SHA256
1
0
forked from pool/openssh
OBS User unknown 2008-07-25 02:29:14 +00:00 committed by Git OBS Bridge
parent 0ee0f71602
commit 011c00b91f
23 changed files with 264 additions and 121 deletions

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:fafd3e0fe129d372340f17906bcdee4150823c2435fe8e85208b23df27ee3d4b
size 810512

View File

@ -1,7 +1,7 @@
# add support for Linux audit (FATE #120269)
================================================================================
--- openssh-4.7p1/Makefile.in
+++ openssh-4.7p1/Makefile.in
--- openssh-5.1p1/Makefile.in
+++ openssh-5.1p1/Makefile.in
@@ -44,6 +44,7 @@
CFLAGS=@CFLAGS@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
@ -10,7 +10,7 @@
SSHDLIBS=@SSHDLIBS@
LIBEDIT=@LIBEDIT@
AR=@AR@
@@ -136,7 +137,7 @@
@@ -137,7 +138,7 @@
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
@ -19,9 +19,9 @@
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
--- openssh-4.7p1/auth.c
+++ openssh-4.7p1/auth.c
@@ -286,6 +286,12 @@
--- openssh-5.1p1/auth.c
+++ openssh-5.1p1/auth.c
@@ -287,6 +287,12 @@
get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
# endif
#endif
@ -34,7 +34,7 @@
#ifdef SSH_AUDIT_EVENTS
if (authenticated == 0 && !authctxt->postponed)
audit_event(audit_classify_auth(method));
@@ -492,6 +498,10 @@
@@ -533,6 +539,10 @@
record_failed_login(user,
get_canonical_hostname(options.use_dns), "ssh");
#endif
@ -45,9 +45,9 @@
#ifdef SSH_AUDIT_EVENTS
audit_event(SSH_INVALID_USER);
#endif /* SSH_AUDIT_EVENTS */
--- openssh-4.7p1/config.h.in
+++ openssh-4.7p1/config.h.in
@@ -1334,6 +1334,9 @@
--- openssh-5.1p1/config.h.in
+++ openssh-5.1p1/config.h.in
@@ -1388,6 +1388,9 @@
/* Define if you want SELinux support. */
#undef WITH_SELINUX
@ -57,9 +57,9 @@
/* Define to 1 if your processor stores words with the most significant byte
first (like Motorola and SPARC, unlike Intel and VAX). */
#undef WORDS_BIGENDIAN
--- openssh-4.7p1/configure.ac
+++ openssh-4.7p1/configure.ac
@@ -3216,6 +3216,20 @@
--- openssh-5.1p1/configure.ac
+++ openssh-5.1p1/configure.ac
@@ -3314,6 +3314,20 @@
fi ]
)
@ -80,7 +80,7 @@
# Check whether user wants Kerberos 5 support
KRB5_MSG="no"
AC_ARG_WITH(kerberos5,
@@ -4036,6 +4050,7 @@
@@ -4134,6 +4148,7 @@
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
@ -88,8 +88,8 @@
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
--- openssh-4.7p1/loginrec.c
+++ openssh-4.7p1/loginrec.c
--- openssh-5.1p1/loginrec.c
+++ openssh-5.1p1/loginrec.c
@@ -176,6 +176,10 @@
#include "auth.h"
#include "buffer.h"
@ -174,8 +174,8 @@
/**
** Low-level libutil login() functions
**/
--- openssh-4.7p1/loginrec.h
+++ openssh-4.7p1/loginrec.h
--- openssh-5.1p1/loginrec.h
+++ openssh-5.1p1/loginrec.h
@@ -127,5 +127,9 @@
char *line_abbrevname(char *dst, const char *src, int dstsize);

View File

@ -8,7 +8,7 @@
static LogLevel log_level = SYSLOG_LEVEL_INFO;
static int log_on_stderr = 1;
@@ -314,6 +315,7 @@
@@ -336,6 +337,7 @@
char fmtbuf[MSGBUFSIZ];
char *txt = NULL;
int pri = LOG_INFO;
@ -16,7 +16,7 @@
int saved_errno = errno;
if (level > log_level)
@@ -365,6 +367,14 @@
@@ -387,6 +389,14 @@
snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf);
write(STDERR_FILENO, msgbuf, strlen(msgbuf));
} else {
@ -31,7 +31,7 @@
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
syslog_r(pri, &sdata, "%.500s", fmtbuf);
@@ -374,6 +384,7 @@
@@ -396,6 +406,7 @@
syslog(pri, "%.500s", fmtbuf);
closelog();
#endif

View File

@ -1,6 +1,6 @@
--- openssh-4.6p1/sshd.8
+++ openssh-4.6p1/sshd.8
@@ -739,7 +739,7 @@
--- openssh-5.1p1/sshd.8
+++ openssh-5.1p1/sshd.8
@@ -785,7 +785,7 @@
The file format is described in
.Xr moduli 5 .
.Pp
@ -9,7 +9,7 @@
See
.Xr motd 5 .
.Pp
@@ -752,7 +752,7 @@
@@ -798,7 +798,7 @@
refused.
The file should be world-readable.
.Pp
@ -18,8 +18,8 @@
This file is used in exactly the same way as
.Pa hosts.equiv ,
but allows host-based authentication without permitting login with
@@ -828,8 +828,7 @@
.Xr ssh-keygen 1 ,
@@ -875,8 +875,7 @@
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
.Xr hosts_access 5 ,
-.Xr login.conf 5 ,
@ -28,9 +28,9 @@
.Xr sshd_config 5 ,
.Xr inetd 8 ,
.Xr sftp-server 8
--- openssh-4.6p1/sshd_config.5
+++ openssh-4.6p1/sshd_config.5
@@ -167,9 +167,6 @@
--- openssh-5.1p1/sshd_config.5
+++ openssh-5.1p1/sshd_config.5
@@ -177,9 +177,6 @@
By default, no banner is displayed.
.It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed.
@ -39,8 +39,8 @@
-are supported.
The default is
.Dq yes .
.It Cm Ciphers
@@ -382,7 +379,7 @@
.It Cm ChrootDirectory
@@ -438,7 +435,7 @@
.Pp
.Pa /etc/hosts.equiv
and

View File

@ -1,5 +1,5 @@
--- openssh-4.9p1/ssh-add.c
+++ openssh-4.9p1/ssh-add.c
--- openssh-5.1p1/ssh-add.c
+++ openssh-5.1p1/ssh-add.c
@@ -43,6 +43,7 @@
#include <openssl/evp.h>
@ -19,8 +19,8 @@
/* At first, get a connection to the authentication agent. */
ac = ssh_get_authentication_connection();
if (ac == NULL) {
--- openssh-4.9p1/ssh-agent.c
+++ openssh-4.9p1/ssh-agent.c
--- openssh-5.1p1/ssh-agent.c
+++ openssh-5.1p1/ssh-agent.c
@@ -52,6 +52,7 @@
#include <openssl/evp.h>
#include <openssl/md5.h>
@ -29,7 +29,7 @@
#include <errno.h>
#include <fcntl.h>
@@ -1063,6 +1064,10 @@
@@ -1076,6 +1077,10 @@
SSLeay_add_all_algorithms();
@ -40,8 +40,8 @@
__progname = ssh_get_progname(av[0]);
init_rng();
seed_rng();
--- openssh-4.9p1/ssh-keygen.c
+++ openssh-4.9p1/ssh-keygen.c
--- openssh-5.1p1/ssh-keygen.c
+++ openssh-5.1p1/ssh-keygen.c
@@ -22,6 +22,7 @@
#include <openssl/evp.h>
#include <openssl/pem.h>
@ -50,7 +50,7 @@
#include <errno.h>
#include <fcntl.h>
@@ -1072,6 +1073,11 @@
@@ -1099,6 +1100,11 @@
__progname = ssh_get_progname(argv[0]);
SSLeay_add_all_algorithms();
@ -62,8 +62,8 @@
log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
init_rng();
--- openssh-4.9p1/ssh-keysign.c
+++ openssh-4.9p1/ssh-keysign.c
--- openssh-5.1p1/ssh-keysign.c
+++ openssh-5.1p1/ssh-keysign.c
@@ -38,6 +38,7 @@
#include <openssl/evp.h>
#include <openssl/rand.h>
@ -84,17 +84,17 @@
for (i = 0; i < 256; i++)
rnd[i] = arc4random();
RAND_seed(rnd, sizeof(rnd));
--- openssh-4.9p1/ssh.c
+++ openssh-4.9p1/ssh.c
--- openssh-5.1p1/ssh.c
+++ openssh-5.1p1/ssh.c
@@ -73,6 +73,7 @@
#include <openssl/evp.h>
#include <openssl/err.h>
#include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h"
+#include <openssl/engine.h>
#include "xmalloc.h"
#include "ssh.h"
@@ -561,6 +562,10 @@
@@ -562,6 +563,10 @@
SSLeay_add_all_algorithms();
ERR_load_crypto_strings();
@ -105,9 +105,9 @@
/* Initialize the command to execute on remote host. */
buffer_init(&command);
--- openssh-4.9p1/sshd.c
+++ openssh-4.9p1/sshd.c
@@ -76,6 +76,7 @@
--- openssh-5.1p1/sshd.c
+++ openssh-5.1p1/sshd.c
@@ -77,6 +77,7 @@
#include <openssl/md5.h>
#include <openssl/rand.h>
#include "openbsd-compat/openssl-compat.h"
@ -115,7 +115,7 @@
#ifdef HAVE_SECUREWARE
#include <sys/security.h>
@@ -1465,6 +1466,10 @@
@@ -1416,6 +1417,10 @@
SSLeay_add_all_algorithms();

View File

@ -46,7 +46,7 @@ Index: auth2-gss.c
#endif /* GSSAPI */
--- auth2.c
+++ auth2.c
@@ -65,6 +65,7 @@
@@ -70,6 +70,7 @@
extern Authmethod method_hostbased;
#ifdef GSSAPI
extern Authmethod method_gssapi;
@ -54,7 +54,7 @@ Index: auth2-gss.c
#endif
Authmethod *authmethods[] = {
@@ -72,6 +73,7 @@
@@ -77,6 +78,7 @@
&method_pubkey,
#ifdef GSSAPI
&method_gssapi,
@ -73,7 +73,7 @@ Index: auth2-gss.c
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
@@ -164,9 +164,11 @@
@@ -165,9 +165,11 @@
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
@ -85,7 +85,7 @@ Index: auth2-gss.c
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
@@ -445,6 +447,10 @@
@@ -447,6 +449,10 @@
case oGssDelegateCreds:
intptr = &options->gss_deleg_creds;
goto parse_flag;
@ -96,7 +96,7 @@ Index: auth2-gss.c
case oBatchMode:
intptr = &options->batch_mode;
@@ -1011,6 +1017,7 @@
@@ -1017,6 +1023,7 @@
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
options->gss_deleg_creds = -1;
@ -104,7 +104,7 @@ Index: auth2-gss.c
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -1101,6 +1108,8 @@
@@ -1108,6 +1115,8 @@
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
@ -125,7 +125,7 @@ Index: auth2-gss.c
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
--- servconf.c
+++ servconf.c
@@ -91,6 +91,7 @@
@@ -93,6 +93,7 @@
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
options->gss_cleanup_creds = -1;
@ -133,7 +133,7 @@ Index: auth2-gss.c
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
@@ -207,6 +208,8 @@
@@ -211,6 +212,8 @@
options->gss_authentication = 0;
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
@ -142,16 +142,16 @@ Index: auth2-gss.c
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
@@ -291,7 +294,7 @@
@@ -299,7 +302,7 @@
sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+ sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssEnableMITM,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sDeprecated, sUnsupported
@@ -352,9 +355,11 @@
@@ -360,9 +363,11 @@
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@ -163,7 +163,7 @@ Index: auth2-gss.c
#endif
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
@@ -878,6 +883,10 @@
@@ -885,6 +890,10 @@
case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds;
goto parse_flag;
@ -176,7 +176,7 @@ Index: auth2-gss.c
intptr = &options->password_authentication;
--- servconf.h
+++ servconf.h
@@ -91,6 +91,7 @@
@@ -92,6 +92,7 @@
* authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
@ -202,7 +202,7 @@ Index: auth2-gss.c
+>>>>>>>
--- sshconnect2.c
+++ sshconnect2.c
@@ -243,6 +243,10 @@
@@ -246,6 +246,10 @@
userauth_gssapi,
&options.gss_authentication,
NULL},
@ -213,7 +213,7 @@ Index: auth2-gss.c
#endif
{"hostbased",
userauth_hostbased,
@@ -577,7 +581,9 @@
@@ -587,7 +591,9 @@
if (status == GSS_S_COMPLETE) {
/* send either complete or MIC, depending on mechanism */
@ -226,7 +226,7 @@ Index: auth2-gss.c
} else {
--- sshd_config
+++ sshd_config
@@ -73,6 +73,13 @@
@@ -74,6 +74,13 @@
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

View File

@ -1,6 +1,6 @@
--- sshd_config
+++ sshd_config
@@ -53,7 +53,7 @@
@@ -58,7 +58,7 @@
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
@ -9,12 +9,12 @@
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
@@ -78,7 +78,7 @@
@@ -83,7 +83,7 @@
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
-#UsePAM no
+UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no

View File

@ -1,6 +1,6 @@
--- auth-pam.c
+++ auth-pam.c
@@ -785,7 +785,9 @@
@@ -786,7 +786,9 @@
fatal("Internal error: PAM auth "
"succeeded when it should have "
"failed");

View File

@ -1,6 +1,6 @@
--- loginrec.c
+++ loginrec.c 2008-04-18 17:58:59.585065028 +0200
@@ -549,7 +549,7 @@ getlast_entry(struct logininfo *li)
+++ loginrec.c
@@ -549,7 +549,7 @@
* 1. The full filename (including '/dev')
* 2. The stripped name (excluding '/dev')
* 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00
@ -9,7 +9,7 @@
*
* Form 3 is used on some systems to identify a .tmp.? entry when
* attempting to remove it. Typically both addition and removal is
@@ -610,6 +610,10 @@ line_abbrevname(char *dst, const char *s
@@ -610,6 +610,10 @@
if (strncmp(src, "tty", 3) == 0)
src += 3;
#endif

View File

@ -1,6 +1,6 @@
--- sshd.c
+++ sshd.c
@@ -358,6 +358,7 @@
@@ -305,6 +305,7 @@
static void
sighup_restart(void)
{
@ -8,7 +8,7 @@
logit("Received SIGHUP; restarting.");
close_listen_socks();
close_startup_pipes();
@@ -1318,7 +1319,11 @@
@@ -1270,7 +1271,11 @@
#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
compat_init_setproctitle(ac, av);

View File

@ -1,6 +1,6 @@
--- ssh_config
+++ ssh_config
@@ -62,4 +62,7 @@
@@ -63,4 +63,7 @@
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
# GSSAPIEnableMITMAttack no
@ -11,7 +11,7 @@
+SendEnv LC_IDENTIFICATION LC_ALL
--- sshd_config
+++ sshd_config
@@ -112,6 +112,11 @@
@@ -119,6 +119,11 @@
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

View File

@ -1,6 +1,6 @@
--- ssh-agent.c
+++ ssh-agent.c
@@ -1126,8 +1126,18 @@
@@ -1159,8 +1159,18 @@
parent_pid = getpid();
if (agentsocket == NULL) {

View File

@ -1,6 +1,6 @@
--- session.c
+++ session.c
@@ -2250,8 +2250,41 @@
@@ -2487,8 +2487,41 @@
session_close(Session *s)
{
u_int i;

View File

@ -1,6 +1,6 @@
--- session.c
+++ session.c
@@ -997,7 +997,7 @@
@@ -1104,7 +1104,7 @@
}
static char **
@ -9,7 +9,7 @@
{
char buf[256];
u_int i, envsize;
@@ -1184,6 +1184,8 @@
@@ -1291,6 +1291,8 @@
for (i = 0; env[i]; i++)
fprintf(stderr, " %.200s\n", env[i]);
}
@ -18,7 +18,7 @@
return env;
}
@@ -1192,7 +1194,7 @@
@@ -1299,7 +1301,7 @@
* first in this order).
*/
static void
@ -27,7 +27,7 @@
{
FILE *f = NULL;
char cmd[1024];
@@ -1246,12 +1248,20 @@
@@ -1353,12 +1355,20 @@
options.xauth_location);
f = popen(cmd, "w");
if (f) {
@ -48,7 +48,7 @@
} else {
fprintf(stderr, "Could not run %s\n",
cmd);
@@ -1537,6 +1547,7 @@
@@ -1644,6 +1654,7 @@
{
extern char **environ;
char **env;
@ -56,7 +56,7 @@
char *argv[ARGV_MAX];
const char *shell, *shell0, *hostname = NULL;
struct passwd *pw = s->pw;
@@ -1602,7 +1613,7 @@
@@ -1710,7 +1721,7 @@
* Make sure $SHELL points to the shell from the password file,
* even if shell is overridden from login.conf
*/
@ -65,7 +65,7 @@
#ifdef HAVE_LOGIN_CAP
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
@@ -1666,7 +1677,7 @@
@@ -1778,7 +1789,7 @@
closefrom(STDERR_FILENO + 1);
if (!options.use_login)

View File

@ -24,8 +24,8 @@
# PasswordAuthentication yes
--- sshd_config
+++ sshd_config
@@ -82,7 +82,7 @@
@@ -88,7 +88,7 @@
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
-#X11Forwarding no
@ -35,7 +35,7 @@
#PrintMotd yes
--- sshlogin.c
+++ sshlogin.c
@@ -126,6 +126,7 @@
@@ -125,6 +125,7 @@
li = login_alloc_entry(pid, user, host, tty);
login_set_addr(li, addr, addrlen);

3
openssh-5.1p1.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:bbe533aa4d2d083011035e3b63e558eaf8db83f7b062410a2035aeb822904472
size 835720

View File

@ -1,5 +1,5 @@
#
# spec file for package openssh-askpass-gnome (Version 5.0p1)
# spec file for package openssh-askpass-gnome (Version 5.1p1)
#
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
@ -15,8 +15,8 @@ Name: openssh-askpass-gnome
BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files
License: BSD 3-Clause
Group: Productivity/Networking/SSH
Version: 5.0p1
Release: 5
Version: 5.1p1
Release: 1
Requires: openssh = %{version} openssh-askpass = %{version}
AutoReqProv: on
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
@ -31,7 +31,6 @@ Patch21: %{_name}-%{version}-gssapimitm.patch
Patch26: %{_name}-%{version}-eal3.diff
Patch27: %{_name}-%{version}-engines.diff
Patch28: %{_name}-%{version}-blocksigalrm.diff
Patch42: %{_name}-gssapi_krb5-fix.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@ -74,7 +73,6 @@ Authors:
%patch26 -p1
%patch27 -p1
%patch28
%patch42
%build
%{?suse_update_config:%{suse_update_config}}

View File

@ -1,18 +0,0 @@
--- configure.ac
+++ configure.ac
@@ -3283,7 +3283,14 @@
K5LIBS="-lgssapi $K5LIBS" ],
[ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context,
[ AC_DEFINE(GSSAPI)
- K5LIBS="-lgssapi_krb5 $K5LIBS" ],
+ K5LIBS="-lgssapi_krb5 $K5LIBS" ]
+ AC_CHECK_LIB(gssapi_krb5, gss_krb5_copy_ccache, [
+ K5LIBS="-lgssapi_krb5 $K5LIBS"
+ ], [
+ AC_MSG_WARN([Cannot find -lgssapi_krb5 with gss_krb5_copy_ccache()])
+ ],
+ $K5LIBS
+ ),
AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]),
$K5LIBS)
],

View File

@ -1,3 +1,87 @@
-------------------------------------------------------------------
Tue Jul 22 20:39:29 CEST 2008 - anicka@suse.cz
- update to 5.1p1
* sshd(8): Avoid X11 man-in-the-middle attack on HP/UX (and possibly
other platforms) when X11UseLocalhost=no
* Introduce experimental SSH Fingerprint ASCII Visualisation to ssh(1)
and ssh-keygen(1). Visual fingerprinnt display is controlled by a new
ssh_config(5) option "VisualHostKey".
* sshd_config(5) now supports CIDR address/masklen matching in "Match
address" blocks, with a fallback to classic wildcard matching.
* sshd(8) now supports CIDR matching in ~/.ssh/authorized_keys
from="..." restrictions, also with a fallback to classic wildcard
matching.
* Added an extended test mode (-T) to sshd(8) to request that it write
its effective configuration to stdout and exit. Extended test mode
also supports the specification of connection parameters (username,
source address and hostname) to test the application of
sshd_config(5) Match rules.
* ssh(1) now prints the number of bytes transferred and the overall
connection throughput for SSH protocol 2 sessions when in verbose
mode (previously these statistics were displayed for protocol 1
connections only).
* sftp-server(8) now supports extension methods statvfs@openssh.com and
fstatvfs@openssh.com that implement statvfs(2)-like operations.
* sftp(1) now has a "df" command to the sftp client that uses the
statvfs@openssh.com to produce a df(1)-like display of filesystem
space and inode utilisation (requires statvfs@openssh.com support on
the server)
* Added a MaxSessions option to sshd_config(5) to allow control of the
number of multiplexed sessions supported over a single TCP connection.
This allows increasing the number of allowed sessions above the
previous default of 10, disabling connection multiplexing
(MaxSessions=1) or disallowing login/shell/subsystem sessions
entirely (MaxSessions=0).
* Added a no-more-sessions@openssh.com global request extension that is
sent from ssh(1) to sshd(8) when the client knows that it will never
request another session (i.e. when session multiplexing is disabled).
This allows a server to disallow further session requests and
terminate the session in cases where the client has been hijacked.
* ssh-keygen(1) now supports the use of the -l option in combination
with -F to search for a host in ~/.ssh/known_hosts and display its
fingerprint.
* ssh-keyscan(1) now defaults to "rsa" (protocol 2) keys, instead of
"rsa1".
* Added an AllowAgentForwarding option to sshd_config(8) to control
whether authentication agent forwarding is permitted. Note that this
is a loose control, as a client may install their own unofficial
forwarder.
* ssh(1) and sshd(8): avoid unnecessary malloc/copy/free when receiving
network data, resulting in a ~10% speedup
* ssh(1) and sshd(8) will now try additional addresses when connecting
to a port forward destination whose DNS name resolves to more than
one address. The previous behaviour was to try the only first address
and give up if that failed. (bz#383)
* ssh(1) and sshd(8) now support signalling that channels are
half-closed for writing, through a channel protocol extension
notification "eow@openssh.com". This allows propagation of closed
file descriptors, so that commands such as:
"ssh -2 localhost od /bin/ls | true"
do not send unnecessary data over the wire. (bz#85)
* sshd(8): increased the default size of ssh protocol 1 ephemeral keys
from 768 to 1024 bits.
* When ssh(1) has been requested to fork after authentication
("ssh -f") with ExitOnForwardFailure enabled, delay the fork until
after replies for any -R forwards have been seen. Allows for robust
detection of -R forward failure when using -f. (bz#92)
* "Match group" blocks in sshd_config(5) now support negation of
groups. E.g. "Match group staff,!guests" (bz#1315)
* sftp(1) and sftp-server(8) now allow chmod-like operations to set
set[ug]id/sticky bits. (bz#1310)
* The MaxAuthTries option is now permitted in sshd_config(5) match
blocks.
* Multiplexed ssh(1) sessions now support a subset of the ~ escapes
that are available to a primary connection. (bz#1331)
* ssh(1) connection multiplexing will now fall back to creating a new
connection in most error cases. (bz#1439 bz#1329)
* Added some basic interoperability tests against Twisted Conch.
* Documented OpenSSH's extensions to and deviations from the published
SSH protocols (the PROTOCOL file in the distribution)
* Documented OpenSSH's ssh-agent protocol (PROTOCOL.agent).
* bugfixes
- remove gssapi_krb5-fix patch
-------------------------------------------------------------------
Fri Apr 18 17:53:30 CEST 2008 - werner@suse.de

View File

@ -1,5 +1,5 @@
#
# spec file for package openssh (Version 5.0p1)
# spec file for package openssh (Version 5.1p1)
#
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
@ -29,8 +29,8 @@ Requires: /bin/netstat
PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_prereq /bin/mkdir /bin/cat permissions
Conflicts: nonfreessh
AutoReqProv: on
Version: 5.0p1
Release: 4
Version: 5.1p1
Release: 1
%define xversion 1.2.4.1
Summary: Secure Shell Client and Server (Remote Login Program)
Url: http://www.openssh.com/
@ -58,7 +58,6 @@ Patch36: %{name}-%{version}-xauthlocalhostname.diff
Patch37: %{name}-%{version}-tmpdir.diff
Patch40: %{name}-%{version}-xauth.diff
Patch41: %{name}-%{version}-gcc-fix.patch
Patch42: %{name}-gssapi_krb5-fix.patch
Patch43: %{name}-%{version}-default-protocol.diff
Patch44: %{name}-%{version}-audit.patch
Patch45: %{name}-%{version}-pts.diff
@ -148,7 +147,6 @@ Authors:
%patch37
%patch40
%patch41
%patch42
%patch43
%patch44 -p1
%patch45
@ -252,7 +250,7 @@ rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root)
%dir %attr(755,root,root) /var/lib/sshd
%doc README.SuSE README.kerberos ChangeLog OVERVIEW README RFC.nroff TODO LICENCE CREDITS
%doc README.SuSE README.kerberos ChangeLog OVERVIEW README TODO LICENCE CREDITS
%attr(0755,root,root) %dir /etc/ssh
%attr(0600,root,root) %config(noreplace) /etc/ssh/moduli
%verify(not mode) %attr(0644,root,root) %config(noreplace) /etc/ssh/ssh_config
@ -294,6 +292,87 @@ rm -rf $RPM_BUILD_ROOT
%config %_appdefdir/SshAskpass
%changelog
* Tue Jul 22 2008 anicka@suse.cz
- update to 5.1p1
* sshd(8): Avoid X11 man-in-the-middle attack on HP/UX (and possibly
other platforms) when X11UseLocalhost=no
* Introduce experimental SSH Fingerprint ASCII Visualisation to ssh(1)
and ssh-keygen(1). Visual fingerprinnt display is controlled by a new
ssh_config(5) option "VisualHostKey".
* sshd_config(5) now supports CIDR address/masklen matching in "Match
address" blocks, with a fallback to classic wildcard matching.
* sshd(8) now supports CIDR matching in ~/.ssh/authorized_keys
from="..." restrictions, also with a fallback to classic wildcard
matching.
* Added an extended test mode (-T) to sshd(8) to request that it write
its effective configuration to stdout and exit. Extended test mode
also supports the specification of connection parameters (username,
source address and hostname) to test the application of
sshd_config(5) Match rules.
* ssh(1) now prints the number of bytes transferred and the overall
connection throughput for SSH protocol 2 sessions when in verbose
mode (previously these statistics were displayed for protocol 1
connections only).
* sftp-server(8) now supports extension methods statvfs@openssh.com and
fstatvfs@openssh.com that implement statvfs(2)-like operations.
* sftp(1) now has a "df" command to the sftp client that uses the
statvfs@openssh.com to produce a df(1)-like display of filesystem
space and inode utilisation (requires statvfs@openssh.com support on
the server)
* Added a MaxSessions option to sshd_config(5) to allow control of the
number of multiplexed sessions supported over a single TCP connection.
This allows increasing the number of allowed sessions above the
previous default of 10, disabling connection multiplexing
(MaxSessions=1) or disallowing login/shell/subsystem sessions
entirely (MaxSessions=0).
* Added a no-more-sessions@openssh.com global request extension that is
sent from ssh(1) to sshd(8) when the client knows that it will never
request another session (i.e. when session multiplexing is disabled).
This allows a server to disallow further session requests and
terminate the session in cases where the client has been hijacked.
* ssh-keygen(1) now supports the use of the -l option in combination
with -F to search for a host in ~/.ssh/known_hosts and display its
fingerprint.
* ssh-keyscan(1) now defaults to "rsa" (protocol 2) keys, instead of
"rsa1".
* Added an AllowAgentForwarding option to sshd_config(8) to control
whether authentication agent forwarding is permitted. Note that this
is a loose control, as a client may install their own unofficial
forwarder.
* ssh(1) and sshd(8): avoid unnecessary malloc/copy/free when receiving
network data, resulting in a ~10%% speedup
* ssh(1) and sshd(8) will now try additional addresses when connecting
to a port forward destination whose DNS name resolves to more than
one address. The previous behaviour was to try the only first address
and give up if that failed. (bz#383)
* ssh(1) and sshd(8) now support signalling that channels are
half-closed for writing, through a channel protocol extension
notification "eow@openssh.com". This allows propagation of closed
file descriptors, so that commands such as:
"ssh -2 localhost od /bin/ls | true"
do not send unnecessary data over the wire. (bz#85)
* sshd(8): increased the default size of ssh protocol 1 ephemeral keys
from 768 to 1024 bits.
* When ssh(1) has been requested to fork after authentication
("ssh -f") with ExitOnForwardFailure enabled, delay the fork until
after replies for any -R forwards have been seen. Allows for robust
detection of -R forward failure when using -f. (bz#92)
* "Match group" blocks in sshd_config(5) now support negation of
groups. E.g. "Match group staff,!guests" (bz#1315)
* sftp(1) and sftp-server(8) now allow chmod-like operations to set
set[ug]id/sticky bits. (bz#1310)
* The MaxAuthTries option is now permitted in sshd_config(5) match
blocks.
* Multiplexed ssh(1) sessions now support a subset of the ~ escapes
that are available to a primary connection. (bz#1331)
* ssh(1) connection multiplexing will now fall back to creating a new
connection in most error cases. (bz#1439 bz#1329)
* Added some basic interoperability tests against Twisted Conch.
* Documented OpenSSH's extensions to and deviations from the published
SSH protocols (the PROTOCOL file in the distribution)
* Documented OpenSSH's ssh-agent protocol (PROTOCOL.agent).
* bugfixes
- remove gssapi_krb5-fix patch
* Fri Apr 18 2008 werner@suse.de
- Handle pts slave lines like utemper
* Wed Apr 09 2008 anicka@suse.cz