From 0dd322b22826859416c6a9123620d15b1216a70d033dfb09de6c12bfc2012908 Mon Sep 17 00:00:00 2001
From: OBS User autobuild
Date: Wed, 31 Mar 2010 17:31:53 +0000
Subject: [PATCH] Accepting request 35865 from Base:System
Copy from Base:System/openssh based on submit request 35865 from user dirkmueller
OBS-URL: https://build.opensuse.org/request/show/35865
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=40
---
 ...ssh-5.4p1-sshconfig-knownhostschanges.diff | 20 +++++++++++++++++++
 openssh-askpass-gnome.spec | 2 +-
 openssh.changes | 7 +++++++
 openssh.spec | 4 +++-
 4 files changed, 31 insertions(+), 2 deletions(-)
 create mode 100644 openssh-5.4p1-sshconfig-knownhostschanges.diff
diff --git a/openssh-5.4p1-sshconfig-knownhostschanges.diff b/openssh-5.4p1-sshconfig-knownhostschanges.diff
new file mode 100644
index 0000000..8bfb3b6
--- /dev/null
+++ b/openssh-5.4p1-sshconfig-knownhostschanges.diff
@@ -0,0 +1,20 @@
+Index: ssh_config
+===================================================================
+--- ssh_config.orig
++++ ssh_config
+@@ -67,5 +67,14 @@ ForwardX11Trusted yes
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL
+-# VisualHostKey no
++# This will print the fingerprint of the host key in "visual" form
++# this should make it easier to also recognize bad things
++# (enabled for openSUSE Factory before 11.3, if too much people are against,
++# we can disable it again. meissner@novell.com)
++VisualHostKey yes
++
++# This will hash new host keys and make them so unusable for malicious
++# people or software trying to use known_hosts to find further hops.
++HashKnownHosts yes
++
+ # ProxyCommand ssh -q -W %h:%p gateway.example.com
diff --git a/openssh-askpass-gnome.spec b/openssh-askpass-gnome.spec
index a268237..386c773 100644
--- a/openssh-askpass-gnome.spec
+++ b/openssh-askpass-gnome.spec
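Review bot: In the ssh_config patch, the comment added above `HashKnownHosts yes` says the option hashes host keys, but it hashes the host names and addresses written to known_hosts and leaves the keys themselves as they are; the openssh.changes entry also calls the option `HashHostKeys`, which does not match the directive being set. As the comment's word "new" implies, only entries added after the change are hashed, so host names already in a user's known_hosts stay readable until the file is converted. I would reword the comment to `# Hash host names and addresses in newly added known_hosts entries;` followed by `# existing entries stay readable until converted with "ssh-keygen -H".` The enclosing section of ssh_config starts outside the hunk, so whether these defaults sit under a `Host *` block cannot be checked from here.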
@@ -23,7 +23,7 @@ BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-dev
 License: BSD3c(or similar)
 Group: Productivity/Networking/SSH
 Version: 5.4p1
-Release: 1
+Release: 2
 Requires: openssh = %{version} openssh-askpass = %{version}
 AutoReqProv: on
 Summary: A GNOME-Based Passphrase Dialog for OpenSSH
diff --git a/openssh.changes b/openssh.changes
index e696cc0..11e045a 100644
--- a/openssh.changes
+++ b/openssh.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Mar 25 11:00:00 CET 2010 - meissner@suse.de
+
+- Enable VisualHostKey (ascii art of the hostkey fingerprint) and
+ HashHostKeys (hardening measure to make them unusable for worms/malicious
+ users for further host hopping).
+
 -------------------------------------------------------------------
 Tue Mar 23 18:57:07 CET 2010 - anicka@suse.cz
diff --git a/openssh.spec b/openssh.spec
index f5a4213..cbd7695 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -36,7 +36,7 @@ PreReq: pwdutils %insserv_prereq %fillup_prereq coreutils permissions
 Conflicts: nonfreessh
 AutoReqProv: on
 Version: 5.4p1
-Release: 1
+Release: 2
 %define xversion 1.2.4.1
 Summary: Secure Shell Client and Server (Remote Login Program)
 Url: http://www.openssh.com/
@@ -68,6 +68,7 @@ Patch15: %{name}-%{version}-audit.patch
 Patch16: %{name}-%{version}-pts.diff
 Patch17: %{name}-%{version}-forwards.diff
 Patch18: %{name}-%{version}-homechroot.patch
+Patch19: %{name}-%{version}-sshconfig-knownhostschanges.diff
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %package askpass
@@ -112,6 +113,7 @@ Window System passphrase dialog for OpenSSH.
 %patch16
 %patch17
 %patch18
+%patch19
 cp -v %{SOURCE4} .
 cp -v %{SOURCE6} .
 cd ../x11-ssh-askpass-%{xversion}