From b889e699cf327193cc915d71903606f3e63cafe064cbd955dd518fbe1b0dffea Mon Sep 17 00:00:00 2001 
From: OBS User unknown
Date: Sun, 7 Jan 2007 16:26:05 +0000
Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=1
---
.gitattributes | 23 +
.gitignore | 1 +
README.SuSE | 134 +++
README.kerberos | 23 +
converter.tar.bz2 | 3 +
openssh-4.5p1-addrlist.dif | 87 ++
openssh-4.5p1-askpass-fix.diff | 72 ++
openssh-4.5p1-blocksigalrm.diff | 42 +
openssh-4.5p1-default-protocol.diff | 22 +
openssh-4.5p1-eal3.diff | 51 ++
openssh-4.5p1-engines.diff | 132 +++
openssh-4.5p1-gcc-fix.patch | 10 +
openssh-4.5p1-gssapimitm.patch | 242 ++++++
openssh-4.5p1-pam-fix2.diff | 20 +
openssh-4.5p1-pam-fix3.diff | 13 +
openssh-4.5p1-pwname-home.diff | 62 ++
openssh-4.5p1-saveargv-fix.diff | 23 +
openssh-4.5p1-send_locale.diff | 25 +
openssh-4.5p1-strict-aliasing-fix.diff | 71 ++
openssh-4.5p1-tmpdir.diff | 22 +
openssh-4.5p1-xauth.diff | 40 +
openssh-4.5p1-xauthlocalhostname.diff | 76 ++
openssh-4.5p1.dif | 45 ++
openssh-4.5p1.tar.bz2 | 3 +
openssh-SuSE.tar.bz2 | 3 +
openssh-askpass-gnome.changes | 84 ++
openssh-askpass-gnome.spec | 167 ++++
openssh-gssapi_krb5-fix.patch | 18 +
openssh.changes | 1033 ++++++++++++++++++++++++
openssh.spec | 812 +++++++++++++++++++
ready | 0
ssh-askpass | 44 +
ssh.reg | 18 +
sshd.pamd | 10 +
x11-ssh-askpass-1.2.4.1.tar.bz2 | 3 +
35 files changed, 3434 insertions(+)
create mode 100644 .gitattributes
create mode 100644 .gitignore
create mode 100644 README.SuSE
create mode 100644 README.kerberos
create mode 100644 converter.tar.bz2
create mode 100644 openssh-4.5p1-addrlist.dif
create mode 100644 openssh-4.5p1-askpass-fix.diff
create mode 100644 openssh-4.5p1-blocksigalrm.diff
create mode 100644 openssh-4.5p1-default-protocol.diff
create mode 100644 openssh-4.5p1-eal3.diff
create mode 100644 openssh-4.5p1-engines.diff
create mode 100644 openssh-4.5p1-gcc-fix.patch
create mode 100644 openssh-4.5p1-gssapimitm.patch
create mode 100644 openssh-4.5p1-pam-fix2.diff
create mode 100644 openssh-4.5p1-pam-fix3.diff
create 
mode 100644 openssh-4.5p1-pwname-home.diff
create mode 100644 openssh-4.5p1-saveargv-fix.diff
create mode 100644 openssh-4.5p1-send_locale.diff
create mode 100644 openssh-4.5p1-strict-aliasing-fix.diff
create mode 100644 openssh-4.5p1-tmpdir.diff
create mode 100644 openssh-4.5p1-xauth.diff
create mode 100644 openssh-4.5p1-xauthlocalhostname.diff
create mode 100644 openssh-4.5p1.dif
create mode 100644 openssh-4.5p1.tar.bz2
create mode 100644 openssh-SuSE.tar.bz2
create mode 100644 openssh-askpass-gnome.changes
create mode 100644 openssh-askpass-gnome.spec
create mode 100644 openssh-gssapi_krb5-fix.patch
create mode 100644 openssh.changes
create mode 100644 openssh.spec
create mode 100644 ready
create mode 100644 ssh-askpass
create mode 100644 ssh.reg
create mode 100644 sshd.pamd
create mode 100644 x11-ssh-askpass-1.2.4.1.tar.bz2
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/README.SuSE b/README.SuSE
new file mode 100644
index 0000000..5f3ec3e
--- /dev/null
+++ b/README.SuSE
@@ -0,0 +1,134 @@ + + Dear users, + + +This is OpenSSH version 4.4p1. + +There is a very important change in sshd with SuSE Linux 9.1: + +The "gssapi" support has been replaced with the "gssapi-with-mic" to fix +possible MITM attacks (to enable support for the deprecated 'gssapi' +authentication set GSSAPIEnableMITMAttack to 'yes'). These two versions +are not compatible. The option GSSAPICleanupCreds is obsoleted, use +GSSAPICleanupCredentials instead. + +We disabled the new feature 'untrusted cookies' by default because it brings a +lot of problems. If you like to enable it, set ForwardX11Trusted to 'no' in +ssh_config. + +The option UsePrivilegeSeparation was reverted to 'yes' because the problematic +calling of PAM modules in this mode was fixed. + +The option KeepAlive has been obsoleted, use TCPKeepAlive instead. + +There is an important change in sshd with SuSE Linux 9.0: + +The value of option ChallengeResponseAuthentication is reverted to default +value yes, which is necessary for PAM authentication. + +I this OpenSSH version is removed kerberos support from protocol SSH1, +since it has been replaced with GSSAPI, but keeps kerberos password +authentication for protocols SSH1 and SSH2. To enable Kerberos authentication +read README.kerberos file. + +Important change in sshd with SuSE Linux 8.1 is that sshd X11 forwarding listens +on localhost by default. See sshd X11UseLocalhost option to revert to prior +behaviour if your older X11 clients do not function with this configuration. + +The package openssh was splitted to openssh and the new package askpass. + +OpenSSH supports two protocol versions (SSH1 and SSH2) which need to be +configured differently. +Protocol version 1 is the old protocol and protocol version 2 is the new +protocol that has several advantages from the security point of view. + +Please note that the default ssh protocol version has been changed to +version 2 with SuSE Linux 8.0. 
+ +The change of the default protocol version brings one important change for +users who use identity keys for remote login with passphrases. + +(Please note the difference: 'password' means a system password on a +given machine. The term 'passphrase', however, is usually used for the +string that an ssh private key is protected (encrypted) with.) + +Protocol version 1 uses the key from file ~/.ssh/identity and compares +it with keys from file ~/.ssh/authorized_keys on the remote machine. + +Protocol version 2 uses keys from files ~/.ssh/id_rsa or ~/.ssh/id_dsa +and they are compared with keys from file ~/.ssh/authorized_keys. +Note: Servers with OpenSSH < 2.9.9p1 use ~/.ssh/authorized_keys2 instead. + +If you don't want to switch to protocol version 2 now, add a line saying +"Protocol 1,2" to /etc/ssh/ssh_config of the SuSE Linux 8.0 system to +retain the old ssh behaviour. + +How to convert your environment to protocol version 2: + +1) Creating the necessary identity keys for protocol version 2: + + There are two ways: + + A) You can use your old keys for protocol 1, but you have to convert them + to the format of protocol 2. + This can be done with the tool ssh-keyconverter: + + Every user that will use protocol version 2 needs to do this: + + cd ~/.ssh + ssh-keyconverter -k identity + - at this point you will be asked for the passphrase of ~/.ssh/identity + ssh-keyconverter -a authorized_keys + + If OpenSSH < 2.9.9p1 is used on the server: + + grep ssh- authorized_keys >>authorized_keys2 + + To enable login to other users with the converted protocol version 2 keys, + the other user has to add the new ~/.ssh/id_rsa.pub to his authorized keys. + + You can do this by script by forcing version 1 with the -1 switch: + + for host in .... 
; do + ssh -1 user@$host 'cat >> .ssh/authorized_keys' < ~/.ssh/id_rsa.pub + ssh -1 user@$host 'cat >> .ssh/authorized_keys2' < ~/.ssh/id_rsa.pub + done + + + B) You can generate new keys for protocol 2 by "ssh-keygen -t rsa" or + "ssh-keygen -t dsa", then add id_rsa.pub (or id_dsa.pub) to + authorized_keys2 and copy authorized_keys2 to the remote machine. See + "man ssh" and "man ssh-keygen" for more info. + + +2) Handling of protocol version 2 with ssh-agent and ssh-add: + +If you continue to use protocol version 1, there is nothing to do because +the default identity is still ~/.ssh/identity. + +For protocol version 2, you have to pass the correct file (~/.ssh/id_rsa or +~/.ssh/id_dsa) to ssh-add. To support the version 1 key and the version 2 +key you have to add both keys. Example: + + eval `ssh-agent -s` + ssh-add ~/.ssh/identity ~/.ssh/id_rsa + +This will add your version 1 and version 2 keys and if they have the same +passphrase, you only have to type it once. + +Other changes: + +The OpenSSH handling of ssh-add/ssh-askpass is solved different as +with OpenSSH 2.x You don't need to call ssh-askpass any longer. If +ssh-add is called and doesn't have a real TTY, it will launch +/usr/lib/ssh/ssh-askpass itself. Make sure that the DISPLAY variable +is always set correctly. + +If you want to use ssh-agent under X windows, just edit the file .xsession +in your home directory and change usessh="no" to usessh="yes". After +logining in you only need to start ssh-add by hand, click or startup script. + +If you want to use ssh-agent with startx, add the example above to your +~/.xinitrc before the window manager is started. + + Your SuSE Team diff --git a/README.kerberos b/README.kerberos new file mode 100644 index 0000000..19fa209 --- /dev/null +++ b/README.kerberos 
@@ -0,0 +1,23 @@
+
+This version of the Kerbros/GSSAPI support avoids DNS lookups
+for Kerberos-related names. These DNS lookups were problematic
+for dialup users because they would lead to excessive delays
+if DNS was not reachable.
+
+In order to disable these lookups, I had to change the default
+configuration, disabling GSSAPI authentication.
+
+If you do use Kerberos, please make sure you edit the server and
+client configuration files as follows:
+
+/etc/ssh/sshd_config:
+
+ GSSAPIAuthentication yes
+ GSSAPICleanupCredentials yes
+
+/etc/ssh/ssh_config:
+ Host *
+ ... lots of other options ...
+ GSSAPIAuthentication yes
+ GSSAPIDelegateCredentials yes
+
diff --git a/converter.tar.bz2 b/converter.tar.bz2
new file mode 100644
index 0000000..7a6af80
--- /dev/null
+++ b/converter.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:da7ff204375259aef8aaf3ad89c7f311134354fe0129cddce927de5d4f7ab349
+size 4792
diff --git a/openssh-4.5p1-addrlist.dif b/openssh-4.5p1-addrlist.dif
new file mode 100644
index 0000000..56b54d9
--- /dev/null
+++ b/openssh-4.5p1-addrlist.dif
@@ -0,0 +1,87 @@
+--- sshd.c
++++ sshd.c
+@@ -253,6 +253,62 @@
+
+ static void do_ssh1_kex(void);
+ static void do_ssh2_kex(void);
++char * isaddr(struct addrinfo *addr, char *name);
++void remove_duplicities(struct addrinfo *addr, char *port);
++
++/*
++ * returns port if addr equals name
++ */
++
++char*
++isaddr(struct addrinfo *addr, char *name)
++{
++ char ntop[NI_MAXHOST];
++ char *strport;
++
++ strport = (char*) malloc(NI_MAXSERV+1);
++ if (getnameinfo(addr->ai_addr, addr->ai_addrlen,
++ ntop, sizeof(ntop), strport, sizeof(strport),
++ NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
++ error("getnameinfo failed");
++ free(strport);
++ return NULL;
++ }
++ if (!strcmp(ntop,name))
++ return strport;
++ else{
++ free(strport);
++ return NULL;
++ }
++
++}
++
++/*
++ * it removes all "0.0.0.0" elements with given port
++ * from the list
++ */
++
++void
++remove_duplicities(struct addrinfo *ai_start, char *port)
++{
++ struct addrinfo *ai, *ai1, *aiprev, *ainext;
++ char *port1;
++
++ aiprev=ai_start;
++ for (ai = ai_start->ai_next; ai; ai = ainext) {
++ ainext = ai->ai_next;
++ port1 = isaddr(ai, "0.0.0.0");
++ if (port1 && !strcmp(port,port1)){
++ aiprev->ai_next = ainext;
++ free(ai);
++ free(port1);
++ } else {
++ if (port1)
++ free(port1);
++ aiprev = ai;
++ }
++ }
++}
+
+ /*
+ * Close all listening sockets
+@@ -941,6 +997,7 @@
+ int ret, listen_sock, on = 1;
+ struct addrinfo *ai;
+ char ntop[NI_MAXHOST], strport[NI_MAXSERV];
++ char *port;
+
+ for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
+ if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
+@@ -986,6 +1043,13 @@
+ continue;
+ }
+ listen_socks[num_listen_socks] = listen_sock;
++
++ port = isaddr(ai,"::");
++ if (port) {
++ remove_duplicities(ai, port);
++ free(port);
++ }
++
+ num_listen_socks++;
+
+ /* Start listening on the port. */
diff --git a/openssh-4.5p1-askpass-fix.diff b/openssh-4.5p1-askpass-fix.diff
new file mode 100644
index 0000000..8722163
--- /dev/null
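Review bot: In isaddr() the service buffer length handed to getnameinfo() is `sizeof(strport)`, but strport is a `char *` that was malloc'd with NI_MAXSERV+1 bytes, so the call receives the size of a pointer rather than of the buffer and port strings longer than that make the lookup fail (the "getnameinfo failed" path) or be cut short; pass the allocated length: `ntop, sizeof(ntop), strport, NI_MAXSERV+1,`. remove_duplicities() then drops a matched node with `free(ai)`, which is only safe if every node of the getaddrinfo() list is a single allocation; portable code unlinks the node and leaves the memory to freeaddrinfo() on the whole list, otherwise ai_addr and ai_canonname can leak or be double-freed later. The local `ai1` is declared and never used. Since isaddr() returns heap memory the caller must free, that contract belongs in its header comment, e.g. `/* returns a malloc'd port string (caller frees) if addr equals name, else NULL */`.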
+++ b/openssh-4.5p1-askpass-fix.diff 
@@ -0,0 +1,72 @@ +--- x11-ssh-askpass.c ++++ x11-ssh-askpass.c +@@ -1301,7 +1301,7 @@ + } + } + +-Bool eventIsInsideButton(AppInfo *app, XEvent *event, ButtonInfo button) ++Bool eventIsInsideButton(AppInfo *app, ButtonInfo button, XEvent *event) + { + /* 'gcc -Wall' complains about 'app' being an unused parameter. + * Tough. We might want to use it later, and then we don't have +@@ -1343,11 +1343,11 @@ + return; + } + if (ButtonPress == event->type) { +- if (eventIsInsideButton(app, event, d->okButton)) { ++ if (eventIsInsideButton(app, d->okButton, event)) { + d->pressedButton = OK_BUTTON; + d->okButton.pressed = True; + paintButton(app, d->dialogWindow, d->okButton); +- } else if (eventIsInsideButton(app, event, d->cancelButton)) { ++ } else if (eventIsInsideButton(app, d->cancelButton, event)) { + d->pressedButton = CANCEL_BUTTON; + d->cancelButton.pressed = True; + paintButton(app, d->dialogWindow, d->cancelButton); +@@ -1356,7 +1356,7 @@ + } + } else if (ButtonRelease == event->type) { + if (OK_BUTTON == d->pressedButton) { +- if (eventIsInsideButton(app, event, d->okButton)) { ++ if (eventIsInsideButton(app, d->okButton, event)) { + acceptAction(app); + } else { + if (d->okButton.pressed) { +@@ -1365,7 +1365,7 @@ + } + } + } else if (CANCEL_BUTTON == d->pressedButton) { +- if (eventIsInsideButton(app, event, d->cancelButton)) { ++ if (eventIsInsideButton(app, d->cancelButton, event)) { + cancelAction(app); + } else { + if (d->cancelButton.pressed) { +@@ -1385,7 +1385,7 @@ + if (NO_BUTTON == d->pressedButton) { + return; + } else if (OK_BUTTON == d->pressedButton) { +- if (eventIsInsideButton(app, event, d->okButton)) { ++ if (eventIsInsideButton(app, d->okButton, event)) { + if (!(d->okButton.pressed)) { + d->okButton.pressed = True; + paintButton(app, d->dialogWindow, d->okButton); +@@ -1397,7 +1397,7 @@ + } + } + } else if (CANCEL_BUTTON == d->pressedButton) { +- if (eventIsInsideButton(app, event, d->cancelButton)) { ++ if (eventIsInsideButton(app, 
d->cancelButton, event)) { + if (!(d->cancelButton.pressed)) { + d->cancelButton.pressed = True; + paintButton(app, d->dialogWindow, d->cancelButton); +--- x11-ssh-askpass.h ++++ x11-ssh-askpass.h +@@ -258,7 +258,7 @@ + void addToPassphrase(AppInfo *app, char c); + + void handleKeyPress(AppInfo *app, XEvent *event); +-Bool eventIsInsideButton(AppInfo *app, XEvent *event, ButtonInfo button); ++Bool eventIsInsideButton(AppInfo *app, ButtonInfo button, XEvent *event); + void handleButtonPress(AppInfo *app, XEvent *event); + void handlePointerMotion(AppInfo *app, XEvent *event); + diff --git a/openssh-4.5p1-blocksigalrm.diff b/openssh-4.5p1-blocksigalrm.diff new file mode 100644 index 0000000..96d81b0 --- /dev/null +++ b/openssh-4.5p1-blocksigalrm.diff @@ -0,0 +1,42 @@ +--- log.c ++++ log.c +@@ -50,6 +50,7 @@ + + #include "xmalloc.h" + #include "log.h" ++#include + + static LogLevel log_level = SYSLOG_LEVEL_INFO; + static int log_on_stderr = 1; +@@ -313,6 +314,7 @@ + char fmtbuf[MSGBUFSIZ]; + char *txt = NULL; + int pri = LOG_INFO; ++ sigset_t nset, oset; + + if (level > log_level) + return; +@@ -351,6 +353,15 @@ + pri = LOG_ERR; + break; + } ++ /* Prevent a race between the grace_alarm ++ * which writes a log message and terminates ++ * and main sshd code that leads to deadlock ++ * as syslog is not async safe. ++ */ ++ sigemptyset(&nset); ++ sigaddset(&nset, SIGALRM); ++ sigprocmask(SIG_BLOCK, &nset, &oset); ++ + if (txt != NULL) { + snprintf(fmtbuf, sizeof(fmtbuf), "%s: %s", txt, fmt); + vsnprintf(msgbuf, sizeof(msgbuf), fmtbuf, args); +@@ -372,5 +383,7 @@ + syslog(pri, "%.500s", fmtbuf); + closelog(); + #endif ++ ++ sigprocmask(SIG_SETMASK, &oset, NULL); + } + } diff --git a/openssh-4.5p1-default-protocol.diff b/openssh-4.5p1-default-protocol.diff new file mode 100644 index 0000000..8a99443 --- /dev/null +++ b/openssh-4.5p1-default-protocol.diff 
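Review bot: In openssh-4.5p1-blocksigalrm.diff the restoring `sigprocmask(SIG_SETMASK, &oset, NULL);` is added before the first of the two closing braces that end the hunk, i.e. inside the block that contains the syslog()/closelog() calls, while the SIG_BLOCK call sits before the `if (txt != NULL)` branch that every log path runs through; if the surrounding structure is the usual `if (log_on_stderr) {...} else {...}`, a process logging to stderr leaves SIGALRM blocked after its first message and the alarm-driven grace timeout never fires. The restore should be moved after that brace so it runs on both paths, and the #include line of this hunk appears with no header name in this rendering, which is worth checking in the patch file. The enclosing do_log() body starts outside the hunk.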
@@ -0,0 +1,22 @@ +--- ssh_config ++++ ssh_config +@@ -46,7 +46,7 @@ + # IdentityFile ~/.ssh/id_rsa + # IdentityFile ~/.ssh/id_dsa + # Port 22 +-# Protocol 2,1 ++ Protocol 2 + # Cipher 3des + # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc + # EscapeChar ~ +--- sshd_config ++++ sshd_config +@@ -11,7 +11,7 @@ + # default value. + + #Port 22 +-#Protocol 2,1 ++Protocol 2 + #AddressFamily any + #ListenAddress 0.0.0.0 + #ListenAddress :: diff --git a/openssh-4.5p1-eal3.diff b/openssh-4.5p1-eal3.diff new file mode 100644 index 0000000..1117294 --- /dev/null +++ b/openssh-4.5p1-eal3.diff @@ -0,0 +1,51 @@ +--- openssh-4.5p1/sshd.8 ++++ openssh-4.5p1/sshd.8 +@@ -739,7 +739,7 @@ + The file format is described in + .Xr moduli 5 . + .Pp +-.It /etc/motd ++.It /etc/lib/motd + See + .Xr motd 5 . + .Pp +@@ -752,7 +752,7 @@ + refused. + The file should be world-readable. + .Pp +-.It /etc/shosts.equiv ++.It /etc/ssh/shosts.equiv + This file is used in exactly the same way as + .Pa hosts.equiv , + but allows host-based authentication without permitting login with +@@ -828,8 +828,7 @@ + .Xr ssh-keygen 1 , + .Xr chroot 2 , + .Xr hosts_access 5 , +-.Xr login.conf 5 , +-.Xr moduli 5 , ++.Xr login.defs 5 , + .Xr sshd_config 5 , + .Xr inetd 8 , + .Xr sftp-server 8 +--- openssh-4.5p1/sshd_config.5 ++++ openssh-4.5p1/sshd_config.5 +@@ -169,9 +169,6 @@ + By default, no banner is displayed. + .It Cm ChallengeResponseAuthentication + Specifies whether challenge-response authentication is allowed. +-All authentication styles from +-.Xr login.conf 5 +-are supported. + The default is + .Dq yes . + .It Cm Ciphers +@@ -384,7 +381,7 @@ + .Pp + .Pa /etc/hosts.equiv + and +-.Pa /etc/shosts.equiv ++.Pa /etc/ssh/shosts.equiv + are still used. + The default is + .Dq yes . diff --git a/openssh-4.5p1-engines.diff b/openssh-4.5p1-engines.diff new file mode 100644 index 0000000..6aa8f20 --- /dev/null +++ b/openssh-4.5p1-engines.diff 
@@ -0,0 +1,132 @@ +# Load drivers for available hardware crypto accelerators. +# -- mludvig@suse.cz +Index: openssh-3.8p1/ssh-add.c +================================================================================ +--- openssh-4.5p1/ssh-add.c ++++ openssh-4.5p1/ssh-add.c +@@ -42,6 +42,7 @@ + #include + + #include ++#include + + #include + #include +@@ -343,6 +344,10 @@ + + SSLeay_add_all_algorithms(); + ++ /* Init available hardware crypto engines. */ ++ ENGINE_load_builtin_engines(); ++ ENGINE_register_all_complete(); ++ + /* At first, get a connection to the authentication agent. */ + ac = ssh_get_authentication_connection(); + if (ac == NULL) { +--- openssh-4.5p1/ssh-agent.c ++++ openssh-4.5p1/ssh-agent.c +@@ -51,6 +51,7 @@ + + #include + #include ++#include + + #include + #include +@@ -1044,6 +1045,10 @@ + + SSLeay_add_all_algorithms(); + ++ /* Init available hardware crypto engines. */ ++ ENGINE_load_builtin_engines(); ++ ENGINE_register_all_complete(); ++ + __progname = ssh_get_progname(av[0]); + init_rng(); + seed_rng(); +--- openssh-4.5p1/ssh-keygen.c ++++ openssh-4.5p1/ssh-keygen.c +@@ -21,6 +21,7 @@ + + #include + #include ++#include + + #include + #include +@@ -1074,6 +1075,11 @@ + __progname = ssh_get_progname(av[0]); + + SSLeay_add_all_algorithms(); ++ ++ /* Init available hardware crypto engines. */ ++ ENGINE_load_builtin_engines(); ++ ENGINE_register_all_complete(); ++ + log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); + + init_rng(); +--- openssh-4.5p1/ssh-keysign.c ++++ openssh-4.5p1/ssh-keysign.c +@@ -38,6 +38,7 @@ + #include + #include + #include ++#include + + #include "xmalloc.h" + #include "log.h" +@@ -195,6 +196,11 @@ + fatal("could not open any host key"); + + SSLeay_add_all_algorithms(); ++ ++ /* Init available hardware crypto engines. 
*/ ++ ENGINE_load_builtin_engines(); ++ ENGINE_register_all_complete(); ++ + for (i = 0; i < 256; i++) + rnd[i] = arc4random(); + RAND_seed(rnd, sizeof(rnd)); +--- openssh-4.5p1/ssh.c ++++ openssh-4.5p1/ssh.c +@@ -72,6 +72,7 @@ + + #include + #include ++#include + + #include "xmalloc.h" + #include "ssh.h" +@@ -556,6 +557,10 @@ + SSLeay_add_all_algorithms(); + ERR_load_crypto_strings(); + ++ /* Init available hardware crypto engines. */ ++ ENGINE_load_builtin_engines(); ++ ENGINE_register_all_complete(); ++ + /* Initialize the command to execute on remote host. */ + buffer_init(&command); + +--- openssh-4.5p1/sshd.c ++++ openssh-4.5p1/sshd.c +@@ -75,6 +75,7 @@ + #include + #include + #include ++#include + #ifdef HAVE_SECUREWARE + #include + #include +@@ -1444,6 +1445,10 @@ + + SSLeay_add_all_algorithms(); + ++ /* Init available hardware crypto engines. */ ++ ENGINE_load_builtin_engines(); ++ ENGINE_register_all_complete(); ++ + /* + * Force logging to stderr until we have loaded the private host + * key (unless started from inetd) diff --git a/openssh-4.5p1-gcc-fix.patch b/openssh-4.5p1-gcc-fix.patch new file mode 100644 index 0000000..17f02cc --- /dev/null +++ b/openssh-4.5p1-gcc-fix.patch @@ -0,0 +1,10 @@ +--- scard-opensc.c ++++ scard-opensc.c +@@ -31,6 +31,7 @@ + #include + #include + ++#include + #include + + #include diff --git a/openssh-4.5p1-gssapimitm.patch b/openssh-4.5p1-gssapimitm.patch new file mode 100644 index 0000000..b755f84 --- /dev/null +++ b/openssh-4.5p1-gssapimitm.patch 
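Review bot: The identical block `ENGINE_load_builtin_engines(); ENGINE_register_all_complete();` is pasted into six programs (ssh-add.c, ssh-agent.c, ssh-keygen.c, ssh-keysign.c, ssh.c, sshd.c); one helper such as `void ssh_init_engines(void)` in a shared compat source would keep each call site to one line and give a single place for an ENGINE_cleanup() at exit, which none of the hunks add. ENGINE_register_all_complete() lets any registered engine become the implementation for the algorithms it claims, so in ssh-keysign.c, which handles the host private keys and is usually installed set-uid, the hunk deserves a comment saying that engine selection is deliberately left to OpenSSL's defaults, e.g. `/* Engines registered here may serve the host-key operations below; selection follows OpenSSL defaults. */`.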
@@ -0,0 +1,242 @@ +The patch below adds support for the deprecated 'gssapi' authentication +mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included +in this release. The use of 'gssapi' is deprecated due to the presence of +potential man-in-the-middle attacks, which 'gssapi-with-mic' is not +susceptible to. + +To use the patch apply it to a OpenSSH 3.8p1 source tree. After compiling, +backwards compatibility may be obtained by supplying the +'GssapiEnableMitmAttack yes' option to either the client or server. + +It should be noted that this patch is being made available purely as a means +of easing the process of moving to OpenSSH 3.8p1. Any new installations are +recommended to use the 'gssapi-with-mic' mechanism. Existing installations +are encouraged to upgrade as soon as possible. + +Index: auth2-gss.c +================================================================================ +--- auth2-gss.c ++++ auth2-gss.c +@@ -177,6 +177,15 @@ + dispatch_set( + SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, + &input_gssapi_exchange_complete); ++ ++ /* ++ * Old style 'gssapi' didn't have the GSSAPI_MIC ++ * and went straight to sending exchange_complete ++ */ ++ if (options.gss_enable_mitm) ++ dispatch_set( ++ SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, ++ &input_gssapi_exchange_complete); + } + } + +@@ -298,4 +307,10 @@ + &options.gss_authentication + }; + ++Authmethod method_gssapi_old = { ++ "gssapi", ++ userauth_gssapi, ++ &options.gss_enable_mitm ++}; ++ + #endif /* GSSAPI */ +--- auth2.c ++++ auth2.c +@@ -65,6 +65,7 @@ + extern Authmethod method_hostbased; + #ifdef GSSAPI + extern Authmethod method_gssapi; ++extern Authmethod method_gssapi_old; + #endif + + Authmethod *authmethods[] = { +@@ -72,6 +73,7 @@ + &method_pubkey, + #ifdef GSSAPI + &method_gssapi, ++ &method_gssapi_old, + #endif + &method_passwd, + &method_kbdint, +--- readconf.c ++++ readconf.c +@@ -126,7 +126,7 @@ + oHostKeyAlgorithms, oBindAddress, oSmartcardDevice, + 
oClearAllForwardings, oNoHostAuthenticationForLocalhost, + oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, +- oAddressFamily, oGssAuthentication, oGssDelegateCreds, ++ oAddressFamily, oGssAuthentication, oGssDelegateCreds, oGssEnableMITM, + oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, + oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, + oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, +@@ -164,9 +164,11 @@ + #if defined(GSSAPI) + { "gssapiauthentication", oGssAuthentication }, + { "gssapidelegatecredentials", oGssDelegateCreds }, ++ { "gssapienablemitmattack", oGssEnableMITM }, + #else + { "gssapiauthentication", oUnsupported }, + { "gssapidelegatecredentials", oUnsupported }, ++ { "gssapienablemitmattack", oUnsupported }, + #endif + { "fallbacktorsh", oDeprecated }, + { "usersh", oDeprecated }, +@@ -445,6 +447,10 @@ + case oGssDelegateCreds: + intptr = &options->gss_deleg_creds; + goto parse_flag; ++ ++ case oGssEnableMITM: ++ intptr = &options->gss_enable_mitm; ++ goto parse_flag; + + case oBatchMode: + intptr = &options->batch_mode; +@@ -1012,6 +1018,7 @@ + options->challenge_response_authentication = -1; + options->gss_authentication = -1; + options->gss_deleg_creds = -1; ++ options->gss_enable_mitm = -1; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->kbd_interactive_devices = NULL; +@@ -1102,6 +1109,8 @@ + options->gss_authentication = 0; + if (options->gss_deleg_creds == -1) + options->gss_deleg_creds = 0; ++ if (options->gss_enable_mitm == -1) ++ options->gss_enable_mitm = 0; + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +--- readconf.h ++++ readconf.h +@@ -45,6 +45,7 @@ + /* Try S/Key or TIS, authentication. 
*/ + int gss_authentication; /* Try GSS authentication */ + int gss_deleg_creds; /* Delegate GSS credentials */ ++ int gss_enable_mitm; /* Enable old style gssapi auth */ + int password_authentication; /* Try password + * authentication. */ + int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ +--- servconf.c ++++ servconf.c +@@ -91,6 +91,7 @@ + options->kerberos_get_afs_token = -1; + options->gss_authentication=-1; + options->gss_cleanup_creds = -1; ++ options->gss_enable_mitm = -1; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->challenge_response_authentication = -1; +@@ -206,6 +207,8 @@ + options->gss_authentication = 0; + if (options->gss_cleanup_creds == -1) + options->gss_cleanup_creds = 1; ++ if (options->gss_enable_mitm == -1) ++ options->gss_enable_mitm = 0; + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +@@ -290,7 +293,7 @@ + sBanner, sUseDNS, sHostbasedAuthentication, + sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, + sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, +- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, ++ sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssEnableMITM, + sMatch, sPermitOpen, sForceCommand, + sUsePrivilegeSeparation, + sDeprecated, sUnsupported +@@ -351,9 +354,11 @@ + #ifdef GSSAPI + { "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL }, + { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, ++ { "gssapienablemitmattack", sGssEnableMITM }, + #else + { "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL }, + { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, ++ { "gssapienablemitmattack", sUnsupported }, + #endif + { "passwordauthentication", sPasswordAuthentication, SSHCFG_GLOBAL }, + { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_GLOBAL }, +@@ -877,6 
+882,10 @@ + case sGssCleanupCreds: + intptr = &options->gss_cleanup_creds; + goto parse_flag; ++ ++ case sGssEnableMITM: ++ intptr = &options->gss_enable_mitm; ++ goto parse_flag; + + case sPasswordAuthentication: + intptr = &options->password_authentication; +--- servconf.h ++++ servconf.h +@@ -88,6 +88,7 @@ + * authenticated with Kerberos. */ + int gss_authentication; /* If true, permit GSSAPI authentication */ + int gss_cleanup_creds; /* If true, destroy cred cache on logout */ ++ int gss_enable_mitm; /* If true, enable old style GSSAPI */ + int password_authentication; /* If true, permit password + * authentication. */ + int kbd_interactive_authentication; /* If true, permit */ +--- ssh_config ++++ ssh_config +@@ -53,3 +53,13 @@ + # Tunnel no + # TunnelDevice any:any + # PermitLocalCommand no ++# GSSAPIAuthentication no ++# GSSAPIDelegateCredentials no ++ ++# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication ++# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included ++# in this release. The use of 'gssapi' is deprecated due to the presence of ++# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to. 
++# GSSAPIEnableMITMAttack no ++ ++>>>>>>> +--- sshconnect2.c ++++ sshconnect2.c +@@ -242,6 +242,10 @@ + userauth_gssapi, + &options.gss_authentication, + NULL}, ++ {"gssapi", ++ userauth_gssapi, ++ &options.gss_enable_mitm, ++ NULL}, + #endif + {"hostbased", + userauth_hostbased, +@@ -576,7 +580,9 @@ + + if (status == GSS_S_COMPLETE) { + /* send either complete or MIC, depending on mechanism */ +- if (!(flags & GSS_C_INTEG_FLAG)) { ++ ++ if (strcmp(authctxt->method->name,"gssapi")==0 || ++ (!(flags & GSS_C_INTEG_FLAG))) { + packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE); + packet_send(); + } else { +--- sshd_config ++++ sshd_config +@@ -69,6 +69,13 @@ + #GSSAPIAuthentication no + #GSSAPICleanupCredentials yes + ++# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication ++# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included ++# in this release. The use of 'gssapi' is deprecated due to the presence of ++# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to. ++#GSSAPIEnableMITMAttack no ++ ++ + # Set this to 'yes' to enable PAM authentication, account processing, + # and session processing. If this is enabled, PAM authentication will + # be allowed through the ChallengeResponseAuthentication and diff --git a/openssh-4.5p1-pam-fix2.diff b/openssh-4.5p1-pam-fix2.diff new file mode 100644 index 0000000..6122a4a --- /dev/null +++ b/openssh-4.5p1-pam-fix2.diff 
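Review bot: The ssh_config hunk of this patch ends with a bare `>>>>>>>` line (`++>>>>>>>`), a merge-conflict marker that is installed into the shipped ssh_config; openssh-4.5p1-send_locale.diff later uses that same line as its removal context, so the two patches only apply in this exact order and one bug masks the other. Drop the marker here and anchor send_locale.diff on `# GSSAPIEnableMITMAttack no` instead. In servconf.c both `"gssapienablemitmattack"` keyword entries omit the third initializer that every neighbouring entry carries, so their flags field is zero and the option is classified differently from the other GSSAPI keywords; they should read `{ "gssapienablemitmattack", sGssEnableMITM, SSHCFG_GLOBAL },` and `{ "gssapienablemitmattack", sUnsupported, SSHCFG_GLOBAL },`. The comment blocks added to ssh_config and sshd_config still say "OpenSSH 3.8p1", which is stale in a 4.5p1 package.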
@@ -0,0 +1,20 @@
+--- sshd_config
++++ sshd_config
+@@ -53,7 +53,7 @@
+ #IgnoreRhosts yes
+
+ # To disable tunneled clear text passwords, change to no here!
+-#PasswordAuthentication yes
++PasswordAuthentication no
+ #PermitEmptyPasswords no
+
+ # Change to no to disable s/key passwords
+@@ -78,7 +78,7 @@
+ # If you just want the PAM account and session checks to run without
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and ChallengeResponseAuthentication to 'no'.
+-#UsePAM no
++UsePAM yes
+
+ #AllowTcpForwarding yes
+ #GatewayPorts no
diff --git a/openssh-4.5p1-pam-fix3.diff b/openssh-4.5p1-pam-fix3.diff
new file mode 100644
index 0000000..da7bb7f
--- /dev/null
+++ b/openssh-4.5p1-pam-fix3.diff
@@ -0,0 +1,13 @@
+--- auth-pam.c
++++ auth-pam.c
+@@ -785,7 +785,9 @@
+ fatal("Internal error: PAM auth "
+ "succeeded when it should have "
+ "failed");
+- import_environments(&buffer);
++#ifndef USE_POSIX_THREADS
++ import_environments(&buffer);
++#endif
+ *num = 0;
+ **echo_on = 0;
+ ctxt->pam_done = 1;
diff --git a/openssh-4.5p1-pwname-home.diff b/openssh-4.5p1-pwname-home.diff
new file mode 100644
index 0000000..024ede3
--- /dev/null
+++ b/openssh-4.5p1-pwname-home.diff
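Review bot: The sshd_config hunk in openssh-4.5p1-pam-fix2.diff sets `PasswordAuthentication no` directly under the comment `# To disable tunneled clear text passwords, change to no here!`, yet with `UsePAM yes` and ChallengeResponseAuthentication left at the default that README.SuSE says is yes, passwords are still accepted through PAM's keyboard-interactive path, so the comment now promises an effect the setting does not have. A line above the directive such as `# Password logins are handled by PAM via keyboard-interactive; see UsePAM and ChallengeResponseAuthentication below.` would stop administrators from reading the `no` as "password login disabled".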
@@ -0,0 +1,62 @@
+--- openssh-4.5p1/misc.c
++++ openssh-4.5p1/misc.c
+@@ -186,6 +186,29 @@
+ return (old);
+ }
+
++struct passwd *getpwuid_wh(uid_t uid) {
++ /* Return the password structure by lookup of the username in $ENV{USER},
++ but only when the UID matches a lookup-by-uid so as to not allow using
++ another users' .ssh files in case this function be used in superuser
++ context. */
++
++ const char *user = getenv("USER");
++ struct passwd *pe_nam, *pe_uid;
++
++ if(user == NULL || (pe_nam = getpwnam(user)) == NULL) {
++ return getpwuid(uid);
++ }
++
++ pe_nam = pwcopy(pe_nam);
++ if((pe_uid = getpwuid(uid)) == NULL || pe_nam->pw_uid != pe_uid->pw_uid) {
++ free(pe_nam);
++ return pe_uid;
++ }
++
++ free(pe_nam); // - need to return a non-pwcopy struct
++ return getpwnam(user);
++}
++
+ struct passwd *
+ pwcopy(struct passwd *pw)
+ {
+@@ -524,7 +547,7 @@
+ user[slash] = '\0';
+ if ((pw = getpwnam(user)) == NULL)
+ fatal("tilde_expand_filename: No such user %s", user);
+- } else if ((pw = getpwuid(uid)) == NULL) /* ~/path */
++ } else if ((pw = getpwuid_wh(uid)) == NULL) /* ~/path */
+ fatal("tilde_expand_filename: No such uid %d", uid);
+
+ if (strlcpy(ret, pw->pw_dir, sizeof(ret)) >= sizeof(ret))
+--- openssh-4.5p1/misc.h
++++ openssh-4.5p1/misc.h
+@@ -34,6 +34,7 @@
+ char *tohex(const void *, size_t);
+ void sanitise_stdfd(void);
+
++struct passwd *getpwuid_wh(uid_t);
+ struct passwd *pwcopy(struct passwd *);
+
+ typedef struct arglist arglist;
+--- openssh-4.5p1/ssh.c
++++ openssh-4.5p1/ssh.c
+@@ -249,7 +249,7 @@
+ }
+ #endif
+ /* Get user data. */
+- pw = getpwuid(original_real_uid);
++ pw = getpwuid_wh(original_real_uid);
+ if (!pw) {
+ logit("You don't exist, go away!");
+ exit(255);
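Review bot: getpwuid_wh() releases the pwcopy() result with a bare `free(pe_nam)` on both exit paths; if pwcopy() duplicates the string members (pw_name, pw_dir and so on), as the OpenSSH helper of that name does, those strings leak on every call, and the copy exists only to keep pe_nam->pw_uid valid across the following getpwuid(). Remembering the uid avoids the copy and the frees altogether: replace `pe_nam = pwcopy(pe_nam);` with `uid_t nam_uid = pe_nam->pw_uid;`, compare `nam_uid != pe_uid->pw_uid`, and drop both `free(pe_nam);` lines. The closing `return getpwnam(user);` repeats a lookup whose second result is not checked for NULL; the callers shown fatal() or exit on NULL, so it is tolerable, but a comment saying the static buffer was clobbered by getpwuid() and must be refetched would explain the double lookup. The `//` comment and `if(` spacing also depart from the surrounding OpenSSH C style.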
@@ -0,0 +1,23 @@ +--- sshd.c ++++ sshd.c +@@ -358,6 +358,7 @@ + static void + sighup_restart(void) + { ++ int i; + logit("Received SIGHUP; restarting."); + close_listen_socks(); + close_startup_pipes(); +@@ -1317,7 +1318,11 @@ + #ifndef HAVE_SETPROCTITLE + /* Prepare for later setproctitle emulation */ + compat_init_setproctitle(ac, av); +- av = saved_argv; ++ ++ av = xmalloc(sizeof(*saved_argv) * (saved_argc + 1)); ++ for (i = 0; i < saved_argc; i++) ++ av[i] = xstrdup(saved_argv[i]); ++ av[i] = NULL; + #endif + + if (geteuid() == 0 && setgroups(0, NULL) == -1) diff --git a/openssh-4.5p1-send_locale.diff b/openssh-4.5p1-send_locale.diff new file mode 100644 index 0000000..ddf1643 --- /dev/null +++ b/openssh-4.5p1-send_locale.diff @@ -0,0 +1,25 @@ +--- ssh_config ++++ ssh_config +@@ -62,4 +62,7 @@ + # potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to. + # GSSAPIEnableMITMAttack no + +->>>>>>> ++# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5). ++SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES ++SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT ++SendEnv LC_IDENTIFICATION LC_ALL +--- sshd_config ++++ sshd_config +@@ -112,6 +112,11 @@ + # override default of no subsystems + Subsystem sftp /usr/libexec/sftp-server + ++# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5). ++AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES ++AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT ++AcceptEnv LC_IDENTIFICATION LC_ALL ++ + # Example of overriding settings on a per-user basis + #Match User anoncvs + # X11Forwarding no diff --git a/openssh-4.5p1-strict-aliasing-fix.diff b/openssh-4.5p1-strict-aliasing-fix.diff new file mode 100644 index 0000000..98a251a --- /dev/null +++ b/openssh-4.5p1-strict-aliasing-fix.diff 
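Review bot: The `int i;` added to sighup_restart() at line 358 is not used by any visible line of that function; the loop that uses `i` is in the second hunk around line 1318, which by its distance from 358 is a different function (presumably main()), so either that function already declares `i` and the first hunk only adds an unused local, or it does not and the patch would not compile — please confirm which and drop or move the declaration. The copy loop itself is fine; a short comment on why the copy replaces `av = saved_argv` would help, e.g. `/* copy: saved_argv is reused by sighup_restart() and must not be consumed by getopt */` — that rationale is my inference from the openssh.changes entry for #34845 and should be checked against the code.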
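Review bot: Both added comments misspell "enviroment": `# This enables sending locale environment variables LC_* LANG, see ssh_config(5).` and, in the sshd_config hunk, `# This enables accepting locale environment variables LC_* LANG, see sshd_config(5).`. Accepting only LC_*/LANG on the server side is a narrow, low-risk list because these variables affect only the user's own session locale; the sshd_config comment could say so, since AcceptEnv is the directive people later widen without reconsidering. The removed `>>>>>>>` line was a leftover conflict marker, which the new side correctly replaces.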
@@ -0,0 +1,71 @@ +--- readconf.c ++++ readconf.c +@@ -328,6 +328,7 @@ + int opcode, *intptr, value, value2, scale; + long long orig, val64; + size_t len; ++ LogLevel *loglevelptr; + Forward fwd; + + /* Strip trailing whitespace */ +@@ -692,14 +693,14 @@ + break; + + case oLogLevel: +- intptr = (int *) &options->log_level; ++ loglevelptr = &options->log_level; + arg = strdelim(&s); + value = log_level_number(arg); + if (value == SYSLOG_LEVEL_NOT_SET) + fatal("%.200s line %d: unsupported log level '%s'", + filename, linenum, arg ? arg : ""); +- if (*activep && (LogLevel) *intptr == SYSLOG_LEVEL_NOT_SET) +- *intptr = (LogLevel) value; ++ if (*activep && *loglevelptr == SYSLOG_LEVEL_NOT_SET) ++ *loglevelptr = (LogLevel) value; + break; + + case oLocalForward: +--- servconf.c ++++ servconf.c +@@ -622,6 +622,8 @@ + { + char *cp, **charptr, *arg, *p; + int cmdline = 0, *intptr, value, n; ++ LogLevel *loglevelptr; ++ SyslogFacility *syslogfacilityptr; + ServerOpCodes opcode; + u_short port; + u_int i, flags = 0; +@@ -977,25 +979,25 @@ + goto parse_flag; + + case sLogFacility: +- intptr = (int *) &options->log_facility; ++ syslogfacilityptr = &options->log_facility; + arg = strdelim(&cp); + value = log_facility_number(arg); + if (value == SYSLOG_FACILITY_NOT_SET) + fatal("%.200s line %d: unsupported log facility '%s'", + filename, linenum, arg ? arg : ""); +- if (*intptr == -1) +- *intptr = (SyslogFacility) value; ++ if (*syslogfacilityptr == -1) ++ *syslogfacilityptr = (SyslogFacility) value; + break; + + case sLogLevel: +- intptr = (int *) &options->log_level; ++ loglevelptr = &options->log_level; + arg = strdelim(&cp); + value = log_level_number(arg); + if (value == SYSLOG_LEVEL_NOT_SET) + fatal("%.200s line %d: unsupported log level '%s'", + filename, linenum, arg ? arg : ""); +- if (*intptr == -1) +- *intptr = (LogLevel) value; ++ if (*loglevelptr == -1) ++ *loglevelptr = (LogLevel) value; + break; + + case sAllowTcpForwarding: 
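Review bot: The servconf.c hunk keeps the bare `-1` in `if (*syslogfacilityptr == -1)` and `if (*loglevelptr == -1)`, while the readconf.c hunk in the same patch compares against `SYSLOG_LEVEL_NOT_SET`; assuming those enumerators are the -1 sentinel (the readconf hunk suggests so), `if (*syslogfacilityptr == SYSLOG_FACILITY_NOT_SET)` and `if (*loglevelptr == SYSLOG_LEVEL_NOT_SET)` would make the two files consistent and self-documenting. Typed pointers are the right fix for the aliasing warning; the `(SyslogFacility) value` and `(LogLevel) value` casts on assignment are still needed because `value` is an int, so that part is fine. Both enclosing functions begin outside the hunks.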
diff --git a/openssh-4.5p1-tmpdir.diff b/openssh-4.5p1-tmpdir.diff new file mode 100644 index 0000000..dcf9ac7 --- /dev/null +++ b/openssh-4.5p1-tmpdir.diff @@ -0,0 +1,22 @@ +--- ssh-agent.c ++++ ssh-agent.c +@@ -1127,8 +1127,18 @@ + parent_pid = getpid(); + + if (agentsocket == NULL) { ++ char *tmp1, *tmp; ++ char *tmp2 = "ssh-XXXXXXXXXX"; ++ size_t len; ++ ++ if ((tmp1 = getenv("TMPDIR")) == NULL) ++ tmp1 = "/tmp"; ++ len = strlen(tmp1) + strlen(tmp2) + 1; ++ tmp = malloc(len); ++ snprintf(tmp, len, "%s%s%s", tmp1, tmp1 && strlen(tmp1) > 0 ? "/" : "", tmp2); + /* Create private directory for agent socket */ +- strlcpy(socket_dir, "/tmp/ssh-XXXXXXXXXX", sizeof socket_dir); ++ strlcpy(socket_dir, tmp, sizeof socket_dir); ++ free(tmp); + if (mkdtemp(socket_dir) == NULL) { + perror("mkdtemp: private socket dir"); + exit(1); diff --git a/openssh-4.5p1-xauth.diff b/openssh-4.5p1-xauth.diff new file mode 100644 index 0000000..7d76714 --- /dev/null +++ b/openssh-4.5p1-xauth.diff @@ -0,0 +1,40 @@ +--- session.c ++++ session.c +@@ -2250,8 +2250,37 @@ + session_close(Session *s) + { + u_int i; ++ pid_t pid; ++ FILE *f = NULL; ++ char cmd[1024]; ++ int do_xauth; ++ struct passwd * pw = s->pw; ++ do_xauth = s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL; + + debug("session_close: session %d pid %ld", s->self, (long)s->pid); ++ ++ if (do_xauth && options.xauth_location != NULL) { ++ ++ if ((pid = fork()) == 0) { ++ permanently_set_uid(pw); ++ ++ /* Remove authority data from .Xauthority if appropriate. */ ++ debug("Running %.500s remove %.100s\n", ++ options.xauth_location, s->auth_display); ++ ++ snprintf(cmd, sizeof cmd, "unset XAUTHORITY && HOME=\"%.200s\" %s -q -", ++ s->pw->pw_dir, options.xauth_location); ++ f = popen(cmd, "w"); ++ if (f) { ++ fprintf(f, "remove %s\n", s->auth_display); ++ pclose(f); ++ } else ++ error("Could not run %s\n", cmd); ++ exit(0); ++ } ++ } ++ ++ + if (s->ttyfd != -1) + session_pty_cleanup(s); + if (s->term) 
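Review bot: `len = strlen(tmp1) + strlen(tmp2) + 1` leaves no room for the `/` that the snprintf() inserts, so the template is truncated by one character: with TMPDIR unset the result is `/tmp/ssh-XXXXXXXXX` (nine X's instead of ten), which still satisfies mkdtemp() but silently reduces the randomness of the directory name. `malloc()` is unchecked, and an empty `TMPDIR` (the `strlen(tmp1) > 0` case) yields a relative template, so the agent would create its socket directory in the current working directory rather than a temp dir; treating empty as unset and using xmalloc() (already used elsewhere in this commit) closes both. The strlcpy() into `socket_dir` should also check for truncation, since an over-long TMPDIR would otherwise be cut silently before mkdtemp().
```c
	if (agentsocket == NULL) {
		char *tmp1, *tmp;
		char *tmp2 = "ssh-XXXXXXXXXX";
		size_t len;

		/* An empty TMPDIR would give a relative template (the cwd). */
		if ((tmp1 = getenv("TMPDIR")) == NULL || *tmp1 == '\0')
			tmp1 = "/tmp";
		len = strlen(tmp1) + 1 + strlen(tmp2) + 1;	/* dir + '/' + template + NUL */
		tmp = xmalloc(len);
		snprintf(tmp, len, "%s/%s", tmp1, tmp2);
		/* Create private directory for agent socket */
		if (strlcpy(socket_dir, tmp, sizeof socket_dir) >= sizeof socket_dir)
			fatal("TMPDIR too long for socket_dir");
		free(tmp);
		/* … unchanged: mkdtemp() and its error handling … */
```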
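Review bot: The forked helper in session_close() is fire-and-forget: `fork()` returning -1 is indistinguishable from the parent path (only `== 0` is tested), and the child pid is never waited for, so reaping depends on SIGCHLD handling outside this hunk — a comment saying so would stop a reader from looking for a missing waitpid(). `s->pw->pw_dir` is interpolated into a shell command line handed to popen(); this mirrors the existing do_rc_files() code (visible in the next patch), but it deserves a note on why it is safe, e.g. `/* pw_dir comes from the passwd db, never from the client */`. Minor: the trailing `\n` in the debug()/error() format strings is redundant with OpenSSH's logging, which adds its own line ending, and the `do_xauth` computation would read better next to the `if` that uses it. session_close() continues outside the hunk.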
diff --git a/openssh-4.5p1-xauthlocalhostname.diff b/openssh-4.5p1-xauthlocalhostname.diff new file mode 100644 index 0000000..7a96972 --- /dev/null +++ b/openssh-4.5p1-xauthlocalhostname.diff @@ -0,0 +1,76 @@ +--- session.c ++++ session.c +@@ -996,7 +996,7 @@ + } + + static char ** +-do_setup_env(Session *s, const char *shell) ++do_setup_env(Session *s, const char *shell, int *env_size) + { + char buf[256]; + u_int i, envsize; +@@ -1183,6 +1183,8 @@ + for (i = 0; env[i]; i++) + fprintf(stderr, " %.200s\n", env[i]); + } ++ ++ *env_size = envsize; + return env; + } + +@@ -1191,7 +1193,7 @@ + * first in this order). + */ + static void +-do_rc_files(Session *s, const char *shell) ++do_rc_files(Session *s, const char *shell, char **env, int *env_size) + { + FILE *f = NULL; + char cmd[1024]; +@@ -1244,12 +1246,20 @@ + options.xauth_location); + f = popen(cmd, "w"); + if (f) { ++ char hostname[MAXHOSTNAMELEN]; ++ + fprintf(f, "remove %s\n", + s->auth_display); + fprintf(f, "add %s %s %s\n", + s->auth_display, s->auth_proto, + s->auth_data); + pclose(f); ++ if (gethostname(hostname,sizeof(hostname)) >= 0) ++ child_set_env(&env,env_size,"XAUTHLOCALHOSTNAME", ++ hostname); ++ else ++ debug("Cannot set up XAUTHLOCALHOSTNAME %s\n", ++ strerror(errno)); + } else { + fprintf(stderr, "Could not run %s\n", + cmd); +@@ -1469,6 +1479,7 @@ + { + extern char **environ; + char **env; ++ int env_size; + char *argv[10]; + const char *shell, *shell0, *hostname = NULL; + struct passwd *pw = s->pw; +@@ -1534,7 +1545,7 @@ + * Make sure $SHELL points to the shell from the password file, + * even if shell is overridden from login.conf + */ +- env = do_setup_env(s, shell); ++ env = do_setup_env(s, shell, &env_size); + + #ifdef HAVE_LOGIN_CAP + shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); +@@ -1596,7 +1607,7 @@ + } + + if (!options.use_login) +- do_rc_files(s, shell); ++ do_rc_files(s, shell, env, &env_size); + + /* restore SIGPIPE for child */ + signal(SIGPIPE, SIG_DFL); 
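Review bot: `do_rc_files(Session *s, const char *shell, char **env, int *env_size)` receives `env` by value but then calls `child_set_env(&env, env_size, ...)`, which takes the address precisely so it can grow the array; if the XAUTHLOCALHOSTNAME entry does not fit, child_set_env() (as I recall it) reallocates and updates only the local copy, so the caller's `env` in do_child() is left pointing at the old array and the entry is lost. Pass the array by reference: `do_rc_files(Session *s, const char *shell, char ***env, int *env_size)`, `child_set_env(env, env_size, "XAUTHLOCALHOSTNAME", hostname);`, and at the call site `do_rc_files(s, shell, &env, &env_size);`. child_set_env()'s size parameter is, as far as I recall, `u_int *`, so `int env_size` should probably be `u_int` to match `envsize` in do_setup_env(); and since gethostname() may leave the buffer unterminated on truncation, `hostname[sizeof(hostname) - 1] = '\0';` before use would be prudent. do_child() starts and ends outside the hunks.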
diff --git a/openssh-4.5p1.dif b/openssh-4.5p1.dif new file mode 100644 index 0000000..8de8a82 --- /dev/null +++ b/openssh-4.5p1.dif @@ -0,0 +1,45 @@ +--- ssh_config ++++ ssh_config +@@ -17,9 +17,20 @@ + # list of available options, their meanings and defaults, please see the + # ssh_config(5) man page. + +-# Host * ++Host * + # ForwardAgent no + # ForwardX11 no ++ ++# If you do not trust your remote host (or its administrator), you ++# should not forward X11 connections to your local X11-display for ++# security reasons: Someone stealing the authentification data on the ++# remote side (the "spoofed" X-server by the remote sshd) can read your ++# keystrokes as you type, just like any other X11 client could do. ++# Set this to "no" here for global effect or in your own ~/.ssh/config ++# file if you want to have the remote X11 authentification data to ++# expire after two minutes after remote login. ++ForwardX11Trusted yes ++ + # RhostsRSAAuthentication no + # RSAAuthentication yes + # PasswordAuthentication yes +--- sshd_config ++++ sshd_config +@@ -82,7 +82,7 @@ + + #AllowTcpForwarding yes + #GatewayPorts no +-#X11Forwarding no ++X11Forwarding yes + #X11DisplayOffset 10 + #X11UseLocalhost yes + #PrintMotd yes +--- sshlogin.c ++++ sshlogin.c +@@ -126,6 +126,7 @@ + + li = login_alloc_entry(pid, user, host, tty); + login_set_addr(li, addr, addrlen); ++ li->uid=uid; + login_login(li); + login_free_entry(li); + } diff --git a/openssh-4.5p1.tar.bz2 b/openssh-4.5p1.tar.bz2 new file mode 100644 index 0000000..a76b871 --- /dev/null +++ b/openssh-4.5p1.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1b2826c2c9b94cd2c2c441a3acf2b0f954b8556a0db6aa938cac13c44504e186 +size 776871 diff --git a/openssh-SuSE.tar.bz2 b/openssh-SuSE.tar.bz2 new file mode 100644 index 0000000..7b566d2 --- /dev/null +++ b/openssh-SuSE.tar.bz2 
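Review bot: The new ssh_config comment misspells "authentification" twice; the word is `authentication`, and since this comment is the only place that explains why `ForwardX11Trusted yes` is the weaker default (a remote sshd holding a trusted cookie can read keystrokes, as the comment itself says), it should read cleanly. Its last sentence could also state plainly that 'no' is the safer setting instead of only describing the two-minute expiry. In the sshlogin.c hunk, `li->uid=uid;` should follow the file's spacing, `li->uid = uid;`.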
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f183c56221e52c71a00058675d9e94e1e34668b266d8a11c02cf4e91a151d65b
+size 1914
diff --git a/openssh-askpass-gnome.changes b/openssh-askpass-gnome.changes
new file mode 100644
index 0000000..9ceb4b0
--- /dev/null
+++ b/openssh-askpass-gnome.changes
@@ -0,0 +1,84 @@ +------------------------------------------------------------------- +Tue Dec 12 14:44:41 CET 2006 - anicka@suse.cz + +- update to 4.5p1 + * Use privsep_pw if we have it, but only require it if we + absolutely need it. + * Correctly check for bad signatures in the monitor, otherwise + the monitor and the unpriv process can get out of sync. + * Clear errno before calling the strtol functions. + * exit instead of doing a blocking tcp send if we detect + a client/server timeout, since the tcp sendqueue might + be already full (of alive requests) + * include signal.h, errno.h, sys/in.h + * some more bugfixes + +------------------------------------------------------------------- +Wed Oct 4 12:56:40 CEST 2006 - postadal@suse.cz + +- updated to version 4.4p1 [#208662] + * fixed pre-authentication DoS, that would cause sshd(8) to spin + until the login grace time expired + * fixed unsafe signal hander, which was vulnerable to a race condition + that could be exploited to perform a pre-authentication DoS + * fixed a GSSAPI authentication abort that could be used to determine + the validity of usernames on some platforms + * implemented conditional configuration in sshd_config(5) using the + "Match" directive + * added support for Diffie-Hellman group exchange key agreement with a + final hash of SHA256 + * added a "ForceCommand", "PermitOpen" directive to sshd_config(5) + * added optional logging of transactions to sftp-server(8) + * ssh(1) will now record port numbers for hosts stored in + ~/.ssh/authorized_keys when a non-standard port has been requested + * added an "ExitOnForwardFailure" option to cause ssh(1) to exit (with + a non-zero exit code) when requested port forwardings could not be + established + * extended sshd_config(5) "SubSystem" declarations to allow the + specification of command-line arguments +- removed obsoleted patches: autoconf-fix.patch + +------------------------------------------------------------------- +Tue Jul 25 13:40:10 
CEST 2006 - schwab@suse.de + +- Fix syntax error in configure script. + +------------------------------------------------------------------- +Wed Jan 25 21:39:06 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Tue Jan 3 15:54:49 CET 2006 - postadal@suse.cz + +- updated to version 4.2p1 +- removed obsoleted patches: upstream_fixes.diff, gssapi-secfix.patch + +------------------------------------------------------------------- +Thu Sep 8 16:20:06 CEST 2005 - postadal@suse.cz + +- don't strip + +------------------------------------------------------------------- +Thu Aug 4 11:30:18 CEST 2005 - uli@suse.de + +- parallelize build + +------------------------------------------------------------------- +Fri Jun 10 16:24:22 CEST 2005 - postadal@suse.cz + +- updated to version 4.1p1 +- removed obsoleted patches: restore_terminal, pam-returnfromsession, + timing-attacks-fix, krb5ccname, gssapi-pam, logdenysource, + sendenv-fix, documentation-fix + +------------------------------------------------------------------- +Wed Jan 19 18:25:29 CET 2005 - postadal@suse.cz + +- renamed askpass-gnome package to openssh-askpass-gnome + +------------------------------------------------------------------- +Wed Jan 19 15:58:07 CET 2005 - postadal@suse.cz + +- splited spec file to decreas number of build dependencies + diff --git a/openssh-askpass-gnome.spec b/openssh-askpass-gnome.spec new file mode 100644 index 0000000..47739a1 --- /dev/null +++ b/openssh-askpass-gnome.spec 
@@ -0,0 +1,167 @@ +# +# spec file for package openssh-askpass-gnome (Version 4.5p1) +# +# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. +# This file and all modifications and additions to the pristine +# package are under the same license as the package itself. +# +# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# + +# norootforbuild + +Name: openssh-askpass-gnome +BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files +License: Other License(s), see package +Group: Productivity/Networking/SSH +Version: 4.5p1 +Release: 11 +Requires: openssh = %{version} openssh-askpass = %{version} +Autoreqprov: on +Summary: A GNOME-Based Passphrase Dialog for OpenSSH +URL: http://www.openssh.com/ +%define _name openssh +Source: %{_name}-%{version}.tar.bz2 +Patch: %{_name}-%{version}.dif +Patch15: %{_name}-%{version}-pam-fix2.diff +Patch17: %{_name}-%{version}-strict-aliasing-fix.diff +Patch18: %{_name}-%{version}-saveargv-fix.diff +Patch19: %{_name}-%{version}-pam-fix3.diff +Patch21: %{_name}-%{version}-gssapimitm.patch +Patch26: %{_name}-%{version}-eal3.diff +Patch27: %{_name}-%{version}-engines.diff +Patch28: %{_name}-%{version}-blocksigalrm.diff +Patch42: %{_name}-gssapi_krb5-fix.patch +BuildRoot: %{_tmppath}/%{name}-%{version}-build + +%description +SSH (Secure Shell) is a program for logging into a remote machine and +for executing commands on a remote machine. This package contains a +GNOME-based passphrase dialog for OpenSSH. + + + +Authors: +-------- + Aaron Campbell + Bob Beck + Markus Friedl + Niels Provos + Theo de Raadt + Dug Song + Ben Taylor + Chip Salzenberg + Chris Saia + Dan Brosemer + Jim Knoble + Marc G. 
Fournier + Nalin Dahyabhai + Niels Kristian Bech Jensen + Phil Hands + Thomas Neumann + Tudor Bosman + Damien Miller + +%define prefix /usr +%prep +%setup -q -n %{_name}-%{version} +%patch +%patch15 +%patch17 +%patch18 +%patch19 +%patch21 +%patch26 -p1 +%patch27 -p1 +%patch28 +%patch42 + +%build +%{?suse_update_config:%{suse_update_config}} +aclocal +autoheader +autoconf +CFLAGS="$RPM_OPT_FLAGS" CXXFLAGS="$RPM_OPT_FLAGS" \ +./configure \ + --mandir=%{_mandir} \ + --prefix=%{prefix} \ + --infodir=%{_infodir} \ + --sysconfdir=/etc/ssh \ + --libexecdir=%{prefix}/%_lib/ssh \ + --with-tcp-wrappers \ + --with-pam \ + --with-kerberos5=/usr \ + --with-privsep-path=/var/lib/empty \ + --with-opensc \ + --disable-strip \ + --target=%{_target_cpu}-suse-linux +cd contrib +make %{?jobs:-j%jobs} gnome-ssh-askpass2 +mv gnome-ssh-askpass2 gnome-ssh-askpass + +%install +install -d -m 755 $RPM_BUILD_ROOT/usr/%_lib/ssh/ +install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT/usr/%_lib/ssh/gnome-ssh-askpass + +%clean +rm -rf $RPM_BUILD_ROOT + +%files +%defattr(-,root,root) +%attr(0755,root,root) /usr/%_lib/ssh/gnome-ssh-askpass + +%changelog -n openssh-askpass-gnome +* Tue Dec 12 2006 - anicka@suse.cz +- update to 4.5p1 + * Use privsep_pw if we have it, but only require it if we + absolutely need it. + * Correctly check for bad signatures in the monitor, otherwise + the monitor and the unpriv process can get out of sync. + * Clear errno before calling the strtol functions. 
+ * exit instead of doing a blocking tcp send if we detect + a client/server timeout, since the tcp sendqueue might + be already full (of alive requests) + * include signal.h, errno.h, sys/in.h + * some more bugfixes +* Wed Oct 04 2006 - postadal@suse.cz +- updated to version 4.4p1 [#208662] + * fixed pre-authentication DoS, that would cause sshd(8) to spin + until the login grace time expired + * fixed unsafe signal hander, which was vulnerable to a race condition + that could be exploited to perform a pre-authentication DoS + * fixed a GSSAPI authentication abort that could be used to determine + the validity of usernames on some platforms + * implemented conditional configuration in sshd_config(5) using the + "Match" directive + * added support for Diffie-Hellman group exchange key agreement with a + final hash of SHA256 + * added a "ForceCommand", "PermitOpen" directive to sshd_config(5) + * added optional logging of transactions to sftp-server(8) + * ssh(1) will now record port numbers for hosts stored in + ~/.ssh/authorized_keys when a non-standard port has been requested + * added an "ExitOnForwardFailure" option to cause ssh(1) to exit (with + a non-zero exit code) when requested port forwardings could not be + established + * extended sshd_config(5) "SubSystem" declarations to allow the + specification of command-line arguments +- removed obsoleted patches: autoconf-fix.patch +* Tue Jul 25 2006 - schwab@suse.de +- Fix syntax error in configure script. 
+* Wed Jan 25 2006 - mls@suse.de +- converted neededforbuild to BuildRequires +* Tue Jan 03 2006 - postadal@suse.cz +- updated to version 4.2p1 +- removed obsoleted patches: upstream_fixes.diff, gssapi-secfix.patch +* Thu Sep 08 2005 - postadal@suse.cz +- don't strip +* Thu Aug 04 2005 - uli@suse.de +- parallelize build +* Fri Jun 10 2005 - postadal@suse.cz +- updated to version 4.1p1 +- removed obsoleted patches: restore_terminal, pam-returnfromsession, + timing-attacks-fix, krb5ccname, gssapi-pam, logdenysource, + sendenv-fix, documentation-fix +* Wed Jan 19 2005 - postadal@suse.cz +- renamed askpass-gnome package to openssh-askpass-gnome +* Wed Jan 19 2005 - postadal@suse.cz +- splited spec file to decreas number of build dependencies diff --git a/openssh-gssapi_krb5-fix.patch b/openssh-gssapi_krb5-fix.patch new file mode 100644 index 0000000..4902c72 --- /dev/null +++ b/openssh-gssapi_krb5-fix.patch @@ -0,0 +1,18 @@ +--- configure.ac ++++ configure.ac +@@ -3220,7 +3220,14 @@ + K5LIBS="-lgssapi $K5LIBS" ], + [ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context, + [ AC_DEFINE(GSSAPI) +- K5LIBS="-lgssapi_krb5 $K5LIBS" ], ++ K5LIBS="-lgssapi_krb5 $K5LIBS" ] ++ AC_CHECK_LIB(gssapi_krb5, gss_krb5_copy_ccache, [ ++ K5LIBS="-lgssapi_krb5 $K5LIBS" ++ ], [ ++ AC_MSG_WARN([Cannot find -lgssapi_krb5 with gss_krb5_copy_ccache()]) ++ ], ++ $K5LIBS ++ ), + AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]), + $K5LIBS) + ], diff --git a/openssh.changes b/openssh.changes new file mode 100644 index 0000000..653fd89 --- /dev/null +++ b/openssh.changes 
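Review bot: The inner `AC_CHECK_LIB(gssapi_krb5, gss_krb5_copy_ccache, ...)` success branch re-prepends `-lgssapi_krb5` to K5LIBS although the line just above it already did, so a successful probe puts the library on the link line twice; and because the probe records nothing else (no AC_DEFINE), its only visible effect is the warning, which leaves the purpose of the check unclear. If the goal is to detect gss_krb5_copy_ccache() for the code, the success branch should define a HAVE_-style feature macro (named to match whatever code tests it) and leave K5LIBS alone; if it is only a sanity check, an empty success action would do. The quoting is also unusual — the new call sits after the closing `]` of the action-if-found argument rather than inside it — which presumably works since the package builds, but keeping it inside the brackets would read as intended.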
@@ -0,0 +1,1033 @@ +------------------------------------------------------------------- +Sat Jan 6 12:30:16 CET 2007 - anicka@suse.cz + +- disable SSHv1 protocol in default configuration [#231808] + +------------------------------------------------------------------- +Tue Dec 12 14:41:45 CET 2006 - anicka@suse.cz + +- update to 4.5p1 + * Use privsep_pw if we have it, but only require it if we + absolutely need it. + * Correctly check for bad signatures in the monitor, otherwise + the monitor and the unpriv process can get out of sync. + * Clear errno before calling the strtol functions. + * exit instead of doing a blocking tcp send if we detect + a client/server timeout, since the tcp sendqueue might + be already full (of alive requests) + * include signal.h, errno.h, sys/in.h + * some more bugfixes + +------------------------------------------------------------------- +Wed Nov 22 13:42:32 CET 2006 - anicka@suse.cz + +- fixed README.SuSE [#223025] + +------------------------------------------------------------------- +Thu Nov 9 13:59:35 CET 2006 - anicka@suse.cz + +- backport security fixes from openssh 4.5 (#219115) + +------------------------------------------------------------------- +Tue Nov 7 13:43:44 CET 2006 - ro@suse.de + +- fix manpage permissions + +------------------------------------------------------------------- +Tue Oct 31 14:04:52 CET 2006 - anicka@suse.cz + +- fix gssapi_krb5-fix patch [#215615] +- fix xauth patch + +------------------------------------------------------------------- +Tue Oct 10 16:07:11 CEST 2006 - postadal@suse.cz + +- fixed building openssh from src.rpm [#176528] (gssapi_krb5-fix.patch) + +------------------------------------------------------------------- +Tue Oct 3 14:44:08 CEST 2006 - postadal@suse.cz + +- updated to version 4.4p1 [#208662] + * fixed pre-authentication DoS, that would cause sshd(8) to spin + until the login grace time expired + * fixed unsafe signal hander, which was vulnerable to a race condition + that 
could be exploited to perform a pre-authentication DoS + * fixed a GSSAPI authentication abort that could be used to determine + the validity of usernames on some platforms + * implemented conditional configuration in sshd_config(5) using the + "Match" directive + * added support for Diffie-Hellman group exchange key agreement with a + final hash of SHA256 + * added a "ForceCommand", "PermitOpen" directive to sshd_config(5) + * added optional logging of transactions to sftp-server(8) + * ssh(1) will now record port numbers for hosts stored in + ~/.ssh/authorized_keys when a non-standard port has been requested + * added an "ExitOnForwardFailure" option to cause ssh(1) to exit (with + a non-zero exit code) when requested port forwardings could not be + established + * extended sshd_config(5) "SubSystem" declarations to allow the + specification of command-line arguments +- removed obsoleted patches: autoconf-fix.patch, dos-fix.patch +- fixed gcc issues (gcc-fix.patch) + +------------------------------------------------------------------- +Wed Sep 20 17:34:54 CEST 2006 - postadal@suse.cz + +- fixed DoS by CRC compensation attack detector [#206917] (dos-fix.patch) +- fixed client NULL deref on protocol error +- cosmetic fix in init script [#203826] + +------------------------------------------------------------------- +Fri Sep 1 14:14:52 CEST 2006 - kukuk@suse.de + +- sshd.pamd: Add pam_loginuid, move pam_nologin to a better position + +------------------------------------------------------------------- +Fri Aug 25 15:37:46 CEST 2006 - postadal@suse.cz + +- fixed path for xauth [#198676] + +------------------------------------------------------------------- +Thu Aug 3 15:07:41 CEST 2006 - postadal@suse.cz + +- fixed build with X11R7 + +------------------------------------------------------------------- +Thu Jul 20 17:25:27 CEST 2006 - postadal@suse.cz + +- updated to version 4.3p2 + * experimental support for tunneling network packets via tun(4) +- removed obsoleted 
patches: pam-error.patch, CVE-2006-0225.patch, + scp.patch, sigalarm.patch + +------------------------------------------------------------------- +Mon Feb 13 12:54:28 CET 2006 - postadal@suse.cz + +- upstream fixes + - fixed "scp a b c", when c is not directory (scp.patch) + - eliminate some code duplicated in privsep and non-privsep paths, and + explicitly clear SIGALRM handler (sigalarm.patch) + +------------------------------------------------------------------- +Fri Feb 3 19:02:49 CET 2006 - postadal@suse.cz + +- fixed local arbitrary command execution vulnerability [#143435] + (CVE-2006-0225.patch) + +------------------------------------------------------------------- +Thu Feb 2 13:19:41 CET 2006 - postadal@suse.cz + +- fixed xauth.diff for disabled UsePrivilegeSeparation mode [#145809] +- build on s390 without Smart card support (opensc) [#147383] + +------------------------------------------------------------------- +Mon Jan 30 16:25:01 CET 2006 - postadal@suse.cz + +- fixed patch xauth.diff [#145809] +- fixed comments [#142989] + +------------------------------------------------------------------- +Wed Jan 25 21:39:06 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Mon Jan 16 18:05:44 CET 2006 - meissner@suse.de + +- added -fstack-protector. 
+ +------------------------------------------------------------------- +Tue Jan 3 15:46:33 CET 2006 - postadal@suse.cz + +- updated to version 4.2p1 +- removed obsoleted patches: upstream_fixes.diff, gssapi-secfix.patch + +------------------------------------------------------------------- +Tue Nov 15 17:51:07 CET 2005 - postadal@suse.cz + +- do not delegate GSSAPI credentials to log in with a different method + than GSSAPI [#128928] (CAN-2005-2798, gssapi-secfix.patch) + +------------------------------------------------------------------- +Sun Oct 23 10:40:24 CEST 2005 - postadal@suse.cz + +- fixed PAM to send authentication failing mesaage to client [#130043] + (pam-error.patch) + +------------------------------------------------------------------- +Wed Sep 14 16:58:14 CEST 2005 - postadal@suse.cz + +- fixed uninitialized variable in patch xauth.diff [#98815] + +------------------------------------------------------------------- +Thu Sep 8 15:56:37 CEST 2005 - postadal@suse.cz + +- don't strip + +------------------------------------------------------------------- +Mon Sep 5 20:04:04 CEST 2005 - postadal@suse.cz + +- added patch xauth.diff prevent from polluting xauthority file [#98815] + +------------------------------------------------------------------- +Mon Aug 22 18:12:20 CEST 2005 - postadal@suse.cz + +- fixed problem when multiple accounts have same UID [#104773] + (pwname-home.diff) +- added fixes from upstream (upstream_fixes.diff) + +------------------------------------------------------------------- +Thu Aug 18 17:50:46 CEST 2005 - postadal@suse.cz + +- added patch tmpdir.diff for using $TMPDIR by ssh-agent [#95731] + +------------------------------------------------------------------- +Thu Aug 4 11:29:38 CEST 2005 - uli@suse.de + +- parallelize build + +------------------------------------------------------------------- +Mon Aug 1 17:48:02 CEST 2005 - postadal@suse.cz + +- added patch resolving problems with hostname changes [#98627] + 
(xauthlocalhostname.diff) + +------------------------------------------------------------------- +Wed Jun 22 18:42:57 CEST 2005 - kukuk@suse.de + +- Compile/link with -fpie/-pie + +------------------------------------------------------------------- +Wed Jun 15 17:41:24 CEST 2005 - meissner@suse.de + +- build x11-ask-pass with RPM_OPT_FLAGS. + +------------------------------------------------------------------- +Fri Jun 10 16:18:25 CEST 2005 - postadal@suse.cz + +- updated to version 4.1p1 +- removed obsoleted patches: restore_terminal, pam-returnfromsession, + timing-attacks-fix, krb5ccname, gssapi-pam, logdenysource, + sendenv-fix, documentation-fix + +------------------------------------------------------------------- +Thu Mar 10 10:36:42 CET 2005 - postadal@suse.cz + +- fixed SendEnv config parsing bug +- documented timeout on untrusted x11 forwarding sessions (openssh#849) +- mentioned ForwardX11Trusted in ssh.1 (openssh#987) + +------------------------------------------------------------------- +Thu Mar 3 13:29:13 CET 2005 - postadal@suse.cz + +- enabled accepting and sending locale environment variables in protocol 2 + [#65747, #50091] + +------------------------------------------------------------------- +Thu Feb 24 16:33:54 CET 2005 - postadal@suse.cz + +- added patches from cvs: gssapi-pam (openssh#918), + krb5ccname (openssh#445), logdenysource (openssh#909) + +------------------------------------------------------------------- +Thu Feb 3 13:29:23 CET 2005 - postadal@suse.cz + +- fixed keyboard-interactive/pam/Kerberos leaks info about user existence + [#48329] (openssh#971, CAN-2003-0190) + +------------------------------------------------------------------- +Wed Jan 19 15:58:07 CET 2005 - postadal@suse.cz + +- splited spec file to decreas number of build dependencies +- fixed restoring terminal setting after Ctrl+C during password prompt in scp/sftp [#43309] +- allowed users to see output from failing PAM session modules (openssh #890, + 
pam-returnfromsession.patch) + +------------------------------------------------------------------- +Mon Nov 8 17:17:45 CET 2004 - kukuk@suse.de + +- Use common-* PAM config files for sshd PAM configuration + +------------------------------------------------------------------- +Mon Oct 25 15:14:49 CEST 2004 - postadal@suse.cz + +- switched heimdal-* to kerberos-devel-packages in #needforbuild + +------------------------------------------------------------------- +Fri Sep 3 15:03:01 CEST 2004 - ro@suse.de + +- fix lib64 issue + +------------------------------------------------------------------- +Tue Aug 31 16:03:54 CEST 2004 - postadal@suse.cz + +- updated to version 3.9p1 + +- removed obsoleted patches: scp-fix.diff and window_change-fix.diff + +------------------------------------------------------------------- +Thu Aug 26 15:40:53 CEST 2004 - postadal@suse.cz + +- added openssh-askpass-gnome subpackage +- added ssh-askpass script for choosing askpass depending on windowmanager + (by Robert Love ) +- build with Smart card support (opensc) [#44289] + +------------------------------------------------------------------- +Tue Aug 17 15:52:20 CEST 2004 - postadal@suse.cz + +- removed old implementation of "Update Messages" [#36059] + +------------------------------------------------------------------- +Thu Aug 12 16:36:53 CEST 2004 - postadal@suse.cz + +- updated to version 3.8p1 + +- removed obsoleted patches: sftp-progress-fix and pam-fix4 + +------------------------------------------------------------------- +Mon Jun 28 16:56:23 CEST 2004 - meissner@suse.de + +- block sigalarm during syslog output or we might deadlock + on recursively entering syslog(). 
(LTC#9523, SUSE#42354) + +------------------------------------------------------------------- +Wed May 26 15:27:32 CEST 2004 - postadal@suse.cz + +- fixed commented default value for GSSAPI + +------------------------------------------------------------------- +Thu May 20 21:23:27 CEST 2004 - mludvig@suse.cz + +- Load drivers for available hardware crypto accelerators. + +------------------------------------------------------------------- +Fri Apr 30 15:03:39 CEST 2004 - postadal@suse.cz + +- updated README.kerberos (GSSAPICleanupCreds renamed to GSSAPICleanupCredentials) + +------------------------------------------------------------------- +Mon Apr 19 14:41:01 CEST 2004 - postadal@suse.cz + +- updated README.SuSE (GSSAPICleanupCreds renamed to GSSAPICleanupCredentials) + [#39010] + +------------------------------------------------------------------- +Fri Mar 26 17:24:45 CET 2004 - postadal@suse.cz + +- fixed sshd(8) and sshd_config(5) man pages (EAL3) +- fixed spelling errors in README.SuSE [#37086] + +------------------------------------------------------------------- +Thu Mar 25 14:50:50 CET 2004 - postadal@suse.cz + +- fixed change window request [#33177] + +------------------------------------------------------------------- +Mon Mar 22 15:19:15 CET 2004 - postadal@suse.cz + +- updated README.SuSE +- removed %verify from /usr/bin/ssh in specfile + +------------------------------------------------------------------- +Thu Mar 18 15:48:52 CET 2004 - postadal@suse.cz + +- fixed previous fix of security bug in scp [#35443] (CAN-2004-0175) + (was too restrictive) +- fixed permission of /usr/bin/ssh + +------------------------------------------------------------------- +Mon Mar 15 17:56:06 CET 2004 - postadal@suse.cz + +- fixed comments in sshd_config and ssh_config + +------------------------------------------------------------------- +Mon Mar 15 17:25:08 CET 2004 - postadal@suse.cz + +- enabled privilege separation mode (new version fixes a lot of problematic PAM + 
calling [#30328])
+- fixed security bug in scp [#35443] (CAN-2004-0175)
+- reverted to old behaviour of ForwardingX11 [#35836]
+ (set ForwardX11Trusted to 'yes' by default)
+- updated README.SuSE
+- fixed pam code (pam-fix4.diff, backported from openssh-SNAP-20040311)
+
+-------------------------------------------------------------------
+Fri Mar 05 13:10:55 CET 2004 - postadal@suse.cz
+
+- updated README.SuSE (Remote x11 clients are now untrusted by default) [#35368]
+- added gssapimitm patch (support for old GSSAPI)
+
+-------------------------------------------------------------------
+Mon Mar 01 18:13:37 CET 2004 - postadal@suse.cz
+
+- updated to version 3.8p1
+ * The "gssapi" support has been replaced with the "gssapi-with-mic"
+ to fix possible MITM attacks. These two versions are not compatible.
+
+- removed obsoleted patches: krb5.patch, dns-lookups.patch, pam-fix.diff,
+ pam-end-fix.diff
+- used process forking instead pthreads
+ (developers fixed bugs in pam calling and they recommended to don't use threads)
+
+-------------------------------------------------------------------
+Tue Feb 24 11:37:17 CET 2004 - postadal@suse.cz
+
+- fixed the problem with save_argv in sshd.c re-apeared again in version 3.7.1p2
+ (it caused bad behaviour after receiving SIGHUP - used by reload of init script)
+ [#34845]
+
+-------------------------------------------------------------------
+Wed Feb 18 18:06:20 CET 2004 - kukuk@suse.de
+
+- Real strict-aliasing patch
+
+-------------------------------------------------------------------
+Wed Feb 18 16:04:17 CET 2004 - postadal@suse.cz
+
+- fixed strict-aliasing patch [#34551]
+
+-------------------------------------------------------------------
+Sat Feb 14 00:20:09 CET 2004 - adrian@suse.de
+
+- provide SLP registration file /etc/slp.reg.d/ssh.reg
+
+-------------------------------------------------------------------
+Tue Feb 03 15:18:36 CET 2004 - postadal@suse.cz
+
+- used patch from pam-end-fix.diff [#33132]
+- fixed 
instalation openssh without documentation [#33937]
+- fixed auth-pam.c which breaks strict aliasing
+
+-------------------------------------------------------------------
+Mon Jan 19 13:19:32 CET 2004 - meissner@suse.de
+
+- Added a ; to ssh-key-converter.c to fix gcc 3.4 build.
+
+-------------------------------------------------------------------
+Fri Jan 16 12:57:41 CET 2004 - kukuk@suse.de
+
+- Add pam-devel to neededforbuild
+
+-------------------------------------------------------------------
+Thu Nov 06 10:14:31 CET 2003 - postadal@suse.cz
+
+- added /usr/bin/slogin explicitly to %file list [#32921]
+
+-------------------------------------------------------------------
+Sun Nov 2 21:10:35 CET 2003 - adrian@suse.de
+
+- add %run_permissions to fix build
+
+-------------------------------------------------------------------
+Tue Oct 14 12:23:36 CEST 2003 - postadal@suse.cz
+
+- reverted value UsePAM to "yes" and set PasswordAuthentication to "no"
+ in file /etc/ssh/sshd_config (the version 3.7.1p2 disabled PAM support
+ by default) [#31749]
+
+-------------------------------------------------------------------
+Tue Sep 23 15:02:00 CEST 2003 - draht@suse.de
+
+- New version 3.7.1p2; signature from 86FF9C48 Damien Miller
+ verified for source tarball. Bugs fixed with this version:
+ #31637 (CAN-2003-0786, CAN-2003-0786). Briefly:
+ 1) SSH1 PAM challenge response auth ignored the result of the
+ authentication (with privsep off)
+ 2) The PAM conversation function trashed the stack, by referring
+ to the **resp parameter as an array of pointers rather than
+ as a pointer to an array of struct pam_responses.
+ At least security bug 1) is exploitable.
+
+-------------------------------------------------------------------
+Fri Sep 19 19:56:01 CEST 2003 - postadal@suse.cz
+
+- use pthreads instead process forking (it needs by pam modules)
+- fixed bug in calling pam_setcred [#31025]
+ (pam-fix.diff - string "FILE:" added to begin of KRB5CCNAME)
+- updated README.SuSE
+- reverted ChallengeResponseAuthentication option to default value yes
+ (necessary for pam authentication) [#31432]
+
+-------------------------------------------------------------------
+Thu Sep 18 18:34:33 CEST 2003 - postadal@suse.cz
+
+- updated to version 3.7.1p1 (with security patches)
+- removed obsoleted patches: chauthtok.patch, krb-include-fix.diff,
+ gssapi-fix.diff, saveargv-fix.diff, gssapi-20030430.diff, racecondition-fix
+- updated README.kerberos
+
+-------------------------------------------------------------------
+Tue Sep 16 16:57:02 CEST 2003 - postadal@suse.cz
+
+- fixed race condition in allocating memory [#31025] (CAN-2003-0693)
+
+-------------------------------------------------------------------
+Mon Sep 15 11:52:20 CEST 2003 - postadal@suse.cz
+
+- disabled privilege separation, which caused some problems [#30328]
+ (updated README.SuSE)
+
+-------------------------------------------------------------------
+Thu Sep 04 11:59:39 CEST 2003 - postadal@suse.cz
+
+- fixed bug in x11-ssh-askpass dialog [#25846] (askpass-fix.diff is workaround for gcc bug)
+
+-------------------------------------------------------------------
+Fri Aug 29 11:39:40 CEST 2003 - kukuk@suse.de
+
+- Call useradd -r for system account [Bug #29611]
+
+-------------------------------------------------------------------
+Mon Aug 25 10:40:37 CEST 2003 - postadal@suse.cz
+
+- use new stop_on_removal/restart_on_upate macros
+- fixed lib64 problem in /etc/ssh/sshd_config [#28766]
+
+-------------------------------------------------------------------
+Tue Aug 19 11:21:33 CEST 2003 - mmj@suse.de
+
+- Add sysconfig metadata [#28943]
+
+-------------------------------------------------------------------
+Fri Aug 1 01:57:08 CEST 2003 - ro@suse.de
+
+- add e2fsprogs-devel to neededforbuild
+
+-------------------------------------------------------------------
+Thu Jul 24 19:47:14 CEST 2003 - postadal@suse.cz
+
+- updated to version 3.6.1p2
+- added the new version of patch for GSSAPI (gssapi-20030430.diff),
+ the older one was removed (gssapi.patch)
+- added README.kerberos to filelist
+
+-------------------------------------------------------------------
+Tue Jun 3 00:41:08 CEST 2003 - mmj@suse.de
+
+- Remove files we don't package
+
+-------------------------------------------------------------------
+Wed Apr 02 15:03:44 CEST 2003 - postadal@suse.cz
+
+- fixed bad behaviour after receiving SIGHUP (this bug caused not working reload of init script)
+
+-------------------------------------------------------------------
+Tue Mar 18 14:25:08 CET 2003 - postadal@suse.cz
+
+- added $remote_fs to init.d script (needed if /usr is on remote fs [#25577])
+
+-------------------------------------------------------------------
+Thu Mar 13 17:02:52 CET 2003 - postadal@suse.cz
+
+- fixed segfault while using GSSAPI for authentication when connecting to localhost (took care about error value of ssh_gssapi_import_name() in function ssh_gssapi_client_ctx())
+
+-------------------------------------------------------------------
+Mon Mar 10 09:28:31 CET 2003 - kukuk@suse.de
+
+- Remove extra "/" from pid file path.
+
+-------------------------------------------------------------------
+Mon Mar 03 16:49:24 CET 2003 - postadal@suse.cz
+
+- modified init.d script (now checking sshd.init.pid instead of port 22) [#24263]
+
+-------------------------------------------------------------------
+Mon Mar 3 16:05:24 CET 2003 - okir@suse.de
+
+- added comment to /etc/pam.d/ssh on how to enable
+ support for resmgr (#24363).
+
+-------------------------------------------------------------------
+Fri Feb 21 18:52:05 CET 2003 - postadal@suse.cz
+
+- added ssh-copy-id shell script [#23745]
+
+-------------------------------------------------------------------
+Fri Feb 14 13:42:14 CET 2003 - postadal@suse.cz
+
+- given back gssapi and dns-lookups patches
+
+-------------------------------------------------------------------
+Wed Jan 22 23:05:35 CET 2003 - postadal@suse.cz
+
+- updated to version 3.5p1
+- removed obsolete patches: owl-mm, forced-commands-only, krb
+- added patch krb5 (for heimdal)
+- temporarily removed gssapi patch and dns-lookups (needs rewriting)
+- fix sysconfig metadata
+
+-------------------------------------------------------------------
+Thu Dec 5 10:52:41 CET 2002 - okir@suse.de
+
+- avoid Kerberos DNS lookups in the default config (#20395)
+- added README.kerberos
+
+-------------------------------------------------------------------
+Thu Sep 19 11:00:46 CEST 2002 - postadal@suse.cz
+
+- added info about changes in the new version of openssh
+ to README.SuSE [#19757]
+
+-------------------------------------------------------------------
+Mon Sep 2 10:39:24 CEST 2002 - okir@suse.de
+
+- privsep directory now /var/lib/empty, which is provided by
+ filesystem package (#17556)
+
+-------------------------------------------------------------------
+Wed Aug 28 05:48:16 CEST 2002 - nashif@suse.de
+
+- Added insserv & co to PreReq
+
+-------------------------------------------------------------------
+Mon Aug 26 11:57:20 CEST 2002 - okir@suse.de
+
+- applied patch that adds GSSAPI support in protocol version 2 (#18239)
+
+-------------------------------------------------------------------
+Thu Aug 22 14:09:43 CEST 2002 - postadal@suse.cz
+
+- added the patch to fix malfunction of PermitRootLogin seted to
+ forced-commands-only [#17149]
+
+-------------------------------------------------------------------
+Fri Aug 9 14:41:30 CEST 2002 - okir@suse.de
+
+- syslog now 
reports kerberos auth method when logging in via
+ kerberos (#17469)
+
+-------------------------------------------------------------------
+Tue Jul 23 04:34:10 PDT 2002 - okir@suse.de
+
+- enabled kerberos support
+- added patch to support kerberos 5 authentication in privsep mode.
+- added missing section 5 manpages
+- added missing ssh-keysign to files list (new for privsep)
+
+-------------------------------------------------------------------
+Mon Jul 22 14:16:54 CEST 2002 - okir@suse.de
+
+- fixed handling of expired passwords in privsep mode
+
+-------------------------------------------------------------------
+Tue Jul 9 13:48:52 CEST 2002 - mmj@suse.de
+
+- Don't source rc.config
+
+-------------------------------------------------------------------
+Wed Jul 3 01:01:24 CEST 2002 - draht@suse.de
+
+- ssh-keygen must be told to explicitly create type rsa1 keys
+ in the start script.
+
+-------------------------------------------------------------------
+Tue Jul 2 12:03:58 CEST 2002 - ro@suse.de
+
+- useradd/groupadd in preinstall to standardize
+
+-------------------------------------------------------------------
+Sat Jun 29 10:33:18 CEST 2002 - ro@suse.de
+
+- updated patch from solar: zero out bytes for no longer used pages
+ in mmap-fallback solution
+
+-------------------------------------------------------------------
+Thu Jun 27 18:07:37 CEST 2002 - ro@suse.de
+
+- updated owl-fallback.diff from solar
+
+-------------------------------------------------------------------
+Thu Jun 27 17:04:16 CEST 2002 - ro@suse.de
+
+- update to 3.4p1
+ o privilege separation support
+ o overflow fix from ISS
+- unsplit openssh-server and openssh-client
+
+-------------------------------------------------------------------
+Tue Jun 18 12:12:41 CEST 2002 - mmj@suse.de
+
+- Update to 3.2.3p1 which fixed following compared to 3.2.2p1
+ o a defect in the BSD_AUTH access control handling for
+ o login/tty problems on Solaris (bug #245)
+ o build problems on Cygwin systems
+
+- Split the package to openssh, openssh-server, openssh-client and
+ openssh-askpass
+
+-------------------------------------------------------------------
+Sun May 19 16:15:03 CEST 2002 - mmj@suse.de
+
+- Updated to 3.2.2p which includes security and several bugfixes.
+
+-------------------------------------------------------------------
+Fri Mar 15 12:05:21 CET 2002 - ro@suse.de
+
+- added "Obsoletes: ssh"
+
+-------------------------------------------------------------------
+Tue Mar 5 17:15:30 MET 2002 - draht@suse.de
+
+- security fix for bug in channels.c (channelbug.dif)
+
+-------------------------------------------------------------------
+Fri Mar 1 15:40:59 CET 2002 - bk@suse.de
+
+- fix ssh-agent example to use eval `ssh-agent -s` and a typo.
+- add sentence on use of ssh-agent with startx
+
+-------------------------------------------------------------------
+Tue Feb 26 12:31:21 CET 2002 - bk@suse.de
+
+- update README.SuSE to improve documentation on protocol version
+
+-------------------------------------------------------------------
+Wed Feb 13 13:15:41 CET 2002 - cihlar@suse.cz
+
+- rewritten addrlist patch - "0.0.0.0" is removed from list
+ after "::" is successful [#8951]
+
+-------------------------------------------------------------------
+Mon Feb 11 15:17:32 CET 2002 - cihlar@suse.cz
+
+- added info about the change of the default protocol version
+ to README.SuSE
+
+-------------------------------------------------------------------
+Thu Feb 7 12:42:53 CET 2002 - cihlar@suse.cz
+
+- removed addrlist patch which fixed bug [#8951] as it breaks
+ functionality on machines with kernel without IPv6 support,
+ bug reopened, new solution will be find
+- switched to default protocol version 2
+- added ssh-keyconvert (thanks Olaf Kirch )
+- removed static linking against libcrypto, as crypt() was removed
+ from it [#5333]
+
+-------------------------------------------------------------------
+Tue Jan 22 15:43:33 CET 2002 - kukuk@suse.de
+
+- Add 
pam_nologin to account management (else it will not be
+ called if user does not do password authentification)
+
+-------------------------------------------------------------------
+Tue Jan 15 15:49:07 CET 2002 - egmont@suselinux.hu
+
+- removed colon from shutdown message
+
+-------------------------------------------------------------------
+Thu Jan 10 09:27:50 CET 2002 - cihlar@suse.cz
+
+- use %{_lib}
+
+-------------------------------------------------------------------
+Thu Dec 13 01:01:36 CET 2001 - ro@suse.de
+
+- moved rc.config.d -> sysconfig
+
+-------------------------------------------------------------------
+Mon Dec 10 14:07:21 CET 2001 - cihlar@suse.cz
+
+- removed START_SSHD
+
+-------------------------------------------------------------------
+Fri Dec 7 11:26:22 CET 2001 - cihlar@suse.cz
+
+- update to version 3.0.2p1:
+ * CheckMail option in sshd_config is deprecated
+ * X11 cookies are now stored in $HOME
+ * fixed a vulnerability in the UseLogin option
+ * /etc/ssh_known_hosts2 and ~/.ssh/known_hosts2 are obsolete,
+ /etc/ssh_known_hosts and ~/.ssh/known_hosts can be used
+ * several minor fixes
+- update x11-ssh-askpass to version 1.2.4.1:
+ * fixed Imakefile.in
+- fixed bug in adresses "::" and "0.0.0.0" [#8951]
+
+-------------------------------------------------------------------
+Fri Oct 5 07:34:11 CEST 2001 - cihlar@suse.cz
+
+- update to version 2.9.9p2
+- removed obsolete clientloop and command patches
+- uncommented "HostKey /etc/ssh/ssh_host_rsa_key" in sshd_config
+- added German translation of e-mail to sysadmin
+- init script fixed to work when more listening sshd runs
+- added /bin/netstat to requires
+
+-------------------------------------------------------------------
+Mon Sep 24 14:25:58 CEST 2001 - cihlar@suse.cz
+
+- fixed security problem with sftp & bypassing
+ keypair auth restrictions - patch based on CVS
+- fixed status part of init script - it returned
+ running even if there were only sshd of connections
+ and no 
listening sshd [#11220]
+- fixed stop part of init script - when there was no
+ /var/run/sshd.pid, all sshd were killed
+
+-------------------------------------------------------------------
+Thu Sep 6 14:31:15 CEST 2001 - nadvornik@suse.cz
+
+- added patch for correct buffer flushing from CVS [bug #6450]
+
+-------------------------------------------------------------------
+Fri Jul 27 09:05:24 CEST 2001 - cihlar@suse.cz
+
+- update x11-ssh-askpass to version 1.2.2
+
+-------------------------------------------------------------------
+Thu Jul 26 10:55:16 CEST 2001 - cihlar@suse.cz
+
+- update to version 2.9p2
+- removed obsolete "cookies" patch
+
+-------------------------------------------------------------------
+Mon Jun 11 11:21:22 CEST 2001 - cihlar@suse.cz
+
+- fixed to compile with new xmkmf
+
+-------------------------------------------------------------------
+Thu Jun 7 09:42:23 CEST 2001 - cihlar@suse.cz
+
+- fixed security bug when any file "cookies" could
+ be removed by anybody
+
+-------------------------------------------------------------------
+Tue Jun 5 12:49:50 CEST 2001 - bjacke@suse.de
+
+- generate rsa host key in init script
+
+-------------------------------------------------------------------
+Tue Jun 5 07:59:41 CEST 2001 - cihlar@suse.cz
+
+- removed complete path from PAM modules
+
+-------------------------------------------------------------------
+Thu May 3 09:36:17 CEST 2001 - cihlar@suse.cz
+
+- update to version 2.9p1
+- removed obsolete --with-openssl
+- removed obsolete man patch
+
+-------------------------------------------------------------------
+Mon Apr 30 07:50:23 CEST 2001 - cihlar@suse.cz
+
+- enable PAM support
+
+-------------------------------------------------------------------
+Fri Apr 13 11:50:26 CEST 2001 - ro@suse.de
+
+- fixed specfile for extra README.SuSE
+
+-------------------------------------------------------------------
+Fri Apr 13 08:03:45 CEST 2001 - cihlar@suse.cz
+
+- fixed init script by new skeleton
+
+-------------------------------------------------------------------
+Thu Mar 22 14:56:50 CET 2001 - cihlar@suse.cz
+
+- update to version 2.5.2p2
+
+-------------------------------------------------------------------
+Wed Mar 14 14:12:38 CET 2001 - cihlar@suse.cz
+
+- fixed ssh man page
+
+-------------------------------------------------------------------
+Mon Mar 12 07:56:37 CET 2001 - cihlar@suse.cz
+
+- update to version 2.5.1p2
+- added xf86 to neededforbuild
+
+-------------------------------------------------------------------
+Fri Mar 9 15:16:59 CET 2001 - schwab@suse.de
+
+- Fix missing crypt declaration.
+
+-------------------------------------------------------------------
+Fri Feb 23 08:57:55 CET 2001 - cihlar@suse.cz
+
+- update to version 2.5.1p1
+- update x11-ssh-askpass to version 1.2.0
+
+-------------------------------------------------------------------
+Tue Feb 20 11:27:20 CET 2001 - cihlar@suse.cz
+
+- modified README.SuSE [#4365]
+- fixed start script to agree with skeleton
+- fixed start script so "stop" kills only sshd
+ listening for connections
+- compiled with --with-openssl
+- "ListenAddress 0.0.0.0" in sshd_config commented out -
+ listen on both ipv4 and ipv6
+- fixed var/adm/notify/messages/openssh_update [#6406]
+
+-------------------------------------------------------------------
+Thu Jan 25 15:02:01 CET 2001 - smid@suse.cz
+
+- startup script fixed [#5559]
+
+-------------------------------------------------------------------
+Tue Jan 16 09:40:50 CET 2001 - nadvornik@suse.cz
+
+- libcrypto linked static [#5333]
+
+-------------------------------------------------------------------
+Thu Jan 11 13:41:48 CET 2001 - cihlar@suse.cz
+
+- uncomment sftp-server part in sshd_config
+- added /usr/X11R6/lib/X11/app-defaults/SshAskpass to %files
+
+-------------------------------------------------------------------
+Thu Jan 11 12:37:10 CET 2001 - cihlar@suse.cz
+
+- fixed %files [#5230]
+- fixed installation of x11-ssh-askpass to BuildRoot
+- added man pages of x11-ssh-askpass
+
+-------------------------------------------------------------------
+Wed Jan 10 11:54:42 CET 2001 - smid@suse.cz
+
+- notice about how to enable ipv6 added to mail
+- for administrator [#5297]
+
+-------------------------------------------------------------------
+Wed Dec 13 10:43:25 CET 2000 - smid@suse.cz
+
+- default ipv6 listennig disabled (problems with libc2.2) [#4588]
+
+-------------------------------------------------------------------
+Tue Dec 5 14:03:35 CET 2000 - smid@suse.cz
+
+- notify message changed
+
+-------------------------------------------------------------------
+Mon Dec 4 21:45:35 CET 2000 - lmuelle@suse.de
+
+- fixed provides/ conflicts to ssh
+
+-------------------------------------------------------------------
+Thu Nov 30 16:03:34 CET 2000 - smid@suse.cz
+
+- path to ssh-askpass fixed
+- stop in %preun removed
+- new init style
+
+-------------------------------------------------------------------
+Sun Nov 26 23:53:53 CET 2000 - schwab@suse.de
+
+- Restore rcsshd link.
+
+-------------------------------------------------------------------
+Sun Nov 26 15:34:12 CET 2000 - kukuk@suse.de
+
+- Add openssl-devel to neededforbuild
+
+-------------------------------------------------------------------
+Mon Nov 20 16:11:34 CET 2000 - smid@suse.cz
+
+- New version 2.3.0
+
+-------------------------------------------------------------------
+Wed Sep 6 12:52:06 CEST 2000 - smid@suse.cz
+
+- remove --with-ipv4-default option
+
+-------------------------------------------------------------------
+Wed Jul 5 19:04:28 CEST 2000 - garloff@suse.de
+
+- ... and tell the sysadmin and user more about what they can do
+ about it (schwab).
+
+-------------------------------------------------------------------
+Wed Jul 5 00:55:37 CEST 2000 - garloff@suse.de
+
+- Inform the user (admin) about the fact that the default behaviour
+ with respect to X11-forwarding has been changed to be disabled.
+
+-------------------------------------------------------------------
+Wed Jun 28 13:11:08 CEST 2000 - smid@suse.cz
+
+- warning that generating DSA key can an take a long time.
+ (bugzilla 3015)
+- writing to wtmp and lastlog fixed (bugzilla 3024)
+- reading config file (parameter Protocol) fixed
+
+-------------------------------------------------------------------
+Fri Jun 16 10:42:52 CEST 2000 - garloff@suse.de
+
+- Added generation of ssh_host_dsa_key
+
+-------------------------------------------------------------------
+Tue Jun 13 08:32:19 MEST 2000 - nadvornik@suse.cz
+
+- update to 2.1.1p1
+
+-------------------------------------------------------------------
+Thu Jun 8 10:10:55 MEST 2000 - cihlar@suse.cz
+
+- uncommented %clean
+
+-------------------------------------------------------------------
+Fri May 5 13:08:15 CEST 2000 - smid@suse.cz
+
+- buildroot added
+- upgrade to 1.2.3
+
+-------------------------------------------------------------------
+Tue Mar 21 09:50:57 CET 2000 - kukuk@suse.de
+
+- Update to 1.2.2p1
+
+-------------------------------------------------------------------
+Mon Mar 6 12:03:49 CET 2000 - kukuk@suse.de
+
+- Fix the diff.
+
+-------------------------------------------------------------------
+Sun Mar 5 18:22:07 CET 2000 - kukuk@suse.de
+
+- Add a README.SuSE with a short description how to use ssh-add
+
+-------------------------------------------------------------------
+Tue Feb 29 21:03:50 CET 2000 - schwab@suse.de
+
+- Update config.{guess,sub}.
+
+-------------------------------------------------------------------
+Fri Feb 25 11:01:24 CET 2000 - kukuk@suse.de
+
+- Fix need for build, add group tag.
+
+-------------------------------------------------------------------
+Wed Feb 2 09:23:13 CET 2000 - kukuk@suse.de
+
+- Change new defaults back to old one
+
+-------------------------------------------------------------------
+Sun Jan 30 12:51:49 CET 2000 - kukuk@suse.de
+
+- Add x11-ssh-askpass to filelist
+
+-------------------------------------------------------------------
+Fri Jan 28 18:03:50 CET 2000 - kukuk@suse.de
+
+- Update to OpenSSH 1.2.2
+- Add x11-ssh-askpass-1.0
+
+-------------------------------------------------------------------
+Tue Jan 25 15:57:09 CET 2000 - kukuk@suse.de
+
+- Add reload and status to /sbin/init.d/sshd [Bug 1747]
+
+-------------------------------------------------------------------
+Thu Jan 20 17:26:02 CET 2000 - kukuk@suse.de
+
+- Update to 1.2.1pre27 with IPv6 support
+
+-------------------------------------------------------------------
+Fri Dec 31 21:18:10 CET 1999 - kukuk@suse.de
+
+- Initial version
diff --git a/openssh.spec b/openssh.spec
new file mode 100644
index 0000000..f40f385
--- /dev/null
+++ b/openssh.spec
@@ -0,0 +1,812 @@
+#
+# spec file for package openssh (Version 4.5p1)
+#
+# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# This file and all modifications and additions to the pristine
+# package are under the same license as the package itself.
+#
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+
+# norootforbuild
+
+Name: openssh
+%define _prefix %(xft-config --prefix)
+%if "%{_prefix}" == "/usr/X11R6"
+%define _mandir %{_prefix}/man
+%define _appdefdir %{_prefix}/lib/X11/app-defaults
+%else
+%define _appdefdir %{_prefix}/share/X11/app-defaults
+%endif
+BuildRequires: krb5-devel opensc-devel openssl-devel pam-devel tcpd-devel xorg-x11-devel
+License: BSD License and BSD-like, X11/MIT
+Group: Productivity/Networking/SSH
+Obsoletes: ssh
+Provides: ssh
+Requires: /bin/netstat
+PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_prereq /bin/mkdir /bin/cat permissions
+Conflicts: nonfreessh
+Autoreqprov: on
+Version: 4.5p1
+Release: 11
+%define xversion 1.2.4.1
+Summary: Secure Shell Client and Server (Remote Login Program)
+URL: http://www.openssh.com/
+Source: %{name}-%{version}.tar.bz2
+Source1: %{name}-SuSE.tar.bz2
+Source2: sshd.pamd
+Source3: x11-ssh-askpass-%{xversion}.tar.bz2
+Source4: README.SuSE
+Source5: converter.tar.bz2
+Source6: README.kerberos
+Source7: ssh.reg
+Source8: ssh-askpass
+Patch: %{name}-%{version}.dif
+Patch1: %{name}-%{version}-addrlist.dif
+Patch12: %{name}-%{version}-askpass-fix.diff
+Patch15: %{name}-%{version}-pam-fix2.diff
+Patch17: %{name}-%{version}-strict-aliasing-fix.diff
+Patch18: %{name}-%{version}-saveargv-fix.diff
+Patch19: %{name}-%{version}-pam-fix3.diff
+Patch21: %{name}-%{version}-gssapimitm.patch
+Patch26: %{name}-%{version}-eal3.diff
+Patch27: %{name}-%{version}-engines.diff
+Patch28: %{name}-%{version}-blocksigalrm.diff
+Patch35: %{name}-%{version}-send_locale.diff
+Patch36: %{name}-%{version}-xauthlocalhostname.diff
+Patch37: %{name}-%{version}-tmpdir.diff
+Patch38: %{name}-%{version}-pwname-home.diff
+Patch40: %{name}-%{version}-xauth.diff
+Patch41: %{name}-%{version}-gcc-fix.patch
+Patch42: %{name}-gssapi_krb5-fix.patch
+Patch43: %{name}-%{version}-default-protocol.diff
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+%package askpass
+Summary: A passphrase dialog for OpenSSH and the X Window System
+Requires: openssh = %{version}
+Provides: openssh:/usr/%_lib/ssh/ssh-askpass
+Group: Productivity/Networking/SSH
+
+%description
+SSH (Secure Shell) is a program for logging into and executing commands
+on a remote machine. It is intended to replace rlogin and rsh and
+provides secure encrypted communication between two untrusted hosts
+over an insecure network. X Window System connections and arbitrary
+TCP/IP ports can also be forwarded over the secure channel.
+
+
+
+Authors:
+--------
+ Aaron Campbell
+ Bob Beck
+ Markus Friedl
+ Niels Provos
+ Theo de Raadt
+ Dug Song
+ Ben Taylor
+ Chip Salzenberg
+ Chris Saia
+ Dan Brosemer
+ Jim Knoble
+ Marc G. Fournier
+ Nalin Dahyabhai
+ Niels Kristian Bech Jensen
+ Phil Hands
+ Thomas Neumann
+ Tudor Bosman
+ Damien Miller
+
+
+%description askpass
+Ssh (Secure Shell) is a program for logging into a remote machine and
+for executing commands on a remote machine. This package contains an X
+Window System passphrase dialog for OpenSSH.
+
+
+
+Authors:
+--------
+ Aaron Campbell
+ Bob Beck
+ Markus Friedl
+ Niels Provos
+ Theo de Raadt
+ Dug Song
+ Ben Taylor
+ Chip Salzenberg
+ Chris Saia
+ Dan Brosemer
+ Jim Knoble
+ Marc G. Fournier
+ Nalin Dahyabhai
+ Niels Kristian Bech Jensen
+ Phil Hands
+ Thomas Neumann
+ Tudor Bosman
+ Damien Miller
+
+%define prefix /usr
+%prep
+%setup -q -b 3 -a 1 -a 5
+%patch
+%patch1
+%patch15
+%patch17
+%patch18
+%patch19
+%patch21
+%patch26 -p1
+%patch27 -p1
+%patch28
+%patch35
+%patch36
+%patch37
+%patch38 -p1
+%patch40
+%patch41
+%patch42
+%patch43
+cp -v %{SOURCE4} .
+cp -v %{SOURCE6} .
+cd ../x11-ssh-askpass-%{xversion}
+%patch12
+
+%build
+%if "%{_prefix}" != "/usr/X11R6"
+ for i in configure.ac Makefile.in pathnames.h ssh_config.0 ssh_config.5 sshd_config.0 sshd_config.5 ; do
+ sed -i -e 's@%{_prefix}@/usr@g' $i
+ done
+%endif
+%{?suse_update_config:%{suse_update_config}}
+aclocal
+autoheader
+autoconf
+%ifarch s390 s390x
+PIEFLAGS="-fPIE"
+%else
+PIEFLAGS="-fpie"
+%endif
+#Obsoleted CFLAGS="-DUSE_POSIX_THREADS $RPM_OPT_FLAGS" CXXFLAGS="-DUSE_POSIX_THREADS $RPM_O \
+#Obsoleted LDFLAGS="-lpthread" \
+LDFLAGS="-pie" CFLAGS="$RPM_OPT_FLAGS $PIEFLAGS -fstack-protector" CXXFLAGS="$RPM_OPT_FLAGS $PIEFLAGS -fstack-protector" \
+./configure \
+ --mandir=%{_mandir} \
+ --prefix=%{prefix} \
+ --infodir=%{_infodir} \
+ --sysconfdir=/etc/ssh \
+ --libexecdir=%{prefix}/%_lib/ssh \
+ --with-tcp-wrappers \
+ --with-pam \
+ --with-kerberos5=/usr \
+ --with-privsep-path=/var/lib/empty \
+%ifnarch s390 s390x
+ --with-opensc \
+%endif
+ --disable-strip \
+ --with-xauth=%{_prefix}/bin/xauth \
+ --target=%{_target_cpu}-suse-linux
+# --with-afs=/usr \
+make %{?jobs:-j%jobs}
+(cd converter; make %{?jobs:-j%jobs})
+cd contrib
+cd ../../x11-ssh-askpass-%{xversion}
+CFLAGS="$RPM_OPT_FLAGS" CXXFLAGS="$RPM_OPT_FLAGS"
+./configure \
+ --mandir=%{_mandir} \
+ --prefix=%{_prefix} \
+ --libexecdir=%{prefix}/%_lib/ssh
+xmkmf
+make includes USRLIBDIR=%_prefix/%_lib
+make %{?jobs:-j%jobs} USRLIBDIR=%_prefix/%_lib CCOPTIONS="$RPM_OPT_FLAGS"
+
+%install
+make DESTDIR=$RPM_BUILD_ROOT/ install
+install -d -m 755 $RPM_BUILD_ROOT/etc/pam.d
+install -d -m 755 $RPM_BUILD_ROOT/var/lib/sshd
+install -m 644 %{S:2} $RPM_BUILD_ROOT/etc/pam.d/sshd
+install -d -m 755 $RPM_BUILD_ROOT/etc/slp.reg.d/
+install -m 644 %{S:7} $RPM_BUILD_ROOT/etc/slp.reg.d/
+cp -a SuSE/* $RPM_BUILD_ROOT
+# install shell script to automate the process of adding your public key to a remote machine
+install -m 755 contrib/ssh-copy-id $RPM_BUILD_ROOT/usr/bin
+install -m 644 contrib/ssh-copy-id.1 
$RPM_BUILD_ROOT/%{_mandir}/man1
+(cd converter; make install DESTDIR=$RPM_BUILD_ROOT/)
+cd ../x11-ssh-askpass-%{xversion}
+make BINDIR=/usr/%_lib/ssh DESTDIR=$RPM_BUILD_ROOT install install.man
+rm -rf $RPM_BUILD_ROOT/usr/%_lib/ssh/ssh-askpass
+sed -e "s@usr/lib/ssh@usr/%_lib/ssh@" < %{S:8} > $RPM_BUILD_ROOT/usr/%_lib/ssh/ssh-askpass
+rm -f $RPM_BUILD_ROOT/usr/share/Ssh.bin
+sed -i -e s@/usr/libexec@/usr/%{_lib}@g $RPM_BUILD_ROOT/etc/ssh/sshd_config
+
+%pre
+/usr/sbin/groupadd -g 65 -o -r sshd 2> /dev/null || :
+/usr/sbin/useradd -r -o -g sshd -u 71 -s /bin/false -c "SSH daemon" -d /var/lib/sshd sshd 2> /dev/null || :
+
+%post
+%{fillup_and_insserv -n -s -y ssh sshd START_SSHD}
+%run_permissions
+
+%verifyscript
+%verify_permissions -e /etc/ssh/sshd_config -e /etc/ssh/ssh_config -e /usr/bin/ssh
+
+%preun
+%stop_on_removal sshd
+
+%postun
+%restart_on_update sshd
+%{insserv_cleanup}
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files
+%defattr(-,root,root)
+%dir %attr(755,root,root) /var/lib/sshd
+%doc README.SuSE README.kerberos ChangeLog OVERVIEW README RFC.nroff TODO LICENCE CREDITS
+%attr(0755,root,root) %dir /etc/ssh
+%attr(0600,root,root) %config(noreplace) /etc/ssh/moduli
+%verify(not mode) %attr(0644,root,root) %config(noreplace) /etc/ssh/ssh_config
+%verify(not mode) %attr(0640,root,root) %config(noreplace) /etc/ssh/sshd_config
+%attr(0644,root,root) %config /etc/pam.d/sshd
+%attr(0755,root,root) %config /etc/init.d/sshd
+%attr(0755,root,root) /usr/bin/ssh
+/usr/bin/scp
+/usr/bin/sftp
+/usr/bin/slogin
+/usr/bin/ssh-*
+/usr/sbin/*
+%attr(444,root,root) %doc %{_mandir}/man1/scp.1.gz
+%attr(444,root,root) %doc %{_mandir}/man1/ssh-keygen.1.gz
+%attr(444,root,root) %doc /usr/share/man/man1/ssh-keyconverter.1.gz
+%attr(444,root,root) %doc %{_mandir}/man1/ssh.1.gz
+%attr(444,root,root) %doc %{_mandir}/man1/slogin.1.gz
+%attr(444,root,root) %doc %{_mandir}/man1/ssh-agent.1*
+%attr(444,root,root) %doc %{_mandir}/man1/ssh-add.1*
+%attr(444,root,root) %doc 
%{_mandir}/man1/ssh-keyscan.1* +%attr(444,root,root) %doc %{_mandir}/man1/sftp.1* +%attr(444,root,root) %doc %{_mandir}/man1/ssh-copy-id.1* +%attr(444,root,root) %doc %{_mandir}/man5/* +%attr(444,root,root) %doc %{_mandir}/man8/* +%attr(0755,root,root) %dir /usr/%_lib/ssh +%attr(0755,root,root) /usr/%_lib/ssh/sftp-server +%attr(0755,root,root) /usr/%_lib/ssh/ssh-keysign +%dir /etc/slp.reg.d +/etc/slp.reg.d/ssh.reg +/var/adm/fillup-templates/sysconfig.ssh + +%files askpass +%defattr(-,root,root) +%attr(0755,root,root) /usr/%_lib/ssh/ssh-askpass +%attr(0755,root,root) /usr/%_lib/ssh/x11-ssh-askpass +%doc %_mandir/man1/ssh-askpass.1x.gz +%doc %_mandir/man1/x11-ssh-askpass.1x.gz +%config %_appdefdir/SshAskpass + +%changelog -n openssh +* Sat Jan 06 2007 - anicka@suse.cz +- disable SSHv1 protocol in default configuration [#231808] +* Tue Dec 12 2006 - anicka@suse.cz +- update to 4.5p1 + * Use privsep_pw if we have it, but only require it if we + absolutely need it. + * Correctly check for bad signatures in the monitor, otherwise + the monitor and the unpriv process can get out of sync. + * Clear errno before calling the strtol functions. 
+ * exit instead of doing a blocking tcp send if we detect
+ a client/server timeout, since the tcp sendqueue might
+ be already full (of alive requests)
+ * include signal.h, errno.h, sys/in.h
+ * some more bugfixes
+* Wed Nov 22 2006 - anicka@suse.cz
+- fixed README.SuSE [#223025]
+* Thu Nov 09 2006 - anicka@suse.cz
+- backport security fixes from openssh 4.5 (#219115)
+* Tue Nov 07 2006 - ro@suse.de
+- fix manpage permissions
+* Tue Oct 31 2006 - anicka@suse.cz
+- fix gssapi_krb5-fix patch [#215615]
+- fix xauth patch
+* Tue Oct 10 2006 - postadal@suse.cz
+- fixed building openssh from src.rpm [#176528] (gssapi_krb5-fix.patch)
+* Tue Oct 03 2006 - postadal@suse.cz
+- updated to version 4.4p1 [#208662]
+ * fixed pre-authentication DoS, that would cause sshd(8) to spin
+ until the login grace time expired
+ * fixed unsafe signal hander, which was vulnerable to a race condition
+ that could be exploited to perform a pre-authentication DoS
+ * fixed a GSSAPI authentication abort that could be used to determine
+ the validity of usernames on some platforms
+ * implemented conditional configuration in sshd_config(5) using the
+ "Match" directive
+ * added support for Diffie-Hellman group exchange key agreement with a
+ final hash of SHA256
+ * added a "ForceCommand", "PermitOpen" directive to sshd_config(5)
+ * added optional logging of transactions to sftp-server(8)
+ * ssh(1) will now record port numbers for hosts stored in
+ ~/.ssh/authorized_keys when a non-standard port has been requested
+ * added an "ExitOnForwardFailure" option to cause ssh(1) to exit (with
+ a non-zero exit code) when requested port forwardings could not be
+ established
+ * extended sshd_config(5) "SubSystem" declarations to allow the
+ specification of command-line arguments
+- removed obsoleted patches: autoconf-fix.patch, dos-fix.patch
+- fixed gcc issues (gcc-fix.patch)
+* Wed Sep 20 2006 - postadal@suse.cz
+- fixed DoS by CRC compensation attack detector [#206917] (dos-fix.patch)
+- fixed client NULL deref on protocol error
+- cosmetic fix in init script [#203826]
+* Fri Sep 01 2006 - kukuk@suse.de
+- sshd.pamd: Add pam_loginuid, move pam_nologin to a better position
+* Fri Aug 25 2006 - postadal@suse.cz
+- fixed path for xauth [#198676]
+* Thu Aug 03 2006 - postadal@suse.cz
+- fixed build with X11R7
+* Thu Jul 20 2006 - postadal@suse.cz
+- updated to version 4.3p2
+ * experimental support for tunneling network packets via tun(4)
+- removed obsoleted patches: pam-error.patch, CVE-2006-0225.patch,
+ scp.patch, sigalarm.patch
+* Mon Feb 13 2006 - postadal@suse.cz
+- upstream fixes
+ - fixed "scp a b c", when c is not directory (scp.patch)
+ - eliminate some code duplicated in privsep and non-privsep paths, and
+ explicitly clear SIGALRM handler (sigalarm.patch)
+* Fri Feb 03 2006 - postadal@suse.cz
+- fixed local arbitrary command execution vulnerability [#143435]
+ (CVE-2006-0225.patch)
+* Thu Feb 02 2006 - postadal@suse.cz
+- fixed xauth.diff for disabled UsePrivilegeSeparation mode [#145809]
+- build on s390 without Smart card support (opensc) [#147383]
+* Mon Jan 30 2006 - postadal@suse.cz
+- fixed patch xauth.diff [#145809]
+- fixed comments [#142989]
+* Wed Jan 25 2006 - mls@suse.de
+- converted neededforbuild to BuildRequires
+* Mon Jan 16 2006 - meissner@suse.de
+- added -fstack-protector.
+* Tue Jan 03 2006 - postadal@suse.cz
+- updated to version 4.2p1
+- removed obsoleted patches: upstream_fixes.diff, gssapi-secfix.patch
+* Tue Nov 15 2005 - postadal@suse.cz
+- do not delegate GSSAPI credentials to log in with a different method
+ than GSSAPI [#128928] (CAN-2005-2798, gssapi-secfix.patch)
+* Sun Oct 23 2005 - postadal@suse.cz
+- fixed PAM to send authentication failing mesaage to client [#130043]
+ (pam-error.patch)
+* Wed Sep 14 2005 - postadal@suse.cz
+- fixed uninitialized variable in patch xauth.diff [#98815]
+* Thu Sep 08 2005 - postadal@suse.cz
+- don't strip
+* Mon Sep 05 2005 - postadal@suse.cz
+- added patch xauth.diff prevent from polluting xauthority file [#98815]
+* Mon Aug 22 2005 - postadal@suse.cz
+- fixed problem when multiple accounts have same UID [#104773]
+ (pwname-home.diff)
+- added fixes from upstream (upstream_fixes.diff)
+* Thu Aug 18 2005 - postadal@suse.cz
+- added patch tmpdir.diff for using $TMPDIR by ssh-agent [#95731]
+* Thu Aug 04 2005 - uli@suse.de
+- parallelize build
+* Mon Aug 01 2005 - postadal@suse.cz
+- added patch resolving problems with hostname changes [#98627]
+ (xauthlocalhostname.diff)
+* Wed Jun 22 2005 - kukuk@suse.de
+- Compile/link with -fpie/-pie
+* Wed Jun 15 2005 - meissner@suse.de
+- build x11-ask-pass with RPM_OPT_FLAGS.
+* Fri Jun 10 2005 - postadal@suse.cz
+- updated to version 4.1p1
+- removed obsoleted patches: restore_terminal, pam-returnfromsession,
+ timing-attacks-fix, krb5ccname, gssapi-pam, logdenysource,
+ sendenv-fix, documentation-fix
+* Thu Mar 10 2005 - postadal@suse.cz
+- fixed SendEnv config parsing bug
+- documented timeout on untrusted x11 forwarding sessions (openssh#849)
+- mentioned ForwardX11Trusted in ssh.1 (openssh#987)
+* Thu Mar 03 2005 - postadal@suse.cz
+- enabled accepting and sending locale environment variables in protocol 2
+ [#65747, #50091]
+* Thu Feb 24 2005 - postadal@suse.cz
+- added patches from cvs: gssapi-pam (openssh#918),
+ krb5ccname (openssh#445), logdenysource (openssh#909)
+* Thu Feb 03 2005 - postadal@suse.cz
+- fixed keyboard-interactive/pam/Kerberos leaks info about user existence
+ [#48329] (openssh#971, CAN-2003-0190)
+* Wed Jan 19 2005 - postadal@suse.cz
+- splited spec file to decreas number of build dependencies
+- fixed restoring terminal setting after Ctrl+C during password prompt in scp/sftp [#43309]
+- allowed users to see output from failing PAM session modules (openssh #890,
+ pam-returnfromsession.patch)
+* Mon Nov 08 2004 - kukuk@suse.de
+- Use common-* PAM config files for sshd PAM configuration
+* Mon Oct 25 2004 - postadal@suse.cz
+- switched heimdal-* to kerberos-devel-packages in #needforbuild
+* Fri Sep 03 2004 - ro@suse.de
+- fix lib64 issue
+* Tue Aug 31 2004 - postadal@suse.cz
+- updated to version 3.9p1
+- removed obsoleted patches: scp-fix.diff and window_change-fix.diff
+* Thu Aug 26 2004 - postadal@suse.cz
+- added openssh-askpass-gnome subpackage
+- added ssh-askpass script for choosing askpass depending on windowmanager
+ (by Robert Love )
+- build with Smart card support (opensc) [#44289]
+* Tue Aug 17 2004 - postadal@suse.cz
+- removed old implementation of "Update Messages" [#36059]
+* Thu Aug 12 2004 - postadal@suse.cz
+- updated to version 3.8p1
+- removed obsoleted patches: sftp-progress-fix and pam-fix4
+* Mon Jun 28 2004 - meissner@suse.de
+- block sigalarm during syslog output or we might deadlock
+ on recursively entering syslog(). (LTC#9523, SUSE#42354)
+* Wed May 26 2004 - postadal@suse.cz
+- fixed commented default value for GSSAPI
+* Thu May 20 2004 - mludvig@suse.cz
+- Load drivers for available hardware crypto accelerators.
+* Fri Apr 30 2004 - postadal@suse.cz
+- updated README.kerberos (GSSAPICleanupCreds renamed to GSSAPICleanupCredentials)
+* Mon Apr 19 2004 - postadal@suse.cz
+- updated README.SuSE (GSSAPICleanupCreds renamed to GSSAPICleanupCredentials)
+ [#39010]
+* Fri Mar 26 2004 - postadal@suse.cz
+- fixed sshd(8) and sshd_config(5) man pages (EAL3)
+- fixed spelling errors in README.SuSE [#37086]
+* Thu Mar 25 2004 - postadal@suse.cz
+- fixed change window request [#33177]
+* Mon Mar 22 2004 - postadal@suse.cz
+- updated README.SuSE
+- removed %%verify from /usr/bin/ssh in specfile
+* Thu Mar 18 2004 - postadal@suse.cz
+- fixed previous fix of security bug in scp [#35443] (CAN-2004-0175)
+ (was too restrictive)
+- fixed permission of /usr/bin/ssh
+* Mon Mar 15 2004 - postadal@suse.cz
+- fixed comments in sshd_config and ssh_config
+* Mon Mar 15 2004 - postadal@suse.cz
+- enabled privilege separation mode (new version fixes a lot of problematic PAM
+ calling [#30328])
+- fixed security bug in scp [#35443] (CAN-2004-0175)
+- reverted to old behaviour of ForwardingX11 [#35836]
+ (set ForwardX11Trusted to 'yes' by default)
+- updated README.SuSE
+- fixed pam code (pam-fix4.diff, backported from openssh-SNAP-20040311)
+* Fri Mar 05 2004 - postadal@suse.cz
+- updated README.SuSE (Remote x11 clients are now untrusted by default) [#35368]
+- added gssapimitm patch (support for old GSSAPI)
+* Mon Mar 01 2004 - postadal@suse.cz
+- updated to version 3.8p1
+ * The "gssapi" support has been replaced with the "gssapi-with-mic"
+ to fix possible MITM attacks. These two versions are not compatible.
+- removed obsoleted patches: krb5.patch, dns-lookups.patch, pam-fix.diff,
+ pam-end-fix.diff
+- used process forking instead pthreads
+ (developers fixed bugs in pam calling and they recommended to don't use threads)
+* Tue Feb 24 2004 - postadal@suse.cz
+- fixed the problem with save_argv in sshd.c re-apeared again in version 3.7.1p2
+ (it caused bad behaviour after receiving SIGHUP - used by reload of init script)
+ [#34845]
+* Wed Feb 18 2004 - kukuk@suse.de
+- Real strict-aliasing patch
+* Wed Feb 18 2004 - postadal@suse.cz
+- fixed strict-aliasing patch [#34551]
+* Sat Feb 14 2004 - adrian@suse.de
+- provide SLP registration file /etc/slp.reg.d/ssh.reg
+* Tue Feb 03 2004 - postadal@suse.cz
+- used patch from pam-end-fix.diff [#33132]
+- fixed instalation openssh without documentation [#33937]
+- fixed auth-pam.c which breaks strict aliasing
+* Mon Jan 19 2004 - meissner@suse.de
+- Added a ; to ssh-key-converter.c to fix gcc 3.4 build.
+* Fri Jan 16 2004 - kukuk@suse.de
+- Add pam-devel to neededforbuild
+* Thu Nov 06 2003 - postadal@suse.cz
+- added /usr/bin/slogin explicitly to %%file list [#32921]
+* Sun Nov 02 2003 - adrian@suse.de
+- add %%run_permissions to fix build
+* Tue Oct 14 2003 - postadal@suse.cz
+- reverted value UsePAM to "yes" and set PasswordAuthentication to "no"
+ in file /etc/ssh/sshd_config (the version 3.7.1p2 disabled PAM support
+ by default) [#31749]
+* Tue Sep 23 2003 - draht@suse.de
+- New version 3.7.1p2; signature from 86FF9C48 Damien Miller
+ verified for source tarball. Bugs fixed with this version:
+ [#31637] (CAN-2003-0786, CAN-2003-0786). Briefly:
+ 1) SSH1 PAM challenge response auth ignored the result of the
+ authentication (with privsep off)
+ 2) The PAM conversation function trashed the stack, by referring
+ to the **resp parameter as an array of pointers rather than
+ as a pointer to an array of struct pam_responses.
+ At least security bug 1) is exploitable.
+* Fri Sep 19 2003 - postadal@suse.cz
+- use pthreads instead process forking (it needs by pam modules)
+- fixed bug in calling pam_setcred [#31025]
+ (pam-fix.diff - string "FILE:" added to begin of KRB5CCNAME)
+- updated README.SuSE
+- reverted ChallengeResponseAuthentication option to default value yes
+ (necessary for pam authentication) [#31432]
+* Thu Sep 18 2003 - postadal@suse.cz
+- updated to version 3.7.1p1 (with security patches)
+- removed obsoleted patches: chauthtok.patch, krb-include-fix.diff,
+ gssapi-fix.diff, saveargv-fix.diff, gssapi-20030430.diff, racecondition-fix
+- updated README.kerberos
+* Tue Sep 16 2003 - postadal@suse.cz
+- fixed race condition in allocating memory [#31025] (CAN-2003-0693)
+* Mon Sep 15 2003 - postadal@suse.cz
+- disabled privilege separation, which caused some problems [#30328]
+ (updated README.SuSE)
+* Thu Sep 04 2003 - postadal@suse.cz
+- fixed bug in x11-ssh-askpass dialog [#25846] (askpass-fix.diff is workaround for gcc bug)
+* Fri Aug 29 2003 - kukuk@suse.de
+- Call useradd -r for system account [Bug #29611]
+* Mon Aug 25 2003 - postadal@suse.cz
+- use new stop_on_removal/restart_on_upate macros
+- fixed lib64 problem in /etc/ssh/sshd_config [#28766]
+* Tue Aug 19 2003 - mmj@suse.de
+- Add sysconfig metadata [#28943]
+* Fri Aug 01 2003 - ro@suse.de
+- add e2fsprogs-devel to neededforbuild
+* Thu Jul 24 2003 - postadal@suse.cz
+- updated to version 3.6.1p2
+- added the new version of patch for GSSAPI (gssapi-20030430.diff),
+ the older one was removed (gssapi.patch)
+- added README.kerberos to filelist
+* Tue Jun 03 2003 - mmj@suse.de
+- Remove files we don't package
+* Wed Apr 02 2003 - postadal@suse.cz
+- fixed bad behaviour after receiving SIGHUP (this bug caused not working reload of init script)
+* Tue Mar 18 2003 - postadal@suse.cz
+- added $remote_fs to init.d script (needed if /usr is on remote fs [#25577])
+* Thu Mar 13 2003 - postadal@suse.cz
+- fixed segfault while using GSSAPI for authentication when connecting to localhost (took care about error value of ssh_gssapi_import_name() in function ssh_gssapi_client_ctx())
+* Mon Mar 10 2003 - kukuk@suse.de
+- Remove extra "/" from pid file path.
+* Mon Mar 03 2003 - postadal@suse.cz
+- modified init.d script (now checking sshd.init.pid instead of port 22) [#24263]
+* Mon Mar 03 2003 - okir@suse.de
+- added comment to /etc/pam.d/ssh on how to enable
+ support for resmgr (#24363).
+* Fri Feb 21 2003 - postadal@suse.cz
+- added ssh-copy-id shell script [#23745]
+* Fri Feb 14 2003 - postadal@suse.cz
+- given back gssapi and dns-lookups patches
+* Wed Jan 22 2003 - postadal@suse.cz
+- updated to version 3.5p1
+- removed obsolete patches: owl-mm, forced-commands-only, krb
+- added patch krb5 (for heimdal)
+- temporarily removed gssapi patch and dns-lookups (needs rewriting)
+- fix sysconfig metadata
+* Thu Dec 05 2002 - okir@suse.de
+- avoid Kerberos DNS lookups in the default config (#20395)
+- added README.kerberos
+* Thu Sep 19 2002 - postadal@suse.cz
+- added info about changes in the new version of openssh
+ to README.SuSE [#19757]
+* Mon Sep 02 2002 - okir@suse.de
+- privsep directory now /var/lib/empty, which is provided by
+ filesystem package (#17556)
+* Wed Aug 28 2002 - nashif@suse.de
+- Added insserv & co to PreReq
+* Mon Aug 26 2002 - okir@suse.de
+- applied patch that adds GSSAPI support in protocol version 2 (#18239)
+* Thu Aug 22 2002 - postadal@suse.cz
+- added the patch to fix malfunction of PermitRootLogin seted to
+ forced-commands-only [#17149]
+* Fri Aug 09 2002 - okir@suse.de
+- syslog now reports kerberos auth method when logging in via
+ kerberos (#17469)
+* Tue Jul 23 2002 - okir@suse.de
+- enabled kerberos support
+- added patch to support kerberos 5 authentication in privsep mode.
+- added missing section 5 manpages
+- added missing ssh-keysign to files list (new for privsep)
+* Mon Jul 22 2002 - okir@suse.de
+- fixed handling of expired passwords in privsep mode
+* Tue Jul 09 2002 - mmj@suse.de
+- Don't source rc.config
+* Wed Jul 03 2002 - draht@suse.de
+- ssh-keygen must be told to explicitly create type rsa1 keys
+ in the start script.
+* Tue Jul 02 2002 - ro@suse.de
+- useradd/groupadd in preinstall to standardize
+* Sat Jun 29 2002 - ro@suse.de
+- updated patch from solar: zero out bytes for no longer used pages
+ in mmap-fallback solution
+* Thu Jun 27 2002 - ro@suse.de
+- updated owl-fallback.diff from solar
+* Thu Jun 27 2002 - ro@suse.de
+- update to 3.4p1
+ o privilege separation support
+ o overflow fix from ISS
+- unsplit openssh-server and openssh-client
+* Tue Jun 18 2002 - mmj@suse.de
+- Update to 3.2.3p1 which fixed following compared to 3.2.2p1
+ o a defect in the BSD_AUTH access control handling for
+ o login/tty problems on Solaris (bug #245)
+ o build problems on Cygwin systems
+- Split the package to openssh, openssh-server, openssh-client and
+ openssh-askpass
+* Sun May 19 2002 - mmj@suse.de
+- Updated to 3.2.2p which includes security and several bugfixes.
+* Fri Mar 15 2002 - ro@suse.de
+- added "Obsoletes: ssh"
+* Tue Mar 05 2002 - draht@suse.de
+- security fix for bug in channels.c (channelbug.dif)
+* Fri Mar 01 2002 - bk@suse.de
+- fix ssh-agent example to use eval `ssh-agent -s` and a typo.
+- add sentence on use of ssh-agent with startx
+* Tue Feb 26 2002 - bk@suse.de
+- update README.SuSE to improve documentation on protocol version
+* Wed Feb 13 2002 - cihlar@suse.cz
+- rewritten addrlist patch - "0.0.0.0" is removed from list
+ after "::" is successful [#8951]
+* Mon Feb 11 2002 - cihlar@suse.cz
+- added info about the change of the default protocol version
+ to README.SuSE
+* Thu Feb 07 2002 - cihlar@suse.cz
+- removed addrlist patch which fixed bug [#8951] as it breaks
+ functionality on machines with kernel without IPv6 support,
+ bug reopened, new solution will be find
+- switched to default protocol version 2
+- added ssh-keyconvert (thanks Olaf Kirch )
+- removed static linking against libcrypto, as crypt() was removed
+ from it [#5333]
+* Tue Jan 22 2002 - kukuk@suse.de
+- Add pam_nologin to account management (else it will not be
+ called if user does not do password authentification)
+* Tue Jan 15 2002 - egmont@suselinux.hu
+- removed colon from shutdown message
+* Thu Jan 10 2002 - cihlar@suse.cz
+- use %%{_lib}
+* Thu Dec 13 2001 - ro@suse.de
+- moved rc.config.d -> sysconfig
+* Mon Dec 10 2001 - cihlar@suse.cz
+- removed START_SSHD
+* Fri Dec 07 2001 - cihlar@suse.cz
+- update to version 3.0.2p1:
+ * CheckMail option in sshd_config is deprecated
+ * X11 cookies are now stored in $HOME
+ * fixed a vulnerability in the UseLogin option
+ * /etc/ssh_known_hosts2 and ~/.ssh/known_hosts2 are obsolete,
+ /etc/ssh_known_hosts and ~/.ssh/known_hosts can be used
+ * several minor fixes
+- update x11-ssh-askpass to version 1.2.4.1:
+ * fixed Imakefile.in
+- fixed bug in adresses "::" and "0.0.0.0" [#8951]
+* Fri Oct 05 2001 - cihlar@suse.cz
+- update to version 2.9.9p2
+- removed obsolete clientloop and command patches
+- uncommented "HostKey /etc/ssh/ssh_host_rsa_key" in sshd_config
+- added German translation of e-mail to sysadmin
+- init script fixed to work when more listening sshd runs
+- added /bin/netstat to requires
+* Mon Sep 24 2001 - cihlar@suse.cz
+- fixed security problem with sftp & bypassing
+ keypair auth restrictions - patch based on CVS
+- fixed status part of init script - it returned
+ running even if there were only sshd of connections
+ and no listening sshd [#11220]
+- fixed stop part of init script - when there was no
+ /var/run/sshd.pid, all sshd were killed
+* Thu Sep 06 2001 - nadvornik@suse.cz
+- added patch for correct buffer flushing from CVS [bug #6450]
+* Fri Jul 27 2001 - cihlar@suse.cz
+- update x11-ssh-askpass to version 1.2.2
+* Thu Jul 26 2001 - cihlar@suse.cz
+- update to version 2.9p2
+- removed obsolete "cookies" patch
+* Mon Jun 11 2001 - cihlar@suse.cz
+- fixed to compile with new xmkmf
+* Thu Jun 07 2001 - cihlar@suse.cz
+- fixed security bug when any file "cookies" could
+ be removed by anybody
+* Tue Jun 05 2001 - bjacke@suse.de
+- generate rsa host key in init script
+* Tue Jun 05 2001 - cihlar@suse.cz
+- removed complete path from PAM modules
+* Thu May 03 2001 - cihlar@suse.cz
+- update to version 2.9p1
+- removed obsolete --with-openssl
+- removed obsolete man patch
+* Mon Apr 30 2001 - cihlar@suse.cz
+- enable PAM support
+* Fri Apr 13 2001 - ro@suse.de
+- fixed specfile for extra README.SuSE
+* Fri Apr 13 2001 - cihlar@suse.cz
+- fixed init script by new skeleton
+* Thu Mar 22 2001 - cihlar@suse.cz
+- update to version 2.5.2p2
+* Wed Mar 14 2001 - cihlar@suse.cz
+- fixed ssh man page
+* Mon Mar 12 2001 - cihlar@suse.cz
+- update to version 2.5.1p2
+- added xf86 to neededforbuild
+* Fri Mar 09 2001 - schwab@suse.de
+- Fix missing crypt declaration.
+* Fri Feb 23 2001 - cihlar@suse.cz
+- update to version 2.5.1p1
+- update x11-ssh-askpass to version 1.2.0
+* Tue Feb 20 2001 - cihlar@suse.cz
+- modified README.SuSE [#4365]
+- fixed start script to agree with skeleton
+- fixed start script so "stop" kills only sshd
+ listening for connections
+- compiled with --with-openssl
+- "ListenAddress 0.0.0.0" in sshd_config commented out -
+ listen on both ipv4 and ipv6
+- fixed var/adm/notify/messages/openssh_update [#6406]
+* Thu Jan 25 2001 - smid@suse.cz
+- startup script fixed [#5559]
+* Tue Jan 16 2001 - nadvornik@suse.cz
+- libcrypto linked static [#5333]
+* Thu Jan 11 2001 - cihlar@suse.cz
+- uncomment sftp-server part in sshd_config
+- added /usr/X11R6/lib/X11/app-defaults/SshAskpass to %%files
+* Thu Jan 11 2001 - cihlar@suse.cz
+- fixed %%files [#5230]
+- fixed installation of x11-ssh-askpass to BuildRoot
+- added man pages of x11-ssh-askpass
+* Wed Jan 10 2001 - smid@suse.cz
+- notice about how to enable ipv6 added to mail
+- for administrator [#5297]
+* Wed Dec 13 2000 - smid@suse.cz
+- default ipv6 listennig disabled (problems with libc2.2) [#4588]
+* Tue Dec 05 2000 - smid@suse.cz
+- notify message changed
+* Mon Dec 04 2000 - lmuelle@suse.de
+- fixed provides/ conflicts to ssh
+* Thu Nov 30 2000 - smid@suse.cz
+- path to ssh-askpass fixed
+- stop in %%preun removed
+- new init style
+* Sun Nov 26 2000 - schwab@suse.de
+- Restore rcsshd link.
+* Sun Nov 26 2000 - kukuk@suse.de
+- Add openssl-devel to neededforbuild
+* Mon Nov 20 2000 - smid@suse.cz
+- New version 2.3.0
+* Wed Sep 06 2000 - smid@suse.cz
+- remove --with-ipv4-default option
+* Wed Jul 05 2000 - garloff@suse.de
+- ... and tell the sysadmin and user more about what they can do
+ about it (schwab).
+* Wed Jul 05 2000 - garloff@suse.de
+- Inform the user (admin) about the fact that the default behaviour
+ with respect to X11-forwarding has been changed to be disabled.
+* Wed Jun 28 2000 - smid@suse.cz
+- warning that generating DSA key can an take a long time.
+ (bugzilla 3015)
+- writing to wtmp and lastlog fixed (bugzilla 3024)
+- reading config file (parameter Protocol) fixed
+* Fri Jun 16 2000 - garloff@suse.de
+- Added generation of ssh_host_dsa_key
+* Tue Jun 13 2000 - nadvornik@suse.cz
+- update to 2.1.1p1
+* Thu Jun 08 2000 - cihlar@suse.cz
+- uncommented %%clean
+* Fri May 05 2000 - smid@suse.cz
+- buildroot added
+- upgrade to 1.2.3
+* Tue Mar 21 2000 - kukuk@suse.de
+- Update to 1.2.2p1
+* Mon Mar 06 2000 - kukuk@suse.de
+- Fix the diff.
+* Sun Mar 05 2000 - kukuk@suse.de
+- Add a README.SuSE with a short description how to use ssh-add
+* Tue Feb 29 2000 - schwab@suse.de
+- Update config.{guess,sub}.
+* Fri Feb 25 2000 - kukuk@suse.de
+- Fix need for build, add group tag.
+* Wed Feb 02 2000 - kukuk@suse.de
+- Change new defaults back to old one
+* Sun Jan 30 2000 - kukuk@suse.de
+- Add x11-ssh-askpass to filelist
+* Fri Jan 28 2000 - kukuk@suse.de
+- Update to OpenSSH 1.2.2
+- Add x11-ssh-askpass-1.0
+* Tue Jan 25 2000 - kukuk@suse.de
+- Add reload and status to /sbin/init.d/sshd [Bug 1747]
+* Thu Jan 20 2000 - kukuk@suse.de
+- Update to 1.2.1pre27 with IPv6 support
+* Fri Dec 31 1999 - kukuk@suse.de
+- Initial version
diff --git a/ready b/ready
new file mode 100644
index 0000000..473a0f4
diff --git a/ssh-askpass b/ssh-askpass
new file mode 100644
index 0000000..c946f35
--- /dev/null
+++ b/ssh-askpass
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+SESSION=
+
+case "$DESKTOP_SESSION" in
+ kde) SESSION=kde ;;
+ gnome) SESSION=gnome ;;
+esac
+
+if [ -z "$SESSION" ] ; then
+ WM="${WINDOWMANAGER##*/}"
+ case "$WM" in
+ *kde*) SESSION=kde ;;
+ *gnome*) SESSION=gnome ;;
+ esac
+fi
+
+if [ -z "$SESSION" ] ; then
+ if [ -n "$KDE_FULL_SESSION" ] ; then
+ SESSION=kde
+ fi
+ if [ -n "$GNOME_DESKTOP_SESSION_ID" ] ; then
+ SESSION=gnome
+ fi
+fi
+
+GNOME_SSH_ASKPASS="/usr/lib/ssh/gnome-ssh-askpass"
+X11_SSH_ASKPASS="/usr/lib/ssh/x11-ssh-askpass"
+
+# note: if there is ever a kde-ssh-askpass, just add it based on SESSION=kde
+
+case "$SESSION" in
+ gnome)
+ if [ -f $GNOME_SSH_ASKPASS ]; then
+ exec $GNOME_SSH_ASKPASS ${1+"$@"}
+ else
+ exec $X11_SSH_ASKPASS ${1+"$@"}
+ fi
+ ;;
+ *)
+ exec $X11_SSH_ASKPASS ${1+"$@"}
+ ;;
+esac
+
diff --git a/ssh.reg b/ssh.reg
new file mode 100644
index 0000000..a567084
--- /dev/null
+++ b/ssh.reg
@@ -0,0 +1,18 @@
+#############################################################################
+#
+# OpenSLP registration file
+#
+# register SSH daemon
+#
+#############################################################################
+
+# Register the usual sshd, if it is running
+service:ssh://$HOSTNAME:22,en,65535
+tcp-port=22
+description=Secure Shell Daemon
+
+# ssh can get used to copy files with konqueror using the fish:/ protocol
+service:fish://$HOSTNAME:22,en,65535
+tcp-port=22
+description=KDE file transfer via SSH
+
diff --git a/sshd.pamd b/sshd.pamd
new file mode 100644
index 0000000..a25400e
--- /dev/null
+++ b/sshd.pamd
@@ -0,0 +1,10 @@
+#%PAM-1.0
+auth requisite pam_nologin.so
+auth include common-auth
+account include common-account
+password include common-password
+session required pam_loginuid.so
+session include common-session
+# Enable the following line to get resmgr support for
+# ssh sessions (see /usr/share/doc/packages/resmgr/README)
+#session optional pam_resmgr.so fake_ttyname
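Review bot: The gnome branch only tests that the helper exists (`-f`) before `exec`-ing it, and the x11 fallback is not tested at all, so a missing or non-executable helper ends in a bash "exec: not found/permission denied" error rather than a clean failure; `-x` is the test that matches what `exec` needs, e.g. `if [ -x "$GNOME_SSH_ASKPASS" ]; then`, and the `*)` branch would benefit from the same guard. The two hard-coded `/usr/lib/ssh/...` paths appear to be rewritten to the arch libdir by the spec's `sed` on `%{S:8}` at build time (assuming `%{S:8}` is this file), so a comment such as `# /usr/lib/ssh is rewritten to /usr/%_lib/ssh when the package is built` at `GNOME_SSH_ASKPASS=` would stop a reader from "fixing" the literal path. As a matter of style, bash does not need the `${1+"$@"}` idiom; plain `"$@"` is equivalent here.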
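Review bot: The comment `# Register the usual sshd, if it is running` does not describe what a static OpenSLP registration file does: as far as I know slpd advertises every entry in /etc/slp.reg.d unconditionally, so both the `service:ssh://` and `service:fish://` entries are announced on the local network even when sshd is not started or is listening on a port other than the hard-coded 22 (the spec installs this file unconditionally and gates the daemon on START_SSHD separately). Advertising a service that is not actually reachable is at best confusing for clients and at worst tells the LAN which hosts ship sshd regardless of whether it is up. A comment stating the real behaviour, e.g. `# NOTE: slpd registers this entry whenever slpd runs; it does not check that sshd is running or that Port in sshd_config is 22`, would be accurate, and keeping the two `tcp-port=22` values in sync with sshd_config is an admin task worth noting next to them.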
diff --git a/x11-ssh-askpass-1.2.4.1.tar.bz2 b/x11-ssh-askpass-1.2.4.1.tar.bz2
new file mode 100644
index 0000000..f4b12b3
--- /dev/null
+++ b/x11-ssh-askpass-1.2.4.1.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:59352a27a324ae70cabb82e769aa6fbfc997ef8566fe8f12226388dcfe0f685f
+size 27590