diff --git a/openssh-SuSE.tar.bz2 b/openssh-SuSE.tar.bz2
index 12eed5c..625f639 100644
--- a/openssh-SuSE.tar.bz2
+++ b/openssh-SuSE.tar.bz2
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:b28640ffbe61ece5631fc23516f0463c20d07f9ca698e1177d327c37cdbbfd17
-size 1938
+oid sha256:547af632678b57ceb5c8cd2f72536581f56f2d58866c83537544be755f7824a0
+size 20480
diff --git a/openssh-askpass-gnome.spec b/openssh-askpass-gnome.spec
index 2b88448..bb1ae1c 100644
--- a/openssh-askpass-gnome.spec
+++ b/openssh-askpass-gnome.spec
@@ -23,7 +23,7 @@ BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-dev
 License: BSD 3-clause (or similar)
 Group: Productivity/Networking/SSH
 Version: 5.2p1
-Release: 4
+Release: 5
 Requires: openssh = %{version} openssh-askpass = %{version}
 AutoReqProv: on
 Summary: A GNOME-Based Passphrase Dialog for OpenSSH
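Review bot: The new `size 20480` in the openssh-SuSE.tar.bz2 pointer is exactly two 10240-byte tar records, which suggests the replaced object may be an uncompressed tar archive stored under a .bz2 name; worth confirming with `file` before merging, and recompressing or renaming it if so. The functional changes named in openssh.changes (the ksshaskpass hook, the startproc `-f`/`-p` switch) presumably live inside this archive, so for them this diff shows only a digest change. Review should compare the unpacked contents of the new object against the old one, in particular the sshd init script, rather than rely on the pointer diff alone.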
@@ -118,72 +118,3 @@ rm -rf $RPM_BUILD_ROOT %attr(0755,root,root) /usr/%_lib/ssh/gnome-ssh-askpass %changelog -* Mon Feb 23 2009 anicka@suse.cz -- update to 5.2p1 -* Wed Apr 09 2008 anicka@suse.cz -- update to 5.0p1 -* Wed Apr 02 2008 anicka@suse.cz -- update to 4.9p1 -* Wed Dec 05 2007 anicka@suse.cz -- - update to 4.7p1 - * Add "-K" flag for ssh to set GSSAPIAuthentication=yes and - GSSAPIDelegateCredentials=yes. This is symmetric with -k - * make scp try to skip FIFOs rather than blocking when nothing is - listening. - * increase default channel windows - * put the MAC list into a display - * many bugfixes -* Tue Dec 12 2006 anicka@suse.cz -- update to 4.5p1 - * Use privsep_pw if we have it, but only require it if we - absolutely need it. - * Correctly check for bad signatures in the monitor, otherwise - the monitor and the unpriv process can get out of sync. - * Clear errno before calling the strtol functions. - * exit instead of doing a blocking tcp send if we detect - a client/server timeout, since the tcp sendqueue might - be already full (of alive requests) - * include signal.h, errno.h, sys/in.h - * some more bugfixes -* Wed Oct 04 2006 postadal@suse.cz -- updated to version 4.4p1 [#208662] - * fixed pre-authentication DoS, that would cause sshd(8) to spin - until the login grace time expired - * fixed unsafe signal hander, which was vulnerable to a race condition - that could be exploited to perform a pre-authentication DoS - * fixed a GSSAPI authentication abort that could be used to determine - the validity of usernames on some platforms - * implemented conditional configuration in sshd_config(5) using the - "Match" directive - * added support for Diffie-Hellman group exchange key agreement with a - final hash of SHA256 - * added a "ForceCommand", "PermitOpen" directive to sshd_config(5) - * added optional logging of transactions to sftp-server(8) - * ssh(1) will now record port numbers for hosts stored in - ~/.ssh/authorized_keys when a non-standard 
port has been requested - * added an "ExitOnForwardFailure" option to cause ssh(1) to exit (with - a non-zero exit code) when requested port forwardings could not be - established - * extended sshd_config(5) "SubSystem" declarations to allow the - specification of command-line arguments -- removed obsoleted patches: autoconf-fix.patch -* Tue Jul 25 2006 schwab@suse.de -- Fix syntax error in configure script. -* Wed Jan 25 2006 mls@suse.de -- converted neededforbuild to BuildRequires -* Tue Jan 03 2006 postadal@suse.cz -- updated to version 4.2p1 -- removed obsoleted patches: upstream_fixes.diff, gssapi-secfix.patch -* Thu Sep 08 2005 postadal@suse.cz -- don't strip -* Thu Aug 04 2005 uli@suse.de -- parallelize build -* Fri Jun 10 2005 postadal@suse.cz -- updated to version 4.1p1 -- removed obsoleted patches: restore_terminal, pam-returnfromsession, - timing-attacks-fix, krb5ccname, gssapi-pam, logdenysource, - sendenv-fix, documentation-fix -* Wed Jan 19 2005 postadal@suse.cz -- renamed askpass-gnome package to openssh-askpass-gnome -* Wed Jan 19 2005 postadal@suse.cz -- splited spec file to decreas number of build dependencies
diff --git a/openssh.changes b/openssh.changes
index 7200d1d..10a5141 100644
--- a/openssh.changes
+++ b/openssh.changes
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Tue Jul 7 15:06:58 CEST 2009 - llunak@novell.com
+
+- Added a hook for ksshaskpass
+
+-------------------------------------------------------------------
+Sun Jul 5 12:17:40 CEST 2009 - dmueller@novell.com
+
+- readd -f to startproc and remove -p instead to
+ ensure that sshd is started even though old instances
+ are still running (e.e. being logged in from remote)
+
 -------------------------------------------------------------------
 Fri Jun 19 10:35:46 CEST 2009 - coolo@novell.com
diff --git a/openssh.spec b/openssh.spec
index f00c0fc..90dd7f8 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -38,7 +38,7 @@ PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_pr
 Conflicts: nonfreessh
 AutoReqProv: on
 Version: 5.2p1
-Release: 4
+Release: 5
 %define xversion 1.2.4.1
 Summary: Secure Shell Client and Server (Remote Login Program)
 Url: http://www.openssh.com/
@@ -308,793 +308,3 @@ rm -rf $RPM_BUILD_ROOT %_appdefdir/SshAskpass %changelog -* Fri Jun 19 2009 coolo@novell.com -- disable as-needed for this package as it fails to build with it -* Tue May 26 2009 anicka@suse.cz -- disable -f in startproc to calm the warning (bnc#506831) -* Thu Apr 23 2009 lnussel@suse.de -- do not enable sshd by default -* Mon Feb 23 2009 anicka@suse.cz -- update to 5.2p1 - * This release changes the default cipher order to prefer the AES CTR - modes and the revised "arcfour256" mode to CBC mode ciphers that are - susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH". - * This release also adds countermeasures to mitigate CPNI-957037-style - attacks against the SSH protocol's use of CBC-mode ciphers. Upon - detection of an invalid packet length or Message Authentication - Code, ssh/sshd will continue reading up to the maximum supported - packet length rather than immediately terminating the connection. - This eliminates most of the known differences in behaviour that - leaked information about the plaintext of injected data which formed - the basis of this attack. We believe that these attacks are rendered - infeasible by these changes. - * Added a -y option to ssh(1) to force logging to syslog rather than - stderr, which is useful when running daemonised (ssh -f) - * The sshd_config(5) ForceCommand directive now accepts commandline - arguments for the internal-sftp server. - * The ssh(1) ~C escape commandline now support runtime creation of - dynamic (-D) port forwards. - * Support the SOCKS4A protocol in ssh(1) dynamic (-D) forwards. - (bz#1482) - * Support remote port forwarding with a listen port of '0'. This - informs the server that it should dynamically allocate a listen - port and report it back to the client. 
(bz#1003) - * sshd(8) now supports setting PermitEmptyPasswords and - AllowAgentForwarding in Match blocks - * Repair a ssh(1) crash introduced in openssh-5.1 when the client is - sent a zero-length banner (bz#1496) - * Due to interoperability problems with certain - broken SSH implementations, the eow@openssh.com and - no-more-sessions@openssh.com protocol extensions are now only sent - to peers that identify themselves as OpenSSH. - * Make ssh(1) send the correct channel number for - SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to - avoid triggering 'Non-public channel' error messages on sshd(8) in - openssh-5.1. - * Avoid printing 'Non-public channel' warnings in sshd(8), since the - ssh(1) has sent incorrect channel numbers since ~2004 (this reverts - a behaviour introduced in openssh-5.1). - * Avoid double-free in ssh(1) ~C escape -L handler (bz#1539) - * Correct fail-on-error behaviour in sftp(1) batchmode for remote - stat operations. (bz#1541) - * Disable nonfunctional ssh(1) ~C escape handler in multiplex slave - connections. (bz#1543) - * Avoid hang in ssh(1) when attempting to connect to a server that - has MaxSessions=0 set. - * Multiple fixes to sshd(8) configuration test (-T) mode - * Several core and portable OpenSSH bugs fixed: 1380, 1412, 1418, - 1419, 1421, 1490, 1491, 1492, 1514, 1515, 1518, 1520, 1538, 1540 - * Many manual page improvements. 
-* Mon Dec 01 2008 anicka@suse.cz -- respect SSH_MAX_FORWARDS_PER_DIRECTION (bnc#448775) -* Mon Nov 10 2008 anicka@suse.cz -- fix printing banner (bnc#443380) -* Fri Oct 24 2008 anicka@suse.cz -- call pam functions in the right order (bnc#438292) -- mention default forwarding of locale settings in - README.SuSE (bnc#434799) -* Tue Sep 09 2008 anicka@suse.cz -- remove pam_resmgr from sshd.pamd (bnc#422619) -* Sun Aug 24 2008 coolo@suse.de -- fix fillup macro usage -* Fri Aug 22 2008 prusnak@suse.cz -- enabled SELinux support [Fate#303662] -* Tue Jul 22 2008 anicka@suse.cz -- update to 5.1p1 - * sshd(8): Avoid X11 man-in-the-middle attack on HP/UX (and possibly - other platforms) when X11UseLocalhost=no - * Introduce experimental SSH Fingerprint ASCII Visualisation to ssh(1) - and ssh-keygen(1). Visual fingerprinnt display is controlled by a new - ssh_config(5) option "VisualHostKey". - * sshd_config(5) now supports CIDR address/masklen matching in "Match - address" blocks, with a fallback to classic wildcard matching. - * sshd(8) now supports CIDR matching in ~/.ssh/authorized_keys - from="..." restrictions, also with a fallback to classic wildcard - matching. - * Added an extended test mode (-T) to sshd(8) to request that it write - its effective configuration to stdout and exit. Extended test mode - also supports the specification of connection parameters (username, - source address and hostname) to test the application of - sshd_config(5) Match rules. - * ssh(1) now prints the number of bytes transferred and the overall - connection throughput for SSH protocol 2 sessions when in verbose - mode (previously these statistics were displayed for protocol 1 - connections only). - * sftp-server(8) now supports extension methods statvfs@openssh.com and - fstatvfs@openssh.com that implement statvfs(2)-like operations. 
- * sftp(1) now has a "df" command to the sftp client that uses the - statvfs@openssh.com to produce a df(1)-like display of filesystem - space and inode utilisation (requires statvfs@openssh.com support on - the server) - * Added a MaxSessions option to sshd_config(5) to allow control of the - number of multiplexed sessions supported over a single TCP connection. - This allows increasing the number of allowed sessions above the - previous default of 10, disabling connection multiplexing - (MaxSessions=1) or disallowing login/shell/subsystem sessions - entirely (MaxSessions=0). - * Added a no-more-sessions@openssh.com global request extension that is - sent from ssh(1) to sshd(8) when the client knows that it will never - request another session (i.e. when session multiplexing is disabled). - This allows a server to disallow further session requests and - terminate the session in cases where the client has been hijacked. - * ssh-keygen(1) now supports the use of the -l option in combination - with -F to search for a host in ~/.ssh/known_hosts and display its - fingerprint. - * ssh-keyscan(1) now defaults to "rsa" (protocol 2) keys, instead of - "rsa1". - * Added an AllowAgentForwarding option to sshd_config(8) to control - whether authentication agent forwarding is permitted. Note that this - is a loose control, as a client may install their own unofficial - forwarder. - * ssh(1) and sshd(8): avoid unnecessary malloc/copy/free when receiving - network data, resulting in a ~10%% speedup - * ssh(1) and sshd(8) will now try additional addresses when connecting - to a port forward destination whose DNS name resolves to more than - one address. The previous behaviour was to try the only first address - and give up if that failed. (bz#383) - * ssh(1) and sshd(8) now support signalling that channels are - half-closed for writing, through a channel protocol extension - notification "eow@openssh.com". 
This allows propagation of closed - file descriptors, so that commands such as: - "ssh -2 localhost od /bin/ls | true" - do not send unnecessary data over the wire. (bz#85) - * sshd(8): increased the default size of ssh protocol 1 ephemeral keys - from 768 to 1024 bits. - * When ssh(1) has been requested to fork after authentication - ("ssh -f") with ExitOnForwardFailure enabled, delay the fork until - after replies for any -R forwards have been seen. Allows for robust - detection of -R forward failure when using -f. (bz#92) - * "Match group" blocks in sshd_config(5) now support negation of - groups. E.g. "Match group staff,!guests" (bz#1315) - * sftp(1) and sftp-server(8) now allow chmod-like operations to set - set[ug]id/sticky bits. (bz#1310) - * The MaxAuthTries option is now permitted in sshd_config(5) match - blocks. - * Multiplexed ssh(1) sessions now support a subset of the ~ escapes - that are available to a primary connection. (bz#1331) - * ssh(1) connection multiplexing will now fall back to creating a new - connection in most error cases. (bz#1439 bz#1329) - * Added some basic interoperability tests against Twisted Conch. - * Documented OpenSSH's extensions to and deviations from the published - SSH protocols (the PROTOCOL file in the distribution) - * Documented OpenSSH's ssh-agent protocol (PROTOCOL.agent). - * bugfixes -- remove gssapi_krb5-fix patch -* Fri Apr 18 2008 werner@suse.de -- Handle pts slave lines like utemper -* Wed Apr 09 2008 anicka@suse.cz -- update to 5.0p1 - * CVE-2008-1483: Avoid possible hijacking of X11-forwarded - connections by refusing to listen on a port unless all address - families bind successfully. -- remove CVE-2008-1483 patch -* Wed Apr 02 2008 anicka@suse.cz -- update to 4.9p1 - * Disable execution of ~/.ssh/rc for sessions where a command has been - forced by the sshd_config ForceCommand directive. Users who had - write access to this file could use it to execute abritrary commands. 
- This behaviour was documented, but was an unsafe default and an extra - hassle for administrators. - * Added chroot(2) support for sshd(8), controlled by a new option - "ChrootDirectory". Please refer to sshd_config(5) for details, and - please use this feature carefully. (bz#177 bz#1352) - * Linked sftp-server(8) into sshd(8). The internal sftp server is - used when the command "internal-sftp" is specified in a Subsystem - or ForceCommand declaration. When used with ChrootDirectory, the - internal sftp server requires no special configuration of files - inside the chroot environment. Please refer to sshd_config(5) for - more information. - * Added a "no-user-rc" option for authorized_keys to disable execution - of ~/.ssh/rc - * Added a protocol extension method "posix-rename@openssh.com" for - sftp-server(8) to perform POSIX atomic rename() operations. - (bz#1400) - * Removed the fixed limit of 100 file handles in sftp-server(8). The - server will now dynamically allocate handles up to the number of - available file descriptors. (bz#1397) - * ssh(8) will now skip generation of SSH protocol 1 ephemeral server - keys when in inetd mode and protocol 2 connections are negotiated. - This speeds up protocol 2 connections to inetd-mode servers that - also allow Protocol 1 (bz#440) - * Accept the PermitRootLogin directive in a sshd_config(5) Match - block. Allows for, e.g. permitting root only from the local - network. - * Reworked sftp(1) argument splitting and escaping to be more - internally consistent (i.e. between sftp commands) and more - consistent with sh(1). Please note that this will change the - interpretation of some quoted strings, especially those with - embedded backslash escape sequences. (bz#778) - * Support "Banner=none" in sshd_config(5) to disable sending of a - pre-login banner (e.g. in a Match block). - * ssh(1) ProxyCommands are now executed with $SHELL rather than - /bin/sh. 
- * ssh(1)'s ConnectTimeout option is now applied to both the TCP - connection and the SSH banner exchange (previously it just covered - the TCP connection). This allows callers of ssh(1) to better detect - and deal with stuck servers that accept a TCP connection but don't - progress the protocol, and also makes ConnectTimeout useful for - connections via a ProxyCommand. - * Many new regression tests, including interop tests against PuTTY's - plink. - * Support BSM auditing on Mac OS X - * bugfixes -- remove addrlist, pam_session_close, strict-aliasing-fix patches - (not needed anymore) -* Tue Mar 25 2008 anicka@suse.cz -- fix CVE-2008-1483 (bnc#373527) -* Fri Jan 04 2008 anicka@suse.cz -- fix privileges of a firewall definition file [#351193] -* Sat Dec 15 2007 anicka@suse.cz -- add patch calling pam with root privileges [#334559] -- drop pwname-home patch [#104773] -* Fri Dec 07 2007 anicka@suse.cz -- fix race condition in xauth patch -* Wed Dec 05 2007 anicka@suse.cz -- update to 4.7p1 - * Add "-K" flag for ssh to set GSSAPIAuthentication=yes and - GSSAPIDelegateCredentials=yes. This is symmetric with -k - * make scp try to skip FIFOs rather than blocking when nothing is - listening. 
- * increase default channel windows - * put the MAC list into a display - * many bugfixes -* Mon Oct 08 2007 anicka@suse.cz -- block SIGALRM only during calling syslog() [#331032] -* Thu Sep 13 2007 nadvornik@suse.cz -- fixed checking of an untrusted cookie, CVE-2007-4752 [#308521] -* Tue Aug 28 2007 anicka@suse.cz -- fix blocksigalrm patch to set old signal mask after - writing the log in every case [#304819] -* Tue Aug 21 2007 anicka@suse.cz -- avoid generating ssh keys when a non-standard location - is configured [#281228] -* Wed Jul 25 2007 anicka@suse.cz -- fixed typo in sshd.fw [#293764] -* Mon Mar 19 2007 nadvornik@suse.cz -- fixed default for ChallengeResponseAuthentication [#255374] -* Mon Mar 12 2007 anicka@suse.cz -- update to 4.6p1 - * sshd now allows the enabling and disabling of authentication - methods on a per user, group, host and network basis via the - Match directive in sshd_config. - * Allow multiple forwarding options to work when specified in a - PermitOpen directive - * Clear SIGALRM when restarting due to SIGHUP. Prevents stray - signal from taking down sshd if a connection was pending at - the time SIGHUP was received - * hang on exit" when background processes are running at the - time of exit on a ttyful/login session - * some more bugfixes -* Mon Mar 05 2007 anicka@suse.cz -- fix path for firewall definition -* Thu Mar 01 2007 anicka@suse.cz -- add support for Linux audit (FATE #120269) -* Wed Feb 21 2007 anicka@suse.cz -- add firewall definition [#246921], FATE #300687, - source: sshd.fw -* Sat Jan 06 2007 anicka@suse.cz -- disable SSHv1 protocol in default configuration [#231808] -* Tue Dec 12 2006 anicka@suse.cz -- update to 4.5p1 - * Use privsep_pw if we have it, but only require it if we - absolutely need it. - * Correctly check for bad signatures in the monitor, otherwise - the monitor and the unpriv process can get out of sync. - * Clear errno before calling the strtol functions. 
- * exit instead of doing a blocking tcp send if we detect - a client/server timeout, since the tcp sendqueue might - be already full (of alive requests) - * include signal.h, errno.h, sys/in.h - * some more bugfixes -* Wed Nov 22 2006 anicka@suse.cz -- fixed README.SuSE [#223025] -* Thu Nov 09 2006 anicka@suse.cz -- backport security fixes from openssh 4.5 (#219115) -* Tue Nov 07 2006 ro@suse.de -- fix manpage permissions -* Tue Oct 31 2006 anicka@suse.cz -- fix gssapi_krb5-fix patch [#215615] -- fix xauth patch -* Tue Oct 10 2006 postadal@suse.cz -- fixed building openssh from src.rpm [#176528] (gssapi_krb5-fix.patch) -* Tue Oct 03 2006 postadal@suse.cz -- updated to version 4.4p1 [#208662] - * fixed pre-authentication DoS, that would cause sshd(8) to spin - until the login grace time expired - * fixed unsafe signal hander, which was vulnerable to a race condition - that could be exploited to perform a pre-authentication DoS - * fixed a GSSAPI authentication abort that could be used to determine - the validity of usernames on some platforms - * implemented conditional configuration in sshd_config(5) using the - "Match" directive - * added support for Diffie-Hellman group exchange key agreement with a - final hash of SHA256 - * added a "ForceCommand", "PermitOpen" directive to sshd_config(5) - * added optional logging of transactions to sftp-server(8) - * ssh(1) will now record port numbers for hosts stored in - ~/.ssh/authorized_keys when a non-standard port has been requested - * added an "ExitOnForwardFailure" option to cause ssh(1) to exit (with - a non-zero exit code) when requested port forwardings could not be - established - * extended sshd_config(5) "SubSystem" declarations to allow the - specification of command-line arguments -- removed obsoleted patches: autoconf-fix.patch, dos-fix.patch -- fixed gcc issues (gcc-fix.patch) -* Wed Sep 20 2006 postadal@suse.cz -- fixed DoS by CRC compensation attack detector [#206917] (dos-fix.patch) -- fixed client NULL 
deref on protocol error -- cosmetic fix in init script [#203826] -* Fri Sep 01 2006 kukuk@suse.de -- sshd.pamd: Add pam_loginuid, move pam_nologin to a better position -* Fri Aug 25 2006 postadal@suse.cz -- fixed path for xauth [#198676] -* Thu Aug 03 2006 postadal@suse.cz -- fixed build with X11R7 -* Thu Jul 20 2006 postadal@suse.cz -- updated to version 4.3p2 - * experimental support for tunneling network packets via tun(4) -- removed obsoleted patches: pam-error.patch, CVE-2006-0225.patch, - scp.patch, sigalarm.patch -* Mon Feb 13 2006 postadal@suse.cz -- upstream fixes - - fixed "scp a b c", when c is not directory (scp.patch) - - eliminate some code duplicated in privsep and non-privsep paths, and - explicitly clear SIGALRM handler (sigalarm.patch) -* Fri Feb 03 2006 postadal@suse.cz -- fixed local arbitrary command execution vulnerability [#143435] - (CVE-2006-0225.patch) -* Thu Feb 02 2006 postadal@suse.cz -- fixed xauth.diff for disabled UsePrivilegeSeparation mode [#145809] -- build on s390 without Smart card support (opensc) [#147383] -* Mon Jan 30 2006 postadal@suse.cz -- fixed patch xauth.diff [#145809] -- fixed comments [#142989] -* Wed Jan 25 2006 mls@suse.de -- converted neededforbuild to BuildRequires -* Mon Jan 16 2006 meissner@suse.de -- added -fstack-protector. 
-* Tue Jan 03 2006 postadal@suse.cz -- updated to version 4.2p1 -- removed obsoleted patches: upstream_fixes.diff, gssapi-secfix.patch -* Tue Nov 15 2005 postadal@suse.cz -- do not delegate GSSAPI credentials to log in with a different method - than GSSAPI [#128928] (CAN-2005-2798, gssapi-secfix.patch) -* Sun Oct 23 2005 postadal@suse.cz -- fixed PAM to send authentication failing mesaage to client [#130043] - (pam-error.patch) -* Wed Sep 14 2005 postadal@suse.cz -- fixed uninitialized variable in patch xauth.diff [#98815] -* Thu Sep 08 2005 postadal@suse.cz -- don't strip -* Mon Sep 05 2005 postadal@suse.cz -- added patch xauth.diff prevent from polluting xauthority file [#98815] -* Mon Aug 22 2005 postadal@suse.cz -- fixed problem when multiple accounts have same UID [#104773] - (pwname-home.diff) -- added fixes from upstream (upstream_fixes.diff) -* Thu Aug 18 2005 postadal@suse.cz -- added patch tmpdir.diff for using $TMPDIR by ssh-agent [#95731] -* Thu Aug 04 2005 uli@suse.de -- parallelize build -* Mon Aug 01 2005 postadal@suse.cz -- added patch resolving problems with hostname changes [#98627] - (xauthlocalhostname.diff) -* Wed Jun 22 2005 kukuk@suse.de -- Compile/link with -fpie/-pie -* Wed Jun 15 2005 meissner@suse.de -- build x11-ask-pass with RPM_OPT_FLAGS. 
-* Fri Jun 10 2005 postadal@suse.cz -- updated to version 4.1p1 -- removed obsoleted patches: restore_terminal, pam-returnfromsession, - timing-attacks-fix, krb5ccname, gssapi-pam, logdenysource, - sendenv-fix, documentation-fix -* Thu Mar 10 2005 postadal@suse.cz -- fixed SendEnv config parsing bug -- documented timeout on untrusted x11 forwarding sessions (openssh#849) -- mentioned ForwardX11Trusted in ssh.1 (openssh#987) -* Thu Mar 03 2005 postadal@suse.cz -- enabled accepting and sending locale environment variables in protocol 2 - [#65747, #50091] -* Thu Feb 24 2005 postadal@suse.cz -- added patches from cvs: gssapi-pam (openssh#918), - krb5ccname (openssh#445), logdenysource (openssh#909) -* Thu Feb 03 2005 postadal@suse.cz -- fixed keyboard-interactive/pam/Kerberos leaks info about user existence - [#48329] (openssh#971, CAN-2003-0190) -* Wed Jan 19 2005 postadal@suse.cz -- splited spec file to decreas number of build dependencies -- fixed restoring terminal setting after Ctrl+C during password prompt in scp/sftp [#43309] -- allowed users to see output from failing PAM session modules (openssh #890, - pam-returnfromsession.patch) -* Mon Nov 08 2004 kukuk@suse.de -- Use common-* PAM config files for sshd PAM configuration -* Mon Oct 25 2004 postadal@suse.cz -- switched heimdal-* to kerberos-devel-packages in #needforbuild -* Fri Sep 03 2004 ro@suse.de -- fix lib64 issue -* Tue Aug 31 2004 postadal@suse.cz -- updated to version 3.9p1 -- removed obsoleted patches: scp-fix.diff and window_change-fix.diff -* Thu Aug 26 2004 postadal@suse.cz -- added openssh-askpass-gnome subpackage -- added ssh-askpass script for choosing askpass depending on windowmanager - (by Robert Love ) -- build with Smart card support (opensc) [#44289] -* Tue Aug 17 2004 postadal@suse.cz -- removed old implementation of "Update Messages" [#36059] -* Thu Aug 12 2004 postadal@suse.cz -- updated to version 3.8p1 -- removed obsoleted patches: sftp-progress-fix and pam-fix4 -* Mon Jun 28 2004 
meissner@suse.de -- block sigalarm during syslog output or we might deadlock - on recursively entering syslog(). (LTC#9523, SUSE#42354) -* Wed May 26 2004 postadal@suse.cz -- fixed commented default value for GSSAPI -* Thu May 20 2004 mludvig@suse.cz -- Load drivers for available hardware crypto accelerators. -* Fri Apr 30 2004 postadal@suse.cz -- updated README.kerberos (GSSAPICleanupCreds renamed to GSSAPICleanupCredentials) -* Mon Apr 19 2004 postadal@suse.cz -- updated README.SuSE (GSSAPICleanupCreds renamed to GSSAPICleanupCredentials) - [#39010] -* Fri Mar 26 2004 postadal@suse.cz -- fixed sshd(8) and sshd_config(5) man pages (EAL3) -- fixed spelling errors in README.SuSE [#37086] -* Thu Mar 25 2004 postadal@suse.cz -- fixed change window request [#33177] -* Mon Mar 22 2004 postadal@suse.cz -- updated README.SuSE -- removed %%verify from /usr/bin/ssh in specfile -* Thu Mar 18 2004 postadal@suse.cz -- fixed previous fix of security bug in scp [#35443] (CAN-2004-0175) - (was too restrictive) -- fixed permission of /usr/bin/ssh -* Mon Mar 15 2004 postadal@suse.cz -- fixed comments in sshd_config and ssh_config -* Mon Mar 15 2004 postadal@suse.cz -- enabled privilege separation mode (new version fixes a lot of problematic PAM - calling [#30328]) -- fixed security bug in scp [#35443] (CAN-2004-0175) -- reverted to old behaviour of ForwardingX11 [#35836] - (set ForwardX11Trusted to 'yes' by default) -- updated README.SuSE -- fixed pam code (pam-fix4.diff, backported from openssh-SNAP-20040311) -* Fri Mar 05 2004 postadal@suse.cz -- updated README.SuSE (Remote x11 clients are now untrusted by default) [#35368] -- added gssapimitm patch (support for old GSSAPI) -* Mon Mar 01 2004 postadal@suse.cz -- updated to version 3.8p1 - * The "gssapi" support has been replaced with the "gssapi-with-mic" - to fix possible MITM attacks. These two versions are not compatible. 
-- removed obsoleted patches: krb5.patch, dns-lookups.patch, pam-fix.diff, - pam-end-fix.diff -- used process forking instead pthreads - (developers fixed bugs in pam calling and they recommended to don't use threads) -* Tue Feb 24 2004 postadal@suse.cz -- fixed the problem with save_argv in sshd.c re-apeared again in version 3.7.1p2 - (it caused bad behaviour after receiving SIGHUP - used by reload of init script) - [#34845] -* Wed Feb 18 2004 kukuk@suse.de -- Real strict-aliasing patch -* Wed Feb 18 2004 postadal@suse.cz -- fixed strict-aliasing patch [#34551] -* Sat Feb 14 2004 adrian@suse.de -- provide SLP registration file /etc/slp.reg.d/ssh.reg -* Tue Feb 03 2004 postadal@suse.cz -- used patch from pam-end-fix.diff [#33132] -- fixed instalation openssh without documentation [#33937] -- fixed auth-pam.c which breaks strict aliasing -* Mon Jan 19 2004 meissner@suse.de -- Added a ; to ssh-key-converter.c to fix gcc 3.4 build. -* Fri Jan 16 2004 kukuk@suse.de -- Add pam-devel to neededforbuild -* Thu Nov 06 2003 postadal@suse.cz -- added /usr/bin/slogin explicitly to %%file list [#32921] -* Sun Nov 02 2003 adrian@suse.de -- add %%run_permissions to fix build -* Tue Oct 14 2003 postadal@suse.cz -- reverted value UsePAM to "yes" and set PasswordAuthentication to "no" - in file /etc/ssh/sshd_config (the version 3.7.1p2 disabled PAM support - by default) [#31749] -* Tue Sep 23 2003 draht@suse.de -- New version 3.7.1p2; signature from 86FF9C48 Damien Miller - verified for source tarball. Bugs fixed with this version: - [#31637] (CAN-2003-0786, CAN-2003-0786). Briefly: - 1) SSH1 PAM challenge response auth ignored the result of the - authentication (with privsep off) - 2) The PAM conversation function trashed the stack, by referring - to the **resp parameter as an array of pointers rather than - as a pointer to an array of struct pam_responses. - At least security bug 1) is exploitable. 
-* Fri Sep 19 2003 postadal@suse.cz -- use pthreads instead process forking (it needs by pam modules) -- fixed bug in calling pam_setcred [#31025] - (pam-fix.diff - string "FILE:" added to begin of KRB5CCNAME) -- updated README.SuSE -- reverted ChallengeResponseAuthentication option to default value yes - (necessary for pam authentication) [#31432] -* Thu Sep 18 2003 postadal@suse.cz -- updated to version 3.7.1p1 (with security patches) -- removed obsoleted patches: chauthtok.patch, krb-include-fix.diff, - gssapi-fix.diff, saveargv-fix.diff, gssapi-20030430.diff, racecondition-fix -- updated README.kerberos -* Tue Sep 16 2003 postadal@suse.cz -- fixed race condition in allocating memory [#31025] (CAN-2003-0693) -* Mon Sep 15 2003 postadal@suse.cz -- disabled privilege separation, which caused some problems [#30328] - (updated README.SuSE) -* Thu Sep 04 2003 postadal@suse.cz -- fixed bug in x11-ssh-askpass dialog [#25846] (askpass-fix.diff is workaround for gcc bug) -* Fri Aug 29 2003 kukuk@suse.de -- Call useradd -r for system account [Bug #29611] -* Mon Aug 25 2003 postadal@suse.cz -- use new stop_on_removal/restart_on_upate macros -- fixed lib64 problem in /etc/ssh/sshd_config [#28766] -* Tue Aug 19 2003 mmj@suse.de -- Add sysconfig metadata [#28943] -* Fri Aug 01 2003 ro@suse.de -- add e2fsprogs-devel to neededforbuild -* Thu Jul 24 2003 postadal@suse.cz -- updated to version 3.6.1p2 -- added the new version of patch for GSSAPI (gssapi-20030430.diff), - the older one was removed (gssapi.patch) -- added README.kerberos to filelist -* Tue Jun 03 2003 mmj@suse.de -- Remove files we don't package -* Wed Apr 02 2003 postadal@suse.cz -- fixed bad behaviour after receiving SIGHUP (this bug caused not working reload of init script) -* Tue Mar 18 2003 postadal@suse.cz -- added $remote_fs to init.d script (needed if /usr is on remote fs [#25577]) -* Thu Mar 13 2003 postadal@suse.cz -- fixed segfault while using GSSAPI for authentication when connecting to localhost (took 
care about error value of ssh_gssapi_import_name() in function ssh_gssapi_client_ctx()) -* Mon Mar 10 2003 kukuk@suse.de -- Remove extra "/" from pid file path. -* Mon Mar 03 2003 postadal@suse.cz -- modified init.d script (now checking sshd.init.pid instead of port 22) [#24263] -* Mon Mar 03 2003 okir@suse.de -- added comment to /etc/pam.d/ssh on how to enable - support for resmgr (#24363). -* Fri Feb 21 2003 postadal@suse.cz -- added ssh-copy-id shell script [#23745] -* Fri Feb 14 2003 postadal@suse.cz -- given back gssapi and dns-lookups patches -* Thu Jan 23 2003 postadal@suse.cz -- updated to version 3.5p1 -- removed obsolete patches: owl-mm, forced-commands-only, krb -- added patch krb5 (for heimdal) -- temporarily removed gssapi patch and dns-lookups (needs rewriting) -- fix sysconfig metadata -* Thu Dec 05 2002 okir@suse.de -- avoid Kerberos DNS lookups in the default config (#20395) -- added README.kerberos -* Thu Sep 19 2002 postadal@suse.cz -- added info about changes in the new version of openssh - to README.SuSE [#19757] -* Mon Sep 02 2002 okir@suse.de -- privsep directory now /var/lib/empty, which is provided by - filesystem package (#17556) -* Wed Aug 28 2002 nashif@suse.de -- Added insserv & co to PreReq -* Mon Aug 26 2002 okir@suse.de -- applied patch that adds GSSAPI support in protocol version 2 (#18239) -* Thu Aug 22 2002 postadal@suse.cz -- added the patch to fix malfunction of PermitRootLogin seted to - forced-commands-only [#17149] -* Fri Aug 09 2002 okir@suse.de -- syslog now reports kerberos auth method when logging in via - kerberos (#17469) -* Tue Jul 23 2002 okir@suse.de -- enabled kerberos support -- added patch to support kerberos 5 authentication in privsep mode. 
-- added missing section 5 manpages -- added missing ssh-keysign to files list (new for privsep) -* Mon Jul 22 2002 okir@suse.de -- fixed handling of expired passwords in privsep mode -* Tue Jul 09 2002 mmj@suse.de -- Don't source rc.config -* Wed Jul 03 2002 draht@suse.de -- ssh-keygen must be told to explicitly create type rsa1 keys - in the start script. -* Tue Jul 02 2002 ro@suse.de -- useradd/groupadd in preinstall to standardize -* Sat Jun 29 2002 ro@suse.de -- updated patch from solar: zero out bytes for no longer used pages - in mmap-fallback solution -* Thu Jun 27 2002 ro@suse.de -- updated owl-fallback.diff from solar -* Thu Jun 27 2002 ro@suse.de -- update to 3.4p1 - o privilege separation support - o overflow fix from ISS -- unsplit openssh-server and openssh-client -* Tue Jun 18 2002 mmj@suse.de -- Update to 3.2.3p1 which fixed following compared to 3.2.2p1 - o a defect in the BSD_AUTH access control handling for - o login/tty problems on Solaris (bug #245) - o build problems on Cygwin systems -- Split the package to openssh, openssh-server, openssh-client and - openssh-askpass -* Sun May 19 2002 mmj@suse.de -- Updated to 3.2.2p which includes security and several bugfixes. -* Fri Mar 15 2002 ro@suse.de -- added "Obsoletes: ssh" -* Tue Mar 05 2002 draht@suse.de -- security fix for bug in channels.c (channelbug.dif) -* Fri Mar 01 2002 bk@suse.de -- fix ssh-agent example to use eval `ssh-agent -s` and a typo. 
-- add sentence on use of ssh-agent with startx -* Tue Feb 26 2002 bk@suse.de -- update README.SuSE to improve documentation on protocol version -* Wed Feb 13 2002 cihlar@suse.cz -- rewritten addrlist patch - "0.0.0.0" is removed from list - after "::" is successful [#8951] -* Mon Feb 11 2002 cihlar@suse.cz -- added info about the change of the default protocol version - to README.SuSE -* Thu Feb 07 2002 cihlar@suse.cz -- removed addrlist patch which fixed bug [#8951] as it breaks - functionality on machines with kernel without IPv6 support, - bug reopened, new solution will be find -- switched to default protocol version 2 -- added ssh-keyconvert (thanks Olaf Kirch ) -- removed static linking against libcrypto, as crypt() was removed - from it [#5333] -* Tue Jan 22 2002 kukuk@suse.de -- Add pam_nologin to account management (else it will not be - called if user does not do password authentification) -* Tue Jan 15 2002 egmont@suselinux.hu -- removed colon from shutdown message -* Thu Jan 10 2002 cihlar@suse.cz -- use %%{_lib} -* Thu Dec 13 2001 ro@suse.de -- moved rc.config.d -> sysconfig -* Mon Dec 10 2001 cihlar@suse.cz -- removed START_SSHD -* Fri Dec 07 2001 cihlar@suse.cz -- update to version 3.0.2p1: - * CheckMail option in sshd_config is deprecated - * X11 cookies are now stored in $HOME - * fixed a vulnerability in the UseLogin option - * /etc/ssh_known_hosts2 and ~/.ssh/known_hosts2 are obsolete, - /etc/ssh_known_hosts and ~/.ssh/known_hosts can be used - * several minor fixes -- update x11-ssh-askpass to version 1.2.4.1: - * fixed Imakefile.in -- fixed bug in adresses "::" and "0.0.0.0" [#8951] -* Fri Oct 05 2001 cihlar@suse.cz -- update to version 2.9.9p2 -- removed obsolete clientloop and command patches -- uncommented "HostKey /etc/ssh/ssh_host_rsa_key" in sshd_config -- added German translation of e-mail to sysadmin -- init script fixed to work when more listening sshd runs -- added /bin/netstat to requires -* Mon Sep 24 2001 cihlar@suse.cz -- fixed 
security problem with sftp & bypassing - keypair auth restrictions - patch based on CVS -- fixed status part of init script - it returned - running even if there were only sshd of connections - and no listening sshd [#11220] -- fixed stop part of init script - when there was no - /var/run/sshd.pid, all sshd were killed -* Thu Sep 06 2001 nadvornik@suse.cz -- added patch for correct buffer flushing from CVS [bug #6450] -* Fri Jul 27 2001 cihlar@suse.cz -- update x11-ssh-askpass to version 1.2.2 -* Thu Jul 26 2001 cihlar@suse.cz -- update to version 2.9p2 -- removed obsolete "cookies" patch -* Mon Jun 11 2001 cihlar@suse.cz -- fixed to compile with new xmkmf -* Thu Jun 07 2001 cihlar@suse.cz -- fixed security bug when any file "cookies" could - be removed by anybody -* Tue Jun 05 2001 bjacke@suse.de -- generate rsa host key in init script -* Tue Jun 05 2001 cihlar@suse.cz -- removed complete path from PAM modules -* Thu May 03 2001 cihlar@suse.cz -- update to version 2.9p1 -- removed obsolete --with-openssl -- removed obsolete man patch -* Mon Apr 30 2001 cihlar@suse.cz -- enable PAM support -* Fri Apr 13 2001 ro@suse.de -- fixed specfile for extra README.SuSE -* Fri Apr 13 2001 cihlar@suse.cz -- fixed init script by new skeleton -* Thu Mar 22 2001 cihlar@suse.cz -- update to version 2.5.2p2 -* Wed Mar 14 2001 cihlar@suse.cz -- fixed ssh man page -* Mon Mar 12 2001 cihlar@suse.cz -- update to version 2.5.1p2 -- added xf86 to neededforbuild -* Fri Mar 09 2001 schwab@suse.de -- Fix missing crypt declaration. 
-* Fri Feb 23 2001 cihlar@suse.cz -- update to version 2.5.1p1 -- update x11-ssh-askpass to version 1.2.0 -* Tue Feb 20 2001 cihlar@suse.cz -- modified README.SuSE [#4365] -- fixed start script to agree with skeleton -- fixed start script so "stop" kills only sshd - listening for connections -- compiled with --with-openssl -- "ListenAddress 0.0.0.0" in sshd_config commented out - - listen on both ipv4 and ipv6 -- fixed var/adm/notify/messages/openssh_update [#6406] -* Thu Jan 25 2001 smid@suse.cz -- startup script fixed [#5559] -* Tue Jan 16 2001 nadvornik@suse.cz -- libcrypto linked static [#5333] -* Thu Jan 11 2001 cihlar@suse.cz -- uncomment sftp-server part in sshd_config -- added /usr/X11R6/lib/X11/app-defaults/SshAskpass to %%files -* Thu Jan 11 2001 cihlar@suse.cz -- fixed %%files [#5230] -- fixed installation of x11-ssh-askpass to BuildRoot -- added man pages of x11-ssh-askpass -* Wed Jan 10 2001 smid@suse.cz -- notice about how to enable ipv6 added to mail -- for administrator [#5297] -* Wed Dec 13 2000 smid@suse.cz -- default ipv6 listennig disabled (problems with libc2.2) [#4588] -* Tue Dec 05 2000 smid@suse.cz -- notify message changed -* Mon Dec 04 2000 lmuelle@suse.de -- fixed provides/ conflicts to ssh -* Thu Nov 30 2000 smid@suse.cz -- path to ssh-askpass fixed -- stop in %%preun removed -- new init style -* Mon Nov 27 2000 schwab@suse.de -- Restore rcsshd link. -* Sun Nov 26 2000 kukuk@suse.de -- Add openssl-devel to neededforbuild -* Mon Nov 20 2000 smid@suse.cz -- New version 2.3.0 -* Wed Sep 06 2000 smid@suse.cz -- remove --with-ipv4-default option -* Wed Jul 05 2000 garloff@suse.de -- ... and tell the sysadmin and user more about what they can do - about it (schwab). -* Wed Jul 05 2000 garloff@suse.de -- Inform the user (admin) about the fact that the default behaviour - with respect to X11-forwarding has been changed to be disabled. -* Wed Jun 28 2000 smid@suse.cz -- warning that generating DSA key can an take a long time. 
- (bugzilla 3015) -- writing to wtmp and lastlog fixed (bugzilla 3024) -- reading config file (parameter Protocol) fixed -* Fri Jun 16 2000 garloff@suse.de -- Added generation of ssh_host_dsa_key -* Tue Jun 13 2000 nadvornik@suse.cz -- update to 2.1.1p1 -* Thu Jun 08 2000 cihlar@suse.cz -- uncommented %%clean -* Fri May 05 2000 smid@suse.cz -- buildroot added -- upgrade to 1.2.3 -* Tue Mar 21 2000 kukuk@suse.de -- Update to 1.2.2p1 -* Mon Mar 06 2000 kukuk@suse.de -- Fix the diff. -* Sun Mar 05 2000 kukuk@suse.de -- Add a README.SuSE with a short description how to use ssh-add -* Tue Feb 29 2000 schwab@suse.de -- Update config.{guess,sub}. -* Fri Feb 25 2000 kukuk@suse.de -- Fix need for build, add group tag. -* Wed Feb 02 2000 kukuk@suse.de -- Change new defaults back to old one -* Sun Jan 30 2000 kukuk@suse.de -- Add x11-ssh-askpass to filelist -* Fri Jan 28 2000 kukuk@suse.de -- Update to OpenSSH 1.2.2 -- Add x11-ssh-askpass-1.0 -* Tue Jan 25 2000 kukuk@suse.de -- Add reload and status to /sbin/init.d/sshd [Bug 1747] -* Thu Jan 20 2000 kukuk@suse.de -- Update to 1.2.1pre27 with IPv6 support -* Fri Dec 31 1999 kukuk@suse.de -- Initial version diff --git a/ssh-askpass b/ssh-askpass index c946f35..c1b20b6 100644 --- a/ssh-askpass +++ b/ssh-askpass @@ -25,10 +25,9 @@ if [ -z "$SESSION" ] ; then fi GNOME_SSH_ASKPASS="/usr/lib/ssh/gnome-ssh-askpass" +KDE_SSH_ASKPASS="/usr/lib/ssh/ksshaskpass" X11_SSH_ASKPASS="/usr/lib/ssh/x11-ssh-askpass" -# note: if there is ever a kde-ssh-askpass, just add it based on SESSION=kde - case "$SESSION" in gnome) if [ -f $GNOME_SSH_ASKPASS ]; then @@ -37,6 +36,13 @@ case "$SESSION" in exec $X11_SSH_ASKPASS ${1+"$@"} fi ;; + kde) + if [ -f $KDE_SSH_ASKPASS ]; then + exec $KDE_SSH_ASKPASS ${1+"$@"} + else + exec $X11_SSH_ASKPASS ${1+"$@"} + fi + ;; *) exec $X11_SSH_ASKPASS ${1+"$@"} ;;
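Review bot: `KDE_SSH_ASKPASS="/usr/lib/ssh/ksshaskpass"` hard-codes `/usr/lib`, while the spec file touched by this same commit packages the GNOME helper as `/usr/%_lib/ssh/gnome-ssh-askpass`, which is presumably `/usr/lib64/ssh/` on 64-bit builds. If ksshaskpass is installed the same way, the `-f` test in the new `kde)` arm never matches there and KDE sessions silently get the X11 dialog instead. The existing GNOME and X11 assignments have the same shape, so unless the wrapper is rewritten per architecture elsewhere, all three are better derived from one directory variable. Since the removed `# note:` line was the only documentation of the KDE case, I would also add a comment such as `# ksshaskpass is optional; fall back to x11-ssh-askpass when it is not installed`.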
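Review bot: The new `kde)` arm tests `[ -f $KDE_SSH_ASKPASS ]`, which accepts a file that exists but is not executable; the following `exec` then fails and the non-interactive shell exits without reaching the X11 fallback, so no passphrase prompt appears. Testing what the exec needs and quoting the expansion avoids that: `if [ -x "$KDE_SSH_ASKPASS" ]; then` followed by `exec "$KDE_SSH_ASKPASS" ${1+"$@"}`. The `gnome)` arm shown as context uses the same `-f` and unquoted pattern and would benefit from the same change. The enclosing `case` statement begins and ends outside this hunk.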