forked from pool/openssh
This commit is contained in:
parent
0ee0f71602
commit
011c00b91f
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:fafd3e0fe129d372340f17906bcdee4150823c2435fe8e85208b23df27ee3d4b
|
||||
size 810512
|
@ -1,7 +1,7 @@
|
||||
# add support for Linux audit (FATE #120269)
|
||||
================================================================================
|
||||
--- openssh-4.7p1/Makefile.in
|
||||
+++ openssh-4.7p1/Makefile.in
|
||||
--- openssh-5.1p1/Makefile.in
|
||||
+++ openssh-5.1p1/Makefile.in
|
||||
@@ -44,6 +44,7 @@
|
||||
CFLAGS=@CFLAGS@
|
||||
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
|
||||
@ -10,7 +10,7 @@
|
||||
SSHDLIBS=@SSHDLIBS@
|
||||
LIBEDIT=@LIBEDIT@
|
||||
AR=@AR@
|
||||
@@ -136,7 +137,7 @@
|
||||
@@ -137,7 +138,7 @@
|
||||
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
@ -19,9 +19,9 @@
|
||||
|
||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
|
||||
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
--- openssh-4.7p1/auth.c
|
||||
+++ openssh-4.7p1/auth.c
|
||||
@@ -286,6 +286,12 @@
|
||||
--- openssh-5.1p1/auth.c
|
||||
+++ openssh-5.1p1/auth.c
|
||||
@@ -287,6 +287,12 @@
|
||||
get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
|
||||
# endif
|
||||
#endif
|
||||
@ -34,7 +34,7 @@
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
if (authenticated == 0 && !authctxt->postponed)
|
||||
audit_event(audit_classify_auth(method));
|
||||
@@ -492,6 +498,10 @@
|
||||
@@ -533,6 +539,10 @@
|
||||
record_failed_login(user,
|
||||
get_canonical_hostname(options.use_dns), "ssh");
|
||||
#endif
|
||||
@ -45,9 +45,9 @@
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
audit_event(SSH_INVALID_USER);
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
--- openssh-4.7p1/config.h.in
|
||||
+++ openssh-4.7p1/config.h.in
|
||||
@@ -1334,6 +1334,9 @@
|
||||
--- openssh-5.1p1/config.h.in
|
||||
+++ openssh-5.1p1/config.h.in
|
||||
@@ -1388,6 +1388,9 @@
|
||||
/* Define if you want SELinux support. */
|
||||
#undef WITH_SELINUX
|
||||
|
||||
@ -57,9 +57,9 @@
|
||||
/* Define to 1 if your processor stores words with the most significant byte
|
||||
first (like Motorola and SPARC, unlike Intel and VAX). */
|
||||
#undef WORDS_BIGENDIAN
|
||||
--- openssh-4.7p1/configure.ac
|
||||
+++ openssh-4.7p1/configure.ac
|
||||
@@ -3216,6 +3216,20 @@
|
||||
--- openssh-5.1p1/configure.ac
|
||||
+++ openssh-5.1p1/configure.ac
|
||||
@@ -3314,6 +3314,20 @@
|
||||
fi ]
|
||||
)
|
||||
|
||||
@ -80,7 +80,7 @@
|
||||
# Check whether user wants Kerberos 5 support
|
||||
KRB5_MSG="no"
|
||||
AC_ARG_WITH(kerberos5,
|
||||
@@ -4036,6 +4050,7 @@
|
||||
@@ -4134,6 +4148,7 @@
|
||||
echo " OSF SIA support: $SIA_MSG"
|
||||
echo " KerberosV support: $KRB5_MSG"
|
||||
echo " SELinux support: $SELINUX_MSG"
|
||||
@ -88,8 +88,8 @@
|
||||
echo " Smartcard support: $SCARD_MSG"
|
||||
echo " S/KEY support: $SKEY_MSG"
|
||||
echo " TCP Wrappers support: $TCPW_MSG"
|
||||
--- openssh-4.7p1/loginrec.c
|
||||
+++ openssh-4.7p1/loginrec.c
|
||||
--- openssh-5.1p1/loginrec.c
|
||||
+++ openssh-5.1p1/loginrec.c
|
||||
@@ -176,6 +176,10 @@
|
||||
#include "auth.h"
|
||||
#include "buffer.h"
|
||||
@ -174,8 +174,8 @@
|
||||
/**
|
||||
** Low-level libutil login() functions
|
||||
**/
|
||||
--- openssh-4.7p1/loginrec.h
|
||||
+++ openssh-4.7p1/loginrec.h
|
||||
--- openssh-5.1p1/loginrec.h
|
||||
+++ openssh-5.1p1/loginrec.h
|
||||
@@ -127,5 +127,9 @@
|
||||
char *line_abbrevname(char *dst, const char *src, int dstsize);
|
||||
|
@ -8,7 +8,7 @@
|
||||
|
||||
static LogLevel log_level = SYSLOG_LEVEL_INFO;
|
||||
static int log_on_stderr = 1;
|
||||
@@ -314,6 +315,7 @@
|
||||
@@ -336,6 +337,7 @@
|
||||
char fmtbuf[MSGBUFSIZ];
|
||||
char *txt = NULL;
|
||||
int pri = LOG_INFO;
|
||||
@ -16,7 +16,7 @@
|
||||
int saved_errno = errno;
|
||||
|
||||
if (level > log_level)
|
||||
@@ -365,6 +367,14 @@
|
||||
@@ -387,6 +389,14 @@
|
||||
snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf);
|
||||
write(STDERR_FILENO, msgbuf, strlen(msgbuf));
|
||||
} else {
|
||||
@ -31,7 +31,7 @@
|
||||
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
||||
openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
|
||||
syslog_r(pri, &sdata, "%.500s", fmtbuf);
|
||||
@@ -374,6 +384,7 @@
|
||||
@@ -396,6 +406,7 @@
|
||||
syslog(pri, "%.500s", fmtbuf);
|
||||
closelog();
|
||||
#endif
|
@ -1,6 +1,6 @@
|
||||
--- openssh-4.6p1/sshd.8
|
||||
+++ openssh-4.6p1/sshd.8
|
||||
@@ -739,7 +739,7 @@
|
||||
--- openssh-5.1p1/sshd.8
|
||||
+++ openssh-5.1p1/sshd.8
|
||||
@@ -785,7 +785,7 @@
|
||||
The file format is described in
|
||||
.Xr moduli 5 .
|
||||
.Pp
|
||||
@ -9,7 +9,7 @@
|
||||
See
|
||||
.Xr motd 5 .
|
||||
.Pp
|
||||
@@ -752,7 +752,7 @@
|
||||
@@ -798,7 +798,7 @@
|
||||
refused.
|
||||
The file should be world-readable.
|
||||
.Pp
|
||||
@ -18,8 +18,8 @@
|
||||
This file is used in exactly the same way as
|
||||
.Pa hosts.equiv ,
|
||||
but allows host-based authentication without permitting login with
|
||||
@@ -828,8 +828,7 @@
|
||||
.Xr ssh-keygen 1 ,
|
||||
@@ -875,8 +875,7 @@
|
||||
.Xr ssh-keyscan 1 ,
|
||||
.Xr chroot 2 ,
|
||||
.Xr hosts_access 5 ,
|
||||
-.Xr login.conf 5 ,
|
||||
@ -28,9 +28,9 @@
|
||||
.Xr sshd_config 5 ,
|
||||
.Xr inetd 8 ,
|
||||
.Xr sftp-server 8
|
||||
--- openssh-4.6p1/sshd_config.5
|
||||
+++ openssh-4.6p1/sshd_config.5
|
||||
@@ -167,9 +167,6 @@
|
||||
--- openssh-5.1p1/sshd_config.5
|
||||
+++ openssh-5.1p1/sshd_config.5
|
||||
@@ -177,9 +177,6 @@
|
||||
By default, no banner is displayed.
|
||||
.It Cm ChallengeResponseAuthentication
|
||||
Specifies whether challenge-response authentication is allowed.
|
||||
@ -39,8 +39,8 @@
|
||||
-are supported.
|
||||
The default is
|
||||
.Dq yes .
|
||||
.It Cm Ciphers
|
||||
@@ -382,7 +379,7 @@
|
||||
.It Cm ChrootDirectory
|
||||
@@ -438,7 +435,7 @@
|
||||
.Pp
|
||||
.Pa /etc/hosts.equiv
|
||||
and
|
@ -1,5 +1,5 @@
|
||||
--- openssh-4.9p1/ssh-add.c
|
||||
+++ openssh-4.9p1/ssh-add.c
|
||||
--- openssh-5.1p1/ssh-add.c
|
||||
+++ openssh-5.1p1/ssh-add.c
|
||||
@@ -43,6 +43,7 @@
|
||||
|
||||
#include <openssl/evp.h>
|
||||
@ -19,8 +19,8 @@
|
||||
/* At first, get a connection to the authentication agent. */
|
||||
ac = ssh_get_authentication_connection();
|
||||
if (ac == NULL) {
|
||||
--- openssh-4.9p1/ssh-agent.c
|
||||
+++ openssh-4.9p1/ssh-agent.c
|
||||
--- openssh-5.1p1/ssh-agent.c
|
||||
+++ openssh-5.1p1/ssh-agent.c
|
||||
@@ -52,6 +52,7 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/md5.h>
|
||||
@ -29,7 +29,7 @@
|
||||
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
@@ -1063,6 +1064,10 @@
|
||||
@@ -1076,6 +1077,10 @@
|
||||
|
||||
SSLeay_add_all_algorithms();
|
||||
|
||||
@ -40,8 +40,8 @@
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
init_rng();
|
||||
seed_rng();
|
||||
--- openssh-4.9p1/ssh-keygen.c
|
||||
+++ openssh-4.9p1/ssh-keygen.c
|
||||
--- openssh-5.1p1/ssh-keygen.c
|
||||
+++ openssh-5.1p1/ssh-keygen.c
|
||||
@@ -22,6 +22,7 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/pem.h>
|
||||
@ -50,7 +50,7 @@
|
||||
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
@@ -1072,6 +1073,11 @@
|
||||
@@ -1099,6 +1100,11 @@
|
||||
__progname = ssh_get_progname(argv[0]);
|
||||
|
||||
SSLeay_add_all_algorithms();
|
||||
@ -62,8 +62,8 @@
|
||||
log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
|
||||
|
||||
init_rng();
|
||||
--- openssh-4.9p1/ssh-keysign.c
|
||||
+++ openssh-4.9p1/ssh-keysign.c
|
||||
--- openssh-5.1p1/ssh-keysign.c
|
||||
+++ openssh-5.1p1/ssh-keysign.c
|
||||
@@ -38,6 +38,7 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/rand.h>
|
||||
@ -84,17 +84,17 @@
|
||||
for (i = 0; i < 256; i++)
|
||||
rnd[i] = arc4random();
|
||||
RAND_seed(rnd, sizeof(rnd));
|
||||
--- openssh-4.9p1/ssh.c
|
||||
+++ openssh-4.9p1/ssh.c
|
||||
--- openssh-5.1p1/ssh.c
|
||||
+++ openssh-5.1p1/ssh.c
|
||||
@@ -73,6 +73,7 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
+#include <openssl/engine.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "ssh.h"
|
||||
@@ -561,6 +562,10 @@
|
||||
@@ -562,6 +563,10 @@
|
||||
SSLeay_add_all_algorithms();
|
||||
ERR_load_crypto_strings();
|
||||
|
||||
@ -105,9 +105,9 @@
|
||||
/* Initialize the command to execute on remote host. */
|
||||
buffer_init(&command);
|
||||
|
||||
--- openssh-4.9p1/sshd.c
|
||||
+++ openssh-4.9p1/sshd.c
|
||||
@@ -76,6 +76,7 @@
|
||||
--- openssh-5.1p1/sshd.c
|
||||
+++ openssh-5.1p1/sshd.c
|
||||
@@ -77,6 +77,7 @@
|
||||
#include <openssl/md5.h>
|
||||
#include <openssl/rand.h>
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
@ -115,7 +115,7 @@
|
||||
|
||||
#ifdef HAVE_SECUREWARE
|
||||
#include <sys/security.h>
|
||||
@@ -1465,6 +1466,10 @@
|
||||
@@ -1416,6 +1417,10 @@
|
||||
|
||||
SSLeay_add_all_algorithms();
|
||||
|
@ -46,7 +46,7 @@ Index: auth2-gss.c
|
||||
#endif /* GSSAPI */
|
||||
--- auth2.c
|
||||
+++ auth2.c
|
||||
@@ -65,6 +65,7 @@
|
||||
@@ -70,6 +70,7 @@
|
||||
extern Authmethod method_hostbased;
|
||||
#ifdef GSSAPI
|
||||
extern Authmethod method_gssapi;
|
||||
@ -54,7 +54,7 @@ Index: auth2-gss.c
|
||||
#endif
|
||||
|
||||
Authmethod *authmethods[] = {
|
||||
@@ -72,6 +73,7 @@
|
||||
@@ -77,6 +78,7 @@
|
||||
&method_pubkey,
|
||||
#ifdef GSSAPI
|
||||
&method_gssapi,
|
||||
@ -73,7 +73,7 @@ Index: auth2-gss.c
|
||||
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
||||
oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
|
||||
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
|
||||
@@ -164,9 +164,11 @@
|
||||
@@ -165,9 +165,11 @@
|
||||
#if defined(GSSAPI)
|
||||
{ "gssapiauthentication", oGssAuthentication },
|
||||
{ "gssapidelegatecredentials", oGssDelegateCreds },
|
||||
@ -85,7 +85,7 @@ Index: auth2-gss.c
|
||||
#endif
|
||||
{ "fallbacktorsh", oDeprecated },
|
||||
{ "usersh", oDeprecated },
|
||||
@@ -445,6 +447,10 @@
|
||||
@@ -447,6 +449,10 @@
|
||||
case oGssDelegateCreds:
|
||||
intptr = &options->gss_deleg_creds;
|
||||
goto parse_flag;
|
||||
@ -96,7 +96,7 @@ Index: auth2-gss.c
|
||||
|
||||
case oBatchMode:
|
||||
intptr = &options->batch_mode;
|
||||
@@ -1011,6 +1017,7 @@
|
||||
@@ -1017,6 +1023,7 @@
|
||||
options->challenge_response_authentication = -1;
|
||||
options->gss_authentication = -1;
|
||||
options->gss_deleg_creds = -1;
|
||||
@ -104,7 +104,7 @@ Index: auth2-gss.c
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->kbd_interactive_devices = NULL;
|
||||
@@ -1101,6 +1108,8 @@
|
||||
@@ -1108,6 +1115,8 @@
|
||||
options->gss_authentication = 0;
|
||||
if (options->gss_deleg_creds == -1)
|
||||
options->gss_deleg_creds = 0;
|
||||
@ -125,7 +125,7 @@ Index: auth2-gss.c
|
||||
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
||||
--- servconf.c
|
||||
+++ servconf.c
|
||||
@@ -91,6 +91,7 @@
|
||||
@@ -93,6 +93,7 @@
|
||||
options->kerberos_get_afs_token = -1;
|
||||
options->gss_authentication=-1;
|
||||
options->gss_cleanup_creds = -1;
|
||||
@ -133,7 +133,7 @@ Index: auth2-gss.c
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->challenge_response_authentication = -1;
|
||||
@@ -207,6 +208,8 @@
|
||||
@@ -211,6 +212,8 @@
|
||||
options->gss_authentication = 0;
|
||||
if (options->gss_cleanup_creds == -1)
|
||||
options->gss_cleanup_creds = 1;
|
||||
@ -142,16 +142,16 @@ Index: auth2-gss.c
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
@@ -291,7 +294,7 @@
|
||||
@@ -299,7 +302,7 @@
|
||||
sBanner, sUseDNS, sHostbasedAuthentication,
|
||||
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
||||
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
|
||||
- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
|
||||
+ sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssEnableMITM,
|
||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||
sUsePrivilegeSeparation,
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
sDeprecated, sUnsupported
|
||||
@@ -352,9 +355,11 @@
|
||||
@@ -360,9 +363,11 @@
|
||||
#ifdef GSSAPI
|
||||
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
||||
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
||||
@ -163,7 +163,7 @@ Index: auth2-gss.c
|
||||
#endif
|
||||
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
||||
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
||||
@@ -878,6 +883,10 @@
|
||||
@@ -885,6 +890,10 @@
|
||||
case sGssCleanupCreds:
|
||||
intptr = &options->gss_cleanup_creds;
|
||||
goto parse_flag;
|
||||
@ -176,7 +176,7 @@ Index: auth2-gss.c
|
||||
intptr = &options->password_authentication;
|
||||
--- servconf.h
|
||||
+++ servconf.h
|
||||
@@ -91,6 +91,7 @@
|
||||
@@ -92,6 +92,7 @@
|
||||
* authenticated with Kerberos. */
|
||||
int gss_authentication; /* If true, permit GSSAPI authentication */
|
||||
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
||||
@ -202,7 +202,7 @@ Index: auth2-gss.c
|
||||
+>>>>>>>
|
||||
--- sshconnect2.c
|
||||
+++ sshconnect2.c
|
||||
@@ -243,6 +243,10 @@
|
||||
@@ -246,6 +246,10 @@
|
||||
userauth_gssapi,
|
||||
&options.gss_authentication,
|
||||
NULL},
|
||||
@ -213,7 +213,7 @@ Index: auth2-gss.c
|
||||
#endif
|
||||
{"hostbased",
|
||||
userauth_hostbased,
|
||||
@@ -577,7 +581,9 @@
|
||||
@@ -587,7 +591,9 @@
|
||||
|
||||
if (status == GSS_S_COMPLETE) {
|
||||
/* send either complete or MIC, depending on mechanism */
|
||||
@ -226,7 +226,7 @@ Index: auth2-gss.c
|
||||
} else {
|
||||
--- sshd_config
|
||||
+++ sshd_config
|
||||
@@ -73,6 +73,13 @@
|
||||
@@ -74,6 +74,13 @@
|
||||
#GSSAPIAuthentication no
|
||||
#GSSAPICleanupCredentials yes
|
||||
|
@ -1,6 +1,6 @@
|
||||
--- sshd_config
|
||||
+++ sshd_config
|
||||
@@ -53,7 +53,7 @@
|
||||
@@ -58,7 +58,7 @@
|
||||
#IgnoreRhosts yes
|
||||
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
@ -9,12 +9,12 @@
|
||||
#PermitEmptyPasswords no
|
||||
|
||||
# Change to no to disable s/key passwords
|
||||
@@ -78,7 +78,7 @@
|
||||
@@ -83,7 +83,7 @@
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
-#UsePAM no
|
||||
+UsePAM yes
|
||||
|
||||
#AllowAgentForwarding yes
|
||||
#AllowTcpForwarding yes
|
||||
#GatewayPorts no
|
@ -1,6 +1,6 @@
|
||||
--- auth-pam.c
|
||||
+++ auth-pam.c
|
||||
@@ -785,7 +785,9 @@
|
||||
@@ -786,7 +786,9 @@
|
||||
fatal("Internal error: PAM auth "
|
||||
"succeeded when it should have "
|
||||
"failed");
|
@ -1,6 +1,6 @@
|
||||
--- loginrec.c
|
||||
+++ loginrec.c 2008-04-18 17:58:59.585065028 +0200
|
||||
@@ -549,7 +549,7 @@ getlast_entry(struct logininfo *li)
|
||||
+++ loginrec.c
|
||||
@@ -549,7 +549,7 @@
|
||||
* 1. The full filename (including '/dev')
|
||||
* 2. The stripped name (excluding '/dev')
|
||||
* 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00
|
||||
@ -9,7 +9,7 @@
|
||||
*
|
||||
* Form 3 is used on some systems to identify a .tmp.? entry when
|
||||
* attempting to remove it. Typically both addition and removal is
|
||||
@@ -610,6 +610,10 @@ line_abbrevname(char *dst, const char *s
|
||||
@@ -610,6 +610,10 @@
|
||||
if (strncmp(src, "tty", 3) == 0)
|
||||
src += 3;
|
||||
#endif
|
@ -1,6 +1,6 @@
|
||||
--- sshd.c
|
||||
+++ sshd.c
|
||||
@@ -358,6 +358,7 @@
|
||||
@@ -305,6 +305,7 @@
|
||||
static void
|
||||
sighup_restart(void)
|
||||
{
|
||||
@ -8,7 +8,7 @@
|
||||
logit("Received SIGHUP; restarting.");
|
||||
close_listen_socks();
|
||||
close_startup_pipes();
|
||||
@@ -1318,7 +1319,11 @@
|
||||
@@ -1270,7 +1271,11 @@
|
||||
#ifndef HAVE_SETPROCTITLE
|
||||
/* Prepare for later setproctitle emulation */
|
||||
compat_init_setproctitle(ac, av);
|
@ -1,6 +1,6 @@
|
||||
--- ssh_config
|
||||
+++ ssh_config
|
||||
@@ -62,4 +62,7 @@
|
||||
@@ -63,4 +63,7 @@
|
||||
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
|
||||
# GSSAPIEnableMITMAttack no
|
||||
|
||||
@ -11,7 +11,7 @@
|
||||
+SendEnv LC_IDENTIFICATION LC_ALL
|
||||
--- sshd_config
|
||||
+++ sshd_config
|
||||
@@ -112,6 +112,11 @@
|
||||
@@ -119,6 +119,11 @@
|
||||
# override default of no subsystems
|
||||
Subsystem sftp /usr/libexec/sftp-server
|
||||
|
@ -1,6 +1,6 @@
|
||||
--- ssh-agent.c
|
||||
+++ ssh-agent.c
|
||||
@@ -1126,8 +1126,18 @@
|
||||
@@ -1159,8 +1159,18 @@
|
||||
parent_pid = getpid();
|
||||
|
||||
if (agentsocket == NULL) {
|
@ -1,6 +1,6 @@
|
||||
--- session.c
|
||||
+++ session.c
|
||||
@@ -2250,8 +2250,41 @@
|
||||
@@ -2487,8 +2487,41 @@
|
||||
session_close(Session *s)
|
||||
{
|
||||
u_int i;
|
@ -1,6 +1,6 @@
|
||||
--- session.c
|
||||
+++ session.c
|
||||
@@ -997,7 +997,7 @@
|
||||
@@ -1104,7 +1104,7 @@
|
||||
}
|
||||
|
||||
static char **
|
||||
@ -9,7 +9,7 @@
|
||||
{
|
||||
char buf[256];
|
||||
u_int i, envsize;
|
||||
@@ -1184,6 +1184,8 @@
|
||||
@@ -1291,6 +1291,8 @@
|
||||
for (i = 0; env[i]; i++)
|
||||
fprintf(stderr, " %.200s\n", env[i]);
|
||||
}
|
||||
@ -18,7 +18,7 @@
|
||||
return env;
|
||||
}
|
||||
|
||||
@@ -1192,7 +1194,7 @@
|
||||
@@ -1299,7 +1301,7 @@
|
||||
* first in this order).
|
||||
*/
|
||||
static void
|
||||
@ -27,7 +27,7 @@
|
||||
{
|
||||
FILE *f = NULL;
|
||||
char cmd[1024];
|
||||
@@ -1246,12 +1248,20 @@
|
||||
@@ -1353,12 +1355,20 @@
|
||||
options.xauth_location);
|
||||
f = popen(cmd, "w");
|
||||
if (f) {
|
||||
@ -48,7 +48,7 @@
|
||||
} else {
|
||||
fprintf(stderr, "Could not run %s\n",
|
||||
cmd);
|
||||
@@ -1537,6 +1547,7 @@
|
||||
@@ -1644,6 +1654,7 @@
|
||||
{
|
||||
extern char **environ;
|
||||
char **env;
|
||||
@ -56,7 +56,7 @@
|
||||
char *argv[ARGV_MAX];
|
||||
const char *shell, *shell0, *hostname = NULL;
|
||||
struct passwd *pw = s->pw;
|
||||
@@ -1602,7 +1613,7 @@
|
||||
@@ -1710,7 +1721,7 @@
|
||||
* Make sure $SHELL points to the shell from the password file,
|
||||
* even if shell is overridden from login.conf
|
||||
*/
|
||||
@ -65,7 +65,7 @@
|
||||
|
||||
#ifdef HAVE_LOGIN_CAP
|
||||
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
|
||||
@@ -1666,7 +1677,7 @@
|
||||
@@ -1778,7 +1789,7 @@
|
||||
closefrom(STDERR_FILENO + 1);
|
||||
|
||||
if (!options.use_login)
|
@ -24,8 +24,8 @@
|
||||
# PasswordAuthentication yes
|
||||
--- sshd_config
|
||||
+++ sshd_config
|
||||
@@ -82,7 +82,7 @@
|
||||
|
||||
@@ -88,7 +88,7 @@
|
||||
#AllowAgentForwarding yes
|
||||
#AllowTcpForwarding yes
|
||||
#GatewayPorts no
|
||||
-#X11Forwarding no
|
||||
@ -35,7 +35,7 @@
|
||||
#PrintMotd yes
|
||||
--- sshlogin.c
|
||||
+++ sshlogin.c
|
||||
@@ -126,6 +126,7 @@
|
||||
@@ -125,6 +125,7 @@
|
||||
|
||||
li = login_alloc_entry(pid, user, host, tty);
|
||||
login_set_addr(li, addr, addrlen);
|
3
openssh-5.1p1.tar.bz2
Normal file
3
openssh-5.1p1.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:bbe533aa4d2d083011035e3b63e558eaf8db83f7b062410a2035aeb822904472
|
||||
size 835720
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# spec file for package openssh-askpass-gnome (Version 5.0p1)
|
||||
# spec file for package openssh-askpass-gnome (Version 5.1p1)
|
||||
#
|
||||
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
# This file and all modifications and additions to the pristine
|
||||
@ -15,8 +15,8 @@ Name: openssh-askpass-gnome
|
||||
BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files
|
||||
License: BSD 3-Clause
|
||||
Group: Productivity/Networking/SSH
|
||||
Version: 5.0p1
|
||||
Release: 5
|
||||
Version: 5.1p1
|
||||
Release: 1
|
||||
Requires: openssh = %{version} openssh-askpass = %{version}
|
||||
AutoReqProv: on
|
||||
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
||||
@ -31,7 +31,6 @@ Patch21: %{_name}-%{version}-gssapimitm.patch
|
||||
Patch26: %{_name}-%{version}-eal3.diff
|
||||
Patch27: %{_name}-%{version}-engines.diff
|
||||
Patch28: %{_name}-%{version}-blocksigalrm.diff
|
||||
Patch42: %{_name}-gssapi_krb5-fix.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
|
||||
%description
|
||||
@ -74,7 +73,6 @@ Authors:
|
||||
%patch26 -p1
|
||||
%patch27 -p1
|
||||
%patch28
|
||||
%patch42
|
||||
|
||||
%build
|
||||
%{?suse_update_config:%{suse_update_config}}
|
||||
|
@ -1,18 +0,0 @@
|
||||
--- configure.ac
|
||||
+++ configure.ac
|
||||
@@ -3283,7 +3283,14 @@
|
||||
K5LIBS="-lgssapi $K5LIBS" ],
|
||||
[ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context,
|
||||
[ AC_DEFINE(GSSAPI)
|
||||
- K5LIBS="-lgssapi_krb5 $K5LIBS" ],
|
||||
+ K5LIBS="-lgssapi_krb5 $K5LIBS" ]
|
||||
+ AC_CHECK_LIB(gssapi_krb5, gss_krb5_copy_ccache, [
|
||||
+ K5LIBS="-lgssapi_krb5 $K5LIBS"
|
||||
+ ], [
|
||||
+ AC_MSG_WARN([Cannot find -lgssapi_krb5 with gss_krb5_copy_ccache()])
|
||||
+ ],
|
||||
+ $K5LIBS
|
||||
+ ),
|
||||
AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]),
|
||||
$K5LIBS)
|
||||
],
|
@ -1,3 +1,87 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 22 20:39:29 CEST 2008 - anicka@suse.cz
|
||||
|
||||
- update to 5.1p1
|
||||
* sshd(8): Avoid X11 man-in-the-middle attack on HP/UX (and possibly
|
||||
other platforms) when X11UseLocalhost=no
|
||||
* Introduce experimental SSH Fingerprint ASCII Visualisation to ssh(1)
|
||||
and ssh-keygen(1). Visual fingerprinnt display is controlled by a new
|
||||
ssh_config(5) option "VisualHostKey".
|
||||
* sshd_config(5) now supports CIDR address/masklen matching in "Match
|
||||
address" blocks, with a fallback to classic wildcard matching.
|
||||
* sshd(8) now supports CIDR matching in ~/.ssh/authorized_keys
|
||||
from="..." restrictions, also with a fallback to classic wildcard
|
||||
matching.
|
||||
* Added an extended test mode (-T) to sshd(8) to request that it write
|
||||
its effective configuration to stdout and exit. Extended test mode
|
||||
also supports the specification of connection parameters (username,
|
||||
source address and hostname) to test the application of
|
||||
sshd_config(5) Match rules.
|
||||
* ssh(1) now prints the number of bytes transferred and the overall
|
||||
connection throughput for SSH protocol 2 sessions when in verbose
|
||||
mode (previously these statistics were displayed for protocol 1
|
||||
connections only).
|
||||
* sftp-server(8) now supports extension methods statvfs@openssh.com and
|
||||
fstatvfs@openssh.com that implement statvfs(2)-like operations.
|
||||
* sftp(1) now has a "df" command to the sftp client that uses the
|
||||
statvfs@openssh.com to produce a df(1)-like display of filesystem
|
||||
space and inode utilisation (requires statvfs@openssh.com support on
|
||||
the server)
|
||||
* Added a MaxSessions option to sshd_config(5) to allow control of the
|
||||
number of multiplexed sessions supported over a single TCP connection.
|
||||
This allows increasing the number of allowed sessions above the
|
||||
previous default of 10, disabling connection multiplexing
|
||||
(MaxSessions=1) or disallowing login/shell/subsystem sessions
|
||||
entirely (MaxSessions=0).
|
||||
* Added a no-more-sessions@openssh.com global request extension that is
|
||||
sent from ssh(1) to sshd(8) when the client knows that it will never
|
||||
request another session (i.e. when session multiplexing is disabled).
|
||||
This allows a server to disallow further session requests and
|
||||
terminate the session in cases where the client has been hijacked.
|
||||
* ssh-keygen(1) now supports the use of the -l option in combination
|
||||
with -F to search for a host in ~/.ssh/known_hosts and display its
|
||||
fingerprint.
|
||||
* ssh-keyscan(1) now defaults to "rsa" (protocol 2) keys, instead of
|
||||
"rsa1".
|
||||
* Added an AllowAgentForwarding option to sshd_config(8) to control
|
||||
whether authentication agent forwarding is permitted. Note that this
|
||||
is a loose control, as a client may install their own unofficial
|
||||
forwarder.
|
||||
* ssh(1) and sshd(8): avoid unnecessary malloc/copy/free when receiving
|
||||
network data, resulting in a ~10% speedup
|
||||
* ssh(1) and sshd(8) will now try additional addresses when connecting
|
||||
to a port forward destination whose DNS name resolves to more than
|
||||
one address. The previous behaviour was to try the only first address
|
||||
and give up if that failed. (bz#383)
|
||||
* ssh(1) and sshd(8) now support signalling that channels are
|
||||
half-closed for writing, through a channel protocol extension
|
||||
notification "eow@openssh.com". This allows propagation of closed
|
||||
file descriptors, so that commands such as:
|
||||
"ssh -2 localhost od /bin/ls | true"
|
||||
do not send unnecessary data over the wire. (bz#85)
|
||||
* sshd(8): increased the default size of ssh protocol 1 ephemeral keys
|
||||
from 768 to 1024 bits.
|
||||
* When ssh(1) has been requested to fork after authentication
|
||||
("ssh -f") with ExitOnForwardFailure enabled, delay the fork until
|
||||
after replies for any -R forwards have been seen. Allows for robust
|
||||
detection of -R forward failure when using -f. (bz#92)
|
||||
* "Match group" blocks in sshd_config(5) now support negation of
|
||||
groups. E.g. "Match group staff,!guests" (bz#1315)
|
||||
* sftp(1) and sftp-server(8) now allow chmod-like operations to set
|
||||
set[ug]id/sticky bits. (bz#1310)
|
||||
* The MaxAuthTries option is now permitted in sshd_config(5) match
|
||||
blocks.
|
||||
* Multiplexed ssh(1) sessions now support a subset of the ~ escapes
|
||||
that are available to a primary connection. (bz#1331)
|
||||
* ssh(1) connection multiplexing will now fall back to creating a new
|
||||
connection in most error cases. (bz#1439 bz#1329)
|
||||
* Added some basic interoperability tests against Twisted Conch.
|
||||
* Documented OpenSSH's extensions to and deviations from the published
|
||||
SSH protocols (the PROTOCOL file in the distribution)
|
||||
* Documented OpenSSH's ssh-agent protocol (PROTOCOL.agent).
|
||||
* bugfixes
|
||||
- remove gssapi_krb5-fix patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Apr 18 17:53:30 CEST 2008 - werner@suse.de
|
||||
|
||||
|
91
openssh.spec
91
openssh.spec
@ -1,5 +1,5 @@
|
||||
#
|
||||
# spec file for package openssh (Version 5.0p1)
|
||||
# spec file for package openssh (Version 5.1p1)
|
||||
#
|
||||
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
# This file and all modifications and additions to the pristine
|
||||
@ -29,8 +29,8 @@ Requires: /bin/netstat
|
||||
PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_prereq /bin/mkdir /bin/cat permissions
|
||||
Conflicts: nonfreessh
|
||||
AutoReqProv: on
|
||||
Version: 5.0p1
|
||||
Release: 4
|
||||
Version: 5.1p1
|
||||
Release: 1
|
||||
%define xversion 1.2.4.1
|
||||
Summary: Secure Shell Client and Server (Remote Login Program)
|
||||
Url: http://www.openssh.com/
|
||||
@ -58,7 +58,6 @@ Patch36: %{name}-%{version}-xauthlocalhostname.diff
|
||||
Patch37: %{name}-%{version}-tmpdir.diff
|
||||
Patch40: %{name}-%{version}-xauth.diff
|
||||
Patch41: %{name}-%{version}-gcc-fix.patch
|
||||
Patch42: %{name}-gssapi_krb5-fix.patch
|
||||
Patch43: %{name}-%{version}-default-protocol.diff
|
||||
Patch44: %{name}-%{version}-audit.patch
|
||||
Patch45: %{name}-%{version}-pts.diff
|
||||
@ -148,7 +147,6 @@ Authors:
|
||||
%patch37
|
||||
%patch40
|
||||
%patch41
|
||||
%patch42
|
||||
%patch43
|
||||
%patch44 -p1
|
||||
%patch45
|
||||
@ -252,7 +250,7 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%files
|
||||
%defattr(-,root,root)
|
||||
%dir %attr(755,root,root) /var/lib/sshd
|
||||
%doc README.SuSE README.kerberos ChangeLog OVERVIEW README RFC.nroff TODO LICENCE CREDITS
|
||||
%doc README.SuSE README.kerberos ChangeLog OVERVIEW README TODO LICENCE CREDITS
|
||||
%attr(0755,root,root) %dir /etc/ssh
|
||||
%attr(0600,root,root) %config(noreplace) /etc/ssh/moduli
|
||||
%verify(not mode) %attr(0644,root,root) %config(noreplace) /etc/ssh/ssh_config
|
||||
@ -294,6 +292,87 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%config %_appdefdir/SshAskpass
|
||||
|
||||
%changelog
|
||||
* Tue Jul 22 2008 anicka@suse.cz
|
||||
- update to 5.1p1
|
||||
* sshd(8): Avoid X11 man-in-the-middle attack on HP/UX (and possibly
|
||||
other platforms) when X11UseLocalhost=no
|
||||
* Introduce experimental SSH Fingerprint ASCII Visualisation to ssh(1)
|
||||
and ssh-keygen(1). Visual fingerprinnt display is controlled by a new
|
||||
ssh_config(5) option "VisualHostKey".
|
||||
* sshd_config(5) now supports CIDR address/masklen matching in "Match
|
||||
address" blocks, with a fallback to classic wildcard matching.
|
||||
* sshd(8) now supports CIDR matching in ~/.ssh/authorized_keys
|
||||
from="..." restrictions, also with a fallback to classic wildcard
|
||||
matching.
|
||||
* Added an extended test mode (-T) to sshd(8) to request that it write
|
||||
its effective configuration to stdout and exit. Extended test mode
|
||||
also supports the specification of connection parameters (username,
|
||||
source address and hostname) to test the application of
|
||||
sshd_config(5) Match rules.
|
||||
* ssh(1) now prints the number of bytes transferred and the overall
|
||||
connection throughput for SSH protocol 2 sessions when in verbose
|
||||
mode (previously these statistics were displayed for protocol 1
|
||||
connections only).
|
||||
* sftp-server(8) now supports extension methods statvfs@openssh.com and
|
||||
fstatvfs@openssh.com that implement statvfs(2)-like operations.
|
||||
* sftp(1) now has a "df" command to the sftp client that uses the
|
||||
statvfs@openssh.com to produce a df(1)-like display of filesystem
|
||||
space and inode utilisation (requires statvfs@openssh.com support on
|
||||
the server)
|
||||
* Added a MaxSessions option to sshd_config(5) to allow control of the
|
||||
number of multiplexed sessions supported over a single TCP connection.
|
||||
This allows increasing the number of allowed sessions above the
|
||||
previous default of 10, disabling connection multiplexing
|
||||
(MaxSessions=1) or disallowing login/shell/subsystem sessions
|
||||
entirely (MaxSessions=0).
|
||||
* Added a no-more-sessions@openssh.com global request extension that is
|
||||
sent from ssh(1) to sshd(8) when the client knows that it will never
|
||||
request another session (i.e. when session multiplexing is disabled).
|
||||
This allows a server to disallow further session requests and
|
||||
terminate the session in cases where the client has been hijacked.
|
||||
* ssh-keygen(1) now supports the use of the -l option in combination
|
||||
with -F to search for a host in ~/.ssh/known_hosts and display its
|
||||
fingerprint.
|
||||
* ssh-keyscan(1) now defaults to "rsa" (protocol 2) keys, instead of
|
||||
"rsa1".
|
||||
* Added an AllowAgentForwarding option to sshd_config(8) to control
|
||||
whether authentication agent forwarding is permitted. Note that this
|
||||
is a loose control, as a client may install their own unofficial
|
||||
forwarder.
|
||||
* ssh(1) and sshd(8): avoid unnecessary malloc/copy/free when receiving
|
||||
network data, resulting in a ~10%% speedup
|
||||
* ssh(1) and sshd(8) will now try additional addresses when connecting
|
||||
to a port forward destination whose DNS name resolves to more than
|
||||
one address. The previous behaviour was to try the only first address
|
||||
and give up if that failed. (bz#383)
|
||||
* ssh(1) and sshd(8) now support signalling that channels are
|
||||
half-closed for writing, through a channel protocol extension
|
||||
notification "eow@openssh.com". This allows propagation of closed
|
||||
file descriptors, so that commands such as:
|
||||
"ssh -2 localhost od /bin/ls | true"
|
||||
do not send unnecessary data over the wire. (bz#85)
|
||||
* sshd(8): increased the default size of ssh protocol 1 ephemeral keys
|
||||
from 768 to 1024 bits.
|
||||
* When ssh(1) has been requested to fork after authentication
|
||||
("ssh -f") with ExitOnForwardFailure enabled, delay the fork until
|
||||
after replies for any -R forwards have been seen. Allows for robust
|
||||
detection of -R forward failure when using -f. (bz#92)
|
||||
* "Match group" blocks in sshd_config(5) now support negation of
|
||||
groups. E.g. "Match group staff,!guests" (bz#1315)
|
||||
* sftp(1) and sftp-server(8) now allow chmod-like operations to set
|
||||
set[ug]id/sticky bits. (bz#1310)
|
||||
* The MaxAuthTries option is now permitted in sshd_config(5) match
|
||||
blocks.
|
||||
* Multiplexed ssh(1) sessions now support a subset of the ~ escapes
|
||||
that are available to a primary connection. (bz#1331)
|
||||
* ssh(1) connection multiplexing will now fall back to creating a new
|
||||
connection in most error cases. (bz#1439 bz#1329)
|
||||
* Added some basic interoperability tests against Twisted Conch.
|
||||
* Documented OpenSSH's extensions to and deviations from the published
|
||||
SSH protocols (the PROTOCOL file in the distribution)
|
||||
* Documented OpenSSH's ssh-agent protocol (PROTOCOL.agent).
|
||||
* bugfixes
|
||||
- remove gssapi_krb5-fix patch
|
||||
* Fri Apr 18 2008 werner@suse.de
|
||||
- Handle pts slave lines like utemper
|
||||
* Wed Apr 09 2008 anicka@suse.cz
|
||||
|
Loading…
Reference in New Issue
Block a user