Accepting request 59094 from home:leonardocf:branches:network
ok OBS-URL: https://build.opensuse.org/request/show/59094 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=4
parent
c87fe92d21
commit
2e210d7ee3
@ -1,16 +0,0 @@
|
||||
Index: openssh-5.5p1/sshconnect.c
|
||||
===================================================================
|
||||
--- openssh-5.5p1.orig/sshconnect.c
|
||||
+++ openssh-5.5p1/sshconnect.c
|
||||
@@ -916,6 +916,11 @@ check_host_key(char *hostname, struct so
|
||||
error("Add correct host key in %.100s to get rid of this message.",
|
||||
user_hostfile);
|
||||
error("Offending key in %s:%d", host_file, host_line);
|
||||
+ error("You can use following command to remove all keys for this IP:");
|
||||
+ if (ip_file)
|
||||
+ error("ssh-keygen -R %s -f %s", hostname, ip_file);
|
||||
+ else
|
||||
+ error("ssh-keygen -R %s", hostname);
|
||||
|
||||
/*
|
||||
* If strict host key checking is in use, the user will have
|
@ -1,24 +0,0 @@
|
||||
Index: ssh-agent.c
|
||||
===================================================================
|
||||
--- ssh-agent.c.orig
|
||||
+++ ssh-agent.c
|
||||
@@ -1177,8 +1177,18 @@ main(int ac, char **av)
|
||||
parent_pid = getpid();
|
||||
|
||||
if (agentsocket == NULL) {
|
||||
+ char *tmp1, *tmp;
|
||||
+ char *tmp2 = "ssh-XXXXXXXXXX";
|
||||
+ size_t len;
|
||||
+
|
||||
+ if ((tmp1 = getenv("TMPDIR")) == NULL)
|
||||
+ tmp1 = "/tmp";
|
||||
+ len = strlen(tmp1) + strlen(tmp2) + 1;
|
||||
+ tmp = malloc(len);
|
||||
+ snprintf(tmp, len, "%s%s%s", tmp1, tmp1 && strlen(tmp1) > 0 ? "/" : "", tmp2);
|
||||
/* Create private directory for agent socket */
|
||||
- strlcpy(socket_dir, "/tmp/ssh-XXXXXXXXXX", sizeof socket_dir);
|
||||
+ strlcpy(socket_dir, tmp, sizeof socket_dir);
|
||||
+ free(tmp);
|
||||
if (mkdtemp(socket_dir) == NULL) {
|
||||
perror("mkdtemp: private socket dir");
|
||||
exit(1);
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:7ee242e0236597108ed3156420e6a7d517fffe21d89755c37f09cceb5d796e4c
|
||||
size 896204
|
@ -1,6 +1,8 @@
|
||||
--- x11-ssh-askpass.c
|
||||
Index: x11-ssh-askpass.c
|
||||
===================================================================
|
||||
--- x11-ssh-askpass.c.orig
|
||||
+++ x11-ssh-askpass.c
|
||||
@@ -1301,7 +1301,7 @@
|
||||
@@ -1301,7 +1301,7 @@ void handleKeyPress(AppInfo *app, XEvent
|
||||
}
|
||||
}
|
||||
|
||||
@ -9,7 +11,7 @@
|
||||
{
|
||||
/* 'gcc -Wall' complains about 'app' being an unused parameter.
|
||||
* Tough. We might want to use it later, and then we don't have
|
||||
@@ -1343,11 +1343,11 @@
|
||||
@@ -1343,11 +1343,11 @@ void handleButtonPress(AppInfo *app, XEv
|
||||
return;
|
||||
}
|
||||
if (ButtonPress == event->type) {
|
||||
@ -23,7 +25,7 @@
|
||||
d->pressedButton = CANCEL_BUTTON;
|
||||
d->cancelButton.pressed = True;
|
||||
paintButton(app, d->dialogWindow, d->cancelButton);
|
||||
@@ -1356,7 +1356,7 @@
|
||||
@@ -1356,7 +1356,7 @@ void handleButtonPress(AppInfo *app, XEv
|
||||
}
|
||||
} else if (ButtonRelease == event->type) {
|
||||
if (OK_BUTTON == d->pressedButton) {
|
||||
@ -32,7 +34,7 @@
|
||||
acceptAction(app);
|
||||
} else {
|
||||
if (d->okButton.pressed) {
|
||||
@@ -1365,7 +1365,7 @@
|
||||
@@ -1365,7 +1365,7 @@ void handleButtonPress(AppInfo *app, XEv
|
||||
}
|
||||
}
|
||||
} else if (CANCEL_BUTTON == d->pressedButton) {
|
||||
@ -41,7 +43,7 @@
|
||||
cancelAction(app);
|
||||
} else {
|
||||
if (d->cancelButton.pressed) {
|
||||
@@ -1385,7 +1385,7 @@
|
||||
@@ -1385,7 +1385,7 @@ void handlePointerMotion(AppInfo *app, X
|
||||
if (NO_BUTTON == d->pressedButton) {
|
||||
return;
|
||||
} else if (OK_BUTTON == d->pressedButton) {
|
||||
@ -50,7 +52,7 @@
|
||||
if (!(d->okButton.pressed)) {
|
||||
d->okButton.pressed = True;
|
||||
paintButton(app, d->dialogWindow, d->okButton);
|
||||
@@ -1397,7 +1397,7 @@
|
||||
@@ -1397,7 +1397,7 @@ void handlePointerMotion(AppInfo *app, X
|
||||
}
|
||||
}
|
||||
} else if (CANCEL_BUTTON == d->pressedButton) {
|
||||
@ -59,9 +61,11 @@
|
||||
if (!(d->cancelButton.pressed)) {
|
||||
d->cancelButton.pressed = True;
|
||||
paintButton(app, d->dialogWindow, d->cancelButton);
|
||||
--- x11-ssh-askpass.h
|
||||
Index: x11-ssh-askpass.h
|
||||
===================================================================
|
||||
--- x11-ssh-askpass.h.orig
|
||||
+++ x11-ssh-askpass.h
|
||||
@@ -258,7 +258,7 @@
|
||||
@@ -258,7 +258,7 @@ void erasePassphrase(AppInfo *app);
|
||||
void addToPassphrase(AppInfo *app, char c);
|
||||
|
||||
void handleKeyPress(AppInfo *app, XEvent *event);
|
@ -1,9 +1,9 @@
|
||||
# add support for Linux audit (FATE #120269)
|
||||
================================================================================
|
||||
Index: openssh-5.6p1/Makefile.in
|
||||
Index: openssh-5.7p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-5.6p1.orig/Makefile.in
|
||||
+++ openssh-5.6p1/Makefile.in
|
||||
--- openssh-5.7p1.orig/Makefile.in
|
||||
+++ openssh-5.7p1/Makefile.in
|
||||
@@ -46,6 +46,7 @@ LD=@LD@
|
||||
CFLAGS=@CFLAGS@
|
||||
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
|
||||
@ -12,7 +12,7 @@ Index: openssh-5.6p1/Makefile.in
|
||||
SSHDLIBS=@SSHDLIBS@
|
||||
LIBEDIT=@LIBEDIT@
|
||||
AR=@AR@
|
||||
@@ -142,7 +143,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SS
|
||||
@@ -145,7 +146,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SS
|
||||
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
@ -21,10 +21,10 @@ Index: openssh-5.6p1/Makefile.in
|
||||
|
||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
|
||||
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
Index: openssh-5.6p1/auth.c
|
||||
Index: openssh-5.7p1/auth.c
|
||||
===================================================================
|
||||
--- openssh-5.6p1.orig/auth.c
|
||||
+++ openssh-5.6p1/auth.c
|
||||
--- openssh-5.7p1.orig/auth.c
|
||||
+++ openssh-5.7p1/auth.c
|
||||
@@ -293,6 +293,12 @@ auth_log(Authctxt *authctxt, int authent
|
||||
get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
|
||||
# endif
|
||||
@ -38,7 +38,7 @@ Index: openssh-5.6p1/auth.c
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
if (authenticated == 0 && !authctxt->postponed)
|
||||
audit_event(audit_classify_auth(method));
|
||||
@@ -586,6 +592,10 @@ getpwnamallow(const char *user)
|
||||
@@ -592,6 +598,10 @@ getpwnamallow(const char *user)
|
||||
record_failed_login(user,
|
||||
get_canonical_hostname(options.use_dns), "ssh");
|
||||
#endif
|
||||
@ -49,11 +49,11 @@ Index: openssh-5.6p1/auth.c
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
audit_event(SSH_INVALID_USER);
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
Index: openssh-5.6p1/config.h.in
|
||||
Index: openssh-5.7p1/config.h.in
|
||||
===================================================================
|
||||
--- openssh-5.6p1.orig/config.h.in
|
||||
+++ openssh-5.6p1/config.h.in
|
||||
@@ -1424,6 +1424,9 @@
|
||||
--- openssh-5.7p1.orig/config.h.in
|
||||
+++ openssh-5.7p1/config.h.in
|
||||
@@ -1460,6 +1460,9 @@
|
||||
/* Define if you want SELinux support. */
|
||||
#undef WITH_SELINUX
|
||||
|
||||
@ -63,11 +63,11 @@ Index: openssh-5.6p1/config.h.in
|
||||
/* Define to 1 if your processor stores words with the most significant byte
|
||||
first (like Motorola and SPARC, unlike Intel and VAX). */
|
||||
#undef WORDS_BIGENDIAN
|
||||
Index: openssh-5.6p1/configure.ac
|
||||
Index: openssh-5.7p1/configure.ac
|
||||
===================================================================
|
||||
--- openssh-5.6p1.orig/configure.ac
|
||||
+++ openssh-5.6p1/configure.ac
|
||||
@@ -3393,6 +3393,20 @@ AC_ARG_WITH(selinux,
|
||||
--- openssh-5.7p1.orig/configure.ac
|
||||
+++ openssh-5.7p1/configure.ac
|
||||
@@ -3521,6 +3521,20 @@ AC_ARG_WITH(selinux,
|
||||
fi ]
|
||||
)
|
||||
|
||||
@ -88,7 +88,7 @@ Index: openssh-5.6p1/configure.ac
|
||||
# Check whether user wants Kerberos 5 support
|
||||
KRB5_MSG="no"
|
||||
AC_ARG_WITH(kerberos5,
|
||||
@@ -4185,6 +4199,7 @@ echo " PAM support
|
||||
@@ -4315,6 +4329,7 @@ echo " PAM support
|
||||
echo " OSF SIA support: $SIA_MSG"
|
||||
echo " KerberosV support: $KRB5_MSG"
|
||||
echo " SELinux support: $SELINUX_MSG"
|
||||
@ -96,10 +96,10 @@ Index: openssh-5.6p1/configure.ac
|
||||
echo " Smartcard support: $SCARD_MSG"
|
||||
echo " S/KEY support: $SKEY_MSG"
|
||||
echo " TCP Wrappers support: $TCPW_MSG"
|
||||
Index: openssh-5.6p1/loginrec.c
|
||||
Index: openssh-5.7p1/loginrec.c
|
||||
===================================================================
|
||||
--- openssh-5.6p1.orig/loginrec.c
|
||||
+++ openssh-5.6p1/loginrec.c
|
||||
--- openssh-5.7p1.orig/loginrec.c
|
||||
+++ openssh-5.7p1/loginrec.c
|
||||
@@ -176,6 +176,10 @@
|
||||
#include "auth.h"
|
||||
#include "buffer.h"
|
||||
@ -121,7 +121,7 @@ Index: openssh-5.6p1/loginrec.c
|
||||
int lastlog_write_entry(struct logininfo *li);
|
||||
int syslogin_write_entry(struct logininfo *li);
|
||||
|
||||
@@ -441,6 +448,10 @@ login_write(struct logininfo *li)
|
||||
@@ -442,6 +449,10 @@ login_write(struct logininfo *li)
|
||||
|
||||
/* set the timestamp */
|
||||
login_set_current_time(li);
|
||||
@ -132,7 +132,7 @@ Index: openssh-5.6p1/loginrec.c
|
||||
#ifdef USE_LOGIN
|
||||
syslogin_write_entry(li);
|
||||
#endif
|
||||
@@ -1399,6 +1410,87 @@ wtmpx_get_entry(struct logininfo *li)
|
||||
@@ -1406,6 +1417,87 @@ wtmpx_get_entry(struct logininfo *li)
|
||||
}
|
||||
#endif /* USE_WTMPX */
|
||||
|
||||
@ -220,10 +220,10 @@ Index: openssh-5.6p1/loginrec.c
|
||||
/**
|
||||
** Low-level libutil login() functions
|
||||
**/
|
||||
Index: openssh-5.6p1/loginrec.h
|
||||
Index: openssh-5.7p1/loginrec.h
|
||||
===================================================================
|
||||
--- openssh-5.6p1.orig/loginrec.h
|
||||
+++ openssh-5.6p1/loginrec.h
|
||||
--- openssh-5.7p1.orig/loginrec.h
|
||||
+++ openssh-5.7p1/loginrec.h
|
||||
@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
|
||||
char *line_abbrevname(char *dst, const char *src, int dstsize);
|
||||
|
@ -1,4 +1,6 @@
|
||||
--- log.c
|
||||
Index: log.c
|
||||
===================================================================
|
||||
--- log.c.orig
|
||||
+++ log.c
|
||||
@@ -51,6 +51,7 @@
|
||||
|
||||
@ -8,7 +10,7 @@
|
||||
|
||||
static LogLevel log_level = SYSLOG_LEVEL_INFO;
|
||||
static int log_on_stderr = 1;
|
||||
@@ -336,6 +337,7 @@
|
||||
@@ -336,6 +337,7 @@ do_log(LogLevel level, const char *fmt,
|
||||
char fmtbuf[MSGBUFSIZ];
|
||||
char *txt = NULL;
|
||||
int pri = LOG_INFO;
|
||||
@ -16,7 +18,7 @@
|
||||
int saved_errno = errno;
|
||||
|
||||
if (level > log_level)
|
||||
@@ -387,6 +389,14 @@
|
||||
@@ -387,6 +389,14 @@ do_log(LogLevel level, const char *fmt,
|
||||
snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf);
|
||||
write(STDERR_FILENO, msgbuf, strlen(msgbuf));
|
||||
} else {
|
||||
@ -31,7 +33,7 @@
|
||||
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
||||
openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
|
||||
syslog_r(pri, &sdata, "%.500s", fmtbuf);
|
||||
@@ -396,6 +406,7 @@
|
||||
@@ -396,6 +406,7 @@ do_log(LogLevel level, const char *fmt,
|
||||
syslog(pri, "%.500s", fmtbuf);
|
||||
closelog();
|
||||
#endif
|
@ -1,26 +1,26 @@
|
||||
Index: openssh-5.6p1/sshd.8
|
||||
Index: openssh-5.7p1/sshd.8
|
||||
===================================================================
|
||||
--- openssh-5.6p1.orig/sshd.8
|
||||
+++ openssh-5.6p1/sshd.8
|
||||
@@ -850,7 +850,7 @@ Contains Diffie-Hellman groups used for
|
||||
--- openssh-5.7p1.orig/sshd.8
|
||||
+++ openssh-5.7p1/sshd.8
|
||||
@@ -855,7 +855,7 @@ Contains Diffie-Hellman groups used for
|
||||
The file format is described in
|
||||
.Xr moduli 5 .
|
||||
.Pp
|
||||
-.It /etc/motd
|
||||
+.It /etc/lib/motd
|
||||
-.It Pa /etc/motd
|
||||
+.It Pa /etc/lib/motd
|
||||
See
|
||||
.Xr motd 5 .
|
||||
.Pp
|
||||
@@ -863,7 +863,7 @@ are displayed to anyone trying to log in
|
||||
@@ -868,7 +868,7 @@ are displayed to anyone trying to log in
|
||||
refused.
|
||||
The file should be world-readable.
|
||||
.Pp
|
||||
-.It /etc/shosts.equiv
|
||||
+.It /etc/ssh/shosts.equiv
|
||||
-.It Pa /etc/shosts.equiv
|
||||
+.It Pa /etc/ssh/shosts.equiv
|
||||
This file is used in exactly the same way as
|
||||
.Pa hosts.equiv ,
|
||||
but allows host-based authentication without permitting login with
|
||||
@@ -940,8 +940,7 @@ The content of this file is not sensitiv
|
||||
@@ -947,8 +947,7 @@ The content of this file is not sensitiv
|
||||
.Xr ssh-keyscan 1 ,
|
||||
.Xr chroot 2 ,
|
||||
.Xr hosts_access 5 ,
|
||||
@ -30,11 +30,11 @@ Index: openssh-5.6p1/sshd.8
|
||||
.Xr sshd_config 5 ,
|
||||
.Xr inetd 8 ,
|
||||
.Xr sftp-server 8
|
||||
Index: openssh-5.6p1/sshd_config.5
|
||||
Index: openssh-5.7p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-5.6p1.orig/sshd_config.5
|
||||
+++ openssh-5.6p1/sshd_config.5
|
||||
@@ -496,7 +496,7 @@ or
|
||||
--- openssh-5.7p1.orig/sshd_config.5
|
||||
+++ openssh-5.7p1/sshd_config.5
|
||||
@@ -497,7 +497,7 @@ or
|
||||
.Pp
|
||||
.Pa /etc/hosts.equiv
|
||||
and
|
@ -1,7 +1,7 @@
|
||||
Index: openssh-5.6p1/ssh-add.c
|
||||
Index: openssh-5.7p1/ssh-add.c
|
||||
===================================================================
|
||||
--- openssh-5.6p1.orig/ssh-add.c
|
||||
+++ openssh-5.6p1/ssh-add.c
|
||||
--- openssh-5.7p1.orig/ssh-add.c
|
||||
+++ openssh-5.7p1/ssh-add.c
|
||||
@@ -43,6 +43,7 @@
|
||||
|
||||
#include <openssl/evp.h>
|
||||
@ -10,9 +10,9 @@ Index: openssh-5.6p1/ssh-add.c
|
||||
|
||||
#include <fcntl.h>
|
||||
#include <pwd.h>
|
||||
@@ -374,6 +375,10 @@ main(int argc, char **argv)
|
||||
@@ -377,6 +378,10 @@ main(int argc, char **argv)
|
||||
|
||||
SSLeay_add_all_algorithms();
|
||||
OpenSSL_add_all_algorithms();
|
||||
|
||||
+ /* Init available hardware crypto engines. */
|
||||
+ ENGINE_load_builtin_engines();
|
||||
@ -21,10 +21,10 @@ Index: openssh-5.6p1/ssh-add.c
|
||||
/* At first, get a connection to the authentication agent. */
|
||||
ac = ssh_get_authentication_connection();
|
||||
if (ac == NULL) {
|
||||
Index: openssh-5.6p1/ssh-agent.c
|
||||
Index: openssh-5.7p1/ssh-agent.c
|
||||
===================================================================
|
||||
--- openssh-5.6p1.orig/ssh-agent.c
|
||||
+++ openssh-5.6p1/ssh-agent.c
|
||||
--- openssh-5.7p1.orig/ssh-agent.c
|
||||
+++ openssh-5.7p1/ssh-agent.c
|
||||
@@ -52,6 +52,7 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/md5.h>
|
||||
@ -33,9 +33,9 @@ Index: openssh-5.6p1/ssh-agent.c
|
||||
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
@@ -1094,6 +1095,10 @@ main(int ac, char **av)
|
||||
@@ -1153,6 +1154,10 @@ main(int ac, char **av)
|
||||
|
||||
SSLeay_add_all_algorithms();
|
||||
OpenSSL_add_all_algorithms();
|
||||
|
||||
+ /* Init available hardware crypto engines. */
|
||||
+ ENGINE_load_builtin_engines();
|
||||
@ -44,10 +44,10 @@ Index: openssh-5.6p1/ssh-agent.c
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
init_rng();
|
||||
seed_rng();
|
||||
Index: openssh-5.6p1/ssh-keygen.c
|
||||
Index: openssh-5.7p1/ssh-keygen.c
|
||||
===================================================================
|
||||
--- openssh-5.6p1.orig/ssh-keygen.c
|
||||
+++ openssh-5.6p1/ssh-keygen.c
|
||||
--- openssh-5.7p1.orig/ssh-keygen.c
|
||||
+++ openssh-5.7p1/ssh-keygen.c
|
||||
@@ -22,6 +22,7 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/pem.h>
|
||||
@ -56,10 +56,10 @@ Index: openssh-5.6p1/ssh-keygen.c
|
||||
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
@@ -1782,6 +1783,11 @@ main(int argc, char **argv)
|
||||
@@ -1815,6 +1816,11 @@ main(int argc, char **argv)
|
||||
__progname = ssh_get_progname(argv[0]);
|
||||
|
||||
SSLeay_add_all_algorithms();
|
||||
OpenSSL_add_all_algorithms();
|
||||
+
|
||||
+ /* Init available hardware crypto engines. */
|
||||
+ ENGINE_load_builtin_engines();
|
||||
@ -68,10 +68,10 @@ Index: openssh-5.6p1/ssh-keygen.c
|
||||
log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
|
||||
|
||||
init_rng();
|
||||
Index: openssh-5.6p1/ssh-keysign.c
|
||||
Index: openssh-5.7p1/ssh-keysign.c
|
||||
===================================================================
|
||||
--- openssh-5.6p1.orig/ssh-keysign.c
|
||||
+++ openssh-5.6p1/ssh-keysign.c
|
||||
--- openssh-5.7p1.orig/ssh-keysign.c
|
||||
+++ openssh-5.7p1/ssh-keysign.c
|
||||
@@ -38,6 +38,7 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/rand.h>
|
||||
@ -83,7 +83,7 @@ Index: openssh-5.6p1/ssh-keysign.c
|
||||
@@ -195,6 +196,11 @@ main(int argc, char **argv)
|
||||
fatal("could not open any host key");
|
||||
|
||||
SSLeay_add_all_algorithms();
|
||||
OpenSSL_add_all_algorithms();
|
||||
+
|
||||
+ /* Init available hardware crypto engines. */
|
||||
+ ENGINE_load_builtin_engines();
|
||||
@ -92,11 +92,11 @@ Index: openssh-5.6p1/ssh-keysign.c
|
||||
for (i = 0; i < 256; i++)
|
||||
rnd[i] = arc4random();
|
||||
RAND_seed(rnd, sizeof(rnd));
|
||||
Index: openssh-5.6p1/ssh.c
|
||||
Index: openssh-5.7p1/ssh.c
|
||||
===================================================================
|
||||
--- openssh-5.6p1.orig/ssh.c
|
||||
+++ openssh-5.6p1/ssh.c
|
||||
@@ -74,6 +74,7 @@
|
||||
--- openssh-5.7p1.orig/ssh.c
|
||||
+++ openssh-5.7p1/ssh.c
|
||||
@@ -75,6 +75,7 @@
|
||||
#include <openssl/err.h>
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
@ -104,8 +104,8 @@ Index: openssh-5.6p1/ssh.c
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "ssh.h"
|
||||
@@ -602,6 +603,10 @@ main(int ac, char **av)
|
||||
SSLeay_add_all_algorithms();
|
||||
@@ -601,6 +602,10 @@ main(int ac, char **av)
|
||||
OpenSSL_add_all_algorithms();
|
||||
ERR_load_crypto_strings();
|
||||
|
||||
+ /* Init available hardware crypto engines. */
|
||||
@ -115,10 +115,10 @@ Index: openssh-5.6p1/ssh.c
|
||||
/* Initialize the command to execute on remote host. */
|
||||
buffer_init(&command);
|
||||
|
||||
Index: openssh-5.6p1/sshd.c
|
||||
Index: openssh-5.7p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-5.6p1.orig/sshd.c
|
||||
+++ openssh-5.6p1/sshd.c
|
||||
--- openssh-5.7p1.orig/sshd.c
|
||||
+++ openssh-5.7p1/sshd.c
|
||||
@@ -77,6 +77,7 @@
|
||||
#include <openssl/md5.h>
|
||||
#include <openssl/rand.h>
|
||||
@ -127,9 +127,9 @@ Index: openssh-5.6p1/sshd.c
|
||||
|
||||
#ifdef HAVE_SECUREWARE
|
||||
#include <sys/security.h>
|
||||
@@ -1471,6 +1472,10 @@ main(int ac, char **av)
|
||||
@@ -1474,6 +1475,10 @@ main(int ac, char **av)
|
||||
|
||||
SSLeay_add_all_algorithms();
|
||||
OpenSSL_add_all_algorithms();
|
||||
|
||||
+ /* Init available hardware crypto engines. */
|
||||
+ ENGINE_load_builtin_engines();
|
@ -68,7 +68,7 @@ Index: readconf.c
|
||||
===================================================================
|
||||
--- readconf.c.orig
|
||||
+++ readconf.c
|
||||
@@ -126,7 +126,7 @@ typedef enum {
|
||||
@@ -128,7 +128,7 @@ typedef enum {
|
||||
oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
|
||||
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
||||
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
||||
@ -77,7 +77,7 @@ Index: readconf.c
|
||||
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
||||
oSendEnv, oControlPath, oControlMaster, oControlPersist,
|
||||
oHashKnownHosts,
|
||||
@@ -167,9 +167,11 @@ static struct {
|
||||
@@ -170,9 +170,11 @@ static struct {
|
||||
#if defined(GSSAPI)
|
||||
{ "gssapiauthentication", oGssAuthentication },
|
||||
{ "gssapidelegatecredentials", oGssDelegateCreds },
|
||||
@ -89,18 +89,18 @@ Index: readconf.c
|
||||
#endif
|
||||
{ "fallbacktorsh", oDeprecated },
|
||||
{ "usersh", oDeprecated },
|
||||
@@ -477,6 +479,10 @@ parse_flag:
|
||||
case oGssDelegateCreds:
|
||||
@@ -483,6 +485,10 @@ parse_flag:
|
||||
intptr = &options->gss_deleg_creds;
|
||||
goto parse_flag;
|
||||
+
|
||||
|
||||
+ case oGssEnableMITM:
|
||||
+ intptr = &options->gss_enable_mitm;
|
||||
+ goto parse_flag;
|
||||
|
||||
+
|
||||
case oBatchMode:
|
||||
intptr = &options->batch_mode;
|
||||
@@ -1059,6 +1065,7 @@ initialize_options(Options * options)
|
||||
goto parse_flag;
|
||||
@@ -1093,6 +1099,7 @@ initialize_options(Options * options)
|
||||
options->challenge_response_authentication = -1;
|
||||
options->gss_authentication = -1;
|
||||
options->gss_deleg_creds = -1;
|
||||
@ -108,7 +108,7 @@ Index: readconf.c
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->kbd_interactive_devices = NULL;
|
||||
@@ -1158,6 +1165,8 @@ fill_default_options(Options * options)
|
||||
@@ -1195,6 +1202,8 @@ fill_default_options(Options * options)
|
||||
options->gss_authentication = 0;
|
||||
if (options->gss_deleg_creds == -1)
|
||||
options->gss_deleg_creds = 0;
|
||||
@ -133,7 +133,7 @@ Index: servconf.c
|
||||
===================================================================
|
||||
--- servconf.c.orig
|
||||
+++ servconf.c
|
||||
@@ -94,6 +94,7 @@ initialize_server_options(ServerOptions
|
||||
@@ -98,6 +98,7 @@ initialize_server_options(ServerOptions
|
||||
options->kerberos_get_afs_token = -1;
|
||||
options->gss_authentication=-1;
|
||||
options->gss_cleanup_creds = -1;
|
||||
@ -141,7 +141,7 @@ Index: servconf.c
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->challenge_response_authentication = -1;
|
||||
@@ -217,6 +218,8 @@ fill_default_server_options(ServerOption
|
||||
@@ -228,6 +229,8 @@ fill_default_server_options(ServerOption
|
||||
options->gss_authentication = 0;
|
||||
if (options->gss_cleanup_creds == -1)
|
||||
options->gss_cleanup_creds = 1;
|
||||
@ -150,7 +150,7 @@ Index: servconf.c
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
@@ -307,7 +310,7 @@ typedef enum {
|
||||
@@ -322,7 +325,7 @@ typedef enum {
|
||||
sBanner, sUseDNS, sHostbasedAuthentication,
|
||||
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
||||
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
|
||||
@ -159,7 +159,7 @@ Index: servconf.c
|
||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
sZeroKnowledgePasswordAuthentication, sHostCertificate,
|
||||
@@ -370,9 +373,11 @@ static struct {
|
||||
@@ -386,9 +389,11 @@ static struct {
|
||||
#ifdef GSSAPI
|
||||
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
||||
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
||||
@ -171,22 +171,22 @@ Index: servconf.c
|
||||
#endif
|
||||
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
||||
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
||||
@@ -929,6 +934,10 @@ process_server_config_line(ServerOptions
|
||||
case sGssCleanupCreds:
|
||||
@@ -948,6 +953,10 @@ process_server_config_line(ServerOptions
|
||||
intptr = &options->gss_cleanup_creds;
|
||||
goto parse_flag;
|
||||
+
|
||||
|
||||
+ case sGssEnableMITM:
|
||||
+ intptr = &options->gss_enable_mitm;
|
||||
+ goto parse_flag;
|
||||
|
||||
+
|
||||
case sPasswordAuthentication:
|
||||
intptr = &options->password_authentication;
|
||||
goto parse_flag;
|
||||
Index: servconf.h
|
||||
===================================================================
|
||||
--- servconf.h.orig
|
||||
+++ servconf.h
|
||||
@@ -95,6 +95,7 @@ typedef struct {
|
||||
@@ -98,6 +98,7 @@ typedef struct {
|
||||
* authenticated with Kerberos. */
|
||||
int gss_authentication; /* If true, permit GSSAPI authentication */
|
||||
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
||||
@ -218,7 +218,7 @@ Index: sshconnect2.c
|
||||
===================================================================
|
||||
--- sshconnect2.c.orig
|
||||
+++ sshconnect2.c
|
||||
@@ -263,6 +263,10 @@ Authmethod authmethods[] = {
|
||||
@@ -324,6 +324,10 @@ Authmethod authmethods[] = {
|
||||
NULL,
|
||||
&options.gss_authentication,
|
||||
NULL},
|
||||
@ -229,7 +229,7 @@ Index: sshconnect2.c
|
||||
#endif
|
||||
{"hostbased",
|
||||
userauth_hostbased,
|
||||
@@ -640,7 +644,9 @@ process_gssapi_token(void *ctxt, gss_buf
|
||||
@@ -701,7 +705,9 @@ process_gssapi_token(void *ctxt, gss_buf
|
||||
|
||||
if (status == GSS_S_COMPLETE) {
|
||||
/* send either complete or MIC, depending on mechanism */
|
||||
@ -244,7 +244,7 @@ Index: sshd_config
|
||||
===================================================================
|
||||
--- sshd_config.orig
|
||||
+++ sshd_config
|
||||
@@ -72,6 +72,13 @@ PasswordAuthentication no
|
||||
@@ -73,6 +73,12 @@ PasswordAuthentication no
|
||||
#GSSAPIAuthentication no
|
||||
#GSSAPICleanupCredentials yes
|
||||
|
||||
@ -253,7 +253,6 @@ Index: sshd_config
|
||||
+# in this release. The use of 'gssapi' is deprecated due to the presence of
|
||||
+# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
|
||||
+#GSSAPIEnableMITMAttack no
|
||||
+
|
||||
+
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
@ -48,7 +48,7 @@ Index: session.c
|
||||
static void do_authenticated1(Authctxt *);
|
||||
static void do_authenticated2(Authctxt *);
|
||||
|
||||
@@ -806,6 +808,11 @@ do_exec(Session *s, const char *command)
|
||||
@@ -808,6 +810,11 @@ do_exec(Session *s, const char *command)
|
||||
debug("Forced command (key option) '%.900s'", command);
|
||||
}
|
||||
|
||||
@ -60,7 +60,7 @@ Index: session.c
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
if (command != NULL)
|
||||
PRIVSEP(audit_run_command(command));
|
||||
@@ -1419,6 +1426,63 @@ do_nologin(struct passwd *pw)
|
||||
@@ -1421,6 +1428,63 @@ do_nologin(struct passwd *pw)
|
||||
}
|
||||
|
||||
/*
|
||||
@ -124,7 +124,7 @@ Index: session.c
|
||||
* Chroot into a directory after checking it for safety: all path components
|
||||
* must be root-owned directories with strict permissions.
|
||||
*/
|
||||
@@ -1428,6 +1492,7 @@ safely_chroot(const char *path, uid_t ui
|
||||
@@ -1430,6 +1494,7 @@ safely_chroot(const char *path, uid_t ui
|
||||
const char *cp;
|
||||
char component[MAXPATHLEN];
|
||||
struct stat st;
|
||||
@ -132,7 +132,7 @@ Index: session.c
|
||||
|
||||
if (*path != '/')
|
||||
fatal("chroot path does not begin at root");
|
||||
@@ -1439,7 +1504,7 @@ safely_chroot(const char *path, uid_t ui
|
||||
@@ -1441,7 +1506,7 @@ safely_chroot(const char *path, uid_t ui
|
||||
* root-owned directory with strict permissions.
|
||||
*/
|
||||
for (cp = path; cp != NULL;) {
|
||||
@ -141,7 +141,7 @@ Index: session.c
|
||||
strlcpy(component, path, sizeof(component));
|
||||
else {
|
||||
cp++;
|
||||
@@ -1452,14 +1517,20 @@ safely_chroot(const char *path, uid_t ui
|
||||
@@ -1454,14 +1519,20 @@ safely_chroot(const char *path, uid_t ui
|
||||
if (stat(component, &st) != 0)
|
||||
fatal("%s: stat(\"%s\"): %s", __func__,
|
||||
component, strerror(errno));
|
||||
@ -163,7 +163,7 @@ Index: session.c
|
||||
}
|
||||
|
||||
if (chdir(path) == -1)
|
||||
@@ -1470,6 +1541,10 @@ safely_chroot(const char *path, uid_t ui
|
||||
@@ -1472,6 +1543,10 @@ safely_chroot(const char *path, uid_t ui
|
||||
if (chdir("/") == -1)
|
||||
fatal("%s: chdir(/) after chroot: %s",
|
||||
__func__, strerror(errno));
|
||||
@ -257,7 +257,7 @@ Index: sshd_config.5
|
||||
===================================================================
|
||||
--- sshd_config.5.orig
|
||||
+++ sshd_config.5
|
||||
@@ -269,6 +269,17 @@ inside the chroot directory (see
|
||||
@@ -268,6 +268,17 @@ inside the chroot directory (see
|
||||
.Xr sftp-server 8
|
||||
for details).
|
||||
.Pp
|
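--- /dev/null
+++ b/openssh-5.7p1-host_ident.diff
@@ -0,0 +1,16 @@
+Index: openssh-5.7p1/sshconnect.c
+===================================================================
+--- openssh-5.7p1.orig/sshconnect.c
++++ openssh-5.7p1/sshconnect.c
+@@ -958,6 +958,11 @@ check_host_key(char *hostname, struct so
+user_hostfile);
+error("Offending %s key in %s:%lu", key_type(host_found->key),
+host_found->file, host_found->line);
++ error("You can use following command to remove all keys for this IP:");
++ if (host_found->file)
++ error("ssh-keygen -R %s -f %s", hostname, host_found->file);
++ else
++ error("ssh-keygen -R %s", hostname);
+
+/*
+* If strict host key checking is in use, the user will have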
@ -2,7 +2,7 @@ Index: sshd_config
|
||||
===================================================================
|
||||
--- sshd_config.orig
|
||||
+++ sshd_config
|
||||
@@ -56,7 +56,7 @@
|
||||
@@ -57,7 +57,7 @@
|
||||
#IgnoreRhosts yes
|
||||
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
@ -11,7 +11,7 @@ Index: sshd_config
|
||||
#PermitEmptyPasswords no
|
||||
|
||||
# Change to no to disable s/key passwords
|
||||
@@ -81,7 +81,7 @@
|
||||
@@ -82,7 +82,7 @@
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
@ -1,6 +1,8 @@
|
||||
--- auth-pam.c
|
||||
Index: auth-pam.c
|
||||
===================================================================
|
||||
--- auth-pam.c.orig
|
||||
+++ auth-pam.c
|
||||
@@ -786,7 +786,9 @@
|
||||
@@ -786,7 +786,9 @@ sshpam_query(void *ctx, char **name, cha
|
||||
fatal("Internal error: PAM auth "
|
||||
"succeeded when it should have "
|
||||
"failed");
|
@ -2,7 +2,7 @@ Index: loginrec.c
|
||||
===================================================================
|
||||
--- loginrec.c.orig
|
||||
+++ loginrec.c
|
||||
@@ -554,7 +554,7 @@ getlast_entry(struct logininfo *li)
|
||||
@@ -555,7 +555,7 @@ getlast_entry(struct logininfo *li)
|
||||
* 1. The full filename (including '/dev')
|
||||
* 2. The stripped name (excluding '/dev')
|
||||
* 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00
|
||||
@ -11,7 +11,7 @@ Index: loginrec.c
|
||||
*
|
||||
* Form 3 is used on some systems to identify a .tmp.? entry when
|
||||
* attempting to remove it. Typically both addition and removal is
|
||||
@@ -615,6 +615,10 @@ line_abbrevname(char *dst, const char *s
|
||||
@@ -616,6 +616,10 @@ line_abbrevname(char *dst, const char *s
|
||||
if (strncmp(src, "tty", 3) == 0)
|
||||
src += 3;
|
||||
#endif
|
@ -10,7 +10,7 @@ Index: sshd.c
|
||||
logit("Received SIGHUP; restarting.");
|
||||
close_listen_socks();
|
||||
close_startup_pipes();
|
||||
@@ -1316,7 +1317,11 @@ main(int ac, char **av)
|
||||
@@ -1319,7 +1320,11 @@ main(int ac, char **av)
|
||||
#ifndef HAVE_SETPROCTITLE
|
||||
/* Prepare for later setproctitle emulation */
|
||||
compat_init_setproctitle(ac, av);
|
173
openssh-5.7p1-selinux.diff
@ -0,0 +1,173 @@
|
||||
Index: openssh-5.7p1/ChangeLog
|
||||
===================================================================
|
||||
--- openssh-5.7p1.orig/ChangeLog
|
||||
+++ openssh-5.7p1/ChangeLog
|
||||
@@ -1,3 +1,10 @@
|
||||
+20110125
|
||||
+ - (djm) [configure.ac Makefile.in ssh.c openbsd-compat/port-linux.c
|
||||
+ openbsd-compat/port-linux.h] Move SELinux-specific code from ssh.c to
|
||||
+ port-linux.c to avoid compilation errors. Add -lselinux to ssh when
|
||||
+ building with SELinux support to avoid linking failure; report from
|
||||
+ amk AT spamfence.net; ok dtucker
|
||||
+
|
||||
20110122
|
||||
- (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] Add
|
||||
RSA_get_default_method() for the benefit of openssl versions that don't
|
||||
Index: openssh-5.7p1/configure.ac
|
||||
===================================================================
|
||||
--- openssh-5.7p1.orig/configure.ac
|
||||
+++ openssh-5.7p1/configure.ac
|
||||
@@ -1,4 +1,4 @@
|
||||
-# $Id: configure.ac,v 1.469 2011/01/21 22:37:05 dtucker Exp $
|
||||
+# $Id: configure.ac,v 1.470 2011/01/25 01:16:17 djm Exp $
|
||||
#
|
||||
# Copyright (c) 1999-2004 Damien Miller
|
||||
#
|
||||
@@ -15,7 +15,7 @@
|
||||
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
|
||||
-AC_REVISION($Revision: 1.469 $)
|
||||
+AC_REVISION($Revision: 1.470 $)
|
||||
AC_CONFIG_SRCDIR([ssh.c])
|
||||
|
||||
# local macros
|
||||
@@ -737,7 +737,6 @@ mips-sony-bsd|mips-sony-newsos4)
|
||||
[ AC_DEFINE(USE_SOLARIS_PROCESS_CONTRACTS, 1,
|
||||
[Define if you have Solaris process contracts])
|
||||
SSHDLIBS="$SSHDLIBS -lcontract"
|
||||
- AC_SUBST(SSHDLIBS)
|
||||
SPC_MSG="yes" ], )
|
||||
],
|
||||
)
|
||||
@@ -748,7 +747,6 @@ mips-sony-bsd|mips-sony-newsos4)
|
||||
[ AC_DEFINE(USE_SOLARIS_PROJECTS, 1,
|
||||
[Define if you have Solaris projects])
|
||||
SSHDLIBS="$SSHDLIBS -lproject"
|
||||
- AC_SUBST(SSHDLIBS)
|
||||
SP_MSG="yes" ], )
|
||||
],
|
||||
)
|
||||
@@ -3515,11 +3513,14 @@ AC_ARG_WITH(selinux,
|
||||
LIBS="$LIBS -lselinux"
|
||||
],
|
||||
AC_MSG_ERROR(SELinux support requires libselinux library))
|
||||
+ SSHLIBS="$SSHLIBS $LIBSELINUX"
|
||||
SSHDLIBS="$SSHDLIBS $LIBSELINUX"
|
||||
AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
|
||||
LIBS="$save_LIBS"
|
||||
fi ]
|
||||
)
|
||||
+AC_SUBST(SSHLIBS)
|
||||
+AC_SUBST(SSHDLIBS)
|
||||
|
||||
# Check whether user wants Linux audit support
|
||||
LINUX_AUDIT_MSG="no"
|
||||
@@ -4356,6 +4357,9 @@ echo " Libraries: ${LIBS}"
|
||||
if test ! -z "${SSHDLIBS}"; then
|
||||
echo " +for sshd: ${SSHDLIBS}"
|
||||
fi
|
||||
+if test ! -z "${SSHLIBS}"; then
|
||||
+echo " +for ssh: ${SSHLIBS}"
|
||||
+fi
|
||||
|
||||
echo ""
|
||||
|
||||
Index: openssh-5.7p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-5.7p1.orig/Makefile.in
|
||||
+++ openssh-5.7p1/Makefile.in
|
||||
@@ -1,4 +1,4 @@
|
||||
-# $Id: Makefile.in,v 1.320 2011/01/17 10:15:29 dtucker Exp $
|
||||
+# $Id: Makefile.in,v 1.321 2011/01/25 01:16:16 djm Exp $
|
||||
|
||||
# uncomment if you run a non bourne compatable shell. Ie. csh
|
||||
#SHELL = @SH@
|
||||
@@ -47,6 +47,7 @@ CFLAGS=@CFLAGS@
|
||||
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
|
||||
LIBS=@LIBS@
|
||||
LIBAUDIT=@LIBAUDIT@
|
||||
+SSHLIBS=@SSHLIBS@
|
||||
SSHDLIBS=@SSHDLIBS@
|
||||
LIBEDIT=@LIBEDIT@
|
||||
AR=@AR@
|
||||
@@ -143,7 +144,7 @@ libssh.a: $(LIBSSH_OBJS)
|
||||
$(RANLIB) $@
|
||||
|
||||
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
|
||||
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS)
|
||||
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(LIBAUDIT)
|
||||
Index: openssh-5.7p1/openbsd-compat/port-linux.c
|
||||
===================================================================
|
||||
--- openssh-5.7p1.orig/openbsd-compat/port-linux.c
|
||||
+++ openssh-5.7p1/openbsd-compat/port-linux.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $Id: port-linux.c,v 1.11 2011/01/17 07:50:24 dtucker Exp $ */
|
||||
+/* $Id: port-linux.c,v 1.12 2011/01/25 01:16:18 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
||||
@@ -205,6 +205,20 @@ ssh_selinux_change_context(const char *n
|
||||
xfree(oldctx);
|
||||
xfree(newctx);
|
||||
}
|
||||
+
|
||||
+void
|
||||
+ssh_selinux_setfscreatecon(const char *path)
|
||||
+{
|
||||
+ security_context_t context;
|
||||
+
|
||||
+ if (path == NULL) {
|
||||
+ setfscreatecon(NULL);
|
||||
+ return;
|
||||
+ }
|
||||
+ matchpathcon(path, 0700, &context);
|
||||
+ setfscreatecon(context);
|
||||
+}
|
||||
+
|
||||
#endif /* WITH_SELINUX */
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
Index: openssh-5.7p1/openbsd-compat/port-linux.h
|
||||
===================================================================
|
||||
--- openssh-5.7p1.orig/openbsd-compat/port-linux.h
|
||||
+++ openssh-5.7p1/openbsd-compat/port-linux.h
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $Id: port-linux.h,v 1.4 2009/12/08 02:39:48 dtucker Exp $ */
|
||||
+/* $Id: port-linux.h,v 1.5 2011/01/25 01:16:18 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2006 Damien Miller <djm@openbsd.org>
|
||||
@@ -24,6 +24,7 @@ int ssh_selinux_enabled(void);
|
||||
void ssh_selinux_setup_pty(char *, const char *);
|
||||
void ssh_selinux_setup_exec_context(char *);
|
||||
void ssh_selinux_change_context(const char *);
|
||||
+void ssh_selinux_setfscreatecon(const char *);
|
||||
#endif
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
Index: openssh-5.7p1/ssh.c
|
||||
===================================================================
|
||||
--- openssh-5.7p1.orig/ssh.c
|
||||
+++ openssh-5.7p1/ssh.c
|
||||
@@ -857,15 +857,12 @@ main(int ac, char **av)
|
||||
strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
|
||||
if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0) {
|
||||
#ifdef WITH_SELINUX
|
||||
- char *scon;
|
||||
-
|
||||
- matchpathcon(buf, 0700, &scon);
|
||||
- setfscreatecon(scon);
|
||||
+ ssh_selinux_setfscreatecon(buf);
|
||||
#endif
|
||||
if (mkdir(buf, 0700) < 0)
|
||||
error("Could not create directory '%.200s'.", buf);
|
||||
#ifdef WITH_SELINUX
|
||||
- setfscreatecon(NULL);
|
||||
+ ssh_selinux_setfscreatecon(NULL);
|
||||
#endif
|
||||
}
|
||||
/* load options.identity_files */
|
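Review bot: In the new `ssh_selinux_setfscreatecon()` added to port-linux.c, `context` is left uninitialized when `matchpathcon()` fails and is then handed to `setfscreatecon()`, and when the lookup succeeds the context string libselinux allocated is never released with `freecon()`, so the ~/.ssh creation path in ssh.c leaks on every run. Neither libselinux call has its return value checked, so on a host where the library is present but the lookup fails the directory is silently created under whatever label the default rule yields, with nothing in the debug log to explain why. The second argument of `matchpathcon()` is a file-type mode of which only the type bits are consulted, so `0700` is effectively 0; `S_IFDIR` states the intent (needs `<sys/stat.h>` if the file does not already pull it in). Checking the results, logging at debug level with the `debug3("%s", __func__)` style already used in this file, and freeing the context keeps the ssh.c caller unchanged; since this is a vendored upstream patch the fix would have to be carried as a separate local patch.
```c
void
ssh_selinux_setfscreatecon(const char *path)
{
	security_context_t context;

	if (path == NULL) {
		if (setfscreatecon(NULL) != 0)
			debug3("%s: setfscreatecon(NULL) failed", __func__);
		return;
	}
	if (matchpathcon(path, S_IFDIR, &context) != 0) {
		debug3("%s: matchpathcon(%s) failed", __func__, path);
		return;
	}
	if (setfscreatecon(context) != 0)
		debug3("%s: setfscreatecon for %s failed", __func__, path);
	freecon(context);
}
```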
@ -2,11 +2,12 @@ Index: ssh_config
|
||||
===================================================================
|
||||
--- ssh_config.orig
|
||||
+++ ssh_config
|
||||
@@ -67,5 +67,12 @@ ForwardX11Trusted yes
|
||||
@@ -67,5 +67,13 @@ ForwardX11Trusted yes
|
||||
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
SendEnv LC_IDENTIFICATION LC_ALL
|
||||
-# VisualHostKey no
|
||||
+
|
||||
+# This will print the fingerprint of the host key in "visual" form
|
||||
+# this should make it easier to also recognize bad things
|
||||
+VisualHostKey no
|
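Review bot: The comment added before `VisualHostKey no` in the ssh_config hunk describes what the option does when it is enabled, while the directive beneath it turns it off, so a reader skimming the file can come away believing visual fingerprints are active. The previous commented-out `# VisualHostKey no` at least made the default status obvious at a glance. Suggest wording the comment around the choice actually made, e.g. `# Set VisualHostKey yes to also print the host key fingerprint as ASCII art, which makes an unexpected host key change easier to notice.`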
@ -2,7 +2,7 @@ Index: session.c
|
||||
===================================================================
|
||||
--- session.c.orig
|
||||
+++ session.c
|
||||
@@ -2525,8 +2525,41 @@ void
|
||||
@@ -2463,8 +2463,41 @@ void
|
||||
session_close(Session *s)
|
||||
{
|
||||
u_int i;
|
@ -2,7 +2,7 @@ Index: session.c
|
||||
===================================================================
|
||||
--- session.c.orig
|
||||
+++ session.c
|
||||
@@ -1114,7 +1114,7 @@ copy_environment(char **source, char ***
|
||||
@@ -1116,7 +1116,7 @@ copy_environment(char **source, char ***
|
||||
}
|
||||
|
||||
static char **
|
||||
@ -11,7 +11,7 @@ Index: session.c
|
||||
{
|
||||
char buf[256];
|
||||
u_int i, envsize;
|
||||
@@ -1301,6 +1301,8 @@ do_setup_env(Session *s, const char *she
|
||||
@@ -1303,6 +1303,8 @@ do_setup_env(Session *s, const char *she
|
||||
for (i = 0; env[i]; i++)
|
||||
fprintf(stderr, " %.200s\n", env[i]);
|
||||
}
|
||||
@ -20,7 +20,7 @@ Index: session.c
|
||||
return env;
|
||||
}
|
||||
|
||||
@@ -1309,7 +1311,7 @@ do_setup_env(Session *s, const char *she
|
||||
@@ -1311,7 +1313,7 @@ do_setup_env(Session *s, const char *she
|
||||
* first in this order).
|
||||
*/
|
||||
static void
|
||||
@ -29,7 +29,7 @@ Index: session.c
|
||||
{
|
||||
FILE *f = NULL;
|
||||
char cmd[1024];
|
||||
@@ -1363,12 +1365,20 @@ do_rc_files(Session *s, const char *shel
|
||||
@@ -1365,12 +1367,20 @@ do_rc_files(Session *s, const char *shel
|
||||
options.xauth_location);
|
||||
f = popen(cmd, "w");
|
||||
if (f) {
|
||||
@ -50,7 +50,7 @@ Index: session.c
|
||||
} else {
|
||||
fprintf(stderr, "Could not run %s\n",
|
||||
cmd);
|
||||
@@ -1670,6 +1680,7 @@ do_child(Session *s, const char *command
|
||||
@@ -1608,6 +1618,7 @@ do_child(Session *s, const char *command
|
||||
{
|
||||
extern char **environ;
|
||||
char **env;
|
||||
@ -58,7 +58,7 @@ Index: session.c
|
||||
char *argv[ARGV_MAX];
|
||||
const char *shell, *shell0, *hostname = NULL;
|
||||
struct passwd *pw = s->pw;
|
||||
@@ -1736,7 +1747,7 @@ do_child(Session *s, const char *command
|
||||
@@ -1674,7 +1685,7 @@ do_child(Session *s, const char *command
|
||||
* Make sure $SHELL points to the shell from the password file,
|
||||
* even if shell is overridden from login.conf
|
||||
*/
|
||||
@ -67,7 +67,7 @@ Index: session.c
|
||||
|
||||
#ifdef HAVE_LOGIN_CAP
|
||||
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
|
||||
@@ -1805,7 +1816,7 @@ do_child(Session *s, const char *command
|
||||
@@ -1743,7 +1754,7 @@ do_child(Session *s, const char *command
|
||||
closefrom(STDERR_FILENO + 1);
|
||||
|
||||
if (!options.use_login)
|
@ -28,7 +28,7 @@ Index: sshd_config
|
||||
===================================================================
|
||||
--- sshd_config.orig
|
||||
+++ sshd_config
|
||||
@@ -86,7 +86,7 @@
|
||||
@@ -87,7 +87,7 @@
|
||||
#AllowAgentForwarding yes
|
||||
#AllowTcpForwarding yes
|
||||
#GatewayPorts no
|
3
openssh-5.7p1.tar.bz2
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:e8e4d63cbfdd0c97f8856693b4412e0bda78bb152ec1cb6f426193dc16d412c3
|
||||
size 894451
|
@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:0b46d50d58800dc184448c70485265894d97da90749019917708c22ac8845753
|
||||
size 1943
|
||||
oid sha256:a73f20ff86a679a64f3b94a666dc9e7e1b442fb2da09ddb56f9a01f4dbdbc241
|
||||
size 1975
|
||||
|
@ -1,3 +1,8 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 24 11:51:10 UTC 2011 - lchiquitto@novell.com
|
||||
|
||||
- Update to 5.7p1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jan 12 13:37:38 CET 2011 - sbrabec@suse.cz
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# spec file for package openssh-askpass-gnome (Version 5.6p1)
|
||||
# spec file for package openssh-askpass-gnome (Version 5.7p1)
|
||||
#
|
||||
# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
#
|
||||
@ -22,8 +22,8 @@ Name: openssh-askpass-gnome
|
||||
BuildRequires: gtk2-devel krb5-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files
|
||||
License: BSD3c(or similar)
|
||||
Group: Productivity/Networking/SSH
|
||||
Version: 5.6p1
|
||||
Release: 8
|
||||
Version: 5.7p1
|
||||
Release: 1
|
||||
Requires: openssh = %{version} openssh-askpass = %{version}
|
||||
AutoReqProv: on
|
||||
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
||||
|
@ -1,94 +0,0 @@
|
||||
Index: openbsd-compat/port-linux.c
|
||||
===================================================================
|
||||
RCS file: /home/dtucker/openssh/cvs/openssh/openbsd-compat/port-linux.c,v
|
||||
retrieving revision 1.9
|
||||
diff -u -p -r1.9 port-linux.c
|
||||
--- openbsd-compat/port-linux.c 10 Sep 2010 00:30:25 -0000 1.9
|
||||
+++ openbsd-compat/port-linux.c 16 Nov 2010 05:10:13 -0000
|
||||
@@ -208,14 +208,21 @@ ssh_selinux_change_context(const char *n
|
||||
#endif /* WITH_SELINUX */
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
-#define OOM_ADJ_PATH "/proc/self/oom_adj"
|
||||
/*
|
||||
- * The magic "don't kill me", as documented in eg:
|
||||
+ * The magic "don't kill me" values, old and new, as documented in eg:
|
||||
* http://lxr.linux.no/#linux+v2.6.32/Documentation/filesystems/proc.txt
|
||||
+ * http://lxr.linux.no/#linux+v2.6.36/Documentation/filesystems/proc.txt
|
||||
*/
|
||||
-#define OOM_ADJ_NOKILL -17
|
||||
|
||||
static int oom_adj_save = INT_MIN;
|
||||
+static char *oom_adj_path = NULL;
|
||||
+struct {
|
||||
+ char *path;
|
||||
+ int value;
|
||||
+} oom_adjust[] = {
|
||||
+ {"/proc/self/oom_score_adj", -1000}, /* new values, 2.6.36 and up */
|
||||
+ {"/proc/self/oom_adj", -17}, /* old values, 2.6.35 and down */
|
||||
+};
|
||||
|
||||
/*
|
||||
* Tell the kernel's out-of-memory killer to avoid sshd.
|
||||
@@ -224,23 +231,31 @@ static int oom_adj_save = INT_MIN;
|
||||
void
|
||||
oom_adjust_setup(void)
|
||||
{
|
||||
+ int i, value;
|
||||
FILE *fp;
|
||||
|
||||
debug3("%s", __func__);
|
||||
- if ((fp = fopen(OOM_ADJ_PATH, "r+")) != NULL) {
|
||||
- if (fscanf(fp, "%d", &oom_adj_save) != 1)
|
||||
- verbose("error reading %s: %s", OOM_ADJ_PATH, strerror(errno));
|
||||
- else {
|
||||
- rewind(fp);
|
||||
- if (fprintf(fp, "%d\n", OOM_ADJ_NOKILL) <= 0)
|
||||
- verbose("error writing %s: %s",
|
||||
- OOM_ADJ_PATH, strerror(errno));
|
||||
- else
|
||||
- verbose("Set %s from %d to %d",
|
||||
- OOM_ADJ_PATH, oom_adj_save, OOM_ADJ_NOKILL);
|
||||
+ for (i = 0; i < 2; i++) {
|
||||
+ oom_adj_path = oom_adjust[i].path;
|
||||
+ value = oom_adjust[i].value;
|
||||
+ if ((fp = fopen(oom_adj_path, "r+")) != NULL) {
|
||||
+ if (fscanf(fp, "%d", &oom_adj_save) != 1)
|
||||
+ verbose("error reading %s: %s", oom_adj_path,
|
||||
+ strerror(errno));
|
||||
+ else {
|
||||
+ rewind(fp);
|
||||
+ if (fprintf(fp, "%d\n", value) <= 0)
|
||||
+ verbose("error writing %s: %s",
|
||||
+ oom_adj_path, strerror(errno));
|
||||
+ else
|
||||
+ verbose("Set %s from %d to %d",
|
||||
+ oom_adj_path, oom_adj_save, value);
|
||||
+ }
|
||||
+ fclose(fp);
|
||||
+ return;
|
||||
}
|
||||
- fclose(fp);
|
||||
}
|
||||
+ oom_adj_path = NULL;
|
||||
}
|
||||
|
||||
/* Restore the saved OOM adjustment */
|
||||
@@ -250,13 +265,14 @@ oom_adjust_restore(void)
|
||||
FILE *fp;
|
||||
|
||||
debug3("%s", __func__);
|
||||
- if (oom_adj_save == INT_MIN || (fp = fopen(OOM_ADJ_PATH, "w")) == NULL)
|
||||
+ if (oom_adj_save == INT_MIN || oom_adj_save == NULL ||
|
||||
+ (fp = fopen(oom_adj_path, "w")) == NULL)
|
||||
return;
|
||||
|
||||
if (fprintf(fp, "%d\n", oom_adj_save) <= 0)
|
||||
- verbose("error writing %s: %s", OOM_ADJ_PATH, strerror(errno));
|
||||
+ verbose("error writing %s: %s", oom_adj_path, strerror(errno));
|
||||
else
|
||||
- verbose("Set %s to %d", OOM_ADJ_PATH, oom_adj_save);
|
||||
+ verbose("Set %s to %d", oom_adj_path, oom_adj_save);
|
||||
|
||||
fclose(fp);
|
||||
return;
|
@ -1,3 +1,39 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 24 11:24:59 UTC 2011 - lchiquitto@novell.com
|
||||
|
||||
- Update to 5.7p1
|
||||
* Implement Elliptic Curve Cryptography modes for key exchange (ECDH)
|
||||
and host/user keys (ECDSA) as specified by RFC5656.
|
||||
* sftp(1)/sftp-server(8): add a protocol extension to support a hard
|
||||
link operation.
|
||||
* scp(1): Add a new -3 option to scp: Copies between two remote hosts
|
||||
are transferred through the local host.
|
||||
* ssh(1): automatically order the hostkeys requested by the client
|
||||
based on which hostkeys are already recorded in known_hosts.
|
||||
* ssh(1)/sshd(8): add a new IPQoS option to specify arbitrary
|
||||
TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
|
||||
* sftp(1): the sftp client is now significantly faster at performing
|
||||
directory listings, using OpenBSD glob(3) extensions to preserve
|
||||
the results of stat(3) operations performed in the course of its
|
||||
execution rather than performing expensive round trips to fetch
|
||||
them again afterwards.
|
||||
* ssh(1): "atomically" create the listening mux socket by binding it on
|
||||
a temporary name and then linking it into position after listen() has
|
||||
succeeded.
|
||||
* ssh(1)/sshd(8): add a KexAlgorithms knob to the client and server
|
||||
configuration to allow selection of which key exchange methods are
|
||||
used by ssh(1) and sshd(8) and their order of preference.
|
||||
* sftp(1)/scp(1): factor out bandwidth limiting code from scp(1) into
|
||||
a generic bandwidth limiter that can be attached using the atomicio
|
||||
callback mechanism and use it to add a bandwidth limit option to
|
||||
sftp(1).
|
||||
* Support building against openssl-1.0.0a.
|
||||
* Bug fixes.
|
||||
- Remove patches that are now upstream:
|
||||
* openssh-5.6p1-tmpdir.diff
|
||||
* openssh-linux-new-oomkill.patch
|
||||
- Add upstream patch to fix build with SELinux enabled.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jan 12 13:37:38 CET 2011 - sbrabec@suse.cz
|
||||
|
||||
|
12
openssh.spec
@ -1,5 +1,5 @@
|
||||
#
|
||||
# spec file for package openssh (Version 5.6p1)
|
||||
# spec file for package openssh (Version 5.7p1)
|
||||
#
|
||||
# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
#
|
||||
@ -29,8 +29,8 @@ Requires: /bin/netstat
|
||||
PreReq: pwdutils %insserv_prereq %fillup_prereq coreutils
|
||||
Conflicts: nonfreessh
|
||||
AutoReqProv: on
|
||||
Version: 5.6p1
|
||||
Release: 8
|
||||
Version: 5.7p1
|
||||
Release: 1
|
||||
%define xversion 1.2.4.1
|
||||
Summary: Secure Shell Client and Server (Remote Login Program)
|
||||
Url: http://www.openssh.com/
|
||||
@ -55,7 +55,6 @@ Patch7: %{name}-%{version}-engines.diff
|
||||
Patch8: %{name}-%{version}-blocksigalrm.diff
|
||||
Patch9: %{name}-%{version}-send_locale.diff
|
||||
Patch10: %{name}-%{version}-xauthlocalhostname.diff
|
||||
Patch11: %{name}-%{version}-tmpdir.diff
|
||||
Patch12: %{name}-%{version}-xauth.diff
|
||||
Patch14: %{name}-%{version}-default-protocol.diff
|
||||
Patch15: %{name}-%{version}-audit.patch
|
||||
@ -63,7 +62,7 @@ Patch16: %{name}-%{version}-pts.diff
|
||||
Patch17: %{name}-%{version}-homechroot.patch
|
||||
Patch18: %{name}-%{version}-sshconfig-knownhostschanges.diff
|
||||
Patch19: %{name}-%{version}-host_ident.diff
|
||||
Patch20: openssh-linux-new-oomkill.patch
|
||||
Patch20: %{name}-%{version}-selinux.diff
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
|
||||
%package askpass
|
||||
@ -101,7 +100,6 @@ Window System passphrase dialog for OpenSSH.
|
||||
%patch8
|
||||
%patch9
|
||||
%patch10
|
||||
%patch11
|
||||
%patch12
|
||||
%patch14
|
||||
%patch15 -p1
|
||||
@ -109,7 +107,7 @@ Window System passphrase dialog for OpenSSH.
|
||||
%patch17
|
||||
%patch18
|
||||
%patch19 -p1
|
||||
%patch20
|
||||
%patch20 -p1
|
||||
cp -v %{SOURCE4} .
|
||||
cp -v %{SOURCE6} .
|
||||
cd ../x11-ssh-askpass-%{xversion}
|
||||
|