From 86b2d1c41c91bbff963539438155811f95330e47 Mon Sep 17 00:00:00 2001 From: "Jan F. Chadima" Date: Thu, 13 May 2010 14:25:38 +0000 Subject: [PATCH] - Make the Ldap configuration widely compatible - create the aditional docs for LDAP support. --- openssh-5.5p1-gsskex.patch | 230 +++++++-------- openssh-5.5p1-pka-ldap.patch | 532 ++++++++++++++++++++++++++++++----- openssh.spec | 32 +-- 3 files changed, 592 insertions(+), 202 deletions(-) diff --git a/openssh-5.5p1-gsskex.patch b/openssh-5.5p1-gsskex.patch index 3ffaf85..249faa4 100644 --- a/openssh-5.5p1-gsskex.patch +++ b/openssh-5.5p1-gsskex.patch @@ -1,6 +1,6 @@ -diff -up openssh-5.4p1/auth2.c.gsskex openssh-5.4p1/auth2.c ---- openssh-5.4p1/auth2.c.gsskex 2010-03-01 18:14:24.000000000 +0100 -+++ openssh-5.4p1/auth2.c 2010-03-01 18:14:28.000000000 +0100 +diff -up openssh-5.5p1/auth2.c.gsskex openssh-5.5p1/auth2.c +--- openssh-5.5p1/auth2.c.gsskex 2010-05-13 15:59:50.000000000 +0200 ++++ openssh-5.5p1/auth2.c 2010-05-13 15:59:58.000000000 +0200 @@ -69,6 +69,7 @@ extern Authmethod method_passwd; extern Authmethod method_kbdint; extern Authmethod method_hostbased; @@ -35,9 +35,9 @@ diff -up openssh-5.4p1/auth2.c.gsskex openssh-5.4p1/auth2.c authctxt->failures++; if (authctxt->failures >= options.max_authtries) { #ifdef SSH_AUDIT_EVENTS -diff -up openssh-5.4p1/auth2-gss.c.gsskex openssh-5.4p1/auth2-gss.c ---- openssh-5.4p1/auth2-gss.c.gsskex 2010-03-01 18:14:24.000000000 +0100 -+++ openssh-5.4p1/auth2-gss.c 2010-03-01 18:14:28.000000000 +0100 +diff -up openssh-5.5p1/auth2-gss.c.gsskex openssh-5.5p1/auth2-gss.c +--- openssh-5.5p1/auth2-gss.c.gsskex 2010-05-13 15:59:50.000000000 +0200 ++++ openssh-5.5p1/auth2-gss.c 2010-05-13 15:59:58.000000000 +0200 @@ -1,7 +1,7 @@ /* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */ 
@@ -137,9 +137,9 @@ diff -up openssh-5.4p1/auth2-gss.c.gsskex openssh-5.4p1/auth2-gss.c Authmethod method_gssapi = { "gssapi-with-mic", userauth_gssapi, -diff -up openssh-5.4p1/auth.h.gsskex openssh-5.4p1/auth.h ---- openssh-5.4p1/auth.h.gsskex 2010-03-01 18:14:25.000000000 +0100 -+++ openssh-5.4p1/auth.h 2010-03-01 18:14:28.000000000 +0100 +diff -up openssh-5.5p1/auth.h.gsskex openssh-5.5p1/auth.h +--- openssh-5.5p1/auth.h.gsskex 2010-05-13 15:59:50.000000000 +0200 ++++ openssh-5.5p1/auth.h 2010-05-13 15:59:58.000000000 +0200 @@ -53,6 +53,7 @@ struct Authctxt { int valid; /* user exists and is allowed to login */ int attempt; @@ -148,9 +148,9 @@ diff -up openssh-5.4p1/auth.h.gsskex openssh-5.4p1/auth.h int force_pwchange; char *user; /* username sent by the client */ char *service; -diff -up openssh-5.4p1/auth-krb5.c.gsskex openssh-5.4p1/auth-krb5.c ---- openssh-5.4p1/auth-krb5.c.gsskex 2009-12-21 00:49:22.000000000 +0100 -+++ openssh-5.4p1/auth-krb5.c 2010-03-01 18:14:28.000000000 +0100 +diff -up openssh-5.5p1/auth-krb5.c.gsskex openssh-5.5p1/auth-krb5.c +--- openssh-5.5p1/auth-krb5.c.gsskex 2009-12-21 00:49:22.000000000 +0100 ++++ openssh-5.5p1/auth-krb5.c 2010-05-13 15:59:58.000000000 +0200 @@ -170,8 +170,13 @@ auth_krb5_password(Authctxt *authctxt, c len = strlen(authctxt->krb5_ticket_file) + 6; @@ -198,9 +198,9 @@ diff -up openssh-5.4p1/auth-krb5.c.gsskex openssh-5.4p1/auth-krb5.c return (krb5_cc_resolve(ctx, ccname, ccache)); } -diff -up openssh-5.4p1/ChangeLog.gssapi.gsskex openssh-5.4p1/ChangeLog.gssapi ---- openssh-5.4p1/ChangeLog.gssapi.gsskex 2010-03-01 18:14:28.000000000 +0100 -+++ openssh-5.4p1/ChangeLog.gssapi 2010-03-01 18:14:28.000000000 +0100 +diff -up openssh-5.5p1/ChangeLog.gssapi.gsskex openssh-5.5p1/ChangeLog.gssapi +--- openssh-5.5p1/ChangeLog.gssapi.gsskex 2010-05-13 15:59:58.000000000 +0200 ++++ openssh-5.5p1/ChangeLog.gssapi 2010-05-13 15:59:58.000000000 +0200 
@@ -0,0 +1,95 @@ +20090615 + - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c @@ -297,9 +297,9 @@ diff -up openssh-5.4p1/ChangeLog.gssapi.gsskex openssh-5.4p1/ChangeLog.gssapi + add support for GssapiTrustDns option for gssapi-with-mic + (from jbasney AT ncsa.uiuc.edu) + -diff -up openssh-5.4p1/clientloop.c.gsskex openssh-5.4p1/clientloop.c ---- openssh-5.4p1/clientloop.c.gsskex 2010-01-30 07:28:35.000000000 +0100 -+++ openssh-5.4p1/clientloop.c 2010-03-01 18:14:28.000000000 +0100 +diff -up openssh-5.5p1/clientloop.c.gsskex openssh-5.5p1/clientloop.c +--- openssh-5.5p1/clientloop.c.gsskex 2010-03-21 19:54:02.000000000 +0100 ++++ openssh-5.5p1/clientloop.c 2010-05-13 15:59:58.000000000 +0200 @@ -111,6 +111,10 @@ #include "msg.h" #include "roaming.h" @@ -325,9 +325,9 @@ diff -up openssh-5.4p1/clientloop.c.gsskex openssh-5.4p1/clientloop.c if (need_rekeying || packet_need_rekeying()) { debug("need rekeying"); xxx_kex->done = 0; -diff -up openssh-5.4p1/configure.ac.gsskex openssh-5.4p1/configure.ac ---- openssh-5.4p1/configure.ac.gsskex 2010-03-01 18:14:27.000000000 +0100 -+++ openssh-5.4p1/configure.ac 2010-03-01 18:14:28.000000000 +0100 +diff -up openssh-5.5p1/configure.ac.gsskex openssh-5.5p1/configure.ac +--- openssh-5.5p1/configure.ac.gsskex 2010-05-13 15:59:52.000000000 +0200 ++++ openssh-5.5p1/configure.ac 2010-05-13 15:59:58.000000000 +0200 @@ -477,6 +477,30 @@ main() { if (NSVersionOfRunTimeLibrary(" [Use tunnel device compatibility to OpenBSD]) AC_DEFINE(SSH_TUN_PREPEND_AF, 1, 
@@ -359,9 +359,9 @@ diff -up openssh-5.4p1/configure.ac.gsskex openssh-5.4p1/configure.ac m4_pattern_allow(AU_IPv) AC_CHECK_DECL(AU_IPv4, [], AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records]) -diff -up openssh-5.4p1/gss-genr.c.gsskex openssh-5.4p1/gss-genr.c ---- openssh-5.4p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200 -+++ openssh-5.4p1/gss-genr.c 2010-03-01 18:14:28.000000000 +0100 +diff -up openssh-5.5p1/gss-genr.c.gsskex openssh-5.5p1/gss-genr.c +--- openssh-5.5p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200 ++++ openssh-5.5p1/gss-genr.c 2010-05-13 15:59:58.000000000 +0200 @@ -39,12 +39,167 @@ #include "buffer.h" #include "log.h" @@ -700,9 +700,9 @@ diff -up openssh-5.4p1/gss-genr.c.gsskex openssh-5.4p1/gss-genr.c +} + #endif /* GSSAPI */ -diff -up openssh-5.4p1/gss-serv.c.gsskex openssh-5.4p1/gss-serv.c ---- openssh-5.4p1/gss-serv.c.gsskex 2008-05-19 07:05:07.000000000 +0200 -+++ openssh-5.4p1/gss-serv.c 2010-03-01 18:14:28.000000000 +0100 +diff -up openssh-5.5p1/gss-serv.c.gsskex openssh-5.5p1/gss-serv.c +--- openssh-5.5p1/gss-serv.c.gsskex 2008-05-19 07:05:07.000000000 +0200 ++++ openssh-5.5p1/gss-serv.c 2010-05-13 15:59:58.000000000 +0200 @@ -1,7 +1,7 @@ /* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */ @@ -1016,9 +1016,9 @@ diff -up openssh-5.4p1/gss-serv.c.gsskex openssh-5.4p1/gss-serv.c } #endif -diff -up openssh-5.4p1/gss-serv-krb5.c.gsskex openssh-5.4p1/gss-serv-krb5.c ---- openssh-5.4p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200 -+++ openssh-5.4p1/gss-serv-krb5.c 2010-03-01 18:14:28.000000000 +0100 +diff -up openssh-5.5p1/gss-serv-krb5.c.gsskex openssh-5.5p1/gss-serv-krb5.c +--- openssh-5.5p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200 ++++ openssh-5.5p1/gss-serv-krb5.c 2010-05-13 15:59:59.000000000 +0200 @@ -1,7 +1,7 @@ /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ 
@@ -1139,9 +1139,9 @@ diff -up openssh-5.4p1/gss-serv-krb5.c.gsskex openssh-5.4p1/gss-serv-krb5.c }; #endif /* KRB5 */ -diff -up openssh-5.4p1/kex.c.gsskex openssh-5.4p1/kex.c ---- openssh-5.4p1/kex.c.gsskex 2010-01-08 06:50:41.000000000 +0100 -+++ openssh-5.4p1/kex.c 2010-03-01 18:18:42.000000000 +0100 +diff -up openssh-5.5p1/kex.c.gsskex openssh-5.5p1/kex.c +--- openssh-5.5p1/kex.c.gsskex 2010-01-08 06:50:41.000000000 +0100 ++++ openssh-5.5p1/kex.c 2010-05-13 15:59:59.000000000 +0200 @@ -50,6 +50,10 @@ #include "monitor.h" #include "roaming.h" @@ -1174,9 +1174,9 @@ diff -up openssh-5.4p1/kex.c.gsskex openssh-5.4p1/kex.c } else fatal("bad kex alg %s", k->name); } -diff -up openssh-5.4p1/kexgssc.c.gsskex openssh-5.4p1/kexgssc.c ---- openssh-5.4p1/kexgssc.c.gsskex 2010-03-01 18:14:28.000000000 +0100 -+++ openssh-5.4p1/kexgssc.c 2010-03-01 18:14:28.000000000 +0100 +diff -up openssh-5.5p1/kexgssc.c.gsskex openssh-5.5p1/kexgssc.c +--- openssh-5.5p1/kexgssc.c.gsskex 2010-05-13 15:59:59.000000000 +0200 ++++ openssh-5.5p1/kexgssc.c 2010-05-13 15:59:59.000000000 +0200 @@ -0,0 +1,334 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -1512,9 +1512,9 @@ diff -up openssh-5.4p1/kexgssc.c.gsskex openssh-5.4p1/kexgssc.c +} + +#endif /* GSSAPI */ -diff -up openssh-5.4p1/kexgsss.c.gsskex openssh-5.4p1/kexgsss.c ---- openssh-5.4p1/kexgsss.c.gsskex 2010-03-01 18:14:28.000000000 +0100 -+++ openssh-5.4p1/kexgsss.c 2010-03-01 18:14:28.000000000 +0100 +diff -up openssh-5.5p1/kexgsss.c.gsskex openssh-5.5p1/kexgsss.c +--- openssh-5.5p1/kexgsss.c.gsskex 2010-05-13 15:59:59.000000000 +0200 ++++ openssh-5.5p1/kexgsss.c 2010-05-13 15:59:59.000000000 +0200 @@ -0,0 +1,288 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 
@@ -1804,9 +1804,9 @@ diff -up openssh-5.4p1/kexgsss.c.gsskex openssh-5.4p1/kexgsss.c + ssh_gssapi_rekey_creds(); +} +#endif /* GSSAPI */ -diff -up openssh-5.4p1/kex.h.gsskex openssh-5.4p1/kex.h ---- openssh-5.4p1/kex.h.gsskex 2010-02-26 21:55:05.000000000 +0100 -+++ openssh-5.4p1/kex.h 2010-03-01 18:14:28.000000000 +0100 +diff -up openssh-5.5p1/kex.h.gsskex openssh-5.5p1/kex.h +--- openssh-5.5p1/kex.h.gsskex 2010-02-26 21:55:05.000000000 +0100 ++++ openssh-5.5p1/kex.h 2010-05-13 15:59:59.000000000 +0200 @@ -67,6 +67,9 @@ enum kex_exchange { KEX_DH_GRP14_SHA1, KEX_DH_GEX_SHA1, @@ -1842,10 +1842,10 @@ diff -up openssh-5.4p1/kex.h.gsskex openssh-5.4p1/kex.h void kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); -diff -up openssh-5.4p1/key.c.gsskex openssh-5.4p1/key.c ---- openssh-5.4p1/key.c.gsskex 2010-02-26 21:55:05.000000000 +0100 -+++ openssh-5.4p1/key.c 2010-03-01 18:20:43.000000000 +0100 -@@ -969,6 +969,8 @@ key_type_from_name(char *name) +diff -up openssh-5.5p1/key.c.gsskex openssh-5.5p1/key.c +--- openssh-5.5p1/key.c.gsskex 2010-03-21 19:58:24.000000000 +0100 ++++ openssh-5.5p1/key.c 2010-05-13 15:59:59.000000000 +0200 +@@ -982,6 +982,8 @@ key_type_from_name(char *name) return KEY_RSA_CERT; } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) { return KEY_DSA_CERT; @@ -1854,9 +1854,9 @@ diff -up openssh-5.4p1/key.c.gsskex openssh-5.4p1/key.c } debug2("key_type_from_name: unknown key type '%s'", name); return KEY_UNSPEC; -diff -up openssh-5.4p1/key.h.gsskex openssh-5.4p1/key.h ---- openssh-5.4p1/key.h.gsskex 2010-02-26 21:55:05.000000000 +0100 -+++ openssh-5.4p1/key.h 2010-03-01 18:21:22.000000000 +0100 +diff -up openssh-5.5p1/key.h.gsskex openssh-5.5p1/key.h +--- openssh-5.5p1/key.h.gsskex 2010-03-21 19:58:24.000000000 +0100 ++++ openssh-5.5p1/key.h 2010-05-13 15:59:59.000000000 +0200 @@ -37,6 +37,7 @@ enum types { KEY_DSA, KEY_RSA_CERT, 
@@ -1865,10 +1865,10 @@ diff -up openssh-5.4p1/key.h.gsskex openssh-5.4p1/key.h KEY_UNSPEC }; enum fp_type { -diff -up openssh-5.4p1/Makefile.in.gsskex openssh-5.4p1/Makefile.in ---- openssh-5.4p1/Makefile.in.gsskex 2010-03-01 18:14:27.000000000 +0100 -+++ openssh-5.4p1/Makefile.in 2010-03-01 18:23:31.000000000 +0100 -@@ -76,11 +76,11 @@ +diff -up openssh-5.5p1/Makefile.in.gsskex openssh-5.5p1/Makefile.in +--- openssh-5.5p1/Makefile.in.gsskex 2010-05-13 15:59:57.000000000 +0200 ++++ openssh-5.5p1/Makefile.in 2010-05-13 16:01:34.000000000 +0200 +@@ -76,11 +76,11 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \ entropy.o gss-genr.o umac.o jpake.o schnorr.o \ 
@@ -1882,18 +1882,18 @@ diff -up openssh-5.4p1/Makefile.in.gsskex openssh-5.4p1/Makefile.in SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ sshpty.o sshlogin.o servconf.o serverloop.o \ -@@ -93,7 +93,7 @@ +@@ -93,7 +93,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw auth2-gss.o gss-serv.o gss-serv-krb5.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ - roaming_common.o roaming_serv.o + roaming_common.o roaming_serv.o kexgsss.o - MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out - MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 -diff -up openssh-5.4p1/monitor.c.gsskex openssh-5.4p1/monitor.c ---- openssh-5.4p1/monitor.c.gsskex 2010-03-01 18:14:25.000000000 +0100 -+++ openssh-5.4p1/monitor.c 2010-03-01 18:14:29.000000000 +0100 + MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out + MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5 +diff -up openssh-5.5p1/monitor.c.gsskex openssh-5.5p1/monitor.c +--- openssh-5.5p1/monitor.c.gsskex 2010-05-13 15:59:50.000000000 +0200 ++++ openssh-5.5p1/monitor.c 2010-05-13 15:59:59.000000000 +0200 
@@ -175,6 +175,8 @@ int mm_answer_gss_setup_ctx(int, Buffer int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_userok(int, Buffer *); @@ -1946,7 +1946,7 @@ diff -up openssh-5.4p1/monitor.c.gsskex openssh-5.4p1/monitor.c } else { mon_dispatch = mon_dispatch_postauth15; monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); -@@ -1738,6 +1755,13 @@ mm_get_kex(Buffer *m) +@@ -1723,6 +1740,13 @@ mm_get_kex(Buffer *m) kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; @@ -1960,7 +1960,7 @@ diff -up openssh-5.4p1/monitor.c.gsskex openssh-5.4p1/monitor.c kex->server = 1; kex->hostkey_type = buffer_get_int(m); kex->kex_type = buffer_get_int(m); -@@ -1944,6 +1968,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer +@@ -1929,6 +1953,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer OM_uint32 major; u_int len; @@ -1970,7 +1970,7 @@ diff -up openssh-5.4p1/monitor.c.gsskex openssh-5.4p1/monitor.c goid.elements = buffer_get_string(m, &len); goid.length = len; -@@ -1971,6 +1998,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe +@@ -1956,6 +1983,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe OM_uint32 flags = 0; /* GSI needs this */ u_int len; @@ -1980,7 +1980,7 @@ diff -up openssh-5.4p1/monitor.c.gsskex openssh-5.4p1/monitor.c in.value = buffer_get_string(m, &len); in.length = len; major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); -@@ -1988,6 +2018,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe +@@ -1973,6 +2003,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); @@ -1988,7 +1988,7 @@ diff -up openssh-5.4p1/monitor.c.gsskex openssh-5.4p1/monitor.c } return (0); } -@@ -1999,6 +2030,9 @@ mm_answer_gss_checkmic(int sock, Buffer +@@ -1984,6 +2015,9 @@ mm_answer_gss_checkmic(int sock, Buffer OM_uint32 ret; u_int len; 
@@ -1998,7 +1998,7 @@ diff -up openssh-5.4p1/monitor.c.gsskex openssh-5.4p1/monitor.c gssbuf.value = buffer_get_string(m, &len); gssbuf.length = len; mic.value = buffer_get_string(m, &len); -@@ -2025,7 +2059,11 @@ mm_answer_gss_userok(int sock, Buffer *m +@@ -2010,7 +2044,11 @@ mm_answer_gss_userok(int sock, Buffer *m { int authenticated; @@ -2011,7 +2011,7 @@ diff -up openssh-5.4p1/monitor.c.gsskex openssh-5.4p1/monitor.c buffer_clear(m); buffer_put_int(m, authenticated); -@@ -2038,6 +2076,74 @@ mm_answer_gss_userok(int sock, Buffer *m +@@ -2023,6 +2061,74 @@ mm_answer_gss_userok(int sock, Buffer *m /* Monitor loop will terminate if authenticated */ return (authenticated); } @@ -2086,9 +2086,9 @@ diff -up openssh-5.4p1/monitor.c.gsskex openssh-5.4p1/monitor.c #endif /* GSSAPI */ #ifdef JPAKE -diff -up openssh-5.4p1/monitor.h.gsskex openssh-5.4p1/monitor.h ---- openssh-5.4p1/monitor.h.gsskex 2010-03-01 18:14:25.000000000 +0100 -+++ openssh-5.4p1/monitor.h 2010-03-01 18:14:29.000000000 +0100 +diff -up openssh-5.5p1/monitor.h.gsskex openssh-5.5p1/monitor.h +--- openssh-5.5p1/monitor.h.gsskex 2010-05-13 15:59:50.000000000 +0200 ++++ openssh-5.5p1/monitor.h 2010-05-13 15:59:59.000000000 +0200 @@ -56,6 +56,8 @@ enum monitor_reqtype { MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP, MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK, 
@@ -2098,10 +2098,10 @@ diff -up openssh-5.4p1/monitor.h.gsskex openssh-5.4p1/monitor.h MONITOR_REQ_PAM_START, MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, -diff -up openssh-5.4p1/monitor_wrap.c.gsskex openssh-5.4p1/monitor_wrap.c ---- openssh-5.4p1/monitor_wrap.c.gsskex 2010-03-01 18:14:25.000000000 +0100 -+++ openssh-5.4p1/monitor_wrap.c 2010-03-01 18:14:29.000000000 +0100 -@@ -1267,7 +1267,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss +diff -up openssh-5.5p1/monitor_wrap.c.gsskex openssh-5.5p1/monitor_wrap.c +--- openssh-5.5p1/monitor_wrap.c.gsskex 2010-05-13 15:59:51.000000000 +0200 ++++ openssh-5.5p1/monitor_wrap.c 2010-05-13 15:59:59.000000000 +0200 +@@ -1250,7 +1250,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss } int @@ -2110,7 +2110,7 @@ diff -up openssh-5.4p1/monitor_wrap.c.gsskex openssh-5.4p1/monitor_wrap.c { Buffer m; int authenticated = 0; -@@ -1284,6 +1284,51 @@ mm_ssh_gssapi_userok(char *user) +@@ -1267,6 +1267,51 @@ mm_ssh_gssapi_userok(char *user) debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); return (authenticated); } @@ -2162,9 +2162,9 @@ diff -up openssh-5.4p1/monitor_wrap.c.gsskex openssh-5.4p1/monitor_wrap.c #endif /* GSSAPI */ #ifdef JPAKE -diff -up openssh-5.4p1/monitor_wrap.h.gsskex openssh-5.4p1/monitor_wrap.h ---- openssh-5.4p1/monitor_wrap.h.gsskex 2010-03-01 18:14:25.000000000 +0100 -+++ openssh-5.4p1/monitor_wrap.h 2010-03-01 18:14:29.000000000 +0100 +diff -up openssh-5.5p1/monitor_wrap.h.gsskex openssh-5.5p1/monitor_wrap.h +--- openssh-5.5p1/monitor_wrap.h.gsskex 2010-05-13 15:59:51.000000000 +0200 ++++ openssh-5.5p1/monitor_wrap.h 2010-05-13 15:59:59.000000000 +0200 @@ -60,8 +60,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, 
@@ -2177,9 +2177,9 @@ diff -up openssh-5.4p1/monitor_wrap.h.gsskex openssh-5.4p1/monitor_wrap.h #endif #ifdef USE_PAM -diff -up openssh-5.4p1/readconf.c.gsskex openssh-5.4p1/readconf.c ---- openssh-5.4p1/readconf.c.gsskex 2010-02-11 23:21:03.000000000 +0100 -+++ openssh-5.4p1/readconf.c 2010-03-01 18:14:29.000000000 +0100 +diff -up openssh-5.5p1/readconf.c.gsskex openssh-5.5p1/readconf.c +--- openssh-5.5p1/readconf.c.gsskex 2010-02-11 23:21:03.000000000 +0100 ++++ openssh-5.5p1/readconf.c 2010-05-13 15:59:59.000000000 +0200 @@ -127,6 +127,7 @@ typedef enum { oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, @@ -2261,9 +2261,9 @@ diff -up openssh-5.4p1/readconf.c.gsskex openssh-5.4p1/readconf.c if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -diff -up openssh-5.4p1/readconf.h.gsskex openssh-5.4p1/readconf.h ---- openssh-5.4p1/readconf.h.gsskex 2010-02-11 23:21:03.000000000 +0100 -+++ openssh-5.4p1/readconf.h 2010-03-01 18:14:29.000000000 +0100 +diff -up openssh-5.5p1/readconf.h.gsskex openssh-5.5p1/readconf.h +--- openssh-5.5p1/readconf.h.gsskex 2010-02-11 23:21:03.000000000 +0100 ++++ openssh-5.5p1/readconf.h 2010-05-13 16:00:00.000000000 +0200 @@ -44,7 +44,11 @@ typedef struct { int challenge_response_authentication; /* Try S/Key or TIS, authentication. */ 
@@ -2276,9 +2276,9 @@ diff -up openssh-5.4p1/readconf.h.gsskex openssh-5.4p1/readconf.h int password_authentication; /* Try password * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ -diff -up openssh-5.4p1/servconf.c.gsskex openssh-5.4p1/servconf.c ---- openssh-5.4p1/servconf.c.gsskex 2010-03-01 18:14:28.000000000 +0100 -+++ openssh-5.4p1/servconf.c 2010-03-01 18:25:32.000000000 +0100 +diff -up openssh-5.5p1/servconf.c.gsskex openssh-5.5p1/servconf.c +--- openssh-5.5p1/servconf.c.gsskex 2010-05-13 15:59:54.000000000 +0200 ++++ openssh-5.5p1/servconf.c 2010-05-13 16:00:00.000000000 +0200 @@ -93,7 +93,10 @@ initialize_server_options(ServerOptions options->kerberos_ticket_cleanup = -1; options->kerberos_get_afs_token = -1; @@ -2290,7 +2290,7 @@ diff -up openssh-5.4p1/servconf.c.gsskex openssh-5.4p1/servconf.c options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; -@@ -215,8 +218,14 @@ fill_default_server_options(ServerOption +@@ -217,8 +220,14 @@ fill_default_server_options(ServerOption options->kerberos_get_afs_token = 0; if (options->gss_authentication == -1) options->gss_authentication = 0; @@ -2305,7 +2305,7 @@ diff -up openssh-5.4p1/servconf.c.gsskex openssh-5.4p1/servconf.c if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -310,7 +319,9 @@ typedef enum { +@@ -312,7 +321,9 @@ typedef enum { sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, 
@@ -2316,7 +2316,7 @@ diff -up openssh-5.4p1/servconf.c.gsskex openssh-5.4p1/servconf.c sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, sZeroKnowledgePasswordAuthentication, sHostCertificate, -@@ -373,9 +384,15 @@ static struct { +@@ -376,9 +387,15 @@ static struct { #ifdef GSSAPI { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, @@ -2332,7 +2332,7 @@ diff -up openssh-5.4p1/servconf.c.gsskex openssh-5.4p1/servconf.c #endif { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, -@@ -935,10 +952,22 @@ process_server_config_line(ServerOptions +@@ -939,10 +956,22 @@ process_server_config_line(ServerOptions intptr = &options->gss_authentication; goto parse_flag; @@ -2355,9 +2355,9 @@ diff -up openssh-5.4p1/servconf.c.gsskex openssh-5.4p1/servconf.c case sPasswordAuthentication: intptr = &options->password_authentication; goto parse_flag; -diff -up openssh-5.4p1/servconf.h.gsskex openssh-5.4p1/servconf.h ---- openssh-5.4p1/servconf.h.gsskex 2010-03-01 18:14:28.000000000 +0100 -+++ openssh-5.4p1/servconf.h 2010-03-01 18:14:29.000000000 +0100 +diff -up openssh-5.5p1/servconf.h.gsskex openssh-5.5p1/servconf.h +--- openssh-5.5p1/servconf.h.gsskex 2010-05-13 15:59:54.000000000 +0200 ++++ openssh-5.5p1/servconf.h 2010-05-13 16:00:00.000000000 +0200 @@ -94,7 +94,10 @@ typedef struct { int kerberos_get_afs_token; /* If true, try to get AFS token if * authenticated with Kerberos. */ 
@@ -2369,9 +2369,9 @@ diff -up openssh-5.4p1/servconf.h.gsskex openssh-5.4p1/servconf.h int password_authentication; /* If true, permit password * authentication. */ int kbd_interactive_authentication; /* If true, permit */ -diff -up openssh-5.4p1/ssh_config.5.gsskex openssh-5.4p1/ssh_config.5 ---- openssh-5.4p1/ssh_config.5.gsskex 2010-02-11 23:26:02.000000000 +0100 -+++ openssh-5.4p1/ssh_config.5 2010-03-01 18:14:29.000000000 +0100 +diff -up openssh-5.5p1/ssh_config.5.gsskex openssh-5.5p1/ssh_config.5 +--- openssh-5.5p1/ssh_config.5.gsskex 2010-03-26 02:09:13.000000000 +0100 ++++ openssh-5.5p1/ssh_config.5 2010-05-13 16:00:00.000000000 +0200 @@ -478,11 +478,38 @@ Specifies whether user authentication ba The default is .Dq no . @@ -2412,9 +2412,9 @@ diff -up openssh-5.4p1/ssh_config.5.gsskex openssh-5.4p1/ssh_config.5 .It Cm HashKnownHosts Indicates that .Xr ssh 1 -diff -up openssh-5.4p1/ssh_config.gsskex openssh-5.4p1/ssh_config ---- openssh-5.4p1/ssh_config.gsskex 2010-03-01 18:14:24.000000000 +0100 -+++ openssh-5.4p1/ssh_config 2010-03-01 18:14:29.000000000 +0100 +diff -up openssh-5.5p1/ssh_config.gsskex openssh-5.5p1/ssh_config +--- openssh-5.5p1/ssh_config.gsskex 2010-05-13 15:59:48.000000000 +0200 ++++ openssh-5.5p1/ssh_config 2010-05-13 16:00:00.000000000 +0200 @@ -26,6 +26,8 @@ # HostbasedAuthentication no # GSSAPIAuthentication no @@ -2424,9 +2424,9 @@ diff -up openssh-5.4p1/ssh_config.gsskex openssh-5.4p1/ssh_config # BatchMode no # CheckHostIP yes # AddressFamily any -diff -up openssh-5.4p1/sshconnect2.c.gsskex openssh-5.4p1/sshconnect2.c ---- openssh-5.4p1/sshconnect2.c.gsskex 2010-03-01 18:14:27.000000000 +0100 -+++ openssh-5.4p1/sshconnect2.c 2010-03-01 18:14:29.000000000 +0100 +diff -up openssh-5.5p1/sshconnect2.c.gsskex openssh-5.5p1/sshconnect2.c +--- openssh-5.5p1/sshconnect2.c.gsskex 2010-05-13 15:59:57.000000000 +0200 ++++ openssh-5.5p1/sshconnect2.c 2010-05-13 16:00:00.000000000 +0200 
@@ -108,9 +108,34 @@ ssh_kex2(char *host, struct sockaddr *ho { Kex *kex; @@ -2624,9 +2624,9 @@ diff -up openssh-5.4p1/sshconnect2.c.gsskex openssh-5.4p1/sshconnect2.c #endif /* GSSAPI */ int -diff -up openssh-5.4p1/sshd.c.gsskex openssh-5.4p1/sshd.c ---- openssh-5.4p1/sshd.c.gsskex 2010-03-01 18:14:27.000000000 +0100 -+++ openssh-5.4p1/sshd.c 2010-03-01 18:14:29.000000000 +0100 +diff -up openssh-5.5p1/sshd.c.gsskex openssh-5.5p1/sshd.c +--- openssh-5.5p1/sshd.c.gsskex 2010-05-13 15:59:57.000000000 +0200 ++++ openssh-5.5p1/sshd.c 2010-05-13 16:00:00.000000000 +0200 @@ -129,6 +129,10 @@ int allow_severity; int deny_severity; #endif /* LIBWRAP */ @@ -2713,7 +2713,7 @@ diff -up openssh-5.4p1/sshd.c.gsskex openssh-5.4p1/sshd.c /* * We don't want to listen forever unless the other side * successfully authenticates itself. So we set up an alarm which is -@@ -2314,12 +2375,61 @@ do_ssh2_kex(void) +@@ -2315,12 +2376,61 @@ do_ssh2_kex(void) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); @@ -2775,9 +2775,9 @@ diff -up openssh-5.4p1/sshd.c.gsskex openssh-5.4p1/sshd.c kex->server = 1; kex->client_version_string=client_version_string; kex->server_version_string=server_version_string; -diff -up openssh-5.4p1/sshd_config.5.gsskex openssh-5.4p1/sshd_config.5 ---- openssh-5.4p1/sshd_config.5.gsskex 2010-03-01 18:14:28.000000000 +0100 -+++ openssh-5.4p1/sshd_config.5 2010-03-01 18:14:29.000000000 +0100 +diff -up openssh-5.5p1/sshd_config.5.gsskex openssh-5.5p1/sshd_config.5 +--- openssh-5.5p1/sshd_config.5.gsskex 2010-05-13 15:59:54.000000000 +0200 ++++ openssh-5.5p1/sshd_config.5 2010-05-13 16:00:00.000000000 +0200 @@ -379,12 +379,40 @@ Specifies whether user authentication ba The default is .Dq no . 
@@ -2819,9 +2819,9 @@ diff -up openssh-5.4p1/sshd_config.5.gsskex openssh-5.4p1/sshd_config.5 .It Cm HostbasedAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed -diff -up openssh-5.4p1/sshd_config.gsskex openssh-5.4p1/sshd_config ---- openssh-5.4p1/sshd_config.gsskex 2010-03-01 18:14:28.000000000 +0100 -+++ openssh-5.4p1/sshd_config 2010-03-01 18:14:29.000000000 +0100 +diff -up openssh-5.5p1/sshd_config.gsskex openssh-5.5p1/sshd_config +--- openssh-5.5p1/sshd_config.gsskex 2010-05-13 15:59:54.000000000 +0200 ++++ openssh-5.5p1/sshd_config 2010-05-13 16:00:00.000000000 +0200 @@ -78,6 +78,8 @@ ChallengeResponseAuthentication no GSSAPIAuthentication yes #GSSAPICleanupCredentials yes @@ -2831,9 +2831,9 @@ diff -up openssh-5.4p1/sshd_config.gsskex openssh-5.4p1/sshd_config # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will -diff -up openssh-5.4p1/ssh-gss.h.gsskex openssh-5.4p1/ssh-gss.h ---- openssh-5.4p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200 -+++ openssh-5.4p1/ssh-gss.h 2010-03-01 18:14:30.000000000 +0100 +diff -up openssh-5.5p1/ssh-gss.h.gsskex openssh-5.5p1/ssh-gss.h +--- openssh-5.5p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200 ++++ openssh-5.5p1/ssh-gss.h 2010-05-13 16:00:00.000000000 +0200 @@ -1,6 +1,6 @@ /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */ /* diff --git a/openssh-5.5p1-pka-ldap.patch b/openssh-5.5p1-pka-ldap.patch index 58a7956..644b075 100644 --- a/openssh-5.5p1-pka-ldap.patch +++ b/openssh-5.5p1-pka-ldap.patch 
@@ -1,6 +1,6 @@ diff -up openssh-5.5p1/auth2-pubkey.c.pka openssh-5.5p1/auth2-pubkey.c ---- openssh-5.5p1/auth2-pubkey.c.pka 2010-05-06 15:49:14.000000000 +0200 -+++ openssh-5.5p1/auth2-pubkey.c 2010-05-06 15:49:15.000000000 +0200 +--- openssh-5.5p1/auth2-pubkey.c.pka 2010-05-12 21:53:55.000000000 +0200 ++++ openssh-5.5p1/auth2-pubkey.c 2010-05-12 21:53:58.000000000 +0200 @@ -186,27 +186,15 @@ done: /* return 1 if user allows given key */ @@ -196,7 +196,7 @@ diff -up openssh-5.5p1/auth2-pubkey.c.pka openssh-5.5p1/auth2-pubkey.c if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key)) diff -up openssh-5.5p1/config.h.in.pka openssh-5.5p1/config.h.in --- openssh-5.5p1/config.h.in.pka 2010-04-16 02:17:09.000000000 +0200 -+++ openssh-5.5p1/config.h.in 2010-05-06 15:49:15.000000000 +0200 ++++ openssh-5.5p1/config.h.in 2010-05-12 21:53:58.000000000 +0200 @@ -1,5 +1,8 @@ /* config.h.in. Generated from configure.ac by autoheader. */ @@ -362,8 +362,8 @@ diff -up openssh-5.5p1/config.h.in.pka openssh-5.5p1/config.h.in /* Define if xauth is found in your path */ #undef XAUTH_PATH diff -up openssh-5.5p1/configure.ac.pka openssh-5.5p1/configure.ac ---- openssh-5.5p1/configure.ac.pka 2010-05-06 15:49:14.000000000 +0200 -+++ openssh-5.5p1/configure.ac 2010-05-06 15:49:15.000000000 +0200 +--- openssh-5.5p1/configure.ac.pka 2010-05-12 21:53:57.000000000 +0200 ++++ openssh-5.5p1/configure.ac 2010-05-12 21:53:58.000000000 +0200 @@ -1346,6 +1346,118 @@ AC_ARG_WITH(audit, esac ] ) 
@@ -493,8 +493,8 @@ diff -up openssh-5.5p1/configure.ac.pka openssh-5.5p1/configure.ac echo " libedit support: $LIBEDIT_MSG" echo " Solaris process contract support: $SPC_MSG" diff -up openssh-5.5p1/ldapbody.c.pka openssh-5.5p1/ldapbody.c ---- openssh-5.5p1/ldapbody.c.pka 2010-05-06 15:49:15.000000000 +0200 -+++ openssh-5.5p1/ldapbody.c 2010-05-06 15:49:15.000000000 +0200 +--- openssh-5.5p1/ldapbody.c.pka 2010-05-12 21:53:58.000000000 +0200 ++++ openssh-5.5p1/ldapbody.c 2010-05-12 21:53:58.000000000 +0200 @@ -0,0 +1,494 @@ +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -991,8 +991,8 @@ diff -up openssh-5.5p1/ldapbody.c.pka openssh-5.5p1/ldapbody.c +} + diff -up openssh-5.5p1/ldapbody.h.pka openssh-5.5p1/ldapbody.h ---- openssh-5.5p1/ldapbody.h.pka 2010-05-06 15:49:15.000000000 +0200 -+++ openssh-5.5p1/ldapbody.h 2010-05-06 15:49:15.000000000 +0200 +--- openssh-5.5p1/ldapbody.h.pka 2010-05-12 21:53:58.000000000 +0200 ++++ openssh-5.5p1/ldapbody.h 2010-05-12 21:53:58.000000000 +0200 @@ -0,0 +1,37 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1032,9 +1032,9 @@ diff -up openssh-5.5p1/ldapbody.h.pka openssh-5.5p1/ldapbody.h +#endif /* LDAPBODY_H */ + diff -up openssh-5.5p1/ldapconf.c.pka openssh-5.5p1/ldapconf.c ---- openssh-5.5p1/ldapconf.c.pka 2010-05-06 15:49:15.000000000 +0200 -+++ openssh-5.5p1/ldapconf.c 2010-05-06 15:47:43.000000000 +0200 -@@ -0,0 +1,673 @@ +--- openssh-5.5p1/ldapconf.c.pka 2010-05-12 21:53:58.000000000 +0200 ++++ openssh-5.5p1/ldapconf.c 2010-05-13 13:32:05.000000000 +0200 +@@ -0,0 +1,682 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* + * Copyright (c) 2009 Jan F. Chadima. All rights reserved. 
@@ -1076,9 +1076,9 @@ diff -up openssh-5.5p1/ldapconf.c.pka openssh-5.5p1/ldapconf.c
 + lHost, lURI, lBase, lBindDN, lBindPW, lRootBindDN,
 + lScope, lDeref, lPort, lTimeLimit, lBind_TimeLimit,
 + lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals,
-+ lRestart, lTLS_CheckPeer, lTLS_Certificate, lTLS_CaCertFile,
++ lRestart, lTLS_CheckPeer, lTLS_CaCertFile,
 + lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
-+ lTLS_RandFile, lLogdir, lDebug, lSSH_Filter,
++ lTLS_RandFile, lLogDir, lDebug, lSSH_Filter,
 + lDeprecated, lUnsupported
 +} OpCodes;
 +
@@ -1088,18 +1088,25 @@ diff -up openssh-5.5p1/ldapconf.c.pka openssh-5.5p1/ldapconf.c
 + const char *name;
 + OpCodes opcode;
 +} keywords[] = {
-+ { "Host", lHost },
 + { "URI", lURI },
 + { "Base", lBase },
 + { "BindDN", lBindDN },
 + { "BindPW", lBindPW },
 + { "RootBindDN", lRootBindDN },
++ { "Host", lHost },
++ { "Port", lPort },
 + { "Scope", lScope },
 + { "Deref", lDeref },
-+ { "Port", lPort },
-+ { "Timelimit", lTimeLimit },
++ { "TimeLimit", lTimeLimit },
++ { "TimeOut", lTimeLimit },
 + { "Bind_Timelimit", lBind_TimeLimit },
++ { "Network_TimeOut", lBind_TimeLimit },
++/*
++ * Todo
++ * SIZELIMIT
++ */
 + { "Ldap_Version", lLdap_Version },
++ { "Version", lLdap_Version },
 + { "Bind_Policy", lBind_Policy },
 + { "SSLPath", lSSLPath },
 + { "SSL", lSSL },
@@ -1107,13 +1114,13 @@ diff -up openssh-5.5p1/ldapconf.c.pka openssh-5.5p1/ldapconf.c
 + { "Restart", lRestart },
 + { "TLS_CheckPeer", lTLS_CheckPeer },
 + { "TLS_ReqCert", lTLS_CheckPeer },
-+ { "TLS_Certificate", lTLS_Certificate },
 + { "TLS_CaCertFile", lTLS_CaCertFile },
 + { "TLS_CaCert", lTLS_CaCertFile },
 + { "TLS_CaCertDir", lTLS_CaCertDir },
 + { "TLS_Ciphers", lTLS_Ciphers },
 + { "TLS_Cipher_Suite", lTLS_Ciphers },
 + { "TLS_Cert", lTLS_Cert },
++ { "TLS_Certificate", lTLS_Cert },
 + { "TLS_Key", lTLS_Key },
 + { "TLS_RandFile", lTLS_RandFile },
 +/*
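Review bot: Removing lTLS_Certificate from the OpCodes enum will break the build if a `case lTLS_Certificate:` still exists in the option switch; none of the ldapconf.c hunks in this chunk removes one, so either it never existed or the removal is outside this view — worth confirming the file compiles with LDAP support enabled. Renaming the table entry `Timelimit` to `TimeLimit` only stays backward compatible if the keyword lookup is case-insensitive, as the new man page states; the lookup itself is outside these hunks. The new alias rows would be clearer with a short comment such as `/* aliases accepted for OpenLDAP/nss_ldap ldap.conf compatibility */` above the first of them, since several names now map to one opcode without explanation.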
@@ -1121,7 +1128,7 @@ diff -up openssh-5.5p1/ldapconf.c.pka openssh-5.5p1/ldapconf.c
 + * TLS_CRLCHECK
 + * TLS_CRLFILE
 + */
-+ { "Logdir", lLogdir },
++ { "LogDir", lLogDir },
 + { "Debug", lDebug },
 + { "SSH_Filter", lSSH_Filter },
 + { NULL, lBadOption }
@@ -1230,11 +1237,11 @@ diff -up openssh-5.5p1/ldapconf.c.pka openssh-5.5p1/ldapconf.c
 + if (!arg || *arg == '\0')
 + fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
 + value = 0; /* To avoid compiler warning... */
-+ if (!strcasecmp (arg, "sub"))
++ if (strcasecmp (arg, "sub") == 0 || strcasecmp (arg, "subtree") == 0)
 + value = LDAP_SCOPE_SUBTREE;
-+ else if (!strcasecmp (arg, "one"))
++ else if (strcasecmp (arg, "one") == 0)
 + value = LDAP_SCOPE_ONELEVEL;
-+ else if (!strcasecmp (arg, "base"))
++ else if (strcasecmp (arg, "base") == 0)
 + value = LDAP_SCOPE_BASE;
 + else
 + fatal("%.200s line %d: Bad sub/one/base argument.", filename, linenum);
@@ -1307,7 +1314,7 @@ diff -up openssh-5.5p1/ldapconf.c.pka openssh-5.5p1/ldapconf.c
 + if (!arg || *arg == '\0')
 + fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
 + value = 0; /* To avoid compiler warning... */
-+ if (strcasecmp(arg, "hard") == 0)
++ if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "hard_open") == 0 || strcasecmp(arg, "hard_init") == 0)
 + value = 1;
 + else if (strcasecmp(arg, "soft") == 0)
 + value = 0;
@@ -1404,7 +1411,7 @@ diff -up openssh-5.5p1/ldapconf.c.pka openssh-5.5p1/ldapconf.c
 + charptr = &options.tls_randfile;
 + goto parse_string;
 +
-+ case lLogdir:
++ case lLogDir:
 + charptr = &options.logdir;
 + goto parse_string;
 +
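Review bot: The new Bind_Policy condition `if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "hard_open") == 0 || strcasecmp(arg, "hard_init") == 0)` runs far past 80 columns, unlike the surrounding OpenSSH-style code; wrap it with a continuation line after the first `||`, and the same applies to the widened Scope test in the hunk above it. Folding hard_open and hard_init onto the single retry flag (value = 1) discards whatever distinction those two nss_ldap policies had; the man page added in this commit documents them as plain aliases of hard, so it looks intentional, but a one-line comment saying so above the test would stop a later reader from treating it as an oversight. The enclosing switch cases begin and end outside these hunks.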
@@ -1534,10 +1541,12 @@ diff -up openssh-5.5p1/ldapconf.c.pka openssh-5.5p1/ldapconf.c
 +
 + if (ldap_url_parse(options.uri, &ludp) == LDAP_SUCCESS) {
 + if (options.ssl == -1) {
-+ if (strcmp (ludp->lud_scheme, "ldap") || strcmp (ludp->lud_scheme, "ldapi"))
-+ options.ssl = 0;
-+ else if (strcmp (ludp->lud_scheme, "ldaps"))
++ if (strcmp (ludp->lud_scheme, "ldap") == 0)
 + options.ssl = 2;
++ if (strcmp (ludp->lud_scheme, "ldapi") == 0)
++ options.ssl = 0;
++ else if (strcmp (ludp->lud_scheme, "ldaps") == 0)
++ options.ssl = 1;
 + }
 + if (options.host == NULL)
 + options.host = xstrdup (ludp->lud_host);
@@ -1703,14 +1712,14 @@ diff -up openssh-5.5p1/ldapconf.c.pka openssh-5.5p1/ldapconf.c
 + dump_cfg_string(lTLS_Cert, options.tls_cert);
 + dump_cfg_string(lTLS_Key, options.tls_key);
 + dump_cfg_string(lTLS_RandFile, options.tls_randfile);
-+ dump_cfg_string(lLogdir, options.logdir);
++ dump_cfg_string(lLogDir, options.logdir);
 + dump_cfg_int(lDebug, options.debug);
 + dump_cfg_string(lSSH_Filter, options.ssh_filter);
 +}
 +
 diff -up openssh-5.5p1/ldapconf.h.pka openssh-5.5p1/ldapconf.h
---- openssh-5.5p1/ldapconf.h.pka 2010-05-06 15:49:15.000000000 +0200
-+++ openssh-5.5p1/ldapconf.h 2010-05-06 15:49:15.000000000 +0200
+--- openssh-5.5p1/ldapconf.h.pka 2010-05-12 21:53:58.000000000 +0200
++++ openssh-5.5p1/ldapconf.h 2010-05-12 21:53:58.000000000 +0200
 @@ -0,0 +1,71 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -1784,8 +1793,8 @@ diff -up openssh-5.5p1/ldapconf.h.pka openssh-5.5p1/ldapconf.h
 +
 +#endif /* LDAPCONF_H */
 diff -up openssh-5.5p1/ldap-helper.c.pka openssh-5.5p1/ldap-helper.c
---- openssh-5.5p1/ldap-helper.c.pka 2010-05-06 15:49:15.000000000 +0200
-+++ openssh-5.5p1/ldap-helper.c 2010-05-06 15:49:15.000000000 +0200
+--- openssh-5.5p1/ldap-helper.c.pka 2010-05-12 21:53:58.000000000 +0200
++++ openssh-5.5p1/ldap-helper.c 2010-05-13 07:33:06.000000000 +0200
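Review bot: In the scheme test the first `if (strcmp (ludp->lud_scheme, "ldap") == 0)` is not joined to the following `if`/`else if` by an `else`, so the block reads as two independent chains; the outcome is the same because the three scheme strings are mutually exclusive, but `else if (strcmp (ludp->lud_scheme, "ldapi") == 0)` on the next test states the intent and matches the rest of the chain. A scheme that is none of ldap, ldapi or ldaps leaves options.ssl at -1, and the code that consumes it is outside the hunk; it is worth confirming that -1 is rejected with fatal() or mapped explicitly rather than silently treated as "no TLS", since this value decides whether the helper talks to the directory in the clear. The enclosing function starts and ends outside the hunk.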
@@ -0,0 +1,154 @@ +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1823,7 +1832,7 @@ diff -up openssh-5.5p1/ldap-helper.c.pka openssh-5.5p1/ldap-helper.c + +static int config_debug = 0; +int config_exclusive_config_file = 0; -+static char *config_file_name = "/etc/ldap.conf"; ++static char *config_file_name = "/etc/ssh/ldap.conf"; +static char *config_single_user = NULL; +static int config_verbose = SYSLOG_LEVEL_VERBOSE; +int config_warning_config_file = 0; @@ -1837,7 +1846,7 @@ diff -up openssh-5.5p1/ldap-helper.c.pka openssh-5.5p1/ldap-helper.c + fprintf(stderr, "Options:\n"); + fprintf(stderr, " -d Output the log messages to stderr.\n"); + fprintf(stderr, " -e Check the config file for unknown commands.\n"); -+ fprintf(stderr, " -f file Use alternate config file (default is /etc/ldap.conf).\n"); ++ fprintf(stderr, " -f file Use alternate config file (default is /etc/ssh/ldap.conf).\n"); + fprintf(stderr, " -s user Do not demonize, send the user's key to stdout.\n"); + fprintf(stderr, " -v Increase verbosity of the debug output (implies -d).\n"); + fprintf(stderr, " -w Warn on unknown commands int the config file.\n"); @@ -1942,8 +1951,8 @@ diff -up openssh-5.5p1/ldap-helper.c.pka openssh-5.5p1/ldap-helper.c +void buffer_put_string(Buffer *b, const void *f, u_int l) {} + diff -up openssh-5.5p1/ldap-helper.h.pka openssh-5.5p1/ldap-helper.h ---- openssh-5.5p1/ldap-helper.h.pka 2010-05-06 15:49:15.000000000 +0200 -+++ openssh-5.5p1/ldap-helper.h 2010-05-06 15:49:15.000000000 +0200 +--- openssh-5.5p1/ldap-helper.h.pka 2010-05-12 21:53:59.000000000 +0200 ++++ openssh-5.5p1/ldap-helper.h 2010-05-12 21:53:59.000000000 +0200 @@ -0,0 +1,32 @@ +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* 
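Review bot: The default configuration path is now written out by hand in three places — the `config_file_name` initializer, the usage text and the .8 page — and this commit had to edit each separately; a single macro (e.g. `#define LDAP_CONF_DEFAULT "/etc/ssh/ldap.conf"`, a constructed name) used in the initializer and through `%s` in the usage fprintf would keep the two code sites from drifting again. Since the variable is initialised from a string literal it should be declared `static const char *config_file_name`, which still accepts an optarg assignment. While this usage line is being touched, the neighbouring context lines carry the typos "demonize" and "int the config file", which the new default-path line sits between.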
@@ -1978,8 +1987,8 @@ diff -up openssh-5.5p1/ldap-helper.h.pka openssh-5.5p1/ldap-helper.h + +#endif /* LDAP_HELPER_H */ diff -up openssh-5.5p1/ldapincludes.h.pka openssh-5.5p1/ldapincludes.h ---- openssh-5.5p1/ldapincludes.h.pka 2010-05-06 15:49:15.000000000 +0200 -+++ openssh-5.5p1/ldapincludes.h 2010-05-06 15:49:15.000000000 +0200 +--- openssh-5.5p1/ldapincludes.h.pka 2010-05-12 21:53:59.000000000 +0200 ++++ openssh-5.5p1/ldapincludes.h 2010-05-12 21:53:59.000000000 +0200 @@ -0,0 +1,41 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -2023,8 +2032,8 @@ diff -up openssh-5.5p1/ldapincludes.h.pka openssh-5.5p1/ldapincludes.h + +#endif /* LDAPINCLUDES_H */ diff -up openssh-5.5p1/ldapmisc.c.pka openssh-5.5p1/ldapmisc.c ---- openssh-5.5p1/ldapmisc.c.pka 2010-05-06 15:49:15.000000000 +0200 -+++ openssh-5.5p1/ldapmisc.c 2010-05-06 15:49:15.000000000 +0200 +--- openssh-5.5p1/ldapmisc.c.pka 2010-05-12 21:53:59.000000000 +0200 ++++ openssh-5.5p1/ldapmisc.c 2010-05-12 21:53:59.000000000 +0200 @@ -0,0 +1,79 @@ + +#include "ldapincludes.h" @@ -2106,8 +2115,8 @@ diff -up openssh-5.5p1/ldapmisc.c.pka openssh-5.5p1/ldapmisc.c +#endif + diff -up openssh-5.5p1/ldapmisc.h.pka openssh-5.5p1/ldapmisc.h ---- openssh-5.5p1/ldapmisc.h.pka 2010-05-06 15:49:15.000000000 +0200 -+++ openssh-5.5p1/ldapmisc.h 2010-05-06 15:49:15.000000000 +0200 +--- openssh-5.5p1/ldapmisc.h.pka 2010-05-12 21:53:59.000000000 +0200 ++++ openssh-5.5p1/ldapmisc.h 2010-05-12 21:53:59.000000000 +0200 @@ -0,0 +1,35 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* 
@@ -2145,8 +2154,8 @@ diff -up openssh-5.5p1/ldapmisc.h.pka openssh-5.5p1/ldapmisc.h +#endif /* LDAPMISC_H */ + diff -up openssh-5.5p1/lpk-user-example.txt.pka openssh-5.5p1/lpk-user-example.txt ---- openssh-5.5p1/lpk-user-example.txt.pka 2010-05-06 15:49:15.000000000 +0200 -+++ openssh-5.5p1/lpk-user-example.txt 2010-05-06 15:49:15.000000000 +0200 +--- openssh-5.5p1/lpk-user-example.txt.pka 2010-05-12 21:53:59.000000000 +0200 ++++ openssh-5.5p1/lpk-user-example.txt 2010-05-12 21:53:59.000000000 +0200 @@ -0,0 +1,117 @@ + +Post to ML -> User Made Quick Install Doc. @@ -2267,7 +2276,7 @@ diff -up openssh-5.5p1/lpk-user-example.txt.pka openssh-5.5p1/lpk-user-example.t +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ diff -up openssh-5.5p1/Makefile.in.pka openssh-5.5p1/Makefile.in --- openssh-5.5p1/Makefile.in.pka 2010-03-13 22:41:34.000000000 +0100 -+++ openssh-5.5p1/Makefile.in 2010-05-06 15:49:15.000000000 +0200 ++++ openssh-5.5p1/Makefile.in 2010-05-12 21:53:59.000000000 +0200 @@ -26,6 +26,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign 
@@ -2293,8 +2302,8 @@ diff -up openssh-5.5p1/Makefile.in.pka openssh-5.5p1/Makefile.in -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out -MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 -+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out -+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ++MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out ++MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5 MANTYPE = @MANTYPE@ CONFIGFILES=sshd_config.out ssh_config.out moduli.out 
@@ -2318,17 +2327,18 @@ diff -up openssh-5.5p1/Makefile.in.pka openssh-5.5p1/Makefile.in $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -@@ -285,6 +293,9 @@ install-files: +@@ -285,6 +293,10 @@ install-files: $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 + if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \ + $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \ ++ $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \ + fi -rm -f $(DESTDIR)$(bindir)/slogin ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 -@@ -384,6 +395,7 @@ uninstall: +@@ -384,6 +396,7 @@ uninstall: -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 @@ -2337,8 +2347,8 @@ diff -up openssh-5.5p1/Makefile.in.pka openssh-5.5p1/Makefile.in tests interop-tests: $(TARGETS) diff -up openssh-5.5p1/openssh-lpk-openldap.schema.pka openssh-5.5p1/openssh-lpk-openldap.schema ---- openssh-5.5p1/openssh-lpk-openldap.schema.pka 2010-05-06 15:49:15.000000000 +0200 -+++ openssh-5.5p1/openssh-lpk-openldap.schema 2010-05-06 15:49:15.000000000 +0200 +--- openssh-5.5p1/openssh-lpk-openldap.schema.pka 2010-05-12 21:53:59.000000000 +0200 ++++ openssh-5.5p1/openssh-lpk-openldap.schema 2010-05-12 21:53:59.000000000 +0200 @@ -0,0 +1,21 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey 
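Review bot: install-files now copies ssh-ldap.conf.5 inside the `INSTALL_SSH_LDAP_HELPER` guard, but nothing removes it on uninstall: the adjusted uninstall hunk header `@@ -384,6 +396,7 @@ uninstall:` still adds exactly one line (the pre-existing ssh-ldap-helper.8 removal), so no `-rm -f $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5` was added alongside it. The body of that uninstall hunk lies outside this chunk, so the inference rests on the unchanged line count. The MANPAGES/MANPAGES_IN additions in the previous hunk are consistent with how ssh-ldap-helper.8 was already listed.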
@@ -2362,8 +2372,8 @@ diff -up openssh-5.5p1/openssh-lpk-openldap.schema.pka openssh-5.5p1/openssh-lpk + MUST ( sshPublicKey $ uid ) + ) diff -up openssh-5.5p1/openssh-lpk-sun.schema.pka openssh-5.5p1/openssh-lpk-sun.schema ---- openssh-5.5p1/openssh-lpk-sun.schema.pka 2010-05-06 15:49:15.000000000 +0200 -+++ openssh-5.5p1/openssh-lpk-sun.schema 2010-05-06 15:49:15.000000000 +0200 +--- openssh-5.5p1/openssh-lpk-sun.schema.pka 2010-05-12 21:53:59.000000000 +0200 ++++ openssh-5.5p1/openssh-lpk-sun.schema 2010-05-12 21:53:59.000000000 +0200 @@ -0,0 +1,23 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey @@ -2389,9 +2399,9 @@ diff -up openssh-5.5p1/openssh-lpk-sun.schema.pka openssh-5.5p1/openssh-lpk-sun. + MUST ( sshPublicKey $ uid ) + ) diff -up openssh-5.5p1/README.lpk.pka openssh-5.5p1/README.lpk ---- openssh-5.5p1/README.lpk.pka 2010-05-06 15:49:15.000000000 +0200 -+++ openssh-5.5p1/README.lpk 2010-05-06 15:49:15.000000000 +0200 -@@ -0,0 +1,268 @@ +--- openssh-5.5p1/README.lpk.pka 2010-05-12 21:53:59.000000000 +0200 ++++ openssh-5.5p1/README.lpk 2010-05-12 21:53:59.000000000 +0200 +@@ -0,0 +1,274 @@ +OpenSSH LDAP PUBLIC KEY PATCH +Copyright (c) 2003 Eric AUGE (eau@phear.org) +All rights reserved. @@ -2636,7 +2646,13 @@ diff -up openssh-5.5p1/README.lpk.pka openssh-5.5p1/README.lpk + I hope this could help, and i hope to be clear enough,, or give ideas. questions/comments/improvements are welcome. + +- TODO : -+ Redesign differently. ++ Possibility to reuse the ssh-ldap-helper. ++ Tune the LDAP part to all possible LDAP configurations. ++ ++- DIFFERENCES FROM ORIGINAL lpk ++ No LDAP code in sshd. ++ Support for various LDAP platforms and configurations. ++ LDAP is configured in separate ldap.conf file. + +- DOCS/LINK : + http://pacsec.jp/core05/psj05-barisani-en.pdf 
@@ -2661,8 +2677,8 @@ diff -up openssh-5.5p1/README.lpk.pka openssh-5.5p1/README.lpk + Jan F. Chadima + diff -up openssh-5.5p1/servconf.c.pka openssh-5.5p1/servconf.c ---- openssh-5.5p1/servconf.c.pka 2010-05-06 15:49:13.000000000 +0200 -+++ openssh-5.5p1/servconf.c 2010-05-06 15:49:15.000000000 +0200 +--- openssh-5.5p1/servconf.c.pka 2010-05-12 21:53:53.000000000 +0200 ++++ openssh-5.5p1/servconf.c 2010-05-12 21:53:59.000000000 +0200 @@ -129,6 +129,8 @@ initialize_server_options(ServerOptions options->num_permitted_opens = -1; options->adm_forced_command = NULL; @@ -2734,8 +2750,8 @@ diff -up openssh-5.5p1/servconf.c.pka openssh-5.5p1/servconf.c /* string arguments requiring a lookup */ dump_cfg_string(sLogLevel, log_level_name(o->log_level)); diff -up openssh-5.5p1/servconf.h.pka openssh-5.5p1/servconf.h ---- openssh-5.5p1/servconf.h.pka 2010-05-06 15:49:13.000000000 +0200 -+++ openssh-5.5p1/servconf.h 2010-05-06 15:49:15.000000000 +0200 +--- openssh-5.5p1/servconf.h.pka 2010-05-12 21:53:53.000000000 +0200 ++++ openssh-5.5p1/servconf.h 2010-05-12 21:54:00.000000000 +0200 @@ -157,6 +157,8 @@ typedef struct { char *chroot_directory; char *revoked_keys_file; @@ -2746,8 +2762,8 @@ diff -up openssh-5.5p1/servconf.h.pka openssh-5.5p1/servconf.h void initialize_server_options(ServerOptions *); diff -up openssh-5.5p1/sshd_config.0.pka openssh-5.5p1/sshd_config.0 ---- openssh-5.5p1/sshd_config.0.pka 2010-05-06 15:49:13.000000000 +0200 -+++ openssh-5.5p1/sshd_config.0 2010-05-06 15:49:15.000000000 +0200 +--- openssh-5.5p1/sshd_config.0.pka 2010-05-12 21:53:53.000000000 +0200 ++++ openssh-5.5p1/sshd_config.0 2010-05-12 21:54:00.000000000 +0200 @@ -352,7 +352,8 @@ DESCRIPTION KbdInteractiveAuthentication, KerberosAuthentication, MaxAuthTries, MaxSessions, PasswordAuthentication, 
@@ -2777,8 +2793,8 @@ diff -up openssh-5.5p1/sshd_config.0.pka openssh-5.5p1/sshd_config.0 Specifies whether rhosts or /etc/hosts.equiv authentication to- gether with successful RSA host authentication is allowed. The diff -up openssh-5.5p1/sshd_config.5.pka openssh-5.5p1/sshd_config.5 ---- openssh-5.5p1/sshd_config.5.pka 2010-05-06 15:49:13.000000000 +0200 -+++ openssh-5.5p1/sshd_config.5 2010-05-06 15:49:15.000000000 +0200 +--- openssh-5.5p1/sshd_config.5.pka 2010-05-12 21:53:53.000000000 +0200 ++++ openssh-5.5p1/sshd_config.5 2010-05-12 21:54:00.000000000 +0200 @@ -618,6 +618,9 @@ Available keywords are .Cm KerberosAuthentication , .Cm MaxAuthTries , @@ -2807,8 +2823,8 @@ diff -up openssh-5.5p1/sshd_config.5.pka openssh-5.5p1/sshd_config.5 Specifies whether rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is allowed. diff -up openssh-5.5p1/sshd_config.pka openssh-5.5p1/sshd_config ---- openssh-5.5p1/sshd_config.pka 2010-05-06 15:49:13.000000000 +0200 -+++ openssh-5.5p1/sshd_config 2010-05-06 15:49:15.000000000 +0200 +--- openssh-5.5p1/sshd_config.pka 2010-05-12 21:53:53.000000000 +0200 ++++ openssh-5.5p1/sshd_config 2010-05-12 21:54:00.000000000 +0200 @@ -45,6 +45,8 @@ SyslogFacility AUTHPRIV #RSAAuthentication yes #PubkeyAuthentication yes 
@@ -2818,10 +2834,383 @@ diff -up openssh-5.5p1/sshd_config.pka openssh-5.5p1/sshd_config # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no +diff -up openssh-5.5p1/ssh-ldap.conf.5.pka openssh-5.5p1/ssh-ldap.conf.5 +--- openssh-5.5p1/ssh-ldap.conf.5.pka 2010-05-12 21:54:00.000000000 +0200 ++++ openssh-5.5p1/ssh-ldap.conf.5 2010-05-13 13:33:27.000000000 +0200 +@@ -0,0 +1,369 @@ ++.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $ ++.\" ++.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved. ++.\" ++.\" Permission to use, copy, modify, and distribute this software for any ++.\" purpose with or without fee is hereby granted, provided that the above ++.\" copyright notice and this permission notice appear in all copies. ++.\" ++.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES ++.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF ++.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ++.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES ++.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ++.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF ++.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ++.\" ++.Dd $Mdocdate: may 12 2010 $ ++.Dt SSH-LDAP.CONF 5 ++.Os ++.Sh NAME ++.Nm ssh-ldap.conf ++.Nd configuration file for ssh-ldap-helper ++.Sh SYNOPSIS ++.Nm /etc/ssh/ldap.conf ++.Sh DESCRIPTION ++.Xr ssh-ldap-helper 8 ++reads configuration data from ++.Pa /etc/ssh/ldap.conf ++(or the file specified with ++.Fl f ++on the command line). ++The file contains keyword-argument pairs, one per line. ++Lines starting with ++.Ql # ++and empty lines are interpreted as comments. 
++.Pp ++The value starts with the first non-blank character after ++the keyword's name, and terminates at the end of the line, ++or at the last sequence of blanks before the end of the line. ++Quoting values that contain blanks ++may be incorrect, as the quotes would become part of the value. ++The possible keywords and their meanings are as follows (note that ++keywords are case-insensitive and arguments, on a case by case basis, may be case-sensitive). ++.Bl -tag -width Ds ++.It Cm URI ++The argument(s) are in the form ++.Pa ldap[si]://[name[:port]] ++they specifies the URI(s) of an LDAP server(s) to which the ++.Xr ssh-ldap-helper 8 ++should connect. The URI scheme may be any of ++.Dq ldap , ++.Dq ldaps ++or ++.Dq ldapi , ++which refer to LDAP over TCP, LDAP over SSL (TLS) and LDAP ++over IPC (UNIX domain sockets), respectively. ++Each server's name can be specified as a ++domain-style name or an IP address literal. Optionally, the ++server's name can followed by a ':' and the port number the LDAP ++server is listening on. If no port number is provided, the default ++port for the scheme is used (389 for ldap://, 636 for ldaps://). ++For LDAP over IPC, name is the name of the socket, and no port ++is required, nor allowed; note that directory separators must be ++URL-encoded, like any other characters that are special to URLs; ++A space separated list of URIs may be provided. ++There is no default. ++.It Cm Base ++Specifies the default base DN to use when performing ldap operations. ++The base must be specified as a Distinguished Name in LDAP format. ++There is no default. ++.It Cm BindDN ++Specifies the default bind DN to use when connecting to the ldap server. ++The bind DN must be specified as a Distinguished Name in LDAP format. ++There is no default. ++.It Cm BindPW ++Specifies the default password to use when connecting to the ldap server via ++.Cm BindDN . ++There is no default. ++.It Cm RootBindDN ++Intentionaly does nothing. 
Recognized for compatibility reasons. ++.It Cm Host ++The argument(s) specifies the name(s) of an LDAP server(s) to which the ++.Xr ssh-ldap-helper 8 ++should connect. Each server's name can be specified as a ++domain-style name or an IP address and optionally followed by a ':' and ++the port number the ldap server is listening on. A space separated ++list of hosts may be provided. ++There is no default. ++.Cm Host ++is deprecated in favor of ++.Cm URI . ++.It Cm Port ++Specifies the default port used when connecting to LDAP servers(s). ++The port may be specified as a number. ++The default port is 389 for ldap:// or 636 for ldaps:// respectively. ++.Cm Port ++is deprecated in favor of ++.Cm URI . ++.It Cm Scope ++Specifies the starting point of an LDAP search and the depth from the base DN to which the search should occur. ++There are three options (values) that can be assigned to the ++.Cm Scope parameter: ++.Dq base , ++.Dq one ++and ++.Dq subtree . ++Alias for the subtree is ++.Dq sub . ++The value ++.Dq base ++is used to indicate searching only the entry at the base DN, resulting in only that entry being returned (keeping in mind that it also has to meet the search filter criteria!). ++The value ++.Dq one ++is used to indicate searching all entries one level under the base DN - but not including the base DN and not including any entries under that one level under the base DN. ++The value ++.Dq subtree ++is used to indicate searching of all entries at all levels under and including the specified base DN. ++The default is ++.Dq subtree . ++.It Cm Deref ++Specifies how alias dereferencing is done when performing a search. There are four ++possible values that can be assigned to the ++.Cm Deref ++parameter: ++.Dq never , ++.Dq searching , ++.Dq finding , ++and ++.Dq always . ++The value ++.Dq never ++means that the aliases are never dereferenced. 
++The value ++.Dq searching ++means that the aliases are dereferenced in subordinates of the base object, but ++not in locating the base object of the search. ++The value ++.Dq finding ++means that the aliases are only dereferenced when locating the base object of the search. ++The value ++.Dq always . ++means that the aliases are dereferenced both in searching and in locating the base object ++of the search. ++The default is ++.Dq never . ++.It Cm TimeLimit ++Specifies a time limit (in seconds) to use when performing searches. ++The number should be a non-negative integer. ++.Cm TimeLimit ++of zero (0) specifies unlimited search time to be used. Please note that the server ++may still apply any server-side limit on the duration of a search operation. ++The default value is 10. ++.It Cm TimeOut ++Is an aliast to ++.Cm TimeLimit . ++.It Cm Bind_TimeLimit ++Specifies the timeout (in seconds) after which the poll(2)/select(2) ++following a connect(2) returns in case of no activity. ++The default value is 10. ++.It Cm Network_TimeOut ++Is an alias to ++.Cm Bind_TimeLimit . ++.It Cm Ldap_Version ++Specifies what version of the LDAP protocol should be used. ++The allowed values are 2 or 3. The default is 3. ++.It Cm Version ++Is an alias to ++.Cm Ldap_Version . ++.It Cm Bind_Policy ++Specifies the policy to use for reconnecting to an unavailable LDAP server. There are 2 awailable values: ++.Dq hard ++and ++.Dq soft. ++.Dq hard have 2 aliases ++.Dq hard_open ++and ++.Dq hard_init . ++The value ++.Dq hard ++means reconects that the ++Xr ssh-ldap-helper 8 ++tries to reconnect to the LDAP server 5 times before failure. There is exponential backoff before retrying. ++The value ++.Dq soft ++means that ++Xr ssh-ldap-helper 8 ++fails immediatelly when cannot connect to the LDAP seerver. ++The deault is ++.Dq hard . ++.It Cm SSLPath ++Specifies the path to the X.509 certificate database. ++There is no default. ++.It Cm SSL ++Specifies whether to use SSL/TLS or not. 
++There are three alloved values: ++.Dq yes , ++.Dq no ++and ++.Dq start_tls ++.Dq true ++and ++.Dq on ++are the aliases for ++.Dq yes . ++.Dq false ++and ++.Dq off ++are the aliases for ++.Dq no . ++If start_tls is specified then StartTLS is used rather than raw LDAP over SSL. ++The default is ++.Dq start_tls ++for the ldap:// ++.Dq yes ++for the ldaps:// ++and ++.Dq no ++for the ldapi:// . ++In case of host based configuration the default is ++.Dq start_tls . ++.It Cm Referrals ++Specifies if the client should automatically follow referrals returned ++by LDAP servers. ++The value can be or ++.Dq yes ++or ++.Dq no . ++.Dq true ++and ++.Dq on ++are the aliases for ++.Dq yes . ++.Dq false ++and ++.Dq off ++are the aliases for ++.Dq no . ++The default is yes. ++.It Cm Restart ++Specifies whether the LDAP client library should restart the select(2) system call when interrupted. ++The value can be or ++.Dq yes ++or ++.Dq no . ++.Dq true ++and ++.Dq on ++are the aliases for ++.Dq yes . ++.Dq false ++and ++.Dq off ++are the aliases for ++.Dq no . ++The default is yes. ++.It Cm TLS_CheckPeer ++Specifies what checks to perform on server certificates in a TLS session, ++if any. The value ++can be specified as one of the following keywords: ++.Dq never , ++.Dq hard , ++.Dq demand , ++.Dq allow ++and ++.Dq try . ++.Dq true , ++.Dq on ++and ++.Dq yes ++are the aliases for ++.Dq hard . ++.Dq false , ++.Dq off ++and ++.Dq no ++are the aliases for ++.Dq never . ++The value ++.Dq never ++means that the client will not request or check any server certificate. ++The value ++.Dq allow ++means that the server certificate is requested. If no certificate is provided, ++the session proceeds normally. If a bad certificate is provided, it will ++be ignored and the session proceeds normally. ++The value ++.Dq try ++means that the server certificate is requested. If no certificate is provided, ++the session proceeds normally. 
If a bad certificate is provided, ++the session is immediately terminated. ++The value ++.Dq demand ++Means that the server certificate is requested. If no ++certificate is provided, or a bad certificate is provided, the session ++is immediately terminated. ++The value ++.Dq hard ++is the same as ++.Dq demand . ++It requires the SSL connection. In the case of the plain conection the ++session is immediately terminated. ++The default is ++.Dq hard . ++.It Cm TLS_ReqCert ++Is an alias for ++.Cm TLS_CheckPeer . ++.It Cm TLS_CACertFile ++Specifies the file that contains certificates for all of the Certificate ++Authorities the client will recognize. ++There is no default. ++.It Cm TLS_CACert ++Is an alias for ++.Cm TLS_CACertFile . ++.It Cm TLS_CACertDIR ++Specifies the path of a directory that contains Certificate Authority ++certificates in separate individual files. The ++.Cm TLS_CACert ++is always used before ++.Cm TLS_CACertDir . ++The specified directory must be managed with the OpenSSL c_rehash utility. ++There is no default. ++.It Cm TLS_Ciphers ++Specifies acceptable cipher suite and preference order. ++The value should be a cipher specification for OpenSSL, ++e.g., ++.Dq HIGH:MEDIUM:+SSLv2 . ++The default is ++.Dq ALL . ++.It Cm TLS_Cipher_Suite ++Is an alias for ++.Cm TLS_Ciphers . ++.It Cm TLS_Cert ++Specifies the file that contains the client certificate. ++There is no default. ++.It Cm TLS_Certificate ++Is an alias for ++.Cm TLS_Cert . ++.It Cm TLS_Key ++Specifies the file that contains the private key that matches the certificate ++stored in the ++.Cm TLS_Cert ++file. Currently, the private key must not be protected with a password, so ++it is of critical importance that the key file is protected carefully. ++There is no default. ++.It Cm TLS_RandFile ++Specifies the file to obtain random bits from when /dev/[u]random is ++not available. Generally set to the name of the EGD/PRNGD socket. 
++The environment variable RANDFILE can also be used to specify the filename. ++There is no default. ++.It Cm LogDir ++Specifies the directory used for logging by the LDAP client library. ++There is no default. ++.It Cm Debug ++Specifies the debug level used for logging by the LDAP client library. ++There is no default. ++.Sh FILES ++.Bl -tag -width Ds ++.It Pa /etc/ssh/ldap.conf ++Ldap configuration file for ++.Xr ssh-ldap-helper 8 . ++.Sh "SEE ALSO" ++.Xr ldap.conf 5 , ++.Xr ssh-ldap-helper 8 ++.Sh HISTORY ++.Nm ++first appeared in ++OpenSSH 5.5 + PKA-LDAP . ++.Sh AUTHORS ++.An Jan F. Chadima Aq jchadima@redhat.com diff -up openssh-5.5p1/ssh-ldap-helper.8.pka openssh-5.5p1/ssh-ldap-helper.8 ---- openssh-5.5p1/ssh-ldap-helper.8.pka 2010-05-06 15:49:15.000000000 +0200 -+++ openssh-5.5p1/ssh-ldap-helper.8 2010-05-06 15:49:15.000000000 +0200 -@@ -0,0 +1,78 @@ +--- openssh-5.5p1/ssh-ldap-helper.8.pka 2010-05-12 21:54:00.000000000 +0200 ++++ openssh-5.5p1/ssh-ldap-helper.8 2010-05-13 07:32:13.000000000 +0200 +@@ -0,0 +1,79 @@ +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" +.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved. @@ -2878,7 +3267,7 @@ diff -up openssh-5.5p1/ssh-ldap-helper.8.pka openssh-5.5p1/ssh-ldap-helper.8 +.Nm +halt when an unknown item is found in the ldap.conf file. +.It Fl f -+Default /etc/ldap.conf. ++Default /etc/ssh/ldap.conf. +.Nm +uses this file as a ldap configuration file. +.It Fl s @@ -2894,6 +3283,7 @@ diff -up openssh-5.5p1/ssh-ldap-helper.8.pka openssh-5.5p1/ssh-ldap-helper.8 +.Sh SEE ALSO +.Xr sshd 8 , +.Xr sshd_config 5 , ++.Xr ssh_ldap.conf 5 , +.Sh HISTORY +.Nm +first appeared in diff --git a/openssh.spec b/openssh.spec index 37e7226..088ab89 100644 --- a/openssh.spec +++ b/openssh.spec 
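Review bot: The new SEE ALSO entry `.Xr ssh_ldap.conf 5 ,` in ssh-ldap-helper.8 does not match the page this commit adds, which is `.Dt SSH-LDAP.CONF 5` / `.Nm ssh-ldap.conf` and is installed as ssh-ldap.conf.5; it should be `.Xr ssh-ldap.conf 5`, without the trailing comma on the last item (the comma belongs on the preceding `.Xr sshd_config 5` line instead). In ssh-ldap.conf.5 the Bind_Policy paragraph twice writes `Xr ssh-ldap-helper 8` without the leading dot, which mdoc will print literally rather than as a cross-reference. The FILES entry for /etc/ssh/ldap.conf would usefully state that the file may contain BindPW and the TLS_Key path and should be readable only by the account ssh-ldap-helper runs as; the TLS_Key paragraph already makes that point for the key file itself. The page also carries a number of spelling slips (Intentionaly, aliast, awailable, reconects, immediatelly, seerver, deault, alloved) and a lowercase month in `.Dd $Mdocdate: may 12 2010 $`.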
@@ -285,22 +285,22 @@ popd
 %endif
 %patch20 -p1 -b .pka
-#%patch23 -p1 -b .keygen
-#%patch24 -p1 -b .fromto-remote
-#%patch27 -p1 -b .log-chroot
-#%patch30 -p1 -b .exit-deadlock
-#%patch35 -p1 -b .progress
-#%patch38 -p1 -b .grab-info
-#%patch44 -p1 -b .ip-opts
-#%patch49 -p1 -b .canohost
-#%patch62 -p1 -b .manpage
-#%patch65 -p1 -b .fips
-#%patch69 -p1 -b .selabel
-#%patch71 -p1 -b .edns
-#%patch73 -p1 -b .gsskex
-#%patch74 -p1 -b .randclean
-#%patch76 -p1 -b .staterr
-#%patch77 -p1 -b .stderr
+%patch23 -p1 -b .keygen
+%patch24 -p1 -b .fromto-remote
+%patch27 -p1 -b .log-chroot
+%patch30 -p1 -b .exit-deadlock
+%patch35 -p1 -b .progress
+%patch38 -p1 -b .grab-info
+%patch44 -p1 -b .ip-opts
+%patch49 -p1 -b .canohost
+%patch62 -p1 -b .manpage
+%patch65 -p1 -b .fips
+%patch69 -p1 -b .selabel
+%patch71 -p1 -b .edns
+%patch73 -p1 -b .gsskex
+%patch74 -p1 -b .randclean
+%patch76 -p1 -b .staterr
+%patch77 -p1 -b .stderr
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}