diff --git a/openssh-5.6p1-host_ident.diff b/openssh-5.6p1-host_ident.diff deleted file mode 100644 index 521923a..0000000 --- a/openssh-5.6p1-host_ident.diff +++ /dev/null @@ -1,16 +0,0 @@ -Index: openssh-5.5p1/sshconnect.c -=================================================================== ---- openssh-5.5p1.orig/sshconnect.c -+++ openssh-5.5p1/sshconnect.c -@@ -916,6 +916,11 @@ check_host_key(char *hostname, struct so - error("Add correct host key in %.100s to get rid of this message.", - user_hostfile); - error("Offending key in %s:%d", host_file, host_line); -+ error("You can use following command to remove all keys for this IP:"); -+ if (ip_file) -+ error("ssh-keygen -R %s -f %s", hostname, ip_file); -+ else -+ error("ssh-keygen -R %s", hostname); - - /* - * If strict host key checking is in use, the user will have diff --git a/openssh-5.6p1-tmpdir.diff b/openssh-5.6p1-tmpdir.diff deleted file mode 100644 index e04287d..0000000 --- a/openssh-5.6p1-tmpdir.diff +++ /dev/null @@ -1,24 +0,0 @@ -Index: ssh-agent.c -=================================================================== ---- ssh-agent.c.orig -+++ ssh-agent.c -@@ -1177,8 +1177,18 @@ main(int ac, char **av) - parent_pid = getpid(); - - if (agentsocket == NULL) { -+ char *tmp1, *tmp; -+ char *tmp2 = "ssh-XXXXXXXXXX"; -+ size_t len; -+ -+ if ((tmp1 = getenv("TMPDIR")) == NULL) -+ tmp1 = "/tmp"; -+ len = strlen(tmp1) + strlen(tmp2) + 1; -+ tmp = malloc(len); -+ snprintf(tmp, len, "%s%s%s", tmp1, tmp1 && strlen(tmp1) > 0 ? "/" : "", tmp2); - /* Create private directory for agent socket */ -- strlcpy(socket_dir, "/tmp/ssh-XXXXXXXXXX", sizeof socket_dir); -+ strlcpy(socket_dir, tmp, sizeof socket_dir); -+ free(tmp); - if (mkdtemp(socket_dir) == NULL) { - perror("mkdtemp: private socket dir"); - exit(1); diff --git a/openssh-5.6p1.tar.bz2 b/openssh-5.6p1.tar.bz2 deleted file mode 100644 index ba8d545..0000000 --- a/openssh-5.6p1.tar.bz2 +++ /dev/null 
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:7ee242e0236597108ed3156420e6a7d517fffe21d89755c37f09cceb5d796e4c -size 896204 diff --git a/openssh-5.6p1-askpass-fix.diff b/openssh-5.7p1-askpass-fix.diff similarity index 78% rename from openssh-5.6p1-askpass-fix.diff rename to openssh-5.7p1-askpass-fix.diff index 8722163..31f6d0c 100644 --- a/openssh-5.6p1-askpass-fix.diff +++ b/openssh-5.7p1-askpass-fix.diff @@ -1,6 +1,8 @@ ---- x11-ssh-askpass.c +Index: x11-ssh-askpass.c +=================================================================== +--- x11-ssh-askpass.c.orig +++ x11-ssh-askpass.c -@@ -1301,7 +1301,7 @@ +@@ -1301,7 +1301,7 @@ void handleKeyPress(AppInfo *app, XEvent } } @@ -9,7 +11,7 @@ { /* 'gcc -Wall' complains about 'app' being an unused parameter. * Tough. We might want to use it later, and then we don't have -@@ -1343,11 +1343,11 @@ +@@ -1343,11 +1343,11 @@ void handleButtonPress(AppInfo *app, XEv return; } if (ButtonPress == event->type) { @@ -23,7 +25,7 @@ d->pressedButton = CANCEL_BUTTON; d->cancelButton.pressed = True; paintButton(app, d->dialogWindow, d->cancelButton); -@@ -1356,7 +1356,7 @@ +@@ -1356,7 +1356,7 @@ void handleButtonPress(AppInfo *app, XEv } } else if (ButtonRelease == event->type) { if (OK_BUTTON == d->pressedButton) { @@ -32,7 +34,7 @@ acceptAction(app); } else { if (d->okButton.pressed) { -@@ -1365,7 +1365,7 @@ +@@ -1365,7 +1365,7 @@ void handleButtonPress(AppInfo *app, XEv } } } else if (CANCEL_BUTTON == d->pressedButton) { @@ -41,7 +43,7 @@ cancelAction(app); } else { if (d->cancelButton.pressed) { -@@ -1385,7 +1385,7 @@ +@@ -1385,7 +1385,7 @@ void handlePointerMotion(AppInfo *app, X if (NO_BUTTON == d->pressedButton) { return; } else if (OK_BUTTON == d->pressedButton) { 
@@ -50,7 +52,7 @@ if (!(d->okButton.pressed)) { d->okButton.pressed = True; paintButton(app, d->dialogWindow, d->okButton); -@@ -1397,7 +1397,7 @@ +@@ -1397,7 +1397,7 @@ void handlePointerMotion(AppInfo *app, X } } } else if (CANCEL_BUTTON == d->pressedButton) { @@ -59,9 +61,11 @@ if (!(d->cancelButton.pressed)) { d->cancelButton.pressed = True; paintButton(app, d->dialogWindow, d->cancelButton); ---- x11-ssh-askpass.h +Index: x11-ssh-askpass.h +=================================================================== +--- x11-ssh-askpass.h.orig +++ x11-ssh-askpass.h -@@ -258,7 +258,7 @@ +@@ -258,7 +258,7 @@ void erasePassphrase(AppInfo *app); void addToPassphrase(AppInfo *app, char c); void handleKeyPress(AppInfo *app, XEvent *event); diff --git a/openssh-5.6p1-audit.patch b/openssh-5.7p1-audit.patch similarity index 87% rename from openssh-5.6p1-audit.patch rename to openssh-5.7p1-audit.patch index 6c8ea40..fbab4af 100644 --- a/openssh-5.6p1-audit.patch +++ b/openssh-5.7p1-audit.patch @@ -1,9 +1,9 @@ # add support for Linux audit (FATE #120269) ================================================================================ -Index: openssh-5.6p1/Makefile.in +Index: openssh-5.7p1/Makefile.in =================================================================== ---- openssh-5.6p1.orig/Makefile.in -+++ openssh-5.6p1/Makefile.in +--- openssh-5.7p1.orig/Makefile.in ++++ openssh-5.7p1/Makefile.in @@ -46,6 +46,7 @@ LD=@LD@ CFLAGS=@CFLAGS@ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ @@ -12,7 +12,7 @@ Index: openssh-5.6p1/Makefile.in SSHDLIBS=@SSHDLIBS@ LIBEDIT=@LIBEDIT@ AR=@AR@ -@@ -142,7 +143,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SS +@@ -145,7 +146,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SS $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) 
@@ -21,10 +21,10 @@ Index: openssh-5.6p1/Makefile.in scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -Index: openssh-5.6p1/auth.c +Index: openssh-5.7p1/auth.c =================================================================== ---- openssh-5.6p1.orig/auth.c -+++ openssh-5.6p1/auth.c +--- openssh-5.7p1.orig/auth.c ++++ openssh-5.7p1/auth.c @@ -293,6 +293,12 @@ auth_log(Authctxt *authctxt, int authent get_canonical_hostname(options.use_dns), "ssh", &loginmsg); # endif @@ -38,7 +38,7 @@ Index: openssh-5.6p1/auth.c #ifdef SSH_AUDIT_EVENTS if (authenticated == 0 && !authctxt->postponed) audit_event(audit_classify_auth(method)); -@@ -586,6 +592,10 @@ getpwnamallow(const char *user) +@@ -592,6 +598,10 @@ getpwnamallow(const char *user) record_failed_login(user, get_canonical_hostname(options.use_dns), "ssh"); #endif @@ -49,11 +49,11 @@ Index: openssh-5.6p1/auth.c #ifdef SSH_AUDIT_EVENTS audit_event(SSH_INVALID_USER); #endif /* SSH_AUDIT_EVENTS */ -Index: openssh-5.6p1/config.h.in +Index: openssh-5.7p1/config.h.in =================================================================== ---- openssh-5.6p1.orig/config.h.in -+++ openssh-5.6p1/config.h.in -@@ -1424,6 +1424,9 @@ +--- openssh-5.7p1.orig/config.h.in ++++ openssh-5.7p1/config.h.in +@@ -1460,6 +1460,9 @@ /* Define if you want SELinux support. */ #undef WITH_SELINUX 
@@ -63,11 +63,11 @@ Index: openssh-5.6p1/config.h.in /* Define to 1 if your processor stores words with the most significant byte first (like Motorola and SPARC, unlike Intel and VAX). */ #undef WORDS_BIGENDIAN -Index: openssh-5.6p1/configure.ac +Index: openssh-5.7p1/configure.ac =================================================================== ---- openssh-5.6p1.orig/configure.ac -+++ openssh-5.6p1/configure.ac -@@ -3393,6 +3393,20 @@ AC_ARG_WITH(selinux, +--- openssh-5.7p1.orig/configure.ac ++++ openssh-5.7p1/configure.ac +@@ -3521,6 +3521,20 @@ AC_ARG_WITH(selinux, fi ] ) @@ -88,7 +88,7 @@ Index: openssh-5.6p1/configure.ac # Check whether user wants Kerberos 5 support KRB5_MSG="no" AC_ARG_WITH(kerberos5, -@@ -4185,6 +4199,7 @@ echo " PAM support +@@ -4315,6 +4329,7 @@ echo " PAM support echo " OSF SIA support: $SIA_MSG" echo " KerberosV support: $KRB5_MSG" echo " SELinux support: $SELINUX_MSG" @@ -96,10 +96,10 @@ Index: openssh-5.6p1/configure.ac echo " Smartcard support: $SCARD_MSG" echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" -Index: openssh-5.6p1/loginrec.c +Index: openssh-5.7p1/loginrec.c =================================================================== ---- openssh-5.6p1.orig/loginrec.c -+++ openssh-5.6p1/loginrec.c +--- openssh-5.7p1.orig/loginrec.c ++++ openssh-5.7p1/loginrec.c @@ -176,6 +176,10 @@ #include "auth.h" #include "buffer.h" @@ -121,7 +121,7 @@ Index: openssh-5.6p1/loginrec.c int lastlog_write_entry(struct logininfo *li); int syslogin_write_entry(struct logininfo *li); -@@ -441,6 +448,10 @@ login_write(struct logininfo *li) +@@ -442,6 +449,10 @@ login_write(struct logininfo *li) /* set the timestamp */ login_set_current_time(li); @@ -132,7 +132,7 @@ Index: openssh-5.6p1/loginrec.c #ifdef USE_LOGIN syslogin_write_entry(li); #endif -@@ -1399,6 +1410,87 @@ wtmpx_get_entry(struct logininfo *li) +@@ -1406,6 +1417,87 @@ wtmpx_get_entry(struct logininfo *li) } #endif /* USE_WTMPX */ 
@@ -220,10 +220,10 @@ Index: openssh-5.6p1/loginrec.c /** ** Low-level libutil login() functions **/ -Index: openssh-5.6p1/loginrec.h +Index: openssh-5.7p1/loginrec.h =================================================================== ---- openssh-5.6p1.orig/loginrec.h -+++ openssh-5.6p1/loginrec.h +--- openssh-5.7p1.orig/loginrec.h ++++ openssh-5.7p1/loginrec.h @@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch char *line_abbrevname(char *dst, const char *src, int dstsize); diff --git a/openssh-5.6p1-blocksigalrm.diff b/openssh-5.7p1-blocksigalrm.diff similarity index 74% rename from openssh-5.6p1-blocksigalrm.diff rename to openssh-5.7p1-blocksigalrm.diff index 81f4c95..5b44ed0 100644 --- a/openssh-5.6p1-blocksigalrm.diff +++ b/openssh-5.7p1-blocksigalrm.diff @@ -1,4 +1,6 @@ ---- log.c +Index: log.c +=================================================================== +--- log.c.orig +++ log.c @@ -51,6 +51,7 @@ @@ -8,7 +10,7 @@ static LogLevel log_level = SYSLOG_LEVEL_INFO; static int log_on_stderr = 1; -@@ -336,6 +337,7 @@ +@@ -336,6 +337,7 @@ do_log(LogLevel level, const char *fmt, char fmtbuf[MSGBUFSIZ]; char *txt = NULL; int pri = LOG_INFO; 
@@ -16,22 +18,22 @@ int saved_errno = errno; if (level > log_level) -@@ -387,6 +389,14 @@ +@@ -387,6 +389,14 @@ do_log(LogLevel level, const char *fmt, snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf); write(STDERR_FILENO, msgbuf, strlen(msgbuf)); } else { + /* Prevent a race between the grace_alarm + * which writes a log message and terminates -+ * and main sshd code that leads to deadlock ++ * and main sshd code that leads to deadlock + * as syslog is not async safe. -+ */ ++ */ + sigemptyset(&nset); + sigaddset(&nset, SIGALRM); + sigprocmask(SIG_BLOCK, &nset, &oset); #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata); syslog_r(pri, &sdata, "%.500s", fmtbuf); -@@ -396,6 +406,7 @@ +@@ -396,6 +406,7 @@ do_log(LogLevel level, const char *fmt, syslog(pri, "%.500s", fmtbuf); closelog(); #endif diff --git a/openssh-5.6p1-default-protocol.diff b/openssh-5.7p1-default-protocol.diff similarity index 100% rename from openssh-5.6p1-default-protocol.diff rename to openssh-5.7p1-default-protocol.diff diff --git a/openssh-5.6p1-eal3.diff b/openssh-5.7p1-eal3.diff similarity index 58% rename from openssh-5.6p1-eal3.diff rename to openssh-5.7p1-eal3.diff index 8e31b05..7ebdb22 100644 --- a/openssh-5.6p1-eal3.diff +++ b/openssh-5.7p1-eal3.diff 
@@ -1,26 +1,26 @@ -Index: openssh-5.6p1/sshd.8 +Index: openssh-5.7p1/sshd.8 =================================================================== ---- openssh-5.6p1.orig/sshd.8 -+++ openssh-5.6p1/sshd.8 -@@ -850,7 +850,7 @@ Contains Diffie-Hellman groups used for +--- openssh-5.7p1.orig/sshd.8 ++++ openssh-5.7p1/sshd.8 +@@ -855,7 +855,7 @@ Contains Diffie-Hellman groups used for The file format is described in .Xr moduli 5 . .Pp --.It /etc/motd -+.It /etc/lib/motd +-.It Pa /etc/motd ++.It Pa /etc/lib/motd See .Xr motd 5 . .Pp -@@ -863,7 +863,7 @@ are displayed to anyone trying to log in +@@ -868,7 +868,7 @@ are displayed to anyone trying to log in refused. The file should be world-readable. .Pp --.It /etc/shosts.equiv -+.It /etc/ssh/shosts.equiv +-.It Pa /etc/shosts.equiv ++.It Pa /etc/ssh/shosts.equiv This file is used in exactly the same way as .Pa hosts.equiv , but allows host-based authentication without permitting login with -@@ -940,8 +940,7 @@ The content of this file is not sensitiv +@@ -947,8 +947,7 @@ The content of this file is not sensitiv .Xr ssh-keyscan 1 , .Xr chroot 2 , .Xr hosts_access 5 , @@ -30,11 +30,11 @@ Index: openssh-5.6p1/sshd.8 .Xr sshd_config 5 , .Xr inetd 8 , .Xr sftp-server 8 -Index: openssh-5.6p1/sshd_config.5 +Index: openssh-5.7p1/sshd_config.5 =================================================================== ---- openssh-5.6p1.orig/sshd_config.5 -+++ openssh-5.6p1/sshd_config.5 -@@ -496,7 +496,7 @@ or +--- openssh-5.7p1.orig/sshd_config.5 ++++ openssh-5.7p1/sshd_config.5 +@@ -497,7 +497,7 @@ or .Pp .Pa /etc/hosts.equiv and diff --git a/openssh-5.6p1-engines.diff b/openssh-5.7p1-engines.diff similarity index 74% rename from openssh-5.6p1-engines.diff rename to openssh-5.7p1-engines.diff index 53edf52..a1ff2f0 100644 --- a/openssh-5.6p1-engines.diff +++ b/openssh-5.7p1-engines.diff 
@@ -1,7 +1,7 @@ -Index: openssh-5.6p1/ssh-add.c +Index: openssh-5.7p1/ssh-add.c =================================================================== ---- openssh-5.6p1.orig/ssh-add.c -+++ openssh-5.6p1/ssh-add.c +--- openssh-5.7p1.orig/ssh-add.c ++++ openssh-5.7p1/ssh-add.c @@ -43,6 +43,7 @@ #include @@ -10,9 +10,9 @@ Index: openssh-5.6p1/ssh-add.c #include #include -@@ -374,6 +375,10 @@ main(int argc, char **argv) +@@ -377,6 +378,10 @@ main(int argc, char **argv) - SSLeay_add_all_algorithms(); + OpenSSL_add_all_algorithms(); + /* Init available hardware crypto engines. */ + ENGINE_load_builtin_engines(); @@ -21,10 +21,10 @@ Index: openssh-5.6p1/ssh-add.c /* At first, get a connection to the authentication agent. */ ac = ssh_get_authentication_connection(); if (ac == NULL) { -Index: openssh-5.6p1/ssh-agent.c +Index: openssh-5.7p1/ssh-agent.c =================================================================== ---- openssh-5.6p1.orig/ssh-agent.c -+++ openssh-5.6p1/ssh-agent.c +--- openssh-5.7p1.orig/ssh-agent.c ++++ openssh-5.7p1/ssh-agent.c @@ -52,6 +52,7 @@ #include #include @@ -33,9 +33,9 @@ Index: openssh-5.6p1/ssh-agent.c #include #include -@@ -1094,6 +1095,10 @@ main(int ac, char **av) +@@ -1153,6 +1154,10 @@ main(int ac, char **av) - SSLeay_add_all_algorithms(); + OpenSSL_add_all_algorithms(); + /* Init available hardware crypto engines. */ + ENGINE_load_builtin_engines(); @@ -44,10 +44,10 @@ Index: openssh-5.6p1/ssh-agent.c __progname = ssh_get_progname(av[0]); init_rng(); seed_rng(); -Index: openssh-5.6p1/ssh-keygen.c +Index: openssh-5.7p1/ssh-keygen.c =================================================================== ---- openssh-5.6p1.orig/ssh-keygen.c -+++ openssh-5.6p1/ssh-keygen.c +--- openssh-5.7p1.orig/ssh-keygen.c ++++ openssh-5.7p1/ssh-keygen.c @@ -22,6 +22,7 @@ #include #include 
@@ -56,10 +56,10 @@ Index: openssh-5.6p1/ssh-keygen.c #include #include -@@ -1782,6 +1783,11 @@ main(int argc, char **argv) +@@ -1815,6 +1816,11 @@ main(int argc, char **argv) __progname = ssh_get_progname(argv[0]); - SSLeay_add_all_algorithms(); + OpenSSL_add_all_algorithms(); + + /* Init available hardware crypto engines. */ + ENGINE_load_builtin_engines(); @@ -68,10 +68,10 @@ Index: openssh-5.6p1/ssh-keygen.c log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); init_rng(); -Index: openssh-5.6p1/ssh-keysign.c +Index: openssh-5.7p1/ssh-keysign.c =================================================================== ---- openssh-5.6p1.orig/ssh-keysign.c -+++ openssh-5.6p1/ssh-keysign.c +--- openssh-5.7p1.orig/ssh-keysign.c ++++ openssh-5.7p1/ssh-keysign.c @@ -38,6 +38,7 @@ #include #include @@ -83,7 +83,7 @@ Index: openssh-5.6p1/ssh-keysign.c @@ -195,6 +196,11 @@ main(int argc, char **argv) fatal("could not open any host key"); - SSLeay_add_all_algorithms(); + OpenSSL_add_all_algorithms(); + + /* Init available hardware crypto engines. */ + ENGINE_load_builtin_engines(); @@ -92,11 +92,11 @@ Index: openssh-5.6p1/ssh-keysign.c for (i = 0; i < 256; i++) rnd[i] = arc4random(); RAND_seed(rnd, sizeof(rnd)); -Index: openssh-5.6p1/ssh.c +Index: openssh-5.7p1/ssh.c =================================================================== ---- openssh-5.6p1.orig/ssh.c -+++ openssh-5.6p1/ssh.c -@@ -74,6 +74,7 @@ +--- openssh-5.7p1.orig/ssh.c ++++ openssh-5.7p1/ssh.c +@@ -75,6 +75,7 @@ #include #include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/sys-queue.h" @@ -104,8 +104,8 @@ Index: openssh-5.6p1/ssh.c #include "xmalloc.h" #include "ssh.h" -@@ -602,6 +603,10 @@ main(int ac, char **av) - SSLeay_add_all_algorithms(); +@@ -601,6 +602,10 @@ main(int ac, char **av) + OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); + /* Init available hardware crypto engines. */ 
@@ -115,10 +115,10 @@ Index: openssh-5.6p1/ssh.c /* Initialize the command to execute on remote host. */ buffer_init(&command); -Index: openssh-5.6p1/sshd.c +Index: openssh-5.7p1/sshd.c =================================================================== ---- openssh-5.6p1.orig/sshd.c -+++ openssh-5.6p1/sshd.c +--- openssh-5.7p1.orig/sshd.c ++++ openssh-5.7p1/sshd.c @@ -77,6 +77,7 @@ #include #include @@ -127,9 +127,9 @@ Index: openssh-5.6p1/sshd.c #ifdef HAVE_SECUREWARE #include -@@ -1471,6 +1472,10 @@ main(int ac, char **av) +@@ -1474,6 +1475,10 @@ main(int ac, char **av) - SSLeay_add_all_algorithms(); + OpenSSL_add_all_algorithms(); + /* Init available hardware crypto engines. */ + ENGINE_load_builtin_engines(); diff --git a/openssh-5.6p1-gssapimitm.patch b/openssh-5.7p1-gssapimitm.patch similarity index 90% rename from openssh-5.6p1-gssapimitm.patch rename to openssh-5.7p1-gssapimitm.patch index 1209f88..fbb2c81 100644 --- a/openssh-5.6p1-gssapimitm.patch +++ b/openssh-5.7p1-gssapimitm.patch @@ -22,9 +22,9 @@ Index: auth2-gss.c SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, &input_gssapi_exchange_complete); + -+ /* -+ * Old style 'gssapi' didn't have the GSSAPI_MIC -+ * and went straight to sending exchange_complete ++ /* ++ * Old style 'gssapi' didn't have the GSSAPI_MIC ++ * and went straight to sending exchange_complete + */ + if (options.gss_enable_mitm) + dispatch_set( @@ -68,7 +68,7 @@ Index: readconf.c =================================================================== --- readconf.c.orig +++ readconf.c -@@ -126,7 +126,7 @@ typedef enum { +@@ -128,7 +128,7 @@ typedef enum { oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 
@@ -77,7 +77,7 @@ Index: readconf.c oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oControlPath, oControlMaster, oControlPersist, oHashKnownHosts, -@@ -167,9 +167,11 @@ static struct { +@@ -170,9 +170,11 @@ static struct { #if defined(GSSAPI) { "gssapiauthentication", oGssAuthentication }, { "gssapidelegatecredentials", oGssDelegateCreds }, @@ -89,18 +89,18 @@ Index: readconf.c #endif { "fallbacktorsh", oDeprecated }, { "usersh", oDeprecated }, -@@ -477,6 +479,10 @@ parse_flag: - case oGssDelegateCreds: +@@ -483,6 +485,10 @@ parse_flag: intptr = &options->gss_deleg_creds; goto parse_flag; -+ + + case oGssEnableMITM: + intptr = &options->gss_enable_mitm; + goto parse_flag; - ++ case oBatchMode: intptr = &options->batch_mode; -@@ -1059,6 +1065,7 @@ initialize_options(Options * options) + goto parse_flag; +@@ -1093,6 +1099,7 @@ initialize_options(Options * options) options->challenge_response_authentication = -1; options->gss_authentication = -1; options->gss_deleg_creds = -1; @@ -108,7 +108,7 @@ Index: readconf.c options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; -@@ -1158,6 +1165,8 @@ fill_default_options(Options * options) +@@ -1195,6 +1202,8 @@ fill_default_options(Options * options) options->gss_authentication = 0; if (options->gss_deleg_creds == -1) options->gss_deleg_creds = 0; @@ -133,7 +133,7 @@ Index: servconf.c =================================================================== --- servconf.c.orig +++ servconf.c -@@ -94,6 +94,7 @@ initialize_server_options(ServerOptions +@@ -98,6 +98,7 @@ initialize_server_options(ServerOptions options->kerberos_get_afs_token = -1; options->gss_authentication=-1; options->gss_cleanup_creds = -1; 
@@ -141,7 +141,7 @@ Index: servconf.c options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; -@@ -217,6 +218,8 @@ fill_default_server_options(ServerOption +@@ -228,6 +229,8 @@ fill_default_server_options(ServerOption options->gss_authentication = 0; if (options->gss_cleanup_creds == -1) options->gss_cleanup_creds = 1; @@ -150,7 +150,7 @@ Index: servconf.c if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -307,7 +310,7 @@ typedef enum { +@@ -322,7 +325,7 @@ typedef enum { sBanner, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, @@ -159,7 +159,7 @@ Index: servconf.c sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, sZeroKnowledgePasswordAuthentication, sHostCertificate, -@@ -370,9 +373,11 @@ static struct { +@@ -386,9 +389,11 @@ static struct { #ifdef GSSAPI { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 
@@ -171,22 +171,22 @@ Index: servconf.c #endif { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, -@@ -929,6 +934,10 @@ process_server_config_line(ServerOptions - case sGssCleanupCreds: +@@ -948,6 +953,10 @@ process_server_config_line(ServerOptions intptr = &options->gss_cleanup_creds; goto parse_flag; -+ + + case sGssEnableMITM: + intptr = &options->gss_enable_mitm; + goto parse_flag; - ++ case sPasswordAuthentication: intptr = &options->password_authentication; + goto parse_flag; Index: servconf.h =================================================================== --- servconf.h.orig +++ servconf.h -@@ -95,6 +95,7 @@ typedef struct { +@@ -98,6 +98,7 @@ typedef struct { * authenticated with Kerberos. */ int gss_authentication; /* If true, permit GSSAPI authentication */ int gss_cleanup_creds; /* If true, destroy cred cache on logout */ @@ -203,11 +203,11 @@ Index: ssh_config # TunnelDevice any:any # PermitLocalCommand no +# GSSAPIAuthentication no -+# GSSAPIDelegateCredentials no ++# GSSAPIDelegateCredentials no + +# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication +# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included -+# in this release. The use of 'gssapi' is deprecated due to the presence of ++# in this release. The use of 'gssapi' is deprecated due to the presence of +# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to. +# GSSAPIEnableMITMAttack no + @@ -218,7 +218,7 @@ Index: sshconnect2.c =================================================================== --- sshconnect2.c.orig +++ sshconnect2.c -@@ -263,6 +263,10 @@ Authmethod authmethods[] = { +@@ -324,6 +324,10 @@ Authmethod authmethods[] = { NULL, &options.gss_authentication, NULL}, 
@@ -229,12 +229,12 @@ Index: sshconnect2.c #endif {"hostbased", userauth_hostbased, -@@ -640,7 +644,9 @@ process_gssapi_token(void *ctxt, gss_buf +@@ -701,7 +705,9 @@ process_gssapi_token(void *ctxt, gss_buf if (status == GSS_S_COMPLETE) { /* send either complete or MIC, depending on mechanism */ - if (!(flags & GSS_C_INTEG_FLAG)) { -+ ++ + if (strcmp(authctxt->method->name,"gssapi")==0 || + (!(flags & GSS_C_INTEG_FLAG))) { packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE); @@ -244,16 +244,15 @@ Index: sshd_config =================================================================== --- sshd_config.orig +++ sshd_config -@@ -72,6 +72,13 @@ PasswordAuthentication no +@@ -73,6 +73,12 @@ PasswordAuthentication no #GSSAPIAuthentication no #GSSAPICleanupCredentials yes +# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication +# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included -+# in this release. The use of 'gssapi' is deprecated due to the presence of ++# in this release. The use of 'gssapi' is deprecated due to the presence of +# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to. +#GSSAPIEnableMITMAttack no -+ + # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will diff --git a/openssh-5.6p1-homechroot.patch b/openssh-5.7p1-homechroot.patch similarity index 94% rename from openssh-5.6p1-homechroot.patch rename to openssh-5.7p1-homechroot.patch index bf86237..b0457a1 100644 --- a/openssh-5.6p1-homechroot.patch +++ b/openssh-5.7p1-homechroot.patch @@ -48,7 +48,7 @@ Index: session.c static void do_authenticated1(Authctxt *); static void do_authenticated2(Authctxt *); -@@ -806,6 +808,11 @@ do_exec(Session *s, const char *command) +@@ -808,6 +810,11 @@ do_exec(Session *s, const char *command) debug("Forced command (key option) '%.900s'", command); } 
@@ -60,7 +60,7 @@ Index: session.c #ifdef SSH_AUDIT_EVENTS if (command != NULL) PRIVSEP(audit_run_command(command)); -@@ -1419,6 +1426,63 @@ do_nologin(struct passwd *pw) +@@ -1421,6 +1428,63 @@ do_nologin(struct passwd *pw) } /* @@ -117,14 +117,14 @@ Index: session.c + } + } + fatal ("chroot into directory without nodev or nosuid"); -+ } ++ } +} + +/* * Chroot into a directory after checking it for safety: all path components * must be root-owned directories with strict permissions. */ -@@ -1428,6 +1492,7 @@ safely_chroot(const char *path, uid_t ui +@@ -1430,6 +1494,7 @@ safely_chroot(const char *path, uid_t ui const char *cp; char component[MAXPATHLEN]; struct stat st; @@ -132,7 +132,7 @@ Index: session.c if (*path != '/') fatal("chroot path does not begin at root"); -@@ -1439,7 +1504,7 @@ safely_chroot(const char *path, uid_t ui +@@ -1441,7 +1506,7 @@ safely_chroot(const char *path, uid_t ui * root-owned directory with strict permissions. */ for (cp = path; cp != NULL;) { @@ -141,7 +141,7 @@ Index: session.c strlcpy(component, path, sizeof(component)); else { cp++; -@@ -1452,14 +1517,20 @@ safely_chroot(const char *path, uid_t ui +@@ -1454,14 +1519,20 @@ safely_chroot(const char *path, uid_t ui if (stat(component, &st) != 0) fatal("%s: stat(\"%s\"): %s", __func__, component, strerror(errno)); @@ -163,7 +163,7 @@ Index: session.c } if (chdir(path) == -1) -@@ -1470,6 +1541,10 @@ safely_chroot(const char *path, uid_t ui +@@ -1472,6 +1543,10 @@ safely_chroot(const char *path, uid_t ui if (chdir("/") == -1) fatal("%s: chdir(/) after chroot: %s", __func__, strerror(errno)); @@ -257,7 +257,7 @@ Index: sshd_config.5 =================================================================== --- sshd_config.5.orig +++ sshd_config.5 -@@ -269,6 +269,17 @@ inside the chroot directory (see +@@ -268,6 +268,17 @@ inside the chroot directory (see .Xr sftp-server 8 for details). .Pp 
@@ -267,7 +267,7 @@ Index: sshd_config.5 +%h or +.Cm ChrootDirectory +/some/path/%u. The file system containing this directory must be -+mounted with options nodev and either nosuid or noexec. The owner of the ++mounted with options nodev and either nosuid or noexec. The owner of the +directory should be the user. The ownership of the other components of the path +must fulfill the usual conditions. No aditional files are required to be present +in the directory. diff --git a/openssh-5.7p1-host_ident.diff b/openssh-5.7p1-host_ident.diff new file mode 100644 index 0000000..cd47914 --- /dev/null +++ b/openssh-5.7p1-host_ident.diff @@ -0,0 +1,16 @@ +Index: openssh-5.7p1/sshconnect.c +=================================================================== +--- openssh-5.7p1.orig/sshconnect.c ++++ openssh-5.7p1/sshconnect.c +@@ -958,6 +958,11 @@ check_host_key(char *hostname, struct so + user_hostfile); + error("Offending %s key in %s:%lu", key_type(host_found->key), + host_found->file, host_found->line); ++ error("You can use following command to remove all keys for this IP:"); ++ if (host_found->file) ++ error("ssh-keygen -R %s -f %s", hostname, host_found->file); ++ else ++ error("ssh-keygen -R %s", hostname); + + /* + * If strict host key checking is in use, the user will have diff --git a/openssh-5.6p1-pam-fix2.diff b/openssh-5.7p1-pam-fix2.diff similarity index 94% rename from openssh-5.6p1-pam-fix2.diff rename to openssh-5.7p1-pam-fix2.diff index aced460..ff9a74d 100644 --- a/openssh-5.6p1-pam-fix2.diff +++ b/openssh-5.7p1-pam-fix2.diff @@ -2,7 +2,7 @@ Index: sshd_config =================================================================== --- sshd_config.orig +++ sshd_config -@@ -56,7 +56,7 @@ +@@ -57,7 +57,7 @@ #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! 
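Review bot: In the new openssh-5.7p1-host_ident.diff the added guard `if (host_found->file)` tests a pointer that the context line directly above it has already passed unconditionally to `%s` in `error("Offending %s key in %s:%lu", key_type(host_found->key), host_found->file, host_found->line);`, so the `else` branch that prints `ssh-keygen -R %s` without `-f` is only reachable after a NULL has already gone into a format string; either the guard is dead and should go, or it belongs where `host_found` is resolved, which is outside this hunk since check_host_key continues before and after it. The deleted 5.6p1 version at the top of this commit conditioned on `ip_file` and handed `ssh-keygen -R` the IP-keyed known_hosts file, whereas the rebase now passes the file the offending key was found in; that is presumably a deliberate adaptation to the new `host_found` structure, but the message still says "remove all keys for this IP" while `%s` is filled with `hostname`, so the wording and the argument no longer agree. Suggest reconciling the text with what is actually printed, e.g. `error("You can use the following command to remove the offending key:");`, and dropping the unreachable `-R %s`-only form rather than keeping two code paths.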
@@ -11,7 +11,7 @@ Index: sshd_config #PermitEmptyPasswords no # Change to no to disable s/key passwords -@@ -81,7 +81,7 @@ +@@ -82,7 +82,7 @@ # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. diff --git a/openssh-5.6p1-pam-fix3.diff b/openssh-5.7p1-pam-fix3.diff similarity index 63% rename from openssh-5.6p1-pam-fix3.diff rename to openssh-5.7p1-pam-fix3.diff index 3944982..00f907f 100644 --- a/openssh-5.6p1-pam-fix3.diff +++ b/openssh-5.7p1-pam-fix3.diff @@ -1,6 +1,8 @@ ---- auth-pam.c +Index: auth-pam.c +=================================================================== +--- auth-pam.c.orig +++ auth-pam.c -@@ -786,7 +786,9 @@ +@@ -786,7 +786,9 @@ sshpam_query(void *ctx, char **name, cha fatal("Internal error: PAM auth " "succeeded when it should have " "failed"); diff --git a/openssh-5.6p1-pts.diff b/openssh-5.7p1-pts.diff similarity index 85% rename from openssh-5.6p1-pts.diff rename to openssh-5.7p1-pts.diff index d961a44..0b0588c 100644 --- a/openssh-5.6p1-pts.diff +++ b/openssh-5.7p1-pts.diff @@ -2,7 +2,7 @@ Index: loginrec.c =================================================================== --- loginrec.c.orig +++ loginrec.c -@@ -554,7 +554,7 @@ getlast_entry(struct logininfo *li) +@@ -555,7 +555,7 @@ getlast_entry(struct logininfo *li) * 1. The full filename (including '/dev') * 2. The stripped name (excluding '/dev') * 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00 @@ -11,7 +11,7 @@ Index: loginrec.c * * Form 3 is used on some systems to identify a .tmp.? entry when * attempting to remove it. Typically both addition and removal is -@@ -615,6 +615,10 @@ line_abbrevname(char *dst, const char *s +@@ -616,6 +616,10 @@ line_abbrevname(char *dst, const char *s if (strncmp(src, "tty", 3) == 0) src += 3; #endif 
diff --git a/openssh-5.6p1-saveargv-fix.diff b/openssh-5.7p1-saveargv-fix.diff similarity index 93% rename from openssh-5.6p1-saveargv-fix.diff rename to openssh-5.7p1-saveargv-fix.diff index be151a1..5615eb9 100644 --- a/openssh-5.6p1-saveargv-fix.diff +++ b/openssh-5.7p1-saveargv-fix.diff @@ -10,7 +10,7 @@ Index: sshd.c logit("Received SIGHUP; restarting."); close_listen_socks(); close_startup_pipes(); -@@ -1316,7 +1317,11 @@ main(int ac, char **av) +@@ -1319,7 +1320,11 @@ main(int ac, char **av) #ifndef HAVE_SETPROCTITLE /* Prepare for later setproctitle emulation */ compat_init_setproctitle(ac, av); diff --git a/openssh-5.7p1-selinux.diff b/openssh-5.7p1-selinux.diff new file mode 100644 index 0000000..cb00e8e --- /dev/null +++ b/openssh-5.7p1-selinux.diff 
@@ -0,0 +1,173 @@ +Index: openssh-5.7p1/ChangeLog +=================================================================== +--- openssh-5.7p1.orig/ChangeLog ++++ openssh-5.7p1/ChangeLog +@@ -1,3 +1,10 @@ ++20110125 ++ - (djm) [configure.ac Makefile.in ssh.c openbsd-compat/port-linux.c ++ openbsd-compat/port-linux.h] Move SELinux-specific code from ssh.c to ++ port-linux.c to avoid compilation errors. Add -lselinux to ssh when ++ building with SELinux support to avoid linking failure; report from ++ amk AT spamfence.net; ok dtucker ++ + 20110122 + - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] Add + RSA_get_default_method() for the benefit of openssl versions that don't +Index: openssh-5.7p1/configure.ac +=================================================================== +--- openssh-5.7p1.orig/configure.ac ++++ openssh-5.7p1/configure.ac +@@ -1,4 +1,4 @@ +-# $Id: configure.ac,v 1.469 2011/01/21 22:37:05 dtucker Exp $ ++# $Id: configure.ac,v 1.470 2011/01/25 01:16:17 djm Exp $ + # + # Copyright (c) 1999-2004 Damien Miller + # +@@ -15,7 +15,7 @@ + # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
+ + AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org) +-AC_REVISION($Revision: 1.469 $) ++AC_REVISION($Revision: 1.470 $) + AC_CONFIG_SRCDIR([ssh.c]) + + # local macros +@@ -737,7 +737,6 @@ mips-sony-bsd|mips-sony-newsos4) + [ AC_DEFINE(USE_SOLARIS_PROCESS_CONTRACTS, 1, + [Define if you have Solaris process contracts]) + SSHDLIBS="$SSHDLIBS -lcontract" +- AC_SUBST(SSHDLIBS) + SPC_MSG="yes" ], ) + ], + ) +@@ -748,7 +747,6 @@ mips-sony-bsd|mips-sony-newsos4) + [ AC_DEFINE(USE_SOLARIS_PROJECTS, 1, + [Define if you have Solaris projects]) + SSHDLIBS="$SSHDLIBS -lproject" +- AC_SUBST(SSHDLIBS) + SP_MSG="yes" ], ) + ], + ) +@@ -3515,11 +3513,14 @@ AC_ARG_WITH(selinux, + LIBS="$LIBS -lselinux" + ], + AC_MSG_ERROR(SELinux support requires libselinux library)) ++ SSHLIBS="$SSHLIBS $LIBSELINUX" + SSHDLIBS="$SSHDLIBS $LIBSELINUX" + AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) + LIBS="$save_LIBS" + fi ] + ) ++AC_SUBST(SSHLIBS) ++AC_SUBST(SSHDLIBS) + + # Check whether user wants Linux audit support + LINUX_AUDIT_MSG="no" +@@ -4356,6 +4357,9 @@ echo " Libraries: ${LIBS}" + if test ! -z "${SSHDLIBS}"; then + echo " +for sshd: ${SSHDLIBS}" + fi ++if test ! -z "${SSHLIBS}"; then ++echo " +for ssh: ${SSHLIBS}" ++fi + + echo "" + +Index: openssh-5.7p1/Makefile.in +=================================================================== +--- openssh-5.7p1.orig/Makefile.in ++++ openssh-5.7p1/Makefile.in +@@ -1,4 +1,4 @@ +-# $Id: Makefile.in,v 1.320 2011/01/17 10:15:29 dtucker Exp $ ++# $Id: Makefile.in,v 1.321 2011/01/25 01:16:16 djm Exp $ + + # uncomment if you run a non bourne compatable shell. Ie. csh + #SHELL = @SH@ +@@ -47,6 +47,7 @@ CFLAGS=@CFLAGS@ + CPPFLAGS=-I. 
-I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ + LIBS=@LIBS@ + LIBAUDIT=@LIBAUDIT@ ++SSHLIBS=@SSHLIBS@ + SSHDLIBS=@SSHDLIBS@ + LIBEDIT=@LIBEDIT@ + AR=@AR@ +@@ -143,7 +144,7 @@ libssh.a: $(LIBSSH_OBJS) + $(RANLIB) $@ + + ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) +- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) + + sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) + $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(LIBAUDIT) +Index: openssh-5.7p1/openbsd-compat/port-linux.c +=================================================================== +--- openssh-5.7p1.orig/openbsd-compat/port-linux.c ++++ openssh-5.7p1/openbsd-compat/port-linux.c +@@ -1,4 +1,4 @@ +-/* $Id: port-linux.c,v 1.11 2011/01/17 07:50:24 dtucker Exp $ */ ++/* $Id: port-linux.c,v 1.12 2011/01/25 01:16:18 djm Exp $ */ + + /* + * Copyright (c) 2005 Daniel Walsh +@@ -205,6 +205,20 @@ ssh_selinux_change_context(const char *n + xfree(oldctx); + xfree(newctx); + } ++ ++void ++ssh_selinux_setfscreatecon(const char *path) ++{ ++ security_context_t context; ++ ++ if (path == NULL) { ++ setfscreatecon(NULL); ++ return; ++ } ++ matchpathcon(path, 0700, &context); ++ setfscreatecon(context); ++} ++ + #endif /* WITH_SELINUX */ + + #ifdef LINUX_OOM_ADJUST +Index: openssh-5.7p1/openbsd-compat/port-linux.h +=================================================================== +--- openssh-5.7p1.orig/openbsd-compat/port-linux.h ++++ openssh-5.7p1/openbsd-compat/port-linux.h +@@ -1,4 +1,4 @@ +-/* $Id: port-linux.h,v 1.4 2009/12/08 02:39:48 dtucker Exp $ */ ++/* $Id: port-linux.h,v 1.5 2011/01/25 01:16:18 djm Exp $ */ + + /* + * Copyright (c) 2006 Damien Miller +@@ -24,6 +24,7 @@ int ssh_selinux_enabled(void); + void ssh_selinux_setup_pty(char *, const char *); + void ssh_selinux_setup_exec_context(char *); + void ssh_selinux_change_context(const char *); ++void ssh_selinux_setfscreatecon(const char 
*); + #endif + + #ifdef LINUX_OOM_ADJUST +Index: openssh-5.7p1/ssh.c +=================================================================== +--- openssh-5.7p1.orig/ssh.c ++++ openssh-5.7p1/ssh.c +@@ -857,15 +857,12 @@ main(int ac, char **av) + strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR); + if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0) { + #ifdef WITH_SELINUX +- char *scon; +- +- matchpathcon(buf, 0700, &scon); +- setfscreatecon(scon); ++ ssh_selinux_setfscreatecon(buf); + #endif + if (mkdir(buf, 0700) < 0) + error("Could not create directory '%.200s'.", buf); + #ifdef WITH_SELINUX +- setfscreatecon(NULL); ++ ssh_selinux_setfscreatecon(NULL); + #endif + } + /* load options.identity_files */ diff --git a/openssh-5.6p1-send_locale.diff b/openssh-5.7p1-send_locale.diff similarity index 97% rename from openssh-5.6p1-send_locale.diff rename to openssh-5.7p1-send_locale.diff index 0140a84..615fe4b 100644 --- a/openssh-5.6p1-send_locale.diff +++ b/openssh-5.7p1-send_locale.diff @@ -8,8 +8,8 @@ Index: ssh_config ->>>>>>> +# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5). -+SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -+SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT ++SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES ++SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +SendEnv LC_IDENTIFICATION LC_ALL # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com 
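Review bot: In the port-linux.c part of this new patch, `ssh_selinux_setfscreatecon()` hands `context` to `setfscreatecon()` without checking that `matchpathcon()` succeeded, so when no file_contexts entry matches `path` (or the contexts database cannot be loaded) an uninitialized pointer reaches libselinux; the inline code this replaces in ssh.c had the same gap, and moving it into a helper is the moment to close it. The context returned by `matchpathcon()` is also never released with `freecon()`, and nothing checks `ssh_selinux_enabled()` (declared in the port-linux.h hunk just above) before calling into libselinux, which the other helpers in that file presumably do, though their bodies are outside this hunk. port-linux.c already logs through the log.h helpers (the deleted oomkill patch shows `debug3()`/`verbose()` in context), so a `matchpathcon()` failure can be reported with `debug()` rather than silently ignored. The new function would then look like the excerpt below; the `path == NULL` reset branch is unchanged.
```c
void
ssh_selinux_setfscreatecon(const char *path)
{
	security_context_t context;

	/* Nothing to do (and libselinux may fail) when SELinux is off. */
	if (!ssh_selinux_enabled())
		return;
	/* … unchanged: path == NULL resets the create context and returns … */
	if (matchpathcon(path, 0700, &context) != 0) {
		debug("%s: matchpathcon failed for %s", __func__, path);
		return;
	}
	setfscreatecon(context);
	freecon(context);
}
```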
@@ -22,8 +22,8 @@ Index: sshd_config Subsystem sftp /usr/libexec/sftp-server +# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5). -+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT ++AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES ++AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +AcceptEnv LC_IDENTIFICATION LC_ALL + # Example of overriding settings on a per-user basis diff --git a/openssh-5.6p1-sshconfig-knownhostschanges.diff b/openssh-5.7p1-sshconfig-knownhostschanges.diff similarity index 92% rename from openssh-5.6p1-sshconfig-knownhostschanges.diff rename to openssh-5.7p1-sshconfig-knownhostschanges.diff index 1468a63..3c40d16 100644 --- a/openssh-5.6p1-sshconfig-knownhostschanges.diff +++ b/openssh-5.7p1-sshconfig-knownhostschanges.diff @@ -2,11 +2,12 @@ Index: ssh_config =================================================================== --- ssh_config.orig +++ ssh_config -@@ -67,5 +67,12 @@ ForwardX11Trusted yes - SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES - SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +@@ -67,5 +67,13 @@ ForwardX11Trusted yes + SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT SendEnv LC_IDENTIFICATION LC_ALL -# VisualHostKey no ++ +# This will print the fingerprint of the host key in "visual" form +# this should make it easier to also recognize bad things +VisualHostKey no diff --git a/openssh-5.6p1-xauth.diff b/openssh-5.7p1-xauth.diff similarity index 97% rename from openssh-5.6p1-xauth.diff rename to openssh-5.7p1-xauth.diff index d78e48a..fa26468 100644 --- a/openssh-5.6p1-xauth.diff +++ b/openssh-5.7p1-xauth.diff 
@@ -2,7 +2,7 @@ Index: session.c =================================================================== --- session.c.orig +++ session.c -@@ -2525,8 +2525,41 @@ void +@@ -2463,8 +2463,41 @@ void session_close(Session *s) { u_int i; diff --git a/openssh-5.6p1-xauthlocalhostname.diff b/openssh-5.7p1-xauthlocalhostname.diff similarity index 80% rename from openssh-5.6p1-xauthlocalhostname.diff rename to openssh-5.7p1-xauthlocalhostname.diff index ead1794..31e548f 100644 --- a/openssh-5.6p1-xauthlocalhostname.diff +++ b/openssh-5.7p1-xauthlocalhostname.diff @@ -2,7 +2,7 @@ Index: session.c =================================================================== --- session.c.orig +++ session.c -@@ -1114,7 +1114,7 @@ copy_environment(char **source, char *** +@@ -1116,7 +1116,7 @@ copy_environment(char **source, char *** } static char ** @@ -11,7 +11,7 @@ Index: session.c { char buf[256]; u_int i, envsize; -@@ -1301,6 +1301,8 @@ do_setup_env(Session *s, const char *she +@@ -1303,6 +1303,8 @@ do_setup_env(Session *s, const char *she for (i = 0; env[i]; i++) fprintf(stderr, " %.200s\n", env[i]); } @@ -20,7 +20,7 @@ Index: session.c return env; } -@@ -1309,7 +1311,7 @@ do_setup_env(Session *s, const char *she +@@ -1311,7 +1313,7 @@ do_setup_env(Session *s, const char *she * first in this order). */ static void @@ -29,12 +29,12 @@ Index: session.c { FILE *f = NULL; char cmd[1024]; -@@ -1363,12 +1365,20 @@ do_rc_files(Session *s, const char *shel +@@ -1365,12 +1367,20 @@ do_rc_files(Session *s, const char *shel options.xauth_location); f = popen(cmd, "w"); if (f) { + char hostname[MAXHOSTNAMELEN]; -+ ++ fprintf(f, "remove %s\n", s->auth_display); fprintf(f, "add %s %s %s\n", @@ -50,7 +50,7 @@ Index: session.c } else { fprintf(stderr, "Could not run %s\n", cmd); -@@ -1670,6 +1680,7 @@ do_child(Session *s, const char *command +@@ -1608,6 +1618,7 @@ do_child(Session *s, const char *command { extern char **environ; char **env; 
@@ -58,7 +58,7 @@ Index: session.c char *argv[ARGV_MAX]; const char *shell, *shell0, *hostname = NULL; struct passwd *pw = s->pw; -@@ -1736,7 +1747,7 @@ do_child(Session *s, const char *command +@@ -1674,7 +1685,7 @@ do_child(Session *s, const char *command * Make sure $SHELL points to the shell from the password file, * even if shell is overridden from login.conf */ @@ -67,7 +67,7 @@ Index: session.c #ifdef HAVE_LOGIN_CAP shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); -@@ -1805,7 +1816,7 @@ do_child(Session *s, const char *command +@@ -1743,7 +1754,7 @@ do_child(Session *s, const char *command closefrom(STDERR_FILENO + 1); if (!options.use_login) diff --git a/openssh-5.6p1.dif b/openssh-5.7p1.dif similarity index 97% rename from openssh-5.6p1.dif rename to openssh-5.7p1.dif index d5e2d6e..6272e6e 100644 --- a/openssh-5.6p1.dif +++ b/openssh-5.7p1.dif @@ -17,7 +17,7 @@ Index: ssh_config +# remote side (the "spoofed" X-server by the remote sshd) can read your +# keystrokes as you type, just like any other X11 client could do. +# Set this to "no" here for global effect or in your own ~/.ssh/config -+# file if you want to have the remote X11 authentification data to ++# file if you want to have the remote X11 authentification data to +# expire after two minutes after remote login. +ForwardX11Trusted yes + @@ -28,12 +28,12 @@ Index: sshd_config =================================================================== --- sshd_config.orig +++ sshd_config -@@ -86,7 +86,7 @@ +@@ -87,7 +87,7 @@ #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no -#X11Forwarding no -+X11Forwarding yes ++X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes diff --git a/openssh-5.7p1.tar.bz2 b/openssh-5.7p1.tar.bz2 new file mode 100644 index 0000000..187903c --- /dev/null +++ b/openssh-5.7p1.tar.bz2 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e8e4d63cbfdd0c97f8856693b4412e0bda78bb152ec1cb6f426193dc16d412c3 +size 894451 diff --git a/openssh-SuSE.tar.bz2 b/openssh-SuSE.tar.bz2 index e003337..8708b10 100644 --- a/openssh-SuSE.tar.bz2 +++ b/openssh-SuSE.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:0b46d50d58800dc184448c70485265894d97da90749019917708c22ac8845753 -size 1943 +oid sha256:a73f20ff86a679a64f3b94a666dc9e7e1b442fb2da09ddb56f9a01f4dbdbc241 +size 1975 diff --git a/openssh-askpass-gnome.changes b/openssh-askpass-gnome.changes index 0ec2e59..55fec3e 100644 --- a/openssh-askpass-gnome.changes +++ b/openssh-askpass-gnome.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Mon Jan 24 11:51:10 UTC 2011 - lchiquitto@novell.com + +- Update to 5.7p1 + ------------------------------------------------------------------- Wed Jan 12 13:37:38 CET 2011 - sbrabec@suse.cz diff --git a/openssh-askpass-gnome.spec b/openssh-askpass-gnome.spec index 0845be4..9894733 100644 --- a/openssh-askpass-gnome.spec +++ b/openssh-askpass-gnome.spec @@ -1,5 +1,5 @@ # -# spec file for package openssh-askpass-gnome (Version 5.6p1) +# spec file for package openssh-askpass-gnome (Version 5.7p1) # # Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -22,8 +22,8 @@ Name: openssh-askpass-gnome BuildRequires: gtk2-devel krb5-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files License: BSD3c(or similar) Group: Productivity/Networking/SSH -Version: 5.6p1 -Release: 8 +Version: 5.7p1 +Release: 1 Requires: openssh = %{version} openssh-askpass = %{version} AutoReqProv: on Summary: A GNOME-Based Passphrase Dialog for OpenSSH diff --git a/openssh-linux-new-oomkill.patch b/openssh-linux-new-oomkill.patch deleted file mode 100644 index fee09c3..0000000 --- a/openssh-linux-new-oomkill.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -Index: openbsd-compat/port-linux.c -=================================================================== -RCS file: /home/dtucker/openssh/cvs/openssh/openbsd-compat/port-linux.c,v -retrieving revision 1.9 -diff -u -p -r1.9 port-linux.c ---- openbsd-compat/port-linux.c 10 Sep 2010 00:30:25 -0000 1.9 -+++ openbsd-compat/port-linux.c 16 Nov 2010 05:10:13 -0000 -@@ -208,14 +208,21 @@ ssh_selinux_change_context(const char *n - #endif /* WITH_SELINUX */ - - #ifdef LINUX_OOM_ADJUST --#define OOM_ADJ_PATH "/proc/self/oom_adj" - /* -- * The magic "don't kill me", as documented in eg: -+ * The magic "don't kill me" values, old and new, as documented in eg: - * http://lxr.linux.no/#linux+v2.6.32/Documentation/filesystems/proc.txt -+ * http://lxr.linux.no/#linux+v2.6.36/Documentation/filesystems/proc.txt - */ --#define OOM_ADJ_NOKILL -17 - - static int oom_adj_save = INT_MIN; -+static char *oom_adj_path = NULL; -+struct { -+ char *path; -+ int value; -+} oom_adjust[] = { -+ {"/proc/self/oom_score_adj", -1000}, /* new values, 2.6.36 and up */ -+ {"/proc/self/oom_adj", -17}, /* old values, 2.6.35 and down */ -+}; - - /* - * Tell the kernel's out-of-memory killer to avoid sshd. 
-@@ -224,23 +231,31 @@ static int oom_adj_save = INT_MIN; - void - oom_adjust_setup(void) - { -+ int i, value; - FILE *fp; - - debug3("%s", __func__); -- if ((fp = fopen(OOM_ADJ_PATH, "r+")) != NULL) { -- if (fscanf(fp, "%d", &oom_adj_save) != 1) -- verbose("error reading %s: %s", OOM_ADJ_PATH, strerror(errno)); -- else { -- rewind(fp); -- if (fprintf(fp, "%d\n", OOM_ADJ_NOKILL) <= 0) -- verbose("error writing %s: %s", -- OOM_ADJ_PATH, strerror(errno)); -- else -- verbose("Set %s from %d to %d", -- OOM_ADJ_PATH, oom_adj_save, OOM_ADJ_NOKILL); -+ for (i = 0; i < 2; i++) { -+ oom_adj_path = oom_adjust[i].path; -+ value = oom_adjust[i].value; -+ if ((fp = fopen(oom_adj_path, "r+")) != NULL) { -+ if (fscanf(fp, "%d", &oom_adj_save) != 1) -+ verbose("error reading %s: %s", oom_adj_path, -+ strerror(errno)); -+ else { -+ rewind(fp); -+ if (fprintf(fp, "%d\n", value) <= 0) -+ verbose("error writing %s: %s", -+ oom_adj_path, strerror(errno)); -+ else -+ verbose("Set %s from %d to %d", -+ oom_adj_path, oom_adj_save, value); -+ } -+ fclose(fp); -+ return; - } -- fclose(fp); - } -+ oom_adj_path = NULL; - } - - /* Restore the saved OOM adjustment */ -@@ -250,13 +265,14 @@ oom_adjust_restore(void) - FILE *fp; - - debug3("%s", __func__); -- if (oom_adj_save == INT_MIN || (fp = fopen(OOM_ADJ_PATH, "w")) == NULL) -+ if (oom_adj_save == INT_MIN || oom_adj_save == NULL || -+ (fp = fopen(oom_adj_path, "w")) == NULL) - return; - - if (fprintf(fp, "%d\n", oom_adj_save) <= 0) -- verbose("error writing %s: %s", OOM_ADJ_PATH, strerror(errno)); -+ verbose("error writing %s: %s", oom_adj_path, strerror(errno)); - else -- verbose("Set %s to %d", OOM_ADJ_PATH, oom_adj_save); -+ verbose("Set %s to %d", oom_adj_path, oom_adj_save); - - fclose(fp); - return; diff --git a/openssh.changes b/openssh.changes index 97a12f7..23de35e 100644 --- a/openssh.changes +++ b/openssh.changes 
@@ -1,3 +1,39 @@ +------------------------------------------------------------------- +Mon Jan 24 11:24:59 UTC 2011 - lchiquitto@novell.com + +- Update to 5.7p1 + * Implement Elliptic Curve Cryptography modes for key exchange (ECDH) + and host/user keys (ECDSA) as specified by RFC5656. + * sftp(1)/sftp-server(8): add a protocol extension to support a hard + link operation. + * scp(1): Add a new -3 option to scp: Copies between two remote hosts + are transferred through the local host. + * ssh(1): automatically order the hostkeys requested by the client + based on which hostkeys are already recorded in known_hosts. + * ssh(1)/sshd(8): add a new IPQoS option to specify arbitrary + TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput. + * sftp(1): the sftp client is now significantly faster at performing + directory listings, using OpenBSD glob(3) extensions to preserve + the results of stat(3) operations performed in the course of its + execution rather than performing expensive round trips to fetch + them again afterwards. + * ssh(1): "atomically" create the listening mux socket by binding it on + a temporary name and then linking it into position after listen() has + succeeded. + * ssh(1)/sshd(8): add a KexAlgorithms knob to the client and server + configuration to allow selection of which key exchange methods are + used by ssh(1) and sshd(8) and their order of preference. + * sftp(1)/scp(1): factor out bandwidth limiting code from scp(1) into + a generic bandwidth limiter that can be attached using the atomicio + callback mechanism and use it to add a bandwidth limit option to + sftp(1). + * Support building against openssl-1.0.0a. + * Bug fixes. +- Remove patches that are now upstream: + * openssh-5.6p1-tmpdir.diff + * openssh-linux-new-oomkill.patch +- Add upstream patch to fix build with SELinux enabled. + ------------------------------------------------------------------- Wed Jan 12 13:37:38 CET 2011 - sbrabec@suse.cz 
diff --git a/openssh.spec b/openssh.spec index 1fe45c2..1a36f5b 100644 --- a/openssh.spec +++ b/openssh.spec @@ -1,5 +1,5 @@ # -# spec file for package openssh (Version 5.6p1) +# spec file for package openssh (Version 5.7p1) # # Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -29,8 +29,8 @@ Requires: /bin/netstat PreReq: pwdutils %insserv_prereq %fillup_prereq coreutils Conflicts: nonfreessh AutoReqProv: on -Version: 5.6p1 -Release: 8 +Version: 5.7p1 +Release: 1 %define xversion 1.2.4.1 Summary: Secure Shell Client and Server (Remote Login Program) Url: http://www.openssh.com/ @@ -55,7 +55,6 @@ Patch7: %{name}-%{version}-engines.diff Patch8: %{name}-%{version}-blocksigalrm.diff Patch9: %{name}-%{version}-send_locale.diff Patch10: %{name}-%{version}-xauthlocalhostname.diff -Patch11: %{name}-%{version}-tmpdir.diff Patch12: %{name}-%{version}-xauth.diff Patch14: %{name}-%{version}-default-protocol.diff Patch15: %{name}-%{version}-audit.patch @@ -63,7 +62,7 @@ Patch16: %{name}-%{version}-pts.diff Patch17: %{name}-%{version}-homechroot.patch Patch18: %{name}-%{version}-sshconfig-knownhostschanges.diff Patch19: %{name}-%{version}-host_ident.diff -Patch20: openssh-linux-new-oomkill.patch +Patch20: %{name}-%{version}-selinux.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %package askpass @@ -101,7 +100,6 @@ Window System passphrase dialog for OpenSSH. %patch8 %patch9 %patch10 -%patch11 %patch12 %patch14 %patch15 -p1 @@ -109,7 +107,7 @@ Window System passphrase dialog for OpenSSH. %patch17 %patch18 %patch19 -p1 -%patch20 +%patch20 -p1 cp -v %{SOURCE4} . cp -v %{SOURCE6} . cd ../x11-ssh-askpass-%{xversion}