEVEL_NOT_SET)
- *intptr = (LogLevel) value;
+ if (*activep && *loglevelptr == SYSLOG_LEVEL_NOT_SET)
+ *loglevelptr = (LogLevel) value;
break;

case oLocalForward:
--- servconf.c
+++ servconf.c
@@ -622,6 +622,8 @@
{
char *cp, **charptr, *arg, *p;
int cmdline = 0, *intptr, value, n;
+ LogLevel *loglevelptr;
+ SyslogFacility *syslogfacilityptr;
ServerOpCodes opcode;
u_short port;
u_int i, flags = 0;
@@ -977,25 +979,25 @@
goto parse_flag;

case sLogFacility:
- intptr = (int *) &options->log_facility;
+ syslogfacilityptr = &options->log_facility;
arg = strdelim(&cp);
value = log_facility_number(arg);
if (value == SYSLOG_FACILITY_NOT_SET)
fatal("%.200s line %d: unsupported log facility '%s'",
filename, linenum, arg ? arg : "<NONE>");
- if (*intptr == -1)
- *intptr = (SyslogFacility) value;
+ if (*syslogfacilityptr == -1)
+ *syslogfacilityptr = (SyslogFacility) value;
break;

case sLogLevel:
- intptr = (int *) &options->log_level;
+ loglevelptr = &options->log_level;
arg = strdelim(&cp);
value = log_level_number(arg);
if (value == SYSLOG_LEVEL_NOT_SET)
fatal("%.200s line %d: unsupported log level '%s'",
filename, linenum, arg ? arg : "<NONE>");
- if (*intptr == -1)
- *intptr = (LogLevel) value;
+ if (*loglevelptr == -1)
+ *loglevelptr = (LogLevel) value;
break;

case sAllowTcpForwarding:
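Review bot: now that the pointers are typed, `+ if (*syslogfacilityptr == -1)` and `+ if (*loglevelptr == -1)` should compare against SYSLOG_FACILITY_NOT_SET and SYSLOG_LEVEL_NOT_SET, the constants the fatal() checks a few lines above already use and the readconf.c hunk of this same patch uses for the same test; comparing an enum with a bare -1 is the kind of implicit int conversion this patch is removing.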
22
openssh-4.5p1-tmpdir.diff
Normal file
@ -0,0 +1,22 @@
--- ssh-agent.c
+++ ssh-agent.c
@@ -1127,8 +1127,18 @@
parent_pid = getpid();

if (agentsocket == NULL) {
+ char *tmp1, *tmp;
+ char *tmp2 = "ssh-XXXXXXXXXX";
+ size_t len;
+
+ if ((tmp1 = getenv("TMPDIR")) == NULL)
+ tmp1 = "/tmp";
+ len = strlen(tmp1) + strlen(tmp2) + 1;
+ tmp = malloc(len);
+ snprintf(tmp, len, "%s%s%s", tmp1, tmp1 && strlen(tmp1) > 0 ? "/" : "", tmp2);
/* Create private directory for agent socket */
- strlcpy(socket_dir, "/tmp/ssh-XXXXXXXXXX", sizeof socket_dir);
+ strlcpy(socket_dir, tmp, sizeof socket_dir);
+ free(tmp);
if (mkdtemp(socket_dir) == NULL) {
perror("mkdtemp: private socket dir");
exit(1);
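Review bot: the buffer is one byte too short whenever the separator is added: `+ len = strlen(tmp1) + strlen(tmp2) + 1;` leaves no room for the "/" that the `%s%s%s` format inserts, so snprintf() truncates the default template to "/tmp/ssh-XXXXXXXXX" (one X lost); count the separator in `len`. Further: `tmp = malloc(len);` is unchecked where the rest of the tree uses xmalloc(); the `tmp1 &&` half of the test is dead because tmp1 was just defaulted to "/tmp", while the `strlen(tmp1) > 0` half makes an empty TMPDIR produce the relative template "ssh-XXXXXXXXXX", so mkdtemp() would create the socket directory in the current working directory (treat empty like unset); and `strlcpy(socket_dir, tmp, sizeof socket_dir)` silently truncates a long TMPDIR, so check its return value before mkdtemp().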
40
openssh-4.5p1-xauth.diff
Normal file
@ -0,0 +1,40 @@
--- session.c
+++ session.c
@@ -2250,8 +2250,37 @@
session_close(Session *s)
{
u_int i;
+ pid_t pid;
+ FILE *f = NULL;
+ char cmd[1024];
+ int do_xauth;
+ struct passwd * pw = s->pw;
+ do_xauth = s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;

debug("session_close: session %d pid %ld", s->self, (long)s->pid);
+
+ if (do_xauth && options.xauth_location != NULL) {
+
+ if ((pid = fork()) == 0) {
+ permanently_set_uid(pw);
+
+ /* Remove authority data from .Xauthority if appropriate. */
+ debug("Running %.500s remove %.100s\n",
+ options.xauth_location, s->auth_display);
+
+ snprintf(cmd, sizeof cmd, "unset XAUTHORITY && HOME=\"%.200s\" %s -q -",
+ s->pw->pw_dir, options.xauth_location);
+ f = popen(cmd, "w");
+ if (f) {
+ fprintf(f, "remove %s\n", s->auth_display);
+ pclose(f);
+ } else
+ error("Could not run %s\n", cmd);
+ exit(0);
+ }
+ }
+
+
if (s->ttyfd != -1)
session_pty_cleanup(s);
if (s->term)
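Review bot: `+ if ((pid = fork()) == 0) {` never handles fork() returning -1, the child finishes with `exit(0)` instead of `_exit()`, so it runs the parent's atexit handlers and flushes inherited stdio buffers, and nothing waits for the child. The command line `HOME=\"%.200s\"` interpolates pw_dir into a string handed to the shell by popen(), so a home directory containing a double quote or $ breaks the quoting; set HOME in the child's environment before popen() instead. Minor: `pw` is declared but the code still reaches for `s->pw->pw_dir`, and debug()/error() append their own newline, so the "\n" in their format strings is spurious.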
76
openssh-4.5p1-xauthlocalhostname.diff
Normal file
@ -0,0 +1,76 @@
--- session.c
+++ session.c
@@ -996,7 +996,7 @@
}

static char **
-do_setup_env(Session *s, const char *shell)
+do_setup_env(Session *s, const char *shell, int *env_size)
{
char buf[256];
u_int i, envsize;
@@ -1183,6 +1183,8 @@
for (i = 0; env[i]; i++)
fprintf(stderr, " %.200s\n", env[i]);
}
+
+ *env_size = envsize;
return env;
}

@@ -1191,7 +1193,7 @@
* first in this order).
*/
static void
-do_rc_files(Session *s, const char *shell)
+do_rc_files(Session *s, const char *shell, char **env, int *env_size)
{
FILE *f = NULL;
char cmd[1024];
@@ -1244,12 +1246,20 @@
options.xauth_location);
f = popen(cmd, "w");
if (f) {
+ char hostname[MAXHOSTNAMELEN];
+
fprintf(f, "remove %s\n",
s->auth_display);
fprintf(f, "add %s %s %s\n",
s->auth_display, s->auth_proto,
s->auth_data);
pclose(f);
+ if (gethostname(hostname,sizeof(hostname)) >= 0)
+ child_set_env(&env,env_size,"XAUTHLOCALHOSTNAME",
+ hostname);
+ else
+ debug("Cannot set up XAUTHLOCALHOSTNAME %s\n",
+ strerror(errno));
} else {
fprintf(stderr, "Could not run %s\n",
cmd);
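Review bot: `+ child_set_env(&env,env_size,"XAUTHLOCALHOSTNAME",` takes the address of do_rc_files()'s `env` parameter, which is a copy of the caller's pointer; if child_set_env() has to grow the array and reallocates it, do_child() continues with the old, freed `env`. Pass `char ***env` through do_rc_files() (the signature change in the @@ -1191 hunk is the place) or return the new pointer. The size is carried as `int *env_size` although do_setup_env() keeps it in `u_int envsize` (visible in the @@ -996 hunk), so the types should match. Also gethostname() need not NUL-terminate on truncation, so terminate `hostname` explicitly, and drop the "\n" from the debug() format.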
@@ -1469,6 +1479,7 @@
{
extern char **environ;
char **env;
+ int env_size;
char *argv[10];
const char *shell, *shell0, *hostname = NULL;
struct passwd *pw = s->pw;
@@ -1534,7 +1545,7 @@
* Make sure $SHELL points to the shell from the password file,
* even if shell is overridden from login.conf
*/
- env = do_setup_env(s, shell);
+ env = do_setup_env(s, shell, &env_size);

#ifdef HAVE_LOGIN_CAP
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
@@ -1596,7 +1607,7 @@
}

if (!options.use_login)
- do_rc_files(s, shell);
+ do_rc_files(s, shell, env, &env_size);

/* restore SIGPIPE for child */
signal(SIGPIPE, SIG_DFL);
45
openssh-4.5p1.dif
Normal file
@ -0,0 +1,45 @@
--- ssh_config
+++ ssh_config
@@ -17,9 +17,20 @@
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

-# Host *
+Host *
# ForwardAgent no
# ForwardX11 no
+
+# If you do not trust your remote host (or its administrator), you
+# should not forward X11 connections to your local X11-display for
+# security reasons: Someone stealing the authentification data on the
+# remote side (the "spoofed" X-server by the remote sshd) can read your
+# keystrokes as you type, just like any other X11 client could do.
+# Set this to "no" here for global effect or in your own ~/.ssh/config
+# file if you want to have the remote X11 authentification data to
+# expire after two minutes after remote login.
+ForwardX11Trusted yes
+
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
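Review bot: "authentification" appears twice in the added comment and should be "authentication". Uncommenting `+Host *` and adding `+ForwardX11Trusted yes` makes every forwarded X11 connection trusted by default, the very risk the comment describes; the last sentence also reads as if setting it to "no" only affects credential expiry, whereas the point of untrusted forwarding is that the remote X client is confined by the X SECURITY extension. Say plainly that this is a deliberate distribution default and that users should set it to no for hosts they do not trust.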
--- sshd_config
+++ sshd_config
@@ -82,7 +82,7 @@

#AllowTcpForwarding yes
#GatewayPorts no
-#X11Forwarding no
+X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
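Review bot: `+X11Forwarding yes` changes the upstream default for every user of this server; the unchanged context line `#X11UseLocalhost yes` shows the mitigation stays in place, but a one-line comment stating why the distribution turns forwarding on would help anyone auditing the default sshd_config.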
--- sshlogin.c
+++ sshlogin.c
@@ -126,6 +126,7 @@

li = login_alloc_entry(pid, user, host, tty);
login_set_addr(li, addr, addrlen);
+ li->uid=uid;
login_login(li);
login_free_entry(li);
}
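Review bot: `+ li->uid=uid;` needs spaces around `=` in OpenSSH style, and the hunk does not show where `uid` is declared; confirm it is the uid of the user being logged in that this function receives, not a global left over from an earlier session.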
3
openssh-4.5p1.tar.bz2
Normal file
@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1b2826c2c9b94cd2c2c441a3acf2b0f954b8556a0db6aa938cac13c44504e186
size 776871
3
openssh-SuSE.tar.bz2
Normal file
@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f183c56221e52c71a00058675d9e94e1e34668b266d8a11c02cf4e91a151d65b
size 1914
84
openssh-askpass-gnome.changes
Normal file
@ -0,0 +1,84 @@
-------------------------------------------------------------------
Tue Dec 12 14:44:41 CET 2006 - anicka@suse.cz

- update to 4.5p1
* Use privsep_pw if we have it, but only require it if we
absolutely need it.
* Correctly check for bad signatures in the monitor, otherwise
the monitor and the unpriv process can get out of sync.
* Clear errno before calling the strtol functions.
* exit instead of doing a blocking tcp send if we detect
a client/server timeout, since the tcp sendqueue might
be already full (of alive requests)
* include signal.h, errno.h, sys/in.h
* some more bugfixes

-------------------------------------------------------------------
Wed Oct 4 12:56:40 CEST 2006 - postadal@suse.cz

- updated to version 4.4p1 [#208662]
* fixed pre-authentication DoS, that would cause sshd(8) to spin
until the login grace time expired
* fixed unsafe signal handler, which was vulnerable to a race condition
that could be exploited to perform a pre-authentication DoS
* fixed a GSSAPI authentication abort that could be used to determine
the validity of usernames on some platforms
* implemented conditional configuration in sshd_config(5) using the
"Match" directive
* added support for Diffie-Hellman group exchange key agreement with a
final hash of SHA256
* added a "ForceCommand", "PermitOpen" directive to sshd_config(5)
* added optional logging of transactions to sftp-server(8)
* ssh(1) will now record port numbers for hosts stored in
~/.ssh/authorized_keys when a non-standard port has been requested
* added an "ExitOnForwardFailure" option to cause ssh(1) to exit (with
a non-zero exit code) when requested port forwardings could not be
established
* extended sshd_config(5) "SubSystem" declarations to allow the
specification of command-line arguments
- removed obsoleted patches: autoconf-fix.patch

-------------------------------------------------------------------
Tue Jul 25 13:40:10 CEST 2006 - schwab@suse.de

- Fix syntax error in configure script.

-------------------------------------------------------------------
Wed Jan 25 21:39:06 CET 2006 - mls@suse.de

- converted neededforbuild to BuildRequires

-------------------------------------------------------------------
Tue Jan 3 15:54:49 CET 2006 - postadal@suse.cz

- updated to version 4.2p1
- removed obsoleted patches: upstream_fixes.diff, gssapi-secfix.patch

-------------------------------------------------------------------
Thu Sep 8 16:20:06 CEST 2005 - postadal@suse.cz

- don't strip

-------------------------------------------------------------------
Thu Aug 4 11:30:18 CEST 2005 - uli@suse.de

- parallelize build

-------------------------------------------------------------------
Fri Jun 10 16:24:22 CEST 2005 - postadal@suse.cz

- updated to version 4.1p1
- removed obsoleted patches: restore_terminal, pam-returnfromsession,
timing-attacks-fix, krb5ccname, gssapi-pam, logdenysource,
sendenv-fix, documentation-fix

-------------------------------------------------------------------
Wed Jan 19 18:25:29 CET 2005 - postadal@suse.cz

- renamed askpass-gnome package to openssh-askpass-gnome

-------------------------------------------------------------------
Wed Jan 19 15:58:07 CET 2005 - postadal@suse.cz

- split spec file to decrease number of build dependencies
167
openssh-askpass-gnome.spec
Normal file
@ -0,0 +1,167 @@
#
# spec file for package openssh-askpass-gnome (Version 4.5p1)
#
# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

# norootforbuild

Name: openssh-askpass-gnome
BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files
License: Other License(s), see package
Group: Productivity/Networking/SSH
Version: 4.5p1
Release: 11
Requires: openssh = %{version} openssh-askpass = %{version}
Autoreqprov: on
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
URL: http://www.openssh.com/
%define _name openssh
Source: %{_name}-%{version}.tar.bz2
Patch: %{_name}-%{version}.dif
Patch15: %{_name}-%{version}-pam-fix2.diff
Patch17: %{_name}-%{version}-strict-aliasing-fix.diff
Patch18: %{_name}-%{version}-saveargv-fix.diff
Patch19: %{_name}-%{version}-pam-fix3.diff
Patch21: %{_name}-%{version}-gssapimitm.patch
Patch26: %{_name}-%{version}-eal3.diff
Patch27: %{_name}-%{version}-engines.diff
Patch28: %{_name}-%{version}-blocksigalrm.diff
Patch42: %{_name}-gssapi_krb5-fix.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build

%description
SSH (Secure Shell) is a program for logging into a remote machine and
for executing commands on a remote machine. This package contains a
GNOME-based passphrase dialog for OpenSSH.



Authors:
--------
Aaron Campbell
Bob Beck
Markus Friedl
Niels Provos
Theo de Raadt
Dug Song
Ben Taylor <bent@clark.net>
Chip Salzenberg <chip@valinux.com>
Chris Saia <csaia@wtower.com>
Dan Brosemer <odin@linuxfreak.com>
Jim Knoble <jmknoble@pobox.com>
Marc G. Fournier <marc.fournier@acadiau.ca>
Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Niels Kristian Bech Jensen <nkbj@image.dk>
Phil Hands <phil@hands.com>
Thomas Neumann <tom@smart.ruhr.de>
Tudor Bosman <tudorb@jm.nu>
Damien Miller <djm@ibs.com.au>

%define prefix /usr
%prep
%setup -q -n %{_name}-%{version}
%patch
%patch15
%patch17
%patch18
%patch19
%patch21
%patch26 -p1
%patch27 -p1
%patch28
%patch42

%build
%{?suse_update_config:%{suse_update_config}}
aclocal
autoheader
autoconf
CFLAGS="$RPM_OPT_FLAGS" CXXFLAGS="$RPM_OPT_FLAGS" \
./configure \
--mandir=%{_mandir} \
--prefix=%{prefix} \
--infodir=%{_infodir} \
--sysconfdir=/etc/ssh \
--libexecdir=%{prefix}/%_lib/ssh \
--with-tcp-wrappers \
--with-pam \
--with-kerberos5=/usr \
--with-privsep-path=/var/lib/empty \
--with-opensc \
--disable-strip \
--target=%{_target_cpu}-suse-linux
cd contrib
make %{?jobs:-j%jobs} gnome-ssh-askpass2
mv gnome-ssh-askpass2 gnome-ssh-askpass

%install
install -d -m 755 $RPM_BUILD_ROOT/usr/%_lib/ssh/
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT/usr/%_lib/ssh/gnome-ssh-askpass

%clean
rm -rf $RPM_BUILD_ROOT

%files
%defattr(-,root,root)
%attr(0755,root,root) /usr/%_lib/ssh/gnome-ssh-askpass

%changelog -n openssh-askpass-gnome
* Tue Dec 12 2006 - anicka@suse.cz
- update to 4.5p1
* Use privsep_pw if we have it, but only require it if we
absolutely need it.
* Correctly check for bad signatures in the monitor, otherwise
the monitor and the unpriv process can get out of sync.
* Clear errno before calling the strtol functions.
* exit instead of doing a blocking tcp send if we detect
a client/server timeout, since the tcp sendqueue might
be already full (of alive requests)
* include signal.h, errno.h, sys/in.h
* some more bugfixes
* Wed Oct 04 2006 - postadal@suse.cz
- updated to version 4.4p1 [#208662]
* fixed pre-authentication DoS, that would cause sshd(8) to spin
until the login grace time expired
* fixed unsafe signal handler, which was vulnerable to a race condition
that could be exploited to perform a pre-authentication DoS
* fixed a GSSAPI authentication abort that could be used to determine
the validity of usernames on some platforms
* implemented conditional configuration in sshd_config(5) using the
"Match" directive
* added support for Diffie-Hellman group exchange key agreement with a
final hash of SHA256
* added a "ForceCommand", "PermitOpen" directive to sshd_config(5)
* added optional logging of transactions to sftp-server(8)
* ssh(1) will now record port numbers for hosts stored in
~/.ssh/authorized_keys when a non-standard port has been requested
* added an "ExitOnForwardFailure" option to cause ssh(1) to exit (with
a non-zero exit code) when requested port forwardings could not be
established
* extended sshd_config(5) "SubSystem" declarations to allow the
specification of command-line arguments
- removed obsoleted patches: autoconf-fix.patch
* Tue Jul 25 2006 - schwab@suse.de
- Fix syntax error in configure script.
* Wed Jan 25 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
* Tue Jan 03 2006 - postadal@suse.cz
- updated to version 4.2p1
- removed obsoleted patches: upstream_fixes.diff, gssapi-secfix.patch
* Thu Sep 08 2005 - postadal@suse.cz
- don't strip
* Thu Aug 04 2005 - uli@suse.de
- parallelize build
* Fri Jun 10 2005 - postadal@suse.cz
- updated to version 4.1p1
- removed obsoleted patches: restore_terminal, pam-returnfromsession,
timing-attacks-fix, krb5ccname, gssapi-pam, logdenysource,
sendenv-fix, documentation-fix
* Wed Jan 19 2005 - postadal@suse.cz
- renamed askpass-gnome package to openssh-askpass-gnome
* Wed Jan 19 2005 - postadal@suse.cz
- split spec file to decrease number of build dependencies
18
openssh-gssapi_krb5-fix.patch
Normal file
@ -0,0 +1,18 @@
--- configure.ac
+++ configure.ac
@@ -3220,7 +3220,14 @@
K5LIBS="-lgssapi $K5LIBS" ],
[ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context,
[ AC_DEFINE(GSSAPI)
- K5LIBS="-lgssapi_krb5 $K5LIBS" ],
+ K5LIBS="-lgssapi_krb5 $K5LIBS" ]
+ AC_CHECK_LIB(gssapi_krb5, gss_krb5_copy_ccache, [
+ K5LIBS="-lgssapi_krb5 $K5LIBS"
+ ], [
+ AC_MSG_WARN([Cannot find -lgssapi_krb5 with gss_krb5_copy_ccache()])
+ ],
+ $K5LIBS
+ ),
AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]),
$K5LIBS)
],
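Review bot: the nested `+ AC_CHECK_LIB(gssapi_krb5, gss_krb5_copy_ccache, [` runs only inside the branch that has already added -lgssapi_krb5, so on success it appends the same library a second time and on failure it only warns without defining anything the code could test; if the aim is to know whether gss_krb5_copy_ccache() is available, the check should AC_DEFINE a feature macro. Also, dropping the comma after `K5LIBS="-lgssapi_krb5 $K5LIBS" ]` makes the action-if-found the juxtaposition of a quoted block and an unquoted macro call; m4 accepts that, but quoting the whole action keeps it readable.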
1033
openssh.changes
Normal file
File diff suppressed because it is too large
812
openssh.spec
Normal file
812
openssh.spec
Normal file
@ -0,0 +1,812 @@
#
# spec file for package openssh (Version 4.5p1)
#
# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

# norootforbuild

Name: openssh
%define _prefix %(xft-config --prefix)
%if "%{_prefix}" == "/usr/X11R6"
%define _mandir %{_prefix}/man
%define _appdefdir %{_prefix}/lib/X11/app-defaults
%else
%define _appdefdir %{_prefix}/share/X11/app-defaults
%endif
BuildRequires: krb5-devel opensc-devel openssl-devel pam-devel tcpd-devel xorg-x11-devel
License: BSD License and BSD-like, X11/MIT
Group: Productivity/Networking/SSH
Obsoletes: ssh
Provides: ssh
Requires: /bin/netstat
PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_prereq /bin/mkdir /bin/cat permissions
Conflicts: nonfreessh
Autoreqprov: on
Version: 4.5p1
Release: 11
%define xversion 1.2.4.1
Summary: Secure Shell Client and Server (Remote Login Program)
URL: http://www.openssh.com/
Source: %{name}-%{version}.tar.bz2
Source1: %{name}-SuSE.tar.bz2
Source2: sshd.pamd
Source3: x11-ssh-askpass-%{xversion}.tar.bz2
Source4: README.SuSE
Source5: converter.tar.bz2
Source6: README.kerberos
Source7: ssh.reg
Source8: ssh-askpass
Patch: %{name}-%{version}.dif
Patch1: %{name}-%{version}-addrlist.dif
Patch12: %{name}-%{version}-askpass-fix.diff
Patch15: %{name}-%{version}-pam-fix2.diff
Patch17: %{name}-%{version}-strict-aliasing-fix.diff
Patch18: %{name}-%{version}-saveargv-fix.diff
Patch19: %{name}-%{version}-pam-fix3.diff
Patch21: %{name}-%{version}-gssapimitm.patch
Patch26: %{name}-%{version}-eal3.diff
Patch27: %{name}-%{version}-engines.diff
Patch28: %{name}-%{version}-blocksigalrm.diff
Patch35: %{name}-%{version}-send_locale.diff
Patch36: %{name}-%{version}-xauthlocalhostname.diff
Patch37: %{name}-%{version}-tmpdir.diff
Patch38: %{name}-%{version}-pwname-home.diff
Patch40: %{name}-%{version}-xauth.diff
Patch41: %{name}-%{version}-gcc-fix.patch
Patch42: %{name}-gssapi_krb5-fix.patch
Patch43: %{name}-%{version}-default-protocol.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%package askpass
Summary: A passphrase dialog for OpenSSH and the X Window System
Requires: openssh = %{version}
Provides: openssh:/usr/%_lib/ssh/ssh-askpass
Group: Productivity/Networking/SSH

%description
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It is intended to replace rlogin and rsh and
provides secure encrypted communication between two untrusted hosts
over an insecure network. X Window System connections and arbitrary
TCP/IP ports can also be forwarded over the secure channel.



Authors:
--------
    Aaron Campbell
    Bob Beck
    Markus Friedl
    Niels Provos
    Theo de Raadt
    Dug Song
    Ben Taylor <bent@clark.net>
    Chip Salzenberg <chip@valinux.com>
    Chris Saia <csaia@wtower.com>
    Dan Brosemer <odin@linuxfreak.com>
    Jim Knoble <jmknoble@pobox.com>
    Marc G. Fournier <marc.fournier@acadiau.ca>
    Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
    Niels Kristian Bech Jensen <nkbj@image.dk>
    Phil Hands <phil@hands.com>
    Thomas Neumann <tom@smart.ruhr.de>
    Tudor Bosman <tudorb@jm.nu>
    Damien Miller <djm@ibs.com.au>


%description askpass
Ssh (Secure Shell) is a program for logging into a remote machine and
for executing commands on a remote machine. This package contains an X
Window System passphrase dialog for OpenSSH.



Authors:
--------
    Aaron Campbell
    Bob Beck
    Markus Friedl
    Niels Provos
    Theo de Raadt
    Dug Song
    Ben Taylor <bent@clark.net>
    Chip Salzenberg <chip@valinux.com>
    Chris Saia <csaia@wtower.com>
    Dan Brosemer <odin@linuxfreak.com>
    Jim Knoble <jmknoble@pobox.com>
    Marc G. Fournier <marc.fournier@acadiau.ca>
    Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
    Niels Kristian Bech Jensen <nkbj@image.dk>
    Phil Hands <phil@hands.com>
    Thomas Neumann <tom@smart.ruhr.de>
    Tudor Bosman <tudorb@jm.nu>
    Damien Miller <djm@ibs.com.au>

%define prefix /usr
%prep
%setup -q -b 3 -a 1 -a 5
%patch
%patch1
%patch15
%patch17
%patch18
%patch19
%patch21
%patch26 -p1
%patch27 -p1
%patch28
%patch35
%patch36
%patch37
%patch38 -p1
%patch40
%patch41
%patch42
%patch43
cp -v %{SOURCE4} .
cp -v %{SOURCE6} .
cd ../x11-ssh-askpass-%{xversion}
%patch12

%build
%if "%{_prefix}" != "/usr/X11R6"
for i in configure.ac Makefile.in pathnames.h ssh_config.0 ssh_config.5 sshd_config.0 sshd_config.5 ; do
sed -i -e 's@%{_prefix}@/usr@g' $i
done
%endif
%{?suse_update_config:%{suse_update_config}}
aclocal
autoheader
autoconf
%ifarch s390 s390x
PIEFLAGS="-fPIE"
%else
PIEFLAGS="-fpie"
%endif
#Obsoleted CFLAGS="-DUSE_POSIX_THREADS $RPM_OPT_FLAGS" CXXFLAGS="-DUSE_POSIX_THREADS $RPM_O \
#Obsoleted LDFLAGS="-lpthread" \
LDFLAGS="-pie" CFLAGS="$RPM_OPT_FLAGS $PIEFLAGS -fstack-protector" CXXFLAGS="$RPM_OPT_FLAGS $PIEFLAGS -fstack-protector" \
./configure \
--mandir=%{_mandir} \
--prefix=%{prefix} \
--infodir=%{_infodir} \
--sysconfdir=/etc/ssh \
--libexecdir=%{prefix}/%_lib/ssh \
--with-tcp-wrappers \
--with-pam \
--with-kerberos5=/usr \
--with-privsep-path=/var/lib/empty \
%ifnarch s390 s390x
--with-opensc \
%endif
--disable-strip \
--with-xauth=%{_prefix}/bin/xauth \
--target=%{_target_cpu}-suse-linux
# --with-afs=/usr \
make %{?jobs:-j%jobs}
(cd converter; make %{?jobs:-j%jobs})
cd contrib
cd ../../x11-ssh-askpass-%{xversion}
CFLAGS="$RPM_OPT_FLAGS" CXXFLAGS="$RPM_OPT_FLAGS"
./configure \
--mandir=%{_mandir} \
--prefix=%{_prefix} \
--libexecdir=%{prefix}/%_lib/ssh
xmkmf
make includes USRLIBDIR=%_prefix/%_lib
make %{?jobs:-j%jobs} USRLIBDIR=%_prefix/%_lib CCOPTIONS="$RPM_OPT_FLAGS"

%install
make DESTDIR=$RPM_BUILD_ROOT/ install
install -d -m 755 $RPM_BUILD_ROOT/etc/pam.d
install -d -m 755 $RPM_BUILD_ROOT/var/lib/sshd
install -m 644 %{S:2} $RPM_BUILD_ROOT/etc/pam.d/sshd
install -d -m 755 $RPM_BUILD_ROOT/etc/slp.reg.d/
install -m 644 %{S:7} $RPM_BUILD_ROOT/etc/slp.reg.d/
cp -a SuSE/* $RPM_BUILD_ROOT
# install shell script to automate the process of adding your public key to a remote machine
install -m 755 contrib/ssh-copy-id $RPM_BUILD_ROOT/usr/bin
install -m 644 contrib/ssh-copy-id.1 $RPM_BUILD_ROOT/%{_mandir}/man1
(cd converter; make install DESTDIR=$RPM_BUILD_ROOT/)
cd ../x11-ssh-askpass-%{xversion}
make BINDIR=/usr/%_lib/ssh DESTDIR=$RPM_BUILD_ROOT install install.man
rm -rf $RPM_BUILD_ROOT/usr/%_lib/ssh/ssh-askpass
sed -e "s@usr/lib/ssh@usr/%_lib/ssh@" < %{S:8} > $RPM_BUILD_ROOT/usr/%_lib/ssh/ssh-askpass
rm -f $RPM_BUILD_ROOT/usr/share/Ssh.bin
sed -i -e s@/usr/libexec@/usr/%{_lib}@g $RPM_BUILD_ROOT/etc/ssh/sshd_config

%pre
/usr/sbin/groupadd -g 65 -o -r sshd 2> /dev/null || :
/usr/sbin/useradd -r -o -g sshd -u 71 -s /bin/false -c "SSH daemon" -d /var/lib/sshd sshd 2> /dev/null || :

%post
%{fillup_and_insserv -n -s -y ssh sshd START_SSHD}
%run_permissions

%verifyscript
%verify_permissions -e /etc/ssh/sshd_config -e /etc/ssh/ssh_config -e /usr/bin/ssh

%preun
%stop_on_removal sshd

%postun
%restart_on_update sshd
%{insserv_cleanup}

%clean
rm -rf $RPM_BUILD_ROOT

%files
%defattr(-,root,root)
%dir %attr(755,root,root) /var/lib/sshd
%doc README.SuSE README.kerberos ChangeLog OVERVIEW README RFC.nroff TODO LICENCE CREDITS
%attr(0755,root,root) %dir /etc/ssh
%attr(0600,root,root) %config(noreplace) /etc/ssh/moduli
%verify(not mode) %attr(0644,root,root) %config(noreplace) /etc/ssh/ssh_config
%verify(not mode) %attr(0640,root,root) %config(noreplace) /etc/ssh/sshd_config
%attr(0644,root,root) %config /etc/pam.d/sshd
%attr(0755,root,root) %config /etc/init.d/sshd
%attr(0755,root,root) /usr/bin/ssh
/usr/bin/scp
/usr/bin/sftp
/usr/bin/slogin
/usr/bin/ssh-*
/usr/sbin/*
%attr(444,root,root) %doc %{_mandir}/man1/scp.1.gz
%attr(444,root,root) %doc %{_mandir}/man1/ssh-keygen.1.gz
%attr(444,root,root) %doc /usr/share/man/man1/ssh-keyconverter.1.gz
%attr(444,root,root) %doc %{_mandir}/man1/ssh.1.gz
%attr(444,root,root) %doc %{_mandir}/man1/slogin.1.gz
%attr(444,root,root) %doc %{_mandir}/man1/ssh-agent.1*
%attr(444,root,root) %doc %{_mandir}/man1/ssh-add.1*
%attr(444,root,root) %doc %{_mandir}/man1/ssh-keyscan.1*
%attr(444,root,root) %doc %{_mandir}/man1/sftp.1*
%attr(444,root,root) %doc %{_mandir}/man1/ssh-copy-id.1*
%attr(444,root,root) %doc %{_mandir}/man5/*
%attr(444,root,root) %doc %{_mandir}/man8/*
%attr(0755,root,root) %dir /usr/%_lib/ssh
%attr(0755,root,root) /usr/%_lib/ssh/sftp-server
%attr(0755,root,root) /usr/%_lib/ssh/ssh-keysign
%dir /etc/slp.reg.d
/etc/slp.reg.d/ssh.reg
/var/adm/fillup-templates/sysconfig.ssh

%files askpass
%defattr(-,root,root)
%attr(0755,root,root) /usr/%_lib/ssh/ssh-askpass
%attr(0755,root,root) /usr/%_lib/ssh/x11-ssh-askpass
%doc %_mandir/man1/ssh-askpass.1x.gz
%doc %_mandir/man1/x11-ssh-askpass.1x.gz
%config %_appdefdir/SshAskpass

%changelog -n openssh
* Sat Jan 06 2007 - anicka@suse.cz
- disable SSHv1 protocol in default configuration [#231808]
* Tue Dec 12 2006 - anicka@suse.cz
- update to 4.5p1
  * Use privsep_pw if we have it, but only require it if we
    absolutely need it.
  * Correctly check for bad signatures in the monitor, otherwise
    the monitor and the unpriv process can get out of sync.
  * Clear errno before calling the strtol functions.
  * exit instead of doing a blocking tcp send if we detect
    a client/server timeout, since the tcp sendqueue might
    be already full (of alive requests)
  * include signal.h, errno.h, sys/in.h
  * some more bugfixes
* Wed Nov 22 2006 - anicka@suse.cz
- fixed README.SuSE [#223025]
* Thu Nov 09 2006 - anicka@suse.cz
- backport security fixes from openssh 4.5 (#219115)
* Tue Nov 07 2006 - ro@suse.de
- fix manpage permissions
* Tue Oct 31 2006 - anicka@suse.cz
- fix gssapi_krb5-fix patch [#215615]
- fix xauth patch
* Tue Oct 10 2006 - postadal@suse.cz
- fixed building openssh from src.rpm [#176528] (gssapi_krb5-fix.patch)
* Tue Oct 03 2006 - postadal@suse.cz
- updated to version 4.4p1 [#208662]
  * fixed pre-authentication DoS, that would cause sshd(8) to spin
    until the login grace time expired
  * fixed unsafe signal handler, which was vulnerable to a race condition
    that could be exploited to perform a pre-authentication DoS
  * fixed a GSSAPI authentication abort that could be used to determine
    the validity of usernames on some platforms
  * implemented conditional configuration in sshd_config(5) using the
    "Match" directive
  * added support for Diffie-Hellman group exchange key agreement with a
    final hash of SHA256
  * added a "ForceCommand", "PermitOpen" directive to sshd_config(5)
  * added optional logging of transactions to sftp-server(8)
  * ssh(1) will now record port numbers for hosts stored in
    ~/.ssh/authorized_keys when a non-standard port has been requested
  * added an "ExitOnForwardFailure" option to cause ssh(1) to exit (with
    a non-zero exit code) when requested port forwardings could not be
    established
  * extended sshd_config(5) "SubSystem" declarations to allow the
    specification of command-line arguments
- removed obsoleted patches: autoconf-fix.patch, dos-fix.patch
- fixed gcc issues (gcc-fix.patch)
* Wed Sep 20 2006 - postadal@suse.cz
- fixed DoS by CRC compensation attack detector [#206917] (dos-fix.patch)
- fixed client NULL deref on protocol error
- cosmetic fix in init script [#203826]
* Fri Sep 01 2006 - kukuk@suse.de
- sshd.pamd: Add pam_loginuid, move pam_nologin to a better position
* Fri Aug 25 2006 - postadal@suse.cz
- fixed path for xauth [#198676]
* Thu Aug 03 2006 - postadal@suse.cz
- fixed build with X11R7
* Thu Jul 20 2006 - postadal@suse.cz
- updated to version 4.3p2
  * experimental support for tunneling network packets via tun(4)
- removed obsoleted patches: pam-error.patch, CVE-2006-0225.patch,
  scp.patch, sigalarm.patch
* Mon Feb 13 2006 - postadal@suse.cz
- upstream fixes
- fixed "scp a b c", when c is not directory (scp.patch)
- eliminate some code duplicated in privsep and non-privsep paths, and
  explicitly clear SIGALRM handler (sigalarm.patch)
* Fri Feb 03 2006 - postadal@suse.cz
- fixed local arbitrary command execution vulnerability [#143435]
  (CVE-2006-0225.patch)
* Thu Feb 02 2006 - postadal@suse.cz
- fixed xauth.diff for disabled UsePrivilegeSeparation mode [#145809]
- build on s390 without Smart card support (opensc) [#147383]
* Mon Jan 30 2006 - postadal@suse.cz
- fixed patch xauth.diff [#145809]
- fixed comments [#142989]
* Wed Jan 25 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
* Mon Jan 16 2006 - meissner@suse.de
- added -fstack-protector.
* Tue Jan 03 2006 - postadal@suse.cz
- updated to version 4.2p1
- removed obsoleted patches: upstream_fixes.diff, gssapi-secfix.patch
* Tue Nov 15 2005 - postadal@suse.cz
- do not delegate GSSAPI credentials to log in with a different method
  than GSSAPI [#128928] (CAN-2005-2798, gssapi-secfix.patch)
* Sun Oct 23 2005 - postadal@suse.cz
- fixed PAM to send authentication failing message to client [#130043]
  (pam-error.patch)
* Wed Sep 14 2005 - postadal@suse.cz
- fixed uninitialized variable in patch xauth.diff [#98815]
* Thu Sep 08 2005 - postadal@suse.cz
- don't strip
* Mon Sep 05 2005 - postadal@suse.cz
- added patch xauth.diff prevent from polluting xauthority file [#98815]
* Mon Aug 22 2005 - postadal@suse.cz
- fixed problem when multiple accounts have same UID [#104773]
  (pwname-home.diff)
- added fixes from upstream (upstream_fixes.diff)
* Thu Aug 18 2005 - postadal@suse.cz
- added patch tmpdir.diff for using $TMPDIR by ssh-agent [#95731]
* Thu Aug 04 2005 - uli@suse.de
- parallelize build
* Mon Aug 01 2005 - postadal@suse.cz
- added patch resolving problems with hostname changes [#98627]
  (xauthlocalhostname.diff)
* Wed Jun 22 2005 - kukuk@suse.de
- Compile/link with -fpie/-pie
* Wed Jun 15 2005 - meissner@suse.de
- build x11-ask-pass with RPM_OPT_FLAGS.
* Fri Jun 10 2005 - postadal@suse.cz
- updated to version 4.1p1
- removed obsoleted patches: restore_terminal, pam-returnfromsession,
  timing-attacks-fix, krb5ccname, gssapi-pam, logdenysource,
  sendenv-fix, documentation-fix
* Thu Mar 10 2005 - postadal@suse.cz
- fixed SendEnv config parsing bug
- documented timeout on untrusted x11 forwarding sessions (openssh#849)
- mentioned ForwardX11Trusted in ssh.1 (openssh#987)
* Thu Mar 03 2005 - postadal@suse.cz
- enabled accepting and sending locale environment variables in protocol 2
  [#65747, #50091]
* Thu Feb 24 2005 - postadal@suse.cz
- added patches from cvs: gssapi-pam (openssh#918),
  krb5ccname (openssh#445), logdenysource (openssh#909)
* Thu Feb 03 2005 - postadal@suse.cz
- fixed keyboard-interactive/pam/Kerberos leaks info about user existence
  [#48329] (openssh#971, CAN-2003-0190)
* Wed Jan 19 2005 - postadal@suse.cz
- split spec file to decrease number of build dependencies
- fixed restoring terminal setting after Ctrl+C during password prompt in scp/sftp [#43309]
- allowed users to see output from failing PAM session modules (openssh #890,
  pam-returnfromsession.patch)
* Mon Nov 08 2004 - kukuk@suse.de
- Use common-* PAM config files for sshd PAM configuration
* Mon Oct 25 2004 - postadal@suse.cz
- switched heimdal-* to kerberos-devel-packages in #needforbuild
* Fri Sep 03 2004 - ro@suse.de
- fix lib64 issue
* Tue Aug 31 2004 - postadal@suse.cz
- updated to version 3.9p1
- removed obsoleted patches: scp-fix.diff and window_change-fix.diff
* Thu Aug 26 2004 - postadal@suse.cz
- added openssh-askpass-gnome subpackage
- added ssh-askpass script for choosing askpass depending on windowmanager
  (by Robert Love <rml@novell.com>)
- build with Smart card support (opensc) [#44289]
* Tue Aug 17 2004 - postadal@suse.cz
- removed old implementation of "Update Messages" [#36059]
* Thu Aug 12 2004 - postadal@suse.cz
- updated to version 3.8p1
- removed obsoleted patches: sftp-progress-fix and pam-fix4
* Mon Jun 28 2004 - meissner@suse.de
- block sigalarm during syslog output or we might deadlock
  on recursively entering syslog(). (LTC#9523, SUSE#42354)
* Wed May 26 2004 - postadal@suse.cz
- fixed commented default value for GSSAPI
* Thu May 20 2004 - mludvig@suse.cz
- Load drivers for available hardware crypto accelerators.
* Fri Apr 30 2004 - postadal@suse.cz
- updated README.kerberos (GSSAPICleanupCreds renamed to GSSAPICleanupCredentials)
* Mon Apr 19 2004 - postadal@suse.cz
- updated README.SuSE (GSSAPICleanupCreds renamed to GSSAPICleanupCredentials)
  [#39010]
* Fri Mar 26 2004 - postadal@suse.cz
- fixed sshd(8) and sshd_config(5) man pages (EAL3)
- fixed spelling errors in README.SuSE [#37086]
* Thu Mar 25 2004 - postadal@suse.cz
- fixed change window request [#33177]
* Mon Mar 22 2004 - postadal@suse.cz
- updated README.SuSE
- removed %%verify from /usr/bin/ssh in specfile
* Thu Mar 18 2004 - postadal@suse.cz
- fixed previous fix of security bug in scp [#35443] (CAN-2004-0175)
  (was too restrictive)
- fixed permission of /usr/bin/ssh
* Mon Mar 15 2004 - postadal@suse.cz
- fixed comments in sshd_config and ssh_config
* Mon Mar 15 2004 - postadal@suse.cz
- enabled privilege separation mode (new version fixes a lot of problematic PAM
  calling [#30328])
- fixed security bug in scp [#35443] (CAN-2004-0175)
- reverted to old behaviour of ForwardingX11 [#35836]
  (set ForwardX11Trusted to 'yes' by default)
- updated README.SuSE
- fixed pam code (pam-fix4.diff, backported from openssh-SNAP-20040311)
* Fri Mar 05 2004 - postadal@suse.cz
- updated README.SuSE (Remote x11 clients are now untrusted by default) [#35368]
- added gssapimitm patch (support for old GSSAPI)
* Mon Mar 01 2004 - postadal@suse.cz
- updated to version 3.8p1
  * The "gssapi" support has been replaced with the "gssapi-with-mic"
    to fix possible MITM attacks. These two versions are not compatible.
- removed obsoleted patches: krb5.patch, dns-lookups.patch, pam-fix.diff,
  pam-end-fix.diff
- used process forking instead of pthreads
  (developers fixed bugs in pam calling and they recommended not to use threads)
* Tue Feb 24 2004 - postadal@suse.cz
- fixed the problem with save_argv in sshd.c that reappeared in version 3.7.1p2
  (it caused bad behaviour after receiving SIGHUP - used by reload of init script)
  [#34845]
* Wed Feb 18 2004 - kukuk@suse.de
- Real strict-aliasing patch
* Wed Feb 18 2004 - postadal@suse.cz
- fixed strict-aliasing patch [#34551]
* Sat Feb 14 2004 - adrian@suse.de
- provide SLP registration file /etc/slp.reg.d/ssh.reg
* Tue Feb 03 2004 - postadal@suse.cz
- used patch from pam-end-fix.diff [#33132]
- fixed installation of openssh without documentation [#33937]
- fixed auth-pam.c which breaks strict aliasing
* Mon Jan 19 2004 - meissner@suse.de
- Added a ; to ssh-key-converter.c to fix gcc 3.4 build.
* Fri Jan 16 2004 - kukuk@suse.de
- Add pam-devel to neededforbuild
* Thu Nov 06 2003 - postadal@suse.cz
- added /usr/bin/slogin explicitly to %%file list [#32921]
* Sun Nov 02 2003 - adrian@suse.de
- add %%run_permissions to fix build
* Tue Oct 14 2003 - postadal@suse.cz
- reverted value UsePAM to "yes" and set PasswordAuthentication to "no"
  in file /etc/ssh/sshd_config (the version 3.7.1p2 disabled PAM support
  by default) [#31749]
* Tue Sep 23 2003 - draht@suse.de
- New version 3.7.1p2; signature from 86FF9C48 Damien Miller
  verified for source tarball. Bugs fixed with this version:
  [#31637] (CAN-2003-0786, CAN-2003-0786). Briefly:
  1) SSH1 PAM challenge response auth ignored the result of the
     authentication (with privsep off)
  2) The PAM conversation function trashed the stack, by referring
     to the **resp parameter as an array of pointers rather than
     as a pointer to an array of struct pam_responses.
  At least security bug 1) is exploitable.
* Fri Sep 19 2003 - postadal@suse.cz
- use pthreads instead of process forking (it is needed by pam modules)
- fixed bug in calling pam_setcred [#31025]
  (pam-fix.diff - string "FILE:" added to begin of KRB5CCNAME)
- updated README.SuSE
- reverted ChallengeResponseAuthentication option to default value yes
  (necessary for pam authentication) [#31432]
* Thu Sep 18 2003 - postadal@suse.cz
- updated to version 3.7.1p1 (with security patches)
- removed obsoleted patches: chauthtok.patch, krb-include-fix.diff,
  gssapi-fix.diff, saveargv-fix.diff, gssapi-20030430.diff, racecondition-fix
- updated README.kerberos
* Tue Sep 16 2003 - postadal@suse.cz
- fixed race condition in allocating memory [#31025] (CAN-2003-0693)
* Mon Sep 15 2003 - postadal@suse.cz
- disabled privilege separation, which caused some problems [#30328]
  (updated README.SuSE)
* Thu Sep 04 2003 - postadal@suse.cz
- fixed bug in x11-ssh-askpass dialog [#25846] (askpass-fix.diff is workaround for gcc bug)
* Fri Aug 29 2003 - kukuk@suse.de
- Call useradd -r for system account [Bug #29611]
* Mon Aug 25 2003 - postadal@suse.cz
- use new stop_on_removal/restart_on_update macros
- fixed lib64 problem in /etc/ssh/sshd_config [#28766]
* Tue Aug 19 2003 - mmj@suse.de
- Add sysconfig metadata [#28943]
* Fri Aug 01 2003 - ro@suse.de
- add e2fsprogs-devel to neededforbuild
* Thu Jul 24 2003 - postadal@suse.cz
- updated to version 3.6.1p2
- added the new version of patch for GSSAPI (gssapi-20030430.diff),
  the older one was removed (gssapi.patch)
- added README.kerberos to filelist
* Tue Jun 03 2003 - mmj@suse.de
- Remove files we don't package
* Wed Apr 02 2003 - postadal@suse.cz
- fixed bad behaviour after receiving SIGHUP (this bug caused not working reload of init script)
* Tue Mar 18 2003 - postadal@suse.cz
- added $remote_fs to init.d script (needed if /usr is on remote fs [#25577])
* Thu Mar 13 2003 - postadal@suse.cz
- fixed segfault while using GSSAPI for authentication when connecting to localhost (took care about error value of ssh_gssapi_import_name() in function ssh_gssapi_client_ctx())
* Mon Mar 10 2003 - kukuk@suse.de
- Remove extra "/" from pid file path.
* Mon Mar 03 2003 - postadal@suse.cz
- modified init.d script (now checking sshd.init.pid instead of port 22) [#24263]
* Mon Mar 03 2003 - okir@suse.de
- added comment to /etc/pam.d/ssh on how to enable
  support for resmgr (#24363).
* Fri Feb 21 2003 - postadal@suse.cz
- added ssh-copy-id shell script [#23745]
* Fri Feb 14 2003 - postadal@suse.cz
- given back gssapi and dns-lookups patches
* Wed Jan 22 2003 - postadal@suse.cz
- updated to version 3.5p1
- removed obsolete patches: owl-mm, forced-commands-only, krb
- added patch krb5 (for heimdal)
- temporarily removed gssapi patch and dns-lookups (needs rewriting)
- fix sysconfig metadata
* Thu Dec 05 2002 - okir@suse.de
- avoid Kerberos DNS lookups in the default config (#20395)
- added README.kerberos
* Thu Sep 19 2002 - postadal@suse.cz
- added info about changes in the new version of openssh
  to README.SuSE [#19757]
* Mon Sep 02 2002 - okir@suse.de
- privsep directory now /var/lib/empty, which is provided by
  filesystem package (#17556)
* Wed Aug 28 2002 - nashif@suse.de
- Added insserv & co to PreReq
* Mon Aug 26 2002 - okir@suse.de
- applied patch that adds GSSAPI support in protocol version 2 (#18239)
* Thu Aug 22 2002 - postadal@suse.cz
- added the patch to fix malfunction of PermitRootLogin set to
  forced-commands-only [#17149]
* Fri Aug 09 2002 - okir@suse.de
- syslog now reports kerberos auth method when logging in via
  kerberos (#17469)
* Tue Jul 23 2002 - okir@suse.de
- enabled kerberos support
- added patch to support kerberos 5 authentication in privsep mode.
- added missing section 5 manpages
- added missing ssh-keysign to files list (new for privsep)
* Mon Jul 22 2002 - okir@suse.de
- fixed handling of expired passwords in privsep mode
* Tue Jul 09 2002 - mmj@suse.de
- Don't source rc.config
* Wed Jul 03 2002 - draht@suse.de
- ssh-keygen must be told to explicitly create type rsa1 keys
  in the start script.
* Tue Jul 02 2002 - ro@suse.de
- useradd/groupadd in preinstall to standardize
* Sat Jun 29 2002 - ro@suse.de
- updated patch from solar: zero out bytes for no longer used pages
  in mmap-fallback solution
* Thu Jun 27 2002 - ro@suse.de
- updated owl-fallback.diff from solar
* Thu Jun 27 2002 - ro@suse.de
- update to 3.4p1
  o privilege separation support
  o overflow fix from ISS
- unsplit openssh-server and openssh-client
* Tue Jun 18 2002 - mmj@suse.de
- Update to 3.2.3p1 which fixed the following compared to 3.2.2p1
  o a defect in the BSD_AUTH access control handling for
  o login/tty problems on Solaris (bug #245)
  o build problems on Cygwin systems
- Split the package to openssh, openssh-server, openssh-client and
  openssh-askpass
* Sun May 19 2002 - mmj@suse.de
- Updated to 3.2.2p which includes security and several bugfixes.
* Fri Mar 15 2002 - ro@suse.de
- added "Obsoletes: ssh"
* Tue Mar 05 2002 - draht@suse.de
- security fix for bug in channels.c (channelbug.dif)
* Fri Mar 01 2002 - bk@suse.de
- fix ssh-agent example to use eval `ssh-agent -s` and a typo.
- add sentence on use of ssh-agent with startx
* Tue Feb 26 2002 - bk@suse.de
- update README.SuSE to improve documentation on protocol version
* Wed Feb 13 2002 - cihlar@suse.cz
- rewritten addrlist patch - "0.0.0.0" is removed from list
  after "::" is successful [#8951]
* Mon Feb 11 2002 - cihlar@suse.cz
- added info about the change of the default protocol version
  to README.SuSE
* Thu Feb 07 2002 - cihlar@suse.cz
- removed addrlist patch which fixed bug [#8951] as it breaks
  functionality on machines with kernel without IPv6 support,
  bug reopened, new solution will be found
- switched to default protocol version 2
- added ssh-keyconvert (thanks Olaf Kirch <okir@suse.de>)
- removed static linking against libcrypto, as crypt() was removed
  from it [#5333]
* Tue Jan 22 2002 - kukuk@suse.de
- Add pam_nologin to account management (else it will not be
  called if user does not do password authentication)
* Tue Jan 15 2002 - egmont@suselinux.hu
- removed colon from shutdown message
* Thu Jan 10 2002 - cihlar@suse.cz
- use %%{_lib}
* Thu Dec 13 2001 - ro@suse.de
- moved rc.config.d -> sysconfig
* Mon Dec 10 2001 - cihlar@suse.cz
- removed START_SSHD
* Fri Dec 07 2001 - cihlar@suse.cz
- update to version 3.0.2p1:
  * CheckMail option in sshd_config is deprecated
  * X11 cookies are now stored in $HOME
  * fixed a vulnerability in the UseLogin option
  * /etc/ssh_known_hosts2 and ~/.ssh/known_hosts2 are obsolete,
    /etc/ssh_known_hosts and ~/.ssh/known_hosts can be used
  * several minor fixes
- update x11-ssh-askpass to version 1.2.4.1:
  * fixed Imakefile.in
- fixed bug in addresses "::" and "0.0.0.0" [#8951]
* Fri Oct 05 2001 - cihlar@suse.cz
- update to version 2.9.9p2
- removed obsolete clientloop and command patches
- uncommented "HostKey /etc/ssh/ssh_host_rsa_key" in sshd_config
- added German translation of e-mail to sysadmin
- init script fixed to work when more than one listening sshd runs
- added /bin/netstat to requires
* Mon Sep 24 2001 - cihlar@suse.cz
- fixed security problem with sftp & bypassing
  keypair auth restrictions - patch based on CVS
- fixed status part of init script - it returned
  running even if there were only sshd of connections
|
||||||
|
and no listening sshd [#11220]
|
||||||
|
- fixed stop part of init script - when there was no
|
||||||
|
/var/run/sshd.pid, all sshd were killed
|
||||||
|
* Thu Sep 06 2001 - nadvornik@suse.cz
|
||||||
|
- added patch for correct buffer flushing from CVS [bug #6450]
|
||||||
|
* Fri Jul 27 2001 - cihlar@suse.cz
|
||||||
|
- update x11-ssh-askpass to version 1.2.2
|
||||||
|
* Thu Jul 26 2001 - cihlar@suse.cz
|
||||||
|
- update to version 2.9p2
|
||||||
|
- removed obsolete "cookies" patch
|
||||||
|
* Mon Jun 11 2001 - cihlar@suse.cz
|
||||||
|
- fixed to compile with new xmkmf
|
||||||
|
* Thu Jun 07 2001 - cihlar@suse.cz
|
||||||
|
- fixed security bug when any file "cookies" could
|
||||||
|
be removed by anybody
|
||||||
|
* Tue Jun 05 2001 - bjacke@suse.de
|
||||||
|
- generate rsa host key in init script
|
||||||
|
* Tue Jun 05 2001 - cihlar@suse.cz
|
||||||
|
- removed complete path from PAM modules
|
||||||
|
* Thu May 03 2001 - cihlar@suse.cz
|
||||||
|
- update to version 2.9p1
|
||||||
|
- removed obsolete --with-openssl
|
||||||
|
- removed obsolete man patch
|
||||||
|
* Mon Apr 30 2001 - cihlar@suse.cz
|
||||||
|
- enable PAM support
|
||||||
|
* Fri Apr 13 2001 - ro@suse.de
|
||||||
|
- fixed specfile for extra README.SuSE
|
||||||
|
* Fri Apr 13 2001 - cihlar@suse.cz
|
||||||
|
- fixed init script by new skeleton
|
||||||
|
* Thu Mar 22 2001 - cihlar@suse.cz
|
||||||
|
- update to version 2.5.2p2
|
||||||
|
* Wed Mar 14 2001 - cihlar@suse.cz
|
||||||
|
- fixed ssh man page
|
||||||
|
* Mon Mar 12 2001 - cihlar@suse.cz
|
||||||
|
- update to version 2.5.1p2
|
||||||
|
- added xf86 to neededforbuild
|
||||||
|
* Fri Mar 09 2001 - schwab@suse.de
|
||||||
|
- Fix missing crypt declaration.
|
||||||
|
* Fri Feb 23 2001 - cihlar@suse.cz
|
||||||
|
- update to version 2.5.1p1
|
||||||
|
- update x11-ssh-askpass to version 1.2.0
|
||||||
|
* Tue Feb 20 2001 - cihlar@suse.cz
|
||||||
|
- modified README.SuSE [#4365]
|
||||||
|
- fixed start script to agree with skeleton
|
||||||
|
- fixed start script so "stop" kills only sshd
|
||||||
|
listening for connections
|
||||||
|
- compiled with --with-openssl
|
||||||
|
- "ListenAddress 0.0.0.0" in sshd_config commented out -
|
||||||
|
listen on both ipv4 and ipv6
|
||||||
|
- fixed var/adm/notify/messages/openssh_update [#6406]
|
||||||
|
* Thu Jan 25 2001 - smid@suse.cz
|
||||||
|
- startup script fixed [#5559]
|
||||||
|
* Tue Jan 16 2001 - nadvornik@suse.cz
|
||||||
|
- libcrypto linked static [#5333]
|
||||||
|
* Thu Jan 11 2001 - cihlar@suse.cz
|
||||||
|
- uncomment sftp-server part in sshd_config
|
||||||
|
- added /usr/X11R6/lib/X11/app-defaults/SshAskpass to %%files
|
||||||
|
* Thu Jan 11 2001 - cihlar@suse.cz
|
||||||
|
- fixed %%files [#5230]
|
||||||
|
- fixed installation of x11-ssh-askpass to BuildRoot
|
||||||
|
- added man pages of x11-ssh-askpass
|
||||||
|
* Wed Jan 10 2001 - smid@suse.cz
|
||||||
|
- notice about how to enable ipv6 added to mail
|
||||||
|
- for administrator [#5297]
|
||||||
|
* Wed Dec 13 2000 - smid@suse.cz
|
||||||
|
- default ipv6 listennig disabled (problems with libc2.2) [#4588]
|
||||||
|
* Tue Dec 05 2000 - smid@suse.cz
|
||||||
|
- notify message changed
|
||||||
|
* Mon Dec 04 2000 - lmuelle@suse.de
|
||||||
|
- fixed provides/ conflicts to ssh
|
||||||
|
* Thu Nov 30 2000 - smid@suse.cz
|
||||||
|
- path to ssh-askpass fixed
|
||||||
|
- stop in %%preun removed
|
||||||
|
- new init style
|
||||||
|
* Sun Nov 26 2000 - schwab@suse.de
|
||||||
|
- Restore rcsshd link.
|
||||||
|
* Sun Nov 26 2000 - kukuk@suse.de
|
||||||
|
- Add openssl-devel to neededforbuild
|
||||||
|
* Mon Nov 20 2000 - smid@suse.cz
|
||||||
|
- New version 2.3.0
|
||||||
|
* Wed Sep 06 2000 - smid@suse.cz
|
||||||
|
- remove --with-ipv4-default option
|
||||||
|
* Wed Jul 05 2000 - garloff@suse.de
|
||||||
|
- ... and tell the sysadmin and user more about what they can do
|
||||||
|
about it (schwab).
|
||||||
|
* Wed Jul 05 2000 - garloff@suse.de
|
||||||
|
- Inform the user (admin) about the fact that the default behaviour
|
||||||
|
with respect to X11-forwarding has been changed to be disabled.
|
||||||
|
* Wed Jun 28 2000 - smid@suse.cz
|
||||||
|
- warning that generating DSA key can an take a long time.
|
||||||
|
(bugzilla 3015)
|
||||||
|
- writing to wtmp and lastlog fixed (bugzilla 3024)
|
||||||
|
- reading config file (parameter Protocol) fixed
|
||||||
|
* Fri Jun 16 2000 - garloff@suse.de
|
||||||
|
- Added generation of ssh_host_dsa_key
|
||||||
|
* Tue Jun 13 2000 - nadvornik@suse.cz
|
||||||
|
- update to 2.1.1p1
|
||||||
|
* Thu Jun 08 2000 - cihlar@suse.cz
|
||||||
|
- uncommented %%clean
|
||||||
|
* Fri May 05 2000 - smid@suse.cz
|
||||||
|
- buildroot added
|
||||||
|
- upgrade to 1.2.3
|
||||||
|
* Tue Mar 21 2000 - kukuk@suse.de
|
||||||
|
- Update to 1.2.2p1
|
||||||
|
* Mon Mar 06 2000 - kukuk@suse.de
|
||||||
|
- Fix the diff.
|
||||||
|
* Sun Mar 05 2000 - kukuk@suse.de
|
||||||
|
- Add a README.SuSE with a short description how to use ssh-add
|
||||||
|
* Tue Feb 29 2000 - schwab@suse.de
|
||||||
|
- Update config.{guess,sub}.
|
||||||
|
* Fri Feb 25 2000 - kukuk@suse.de
|
||||||
|
- Fix need for build, add group tag.
|
||||||
|
* Wed Feb 02 2000 - kukuk@suse.de
|
||||||
|
- Change new defaults back to old one
|
||||||
|
* Sun Jan 30 2000 - kukuk@suse.de
|
||||||
|
- Add x11-ssh-askpass to filelist
|
||||||
|
* Fri Jan 28 2000 - kukuk@suse.de
|
||||||
|
- Update to OpenSSH 1.2.2
|
||||||
|
- Add x11-ssh-askpass-1.0
|
||||||
|
* Tue Jan 25 2000 - kukuk@suse.de
|
||||||
|
- Add reload and status to /sbin/init.d/sshd [Bug 1747]
|
||||||
|
* Thu Jan 20 2000 - kukuk@suse.de
|
||||||
|
- Update to 1.2.1pre27 with IPv6 support
|
||||||
|
* Fri Dec 31 1999 - kukuk@suse.de
|
||||||
|
- Initial version
|
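Review bot: several spelling slips in these changelog entries ('adresses', 'listennig', 'authentification', 'new solution will be find', 'can an take a long time'), and the Jun 18 2002 item 'a defect in the BSD_AUTH access control handling for' ends mid-sentence; worth completing and correcting, since the .changes file ships as the package changelog.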
44
ssh-askpass
Normal file
@ -0,0 +1,44 @@
#!/bin/bash

SESSION=

case "$DESKTOP_SESSION" in
    kde) SESSION=kde ;;
    gnome) SESSION=gnome ;;
esac

if [ -z "$SESSION" ] ; then
    WM="${WINDOWMANAGER##*/}"
    case "$WM" in
        *kde*) SESSION=kde ;;
        *gnome*) SESSION=gnome ;;
    esac
fi

if [ -z "$SESSION" ] ; then
    if [ -n "$KDE_FULL_SESSION" ] ; then
        SESSION=kde
    fi
    if [ -n "$GNOME_DESKTOP_SESSION_ID" ] ; then
        SESSION=gnome
    fi
fi

GNOME_SSH_ASKPASS="/usr/lib/ssh/gnome-ssh-askpass"
X11_SSH_ASKPASS="/usr/lib/ssh/x11-ssh-askpass"

# note: if there is ever a kde-ssh-askpass, just add it based on SESSION=kde

case "$SESSION" in
    gnome)
        if [ -f $GNOME_SSH_ASKPASS ]; then
            exec $GNOME_SSH_ASKPASS ${1+"$@"}
        else
            exec $X11_SSH_ASKPASS ${1+"$@"}
        fi
        ;;
    *)
        exec $X11_SSH_ASKPASS ${1+"$@"}
        ;;
esac

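Review bot: both fallback branches exec `$X11_SSH_ASKPASS` without checking that it exists, and the gnome branch tests the helper with `-f` rather than `-x`, so a missing or non-executable helper surfaces as a bare exec failure from bash instead of a usable error for the ssh-add user. Suggest `if [ -x "$GNOME_SSH_ASKPASS" ]; then` and, before the final exec, `[ -x "$X11_SSH_ASKPASS" ] || { echo "ssh-askpass: no askpass helper installed" >&2; exit 1; }`; quoting the variables and plain `"$@"` (the `${1+"$@"}` idiom is unnecessary under `#!/bin/bash`) would also tidy it.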
18
ssh.reg
Normal file
@ -0,0 +1,18 @@
#############################################################################
#
# OpenSLP registration file
#
# register SSH daemon
#
#############################################################################

# Register the usual sshd, if it is running
service:ssh://$HOSTNAME:22,en,65535
tcp-port=22
description=Secure Shell Daemon

# ssh can get used to copy files with konqueror using the fish:/ protocol
service:fish://$HOSTNAME:22,en,65535
tcp-port=22
description=KDE file transfer via SSH

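Review bot: the registration is static, so the comment `# Register the usual sshd, if it is running` is not something this file enforces: slpd will advertise `service:ssh://$HOSTNAME:22` and `service:fish://$HOSTNAME:22` whether or not sshd is enabled, and the port is hardcoded twice per entry (`:22` in the URL and `tcp-port=22`) independently of the `Port` setting in sshd_config. Worth a comment stating that the file must be updated when sshd's port changes or the daemon is disabled, or moving the registration into the sshd init script so it only happens when the daemon actually starts.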
10
sshd.pamd
Normal file
@ -0,0 +1,10 @@
#%PAM-1.0
auth     requisite pam_nologin.so
auth     include   common-auth
account  include   common-account
password include   common-password
session  required  pam_loginuid.so
session  include   common-session
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README)
#session optional pam_resmgr.so fake_ttyname
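Review bot: `session required pam_loginuid.so` carries no comment, unlike the resmgr line below it; a one-line note on why it is `required` and why it sits ahead of `common-session` would help, because with `required` a failure to set the audit loginuid (a kernel without audit support, or a read-only /proc/self/loginuid inside a container) can abort every SSH session instead of being skipped. If that strictness is not intended, `session optional pam_loginuid.so` records the loginuid where audit is available without blocking logins elsewhere.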
3
x11-ssh-askpass-1.2.4.1.tar.bz2
Normal file
@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:59352a27a324ae70cabb82e769aa6fbfc997ef8566fe8f12226388dcfe0f685f
size 27590
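Review bot: the tarball enters the repository only as an LFS pointer (oid and size), so nothing in this commit ties x11-ssh-askpass-1.2.4.1.tar.bz2 to an upstream release; record the upstream source URL and, where one is published, the release signature or checksum alongside it, so the object can be verified independently of the LFS store.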