SHA256
1
0
forked from pool/openssh
OBS User unknown 2007-01-07 16:26:05 +00:00 committed by Git OBS Bridge
commit b889e699cf
35 changed files with 3434 additions and 0 deletions

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

134
README.SuSE Normal file
View File

@ -0,0 +1,134 @@
Dear users,
This is OpenSSH version 4.4p1.
There is a very important change in sshd with SuSE Linux 9.1:
The "gssapi" support has been replaced with the "gssapi-with-mic" to fix
possible MITM attacks (to enable support for the deprecated 'gssapi'
authentication set GSSAPIEnableMITMAttack to 'yes'). These two versions
are not compatible. The option GSSAPICleanupCreds is obsoleted, use
GSSAPICleanupCredentials instead.
We disabled the new feature 'untrusted cookies' by default because it brings a
lot of problems. If you like to enable it, set ForwardX11Trusted to 'no' in
ssh_config.
The option UsePrivilegeSeparation was reverted to 'yes' because the problematic
calling of PAM modules in this mode was fixed.
The option KeepAlive has been obsoleted, use TCPKeepAlive instead.
There is an important change in sshd with SuSE Linux 9.0:
The value of option ChallengeResponseAuthentication is reverted to default
value yes, which is necessary for PAM authentication.
I this OpenSSH version is removed kerberos support from protocol SSH1,
since it has been replaced with GSSAPI, but keeps kerberos password
authentication for protocols SSH1 and SSH2. To enable Kerberos authentication
read README.kerberos file.
Important change in sshd with SuSE Linux 8.1 is that sshd X11 forwarding listens
on localhost by default. See sshd X11UseLocalhost option to revert to prior
behaviour if your older X11 clients do not function with this configuration.
The package openssh was splitted to openssh and the new package askpass.
OpenSSH supports two protocol versions (SSH1 and SSH2) which need to be
configured differently.
Protocol version 1 is the old protocol and protocol version 2 is the new
protocol that has several advantages from the security point of view.
Please note that the default ssh protocol version has been changed to
version 2 with SuSE Linux 8.0.
The change of the default protocol version brings one important change for
users who use identity keys for remote login with passphrases.
(Please note the difference: 'password' means a system password on a
given machine. The term 'passphrase', however, is usually used for the
string that an ssh private key is protected (encrypted) with.)
Protocol version 1 uses the key from file ~/.ssh/identity and compares
it with keys from file ~/.ssh/authorized_keys on the remote machine.
Protocol version 2 uses keys from files ~/.ssh/id_rsa or ~/.ssh/id_dsa
and they are compared with keys from file ~/.ssh/authorized_keys.
Note: Servers with OpenSSH < 2.9.9p1 use ~/.ssh/authorized_keys2 instead.
If you don't want to switch to protocol version 2 now, add a line saying
"Protocol 1,2" to /etc/ssh/ssh_config of the SuSE Linux 8.0 system to
retain the old ssh behaviour.
How to convert your environment to protocol version 2:
1) Creating the necessary identity keys for protocol version 2:
There are two ways:
A) You can use your old keys for protocol 1, but you have to convert them
to the format of protocol 2.
This can be done with the tool ssh-keyconverter:
Every user that will use protocol version 2 needs to do this:
cd ~/.ssh
ssh-keyconverter -k identity
- at this point you will be asked for the passphrase of ~/.ssh/identity
ssh-keyconverter -a authorized_keys
If OpenSSH < 2.9.9p1 is used on the server:
grep ssh- authorized_keys >>authorized_keys2
To enable login to other users with the converted protocol version 2 keys,
the other user has to add the new ~/.ssh/id_rsa.pub to his authorized keys.
You can do this by script by forcing version 1 with the -1 switch:
for host in .... ; do
ssh -1 user@$host 'cat >> .ssh/authorized_keys' < ~/.ssh/id_rsa.pub
ssh -1 user@$host 'cat >> .ssh/authorized_keys2' < ~/.ssh/id_rsa.pub
done
B) You can generate new keys for protocol 2 by "ssh-keygen -t rsa" or
"ssh-keygen -t dsa", then add id_rsa.pub (or id_dsa.pub) to
authorized_keys2 and copy authorized_keys2 to the remote machine. See
"man ssh" and "man ssh-keygen" for more info.
2) Handling of protocol version 2 with ssh-agent and ssh-add:
If you continue to use protocol version 1, there is nothing to do because
the default identity is still ~/.ssh/identity.
For protocol version 2, you have to pass the correct file (~/.ssh/id_rsa or
~/.ssh/id_dsa) to ssh-add. To support the version 1 key and the version 2
key you have to add both keys. Example:
eval `ssh-agent -s`
ssh-add ~/.ssh/identity ~/.ssh/id_rsa
This will add your version 1 and version 2 keys and if they have the same
passphrase, you only have to type it once.
Other changes:
The OpenSSH handling of ssh-add/ssh-askpass is solved different as
with OpenSSH 2.x You don't need to call ssh-askpass any longer. If
ssh-add is called and doesn't have a real TTY, it will launch
/usr/lib/ssh/ssh-askpass itself. Make sure that the DISPLAY variable
is always set correctly.
If you want to use ssh-agent under X windows, just edit the file .xsession
in your home directory and change usessh="no" to usessh="yes". After
logining in you only need to start ssh-add by hand, click or startup script.
If you want to use ssh-agent with startx, add the example above to your
~/.xinitrc before the window manager is started.
Your SuSE Team

23
README.kerberos Normal file
View File

@ -0,0 +1,23 @@
This version of the Kerbros/GSSAPI support avoids DNS lookups
for Kerberos-related names. These DNS lookups were problematic
for dialup users because they would lead to excessive delays
if DNS was not reachable.
In order to disable these lookups, I had to change the default
configuration, disabling GSSAPI authentication.
If you do use Kerberos, please make sure you edit the server and
client configuration files as follows:
/etc/ssh/sshd_config:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
/etc/ssh/ssh_config:
Host *
... lots of other options ...
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

3
converter.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:da7ff204375259aef8aaf3ad89c7f311134354fe0129cddce927de5d4f7ab349
size 4792

View File

@ -0,0 +1,87 @@
--- sshd.c
+++ sshd.c
@@ -253,6 +253,62 @@
static void do_ssh1_kex(void);
static void do_ssh2_kex(void);
+char * isaddr(struct addrinfo *addr, char *name);
+void remove_duplicities(struct addrinfo *addr, char *port);
+
+/*
+ * returns port if addr equals name
+ */
+
+char*
+isaddr(struct addrinfo *addr, char *name)
+{
+ char ntop[NI_MAXHOST];
+ char *strport;
+
+ strport = (char*) malloc(NI_MAXSERV+1);
+ if (getnameinfo(addr->ai_addr, addr->ai_addrlen,
+ ntop, sizeof(ntop), strport, sizeof(strport),
+ NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
+ error("getnameinfo failed");
+ free(strport);
+ return NULL;
+ }
+ if (!strcmp(ntop,name))
+ return strport;
+ else{
+ free(strport);
+ return NULL;
+ }
+
+}
+
+/*
+ * it removes all "0.0.0.0" elements with given port
+ * from the list
+ */
+
+void
+remove_duplicities(struct addrinfo *ai_start, char *port)
+{
+ struct addrinfo *ai, *ai1, *aiprev, *ainext;
+ char *port1;
+
+ aiprev=ai_start;
+ for (ai = ai_start->ai_next; ai; ai = ainext) {
+ ainext = ai->ai_next;
+ port1 = isaddr(ai, "0.0.0.0");
+ if (port1 && !strcmp(port,port1)){
+ aiprev->ai_next = ainext;
+ free(ai);
+ free(port1);
+ } else {
+ if (port1)
+ free(port1);
+ aiprev = ai;
+ }
+ }
+}
/*
* Close all listening sockets
@@ -941,6 +997,7 @@
int ret, listen_sock, on = 1;
struct addrinfo *ai;
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+ char *port;
for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
@@ -986,6 +1043,13 @@
continue;
}
listen_socks[num_listen_socks] = listen_sock;
+
+ port = isaddr(ai,"::");
+ if (port) {
+ remove_duplicities(ai, port);
+ free(port);
+ }
+
num_listen_socks++;
/* Start listening on the port. */

View File

@ -0,0 +1,72 @@
--- x11-ssh-askpass.c
+++ x11-ssh-askpass.c
@@ -1301,7 +1301,7 @@
}
}
-Bool eventIsInsideButton(AppInfo *app, XEvent *event, ButtonInfo button)
+Bool eventIsInsideButton(AppInfo *app, ButtonInfo button, XEvent *event)
{
/* 'gcc -Wall' complains about 'app' being an unused parameter.
* Tough. We might want to use it later, and then we don't have
@@ -1343,11 +1343,11 @@
return;
}
if (ButtonPress == event->type) {
- if (eventIsInsideButton(app, event, d->okButton)) {
+ if (eventIsInsideButton(app, d->okButton, event)) {
d->pressedButton = OK_BUTTON;
d->okButton.pressed = True;
paintButton(app, d->dialogWindow, d->okButton);
- } else if (eventIsInsideButton(app, event, d->cancelButton)) {
+ } else if (eventIsInsideButton(app, d->cancelButton, event)) {
d->pressedButton = CANCEL_BUTTON;
d->cancelButton.pressed = True;
paintButton(app, d->dialogWindow, d->cancelButton);
@@ -1356,7 +1356,7 @@
}
} else if (ButtonRelease == event->type) {
if (OK_BUTTON == d->pressedButton) {
- if (eventIsInsideButton(app, event, d->okButton)) {
+ if (eventIsInsideButton(app, d->okButton, event)) {
acceptAction(app);
} else {
if (d->okButton.pressed) {
@@ -1365,7 +1365,7 @@
}
}
} else if (CANCEL_BUTTON == d->pressedButton) {
- if (eventIsInsideButton(app, event, d->cancelButton)) {
+ if (eventIsInsideButton(app, d->cancelButton, event)) {
cancelAction(app);
} else {
if (d->cancelButton.pressed) {
@@ -1385,7 +1385,7 @@
if (NO_BUTTON == d->pressedButton) {
return;
} else if (OK_BUTTON == d->pressedButton) {
- if (eventIsInsideButton(app, event, d->okButton)) {
+ if (eventIsInsideButton(app, d->okButton, event)) {
if (!(d->okButton.pressed)) {
d->okButton.pressed = True;
paintButton(app, d->dialogWindow, d->okButton);
@@ -1397,7 +1397,7 @@
}
}
} else if (CANCEL_BUTTON == d->pressedButton) {
- if (eventIsInsideButton(app, event, d->cancelButton)) {
+ if (eventIsInsideButton(app, d->cancelButton, event)) {
if (!(d->cancelButton.pressed)) {
d->cancelButton.pressed = True;
paintButton(app, d->dialogWindow, d->cancelButton);
--- x11-ssh-askpass.h
+++ x11-ssh-askpass.h
@@ -258,7 +258,7 @@
void addToPassphrase(AppInfo *app, char c);
void handleKeyPress(AppInfo *app, XEvent *event);
-Bool eventIsInsideButton(AppInfo *app, XEvent *event, ButtonInfo button);
+Bool eventIsInsideButton(AppInfo *app, ButtonInfo button, XEvent *event);
void handleButtonPress(AppInfo *app, XEvent *event);
void handlePointerMotion(AppInfo *app, XEvent *event);

View File

@ -0,0 +1,42 @@
--- log.c
+++ log.c
@@ -50,6 +50,7 @@
#include "xmalloc.h"
#include "log.h"
+#include <signal.h>
static LogLevel log_level = SYSLOG_LEVEL_INFO;
static int log_on_stderr = 1;
@@ -313,6 +314,7 @@
char fmtbuf[MSGBUFSIZ];
char *txt = NULL;
int pri = LOG_INFO;
+ sigset_t nset, oset;
if (level > log_level)
return;
@@ -351,6 +353,15 @@
pri = LOG_ERR;
break;
}
+ /* Prevent a race between the grace_alarm
+ * which writes a log message and terminates
+ * and main sshd code that leads to deadlock
+ * as syslog is not async safe.
+ */
+ sigemptyset(&nset);
+ sigaddset(&nset, SIGALRM);
+ sigprocmask(SIG_BLOCK, &nset, &oset);
+
if (txt != NULL) {
snprintf(fmtbuf, sizeof(fmtbuf), "%s: %s", txt, fmt);
vsnprintf(msgbuf, sizeof(msgbuf), fmtbuf, args);
@@ -372,5 +383,7 @@
syslog(pri, "%.500s", fmtbuf);
closelog();
#endif
+
+ sigprocmask(SIG_SETMASK, &oset, NULL);
}
}

View File

@ -0,0 +1,22 @@
--- ssh_config
+++ ssh_config
@@ -46,7 +46,7 @@
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
-# Protocol 2,1
+ Protocol 2
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
--- sshd_config
+++ sshd_config
@@ -11,7 +11,7 @@
# default value.
#Port 22
-#Protocol 2,1
+Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

51
openssh-4.5p1-eal3.diff Normal file
View File

@ -0,0 +1,51 @@
--- openssh-4.5p1/sshd.8
+++ openssh-4.5p1/sshd.8
@@ -739,7 +739,7 @@
The file format is described in
.Xr moduli 5 .
.Pp
-.It /etc/motd
+.It /etc/lib/motd
See
.Xr motd 5 .
.Pp
@@ -752,7 +752,7 @@
refused.
The file should be world-readable.
.Pp
-.It /etc/shosts.equiv
+.It /etc/ssh/shosts.equiv
This file is used in exactly the same way as
.Pa hosts.equiv ,
but allows host-based authentication without permitting login with
@@ -828,8 +828,7 @@
.Xr ssh-keygen 1 ,
.Xr chroot 2 ,
.Xr hosts_access 5 ,
-.Xr login.conf 5 ,
-.Xr moduli 5 ,
+.Xr login.defs 5 ,
.Xr sshd_config 5 ,
.Xr inetd 8 ,
.Xr sftp-server 8
--- openssh-4.5p1/sshd_config.5
+++ openssh-4.5p1/sshd_config.5
@@ -169,9 +169,6 @@
By default, no banner is displayed.
.It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed.
-All authentication styles from
-.Xr login.conf 5
-are supported.
The default is
.Dq yes .
.It Cm Ciphers
@@ -384,7 +381,7 @@
.Pp
.Pa /etc/hosts.equiv
and
-.Pa /etc/shosts.equiv
+.Pa /etc/ssh/shosts.equiv
are still used.
The default is
.Dq yes .

132
openssh-4.5p1-engines.diff Normal file
View File

@ -0,0 +1,132 @@
# Load drivers for available hardware crypto accelerators.
# -- mludvig@suse.cz
Index: openssh-3.8p1/ssh-add.c
================================================================================
--- openssh-4.5p1/ssh-add.c
+++ openssh-4.5p1/ssh-add.c
@@ -42,6 +42,7 @@
#include <sys/param.h>
#include <openssl/evp.h>
+#include <openssl/engine.h>
#include <fcntl.h>
#include <pwd.h>
@@ -343,6 +344,10 @@
SSLeay_add_all_algorithms();
+ /* Init available hardware crypto engines. */
+ ENGINE_load_builtin_engines();
+ ENGINE_register_all_complete();
+
/* At first, get a connection to the authentication agent. */
ac = ssh_get_authentication_connection();
if (ac == NULL) {
--- openssh-4.5p1/ssh-agent.c
+++ openssh-4.5p1/ssh-agent.c
@@ -51,6 +51,7 @@
#include <openssl/evp.h>
#include <openssl/md5.h>
+#include <openssl/engine.h>
#include <errno.h>
#include <fcntl.h>
@@ -1044,6 +1045,10 @@
SSLeay_add_all_algorithms();
+ /* Init available hardware crypto engines. */
+ ENGINE_load_builtin_engines();
+ ENGINE_register_all_complete();
+
__progname = ssh_get_progname(av[0]);
init_rng();
seed_rng();
--- openssh-4.5p1/ssh-keygen.c
+++ openssh-4.5p1/ssh-keygen.c
@@ -21,6 +21,7 @@
#include <openssl/evp.h>
#include <openssl/pem.h>
+#include <openssl/engine.h>
#include <errno.h>
#include <fcntl.h>
@@ -1074,6 +1075,11 @@
__progname = ssh_get_progname(av[0]);
SSLeay_add_all_algorithms();
+
+ /* Init available hardware crypto engines. */
+ ENGINE_load_builtin_engines();
+ ENGINE_register_all_complete();
+
log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
init_rng();
--- openssh-4.5p1/ssh-keysign.c
+++ openssh-4.5p1/ssh-keysign.c
@@ -38,6 +38,7 @@
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/rsa.h>
+#include <openssl/engine.h>
#include "xmalloc.h"
#include "log.h"
@@ -195,6 +196,11 @@
fatal("could not open any host key");
SSLeay_add_all_algorithms();
+
+ /* Init available hardware crypto engines. */
+ ENGINE_load_builtin_engines();
+ ENGINE_register_all_complete();
+
for (i = 0; i < 256; i++)
rnd[i] = arc4random();
RAND_seed(rnd, sizeof(rnd));
--- openssh-4.5p1/ssh.c
+++ openssh-4.5p1/ssh.c
@@ -72,6 +72,7 @@
#include <openssl/evp.h>
#include <openssl/err.h>
+#include <openssl/engine.h>
#include "xmalloc.h"
#include "ssh.h"
@@ -556,6 +557,10 @@
SSLeay_add_all_algorithms();
ERR_load_crypto_strings();
+ /* Init available hardware crypto engines. */
+ ENGINE_load_builtin_engines();
+ ENGINE_register_all_complete();
+
/* Initialize the command to execute on remote host. */
buffer_init(&command);
--- openssh-4.5p1/sshd.c
+++ openssh-4.5p1/sshd.c
@@ -75,6 +75,7 @@
#include <openssl/bn.h>
#include <openssl/md5.h>
#include <openssl/rand.h>
+#include <openssl/engine.h>
#ifdef HAVE_SECUREWARE
#include <sys/security.h>
#include <prot.h>
@@ -1444,6 +1445,10 @@
SSLeay_add_all_algorithms();
+ /* Init available hardware crypto engines. */
+ ENGINE_load_builtin_engines();
+ ENGINE_register_all_complete();
+
/*
* Force logging to stderr until we have loaded the private host
* key (unless started from inetd)

View File

@ -0,0 +1,10 @@
--- scard-opensc.c
+++ scard-opensc.c
@@ -31,6 +31,7 @@
#include <openssl/evp.h>
#include <openssl/x509.h>
+#include <string.h>
#include <stdarg.h>
#include <opensc/opensc.h>

View File

@ -0,0 +1,242 @@
The patch below adds support for the deprecated 'gssapi' authentication
mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
in this release. The use of 'gssapi' is deprecated due to the presence of
potential man-in-the-middle attacks, which 'gssapi-with-mic' is not
susceptible to.
To use the patch apply it to a OpenSSH 3.8p1 source tree. After compiling,
backwards compatibility may be obtained by supplying the
'GssapiEnableMitmAttack yes' option to either the client or server.
It should be noted that this patch is being made available purely as a means
of easing the process of moving to OpenSSH 3.8p1. Any new installations are
recommended to use the 'gssapi-with-mic' mechanism. Existing installations
are encouraged to upgrade as soon as possible.
Index: auth2-gss.c
================================================================================
--- auth2-gss.c
+++ auth2-gss.c
@@ -177,6 +177,15 @@
dispatch_set(
SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
&input_gssapi_exchange_complete);
+
+ /*
+ * Old style 'gssapi' didn't have the GSSAPI_MIC
+ * and went straight to sending exchange_complete
+ */
+ if (options.gss_enable_mitm)
+ dispatch_set(
+ SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
+ &input_gssapi_exchange_complete);
}
}
@@ -298,4 +307,10 @@
&options.gss_authentication
};
+Authmethod method_gssapi_old = {
+ "gssapi",
+ userauth_gssapi,
+ &options.gss_enable_mitm
+};
+
#endif /* GSSAPI */
--- auth2.c
+++ auth2.c
@@ -65,6 +65,7 @@
extern Authmethod method_hostbased;
#ifdef GSSAPI
extern Authmethod method_gssapi;
+extern Authmethod method_gssapi_old;
#endif
Authmethod *authmethods[] = {
@@ -72,6 +73,7 @@
&method_pubkey,
#ifdef GSSAPI
&method_gssapi,
+ &method_gssapi_old,
#endif
&method_passwd,
&method_kbdint,
--- readconf.c
+++ readconf.c
@@ -126,7 +126,7 @@
oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ oAddressFamily, oGssAuthentication, oGssDelegateCreds, oGssEnableMITM,
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
@@ -164,9 +164,11 @@
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
+ { "gssapienablemitmattack", oGssEnableMITM },
#else
{ "gssapiauthentication", oUnsupported },
{ "gssapidelegatecredentials", oUnsupported },
+ { "gssapienablemitmattack", oUnsupported },
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
@@ -445,6 +447,10 @@
case oGssDelegateCreds:
intptr = &options->gss_deleg_creds;
goto parse_flag;
+
+ case oGssEnableMITM:
+ intptr = &options->gss_enable_mitm;
+ goto parse_flag;
case oBatchMode:
intptr = &options->batch_mode;
@@ -1012,6 +1018,7 @@
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
options->gss_deleg_creds = -1;
+ options->gss_enable_mitm = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -1102,6 +1109,8 @@
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
+ if (options->gss_enable_mitm == -1)
+ options->gss_enable_mitm = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
--- readconf.h
+++ readconf.h
@@ -45,6 +45,7 @@
/* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */
int gss_deleg_creds; /* Delegate GSS credentials */
+ int gss_enable_mitm; /* Enable old style gssapi auth */
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
--- servconf.c
+++ servconf.c
@@ -91,6 +91,7 @@
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
options->gss_cleanup_creds = -1;
+ options->gss_enable_mitm = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
@@ -206,6 +207,8 @@
options->gss_authentication = 0;
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
+ if (options->gss_enable_mitm == -1)
+ options->gss_enable_mitm = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
@@ -290,7 +293,7 @@
sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+ sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssEnableMITM,
sMatch, sPermitOpen, sForceCommand,
sUsePrivilegeSeparation,
sDeprecated, sUnsupported
@@ -351,9 +354,11 @@
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+ { "gssapienablemitmattack", sGssEnableMITM },
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapienablemitmattack", sUnsupported },
#endif
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_GLOBAL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_GLOBAL },
@@ -877,6 +882,10 @@
case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds;
goto parse_flag;
+
+ case sGssEnableMITM:
+ intptr = &options->gss_enable_mitm;
+ goto parse_flag;
case sPasswordAuthentication:
intptr = &options->password_authentication;
--- servconf.h
+++ servconf.h
@@ -88,6 +88,7 @@
* authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
+ int gss_enable_mitm; /* If true, enable old style GSSAPI */
int password_authentication; /* If true, permit password
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
--- ssh_config
+++ ssh_config
@@ -53,3 +53,13 @@
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
+# GSSAPIAuthentication no
+# GSSAPIDelegateCredentials no
+
+# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
+# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
+# in this release. The use of 'gssapi' is deprecated due to the presence of
+# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
+# GSSAPIEnableMITMAttack no
+
+>>>>>>>
--- sshconnect2.c
+++ sshconnect2.c
@@ -242,6 +242,10 @@
userauth_gssapi,
&options.gss_authentication,
NULL},
+ {"gssapi",
+ userauth_gssapi,
+ &options.gss_enable_mitm,
+ NULL},
#endif
{"hostbased",
userauth_hostbased,
@@ -576,7 +580,9 @@
if (status == GSS_S_COMPLETE) {
/* send either complete or MIC, depending on mechanism */
- if (!(flags & GSS_C_INTEG_FLAG)) {
+
+ if (strcmp(authctxt->method->name,"gssapi")==0 ||
+ (!(flags & GSS_C_INTEG_FLAG))) {
packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
packet_send();
} else {
--- sshd_config
+++ sshd_config
@@ -69,6 +69,13 @@
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
+# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
+# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
+# in this release. The use of 'gssapi' is deprecated due to the presence of
+# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
+#GSSAPIEnableMITMAttack no
+
+
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and

View File

@ -0,0 +1,20 @@
--- sshd_config
+++ sshd_config
@@ -53,7 +53,7 @@
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
@@ -78,7 +78,7 @@
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
-#UsePAM no
+UsePAM yes
#AllowTcpForwarding yes
#GatewayPorts no

View File

@ -0,0 +1,13 @@
--- auth-pam.c
+++ auth-pam.c
@@ -785,7 +785,9 @@
fatal("Internal error: PAM auth "
"succeeded when it should have "
"failed");
- import_environments(&buffer);
+#ifndef USE_POSIX_THREADS
+ import_environments(&buffer);
+#endif
*num = 0;
**echo_on = 0;
ctxt->pam_done = 1;

View File

@ -0,0 +1,62 @@
--- openssh-4.5p1/misc.c
+++ openssh-4.5p1/misc.c
@@ -186,6 +186,29 @@
return (old);
}
+struct passwd *getpwuid_wh(uid_t uid) {
+ /* Return the password structure by lookup of the username in $ENV{USER},
+ but only when the UID matches a lookup-by-uid so as to not allow using
+ another users' .ssh files in case this function be used in superuser
+ context. */
+
+ const char *user = getenv("USER");
+ struct passwd *pe_nam, *pe_uid;
+
+ if(user == NULL || (pe_nam = getpwnam(user)) == NULL) {
+ return getpwuid(uid);
+ }
+
+ pe_nam = pwcopy(pe_nam);
+ if((pe_uid = getpwuid(uid)) == NULL || pe_nam->pw_uid != pe_uid->pw_uid) {
+ free(pe_nam);
+ return pe_uid;
+ }
+
+ free(pe_nam); // - need to return a non-pwcopy struct
+ return getpwnam(user);
+}
+
struct passwd *
pwcopy(struct passwd *pw)
{
@@ -524,7 +547,7 @@
user[slash] = '\0';
if ((pw = getpwnam(user)) == NULL)
fatal("tilde_expand_filename: No such user %s", user);
- } else if ((pw = getpwuid(uid)) == NULL) /* ~/path */
+ } else if ((pw = getpwuid_wh(uid)) == NULL) /* ~/path */
fatal("tilde_expand_filename: No such uid %d", uid);
if (strlcpy(ret, pw->pw_dir, sizeof(ret)) >= sizeof(ret))
--- openssh-4.5p1/misc.h
+++ openssh-4.5p1/misc.h
@@ -34,6 +34,7 @@
char *tohex(const void *, size_t);
void sanitise_stdfd(void);
+struct passwd *getpwuid_wh(uid_t);
struct passwd *pwcopy(struct passwd *);
typedef struct arglist arglist;
--- openssh-4.5p1/ssh.c
+++ openssh-4.5p1/ssh.c
@@ -249,7 +249,7 @@
}
#endif
/* Get user data. */
- pw = getpwuid(original_real_uid);
+ pw = getpwuid_wh(original_real_uid);
if (!pw) {
logit("You don't exist, go away!");
exit(255);

View File

@ -0,0 +1,23 @@
--- sshd.c
+++ sshd.c
@@ -358,6 +358,7 @@
static void
sighup_restart(void)
{
+ int i;
logit("Received SIGHUP; restarting.");
close_listen_socks();
close_startup_pipes();
@@ -1317,7 +1318,11 @@
#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
compat_init_setproctitle(ac, av);
- av = saved_argv;
+
+ av = xmalloc(sizeof(*saved_argv) * (saved_argc + 1));
+ for (i = 0; i < saved_argc; i++)
+ av[i] = xstrdup(saved_argv[i]);
+ av[i] = NULL;
#endif
if (geteuid() == 0 && setgroups(0, NULL) == -1)

View File

@ -0,0 +1,25 @@
--- ssh_config
+++ ssh_config
@@ -62,4 +62,7 @@
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
# GSSAPIEnableMITMAttack no
->>>>>>>
+# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5).
+SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+SendEnv LC_IDENTIFICATION LC_ALL
--- sshd_config
+++ sshd_config
@@ -112,6 +112,11 @@
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
+# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
+
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no

View File

@ -0,0 +1,71 @@
--- readconf.c
+++ readconf.c
@@ -328,6 +328,7 @@
int opcode, *intptr, value, value2, scale;
long long orig, val64;
size_t len;
+ LogLevel *loglevelptr;
Forward fwd;
/* Strip trailing whitespace */
@@ -692,14 +693,14 @@
break;
case oLogLevel:
- intptr = (int *) &options->log_level;
+ loglevelptr = &options->log_level;
arg = strdelim(&s);
value = log_level_number(arg);
if (value == SYSLOG_LEVEL_NOT_SET)
fatal("%.200s line %d: unsupported log level '%s'",
filename, linenum, arg ? arg : "<NONE>");
- if (*activep && (LogLevel) *intptr == SYSLOG_LEVEL_NOT_SET)
- *intptr = (LogLevel) value;
+ if (*activep && *loglevelptr == SYSLOG_LEVEL_NOT_SET)
+ *loglevelptr = (LogLevel) value;
break;
case oLocalForward:
--- servconf.c
+++ servconf.c
@@ -622,6 +622,8 @@
{
char *cp, **charptr, *arg, *p;
int cmdline = 0, *intptr, value, n;
+ LogLevel *loglevelptr;
+ SyslogFacility *syslogfacilityptr;
ServerOpCodes opcode;
u_short port;
u_int i, flags = 0;
@@ -977,25 +979,25 @@
goto parse_flag;
case sLogFacility:
- intptr = (int *) &options->log_facility;
+ syslogfacilityptr = &options->log_facility;
arg = strdelim(&cp);
value = log_facility_number(arg);
if (value == SYSLOG_FACILITY_NOT_SET)
fatal("%.200s line %d: unsupported log facility '%s'",
filename, linenum, arg ? arg : "<NONE>");
- if (*intptr == -1)
- *intptr = (SyslogFacility) value;
+ if (*syslogfacilityptr == -1)
+ *syslogfacilityptr = (SyslogFacility) value;
break;
case sLogLevel:
- intptr = (int *) &options->log_level;
+ loglevelptr = &options->log_level;
arg = strdelim(&cp);
value = log_level_number(arg);
if (value == SYSLOG_LEVEL_NOT_SET)
fatal("%.200s line %d: unsupported log level '%s'",
filename, linenum, arg ? arg : "<NONE>");
- if (*intptr == -1)
- *intptr = (LogLevel) value;
+ if (*loglevelptr == -1)
+ *loglevelptr = (LogLevel) value;
break;
case sAllowTcpForwarding:

22
openssh-4.5p1-tmpdir.diff Normal file
View File

@ -0,0 +1,22 @@
--- ssh-agent.c
+++ ssh-agent.c
@@ -1127,8 +1127,18 @@
parent_pid = getpid();
if (agentsocket == NULL) {
+ char *tmp1, *tmp;
+ char *tmp2 = "ssh-XXXXXXXXXX";
+ size_t len;
+
+ if ((tmp1 = getenv("TMPDIR")) == NULL)
+ tmp1 = "/tmp";
+ len = strlen(tmp1) + strlen(tmp2) + 1;
+ tmp = malloc(len);
+ snprintf(tmp, len, "%s%s%s", tmp1, tmp1 && strlen(tmp1) > 0 ? "/" : "", tmp2);
/* Create private directory for agent socket */
- strlcpy(socket_dir, "/tmp/ssh-XXXXXXXXXX", sizeof socket_dir);
+ strlcpy(socket_dir, tmp, sizeof socket_dir);
+ free(tmp);
if (mkdtemp(socket_dir) == NULL) {
perror("mkdtemp: private socket dir");
exit(1);

40
openssh-4.5p1-xauth.diff Normal file
View File

@ -0,0 +1,40 @@
--- session.c
+++ session.c
@@ -2250,8 +2250,37 @@
session_close(Session *s)
{
u_int i;
+ pid_t pid;
+ FILE *f = NULL;
+ char cmd[1024];
+ int do_xauth;
+ struct passwd * pw = s->pw;
+ do_xauth = s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
debug("session_close: session %d pid %ld", s->self, (long)s->pid);
+
+ if (do_xauth && options.xauth_location != NULL) {
+
+ if ((pid = fork()) == 0) {
+ permanently_set_uid(pw);
+
+ /* Remove authority data from .Xauthority if appropriate. */
+ debug("Running %.500s remove %.100s\n",
+ options.xauth_location, s->auth_display);
+
+ snprintf(cmd, sizeof cmd, "unset XAUTHORITY && HOME=\"%.200s\" %s -q -",
+ s->pw->pw_dir, options.xauth_location);
+ f = popen(cmd, "w");
+ if (f) {
+ fprintf(f, "remove %s\n", s->auth_display);
+ pclose(f);
+ } else
+ error("Could not run %s\n", cmd);
+ exit(0);
+ }
+ }
+
+
if (s->ttyfd != -1)
session_pty_cleanup(s);
if (s->term)

View File

@ -0,0 +1,76 @@
--- session.c
+++ session.c
@@ -996,7 +996,7 @@
}
static char **
-do_setup_env(Session *s, const char *shell)
+do_setup_env(Session *s, const char *shell, int *env_size)
{
char buf[256];
u_int i, envsize;
@@ -1183,6 +1183,8 @@
for (i = 0; env[i]; i++)
fprintf(stderr, " %.200s\n", env[i]);
}
+
+ *env_size = envsize;
return env;
}
@@ -1191,7 +1193,7 @@
* first in this order).
*/
static void
-do_rc_files(Session *s, const char *shell)
+do_rc_files(Session *s, const char *shell, char **env, int *env_size)
{
FILE *f = NULL;
char cmd[1024];
@@ -1244,12 +1246,20 @@
options.xauth_location);
f = popen(cmd, "w");
if (f) {
+ char hostname[MAXHOSTNAMELEN];
+
fprintf(f, "remove %s\n",
s->auth_display);
fprintf(f, "add %s %s %s\n",
s->auth_display, s->auth_proto,
s->auth_data);
pclose(f);
+ if (gethostname(hostname,sizeof(hostname)) >= 0)
+ child_set_env(&env,env_size,"XAUTHLOCALHOSTNAME",
+ hostname);
+ else
+ debug("Cannot set up XAUTHLOCALHOSTNAME %s\n",
+ strerror(errno));
} else {
fprintf(stderr, "Could not run %s\n",
cmd);
@@ -1469,6 +1479,7 @@
{
extern char **environ;
char **env;
+ int env_size;
char *argv[10];
const char *shell, *shell0, *hostname = NULL;
struct passwd *pw = s->pw;
@@ -1534,7 +1545,7 @@
* Make sure $SHELL points to the shell from the password file,
* even if shell is overridden from login.conf
*/
- env = do_setup_env(s, shell);
+ env = do_setup_env(s, shell, &env_size);
#ifdef HAVE_LOGIN_CAP
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
@@ -1596,7 +1607,7 @@
}
if (!options.use_login)
- do_rc_files(s, shell);
+ do_rc_files(s, shell, env, &env_size);
/* restore SIGPIPE for child */
signal(SIGPIPE, SIG_DFL);

45
openssh-4.5p1.dif Normal file
View File

@ -0,0 +1,45 @@
--- ssh_config
+++ ssh_config
@@ -17,9 +17,20 @@
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
-# Host *
+Host *
# ForwardAgent no
# ForwardX11 no
+
+# If you do not trust your remote host (or its administrator), you
+# should not forward X11 connections to your local X11-display for
+# security reasons: Someone stealing the authentification data on the
+# remote side (the "spoofed" X-server by the remote sshd) can read your
+# keystrokes as you type, just like any other X11 client could do.
+# Set this to "no" here for global effect or in your own ~/.ssh/config
+# file if you want to have the remote X11 authentification data to
+# expire after two minutes after remote login.
+ForwardX11Trusted yes
+
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
--- sshd_config
+++ sshd_config
@@ -82,7 +82,7 @@
#AllowTcpForwarding yes
#GatewayPorts no
-#X11Forwarding no
+X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
--- sshlogin.c
+++ sshlogin.c
@@ -126,6 +126,7 @@
li = login_alloc_entry(pid, user, host, tty);
login_set_addr(li, addr, addrlen);
+ li->uid=uid;
login_login(li);
login_free_entry(li);
}

3
openssh-4.5p1.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1b2826c2c9b94cd2c2c441a3acf2b0f954b8556a0db6aa938cac13c44504e186
size 776871

3
openssh-SuSE.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f183c56221e52c71a00058675d9e94e1e34668b266d8a11c02cf4e91a151d65b
size 1914

View File

@ -0,0 +1,84 @@
-------------------------------------------------------------------
Tue Dec 12 14:44:41 CET 2006 - anicka@suse.cz
- update to 4.5p1
* Use privsep_pw if we have it, but only require it if we
absolutely need it.
* Correctly check for bad signatures in the monitor, otherwise
the monitor and the unpriv process can get out of sync.
* Clear errno before calling the strtol functions.
* exit instead of doing a blocking tcp send if we detect
a client/server timeout, since the tcp sendqueue might
be already full (of alive requests)
* include signal.h, errno.h, sys/in.h
* some more bugfixes
-------------------------------------------------------------------
Wed Oct 4 12:56:40 CEST 2006 - postadal@suse.cz
- updated to version 4.4p1 [#208662]
* fixed pre-authentication DoS, that would cause sshd(8) to spin
until the login grace time expired
* fixed unsafe signal hander, which was vulnerable to a race condition
that could be exploited to perform a pre-authentication DoS
* fixed a GSSAPI authentication abort that could be used to determine
the validity of usernames on some platforms
* implemented conditional configuration in sshd_config(5) using the
"Match" directive
* added support for Diffie-Hellman group exchange key agreement with a
final hash of SHA256
* added a "ForceCommand", "PermitOpen" directive to sshd_config(5)
* added optional logging of transactions to sftp-server(8)
* ssh(1) will now record port numbers for hosts stored in
~/.ssh/authorized_keys when a non-standard port has been requested
* added an "ExitOnForwardFailure" option to cause ssh(1) to exit (with
a non-zero exit code) when requested port forwardings could not be
established
* extended sshd_config(5) "SubSystem" declarations to allow the
specification of command-line arguments
- removed obsoleted patches: autoconf-fix.patch
-------------------------------------------------------------------
Tue Jul 25 13:40:10 CEST 2006 - schwab@suse.de
- Fix syntax error in configure script.
-------------------------------------------------------------------
Wed Jan 25 21:39:06 CET 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
-------------------------------------------------------------------
Tue Jan 3 15:54:49 CET 2006 - postadal@suse.cz
- updated to version 4.2p1
- removed obsoleted patches: upstream_fixes.diff, gssapi-secfix.patch
-------------------------------------------------------------------
Thu Sep 8 16:20:06 CEST 2005 - postadal@suse.cz
- don't strip
-------------------------------------------------------------------
Thu Aug 4 11:30:18 CEST 2005 - uli@suse.de
- parallelize build
-------------------------------------------------------------------
Fri Jun 10 16:24:22 CEST 2005 - postadal@suse.cz
- updated to version 4.1p1
- removed obsoleted patches: restore_terminal, pam-returnfromsession,
timing-attacks-fix, krb5ccname, gssapi-pam, logdenysource,
sendenv-fix, documentation-fix
-------------------------------------------------------------------
Wed Jan 19 18:25:29 CET 2005 - postadal@suse.cz
- renamed askpass-gnome package to openssh-askpass-gnome
-------------------------------------------------------------------
Wed Jan 19 15:58:07 CET 2005 - postadal@suse.cz
- splited spec file to decreas number of build dependencies

167
openssh-askpass-gnome.spec Normal file
View File

@ -0,0 +1,167 @@
#
# spec file for package openssh-askpass-gnome (Version 4.5p1)
#
# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# norootforbuild
Name: openssh-askpass-gnome
BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files
License: Other License(s), see package
Group: Productivity/Networking/SSH
Version: 4.5p1
Release: 11
Requires: openssh = %{version} openssh-askpass = %{version}
Autoreqprov: on
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
URL: http://www.openssh.com/
%define _name openssh
Source: %{_name}-%{version}.tar.bz2
Patch: %{_name}-%{version}.dif
Patch15: %{_name}-%{version}-pam-fix2.diff
Patch17: %{_name}-%{version}-strict-aliasing-fix.diff
Patch18: %{_name}-%{version}-saveargv-fix.diff
Patch19: %{_name}-%{version}-pam-fix3.diff
Patch21: %{_name}-%{version}-gssapimitm.patch
Patch26: %{_name}-%{version}-eal3.diff
Patch27: %{_name}-%{version}-engines.diff
Patch28: %{_name}-%{version}-blocksigalrm.diff
Patch42: %{_name}-gssapi_krb5-fix.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
SSH (Secure Shell) is a program for logging into a remote machine and
for executing commands on a remote machine. This package contains a
GNOME-based passphrase dialog for OpenSSH.
Authors:
--------
Aaron Campbell
Bob Beck
Markus Friedl
Niels Provos
Theo de Raadt
Dug Song
Ben Taylor <bent@clark.net>
Chip Salzenberg <chip@valinux.com>
Chris Saia <csaia@wtower.com>
Dan Brosemer <odin@linuxfreak.com>
Jim Knoble <jmknoble@pobox.com>
Marc G. Fournier <marc.fournier@acadiau.ca>
Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Niels Kristian Bech Jensen <nkbj@image.dk>
Phil Hands <phil@hands.com>
Thomas Neumann <tom@smart.ruhr.de>
Tudor Bosman <tudorb@jm.nu>
Damien Miller <djm@ibs.com.au>
%define prefix /usr
%prep
%setup -q -n %{_name}-%{version}
%patch
%patch15
%patch17
%patch18
%patch19
%patch21
%patch26 -p1
%patch27 -p1
%patch28
%patch42
%build
%{?suse_update_config:%{suse_update_config}}
aclocal
autoheader
autoconf
CFLAGS="$RPM_OPT_FLAGS" CXXFLAGS="$RPM_OPT_FLAGS" \
./configure \
--mandir=%{_mandir} \
--prefix=%{prefix} \
--infodir=%{_infodir} \
--sysconfdir=/etc/ssh \
--libexecdir=%{prefix}/%_lib/ssh \
--with-tcp-wrappers \
--with-pam \
--with-kerberos5=/usr \
--with-privsep-path=/var/lib/empty \
--with-opensc \
--disable-strip \
--target=%{_target_cpu}-suse-linux
cd contrib
make %{?jobs:-j%jobs} gnome-ssh-askpass2
mv gnome-ssh-askpass2 gnome-ssh-askpass
%install
install -d -m 755 $RPM_BUILD_ROOT/usr/%_lib/ssh/
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT/usr/%_lib/ssh/gnome-ssh-askpass
%clean
rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root)
%attr(0755,root,root) /usr/%_lib/ssh/gnome-ssh-askpass
%changelog -n openssh-askpass-gnome
* Tue Dec 12 2006 - anicka@suse.cz
- update to 4.5p1
* Use privsep_pw if we have it, but only require it if we
absolutely need it.
* Correctly check for bad signatures in the monitor, otherwise
the monitor and the unpriv process can get out of sync.
* Clear errno before calling the strtol functions.
* exit instead of doing a blocking tcp send if we detect
a client/server timeout, since the tcp sendqueue might
be already full (of alive requests)
* include signal.h, errno.h, sys/in.h
* some more bugfixes
* Wed Oct 04 2006 - postadal@suse.cz
- updated to version 4.4p1 [#208662]
* fixed pre-authentication DoS, that would cause sshd(8) to spin
until the login grace time expired
* fixed unsafe signal hander, which was vulnerable to a race condition
that could be exploited to perform a pre-authentication DoS
* fixed a GSSAPI authentication abort that could be used to determine
the validity of usernames on some platforms
* implemented conditional configuration in sshd_config(5) using the
"Match" directive
* added support for Diffie-Hellman group exchange key agreement with a
final hash of SHA256
* added a "ForceCommand", "PermitOpen" directive to sshd_config(5)
* added optional logging of transactions to sftp-server(8)
* ssh(1) will now record port numbers for hosts stored in
~/.ssh/authorized_keys when a non-standard port has been requested
* added an "ExitOnForwardFailure" option to cause ssh(1) to exit (with
a non-zero exit code) when requested port forwardings could not be
established
* extended sshd_config(5) "SubSystem" declarations to allow the
specification of command-line arguments
- removed obsoleted patches: autoconf-fix.patch
* Tue Jul 25 2006 - schwab@suse.de
- Fix syntax error in configure script.
* Wed Jan 25 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
* Tue Jan 03 2006 - postadal@suse.cz
- updated to version 4.2p1
- removed obsoleted patches: upstream_fixes.diff, gssapi-secfix.patch
* Thu Sep 08 2005 - postadal@suse.cz
- don't strip
* Thu Aug 04 2005 - uli@suse.de
- parallelize build
* Fri Jun 10 2005 - postadal@suse.cz
- updated to version 4.1p1
- removed obsoleted patches: restore_terminal, pam-returnfromsession,
timing-attacks-fix, krb5ccname, gssapi-pam, logdenysource,
sendenv-fix, documentation-fix
* Wed Jan 19 2005 - postadal@suse.cz
- renamed askpass-gnome package to openssh-askpass-gnome
* Wed Jan 19 2005 - postadal@suse.cz
- splited spec file to decreas number of build dependencies

View File

@ -0,0 +1,18 @@
--- configure.ac
+++ configure.ac
@@ -3220,7 +3220,14 @@
K5LIBS="-lgssapi $K5LIBS" ],
[ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context,
[ AC_DEFINE(GSSAPI)
- K5LIBS="-lgssapi_krb5 $K5LIBS" ],
+ K5LIBS="-lgssapi_krb5 $K5LIBS" ]
+ AC_CHECK_LIB(gssapi_krb5, gss_krb5_copy_ccache, [
+ K5LIBS="-lgssapi_krb5 $K5LIBS"
+ ], [
+ AC_MSG_WARN([Cannot find -lgssapi_krb5 with gss_krb5_copy_ccache()])
+ ],
+ $K5LIBS
+ ),
AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]),
$K5LIBS)
],

1033
openssh.changes Normal file

File diff suppressed because it is too large Load Diff

812
openssh.spec Normal file
View File

@ -0,0 +1,812 @@
#
# spec file for package openssh (Version 4.5p1)
#
# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# norootforbuild
Name: openssh
%define _prefix %(xft-config --prefix)
%if "%{_prefix}" == "/usr/X11R6"
%define _mandir %{_prefix}/man
%define _appdefdir %{_prefix}/lib/X11/app-defaults
%else
%define _appdefdir %{_prefix}/share/X11/app-defaults
%endif
BuildRequires: krb5-devel opensc-devel openssl-devel pam-devel tcpd-devel xorg-x11-devel
License: BSD License and BSD-like, X11/MIT
Group: Productivity/Networking/SSH
Obsoletes: ssh
Provides: ssh
Requires: /bin/netstat
PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_prereq /bin/mkdir /bin/cat permissions
Conflicts: nonfreessh
Autoreqprov: on
Version: 4.5p1
Release: 11
%define xversion 1.2.4.1
Summary: Secure Shell Client and Server (Remote Login Program)
URL: http://www.openssh.com/
Source: %{name}-%{version}.tar.bz2
Source1: %{name}-SuSE.tar.bz2
Source2: sshd.pamd
Source3: x11-ssh-askpass-%{xversion}.tar.bz2
Source4: README.SuSE
Source5: converter.tar.bz2
Source6: README.kerberos
Source7: ssh.reg
Source8: ssh-askpass
Patch: %{name}-%{version}.dif
Patch1: %{name}-%{version}-addrlist.dif
Patch12: %{name}-%{version}-askpass-fix.diff
Patch15: %{name}-%{version}-pam-fix2.diff
Patch17: %{name}-%{version}-strict-aliasing-fix.diff
Patch18: %{name}-%{version}-saveargv-fix.diff
Patch19: %{name}-%{version}-pam-fix3.diff
Patch21: %{name}-%{version}-gssapimitm.patch
Patch26: %{name}-%{version}-eal3.diff
Patch27: %{name}-%{version}-engines.diff
Patch28: %{name}-%{version}-blocksigalrm.diff
Patch35: %{name}-%{version}-send_locale.diff
Patch36: %{name}-%{version}-xauthlocalhostname.diff
Patch37: %{name}-%{version}-tmpdir.diff
Patch38: %{name}-%{version}-pwname-home.diff
Patch40: %{name}-%{version}-xauth.diff
Patch41: %{name}-%{version}-gcc-fix.patch
Patch42: %{name}-gssapi_krb5-fix.patch
Patch43: %{name}-%{version}-default-protocol.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%package askpass
Summary: A passphrase dialog for OpenSSH and the X Window System
Requires: openssh = %{version}
Provides: openssh:/usr/%_lib/ssh/ssh-askpass
Group: Productivity/Networking/SSH
%description
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It is intended to replace rlogin and rsh and
provides secure encrypted communication between two untrusted hosts
over an insecure network. X Window System connections and arbitrary
TCP/IP ports can also be forwarded over the secure channel.
Authors:
--------
Aaron Campbell
Bob Beck
Markus Friedl
Niels Provos
Theo de Raadt
Dug Song
Ben Taylor <bent@clark.net>
Chip Salzenberg <chip@valinux.com>
Chris Saia <csaia@wtower.com>
Dan Brosemer <odin@linuxfreak.com>
Jim Knoble <jmknoble@pobox.com>
Marc G. Fournier <marc.fournier@acadiau.ca>
Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Niels Kristian Bech Jensen <nkbj@image.dk>
Phil Hands <phil@hands.com>
Thomas Neumann <tom@smart.ruhr.de>
Tudor Bosman <tudorb@jm.nu>
Damien Miller <djm@ibs.com.au>
%description askpass
Ssh (Secure Shell) is a program for logging into a remote machine and
for executing commands on a remote machine. This package contains an X
Window System passphrase dialog for OpenSSH.
Authors:
--------
Aaron Campbell
Bob Beck
Markus Friedl
Niels Provos
Theo de Raadt
Dug Song
Ben Taylor <bent@clark.net>
Chip Salzenberg <chip@valinux.com>
Chris Saia <csaia@wtower.com>
Dan Brosemer <odin@linuxfreak.com>
Jim Knoble <jmknoble@pobox.com>
Marc G. Fournier <marc.fournier@acadiau.ca>
Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Niels Kristian Bech Jensen <nkbj@image.dk>
Phil Hands <phil@hands.com>
Thomas Neumann <tom@smart.ruhr.de>
Tudor Bosman <tudorb@jm.nu>
Damien Miller <djm@ibs.com.au>
%define prefix /usr
%prep
%setup -q -b 3 -a 1 -a 5
%patch
%patch1
%patch15
%patch17
%patch18
%patch19
%patch21
%patch26 -p1
%patch27 -p1
%patch28
%patch35
%patch36
%patch37
%patch38 -p1
%patch40
%patch41
%patch42
%patch43
cp -v %{SOURCE4} .
cp -v %{SOURCE6} .
cd ../x11-ssh-askpass-%{xversion}
%patch12
%build
%if "%{_prefix}" != "/usr/X11R6"
for i in configure.ac Makefile.in pathnames.h ssh_config.0 ssh_config.5 sshd_config.0 sshd_config.5 ; do
sed -i -e 's@%{_prefix}@/usr@g' $i
done
%endif
%{?suse_update_config:%{suse_update_config}}
aclocal
autoheader
autoconf
%ifarch s390 s390x
PIEFLAGS="-fPIE"
%else
PIEFLAGS="-fpie"
%endif
#Obsoleted CFLAGS="-DUSE_POSIX_THREADS $RPM_OPT_FLAGS" CXXFLAGS="-DUSE_POSIX_THREADS $RPM_O \
#Obsoleted LDFLAGS="-lpthread" \
LDFLAGS="-pie" CFLAGS="$RPM_OPT_FLAGS $PIEFLAGS -fstack-protector" CXXFLAGS="$RPM_OPT_FLAGS $PIEFLAGS -fstack-protector" \
./configure \
--mandir=%{_mandir} \
--prefix=%{prefix} \
--infodir=%{_infodir} \
--sysconfdir=/etc/ssh \
--libexecdir=%{prefix}/%_lib/ssh \
--with-tcp-wrappers \
--with-pam \
--with-kerberos5=/usr \
--with-privsep-path=/var/lib/empty \
%ifnarch s390 s390x
--with-opensc \
%endif
--disable-strip \
--with-xauth=%{_prefix}/bin/xauth \
--target=%{_target_cpu}-suse-linux
# --with-afs=/usr \
make %{?jobs:-j%jobs}
(cd converter; make %{?jobs:-j%jobs})
cd contrib
cd ../../x11-ssh-askpass-%{xversion}
CFLAGS="$RPM_OPT_FLAGS" CXXFLAGS="$RPM_OPT_FLAGS"
./configure \
--mandir=%{_mandir} \
--prefix=%{_prefix} \
--libexecdir=%{prefix}/%_lib/ssh
xmkmf
make includes USRLIBDIR=%_prefix/%_lib
make %{?jobs:-j%jobs} USRLIBDIR=%_prefix/%_lib CCOPTIONS="$RPM_OPT_FLAGS"
%install
make DESTDIR=$RPM_BUILD_ROOT/ install
install -d -m 755 $RPM_BUILD_ROOT/etc/pam.d
install -d -m 755 $RPM_BUILD_ROOT/var/lib/sshd
install -m 644 %{S:2} $RPM_BUILD_ROOT/etc/pam.d/sshd
install -d -m 755 $RPM_BUILD_ROOT/etc/slp.reg.d/
install -m 644 %{S:7} $RPM_BUILD_ROOT/etc/slp.reg.d/
cp -a SuSE/* $RPM_BUILD_ROOT
# install shell script to automate the process of adding your public key to a remote machine
install -m 755 contrib/ssh-copy-id $RPM_BUILD_ROOT/usr/bin
install -m 644 contrib/ssh-copy-id.1 $RPM_BUILD_ROOT/%{_mandir}/man1
(cd converter; make install DESTDIR=$RPM_BUILD_ROOT/)
cd ../x11-ssh-askpass-%{xversion}
make BINDIR=/usr/%_lib/ssh DESTDIR=$RPM_BUILD_ROOT install install.man
rm -rf $RPM_BUILD_ROOT/usr/%_lib/ssh/ssh-askpass
sed -e "s@usr/lib/ssh@usr/%_lib/ssh@" < %{S:8} > $RPM_BUILD_ROOT/usr/%_lib/ssh/ssh-askpass
rm -f $RPM_BUILD_ROOT/usr/share/Ssh.bin
sed -i -e s@/usr/libexec@/usr/%{_lib}@g $RPM_BUILD_ROOT/etc/ssh/sshd_config
%pre
/usr/sbin/groupadd -g 65 -o -r sshd 2> /dev/null || :
/usr/sbin/useradd -r -o -g sshd -u 71 -s /bin/false -c "SSH daemon" -d /var/lib/sshd sshd 2> /dev/null || :
%post
%{fillup_and_insserv -n -s -y ssh sshd START_SSHD}
%run_permissions
%verifyscript
%verify_permissions -e /etc/ssh/sshd_config -e /etc/ssh/ssh_config -e /usr/bin/ssh
%preun
%stop_on_removal sshd
%postun
%restart_on_update sshd
%{insserv_cleanup}
%clean
rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root)
%dir %attr(755,root,root) /var/lib/sshd
%doc README.SuSE README.kerberos ChangeLog OVERVIEW README RFC.nroff TODO LICENCE CREDITS
%attr(0755,root,root) %dir /etc/ssh
%attr(0600,root,root) %config(noreplace) /etc/ssh/moduli
%verify(not mode) %attr(0644,root,root) %config(noreplace) /etc/ssh/ssh_config
%verify(not mode) %attr(0640,root,root) %config(noreplace) /etc/ssh/sshd_config
%attr(0644,root,root) %config /etc/pam.d/sshd
%attr(0755,root,root) %config /etc/init.d/sshd
%attr(0755,root,root) /usr/bin/ssh
/usr/bin/scp
/usr/bin/sftp
/usr/bin/slogin
/usr/bin/ssh-*
/usr/sbin/*
%attr(444,root,root) %doc %{_mandir}/man1/scp.1.gz
%attr(444,root,root) %doc %{_mandir}/man1/ssh-keygen.1.gz
%attr(444,root,root) %doc /usr/share/man/man1/ssh-keyconverter.1.gz
%attr(444,root,root) %doc %{_mandir}/man1/ssh.1.gz
%attr(444,root,root) %doc %{_mandir}/man1/slogin.1.gz
%attr(444,root,root) %doc %{_mandir}/man1/ssh-agent.1*
%attr(444,root,root) %doc %{_mandir}/man1/ssh-add.1*
%attr(444,root,root) %doc %{_mandir}/man1/ssh-keyscan.1*
%attr(444,root,root) %doc %{_mandir}/man1/sftp.1*
%attr(444,root,root) %doc %{_mandir}/man1/ssh-copy-id.1*
%attr(444,root,root) %doc %{_mandir}/man5/*
%attr(444,root,root) %doc %{_mandir}/man8/*
%attr(0755,root,root) %dir /usr/%_lib/ssh
%attr(0755,root,root) /usr/%_lib/ssh/sftp-server
%attr(0755,root,root) /usr/%_lib/ssh/ssh-keysign
%dir /etc/slp.reg.d
/etc/slp.reg.d/ssh.reg
/var/adm/fillup-templates/sysconfig.ssh
%files askpass
%defattr(-,root,root)
%attr(0755,root,root) /usr/%_lib/ssh/ssh-askpass
%attr(0755,root,root) /usr/%_lib/ssh/x11-ssh-askpass
%doc %_mandir/man1/ssh-askpass.1x.gz
%doc %_mandir/man1/x11-ssh-askpass.1x.gz
%config %_appdefdir/SshAskpass
%changelog -n openssh
* Sat Jan 06 2007 - anicka@suse.cz
- disable SSHv1 protocol in default configuration [#231808]
* Tue Dec 12 2006 - anicka@suse.cz
- update to 4.5p1
* Use privsep_pw if we have it, but only require it if we
absolutely need it.
* Correctly check for bad signatures in the monitor, otherwise
the monitor and the unpriv process can get out of sync.
* Clear errno before calling the strtol functions.
* exit instead of doing a blocking tcp send if we detect
a client/server timeout, since the tcp sendqueue might
be already full (of alive requests)
* include signal.h, errno.h, sys/in.h
* some more bugfixes
* Wed Nov 22 2006 - anicka@suse.cz
- fixed README.SuSE [#223025]
* Thu Nov 09 2006 - anicka@suse.cz
- backport security fixes from openssh 4.5 (#219115)
* Tue Nov 07 2006 - ro@suse.de
- fix manpage permissions
* Tue Oct 31 2006 - anicka@suse.cz
- fix gssapi_krb5-fix patch [#215615]
- fix xauth patch
* Tue Oct 10 2006 - postadal@suse.cz
- fixed building openssh from src.rpm [#176528] (gssapi_krb5-fix.patch)
* Tue Oct 03 2006 - postadal@suse.cz
- updated to version 4.4p1 [#208662]
* fixed pre-authentication DoS, that would cause sshd(8) to spin
until the login grace time expired
* fixed unsafe signal hander, which was vulnerable to a race condition
that could be exploited to perform a pre-authentication DoS
* fixed a GSSAPI authentication abort that could be used to determine
the validity of usernames on some platforms
* implemented conditional configuration in sshd_config(5) using the
"Match" directive
* added support for Diffie-Hellman group exchange key agreement with a
final hash of SHA256
* added a "ForceCommand", "PermitOpen" directive to sshd_config(5)
* added optional logging of transactions to sftp-server(8)
* ssh(1) will now record port numbers for hosts stored in
~/.ssh/authorized_keys when a non-standard port has been requested
* added an "ExitOnForwardFailure" option to cause ssh(1) to exit (with
a non-zero exit code) when requested port forwardings could not be
established
* extended sshd_config(5) "SubSystem" declarations to allow the
specification of command-line arguments
- removed obsoleted patches: autoconf-fix.patch, dos-fix.patch
- fixed gcc issues (gcc-fix.patch)
* Wed Sep 20 2006 - postadal@suse.cz
- fixed DoS by CRC compensation attack detector [#206917] (dos-fix.patch)
- fixed client NULL deref on protocol error
- cosmetic fix in init script [#203826]
* Fri Sep 01 2006 - kukuk@suse.de
- sshd.pamd: Add pam_loginuid, move pam_nologin to a better position
* Fri Aug 25 2006 - postadal@suse.cz
- fixed path for xauth [#198676]
* Thu Aug 03 2006 - postadal@suse.cz
- fixed build with X11R7
* Thu Jul 20 2006 - postadal@suse.cz
- updated to version 4.3p2
* experimental support for tunneling network packets via tun(4)
- removed obsoleted patches: pam-error.patch, CVE-2006-0225.patch,
scp.patch, sigalarm.patch
* Mon Feb 13 2006 - postadal@suse.cz
- upstream fixes
- fixed "scp a b c", when c is not directory (scp.patch)
- eliminate some code duplicated in privsep and non-privsep paths, and
explicitly clear SIGALRM handler (sigalarm.patch)
* Fri Feb 03 2006 - postadal@suse.cz
- fixed local arbitrary command execution vulnerability [#143435]
(CVE-2006-0225.patch)
* Thu Feb 02 2006 - postadal@suse.cz
- fixed xauth.diff for disabled UsePrivilegeSeparation mode [#145809]
- build on s390 without Smart card support (opensc) [#147383]
* Mon Jan 30 2006 - postadal@suse.cz
- fixed patch xauth.diff [#145809]
- fixed comments [#142989]
* Wed Jan 25 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
* Mon Jan 16 2006 - meissner@suse.de
- added -fstack-protector.
* Tue Jan 03 2006 - postadal@suse.cz
- updated to version 4.2p1
- removed obsoleted patches: upstream_fixes.diff, gssapi-secfix.patch
* Tue Nov 15 2005 - postadal@suse.cz
- do not delegate GSSAPI credentials to log in with a different method
than GSSAPI [#128928] (CAN-2005-2798, gssapi-secfix.patch)
* Sun Oct 23 2005 - postadal@suse.cz
- fixed PAM to send authentication failing mesaage to client [#130043]
(pam-error.patch)
* Wed Sep 14 2005 - postadal@suse.cz
- fixed uninitialized variable in patch xauth.diff [#98815]
* Thu Sep 08 2005 - postadal@suse.cz
- don't strip
* Mon Sep 05 2005 - postadal@suse.cz
- added patch xauth.diff prevent from polluting xauthority file [#98815]
* Mon Aug 22 2005 - postadal@suse.cz
- fixed problem when multiple accounts have same UID [#104773]
(pwname-home.diff)
- added fixes from upstream (upstream_fixes.diff)
* Thu Aug 18 2005 - postadal@suse.cz
- added patch tmpdir.diff for using $TMPDIR by ssh-agent [#95731]
* Thu Aug 04 2005 - uli@suse.de
- parallelize build
* Mon Aug 01 2005 - postadal@suse.cz
- added patch resolving problems with hostname changes [#98627]
(xauthlocalhostname.diff)
* Wed Jun 22 2005 - kukuk@suse.de
- Compile/link with -fpie/-pie
* Wed Jun 15 2005 - meissner@suse.de
- build x11-ask-pass with RPM_OPT_FLAGS.
* Fri Jun 10 2005 - postadal@suse.cz
- updated to version 4.1p1
- removed obsoleted patches: restore_terminal, pam-returnfromsession,
timing-attacks-fix, krb5ccname, gssapi-pam, logdenysource,
sendenv-fix, documentation-fix
* Thu Mar 10 2005 - postadal@suse.cz
- fixed SendEnv config parsing bug
- documented timeout on untrusted x11 forwarding sessions (openssh#849)
- mentioned ForwardX11Trusted in ssh.1 (openssh#987)
* Thu Mar 03 2005 - postadal@suse.cz
- enabled accepting and sending locale environment variables in protocol 2
[#65747, #50091]
* Thu Feb 24 2005 - postadal@suse.cz
- added patches from cvs: gssapi-pam (openssh#918),
krb5ccname (openssh#445), logdenysource (openssh#909)
* Thu Feb 03 2005 - postadal@suse.cz
- fixed keyboard-interactive/pam/Kerberos leaks info about user existence
[#48329] (openssh#971, CAN-2003-0190)
* Wed Jan 19 2005 - postadal@suse.cz
- splited spec file to decreas number of build dependencies
- fixed restoring terminal setting after Ctrl+C during password prompt in scp/sftp [#43309]
- allowed users to see output from failing PAM session modules (openssh #890,
pam-returnfromsession.patch)
* Mon Nov 08 2004 - kukuk@suse.de
- Use common-* PAM config files for sshd PAM configuration
* Mon Oct 25 2004 - postadal@suse.cz
- switched heimdal-* to kerberos-devel-packages in #needforbuild
* Fri Sep 03 2004 - ro@suse.de
- fix lib64 issue
* Tue Aug 31 2004 - postadal@suse.cz
- updated to version 3.9p1
- removed obsoleted patches: scp-fix.diff and window_change-fix.diff
* Thu Aug 26 2004 - postadal@suse.cz
- added openssh-askpass-gnome subpackage
- added ssh-askpass script for choosing askpass depending on windowmanager
(by Robert Love <rml@novell.com>)
- build with Smart card support (opensc) [#44289]
* Tue Aug 17 2004 - postadal@suse.cz
- removed old implementation of "Update Messages" [#36059]
* Thu Aug 12 2004 - postadal@suse.cz
- updated to version 3.8p1
- removed obsoleted patches: sftp-progress-fix and pam-fix4
* Mon Jun 28 2004 - meissner@suse.de
- block sigalarm during syslog output or we might deadlock
on recursively entering syslog(). (LTC#9523, SUSE#42354)
* Wed May 26 2004 - postadal@suse.cz
- fixed commented default value for GSSAPI
* Thu May 20 2004 - mludvig@suse.cz
- Load drivers for available hardware crypto accelerators.
* Fri Apr 30 2004 - postadal@suse.cz
- updated README.kerberos (GSSAPICleanupCreds renamed to GSSAPICleanupCredentials)
* Mon Apr 19 2004 - postadal@suse.cz
- updated README.SuSE (GSSAPICleanupCreds renamed to GSSAPICleanupCredentials)
[#39010]
* Fri Mar 26 2004 - postadal@suse.cz
- fixed sshd(8) and sshd_config(5) man pages (EAL3)
- fixed spelling errors in README.SuSE [#37086]
* Thu Mar 25 2004 - postadal@suse.cz
- fixed change window request [#33177]
* Mon Mar 22 2004 - postadal@suse.cz
- updated README.SuSE
- removed %%verify from /usr/bin/ssh in specfile
* Thu Mar 18 2004 - postadal@suse.cz
- fixed previous fix of security bug in scp [#35443] (CAN-2004-0175)
(was too restrictive)
- fixed permission of /usr/bin/ssh
* Mon Mar 15 2004 - postadal@suse.cz
- fixed comments in sshd_config and ssh_config
* Mon Mar 15 2004 - postadal@suse.cz
- enabled privilege separation mode (new version fixes a lot of problematic PAM
calling [#30328])
- fixed security bug in scp [#35443] (CAN-2004-0175)
- reverted to old behaviour of ForwardingX11 [#35836]
(set ForwardX11Trusted to 'yes' by default)
- updated README.SuSE
- fixed pam code (pam-fix4.diff, backported from openssh-SNAP-20040311)
* Fri Mar 05 2004 - postadal@suse.cz
- updated README.SuSE (Remote x11 clients are now untrusted by default) [#35368]
- added gssapimitm patch (support for old GSSAPI)
* Mon Mar 01 2004 - postadal@suse.cz
- updated to version 3.8p1
* The "gssapi" support has been replaced with the "gssapi-with-mic"
to fix possible MITM attacks. These two versions are not compatible.
- removed obsoleted patches: krb5.patch, dns-lookups.patch, pam-fix.diff,
pam-end-fix.diff
- used process forking instead pthreads
(developers fixed bugs in pam calling and they recommended to don't use threads)
* Tue Feb 24 2004 - postadal@suse.cz
- fixed the problem with save_argv in sshd.c re-apeared again in version 3.7.1p2
(it caused bad behaviour after receiving SIGHUP - used by reload of init script)
[#34845]
* Wed Feb 18 2004 - kukuk@suse.de
- Real strict-aliasing patch
* Wed Feb 18 2004 - postadal@suse.cz
- fixed strict-aliasing patch [#34551]
* Sat Feb 14 2004 - adrian@suse.de
- provide SLP registration file /etc/slp.reg.d/ssh.reg
* Tue Feb 03 2004 - postadal@suse.cz
- used patch from pam-end-fix.diff [#33132]
- fixed instalation openssh without documentation [#33937]
- fixed auth-pam.c which breaks strict aliasing
* Mon Jan 19 2004 - meissner@suse.de
- Added a ; to ssh-key-converter.c to fix gcc 3.4 build.
* Fri Jan 16 2004 - kukuk@suse.de
- Add pam-devel to neededforbuild
* Thu Nov 06 2003 - postadal@suse.cz
- added /usr/bin/slogin explicitly to %%file list [#32921]
* Sun Nov 02 2003 - adrian@suse.de
- add %%run_permissions to fix build
* Tue Oct 14 2003 - postadal@suse.cz
- reverted value UsePAM to "yes" and set PasswordAuthentication to "no"
in file /etc/ssh/sshd_config (the version 3.7.1p2 disabled PAM support
by default) [#31749]
* Tue Sep 23 2003 - draht@suse.de
- New version 3.7.1p2; signature from 86FF9C48 Damien Miller
verified for source tarball. Bugs fixed with this version:
[#31637] (CAN-2003-0786, CAN-2003-0786). Briefly:
1) SSH1 PAM challenge response auth ignored the result of the
authentication (with privsep off)
2) The PAM conversation function trashed the stack, by referring
to the **resp parameter as an array of pointers rather than
as a pointer to an array of struct pam_responses.
At least security bug 1) is exploitable.
* Fri Sep 19 2003 - postadal@suse.cz
- use pthreads instead process forking (it needs by pam modules)
- fixed bug in calling pam_setcred [#31025]
(pam-fix.diff - string "FILE:" added to begin of KRB5CCNAME)
- updated README.SuSE
- reverted ChallengeResponseAuthentication option to default value yes
(necessary for pam authentication) [#31432]
* Thu Sep 18 2003 - postadal@suse.cz
- updated to version 3.7.1p1 (with security patches)
- removed obsoleted patches: chauthtok.patch, krb-include-fix.diff,
gssapi-fix.diff, saveargv-fix.diff, gssapi-20030430.diff, racecondition-fix
- updated README.kerberos
* Tue Sep 16 2003 - postadal@suse.cz
- fixed race condition in allocating memory [#31025] (CAN-2003-0693)
* Mon Sep 15 2003 - postadal@suse.cz
- disabled privilege separation, which caused some problems [#30328]
(updated README.SuSE)
* Thu Sep 04 2003 - postadal@suse.cz
- fixed bug in x11-ssh-askpass dialog [#25846] (askpass-fix.diff is workaround for gcc bug)
* Fri Aug 29 2003 - kukuk@suse.de
- Call useradd -r for system account [Bug #29611]
* Mon Aug 25 2003 - postadal@suse.cz
- use new stop_on_removal/restart_on_upate macros
- fixed lib64 problem in /etc/ssh/sshd_config [#28766]
* Tue Aug 19 2003 - mmj@suse.de
- Add sysconfig metadata [#28943]
* Fri Aug 01 2003 - ro@suse.de
- add e2fsprogs-devel to neededforbuild
* Thu Jul 24 2003 - postadal@suse.cz
- updated to version 3.6.1p2
- added the new version of patch for GSSAPI (gssapi-20030430.diff),
the older one was removed (gssapi.patch)
- added README.kerberos to filelist
* Tue Jun 03 2003 - mmj@suse.de
- Remove files we don't package
* Wed Apr 02 2003 - postadal@suse.cz
- fixed bad behaviour after receiving SIGHUP (this bug caused not working reload of init script)
* Tue Mar 18 2003 - postadal@suse.cz
- added $remote_fs to init.d script (needed if /usr is on remote fs [#25577])
* Thu Mar 13 2003 - postadal@suse.cz
- fixed segfault while using GSSAPI for authentication when connecting to localhost (took care about error value of ssh_gssapi_import_name() in function ssh_gssapi_client_ctx())
* Mon Mar 10 2003 - kukuk@suse.de
- Remove extra "/" from pid file path.
* Mon Mar 03 2003 - postadal@suse.cz
- modified init.d script (now checking sshd.init.pid instead of port 22) [#24263]
* Mon Mar 03 2003 - okir@suse.de
- added comment to /etc/pam.d/ssh on how to enable
support for resmgr (#24363).
* Fri Feb 21 2003 - postadal@suse.cz
- added ssh-copy-id shell script [#23745]
* Fri Feb 14 2003 - postadal@suse.cz
- given back gssapi and dns-lookups patches
* Wed Jan 22 2003 - postadal@suse.cz
- updated to version 3.5p1
- removed obsolete patches: owl-mm, forced-commands-only, krb
- added patch krb5 (for heimdal)
- temporarily removed gssapi patch and dns-lookups (needs rewriting)
- fix sysconfig metadata
* Thu Dec 05 2002 - okir@suse.de
- avoid Kerberos DNS lookups in the default config (#20395)
- added README.kerberos
* Thu Sep 19 2002 - postadal@suse.cz
- added info about changes in the new version of openssh
to README.SuSE [#19757]
* Mon Sep 02 2002 - okir@suse.de
- privsep directory now /var/lib/empty, which is provided by
filesystem package (#17556)
* Wed Aug 28 2002 - nashif@suse.de
- Added insserv & co to PreReq
* Mon Aug 26 2002 - okir@suse.de
- applied patch that adds GSSAPI support in protocol version 2 (#18239)
* Thu Aug 22 2002 - postadal@suse.cz
- added the patch to fix malfunction of PermitRootLogin seted to
forced-commands-only [#17149]
* Fri Aug 09 2002 - okir@suse.de
- syslog now reports kerberos auth method when logging in via
kerberos (#17469)
* Tue Jul 23 2002 - okir@suse.de
- enabled kerberos support
- added patch to support kerberos 5 authentication in privsep mode.
- added missing section 5 manpages
- added missing ssh-keysign to files list (new for privsep)
* Mon Jul 22 2002 - okir@suse.de
- fixed handling of expired passwords in privsep mode
* Tue Jul 09 2002 - mmj@suse.de
- Don't source rc.config
* Wed Jul 03 2002 - draht@suse.de
- ssh-keygen must be told to explicitly create type rsa1 keys
in the start script.
* Tue Jul 02 2002 - ro@suse.de
- useradd/groupadd in preinstall to standardize
* Sat Jun 29 2002 - ro@suse.de
- updated patch from solar: zero out bytes for no longer used pages
in mmap-fallback solution
* Thu Jun 27 2002 - ro@suse.de
- updated owl-fallback.diff from solar
* Thu Jun 27 2002 - ro@suse.de
- update to 3.4p1
o privilege separation support
o overflow fix from ISS
- unsplit openssh-server and openssh-client
* Tue Jun 18 2002 - mmj@suse.de
- Update to 3.2.3p1 which fixed following compared to 3.2.2p1
o a defect in the BSD_AUTH access control handling for
o login/tty problems on Solaris (bug #245)
o build problems on Cygwin systems
- Split the package to openssh, openssh-server, openssh-client and
openssh-askpass
* Sun May 19 2002 - mmj@suse.de
- Updated to 3.2.2p which includes security and several bugfixes.
* Fri Mar 15 2002 - ro@suse.de
- added "Obsoletes: ssh"
* Tue Mar 05 2002 - draht@suse.de
- security fix for bug in channels.c (channelbug.dif)
* Fri Mar 01 2002 - bk@suse.de
- fix ssh-agent example to use eval `ssh-agent -s` and a typo.
- add sentence on use of ssh-agent with startx
* Tue Feb 26 2002 - bk@suse.de
- update README.SuSE to improve documentation on protocol version
* Wed Feb 13 2002 - cihlar@suse.cz
- rewritten addrlist patch - "0.0.0.0" is removed from list
after "::" is successful [#8951]
* Mon Feb 11 2002 - cihlar@suse.cz
- added info about the change of the default protocol version
to README.SuSE
* Thu Feb 07 2002 - cihlar@suse.cz
- removed addrlist patch which fixed bug [#8951] as it breaks
functionality on machines with kernel without IPv6 support,
bug reopened, new solution will be find
- switched to default protocol version 2
- added ssh-keyconvert (thanks Olaf Kirch <okir@suse.de>)
- removed static linking against libcrypto, as crypt() was removed
from it [#5333]
* Tue Jan 22 2002 - kukuk@suse.de
- Add pam_nologin to account management (else it will not be
called if user does not do password authentification)
* Tue Jan 15 2002 - egmont@suselinux.hu
- removed colon from shutdown message
* Thu Jan 10 2002 - cihlar@suse.cz
- use %%{_lib}
* Thu Dec 13 2001 - ro@suse.de
- moved rc.config.d -> sysconfig
* Mon Dec 10 2001 - cihlar@suse.cz
- removed START_SSHD
* Fri Dec 07 2001 - cihlar@suse.cz
- update to version 3.0.2p1:
* CheckMail option in sshd_config is deprecated
* X11 cookies are now stored in $HOME
* fixed a vulnerability in the UseLogin option
* /etc/ssh_known_hosts2 and ~/.ssh/known_hosts2 are obsolete,
/etc/ssh_known_hosts and ~/.ssh/known_hosts can be used
* several minor fixes
- update x11-ssh-askpass to version 1.2.4.1:
* fixed Imakefile.in
- fixed bug in adresses "::" and "0.0.0.0" [#8951]
* Fri Oct 05 2001 - cihlar@suse.cz
- update to version 2.9.9p2
- removed obsolete clientloop and command patches
- uncommented "HostKey /etc/ssh/ssh_host_rsa_key" in sshd_config
- added German translation of e-mail to sysadmin
- init script fixed to work when more listening sshd runs
- added /bin/netstat to requires
* Mon Sep 24 2001 - cihlar@suse.cz
- fixed security problem with sftp & bypassing
keypair auth restrictions - patch based on CVS
- fixed status part of init script - it returned
running even if there were only sshd of connections
and no listening sshd [#11220]
- fixed stop part of init script - when there was no
/var/run/sshd.pid, all sshd were killed
* Thu Sep 06 2001 - nadvornik@suse.cz
- added patch for correct buffer flushing from CVS [bug #6450]
* Fri Jul 27 2001 - cihlar@suse.cz
- update x11-ssh-askpass to version 1.2.2
* Thu Jul 26 2001 - cihlar@suse.cz
- update to version 2.9p2
- removed obsolete "cookies" patch
* Mon Jun 11 2001 - cihlar@suse.cz
- fixed to compile with new xmkmf
* Thu Jun 07 2001 - cihlar@suse.cz
- fixed security bug when any file "cookies" could
be removed by anybody
* Tue Jun 05 2001 - bjacke@suse.de
- generate rsa host key in init script
* Tue Jun 05 2001 - cihlar@suse.cz
- removed complete path from PAM modules
* Thu May 03 2001 - cihlar@suse.cz
- update to version 2.9p1
- removed obsolete --with-openssl
- removed obsolete man patch
* Mon Apr 30 2001 - cihlar@suse.cz
- enable PAM support
* Fri Apr 13 2001 - ro@suse.de
- fixed specfile for extra README.SuSE
* Fri Apr 13 2001 - cihlar@suse.cz
- fixed init script by new skeleton
* Thu Mar 22 2001 - cihlar@suse.cz
- update to version 2.5.2p2
* Wed Mar 14 2001 - cihlar@suse.cz
- fixed ssh man page
* Mon Mar 12 2001 - cihlar@suse.cz
- update to version 2.5.1p2
- added xf86 to neededforbuild
* Fri Mar 09 2001 - schwab@suse.de
- Fix missing crypt declaration.
* Fri Feb 23 2001 - cihlar@suse.cz
- update to version 2.5.1p1
- update x11-ssh-askpass to version 1.2.0
* Tue Feb 20 2001 - cihlar@suse.cz
- modified README.SuSE [#4365]
- fixed start script to agree with skeleton
- fixed start script so "stop" kills only sshd
listening for connections
- compiled with --with-openssl
- "ListenAddress 0.0.0.0" in sshd_config commented out -
listen on both ipv4 and ipv6
- fixed var/adm/notify/messages/openssh_update [#6406]
* Thu Jan 25 2001 - smid@suse.cz
- startup script fixed [#5559]
* Tue Jan 16 2001 - nadvornik@suse.cz
- libcrypto linked static [#5333]
* Thu Jan 11 2001 - cihlar@suse.cz
- uncomment sftp-server part in sshd_config
- added /usr/X11R6/lib/X11/app-defaults/SshAskpass to %%files
* Thu Jan 11 2001 - cihlar@suse.cz
- fixed %%files [#5230]
- fixed installation of x11-ssh-askpass to BuildRoot
- added man pages of x11-ssh-askpass
* Wed Jan 10 2001 - smid@suse.cz
- notice about how to enable ipv6 added to mail
- for administrator [#5297]
* Wed Dec 13 2000 - smid@suse.cz
- default ipv6 listennig disabled (problems with libc2.2) [#4588]
* Tue Dec 05 2000 - smid@suse.cz
- notify message changed
* Mon Dec 04 2000 - lmuelle@suse.de
- fixed provides/ conflicts to ssh
* Thu Nov 30 2000 - smid@suse.cz
- path to ssh-askpass fixed
- stop in %%preun removed
- new init style
* Sun Nov 26 2000 - schwab@suse.de
- Restore rcsshd link.
* Sun Nov 26 2000 - kukuk@suse.de
- Add openssl-devel to neededforbuild
* Mon Nov 20 2000 - smid@suse.cz
- New version 2.3.0
* Wed Sep 06 2000 - smid@suse.cz
- remove --with-ipv4-default option
* Wed Jul 05 2000 - garloff@suse.de
- ... and tell the sysadmin and user more about what they can do
about it (schwab).
* Wed Jul 05 2000 - garloff@suse.de
- Inform the user (admin) about the fact that the default behaviour
with respect to X11-forwarding has been changed to be disabled.
* Wed Jun 28 2000 - smid@suse.cz
- warning that generating DSA key can an take a long time.
(bugzilla 3015)
- writing to wtmp and lastlog fixed (bugzilla 3024)
- reading config file (parameter Protocol) fixed
* Fri Jun 16 2000 - garloff@suse.de
- Added generation of ssh_host_dsa_key
* Tue Jun 13 2000 - nadvornik@suse.cz
- update to 2.1.1p1
* Thu Jun 08 2000 - cihlar@suse.cz
- uncommented %%clean
* Fri May 05 2000 - smid@suse.cz
- buildroot added
- upgrade to 1.2.3
* Tue Mar 21 2000 - kukuk@suse.de
- Update to 1.2.2p1
* Mon Mar 06 2000 - kukuk@suse.de
- Fix the diff.
* Sun Mar 05 2000 - kukuk@suse.de
- Add a README.SuSE with a short description how to use ssh-add
* Tue Feb 29 2000 - schwab@suse.de
- Update config.{guess,sub}.
* Fri Feb 25 2000 - kukuk@suse.de
- Fix need for build, add group tag.
* Wed Feb 02 2000 - kukuk@suse.de
- Change new defaults back to old one
* Sun Jan 30 2000 - kukuk@suse.de
- Add x11-ssh-askpass to filelist
* Fri Jan 28 2000 - kukuk@suse.de
- Update to OpenSSH 1.2.2
- Add x11-ssh-askpass-1.0
* Tue Jan 25 2000 - kukuk@suse.de
- Add reload and status to /sbin/init.d/sshd [Bug 1747]
* Thu Jan 20 2000 - kukuk@suse.de
- Update to 1.2.1pre27 with IPv6 support
* Fri Dec 31 1999 - kukuk@suse.de
- Initial version

0
ready Normal file
View File

44
ssh-askpass Normal file
View File

@ -0,0 +1,44 @@
#!/bin/bash
SESSION=
case "$DESKTOP_SESSION" in
kde) SESSION=kde ;;
gnome) SESSION=gnome ;;
esac
if [ -z "$SESSION" ] ; then
WM="${WINDOWMANAGER##*/}"
case "$WM" in
*kde*) SESSION=kde ;;
*gnome*) SESSION=gnome ;;
esac
fi
if [ -z "$SESSION" ] ; then
if [ -n "$KDE_FULL_SESSION" ] ; then
SESSION=kde
fi
if [ -n "$GNOME_DESKTOP_SESSION_ID" ] ; then
SESSION=gnome
fi
fi
GNOME_SSH_ASKPASS="/usr/lib/ssh/gnome-ssh-askpass"
X11_SSH_ASKPASS="/usr/lib/ssh/x11-ssh-askpass"
# note: if there is ever a kde-ssh-askpass, just add it based on SESSION=kde
case "$SESSION" in
gnome)
if [ -f $GNOME_SSH_ASKPASS ]; then
exec $GNOME_SSH_ASKPASS ${1+"$@"}
else
exec $X11_SSH_ASKPASS ${1+"$@"}
fi
;;
*)
exec $X11_SSH_ASKPASS ${1+"$@"}
;;
esac

18
ssh.reg Normal file
View File

@ -0,0 +1,18 @@
#############################################################################
#
# OpenSLP registration file
#
# register SSH daemon
#
#############################################################################
# Register the usual sshd, if it is running
service:ssh://$HOSTNAME:22,en,65535
tcp-port=22
description=Secure Shell Daemon
# ssh can get used to copy files with konqueror using the fish:/ protocol
service:fish://$HOSTNAME:22,en,65535
tcp-port=22
description=KDE file transfer via SSH

10
sshd.pamd Normal file
View File

@ -0,0 +1,10 @@
#%PAM-1.0
auth requisite pam_nologin.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README)
#session optional pam_resmgr.so fake_ttyname

View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:59352a27a324ae70cabb82e769aa6fbfc997ef8566fe8f12226388dcfe0f685f
size 27590