openssh/openssh.spec


#
# spec file for package openssh (Version 4.6p1)
#
# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# norootforbuild
Name: openssh
%define _fwdefdir /etc/sysconfig/SuSEfirewall2.d/services
%define _prefix %(xft-config --prefix)
%if "%{_prefix}" == "/usr/X11R6"
%define _mandir %{_prefix}/man
%define _appdefdir %{_prefix}/lib/X11/app-defaults
%else
%define _appdefdir %{_prefix}/share/X11/app-defaults
%endif
BuildRequires: audit-devel krb5-devel opensc-devel openssl-devel pam-devel tcpd-devel xorg-x11-devel
License: BSD 3-Clause, X11/MIT
Group: Productivity/Networking/SSH
Obsoletes: ssh
Provides: ssh
Requires: /bin/netstat
PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_prereq /bin/mkdir /bin/cat permissions
Conflicts: nonfreessh
Autoreqprov: on
Version: 4.6p1
Release: 43
%define xversion 1.2.4.1
Summary: Secure Shell Client and Server (Remote Login Program)
URL: http://www.openssh.com/
Source: %{name}-%{version}.tar.bz2
Source1: %{name}-SuSE.tar.bz2
Source2: sshd.pamd
Source3: x11-ssh-askpass-%{xversion}.tar.bz2
Source4: README.SuSE
Source5: converter.tar.bz2
Source6: README.kerberos
Source7: ssh.reg
Source8: ssh-askpass
Source9: sshd.fw
Patch: %{name}-%{version}.dif
Patch1: %{name}-%{version}-addrlist.dif
Patch12: %{name}-%{version}-askpass-fix.diff
Patch15: %{name}-%{version}-pam-fix2.diff
Patch17: %{name}-%{version}-strict-aliasing-fix.diff
Patch18: %{name}-%{version}-saveargv-fix.diff
Patch19: %{name}-%{version}-pam-fix3.diff
Patch21: %{name}-%{version}-gssapimitm.patch
Patch26: %{name}-%{version}-eal3.diff
Patch27: %{name}-%{version}-engines.diff
Patch28: %{name}-%{version}-blocksigalrm.diff
Patch35: %{name}-%{version}-send_locale.diff
Patch36: %{name}-%{version}-xauthlocalhostname.diff
Patch37: %{name}-%{version}-tmpdir.diff
Patch38: %{name}-%{version}-pwname-home.diff
Patch40: %{name}-%{version}-xauth.diff
Patch41: %{name}-%{version}-gcc-fix.patch
Patch42: %{name}-gssapi_krb5-fix.patch
Patch43: %{name}-%{version}-default-protocol.diff
Patch44: %{name}-%{version}-audit.patch
Patch45: %{name}-%{version}-challenge.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%package askpass
Summary: A passphrase dialog for OpenSSH and the X Window System
Requires: openssh = %{version}
Provides: openssh:/usr/%_lib/ssh/ssh-askpass
Group: Productivity/Networking/SSH
%description
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It is intended to replace rsh (rlogin and rsh) and
provides openssl (secure encrypted communication) between two untrusted
hosts over an insecure network.
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.
Authors:
--------
Aaron Campbell
Bob Beck
Markus Friedl
Niels Provos
Theo de Raadt
Dug Song
Ben Taylor <bent@clark.net>
Chip Salzenberg <chip@valinux.com>
Chris Saia <csaia@wtower.com>
Dan Brosemer <odin@linuxfreak.com>
Jim Knoble <jmknoble@pobox.com>
Marc G. Fournier <marc.fournier@acadiau.ca>
Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Niels Kristian Bech Jensen <nkbj@image.dk>
Phil Hands <phil@hands.com>
Thomas Neumann <tom@smart.ruhr.de>
Tudor Bosman <tudorb@jm.nu>
Damien Miller <djm@ibs.com.au>
%description askpass
Ssh (Secure Shell) is a program for logging into a remote machine and
for executing commands on a remote machine. This package contains an X
Window System passphrase dialog for OpenSSH.
Authors:
--------
Aaron Campbell
Bob Beck
Markus Friedl
Niels Provos
Theo de Raadt
Dug Song
Ben Taylor <bent@clark.net>
Chip Salzenberg <chip@valinux.com>
Chris Saia <csaia@wtower.com>
Dan Brosemer <odin@linuxfreak.com>
Jim Knoble <jmknoble@pobox.com>
Marc G. Fournier <marc.fournier@acadiau.ca>
Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Niels Kristian Bech Jensen <nkbj@image.dk>
Phil Hands <phil@hands.com>
Thomas Neumann <tom@smart.ruhr.de>
Tudor Bosman <tudorb@jm.nu>
Damien Miller <djm@ibs.com.au>
%define prefix /usr
%prep
%setup -q -b 3 -a 1 -a 5
%patch
%patch1
%patch15
%patch17
%patch18
%patch19
%patch21
%patch26 -p1
%patch27 -p1
%patch28
%patch35
%patch36
%patch37
%patch38 -p1
%patch40
%patch41
%patch42
%patch43
%patch44 -p1
%patch45
cp -v %{SOURCE4} .
cp -v %{SOURCE6} .
cd ../x11-ssh-askpass-%{xversion}
%patch12
%build
%if "%{_prefix}" != "/usr/X11R6"
for i in configure.ac Makefile.in pathnames.h ssh_config.0 ssh_config.5 sshd_config.0 sshd_config.5 ; do
sed -i -e 's@%{_prefix}@/usr@g' $i
done
%endif
%{?suse_update_config:%{suse_update_config}}
aclocal
autoheader
autoconf
%ifarch s390 s390x
PIEFLAGS="-fPIE"
%else
PIEFLAGS="-fpie"
%endif
#Obsoleted CFLAGS="-DUSE_POSIX_THREADS $RPM_OPT_FLAGS" CXXFLAGS="-DUSE_POSIX_THREADS $RPM_O \
#Obsoleted LDFLAGS="-lpthread" \
LDFLAGS="-pie" CFLAGS="$RPM_OPT_FLAGS $PIEFLAGS -fstack-protector" CXXFLAGS="$RPM_OPT_FLAGS $PIEFLAGS -fstack-protector" \
./configure \
--mandir=%{_mandir} \
--prefix=%{prefix} \
--infodir=%{_infodir} \
--sysconfdir=/etc/ssh \
--libexecdir=%{prefix}/%_lib/ssh \
--with-tcp-wrappers \
--with-pam \
--with-kerberos5=/usr \
--with-privsep-path=/var/lib/empty \
%ifnarch s390 s390x
--with-opensc \
%endif
--disable-strip \
--with-linux-audit \
--with-xauth=%{_prefix}/bin/xauth \
--target=%{_target_cpu}-suse-linux
# --with-afs=/usr \
make %{?jobs:-j%jobs}
(cd converter; make %{?jobs:-j%jobs})
cd contrib
cd ../../x11-ssh-askpass-%{xversion}
CFLAGS="$RPM_OPT_FLAGS" CXXFLAGS="$RPM_OPT_FLAGS" \
./configure \
--mandir=%{_mandir} \
--prefix=%{_prefix} \
--libexecdir=%{prefix}/%_lib/ssh
xmkmf
make includes USRLIBDIR=%_prefix/%_lib
make %{?jobs:-j%jobs} USRLIBDIR=%_prefix/%_lib CCOPTIONS="$RPM_OPT_FLAGS"
%install
make DESTDIR=$RPM_BUILD_ROOT/ install
install -d -m 755 $RPM_BUILD_ROOT/etc/pam.d
install -d -m 755 $RPM_BUILD_ROOT/var/lib/sshd
install -m 644 %{S:2} $RPM_BUILD_ROOT/etc/pam.d/sshd
install -d -m 755 $RPM_BUILD_ROOT/etc/slp.reg.d/
install -m 644 %{S:7} $RPM_BUILD_ROOT/etc/slp.reg.d/
cp -a SuSE/* $RPM_BUILD_ROOT
# install shell script to automate the process of adding your public key to a remote machine
install -m 755 contrib/ssh-copy-id $RPM_BUILD_ROOT/usr/bin
install -m 644 contrib/ssh-copy-id.1 $RPM_BUILD_ROOT/%{_mandir}/man1
(cd converter; make install DESTDIR=$RPM_BUILD_ROOT/)
cd ../x11-ssh-askpass-%{xversion}
make BINDIR=/usr/%_lib/ssh DESTDIR=$RPM_BUILD_ROOT install install.man
rm -rf $RPM_BUILD_ROOT/usr/%_lib/ssh/ssh-askpass
sed -e "s@usr/lib/ssh@usr/%_lib/ssh@" < %{S:8} > $RPM_BUILD_ROOT/usr/%_lib/ssh/ssh-askpass
rm -f $RPM_BUILD_ROOT/usr/share/Ssh.bin
sed -i -e s@/usr/libexec@/usr/%{_lib}@g $RPM_BUILD_ROOT/etc/ssh/sshd_config
#install firewall definitions format is described here:
#/usr/share/SuSEfirewall2/services/TEMPLATE
mkdir -p $RPM_BUILD_ROOT/%{_fwdefdir}
install -m 755 %{S:9} $RPM_BUILD_ROOT/%{_fwdefdir}/sshd
%pre
/usr/sbin/groupadd -g 65 -o -r sshd 2> /dev/null || :
/usr/sbin/useradd -r -o -g sshd -u 71 -s /bin/false -c "SSH daemon" -d /var/lib/sshd sshd 2> /dev/null || :
%post
%{fillup_and_insserv -n -s -y ssh sshd START_SSHD}
%run_permissions
%verifyscript
%verify_permissions -e /etc/ssh/sshd_config -e /etc/ssh/ssh_config -e /usr/bin/ssh
%preun
%stop_on_removal sshd
%postun
%restart_on_update sshd
%{insserv_cleanup}
%clean
rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root)
%dir %attr(755,root,root) /var/lib/sshd
%doc README.SuSE README.kerberos ChangeLog OVERVIEW README RFC.nroff TODO LICENCE CREDITS
%attr(0755,root,root) %dir /etc/ssh
%attr(0600,root,root) %config(noreplace) /etc/ssh/moduli
%verify(not mode) %attr(0644,root,root) %config(noreplace) /etc/ssh/ssh_config
%verify(not mode) %attr(0640,root,root) %config(noreplace) /etc/ssh/sshd_config
%attr(0644,root,root) %config /etc/pam.d/sshd
%attr(0755,root,root) %config /etc/init.d/sshd
%attr(0755,root,root) /usr/bin/ssh
/usr/bin/scp
/usr/bin/sftp
/usr/bin/slogin
/usr/bin/ssh-*
/usr/sbin/*
%attr(444,root,root) %doc %{_mandir}/man1/scp.1.gz
%attr(444,root,root) %doc %{_mandir}/man1/ssh-keygen.1.gz
%attr(444,root,root) %doc /usr/share/man/man1/ssh-keyconverter.1.gz
%attr(444,root,root) %doc %{_mandir}/man1/ssh.1.gz
%attr(444,root,root) %doc %{_mandir}/man1/slogin.1.gz
%attr(444,root,root) %doc %{_mandir}/man1/ssh-agent.1*
%attr(444,root,root) %doc %{_mandir}/man1/ssh-add.1*
%attr(444,root,root) %doc %{_mandir}/man1/ssh-keyscan.1*
%attr(444,root,root) %doc %{_mandir}/man1/sftp.1*
%attr(444,root,root) %doc %{_mandir}/man1/ssh-copy-id.1*
%attr(444,root,root) %doc %{_mandir}/man5/*
%attr(444,root,root) %doc %{_mandir}/man8/*
%attr(0755,root,root) %dir /usr/%_lib/ssh
%attr(0755,root,root) /usr/%_lib/ssh/sftp-server
%attr(0755,root,root) /usr/%_lib/ssh/ssh-keysign
%dir /etc/slp.reg.d
/etc/slp.reg.d/ssh.reg
/var/adm/fillup-templates/sysconfig.ssh
%config %{_fwdefdir}/sshd
%files askpass
%defattr(-,root,root)
%attr(0755,root,root) /usr/%_lib/ssh/ssh-askpass
%attr(0755,root,root) /usr/%_lib/ssh/x11-ssh-askpass
%doc %_mandir/man1/ssh-askpass.1x.gz
%doc %_mandir/man1/x11-ssh-askpass.1x.gz
%config %_appdefdir/SshAskpass
%changelog
* Tue Aug 21 2007 - anicka@suse.cz
- avoid generating ssh keys when a non-standard location
is configured [#281228]
* Wed Jul 25 2007 - anicka@suse.cz
- fixed typo in sshd.fw [#293764]
* Mon Mar 19 2007 - nadvornik@suse.cz
- fixed default for ChallengeResponseAuthentication [#255374]
* Mon Mar 12 2007 - anicka@suse.cz
- update to 4.6p1
  * sshd now allows the enabling and disabling of authentication
    methods on a per user, group, host and network basis via the
    Match directive in sshd_config.
  * Allow multiple forwarding options to work when specified in a
    PermitOpen directive
  * Clear SIGALRM when restarting due to SIGHUP. Prevents stray
    signal from taking down sshd if a connection was pending at
    the time SIGHUP was received
  * "hang on exit" when background processes are running at the
    time of exit on a ttyful/login session
  * some more bugfixes
* Mon Mar 05 2007 - anicka@suse.cz
- fix path for firewall definition
* Thu Mar 01 2007 - anicka@suse.cz
- add support for Linux audit (FATE #120269)
* Wed Feb 21 2007 - anicka@suse.cz
- add firewall definition [#246921], FATE #300687,
source: sshd.fw
* Sat Jan 06 2007 - anicka@suse.cz
- disable SSHv1 protocol in default configuration [#231808]
* Tue Dec 12 2006 - anicka@suse.cz
- update to 4.5p1
  * Use privsep_pw if we have it, but only require it if we
    absolutely need it.
  * Correctly check for bad signatures in the monitor, otherwise
    the monitor and the unpriv process can get out of sync.
  * Clear errno before calling the strtol functions.
  * exit instead of doing a blocking tcp send if we detect
    a client/server timeout, since the tcp sendqueue might
    be already full (of alive requests)
  * include signal.h, errno.h, sys/in.h
  * some more bugfixes
* Wed Nov 22 2006 - anicka@suse.cz
- fixed README.SuSE [#223025]
* Thu Nov 09 2006 - anicka@suse.cz
- backport security fixes from openssh 4.5 (#219115)
* Tue Nov 07 2006 - ro@suse.de
- fix manpage permissions
* Tue Oct 31 2006 - anicka@suse.cz
- fix gssapi_krb5-fix patch [#215615]
- fix xauth patch
* Tue Oct 10 2006 - postadal@suse.cz
- fixed building openssh from src.rpm [#176528] (gssapi_krb5-fix.patch)
* Tue Oct 03 2006 - postadal@suse.cz
- updated to version 4.4p1 [#208662]
  * fixed pre-authentication DoS, that would cause sshd(8) to spin
    until the login grace time expired
  * fixed unsafe signal handler, which was vulnerable to a race condition
    that could be exploited to perform a pre-authentication DoS
  * fixed a GSSAPI authentication abort that could be used to determine
    the validity of usernames on some platforms
  * implemented conditional configuration in sshd_config(5) using the
    "Match" directive
  * added support for Diffie-Hellman group exchange key agreement with a
    final hash of SHA256
  * added a "ForceCommand", "PermitOpen" directive to sshd_config(5)
  * added optional logging of transactions to sftp-server(8)
  * ssh(1) will now record port numbers for hosts stored in
    ~/.ssh/authorized_keys when a non-standard port has been requested
  * added an "ExitOnForwardFailure" option to cause ssh(1) to exit (with
    a non-zero exit code) when requested port forwardings could not be
    established
  * extended sshd_config(5) "SubSystem" declarations to allow the
    specification of command-line arguments
- removed obsoleted patches: autoconf-fix.patch, dos-fix.patch
- fixed gcc issues (gcc-fix.patch)
* Wed Sep 20 2006 - postadal@suse.cz
- fixed DoS by CRC compensation attack detector [#206917] (dos-fix.patch)
- fixed client NULL deref on protocol error
- cosmetic fix in init script [#203826]
* Fri Sep 01 2006 - kukuk@suse.de
- sshd.pamd: Add pam_loginuid, move pam_nologin to a better position
* Fri Aug 25 2006 - postadal@suse.cz
- fixed path for xauth [#198676]
* Thu Aug 03 2006 - postadal@suse.cz
- fixed build with X11R7
* Thu Jul 20 2006 - postadal@suse.cz
- updated to version 4.3p2
  * experimental support for tunneling network packets via tun(4)
- removed obsoleted patches: pam-error.patch, CVE-2006-0225.patch,
scp.patch, sigalarm.patch
* Mon Feb 13 2006 - postadal@suse.cz
- upstream fixes
- fixed "scp a b c", when c is not directory (scp.patch)
- eliminate some code duplicated in privsep and non-privsep paths, and
explicitly clear SIGALRM handler (sigalarm.patch)
* Fri Feb 03 2006 - postadal@suse.cz
- fixed local arbitrary command execution vulnerability [#143435]
(CVE-2006-0225.patch)
* Thu Feb 02 2006 - postadal@suse.cz
- fixed xauth.diff for disabled UsePrivilegeSeparation mode [#145809]
- build on s390 without Smart card support (opensc) [#147383]
* Mon Jan 30 2006 - postadal@suse.cz
- fixed patch xauth.diff [#145809]
- fixed comments [#142989]
* Wed Jan 25 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
* Mon Jan 16 2006 - meissner@suse.de
- added -fstack-protector.
* Tue Jan 03 2006 - postadal@suse.cz
- updated to version 4.2p1
- removed obsoleted patches: upstream_fixes.diff, gssapi-secfix.patch
* Tue Nov 15 2005 - postadal@suse.cz
- do not delegate GSSAPI credentials to log in with a different method
than GSSAPI [#128928] (CAN-2005-2798, gssapi-secfix.patch)
* Sun Oct 23 2005 - postadal@suse.cz
- fixed PAM to send authentication failing message to client [#130043]
(pam-error.patch)
* Wed Sep 14 2005 - postadal@suse.cz
- fixed uninitialized variable in patch xauth.diff [#98815]
* Thu Sep 08 2005 - postadal@suse.cz
- don't strip
* Mon Sep 05 2005 - postadal@suse.cz
- added patch xauth.diff to prevent polluting the xauthority file [#98815]
* Mon Aug 22 2005 - postadal@suse.cz
- fixed problem when multiple accounts have same UID [#104773]
(pwname-home.diff)
- added fixes from upstream (upstream_fixes.diff)
* Thu Aug 18 2005 - postadal@suse.cz
- added patch tmpdir.diff for using $TMPDIR by ssh-agent [#95731]
* Thu Aug 04 2005 - uli@suse.de
- parallelize build
* Mon Aug 01 2005 - postadal@suse.cz
- added patch resolving problems with hostname changes [#98627]
(xauthlocalhostname.diff)
* Wed Jun 22 2005 - kukuk@suse.de
- Compile/link with -fpie/-pie
* Wed Jun 15 2005 - meissner@suse.de
- build x11-ask-pass with RPM_OPT_FLAGS.
* Fri Jun 10 2005 - postadal@suse.cz
- updated to version 4.1p1
- removed obsoleted patches: restore_terminal, pam-returnfromsession,
timing-attacks-fix, krb5ccname, gssapi-pam, logdenysource,
sendenv-fix, documentation-fix
* Thu Mar 10 2005 - postadal@suse.cz
- fixed SendEnv config parsing bug
- documented timeout on untrusted x11 forwarding sessions (openssh#849)
- mentioned ForwardX11Trusted in ssh.1 (openssh#987)
* Thu Mar 03 2005 - postadal@suse.cz
- enabled accepting and sending locale environment variables in protocol 2
[#65747, #50091]
* Thu Feb 24 2005 - postadal@suse.cz
- added patches from cvs: gssapi-pam (openssh#918),
krb5ccname (openssh#445), logdenysource (openssh#909)
* Thu Feb 03 2005 - postadal@suse.cz
- fixed keyboard-interactive/pam/Kerberos leaks info about user existence
[#48329] (openssh#971, CAN-2003-0190)
* Wed Jan 19 2005 - postadal@suse.cz
- split spec file to decrease number of build dependencies
- fixed restoring terminal setting after Ctrl+C during password prompt in scp/sftp [#43309]
- allowed users to see output from failing PAM session modules (openssh #890,
pam-returnfromsession.patch)
* Mon Nov 08 2004 - kukuk@suse.de
- Use common-* PAM config files for sshd PAM configuration
* Mon Oct 25 2004 - postadal@suse.cz
- switched heimdal-* to kerberos-devel-packages in #needforbuild
* Fri Sep 03 2004 - ro@suse.de
- fix lib64 issue
* Tue Aug 31 2004 - postadal@suse.cz
- updated to version 3.9p1
- removed obsoleted patches: scp-fix.diff and window_change-fix.diff
* Thu Aug 26 2004 - postadal@suse.cz
- added openssh-askpass-gnome subpackage
- added ssh-askpass script for choosing askpass depending on windowmanager
(by Robert Love <rml@novell.com>)
- build with Smart card support (opensc) [#44289]
* Tue Aug 17 2004 - postadal@suse.cz
- removed old implementation of "Update Messages" [#36059]
* Thu Aug 12 2004 - postadal@suse.cz
- updated to version 3.8p1
- removed obsoleted patches: sftp-progress-fix and pam-fix4
* Mon Jun 28 2004 - meissner@suse.de
- block sigalarm during syslog output or we might deadlock
on recursively entering syslog(). (LTC#9523, SUSE#42354)
* Wed May 26 2004 - postadal@suse.cz
- fixed commented default value for GSSAPI
* Thu May 20 2004 - mludvig@suse.cz
- Load drivers for available hardware crypto accelerators.
* Fri Apr 30 2004 - postadal@suse.cz
- updated README.kerberos (GSSAPICleanupCreds renamed to GSSAPICleanupCredentials)
* Mon Apr 19 2004 - postadal@suse.cz
- updated README.SuSE (GSSAPICleanupCreds renamed to GSSAPICleanupCredentials)
[#39010]
* Fri Mar 26 2004 - postadal@suse.cz
- fixed sshd(8) and sshd_config(5) man pages (EAL3)
- fixed spelling errors in README.SuSE [#37086]
* Thu Mar 25 2004 - postadal@suse.cz
- fixed change window request [#33177]
* Mon Mar 22 2004 - postadal@suse.cz
- updated README.SuSE
- removed %%verify from /usr/bin/ssh in specfile
* Thu Mar 18 2004 - postadal@suse.cz
- fixed previous fix of security bug in scp [#35443] (CAN-2004-0175)
(was too restrictive)
- fixed permission of /usr/bin/ssh
* Mon Mar 15 2004 - postadal@suse.cz
- fixed comments in sshd_config and ssh_config
* Mon Mar 15 2004 - postadal@suse.cz
- enabled privilege separation mode (new version fixes a lot of problematic PAM
calling [#30328])
- fixed security bug in scp [#35443] (CAN-2004-0175)
- reverted to old behaviour of ForwardingX11 [#35836]
(set ForwardX11Trusted to 'yes' by default)
- updated README.SuSE
- fixed pam code (pam-fix4.diff, backported from openssh-SNAP-20040311)
* Fri Mar 05 2004 - postadal@suse.cz
- updated README.SuSE (Remote x11 clients are now untrusted by default) [#35368]
- added gssapimitm patch (support for old GSSAPI)
* Mon Mar 01 2004 - postadal@suse.cz
- updated to version 3.8p1
  * The "gssapi" support has been replaced with the "gssapi-with-mic"
    to fix possible MITM attacks. These two versions are not compatible.
- removed obsoleted patches: krb5.patch, dns-lookups.patch, pam-fix.diff,
pam-end-fix.diff
- used process forking instead of pthreads
(developers fixed bugs in pam calling and they recommended not to use threads)
* Tue Feb 24 2004 - postadal@suse.cz
- fixed the problem with save_argv in sshd.c re-appeared again in version 3.7.1p2
(it caused bad behaviour after receiving SIGHUP - used by reload of init script)
[#34845]
* Wed Feb 18 2004 - kukuk@suse.de
- Real strict-aliasing patch
* Wed Feb 18 2004 - postadal@suse.cz
- fixed strict-aliasing patch [#34551]
* Sat Feb 14 2004 - adrian@suse.de
- provide SLP registration file /etc/slp.reg.d/ssh.reg
* Tue Feb 03 2004 - postadal@suse.cz
- used patch from pam-end-fix.diff [#33132]
- fixed installation of openssh without documentation [#33937]
- fixed auth-pam.c which breaks strict aliasing
* Mon Jan 19 2004 - meissner@suse.de
- Added a ; to ssh-key-converter.c to fix gcc 3.4 build.
* Fri Jan 16 2004 - kukuk@suse.de
- Add pam-devel to neededforbuild
* Thu Nov 06 2003 - postadal@suse.cz
- added /usr/bin/slogin explicitly to %%file list [#32921]
* Sun Nov 02 2003 - adrian@suse.de
- add %%run_permissions to fix build
* Tue Oct 14 2003 - postadal@suse.cz
- reverted value UsePAM to "yes" and set PasswordAuthentication to "no"
in file /etc/ssh/sshd_config (the version 3.7.1p2 disabled PAM support
by default) [#31749]
* Tue Sep 23 2003 - draht@suse.de
- New version 3.7.1p2; signature from 86FF9C48 Damien Miller
verified for source tarball. Bugs fixed with this version:
[#31637] (CAN-2003-0786, CAN-2003-0786). Briefly:
1) SSH1 PAM challenge response auth ignored the result of the
authentication (with privsep off)
2) The PAM conversation function trashed the stack, by referring
to the **resp parameter as an array of pointers rather than
as a pointer to an array of struct pam_responses.
At least security bug 1) is exploitable.
* Fri Sep 19 2003 - postadal@suse.cz
- use pthreads instead of process forking (it is needed by pam modules)
- fixed bug in calling pam_setcred [#31025]
(pam-fix.diff - string "FILE:" added to begin of KRB5CCNAME)
- updated README.SuSE
- reverted ChallengeResponseAuthentication option to default value yes
(necessary for pam authentication) [#31432]
* Thu Sep 18 2003 - postadal@suse.cz
- updated to version 3.7.1p1 (with security patches)
- removed obsoleted patches: chauthtok.patch, krb-include-fix.diff,
gssapi-fix.diff, saveargv-fix.diff, gssapi-20030430.diff, racecondition-fix
- updated README.kerberos
* Tue Sep 16 2003 - postadal@suse.cz
- fixed race condition in allocating memory [#31025] (CAN-2003-0693)
* Mon Sep 15 2003 - postadal@suse.cz
- disabled privilege separation, which caused some problems [#30328]
(updated README.SuSE)
* Thu Sep 04 2003 - postadal@suse.cz
- fixed bug in x11-ssh-askpass dialog [#25846] (askpass-fix.diff is workaround for gcc bug)
* Fri Aug 29 2003 - kukuk@suse.de
- Call useradd -r for system account [Bug #29611]
* Mon Aug 25 2003 - postadal@suse.cz
- use new stop_on_removal/restart_on_update macros
- fixed lib64 problem in /etc/ssh/sshd_config [#28766]
* Tue Aug 19 2003 - mmj@suse.de
- Add sysconfig metadata [#28943]
* Fri Aug 01 2003 - ro@suse.de
- add e2fsprogs-devel to neededforbuild
* Thu Jul 24 2003 - postadal@suse.cz
- updated to version 3.6.1p2
- added the new version of patch for GSSAPI (gssapi-20030430.diff),
the older one was removed (gssapi.patch)
- added README.kerberos to filelist
* Tue Jun 03 2003 - mmj@suse.de
- Remove files we don't package
* Wed Apr 02 2003 - postadal@suse.cz
- fixed bad behaviour after receiving SIGHUP (this bug caused not working reload of init script)
* Tue Mar 18 2003 - postadal@suse.cz
- added $remote_fs to init.d script (needed if /usr is on remote fs [#25577])
* Thu Mar 13 2003 - postadal@suse.cz
- fixed segfault while using GSSAPI for authentication when connecting to localhost (took care about error value of ssh_gssapi_import_name() in function ssh_gssapi_client_ctx())
* Mon Mar 10 2003 - kukuk@suse.de
- Remove extra "/" from pid file path.
* Mon Mar 03 2003 - postadal@suse.cz
- modified init.d script (now checking sshd.init.pid instead of port 22) [#24263]
* Mon Mar 03 2003 - okir@suse.de
- added comment to /etc/pam.d/ssh on how to enable
support for resmgr (#24363).
* Fri Feb 21 2003 - postadal@suse.cz
- added ssh-copy-id shell script [#23745]
* Fri Feb 14 2003 - postadal@suse.cz
- given back gssapi and dns-lookups patches
* Wed Jan 22 2003 - postadal@suse.cz
- updated to version 3.5p1
- removed obsolete patches: owl-mm, forced-commands-only, krb
- added patch krb5 (for heimdal)
- temporarily removed gssapi patch and dns-lookups (needs rewriting)
- fix sysconfig metadata
* Thu Dec 05 2002 - okir@suse.de
- avoid Kerberos DNS lookups in the default config (#20395)
- added README.kerberos
* Thu Sep 19 2002 - postadal@suse.cz
- added info about changes in the new version of openssh
to README.SuSE [#19757]
* Mon Sep 02 2002 - okir@suse.de
- privsep directory now /var/lib/empty, which is provided by
filesystem package (#17556)
* Wed Aug 28 2002 - nashif@suse.de
- Added insserv & co to PreReq
* Mon Aug 26 2002 - okir@suse.de
- applied patch that adds GSSAPI support in protocol version 2 (#18239)
* Thu Aug 22 2002 - postadal@suse.cz
- added the patch to fix malfunction of PermitRootLogin set to
forced-commands-only [#17149]
* Fri Aug 09 2002 - okir@suse.de
- syslog now reports kerberos auth method when logging in via
kerberos (#17469)
* Tue Jul 23 2002 - okir@suse.de
- enabled kerberos support
- added patch to support kerberos 5 authentication in privsep mode.
- added missing section 5 manpages
- added missing ssh-keysign to files list (new for privsep)
* Mon Jul 22 2002 - okir@suse.de
- fixed handling of expired passwords in privsep mode
* Tue Jul 09 2002 - mmj@suse.de
- Don't source rc.config
* Wed Jul 03 2002 - draht@suse.de
- ssh-keygen must be told to explicitly create type rsa1 keys
in the start script.
* Tue Jul 02 2002 - ro@suse.de
- useradd/groupadd in preinstall to standardize
* Sat Jun 29 2002 - ro@suse.de
- updated patch from solar: zero out bytes for no longer used pages
in mmap-fallback solution
* Thu Jun 27 2002 - ro@suse.de
- updated owl-fallback.diff from solar
* Thu Jun 27 2002 - ro@suse.de
- update to 3.4p1
o privilege separation support
o overflow fix from ISS
- unsplit openssh-server and openssh-client
* Tue Jun 18 2002 - mmj@suse.de
- Update to 3.2.3p1 which fixed following compared to 3.2.2p1
o a defect in the BSD_AUTH access control handling for
o login/tty problems on Solaris (bug #245)
o build problems on Cygwin systems
- Split the package to openssh, openssh-server, openssh-client and
openssh-askpass
* Sun May 19 2002 - mmj@suse.de
- Updated to 3.2.2p which includes security and several bugfixes.
* Fri Mar 15 2002 - ro@suse.de
- added "Obsoletes: ssh"
* Tue Mar 05 2002 - draht@suse.de
- security fix for bug in channels.c (channelbug.dif)
* Fri Mar 01 2002 - bk@suse.de
- fix ssh-agent example to use eval `ssh-agent -s` and a typo.
- add sentence on use of ssh-agent with startx
* Tue Feb 26 2002 - bk@suse.de
- update README.SuSE to improve documentation on protocol version
* Wed Feb 13 2002 - cihlar@suse.cz
- rewritten addrlist patch - "0.0.0.0" is removed from list
after "::" is successful [#8951]
* Mon Feb 11 2002 - cihlar@suse.cz
- added info about the change of the default protocol version
to README.SuSE
* Thu Feb 07 2002 - cihlar@suse.cz
- removed addrlist patch which fixed bug [#8951] as it breaks
functionality on machines with kernel without IPv6 support,
bug reopened, new solution will be found
- switched to default protocol version 2
- added ssh-keyconvert (thanks Olaf Kirch <okir@suse.de>)
- removed static linking against libcrypto, as crypt() was removed
from it [#5333]
* Tue Jan 22 2002 - kukuk@suse.de
- Add pam_nologin to account management (else it will not be
called if user does not do password authentication)
* Tue Jan 15 2002 - egmont@suselinux.hu
- removed colon from shutdown message
* Thu Jan 10 2002 - cihlar@suse.cz
- use %%{_lib}
* Thu Dec 13 2001 - ro@suse.de
- moved rc.config.d -> sysconfig
* Mon Dec 10 2001 - cihlar@suse.cz
- removed START_SSHD
* Fri Dec 07 2001 - cihlar@suse.cz
- update to version 3.0.2p1:
  * CheckMail option in sshd_config is deprecated
  * X11 cookies are now stored in $HOME
  * fixed a vulnerability in the UseLogin option
  * /etc/ssh_known_hosts2 and ~/.ssh/known_hosts2 are obsolete,
    /etc/ssh_known_hosts and ~/.ssh/known_hosts can be used
  * several minor fixes
- update x11-ssh-askpass to version 1.2.4.1:
  * fixed Imakefile.in
- fixed bug in addresses "::" and "0.0.0.0" [#8951]
* Fri Oct 05 2001 - cihlar@suse.cz
- update to version 2.9.9p2
- removed obsolete clientloop and command patches
- uncommented "HostKey /etc/ssh/ssh_host_rsa_key" in sshd_config
- added German translation of e-mail to sysadmin
- init script fixed to work when more listening sshd runs
- added /bin/netstat to requires
* Mon Sep 24 2001 - cihlar@suse.cz
- fixed security problem with sftp & bypassing
keypair auth restrictions - patch based on CVS
- fixed status part of init script - it returned
running even if there were only sshd of connections
and no listening sshd [#11220]
- fixed stop part of init script - when there was no
/var/run/sshd.pid, all sshd were killed
* Thu Sep 06 2001 - nadvornik@suse.cz
- added patch for correct buffer flushing from CVS [bug #6450]
* Fri Jul 27 2001 - cihlar@suse.cz
- update x11-ssh-askpass to version 1.2.2
* Thu Jul 26 2001 - cihlar@suse.cz
- update to version 2.9p2
- removed obsolete "cookies" patch
* Mon Jun 11 2001 - cihlar@suse.cz
- fixed to compile with new xmkmf
* Thu Jun 07 2001 - cihlar@suse.cz
- fixed security bug when any file "cookies" could
be removed by anybody
* Tue Jun 05 2001 - bjacke@suse.de
- generate rsa host key in init script
* Tue Jun 05 2001 - cihlar@suse.cz
- removed complete path from PAM modules
* Thu May 03 2001 - cihlar@suse.cz
- update to version 2.9p1
- removed obsolete --with-openssl
- removed obsolete man patch
* Mon Apr 30 2001 - cihlar@suse.cz
- enable PAM support
* Fri Apr 13 2001 - ro@suse.de
- fixed specfile for extra README.SuSE
* Fri Apr 13 2001 - cihlar@suse.cz
- fixed init script by new skeleton
* Thu Mar 22 2001 - cihlar@suse.cz
- update to version 2.5.2p2
* Wed Mar 14 2001 - cihlar@suse.cz
- fixed ssh man page
* Mon Mar 12 2001 - cihlar@suse.cz
- update to version 2.5.1p2
- added xf86 to neededforbuild
* Fri Mar 09 2001 - schwab@suse.de
- Fix missing crypt declaration.
* Fri Feb 23 2001 - cihlar@suse.cz
- update to version 2.5.1p1
- update x11-ssh-askpass to version 1.2.0
* Tue Feb 20 2001 - cihlar@suse.cz
- modified README.SuSE [#4365]
- fixed start script to agree with skeleton
- fixed start script so "stop" kills only sshd
listening for connections
- compiled with --with-openssl
- "ListenAddress 0.0.0.0" in sshd_config commented out -
listen on both ipv4 and ipv6
- fixed var/adm/notify/messages/openssh_update [#6406]
* Thu Jan 25 2001 - smid@suse.cz
- startup script fixed [#5559]
* Tue Jan 16 2001 - nadvornik@suse.cz
- libcrypto linked static [#5333]
* Thu Jan 11 2001 - cihlar@suse.cz
- uncomment sftp-server part in sshd_config
- added /usr/X11R6/lib/X11/app-defaults/SshAskpass to %%files
* Thu Jan 11 2001 - cihlar@suse.cz
- fixed %%files [#5230]
- fixed installation of x11-ssh-askpass to BuildRoot
- added man pages of x11-ssh-askpass
* Wed Jan 10 2001 - smid@suse.cz
- notice about how to enable ipv6 added to mail
- for administrator [#5297]
* Wed Dec 13 2000 - smid@suse.cz
- default ipv6 listening disabled (problems with libc2.2) [#4588]
* Tue Dec 05 2000 - smid@suse.cz
- notify message changed
* Mon Dec 04 2000 - lmuelle@suse.de
- fixed provides/ conflicts to ssh
* Thu Nov 30 2000 - smid@suse.cz
- path to ssh-askpass fixed
- stop in %%preun removed
- new init style
* Sun Nov 26 2000 - schwab@suse.de
- Restore rcsshd link.
* Sun Nov 26 2000 - kukuk@suse.de
- Add openssl-devel to neededforbuild
* Mon Nov 20 2000 - smid@suse.cz
- New version 2.3.0
* Wed Sep 06 2000 - smid@suse.cz
- remove --with-ipv4-default option
* Wed Jul 05 2000 - garloff@suse.de
- ... and tell the sysadmin and user more about what they can do
about it (schwab).
* Wed Jul 05 2000 - garloff@suse.de
- Inform the user (admin) about the fact that the default behaviour
with respect to X11-forwarding has been changed to be disabled.
* Wed Jun 28 2000 - smid@suse.cz
- warning that generating DSA key can take a long time.
(bugzilla 3015)
- writing to wtmp and lastlog fixed (bugzilla 3024)
- reading config file (parameter Protocol) fixed
* Fri Jun 16 2000 - garloff@suse.de
- Added generation of ssh_host_dsa_key
* Tue Jun 13 2000 - nadvornik@suse.cz
- update to 2.1.1p1
* Thu Jun 08 2000 - cihlar@suse.cz
- uncommented %%clean
* Fri May 05 2000 - smid@suse.cz
- buildroot added
- upgrade to 1.2.3
* Tue Mar 21 2000 - kukuk@suse.de
- Update to 1.2.2p1
* Mon Mar 06 2000 - kukuk@suse.de
- Fix the diff.
* Sun Mar 05 2000 - kukuk@suse.de
- Add a README.SuSE with a short description how to use ssh-add
* Tue Feb 29 2000 - schwab@suse.de
- Update config.{guess,sub}.
* Fri Feb 25 2000 - kukuk@suse.de
- Fix need for build, add group tag.
* Wed Feb 02 2000 - kukuk@suse.de
- Change new defaults back to old one
* Sun Jan 30 2000 - kukuk@suse.de
- Add x11-ssh-askpass to filelist
* Fri Jan 28 2000 - kukuk@suse.de
- Update to OpenSSH 1.2.2
- Add x11-ssh-askpass-1.0
* Tue Jan 25 2000 - kukuk@suse.de
- Add reload and status to /sbin/init.d/sshd [Bug 1747]
* Thu Jan 20 2000 - kukuk@suse.de
- Update to 1.2.1pre27 with IPv6 support
* Fri Dec 31 1999 - kukuk@suse.de
- Initial version