Accepting request 1203550 from network
OBS-URL: https://build.opensuse.org/request/show/1203550 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=185
fef82d94da
@ -1,23 +0,0 @@
|
|||||||
Index: openssh-9.8p1/sshd-session.c
|
|
||||||
===================================================================
|
|
||||||
--- openssh-9.8p1.orig/sshd-session.c
|
|
||||||
+++ openssh-9.8p1/sshd-session.c
|
|
||||||
@@ -1624,9 +1624,6 @@ cleanup_exit(int i)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
- /* Override default fatal exit value when auth was attempted */
|
|
||||||
- if (i == 255 && auth_attempted)
|
|
||||||
- _exit(EXIT_AUTH_ATTEMPTED);
|
|
||||||
#ifdef SSH_AUDIT_EVENTS
|
|
||||||
/* done after do_cleanup so it can cancel the PAM auth 'thread' */
|
|
||||||
if (the_active_state != NULL &&
|
|
||||||
@@ -1636,5 +1633,8 @@ cleanup_exit(int i)
|
|
||||||
#endif
|
|
||||||
|
|
||||||
clobber_stack();
|
|
||||||
+ /* Override default fatal exit value when auth was attempted */
|
|
||||||
+ if (i == 255 && auth_attempted)
|
|
||||||
+ _exit(EXIT_AUTH_ATTEMPTED);
|
|
||||||
_exit(i);
|
|
||||||
}
|
|
@ -1,39 +0,0 @@
|
|||||||
From fcc66557503124ab98491a598b706a24eb3cf0e1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Antonio Larrosa <alarrosa@suse.com>
|
|
||||||
Date: Mon, 12 Aug 2024 11:32:42 +0200
|
|
||||||
Subject: [PATCH] Fix a small memory leak in process_server_config_line_depth
|
|
||||||
|
|
||||||
The return value of argv_assemble is owned by the caller and should be
|
|
||||||
free'd. When processing the sSubsystem case there are two calls to
|
|
||||||
argv_assemble but only one of them is freed. This patch fixes the small
|
|
||||||
(29 bytes according to valgrind) memory leak.
|
|
||||||
|
|
||||||
The output from valgrind:
|
|
||||||
==115369== 29 bytes in 1 blocks are definitely lost in loss record 573 of 913
|
|
||||||
==115369== at 0x4845794: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
|
|
||||||
==115369== by 0x124A22: argv_assemble (misc.c:2165)
|
|
||||||
==115369== by 0x1385E5: process_server_config_line_depth.constprop.0 (servconf.c:2004)
|
|
||||||
==115369== by 0x13984D: parse_server_config_depth.constprop.0 (servconf.c:3032)
|
|
||||||
==115369== by 0x139986: parse_server_config.constprop.0 (servconf.c:3049)
|
|
||||||
==115369== by 0x111C6E: main (sshd.c:1445)
|
|
||||||
|
|
||||||
Submitted to upstream at https://github.com/openssh/openssh-portable/pull/515
|
|
||||||
---
|
|
||||||
servconf.c | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/servconf.c b/servconf.c
|
|
||||||
index 5a20d6f8..0b989b95 100644
|
|
||||||
--- a/servconf.c
|
|
||||||
+++ b/servconf.c
|
|
||||||
@@ -2006,6 +2006,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
|
||||||
xasprintf(&options->subsystem_args[options->num_subsystems],
|
|
||||||
"%s%s%s", arg, *arg2 == '\0' ? "" : " ", arg2);
|
|
||||||
free(arg2);
|
|
||||||
+ free(arg);
|
|
||||||
argv_consume(&ac);
|
|
||||||
options->num_subsystems++;
|
|
||||||
break;
|
|
||||||
--
|
|
||||||
2.45.2
|
|
||||||
|
|
@ -754,7 +754,7 @@ Index: openssh-9.6p1/ssh-keygen.c
|
|||||||
@@ -3794,6 +3815,15 @@ main(int argc, char **argv)
|
@@ -3794,6 +3815,15 @@ main(int argc, char **argv)
|
||||||
key_type_name = DEFAULT_KEY_TYPE_NAME;
|
key_type_name = DEFAULT_KEY_TYPE_NAME;
|
||||||
|
|
||||||
type = sshkey_type_from_name(key_type_name);
|
type = sshkey_type_from_shortname(key_type_name);
|
||||||
+
|
+
|
||||||
+ /* protocol v1 is not allowed in FIPS mode, DSA is not acceptable because
|
+ /* protocol v1 is not allowed in FIPS mode, DSA is not acceptable because
|
||||||
+ * it has to be 1024 bit due to RFC 4253 using SHA-1 which implies 1024 bit
|
+ * it has to be 1024 bit due to RFC 4253 using SHA-1 which implies 1024 bit
|
||||||
|
@ -5,7 +5,7 @@ index e7549470..b68c1710 100644
|
|||||||
@@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
@@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||||
kex.o kex-names.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
|
kex.o kex-names.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
|
||||||
kexgexc.o kexgexs.o \
|
kexgexc.o kexgexs.o \
|
||||||
kexsntrup761x25519.o sntrup761.o kexgen.o \
|
kexsntrup761x25519.o kexmlkem768x25519.o sntrup761.o kexgen.o \
|
||||||
+ kexgssc.o \
|
+ kexgssc.o \
|
||||||
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
|
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
|
||||||
sshbuf-io.o
|
sshbuf-io.o
|
||||||
@ -1293,9 +1293,9 @@ index a5ae6ac0..fe714141 100644
|
|||||||
--- a/kex.h
|
--- a/kex.h
|
||||||
+++ b/kex.h
|
+++ b/kex.h
|
||||||
@@ -102,6 +102,15 @@ enum kex_exchange {
|
@@ -102,6 +102,15 @@ enum kex_exchange {
|
||||||
KEX_ECDH_SHA2,
|
|
||||||
KEX_C25519_SHA256,
|
KEX_C25519_SHA256,
|
||||||
KEX_KEM_SNTRUP761X25519_SHA512,
|
KEX_KEM_SNTRUP761X25519_SHA512,
|
||||||
|
KEX_KEM_MLKEM768X25519_SHA256,
|
||||||
+#ifdef GSSAPI
|
+#ifdef GSSAPI
|
||||||
+ KEX_GSS_GRP1_SHA1,
|
+ KEX_GSS_GRP1_SHA1,
|
||||||
+ KEX_GSS_GRP14_SHA1,
|
+ KEX_GSS_GRP14_SHA1,
|
||||||
@ -3488,7 +3488,7 @@ index af00fb30..03bc87eb 100644
|
|||||||
|
|
||||||
free(hkalgs);
|
free(hkalgs);
|
||||||
|
|
||||||
@@ -224,14 +256,44 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
|
@@ -224,15 +256,45 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
|
||||||
# ifdef OPENSSL_HAS_ECC
|
# ifdef OPENSSL_HAS_ECC
|
||||||
ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
|
ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
|
||||||
# endif
|
# endif
|
||||||
@ -3507,6 +3507,7 @@ index af00fb30..03bc87eb 100644
|
|||||||
+#endif /* WITH_OPENSSL */
|
+#endif /* WITH_OPENSSL */
|
||||||
ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
|
ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
|
||||||
ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
|
ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
|
||||||
|
ssh->kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_client;
|
||||||
ssh->kex->verify_host_key=&verify_host_key_callback;
|
ssh->kex->verify_host_key=&verify_host_key_callback;
|
||||||
|
|
||||||
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
@ -3758,7 +3759,7 @@ index 60b2aaf7..d92f03aa 100644
|
|||||||
+#endif /* WITH_OPENSSL */
|
+#endif /* WITH_OPENSSL */
|
||||||
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
|
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
|
||||||
kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
|
kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
|
||||||
kex->load_host_public_key=&get_hostkey_public_by_type;
|
kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_server;
|
||||||
diff --git a/sshd_config b/sshd_config
|
diff --git a/sshd_config b/sshd_config
|
||||||
index 19b7c91a..2c48105f 100644
|
index 19b7c91a..2c48105f 100644
|
||||||
--- a/sshd_config
|
--- a/sshd_config
|
||||||
|
@ -3,7 +3,7 @@ Index: openssh-8.9p1/Makefile.in
|
|||||||
--- openssh-8.9p1.orig/Makefile.in
|
--- openssh-8.9p1.orig/Makefile.in
|
||||||
+++ openssh-8.9p1/Makefile.in
|
+++ openssh-8.9p1/Makefile.in
|
||||||
@@ -116,7 +116,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
@@ -116,7 +116,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||||
kexsntrup761x25519.o sntrup761.o kexgen.o \
|
kexsntrup761x25519.o kexmlkem768x25519.o sntrup761.o kexgen.o \
|
||||||
kexgssc.o \
|
kexgssc.o \
|
||||||
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
|
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
|
||||||
- sshbuf-io.o
|
- sshbuf-io.o
|
||||||
@ -2245,7 +2245,7 @@ Index: openssh-8.9p1/sshd-session.c
|
|||||||
|
|
||||||
if (the_active_state != NULL && the_authctxt != NULL) {
|
if (the_active_state != NULL && the_authctxt != NULL) {
|
||||||
@@ -2525,7 +2593,9 @@ cleanup_exit(int i)
|
@@ -2525,7 +2593,9 @@ cleanup_exit(int i)
|
||||||
_exit(EXIT_AUTH_ATTEMPTED);
|
}
|
||||||
#ifdef SSH_AUDIT_EVENTS
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
/* done after do_cleanup so it can cancel the PAM auth 'thread' */
|
/* done after do_cleanup so it can cancel the PAM auth 'thread' */
|
||||||
- if (the_active_state != NULL && mm_is_monitor())
|
- if (the_active_state != NULL && mm_is_monitor())
|
||||||
@ -2254,12 +2254,22 @@ Index: openssh-8.9p1/sshd-session.c
|
|||||||
+ mm_is_monitor())
|
+ mm_is_monitor())
|
||||||
audit_event(the_active_state, SSH_CONNECTION_ABANDON);
|
audit_event(the_active_state, SSH_CONNECTION_ABANDON);
|
||||||
#endif
|
#endif
|
||||||
_exit(i);
|
/* Override default fatal exit value when auth was attempted */
|
||||||
Index: openssh-8.9p1/sshkey.c
|
Index: openssh-8.9p1/sshkey.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-8.9p1.orig/sshkey.c
|
--- openssh-8.9p1.orig/sshkey.c
|
||||||
+++ openssh-8.9p1/sshkey.c
|
+++ openssh-8.9p1/sshkey.c
|
||||||
@@ -400,6 +400,38 @@ sshkey_type_is_valid_ca(int type)
|
@@ -35,6 +35,9 @@ sshkey_type_is_valid_ca(int type)
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
#include <openssl/err.h>
|
||||||
|
#include <openssl/pem.h>
|
||||||
|
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
|
||||||
|
+# include <openssl/core_names.h>
|
||||||
|
+# endif
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include "crypto_api.h"
|
||||||
|
@@ -400,6 +403,53 @@ sshkey_type_is_valid_ca(int type)
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
@ -2267,23 +2277,38 @@ Index: openssh-8.9p1/sshkey.c
|
|||||||
+{
|
+{
|
||||||
+ switch (k->type) {
|
+ switch (k->type) {
|
||||||
+#ifdef WITH_OPENSSL
|
+#ifdef WITH_OPENSSL
|
||||||
|
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
|
||||||
+ case KEY_RSA_CERT:
|
+ case KEY_RSA_CERT:
|
||||||
+ case KEY_RSA: {
|
+ case KEY_RSA:
|
||||||
+ const BIGNUM *d;
|
+ case KEY_ECDSA_CERT:
|
||||||
+ RSA_get0_key(k->rsa, NULL, NULL, &d);
|
+ case KEY_ECDSA: {
|
||||||
|
+ BIGNUM *d = NULL;
|
||||||
|
+ EVP_PKEY_get_bn_param(k->pkey, OSSL_PKEY_PARAM_PRIV_KEY, &d);
|
||||||
+ return d != NULL;
|
+ return d != NULL;
|
||||||
+ }
|
+ }
|
||||||
+ case KEY_DSA_CERT:
|
+# else /* OPENSSL < 3.0.0 */
|
||||||
+ case KEY_DSA: {
|
+ case KEY_RSA_CERT:
|
||||||
+ const BIGNUM *priv_key;
|
+ case KEY_RSA: {
|
||||||
+ DSA_get0_key(k->dsa, NULL, &priv_key);
|
+ const BIGNUM *d = NULL;
|
||||||
+ return priv_key != NULL;
|
+ RSA *rsakey = EVP_PKEY_get0_RSA(k->pkey);
|
||||||
|
+ if (rsakey)
|
||||||
|
+ RSA_get0_key(rsakey, NULL, NULL, &d);
|
||||||
|
+ return d != NULL;
|
||||||
+ }
|
+ }
|
||||||
+# ifdef OPENSSL_HAS_ECC
|
+# ifdef OPENSSL_HAS_ECC
|
||||||
+ case KEY_ECDSA_CERT:
|
+ case KEY_ECDSA_CERT:
|
||||||
+ case KEY_ECDSA:
|
+ case KEY_ECDSA: {
|
||||||
+ return EC_KEY_get0_private_key(k->ecdsa) != NULL;
|
+ EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(k->pkey);
|
||||||
|
+ return (eckey != NULL) && (EC_KEY_get0_private_key(eckey) != NULL);
|
||||||
|
+ }
|
||||||
+# endif /* OPENSSL_HAS_ECC */
|
+# endif /* OPENSSL_HAS_ECC */
|
||||||
|
+# endif /* OPENSSL < 3.0.0 */
|
||||||
|
+ case KEY_DSA_CERT:
|
||||||
|
+ case KEY_DSA: {
|
||||||
|
+ const BIGNUM *priv_key = NULL;
|
||||||
|
+ DSA_get0_key(k->dsa, NULL, &priv_key);
|
||||||
|
+ return priv_key != NULL;
|
||||||
|
+ }
|
||||||
+#endif /* WITH_OPENSSL */
|
+#endif /* WITH_OPENSSL */
|
||||||
+ case KEY_ED25519_CERT:
|
+ case KEY_ED25519_CERT:
|
||||||
+ case KEY_ED25519:
|
+ case KEY_ED25519:
|
||||||
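Review bot: In the OpenSSL >= 3.0 branch of sshkey_is_private (the `EVP_PKEY_get_bn_param(k->pkey, OSSL_PKEY_PARAM_PRIV_KEY, &d)` line shared by the RSA and ECDSA cases), the BIGNUM returned in `d` is never freed; when `*d` is NULL that API allocates a fresh copy of the private exponent or EC private scalar, so every call leaks a heap copy of the private key that is neither zeroed nor covered by the lingering-secret mitigations this release adds. Replace the bare `return d != NULL;` with `int has_priv = (d != NULL);` / `BN_clear_free(d);` / `return has_priv;` so the copy is wiped and released on both outcomes. The pre-3.0 branch is fine as written, since RSA_get0_key() and EC_KEY_get0_private_key() hand back internal pointers that must not be freed. If `k->pkey` can be NULL for a key whose type is already set (not visible here), the 1.1 branch's `EVP_PKEY_get0_RSA(k->pkey)` would dereference it, so a `k->pkey == NULL` guard at the top of the WITH_OPENSSL block may be warranted — confirm against sshkey_new(). sshkey_is_private's signature and closing brace lie outside this hunk.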
@ -2303,9 +2328,9 @@ Index: openssh-8.9p1/sshkey.h
|
|||||||
--- openssh-8.9p1.orig/sshkey.h
|
--- openssh-8.9p1.orig/sshkey.h
|
||||||
+++ openssh-8.9p1/sshkey.h
|
+++ openssh-8.9p1/sshkey.h
|
||||||
@@ -189,6 +189,7 @@ int sshkey_shield_private(struct sshke
|
@@ -189,6 +189,7 @@ int sshkey_shield_private(struct sshke
|
||||||
int sshkey_unshield_private(struct sshkey *);
|
|
||||||
|
|
||||||
int sshkey_type_from_name(const char *);
|
int sshkey_type_from_name(const char *);
|
||||||
|
int sshkey_type_from_shortname(const char *);
|
||||||
+int sshkey_is_private(const struct sshkey *);
|
+int sshkey_is_private(const struct sshkey *);
|
||||||
int sshkey_is_cert(const struct sshkey *);
|
int sshkey_is_cert(const struct sshkey *);
|
||||||
int sshkey_is_sk(const struct sshkey *);
|
int sshkey_is_sk(const struct sshkey *);
|
||||||
|
@ -160,7 +160,7 @@ Index: openssh-9.6p1/ssh_config.5
|
|||||||
.It Cm HostKeyAlias
|
.It Cm HostKeyAlias
|
||||||
Specifies an alias that should be used instead of the
|
Specifies an alias that should be used instead of the
|
||||||
real host name when looking up or saving the host key
|
real host name when looking up or saving the host key
|
||||||
@@ -1311,36 +1313,30 @@ it may be zero or more of:
|
@@ -1311,37 +1313,30 @@ it may be zero or more of:
|
||||||
and
|
and
|
||||||
.Cm pam .
|
.Cm pam .
|
||||||
.It Cm KexAlgorithms
|
.It Cm KexAlgorithms
|
||||||
@ -172,7 +172,7 @@ Index: openssh-9.6p1/ssh_config.5
|
|||||||
+.Pp
|
+.Pp
|
||||||
Specifies the permitted KEX (Key Exchange) algorithms that will be used and
|
Specifies the permitted KEX (Key Exchange) algorithms that will be used and
|
||||||
their preference order.
|
their preference order.
|
||||||
The selected algorithm will the the first algorithm in this list that
|
The selected algorithm will be the first algorithm in this list that
|
||||||
the server also supports.
|
the server also supports.
|
||||||
Multiple algorithms must be comma-separated.
|
Multiple algorithms must be comma-separated.
|
||||||
.Pp
|
.Pp
|
||||||
@ -194,7 +194,8 @@ Index: openssh-9.6p1/ssh_config.5
|
|||||||
-.Pp
|
-.Pp
|
||||||
-The default is:
|
-The default is:
|
||||||
-.Bd -literal -offset indent
|
-.Bd -literal -offset indent
|
||||||
-sntrup761x25519-sha512@openssh.com,
|
-sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
|
||||||
|
-mlkem768x25519-sha256,
|
||||||
-curve25519-sha256,curve25519-sha256@libssh.org,
|
-curve25519-sha256,curve25519-sha256@libssh.org,
|
||||||
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||||
-diffie-hellman-group-exchange-sha256,
|
-diffie-hellman-group-exchange-sha256,
|
||||||
@ -534,13 +535,14 @@ Index: openssh-9.6p1/sshd_config.5
|
|||||||
.Pp
|
.Pp
|
||||||
The supported algorithms are:
|
The supported algorithms are:
|
||||||
.Pp
|
.Pp
|
||||||
@@ -1072,16 +1057,6 @@ ecdh-sha2-nistp521
|
@@ -1072,17 +1057,6 @@ ecdh-sha2-nistp521
|
||||||
sntrup761x25519-sha512@openssh.com
|
sntrup761x25519-sha512@openssh.com
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
-The default is:
|
-The default is:
|
||||||
-.Bd -literal -offset indent
|
-.Bd -literal -offset indent
|
||||||
-sntrup761x25519-sha512@openssh.com,
|
-sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
|
||||||
|
-mlkem768x25519-sha256,
|
||||||
-curve25519-sha256,curve25519-sha256@libssh.org,
|
-curve25519-sha256,curve25519-sha256@libssh.org,
|
||||||
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||||
-diffie-hellman-group-exchange-sha256,
|
-diffie-hellman-group-exchange-sha256,
|
||||||
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:dd8bd002a379b5d499dfb050dd1fa9af8029e80461f4bb6c523c49973f5a39f3
|
|
||||||
size 1910393
|
|
@ -1,16 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmaCMn0ACgkQKj9BTnNg
|
|
||||||
YLrjcBAAgO7xhKUXp8YxdqSZigDbcHu7T37bm1pRTKg2ihPepz+q6pV+DY8AHSRu
|
|
||||||
eyuOCOHYzjLyArFpiMX3z9iT2NqO+KNBvKQoh8loaxNrECmgRGk2jBEKiibFSP5M
|
|
||||||
i6CYkF3sET9xnVDkt4P6KievWXY1/Tl93qve3K2a/bvvgT8s2AaBMM8u4BMGNm3D
|
|
||||||
sc3A6euN0aiXRts2V6I885VyrQDMK++E7+eTHet0ex82KH4I+ceIOwB48hny4wpb
|
|
||||||
Zaqy9pTFisTmFNOF6d3TB58yMWoLQIbLuVrbbbcr7hFYCWsgj0yN5iYQNOR9pU4E
|
|
||||||
ooF+aC0kK9M4iUXthzjjgIjnMzsCmPeKisbwblsPSfSgccj/pCMzW8C3CMVL6AvG
|
|
||||||
slSSLK42qm3f38kx3sg2S8LDW0v+hoyvBmKNFMiBwsF2tWCXIG+oP1PDYpJUpaOJ
|
|
||||||
RFHG7JEPtY94UJGdo5C4YhqDWr3HOqEwuVIt1gWMMPs9IvDkDRo6emmDd64FFAKH
|
|
||||||
ss3hHixu6OHqU5iw6JIVVtYiur6s9m6N/Xxt5Ho6wuqnzUZ+Dwj3L6lF9IOJbJxU
|
|
||||||
Ufb70I1Uko9kXcoje9ONUsqr88wfQY+JZxxVTlzDUDadytCzmO3wXsz+cosMQ5Rw
|
|
||||||
aOZwXYyvmcoZuUQG8GIqRO1wfOcD7o7pI6IyVJQjOeG/rA0eu/4=
|
|
||||||
=Gj2n
|
|
||||||
-----END PGP SIGNATURE-----
|
|
BIN
openssh-9.9p1.tar.gz
16
openssh-9.9p1.tar.gz.asc
@ -0,0 +1,16 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmbspccACgkQKj9BTnNg
|
||||||
|
YLppxRAAv7eU/Xd2w9MX9vWQdhugiPByEcKg7KuKXUUs9xJGy+HbLqPqUCvn1UW6
|
||||||
|
qodKoSAdeBuSB7AjzuIQ1lTVX7C67OmZaVPRq25ar5b+Wq4SSlv23KMRq0b4EVyw
|
||||||
|
pOW6R9tsxqYBwYaiXQ50APcYL8SpepnGU+b/iR15f7q3SU2XMVVtkVb149UdLOqK
|
||||||
|
smfurbDGwUKFb2Q009MUfEV/d9zq31tdSjphvkqAXCcmxc8siuOYWYcByuysie+m
|
||||||
|
NpaOpee0047L5JIxNSLsa2yZrJZhClP8LbTCH1Vfwr7l0KE5nvL2qAtPKI2XxGQC
|
||||||
|
3jXrDLzp10RFxV8sCym+QlY9pZyzGj9d3G7vCHtxWGQ1Y0Qt+xs18OeBpjiehRhl
|
||||||
|
WM3Y+cjoN35jBaGhOoHdh3ePZQdTUyZ16aSv0h/cUHOohiM7i/4XW+dQtkqsJsw4
|
||||||
|
a81O0E64WrL8ho3Ju9mwcVZ9A0aEaftJsmJPDB+qYBjF/i7xcnH32LginzP5pel7
|
||||||
|
/W0aS2C1ZNo3QKHezI6IA9MyENMZiAMy2ybvfmN0HgLBaBY1plJ8a5GvMwJc+Qwh
|
||||||
|
iCHLCQ6Qgf/1hh+F6liTXnhtedtFHneJdyqvd7XOoardDEipZjxcnGa4HthbDFU+
|
||||||
|
8XdHKnWWhn4BLA+y7KB3ZGURniQK+qibwkF6J63CuMU+LmG+bvQ=
|
||||||
|
=Ukrb
|
||||||
|
-----END PGP SIGNATURE-----
|
@ -1,3 +1,10 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Sep 23 06:16:59 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||||
|
|
||||||
|
- Update to openssh 9.9p1:
|
||||||
|
* No changes for askpass, see main package changelog for
|
||||||
|
details.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Aug 1 09:17:11 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
Thu Aug 1 09:17:11 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||||
|
|
||||||
|
@ -18,7 +18,7 @@
|
|||||||
|
|
||||||
%define _name openssh
|
%define _name openssh
|
||||||
Name: openssh-askpass-gnome
|
Name: openssh-askpass-gnome
|
||||||
Version: 9.8p1
|
Version: 9.9p1
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
||||||
License: BSD-2-Clause
|
License: BSD-2-Clause
|
||||||
|
@ -334,11 +334,12 @@ Index: openssh-9.3p2/sshd-session.c
|
|||||||
in_cleanup = 1;
|
in_cleanup = 1;
|
||||||
extern int auth_attempted; /* monitor.c */
|
extern int auth_attempted; /* monitor.c */
|
||||||
|
|
||||||
@@ -1604,5 +1610,7 @@ cleanup_exit(int i)
|
@@ -1604,6 +1610,8 @@ cleanup_exit(int i)
|
||||||
mm_is_monitor())
|
mm_is_monitor())
|
||||||
audit_event(the_active_state, SSH_CONNECTION_ABANDON);
|
audit_event(the_active_state, SSH_CONNECTION_ABANDON);
|
||||||
#endif
|
#endif
|
||||||
+
|
+
|
||||||
+ clobber_stack();
|
+ clobber_stack();
|
||||||
_exit(i);
|
/* Override default fatal exit value when auth was attempted */
|
||||||
}
|
if (i == 255 && auth_attempted)
|
||||||
|
_exit(EXIT_AUTH_ATTEMPTED);
|
||||||
|
154
openssh.changes
@ -1,3 +1,157 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Sep 25 10:45:17 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||||
|
|
||||||
|
- Add a const to the openssl 1.1/RSA section of sshkey_is_private
|
||||||
|
to keep it similar to what it used before the 9.9 rebase:
|
||||||
|
* openssh-8.1p1-audit.patch
|
||||||
|
- Add a openssl11 bcond to the spec file for the SLE12 case
|
||||||
|
instead of checking suse_version in different parts.
|
||||||
|
- Move conditional patches to a number >= 1000.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Sep 23 06:16:59 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||||
|
|
||||||
|
- Update to openssh 9.9p1:
|
||||||
|
= Future deprecation notice
|
||||||
|
* OpenSSH plans to remove support for the DSA signature algorithm
|
||||||
|
in early 2025. This release disables DSA by default at compile
|
||||||
|
time. DSA, as specified in the SSHv2 protocol, is inherently
|
||||||
|
weak - being limited to a 160 bit private key and use of the
|
||||||
|
SHA1 digest. Its estimated security level is only 80 bits
|
||||||
|
symmetric equivalent.
|
||||||
|
OpenSSH has disabled DSA keys by default since 2015 but has
|
||||||
|
retained run-time optional support for them. DSA was the only
|
||||||
|
mandatory-to-implement algorithm in the SSHv2 RFCs, mostly
|
||||||
|
because alternative algorithms were encumbered by patents when
|
||||||
|
the SSHv2 protocol was specified.
|
||||||
|
This has not been the case for decades at this point and better
|
||||||
|
algorithms are well supported by all actively-maintained SSH
|
||||||
|
implementations. We do not consider the costs of maintaining
|
||||||
|
DSA in OpenSSH to be justified and hope that removing it from
|
||||||
|
OpenSSH can accelerate its wider deprecation in supporting
|
||||||
|
cryptography libraries.
|
||||||
|
|
||||||
|
= Potentially-incompatible changes
|
||||||
|
* ssh(1): remove support for pre-authentication compression.
|
||||||
|
OpenSSH has only supported post-authentication compression in
|
||||||
|
the server for some years. Compression before authentication
|
||||||
|
significantly increases the attack surface of SSH servers and
|
||||||
|
risks creating oracles that reveal information about
|
||||||
|
information sent during authentication.
|
||||||
|
* ssh(1), sshd(8): processing of the arguments to the "Match"
|
||||||
|
configuration directive now follows more shell-like rules for
|
||||||
|
quoted strings, including allowing nested quotes and \-escaped
|
||||||
|
characters. If configurations contained workarounds for the
|
||||||
|
previous simplistic quote handling then they may need to be
|
||||||
|
adjusted. If this is the case, it's most likely to be in the
|
||||||
|
arguments to a "Match exec" confition. In this case, moving the
|
||||||
|
command to be evaluated from the Match line to an external
|
||||||
|
shell script is easiest way to preserve compatibility with both
|
||||||
|
the old and new versions.
|
||||||
|
|
||||||
|
= New features
|
||||||
|
* ssh(1), sshd(8): add support for a new hybrid post-quantum key
|
||||||
|
exchange based on the FIPS 203 Module-Lattice Key Enapsulation
|
||||||
|
mechanism (ML-KEM) combined with X25519 ECDH as described by
|
||||||
|
https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
|
||||||
|
This algorithm "mlkem768x25519-sha256" is available by default.
|
||||||
|
* ssh(1): the ssh_config "Include" directive can now expand
|
||||||
|
environment as well as the same set of %-tokens "Match Exec"
|
||||||
|
supports.
|
||||||
|
* sshd(8): add a sshd_config "RefuseConnection" option that, if
|
||||||
|
set will terminate the connection at the first authentication
|
||||||
|
request.
|
||||||
|
* sshd(8): add a "refuseconnection" penalty class to sshd_config
|
||||||
|
PerSourcePenalties that is applied when a connection is dropped
|
||||||
|
by the new RefuseConnection keyword.
|
||||||
|
* sshd(8): add a "Match invalid-user" predicate to sshd_config
|
||||||
|
Match options that matches when the target username is not
|
||||||
|
valid on the server.
|
||||||
|
* ssh(1), sshd(8): update the Streamlined NTRUPrime code to a
|
||||||
|
substantially faster implementation.
|
||||||
|
* ssh(1), sshd(8): the hybrid Streamlined NTRUPrime/X25519 key
|
||||||
|
exchange algorithm now has an IANA-assigned name in addition to
|
||||||
|
the "@openssh.com" vendor extension name. This algorithm is now
|
||||||
|
also available under this name "sntrup761x25519-sha512"
|
||||||
|
* ssh(1), sshd(8), ssh-agent(1): prevent private keys from being
|
||||||
|
included in core dump files for most of their lifespans. This
|
||||||
|
is in addition to pre-existing controls in ssh-agent(1) and
|
||||||
|
sshd(8) that prevented coredumps. This feature is supported on
|
||||||
|
OpenBSD, Linux and FreeBSD.
|
||||||
|
* All: convert key handling to use the libcrypto EVP_PKEY API,
|
||||||
|
with the exception of DSA.
|
||||||
|
* sshd(8): add a random amount of jitter (up to 4 seconds) to the
|
||||||
|
grace login time to make its expiry unpredictable.
|
||||||
|
|
||||||
|
= Bugfixes
|
||||||
|
* sshd(8): relax absolute path requirement back to what it was
|
||||||
|
prior to OpenSSH 9.8, which incorrectly required that sshd was
|
||||||
|
started with an absolute path in inetd mode. bz3717
|
||||||
|
* sshd(8): fix regression introduced in openssh-9.8 that swapped
|
||||||
|
the order of source and destination addresses in some sshd log
|
||||||
|
messages.
|
||||||
|
* sshd(8): do not apply authorized_keys options when signature
|
||||||
|
verification fails. Prevents more restrictive key options being
|
||||||
|
incorrectly applied to subsequent keys in authorized_keys.
|
||||||
|
bz3733
|
||||||
|
* ssh-keygen(1): include pathname in some of ssh-keygen's
|
||||||
|
passphrase prompts. Helps the user know what's going on when
|
||||||
|
ssh-keygen is invoked via other tools. Requested in GHPR503
|
||||||
|
* ssh(1), ssh-add(1): make parsing user@host consistently look
|
||||||
|
for the last '@' in the string rather than the first. This
|
||||||
|
makes it possible to more consistently use usernames that
|
||||||
|
contain '@' characters.
|
||||||
|
* ssh(1), sshd(8): be more strict in parsing key type names. Only
|
||||||
|
allow short names (e.g "rsa") in user-interface code and
|
||||||
|
require full SSH protocol names (e.g. "ssh-rsa") everywhere
|
||||||
|
else. bz3725
|
||||||
|
* regress: many performance and correctness improvements to the
|
||||||
|
re-keying regression test.
|
||||||
|
* ssh-keygen(1): clarify that ed25519 is the default key type
|
||||||
|
generated and clarify that rsa-sha2-512 is the default
|
||||||
|
signature scheme when RSA is in use. GHPR505
|
||||||
|
* sshd(8): fix minor memory leak in Subsystem option parsing;
|
||||||
|
GHPR515
|
||||||
|
* All: additional hardening and consistency checks for the sshbuf
|
||||||
|
code.
|
||||||
|
* sshd(8): reduce default logingrace penalty to ensure that a
|
||||||
|
single forgotton login that times out will be below the penalty
|
||||||
|
threshold.
|
||||||
|
* ssh(1): fix proxy multiplexing (-O proxy) bug. If a mux started
|
||||||
|
with ControlPersist then later has a forwarding added using mux
|
||||||
|
proxy connection and the forwarding was used, then when the mux
|
||||||
|
proxy session terminated, the mux master process would issue a
|
||||||
|
bad message that terminated the connection.
|
||||||
|
|
||||||
|
= Portability
|
||||||
|
* sync contrib/ssh-copy-id to the latest upstream version.
|
||||||
|
* regress: improve portablility for some awk(1) usage
|
||||||
|
(e.g. Solaris)
|
||||||
|
* In the contrib/redhat RPM spec file, without_openssl was
|
||||||
|
previously incorrectly enabled unconditionally.
|
||||||
|
* sshd(8) restore audit call before exit that regressed in
|
||||||
|
openssh-9.8. Fixes an issue where the SSH_CONNECTION_ABANDON
|
||||||
|
event was not recorded.
|
||||||
|
* sshd(8): add support for class-imposed loging restrictions on
|
||||||
|
FreeBSD. Allowing auth_hostok(3) and auth_timeok(3) to control
|
||||||
|
logins.
|
||||||
|
* Build fixes for Musl libc.
|
||||||
|
* Fix detection of setres*id on GNU/Hurd
|
||||||
|
|
||||||
|
- Drop patches that were already merged by upstream:
|
||||||
|
* fix-memleak-in-process_server_config_line_depth.patch
|
||||||
|
* fix-audit-fail-attempt.patch
|
||||||
|
- Rebase patch with significant changes:
|
||||||
|
* openssh-8.1p1-audit.patch
|
||||||
|
- Rebase patches with context or trivial changes:
|
||||||
|
* openssh-7.7p1-fips.patch
|
||||||
|
* openssh-8.0p1-gssapi-keyex.patch
|
||||||
|
* openssh-9.6p1-crypto-policies-man.patch
|
||||||
|
* openssh-mitigate-lingering-secrets.patch
|
||||||
|
- Several spec file fixes so the package builds and can be
|
||||||
|
installed in SLE 15 SP5 and SLE 12 SP5
|
||||||
|
- Use gcc11 when building in SLE12 and SLE15.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Sep 12 07:43:18 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
Thu Sep 12 07:43:18 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
|
||||||
|
|
||||||
|
67
openssh.spec
@ -34,12 +34,24 @@
|
|||||||
%bcond_without allow_root_password_login_by_default
|
%bcond_without allow_root_password_login_by_default
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150600
|
||||||
|
%bcond_without crypto_policies
|
||||||
|
%else
|
||||||
|
%bcond_with crypto_policies
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if 0%{?suse_version} < 1500
|
||||||
|
%bcond_without openssl11
|
||||||
|
%else
|
||||||
|
%bcond_with openssl11
|
||||||
|
%endif
|
||||||
|
|
||||||
#Compat macro for new _fillupdir macro introduced in Nov 2017
|
#Compat macro for new _fillupdir macro introduced in Nov 2017
|
||||||
%if ! %{defined _fillupdir}
|
%if ! %{defined _fillupdir}
|
||||||
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
||||||
%endif
|
%endif
|
||||||
Name: openssh
|
Name: openssh
|
||||||
Version: 9.8p1
|
Version: 9.9p1
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Secure Shell Client and Server (Remote Login Program)
|
Summary: Secure Shell Client and Server (Remote Login Program)
|
||||||
License: BSD-2-Clause AND MIT
|
License: BSD-2-Clause AND MIT
|
||||||
@ -126,20 +138,22 @@ Patch103: openssh-6.6p1-privsep-selinux.patch
|
|||||||
Patch104: openssh-6.6p1-keycat.patch
|
Patch104: openssh-6.6p1-keycat.patch
|
||||||
Patch105: openssh-6.6.1p1-selinux-contexts.patch
|
Patch105: openssh-6.6.1p1-selinux-contexts.patch
|
||||||
Patch106: openssh-7.6p1-cleanup-selinux.patch
|
Patch106: openssh-7.6p1-cleanup-selinux.patch
|
||||||
# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
|
# 200 - 300 -- Patches submitted to upstream
|
||||||
Patch107: openssh-9.6p1-crypto-policies.patch
|
|
||||||
Patch108: openssh-9.6p1-crypto-policies-man.patch
|
|
||||||
Patch109: fix-memleak-in-process_server_config_line_depth.patch
|
|
||||||
# PATCH-FIX-UPSTREAM alarrosa@suse.com -- https://github.com/openssh/openssh-portable/pull/516
|
|
||||||
Patch110: fix-audit-fail-attempt.patch
|
|
||||||
# PATCH-FIX-UPSTREAM -- https://github.com/openssh/openssh-portable/pull/452 boo#1229010
|
# PATCH-FIX-UPSTREAM -- https://github.com/openssh/openssh-portable/pull/452 boo#1229010
|
||||||
Patch111: 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
|
Patch200: 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
|
||||||
|
# 1000 - 2000 -- Conditional patches
|
||||||
|
# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
|
||||||
|
%if 0%{with crypto_policies}
|
||||||
|
Patch1000: openssh-9.6p1-crypto-policies.patch
|
||||||
|
Patch1001: openssh-9.6p1-crypto-policies-man.patch
|
||||||
|
%endif
|
||||||
%if 0%{with allow_root_password_login_by_default}
|
%if 0%{with allow_root_password_login_by_default}
|
||||||
Patch1000: openssh-7.7p1-allow_root_password_login.patch
|
# PATCH-FIX-SLE Allow root login with password by default (for SLE12 and SLE15)
|
||||||
|
Patch1002: openssh-7.7p1-allow_root_password_login.patch
|
||||||
%endif
|
%endif
|
||||||
BuildRequires: audit-devel
|
BuildRequires: audit-devel
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
%if 0%{?sle_version} >= 150500
|
%if 0%{?suse_version} <= 1600
|
||||||
BuildRequires: gcc11
|
BuildRequires: gcc11
|
||||||
%endif
|
%endif
|
||||||
BuildRequires: groff
|
BuildRequires: groff
|
||||||
@ -148,7 +162,12 @@ BuildRequires: libselinux-devel
|
|||||||
%if %{with ldap}
|
%if %{with ldap}
|
||||||
BuildRequires: openldap2-devel
|
BuildRequires: openldap2-devel
|
||||||
%endif
|
%endif
|
||||||
|
%if 0%{with openssl11}
|
||||||
|
BuildRequires: libopenssl-1_1-devel
|
||||||
|
BuildRequires: openssl-1_1
|
||||||
|
%else
|
||||||
BuildRequires: openssl-devel
|
BuildRequires: openssl-devel
|
||||||
|
%endif
|
||||||
BuildRequires: pam-devel
|
BuildRequires: pam-devel
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
BuildRequires: zlib-devel
|
BuildRequires: zlib-devel
|
||||||
@ -158,7 +177,7 @@ BuildRequires: sysuser-shadow
|
|||||||
BuildRequires: sysuser-tools
|
BuildRequires: sysuser-tools
|
||||||
Requires: %{name}-clients = %{version}-%{release}
|
Requires: %{name}-clients = %{version}-%{release}
|
||||||
Requires: %{name}-server = %{version}-%{release}
|
Requires: %{name}-server = %{version}-%{release}
|
||||||
%if 0%{?suse_version} >= 1550
|
%if 0%{?suse_version} >= 1550 || 0%{?suse_version} < 1500
|
||||||
BuildRequires: pkgconfig(krb5)
|
BuildRequires: pkgconfig(krb5)
|
||||||
%else
|
%else
|
||||||
BuildRequires: krb5-mini-devel
|
BuildRequires: krb5-mini-devel
|
||||||
@ -204,7 +223,9 @@ clients.
|
|||||||
Summary: SSH (Secure Shell) server
|
Summary: SSH (Secure Shell) server
|
||||||
Group: Productivity/Networking/SSH
|
Group: Productivity/Networking/SSH
|
||||||
Requires: %{name}-common = %{version}-%{release}
|
Requires: %{name}-common = %{version}-%{release}
|
||||||
|
%if 0%{with crypto_policies}
|
||||||
Requires: crypto-policies >= 20220824
|
Requires: crypto-policies >= 20220824
|
||||||
|
%endif
|
||||||
Recommends: audit
|
Recommends: audit
|
||||||
Requires(pre): findutils
|
Requires(pre): findutils
|
||||||
Requires(pre): grep
|
Requires(pre): grep
|
||||||
@ -260,7 +281,9 @@ ssh-copy-id(1).
|
|||||||
%package clients
|
%package clients
|
||||||
Summary: SSH (Secure Shell) client applications
|
Summary: SSH (Secure Shell) client applications
|
||||||
Group: Productivity/Networking/SSH
|
Group: Productivity/Networking/SSH
|
||||||
|
%if 0%{with crypto_policies}
|
||||||
Requires: crypto-policies >= 20220824
|
Requires: crypto-policies >= 20220824
|
||||||
|
%endif
|
||||||
Requires: %{name}-common = %{version}-%{release}
|
Requires: %{name}-common = %{version}-%{release}
|
||||||
Provides: openssh:%{_bindir}/ssh
|
Provides: openssh:%{_bindir}/ssh
|
||||||
|
|
||||||
@ -329,7 +352,7 @@ sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
|
|||||||
)
|
)
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%if 0%{?sle_version} >= 150500
|
%if 0%{?suse_version} <= 1600
|
||||||
export CC=gcc-11
|
export CC=gcc-11
|
||||||
%endif
|
%endif
|
||||||
autoreconf -fiv
|
autoreconf -fiv
|
||||||
@ -426,12 +449,14 @@ mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buil
|
|||||||
%endif
|
%endif
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
%if 0%{with crypto_policies}
|
||||||
install -m 644 ssh_config_suse %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
|
install -m 644 ssh_config_suse %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
|
||||||
%if %{defined _distconfdir}
|
%if %{defined _distconfdir}
|
||||||
install -m 644 sshd_config_suse_cp %{buildroot}%{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
|
install -m 644 sshd_config_suse_cp %{buildroot}%{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
|
||||||
%else
|
%else
|
||||||
install -m 644 sshd_config_suse_cp %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
|
install -m 644 sshd_config_suse_cp %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
|
||||||
%endif
|
%endif
|
||||||
|
%endif
|
||||||
|
|
||||||
%if 0%{?suse_version} < 1550
|
%if 0%{?suse_version} < 1550
|
||||||
# install firewall definitions
|
# install firewall definitions
|
||||||
@ -457,13 +482,19 @@ install -m 644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf
|
|||||||
#
|
#
|
||||||
# this shows up earlier because otherwise the %%expand of
|
# this shows up earlier because otherwise the %%expand of
|
||||||
# the macro is too late.
|
# the macro is too late.
|
||||||
|
%if 0%{with openssl11}
|
||||||
|
%define opensslbin openssl-1_1
|
||||||
|
%else
|
||||||
|
%define opensslbin openssl
|
||||||
|
%endif
|
||||||
|
|
||||||
%{expand:%%global __os_install_post {%__os_install_post
|
%{expand:%%global __os_install_post {%__os_install_post
|
||||||
for b in \
|
for b in \
|
||||||
%{_bindir}/ssh \
|
%{_bindir}/ssh \
|
||||||
%{_sbindir}/sshd \
|
%{_sbindir}/sshd \
|
||||||
%{_libexecdir}/ssh/sftp-server \
|
%{_libexecdir}/ssh/sftp-server \
|
||||||
; do
|
; do
|
||||||
openssl dgst -sha256 -binary -hmac %{CHECKSUM_HMAC_KEY} < %{buildroot}$b > %{buildroot}$b%{CHECKSUM_SUFFIX}
|
%{opensslbin} dgst -sha256 -binary -hmac %{CHECKSUM_HMAC_KEY} < %{buildroot}$b > %{buildroot}$b%{CHECKSUM_SUFFIX}
|
||||||
done
|
done
|
||||||
|
|
||||||
}}
|
}}
|
||||||
@ -481,6 +512,7 @@ test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/
|
|||||||
%{fillup_only -n ssh}
|
%{fillup_only -n ssh}
|
||||||
%service_add_post sshd.service sshd.socket
|
%service_add_post sshd.service sshd.socket
|
||||||
|
|
||||||
|
%if 0%{with crypto_policies}
|
||||||
%if ! %{defined _distconfdir}
|
%if ! %{defined _distconfdir}
|
||||||
test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
|
test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
|
||||||
echo "WARNING: /etc/ssh/sshd_config doesn't include config files from"
|
echo "WARNING: /etc/ssh/sshd_config doesn't include config files from"
|
||||||
@ -489,6 +521,7 @@ test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.c
|
|||||||
echo "/etc/ssh/sshd_config :"
|
echo "/etc/ssh/sshd_config :"
|
||||||
echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
|
echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
|
||||||
%endif
|
%endif
|
||||||
|
%endif
|
||||||
|
|
||||||
%preun server
|
%preun server
|
||||||
%service_del_preun sshd.service sshd.socket
|
%service_del_preun sshd.service sshd.socket
|
||||||
@ -503,6 +536,7 @@ else
|
|||||||
%service_del_postun sshd.service sshd.socket
|
%service_del_postun sshd.service sshd.socket
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
%if 0%{with crypto_policies}
|
||||||
%if ! %{defined _distconfdir}
|
%if ! %{defined _distconfdir}
|
||||||
%post server-config-disallow-rootlogin
|
%post server-config-disallow-rootlogin
|
||||||
test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
|
test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
|
||||||
@ -512,6 +546,7 @@ test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.c
|
|||||||
echo "the following line is added at the start of /etc/ssh/sshd_config :"
|
echo "the following line is added at the start of /etc/ssh/sshd_config :"
|
||||||
echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
|
echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
|
||||||
%endif
|
%endif
|
||||||
|
%endif
|
||||||
|
|
||||||
%if %{defined _distconfdir}
|
%if %{defined _distconfdir}
|
||||||
%posttrans server
|
%posttrans server
|
||||||
@ -526,6 +561,7 @@ test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/
|
|||||||
test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config.rpmsave.old ||:
|
test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config.rpmsave.old ||:
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
%if 0%{with crypto_policies}
|
||||||
%if ! %{defined _distconfdir}
|
%if ! %{defined _distconfdir}
|
||||||
%post clients
|
%post clients
|
||||||
test -f /etc/ssh/ssh_config && (grep -q "^Include /etc/ssh/ssh_config\.d/\*\.conf" /etc/ssh/ssh_config || ( \
|
test -f /etc/ssh/ssh_config && (grep -q "^Include /etc/ssh/ssh_config\.d/\*\.conf" /etc/ssh/ssh_config || ( \
|
||||||
@ -535,6 +571,7 @@ test -f /etc/ssh/ssh_config && (grep -q "^Include /etc/ssh/ssh_config\.d/\*\.con
|
|||||||
echo "/etc/ssh/ssh_config :"
|
echo "/etc/ssh/ssh_config :"
|
||||||
echo "Include /etc/ssh/ssh_config.d/*.conf" ) ) ||:
|
echo "Include /etc/ssh/ssh_config.d/*.conf" ) ) ||:
|
||||||
%endif
|
%endif
|
||||||
|
%endif
|
||||||
|
|
||||||
%if %{defined _distconfdir}
|
%if %{defined _distconfdir}
|
||||||
%posttrans clients
|
%posttrans clients
|
||||||
@ -582,11 +619,13 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
|
|||||||
%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
|
%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
|
||||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
|
||||||
%endif
|
%endif
|
||||||
|
%if 0%{with crypto_policies}
|
||||||
%if %{defined _distconfdir}
|
%if %{defined _distconfdir}
|
||||||
%attr(0600,root,root) %config(noreplace) %{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
|
%attr(0600,root,root) %config(noreplace) %{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
|
||||||
%else
|
%else
|
||||||
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
|
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
|
||||||
%endif
|
%endif
|
||||||
|
%endif
|
||||||
%attr(0644,root,root) %{_unitdir}/sshd.service
|
%attr(0644,root,root) %{_unitdir}/sshd.service
|
||||||
%attr(0644,root,root) %{_unitdir}/sshd@.service
|
%attr(0644,root,root) %{_unitdir}/sshd@.service
|
||||||
%attr(0644,root,root) %{_unitdir}/sshd.socket
|
%attr(0644,root,root) %{_unitdir}/sshd.socket
|
||||||
@ -624,8 +663,10 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%files clients
|
%files clients
|
||||||
|
%if 0%{with crypto_policies}
|
||||||
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
|
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
|
||||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
|
||||||
|
%endif
|
||||||
%if %{defined _distconfdir}
|
%if %{defined _distconfdir}
|
||||||
%attr(0644,root,root) %{_distconfdir}/ssh/ssh_config
|
%attr(0644,root,root) %{_distconfdir}/ssh/ssh_config
|
||||||
%else
|
%else
|
||||||
|