Accepting request 48012 from Base:System

Copy from Base:System/openssh based on submit request 48012 from user anicka

OBS-URL: https://build.opensuse.org/request/show/48012
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=49

README.SuSE

@@ -1,137 +1,15 @@
+This is OpenSSH version 5.6p1.
 
-  Dear users,
+There are following changes in default settings of ssh client: 
 
+* Accepting and sending of locale environment variables in protocol 2 is
+  enabled.
 
-This is OpenSSH version 5.1p1.
+* New host keys will be hashed to and them unusable for malicious people or
+  software trying to use known_hosts to find further hops.
 
-There is a change in default settings of ssh client: accepting and sending of
-locale environment variables in protocol 2 is enabled.
+* Tunneled clear text passwords are disabled.
 
-There is a very important change in sshd with SuSE Linux 9.1: 
+* PAM authentication is enabled.
 
-The "gssapi" support has been replaced with the "gssapi-with-mic" to fix 
-possible MITM attacks (to enable support for the deprecated 'gssapi' 
-authentication set GSSAPIEnableMITMAttack to 'yes'). These two versions 
-are not compatible. The option GSSAPICleanupCreds is obsoleted, use 
-GSSAPICleanupCredentials instead.
-
-We disabled the new feature 'untrusted cookies' by default because it brings a
-lot of problems. If you like to enable it, set ForwardX11Trusted to 'no' in
-ssh_config.
-
-The option UsePrivilegeSeparation was reverted to 'yes' because the problematic 
-calling of PAM modules in this mode was fixed.
-
-The option KeepAlive has been obsoleted, use TCPKeepAlive instead.
-
-There is an important change in sshd with SuSE Linux 9.0:
-
-The value of option ChallengeResponseAuthentication is reverted to default 
-value yes, which is necessary for PAM authentication.
-
-I this OpenSSH version is removed kerberos support from protocol SSH1, 
-since it has been replaced with GSSAPI, but keeps kerberos password 
-authentication for protocols SSH1 and SSH2. To enable Kerberos authentication 
-read README.kerberos file. 
-
-Important change in sshd with SuSE Linux 8.1 is that sshd X11 forwarding listens 
-on localhost by default. See sshd X11UseLocalhost option to revert to prior 
-behaviour if your older X11 clients do not function with this configuration.
-
-The package openssh was splitted to openssh and the new package askpass.
-
-OpenSSH supports two protocol versions (SSH1 and SSH2) which need to be 
-configured differently.
-Protocol version 1 is the old protocol and protocol version 2 is the new
-protocol that has several advantages from the security point of view.
-
-Please note that the default ssh protocol version has been changed to
-version 2 with SuSE Linux 8.0. 
-
-The change of the default protocol version brings one important change for
-users who use identity keys for remote login with passphrases.
-
-(Please note the difference: 'password' means a system password on a
-given machine. The term 'passphrase', however, is usually used for the
-string that an ssh private key is protected (encrypted) with.)
-
-Protocol version 1 uses the key from file ~/.ssh/identity and compares
-it with keys from file ~/.ssh/authorized_keys on the remote machine.
-
-Protocol version 2 uses keys from files ~/.ssh/id_rsa or ~/.ssh/id_dsa
-and they are compared with keys from file ~/.ssh/authorized_keys.
-Note: Servers with OpenSSH < 2.9.9p1 use ~/.ssh/authorized_keys2 instead.
-
-If you don't want to switch to protocol version 2 now, add a line saying
-"Protocol 1,2" to /etc/ssh/ssh_config of the SuSE Linux 8.0 system to
-retain the old ssh behaviour.
-
-How to convert your environment to protocol version 2:
-
-1) Creating the necessary identity keys for protocol version 2:
-
-  There are two ways:
-
-  A) You can use your old keys for protocol 1, but you have to convert them
-     to the format of protocol 2.
-     This can be done with the tool ssh-keyconverter:
-
-     Every user that will use protocol version 2 needs to do this:
-
-         cd ~/.ssh
-         ssh-keyconverter -k identity
-         - at this point you will be asked for the passphrase of ~/.ssh/identity
-         ssh-keyconverter -a authorized_keys
-
-     If OpenSSH < 2.9.9p1 is used on the server:
-
-         grep ssh- authorized_keys >>authorized_keys2
-
-     To enable login to other users with the converted protocol version 2 keys,
-     the other user has to add the new ~/.ssh/id_rsa.pub to his authorized keys.
-
-     You can do this by script by forcing version 1 with the -1 switch:
-
-     for host in .... ; do
-       ssh -1 user@$host 'cat >> .ssh/authorized_keys' < ~/.ssh/id_rsa.pub
-       ssh -1 user@$host 'cat >> .ssh/authorized_keys2' < ~/.ssh/id_rsa.pub
-     done
-
-
-  B) You can generate new keys for protocol 2 by "ssh-keygen -t rsa" or
-     "ssh-keygen -t dsa", then add id_rsa.pub (or id_dsa.pub) to
-     authorized_keys2 and copy authorized_keys2 to the remote machine. See
-     "man ssh" and "man ssh-keygen" for more info.
-
-
-2) Handling of protocol version 2 with ssh-agent and ssh-add:
-
-If you continue to use protocol version 1, there is nothing to do because
-the default identity is still ~/.ssh/identity.
-
-For protocol version 2, you have to pass the correct file (~/.ssh/id_rsa or
-~/.ssh/id_dsa) to ssh-add. To support the version 1 key and the version 2
-key you have to add both keys. Example:
-
-	eval `ssh-agent -s`
-	ssh-add ~/.ssh/identity ~/.ssh/id_rsa 
-
-This will add your version 1 and version 2 keys and if they have the same
-passphrase, you only have to type it once.
-
-Other changes:
-
-The OpenSSH handling of ssh-add/ssh-askpass is solved different as
-with OpenSSH 2.x You don't need to call ssh-askpass any longer. If
-ssh-add is called and doesn't have a real TTY, it will launch
-/usr/lib/ssh/ssh-askpass itself. Make sure that the DISPLAY variable
-is always set correctly.
-
-If you want to use ssh-agent under X windows, just edit the file .xsession
-in your home directory and change usessh="no" to usessh="yes". After 
-logining in you only need to start ssh-add by hand, click or startup script.
-
-If you want to use ssh-agent with startx, add the example above to your
-~/.xinitrc before the window manager is started.
-
-  Your SuSE Team
+* Only support for protocol 2 is enabled. 

openssh-askpass-gnome.spec

@@ -23,7 +23,7 @@ BuildRequires:  gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-dev
 License:        BSD3c(or similar)
 Group:          Productivity/Networking/SSH
 Version:        5.6p1
-Release:        1
+Release:        2
 Requires:       openssh = %{version} openssh-askpass = %{version}
 AutoReqProv:    on
 Summary:        A GNOME-Based Passphrase Dialog for OpenSSH

openssh.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Sep 13 14:47:10 CEST 2010 - anicka@suse.cz
+
+- actualize README.SuSE (bnc#638893) 
+
 -------------------------------------------------------------------
 Tue Aug 24 15:43:08 CEST 2010 - anicka@suse.cz
 

openssh.spec

@@ -36,7 +36,7 @@ PreReq:         pwdutils %insserv_prereq  %fillup_prereq coreutils permissions
 Conflicts:      nonfreessh
 AutoReqProv:    on
 Version:        5.6p1
-Release:        1
+Release:        2
 %define xversion 1.2.4.1
 Summary:        Secure Shell Client and Server (Remote Login Program)
 Url:            http://www.openssh.com/