diff --git a/.cvsignore b/.cvsignore index 64c495c..f1bc577 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1,2 @@ openssh-5.4p1-snap20100302-noacss.tar.bz2 +pam_ssh_agent_auth-0.9.2.tar.bz2 diff --git a/openssh-3.9p1-askpass-keep-above.patch b/openssh-3.9p1-askpass-keep-above.patch deleted file mode 100644 index 1b9f48c..0000000 --- a/openssh-3.9p1-askpass-keep-above.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- openssh-3.9p1/contrib/gnome-ssh-askpass2.c.keep-above 2003-11-21 13:48:56.000000000 +0100 -+++ openssh-3.9p1/contrib/gnome-ssh-askpass2.c 2005-02-08 08:44:02.099739294 +0100 -@@ -119,6 +119,8 @@ - g_signal_connect(G_OBJECT(entry), "activate", - G_CALLBACK(ok_dialog), dialog); - -+ gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE); -+ - /* Grab focus */ - gtk_widget_show_now(dialog); - if (grab_pointer) { diff --git a/openssh-3.9p1.tar.gz.sig b/openssh-3.9p1.tar.gz.sig deleted file mode 100644 index 9b64804..0000000 --- a/openssh-3.9p1.tar.gz.sig +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.2.2 (OpenBSD) - -iD8DBQBBIgAxzo7LA4b/nEgRArlqAJ0UhIfcfbz+oAxn8AsiOeHBVMwFXwCgkXcX -hxmfq8nv/+hpiid1j9lAUx8= -=P4zN ------END PGP SIGNATURE----- diff --git a/openssh-5.2p1-engine.patch b/openssh-5.2p1-engine.patch deleted file mode 100644 index 132653d..0000000 --- a/openssh-5.2p1-engine.patch +++ /dev/null @@ -1,9 +0,0 @@ ---- openssh-5.2p1/openbsd-compat/openssl-compat.c~ 2010-01-27 17:36:29.000000000 -0500 -+++ openssh-5.2p1/openbsd-compat/openssl-compat.c 2010-01-28 10:52:53.000000000 -0500 -@@ -58,5 +58,6 @@ - /* Enable use of crypto hardware */ - ENGINE_load_builtin_engines(); - ENGINE_register_all_complete(); -+ OPENSSL_config(NULL); - } - #endif diff --git a/openssh-5.2p1-sesftp.patch b/openssh-5.2p1-sesftp.patch deleted file mode 100644 index 3470e8f..0000000 --- a/openssh-5.2p1-sesftp.patch +++ /dev/null @@ -1,64 +0,0 @@ -diff -up openssh-5.2p1/openbsd-compat/port-linux.c.sesftp openssh-5.2p1/openbsd-compat/port-linux.c ---- openssh-5.2p1/openbsd-compat/port-linux.c.sesftp 2009-08-12 00:29:37.712368892 +0200 -+++ openssh-5.2p1/openbsd-compat/port-linux.c 2009-08-12 00:29:37.732544890 +0200 -@@ -469,4 +469,36 @@ ssh_selinux_setup_pty(char *pwname, cons - freecon(user_ctx); - debug3("%s: done", __func__); - } -+ -+void -+ssh_selinux_change_context(const char *newname) -+{ -+ int len, newlen; -+ char *oldctx, *newctx, *cx; -+ -+ if (!ssh_selinux_enabled()) -+ return; -+ -+ if (getcon((security_context_t *)&oldctx) < 0) { -+ logit("%s: getcon failed with %s", __func__, strerror (errno)); -+ return; -+ } -+ if ((cx = index(oldctx, ':')) == NULL || (cx = index(cx + 1, ':')) == NULL) { -+ logit ("%s: unparseable context %s", __func__, oldctx); -+ return; -+ } -+ -+ newlen = strlen(oldctx) + strlen(newname) + 1; -+ newctx = xmalloc(newlen); -+ len = cx - oldctx + 1; -+ memcpy(newctx, oldctx, len); -+ strlcpy(newctx + len, newname, newlen - len); -+ if ((cx = index(cx + 1, ':'))) -+ strlcat(newctx, cx, newlen); -+ debug3("%s: setting context from '%s' to '%s'", __func__, oldctx, newctx); -+ if (setcon(newctx) < 0) -+ logit("%s: setcon failed with %s", __func__, strerror (errno)); -+ xfree(oldctx); -+ xfree(newctx); -+} - #endif /* WITH_SELINUX */ -diff -up openssh-5.2p1/openbsd-compat/port-linux.h.sesftp openssh-5.2p1/openbsd-compat/port-linux.h ---- openssh-5.2p1/openbsd-compat/port-linux.h.sesftp 2008-03-26 21:27:21.000000000 +0100 -+++ openssh-5.2p1/openbsd-compat/port-linux.h 2009-08-12 00:29:37.733388083 +0200 -@@ -23,6 +23,7 @@ - int ssh_selinux_enabled(void); - void ssh_selinux_setup_pty(char *, const char *); - void ssh_selinux_setup_exec_context(char *); -+void ssh_selinux_change_context(const char *); - #endif - - #endif /* ! _PORT_LINUX_H */ -diff -up openssh-5.2p1/session.c.sesftp openssh-5.2p1/session.c ---- openssh-5.2p1/session.c.sesftp 2009-08-12 00:29:37.659250161 +0200 -+++ openssh-5.2p1/session.c 2009-08-12 00:29:37.729578695 +0200 -@@ -1798,6 +1798,9 @@ do_child(Session *s, const char *command - argv[i] = NULL; - optind = optreset = 1; - __progname = argv[0]; -+#ifdef WITH_SELINUX -+ ssh_selinux_change_context("sftpd_t"); -+#endif - exit(sftp_server_main(i, argv, s->pw)); - } - diff --git a/openssh-5.4p1-1.fc14.src.rpm b/openssh-5.4p1-1.fc14.src.rpm deleted file mode 100644 index d4251e2..0000000 Binary files a/openssh-5.4p1-1.fc14.src.rpm and /dev/null differ diff --git a/openssh-5.4p1-23.fc14.src.rpm b/openssh-5.4p1-23.fc14.src.rpm deleted file mode 100644 index f456db7..0000000 Binary files a/openssh-5.4p1-23.fc14.src.rpm and /dev/null differ diff --git a/openssh-5.3p1-fips.patch b/openssh-5.4p1-fips.patch similarity index 78% rename from openssh-5.3p1-fips.patch rename to openssh-5.4p1-fips.patch index 01a715c..943ab0f 100644 --- a/openssh-5.3p1-fips.patch +++ b/openssh-5.4p1-fips.patch @@ -1,15 +1,15 @@ -diff -up openssh-5.3p1/auth2-pubkey.c.fips openssh-5.3p1/auth2-pubkey.c ---- openssh-5.3p1/auth2-pubkey.c.fips 2009-10-02 14:12:00.000000000 +0200 -+++ openssh-5.3p1/auth2-pubkey.c 2009-10-02 14:12:00.000000000 +0200 -@@ -33,6 +33,7 @@ - #include - #include +diff -up openssh-5.4p1/auth2-pubkey.c.fips openssh-5.4p1/auth2-pubkey.c +--- openssh-5.4p1/auth2-pubkey.c.fips 2010-03-01 17:55:26.000000000 +0100 ++++ openssh-5.4p1/auth2-pubkey.c 2010-03-01 17:57:56.000000000 +0100 +@@ -35,6 +35,7 @@ + #include + #include #include +#include #include "xmalloc.h" #include "ssh.h" -@@ -240,7 +241,7 @@ user_key_allowed2(struct passwd *pw, Key +@@ -269,7 +270,7 @@ user_key_allowed2(struct passwd *pw, Key found_key = 1; debug("matching key found: file %s, line %lu", file, linenum); @@ -18,10 +18,10 @@ diff -up openssh-5.3p1/auth2-pubkey.c.fips openssh-5.3p1/auth2-pubkey.c verbose("Found matching %s key: %s", key_type(found), fp); xfree(fp); -diff -up openssh-5.3p1/authfile.c.fips openssh-5.3p1/authfile.c ---- openssh-5.3p1/authfile.c.fips 2006-09-01 07:38:36.000000000 +0200 -+++ openssh-5.3p1/authfile.c 2009-10-02 14:12:00.000000000 +0200 -@@ -143,8 +143,14 @@ key_save_private_rsa1(Key *key, const ch +diff -up openssh-5.4p1/authfile.c.fips openssh-5.4p1/authfile.c +--- openssh-5.4p1/authfile.c.fips 2010-01-12 09:42:29.000000000 +0100 ++++ openssh-5.4p1/authfile.c 2010-03-01 17:55:28.000000000 +0100 +@@ -146,8 +146,14 @@ key_save_private_rsa1(Key *key, const ch /* Allocate space for the private part of the key in the buffer. */ cp = buffer_append_space(&encrypted, buffer_len(&buffer)); @@ -38,7 +38,7 @@ diff -up openssh-5.3p1/authfile.c.fips openssh-5.3p1/authfile.c cipher_crypt(&ciphercontext, cp, buffer_ptr(&buffer), buffer_len(&buffer)); cipher_cleanup(&ciphercontext); -@@ -414,8 +420,14 @@ key_load_private_rsa1(int fd, const char +@@ -421,8 +427,14 @@ key_load_private_rsa1(int fd, const char cp = buffer_append_space(&decrypted, buffer_len(&buffer)); /* Rest of the buffer is encrypted. Decrypt it using the passphrase. */ @@ -55,9 +55,9 @@ diff -up openssh-5.3p1/authfile.c.fips openssh-5.3p1/authfile.c cipher_crypt(&ciphercontext, cp, buffer_ptr(&buffer), buffer_len(&buffer)); cipher_cleanup(&ciphercontext); -diff -up openssh-5.3p1/cipher.c.fips openssh-5.3p1/cipher.c ---- openssh-5.3p1/cipher.c.fips 2009-10-02 13:44:03.000000000 +0200 -+++ openssh-5.3p1/cipher.c 2009-10-02 14:12:00.000000000 +0200 +diff -up openssh-5.4p1/cipher.c.fips openssh-5.4p1/cipher.c +--- openssh-5.4p1/cipher.c.fips 2010-03-01 15:09:22.000000000 +0100 ++++ openssh-5.4p1/cipher.c 2010-03-01 17:55:28.000000000 +0100 @@ -40,6 +40,7 @@ #include @@ -142,9 +142,9 @@ diff -up openssh-5.3p1/cipher.c.fips openssh-5.3p1/cipher.c } /* -diff -up openssh-5.3p1/cipher-ctr.c.fips openssh-5.3p1/cipher-ctr.c ---- openssh-5.3p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200 -+++ openssh-5.3p1/cipher-ctr.c 2009-10-02 14:12:00.000000000 +0200 +diff -up openssh-5.4p1/cipher-ctr.c.fips openssh-5.4p1/cipher-ctr.c +--- openssh-5.4p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200 ++++ openssh-5.4p1/cipher-ctr.c 2010-03-01 17:55:28.000000000 +0100 @@ -140,7 +140,8 @@ evp_aes_128_ctr(void) aes_ctr.do_cipher = ssh_aes_ctr; #ifndef SSH_OLD_EVP @@ -155,9 +155,9 @@ diff -up openssh-5.3p1/cipher-ctr.c.fips openssh-5.3p1/cipher-ctr.c #endif return (&aes_ctr); } -diff -up openssh-5.3p1/cipher.h.fips openssh-5.3p1/cipher.h ---- openssh-5.3p1/cipher.h.fips 2009-01-28 06:38:41.000000000 +0100 -+++ openssh-5.3p1/cipher.h 2009-10-02 14:12:00.000000000 +0200 +diff -up openssh-5.4p1/cipher.h.fips openssh-5.4p1/cipher.h +--- openssh-5.4p1/cipher.h.fips 2009-01-28 06:38:41.000000000 +0100 ++++ openssh-5.4p1/cipher.h 2010-03-01 17:55:28.000000000 +0100 @@ -78,7 +78,7 @@ void cipher_init(CipherContext *, Ciphe const u_char *, u_int, int); void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int); @@ -167,9 +167,9 @@ diff -up openssh-5.3p1/cipher.h.fips openssh-5.3p1/cipher.h u_int cipher_blocksize(const Cipher *); u_int cipher_keylen(const Cipher *); u_int cipher_is_cbc(const Cipher *); -diff -up openssh-5.3p1/mac.c.fips openssh-5.3p1/mac.c ---- openssh-5.3p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200 -+++ openssh-5.3p1/mac.c 2009-10-02 14:12:00.000000000 +0200 +diff -up openssh-5.4p1/mac.c.fips openssh-5.4p1/mac.c +--- openssh-5.4p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200 ++++ openssh-5.4p1/mac.c 2010-03-01 17:55:28.000000000 +0100 @@ -28,6 +28,7 @@ #include @@ -219,10 +219,10 @@ diff -up openssh-5.3p1/mac.c.fips openssh-5.3p1/mac.c for (i = 0; macs[i].name; i++) { if (strcmp(name, macs[i].name) == 0) { -diff -up openssh-5.3p1/Makefile.in.fips openssh-5.3p1/Makefile.in ---- openssh-5.3p1/Makefile.in.fips 2009-10-02 14:12:00.000000000 +0200 -+++ openssh-5.3p1/Makefile.in 2009-10-02 14:20:18.000000000 +0200 -@@ -136,28 +136,28 @@ libssh.a: $(LIBSSH_OBJS) +diff -up openssh-5.4p1/Makefile.in.fips openssh-5.4p1/Makefile.in +--- openssh-5.4p1/Makefile.in.fips 2010-02-24 08:18:51.000000000 +0100 ++++ openssh-5.4p1/Makefile.in 2010-03-01 17:55:28.000000000 +0100 +@@ -139,31 +139,31 @@ libssh.a: $(LIBSSH_OBJS) $(RANLIB) $@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) @@ -240,28 +240,31 @@ diff -up openssh-5.3p1/Makefile.in.fips openssh-5.3p1/Makefile.in - $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o -- $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o +- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o - $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o + ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o - $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o + $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o - $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) + $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -diff -up openssh-5.3p1/myproposal.h.fips openssh-5.3p1/myproposal.h ---- openssh-5.3p1/myproposal.h.fips 2009-01-28 06:33:31.000000000 +0100 -+++ openssh-5.3p1/myproposal.h 2009-10-02 14:12:00.000000000 +0200 -@@ -53,7 +53,12 @@ +diff -up openssh-5.4p1/myproposal.h.fips openssh-5.4p1/myproposal.h +--- openssh-5.4p1/myproposal.h.fips 2010-02-26 21:55:05.000000000 +0100 ++++ openssh-5.4p1/myproposal.h 2010-03-01 17:55:28.000000000 +0100 +@@ -55,7 +55,12 @@ "hmac-sha1-96,hmac-md5-96" #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" #define KEX_DEFAULT_LANG "" @@ -275,23 +278,9 @@ diff -up openssh-5.3p1/myproposal.h.fips openssh-5.3p1/myproposal.h static char *myproposal[PROPOSAL_MAX] = { KEX_DEFAULT_KEX, -diff -up openssh-5.3p1/nsskeys.c.fips openssh-5.3p1/nsskeys.c ---- openssh-5.3p1/nsskeys.c.fips 2009-10-02 14:12:00.000000000 +0200 -+++ openssh-5.3p1/nsskeys.c 2009-10-02 14:12:00.000000000 +0200 -@@ -183,8 +183,8 @@ nss_convert_pubkey(Key *k) - break; - } - -- p = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX); -- debug("fingerprint %u %s", key_size(k), p); -+ p = key_fingerprint(k, SSH_FP_SHA1, SSH_FP_HEX); -+ debug("SHA1 fingerprint %u %s", key_size(k), p); - xfree(p); - - return 0; -diff -up openssh-5.3p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.3p1/openbsd-compat/bsd-arc4random.c ---- openssh-5.3p1/openbsd-compat/bsd-arc4random.c.fips 2008-06-04 02:54:00.000000000 +0200 -+++ openssh-5.3p1/openbsd-compat/bsd-arc4random.c 2009-10-02 14:12:00.000000000 +0200 +diff -up openssh-5.4p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.4p1/openbsd-compat/bsd-arc4random.c +--- openssh-5.4p1/openbsd-compat/bsd-arc4random.c.fips 2008-06-04 02:54:00.000000000 +0200 ++++ openssh-5.4p1/openbsd-compat/bsd-arc4random.c 2010-03-01 17:55:28.000000000 +0100 @@ -39,6 +39,7 @@ static int rc4_ready = 0; static RC4_KEY rc4; @@ -333,9 +322,9 @@ diff -up openssh-5.3p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.3p1/openbs #endif /* !HAVE_ARC4RANDOM */ #ifndef ARC4RANDOM_BUF -diff -up openssh-5.3p1/ssh-add.c.fips openssh-5.3p1/ssh-add.c ---- openssh-5.3p1/ssh-add.c.fips 2009-10-02 14:12:00.000000000 +0200 -+++ openssh-5.3p1/ssh-add.c 2009-10-02 14:12:00.000000000 +0200 +diff -up openssh-5.4p1/ssh-add.c.fips openssh-5.4p1/ssh-add.c +--- openssh-5.4p1/ssh-add.c.fips 2010-02-26 21:55:06.000000000 +0100 ++++ openssh-5.4p1/ssh-add.c 2010-03-01 17:55:28.000000000 +0100 @@ -42,6 +42,7 @@ #include @@ -343,8 +332,8 @@ diff -up openssh-5.3p1/ssh-add.c.fips openssh-5.3p1/ssh-add.c +#include #include "openbsd-compat/openssl-compat.h" - #ifdef HAVE_LIBNSS -@@ -254,7 +255,7 @@ list_identities(AuthenticationConnection + #include +@@ -270,7 +271,7 @@ list_identities(AuthenticationConnection key = ssh_get_next_identity(ac, &comment, version)) { had_identities = 1; if (do_fp) { @@ -353,9 +342,9 @@ diff -up openssh-5.3p1/ssh-add.c.fips openssh-5.3p1/ssh-add.c SSH_FP_HEX); printf("%d %s %s (%s)\n", key_size(key), fp, comment, key_type(key)); -diff -up openssh-5.3p1/ssh-agent.c.fips openssh-5.3p1/ssh-agent.c ---- openssh-5.3p1/ssh-agent.c.fips 2009-10-02 14:12:00.000000000 +0200 -+++ openssh-5.3p1/ssh-agent.c 2009-10-02 14:12:00.000000000 +0200 +diff -up openssh-5.4p1/ssh-agent.c.fips openssh-5.4p1/ssh-agent.c +--- openssh-5.4p1/ssh-agent.c.fips 2010-02-26 21:55:06.000000000 +0100 ++++ openssh-5.4p1/ssh-agent.c 2010-03-01 17:55:28.000000000 +0100 @@ -51,6 +51,7 @@ #include @@ -364,7 +353,7 @@ diff -up openssh-5.3p1/ssh-agent.c.fips openssh-5.3p1/ssh-agent.c #include "openbsd-compat/openssl-compat.h" #include -@@ -200,9 +201,9 @@ confirm_key(Identity *id) +@@ -199,9 +200,9 @@ confirm_key(Identity *id) char *p; int ret = -1; @@ -377,9 +366,9 @@ diff -up openssh-5.3p1/ssh-agent.c.fips openssh-5.3p1/ssh-agent.c ret = 0; xfree(p); -diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c ---- openssh-5.3p1/ssh.c.fips 2009-10-02 14:12:00.000000000 +0200 -+++ openssh-5.3p1/ssh.c 2009-10-02 14:12:00.000000000 +0200 +diff -up openssh-5.4p1/ssh.c.fips openssh-5.4p1/ssh.c +--- openssh-5.4p1/ssh.c.fips 2010-02-26 21:55:06.000000000 +0100 ++++ openssh-5.4p1/ssh.c 2010-03-01 17:55:28.000000000 +0100 @@ -72,6 +72,8 @@ #include @@ -389,7 +378,7 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c #include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/sys-queue.h" -@@ -221,6 +223,10 @@ main(int ac, char **av) +@@ -225,6 +227,10 @@ main(int ac, char **av) sanitise_stdfd(); __progname = ssh_get_progname(av[0]); @@ -400,8 +389,8 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c init_rng(); /* -@@ -281,6 +287,9 @@ main(int ac, char **av) - "ACD:F:I:KL:MNO:PR:S:TVw:XYy")) != -1) { +@@ -285,6 +291,9 @@ main(int ac, char **av) + "ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) { switch (opt) { case '1': + if (FIPS_mode()) { @@ -410,7 +399,7 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c options.protocol = SSH_PROTO_1; break; case '2': -@@ -552,7 +561,6 @@ main(int ac, char **av) +@@ -581,7 +590,6 @@ main(int ac, char **av) if (!host) usage(); @@ -418,7 +407,7 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c ERR_load_crypto_strings(); /* Initialize the command to execute on remote host. */ -@@ -638,6 +646,10 @@ main(int ac, char **av) +@@ -667,6 +675,10 @@ main(int ac, char **av) seed_rng(); @@ -429,7 +418,7 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c if (options.user == NULL) options.user = xstrdup(pw->pw_name); -@@ -704,6 +716,12 @@ main(int ac, char **av) +@@ -733,6 +745,12 @@ main(int ac, char **av) timeout_ms = options.connection_timeout * 1000; @@ -442,9 +431,9 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c /* Open a connection to the remote host. */ if (ssh_connect(host, &hostaddr, options.port, options.address_family, options.connection_attempts, &timeout_ms, -diff -up openssh-5.3p1/sshconnect2.c.fips openssh-5.3p1/sshconnect2.c ---- openssh-5.3p1/sshconnect2.c.fips 2009-10-02 14:12:00.000000000 +0200 -+++ openssh-5.3p1/sshconnect2.c 2009-10-02 14:12:00.000000000 +0200 +diff -up openssh-5.4p1/sshconnect2.c.fips openssh-5.4p1/sshconnect2.c +--- openssh-5.4p1/sshconnect2.c.fips 2010-03-01 17:55:28.000000000 +0100 ++++ openssh-5.4p1/sshconnect2.c 2010-03-01 17:55:29.000000000 +0100 @@ -44,6 +44,8 @@ #include #endif @@ -477,7 +466,7 @@ diff -up openssh-5.3p1/sshconnect2.c.fips openssh-5.3p1/sshconnect2.c if (options.hostkeyalgorithms != NULL) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = options.hostkeyalgorithms; -@@ -508,8 +518,8 @@ input_userauth_pk_ok(int type, u_int32_t +@@ -529,8 +539,8 @@ input_userauth_pk_ok(int type, u_int32_t key->type, pktype); goto done; } @@ -488,19 +477,19 @@ diff -up openssh-5.3p1/sshconnect2.c.fips openssh-5.3p1/sshconnect2.c xfree(fp); /* -diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c ---- openssh-5.3p1/sshconnect.c.fips 2009-10-02 14:12:00.000000000 +0200 -+++ openssh-5.3p1/sshconnect.c 2009-10-02 14:12:00.000000000 +0200 +diff -up openssh-5.4p1/sshconnect.c.fips openssh-5.4p1/sshconnect.c +--- openssh-5.4p1/sshconnect.c.fips 2010-02-26 21:55:06.000000000 +0100 ++++ openssh-5.4p1/sshconnect.c 2010-03-01 17:55:29.000000000 +0100 @@ -40,6 +40,8 @@ + #include #include - #include +#include + #include "xmalloc.h" #include "key.h" #include "hostfile.h" -@@ -763,6 +765,7 @@ check_host_key(char *hostname, struct so +@@ -789,6 +791,7 @@ check_host_key(char *hostname, struct so goto fail; } else if (options.strict_host_key_checking == 2) { char msg1[1024], msg2[1024]; @@ -508,7 +497,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c if (show_other_keys(host, host_key)) snprintf(msg1, sizeof(msg1), -@@ -771,8 +774,8 @@ check_host_key(char *hostname, struct so +@@ -797,8 +800,8 @@ check_host_key(char *hostname, struct so else snprintf(msg1, sizeof(msg1), "."); /* The default */ @@ -519,7 +508,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c SSH_FP_RANDOMART); msg2[0] = '\0'; if (options.verify_host_key_dns) { -@@ -788,10 +791,10 @@ check_host_key(char *hostname, struct so +@@ -814,10 +817,10 @@ check_host_key(char *hostname, struct so snprintf(msg, sizeof(msg), "The authenticity of host '%.200s (%s)' can't be " "established%s\n" @@ -532,7 +521,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c options.visual_host_key ? "\n" : "", options.visual_host_key ? ra : "", msg2); -@@ -1079,17 +1082,18 @@ show_key_from_file(const char *file, con +@@ -1131,17 +1134,18 @@ show_key_from_file(const char *file, con Key *found; char *fp, *ra; int line, ret; @@ -555,7 +544,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c xfree(ra); xfree(fp); } -@@ -1135,8 +1139,9 @@ warn_changed_key(Key *host_key) +@@ -1187,8 +1191,9 @@ warn_changed_key(Key *host_key) { char *fp; const char *type = key_type(host_key); @@ -566,7 +555,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @"); -@@ -1144,8 +1149,8 @@ warn_changed_key(Key *host_key) +@@ -1196,8 +1201,8 @@ warn_changed_key(Key *host_key) error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!"); error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); error("It is also possible that the %s host key has just been changed.", type); @@ -577,9 +566,9 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c error("Please contact your system administrator."); xfree(fp); -diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c ---- openssh-5.3p1/sshd.c.fips 2009-10-02 14:12:00.000000000 +0200 -+++ openssh-5.3p1/sshd.c 2009-10-02 14:12:00.000000000 +0200 +diff -up openssh-5.4p1/sshd.c.fips openssh-5.4p1/sshd.c +--- openssh-5.4p1/sshd.c.fips 2010-03-01 17:55:27.000000000 +0100 ++++ openssh-5.4p1/sshd.c 2010-03-01 17:55:29.000000000 +0100 @@ -76,6 +76,8 @@ #include #include @@ -589,7 +578,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c #include "openbsd-compat/openssl-compat.h" #ifdef HAVE_SECUREWARE -@@ -1261,6 +1263,12 @@ main(int ac, char **av) +@@ -1298,6 +1300,12 @@ main(int ac, char **av) (void)set_auth_parameters(ac, av); #endif __progname = ssh_get_progname(av[0]); @@ -602,7 +591,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c init_rng(); /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ -@@ -1413,8 +1421,6 @@ main(int ac, char **av) +@@ -1459,8 +1467,6 @@ main(int ac, char **av) else closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); @@ -611,7 +600,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c /* * Force logging to stderr until we have loaded the private host * key (unless started from inetd) -@@ -1532,6 +1538,10 @@ main(int ac, char **av) +@@ -1578,6 +1584,10 @@ main(int ac, char **av) debug("private host key: #%d type %d %s", i, key->type, key_type(key)); } @@ -622,7 +611,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { logit("Disabling protocol version 1. Could not load host key"); options.protocol &= ~SSH_PROTO_1; -@@ -1656,6 +1666,10 @@ main(int ac, char **av) +@@ -1742,6 +1752,10 @@ main(int ac, char **av) /* Initialize the random number generator. */ arc4random_stir(); @@ -633,7 +622,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c /* Chdir to the root directory so that the current disk can be unmounted if desired. */ chdir("/"); -@@ -2183,6 +2197,9 @@ do_ssh2_kex(void) +@@ -2274,6 +2288,9 @@ do_ssh2_kex(void) if (options.ciphers != NULL) { myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; @@ -643,7 +632,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c } myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); -@@ -2192,6 +2209,9 @@ do_ssh2_kex(void) +@@ -2283,6 +2300,9 @@ do_ssh2_kex(void) if (options.macs != NULL) { myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; @@ -653,9 +642,9 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c } if (options.compression == COMP_NONE) { myproposal[PROPOSAL_COMP_ALGS_CTOS] = -diff -up openssh-5.3p1/ssh-keygen.c.fips openssh-5.3p1/ssh-keygen.c ---- openssh-5.3p1/ssh-keygen.c.fips 2009-10-02 14:12:00.000000000 +0200 -+++ openssh-5.3p1/ssh-keygen.c 2009-10-02 14:12:00.000000000 +0200 +diff -up openssh-5.4p1/ssh-keygen.c.fips openssh-5.4p1/ssh-keygen.c +--- openssh-5.4p1/ssh-keygen.c.fips 2010-02-26 21:55:06.000000000 +0100 ++++ openssh-5.4p1/ssh-keygen.c 2010-03-01 17:55:29.000000000 +0100 @@ -21,6 +21,7 @@ #include @@ -664,7 +653,7 @@ diff -up openssh-5.3p1/ssh-keygen.c.fips openssh-5.3p1/ssh-keygen.c #include "openbsd-compat/openssl-compat.h" #include -@@ -537,7 +538,7 @@ do_fingerprint(struct passwd *pw) +@@ -524,7 +525,7 @@ do_fingerprint(struct passwd *pw) enum fp_type fptype; struct stat st; @@ -673,7 +662,7 @@ diff -up openssh-5.3p1/ssh-keygen.c.fips openssh-5.3p1/ssh-keygen.c rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; if (!have_identity) -@@ -1506,14 +1507,15 @@ passphrase_again: +@@ -1808,14 +1809,15 @@ passphrase_again: fclose(f); if (!quiet) { diff --git a/openssh-5.3p1-gsskex.patch b/openssh-5.4p1-gsskex.patch similarity index 90% rename from openssh-5.3p1-gsskex.patch rename to openssh-5.4p1-gsskex.patch index 0ff0d54..8a626a4 100644 --- a/openssh-5.3p1-gsskex.patch +++ b/openssh-5.4p1-gsskex.patch @@ -1,6 +1,6 @@ -diff -up openssh-5.3p1/auth2.c.gsskex openssh-5.3p1/auth2.c ---- openssh-5.3p1/auth2.c.gsskex 2009-11-20 14:38:55.000000000 +0100 -+++ openssh-5.3p1/auth2.c 2009-11-20 14:39:04.000000000 +0100 +diff -up openssh-5.4p1/auth2.c.gsskex openssh-5.4p1/auth2.c +--- openssh-5.4p1/auth2.c.gsskex 2010-03-01 18:14:24.000000000 +0100 ++++ openssh-5.4p1/auth2.c 2010-03-01 18:14:28.000000000 +0100 @@ -69,6 +69,7 @@ extern Authmethod method_passwd; extern Authmethod method_kbdint; extern Authmethod method_hostbased; @@ -35,9 +35,9 @@ diff -up openssh-5.3p1/auth2.c.gsskex openssh-5.3p1/auth2.c authctxt->failures++; if (authctxt->failures >= options.max_authtries) { #ifdef SSH_AUDIT_EVENTS -diff -up openssh-5.3p1/auth2-gss.c.gsskex openssh-5.3p1/auth2-gss.c ---- openssh-5.3p1/auth2-gss.c.gsskex 2009-11-20 14:38:55.000000000 +0100 -+++ openssh-5.3p1/auth2-gss.c 2009-11-20 14:39:04.000000000 +0100 +diff -up openssh-5.4p1/auth2-gss.c.gsskex openssh-5.4p1/auth2-gss.c +--- openssh-5.4p1/auth2-gss.c.gsskex 2010-03-01 18:14:24.000000000 +0100 ++++ openssh-5.4p1/auth2-gss.c 2010-03-01 18:14:28.000000000 +0100 @@ -1,7 +1,7 @@ /* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */ @@ -137,9 +137,9 @@ diff -up openssh-5.3p1/auth2-gss.c.gsskex openssh-5.3p1/auth2-gss.c Authmethod method_gssapi = { "gssapi-with-mic", userauth_gssapi, -diff -up openssh-5.3p1/auth.h.gsskex openssh-5.3p1/auth.h ---- openssh-5.3p1/auth.h.gsskex 2009-11-20 14:38:55.000000000 +0100 -+++ openssh-5.3p1/auth.h 2009-11-20 14:39:04.000000000 +0100 +diff -up openssh-5.4p1/auth.h.gsskex openssh-5.4p1/auth.h +--- openssh-5.4p1/auth.h.gsskex 2010-03-01 18:14:25.000000000 +0100 ++++ openssh-5.4p1/auth.h 2010-03-01 18:14:28.000000000 +0100 @@ -53,6 +53,7 @@ struct Authctxt { int valid; /* user exists and is allowed to login */ int attempt; @@ -148,10 +148,10 @@ diff -up openssh-5.3p1/auth.h.gsskex openssh-5.3p1/auth.h int force_pwchange; char *user; /* username sent by the client */ char *service; -diff -up openssh-5.3p1/auth-krb5.c.gsskex openssh-5.3p1/auth-krb5.c ---- openssh-5.3p1/auth-krb5.c.gsskex 2006-08-05 04:39:39.000000000 +0200 -+++ openssh-5.3p1/auth-krb5.c 2009-11-20 14:39:04.000000000 +0100 -@@ -166,8 +166,13 @@ auth_krb5_password(Authctxt *authctxt, c +diff -up openssh-5.4p1/auth-krb5.c.gsskex openssh-5.4p1/auth-krb5.c +--- openssh-5.4p1/auth-krb5.c.gsskex 2009-12-21 00:49:22.000000000 +0100 ++++ openssh-5.4p1/auth-krb5.c 2010-03-01 18:14:28.000000000 +0100 +@@ -170,8 +170,13 @@ auth_krb5_password(Authctxt *authctxt, c len = strlen(authctxt->krb5_ticket_file) + 6; authctxt->krb5_ccname = xmalloc(len); @@ -165,7 +165,7 @@ diff -up openssh-5.3p1/auth-krb5.c.gsskex openssh-5.3p1/auth-krb5.c #ifdef USE_PAM if (options.use_pam) -@@ -219,15 +224,22 @@ krb5_cleanup_proc(Authctxt *authctxt) +@@ -226,15 +231,22 @@ krb5_cleanup_proc(Authctxt *authctxt) #ifndef HEIMDAL krb5_error_code ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { @@ -190,7 +190,7 @@ diff -up openssh-5.3p1/auth-krb5.c.gsskex openssh-5.3p1/auth-krb5.c old_umask = umask(0177); tmpfd = mkstemp(ccname + strlen("FILE:")); umask(old_umask); -@@ -242,6 +254,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_c +@@ -249,6 +261,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_c return errno; } close(tmpfd); @@ -198,9 +198,9 @@ diff -up openssh-5.3p1/auth-krb5.c.gsskex openssh-5.3p1/auth-krb5.c return (krb5_cc_resolve(ctx, ccname, ccache)); } -diff -up /dev/null openssh-5.3p1/ChangeLog.gssapi ---- /dev/null 2009-11-13 11:29:57.672908570 +0100 -+++ openssh-5.3p1/ChangeLog.gssapi 2009-11-20 14:39:04.000000000 +0100 +diff -up openssh-5.4p1/ChangeLog.gssapi.gsskex openssh-5.4p1/ChangeLog.gssapi +--- openssh-5.4p1/ChangeLog.gssapi.gsskex 2010-03-01 18:14:28.000000000 +0100 ++++ openssh-5.4p1/ChangeLog.gssapi 2010-03-01 18:14:28.000000000 +0100 @@ -0,0 +1,95 @@ +20090615 + - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c @@ -297,9 +297,9 @@ diff -up /dev/null openssh-5.3p1/ChangeLog.gssapi + add support for GssapiTrustDns option for gssapi-with-mic + (from jbasney AT ncsa.uiuc.edu) + -diff -up openssh-5.3p1/clientloop.c.gsskex openssh-5.3p1/clientloop.c ---- openssh-5.3p1/clientloop.c.gsskex 2009-08-28 03:21:07.000000000 +0200 -+++ openssh-5.3p1/clientloop.c 2009-11-20 14:48:53.000000000 +0100 +diff -up openssh-5.4p1/clientloop.c.gsskex openssh-5.4p1/clientloop.c +--- openssh-5.4p1/clientloop.c.gsskex 2010-01-30 07:28:35.000000000 +0100 ++++ openssh-5.4p1/clientloop.c 2010-03-01 18:14:28.000000000 +0100 @@ -111,6 +111,10 @@ #include "msg.h" #include "roaming.h" @@ -311,7 +311,7 @@ diff -up openssh-5.3p1/clientloop.c.gsskex openssh-5.3p1/clientloop.c /* import options */ extern Options options; -@@ -1430,6 +1434,13 @@ client_loop(int have_pty, int escape_cha +@@ -1431,6 +1435,13 @@ client_loop(int have_pty, int escape_cha /* Do channel operations unless rekeying in progress. */ if (!rekeying) { channel_after_select(readset, writeset); @@ -325,9 +325,9 @@ diff -up openssh-5.3p1/clientloop.c.gsskex openssh-5.3p1/clientloop.c if (need_rekeying || packet_need_rekeying()) { debug("need rekeying"); xxx_kex->done = 0; -diff -up openssh-5.3p1/configure.ac.gsskex openssh-5.3p1/configure.ac ---- openssh-5.3p1/configure.ac.gsskex 2009-11-20 14:39:02.000000000 +0100 -+++ openssh-5.3p1/configure.ac 2009-11-20 14:39:04.000000000 +0100 +diff -up openssh-5.4p1/configure.ac.gsskex openssh-5.4p1/configure.ac +--- openssh-5.4p1/configure.ac.gsskex 2010-03-01 18:14:27.000000000 +0100 ++++ openssh-5.4p1/configure.ac 2010-03-01 18:14:28.000000000 +0100 @@ -477,6 +477,30 @@ main() { if (NSVersionOfRunTimeLibrary(" [Use tunnel device compatibility to OpenBSD]) AC_DEFINE(SSH_TUN_PREPEND_AF, 1, @@ -359,9 +359,9 @@ diff -up openssh-5.3p1/configure.ac.gsskex openssh-5.3p1/configure.ac m4_pattern_allow(AU_IPv) AC_CHECK_DECL(AU_IPv4, [], AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records]) -diff -up openssh-5.3p1/gss-genr.c.gsskex openssh-5.3p1/gss-genr.c ---- openssh-5.3p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200 -+++ openssh-5.3p1/gss-genr.c 2009-11-20 14:39:04.000000000 +0100 +diff -up openssh-5.4p1/gss-genr.c.gsskex openssh-5.4p1/gss-genr.c +--- openssh-5.4p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200 ++++ openssh-5.4p1/gss-genr.c 2010-03-01 18:14:28.000000000 +0100 @@ -39,12 +39,167 @@ #include "buffer.h" #include "log.h" @@ -700,9 +700,9 @@ diff -up openssh-5.3p1/gss-genr.c.gsskex openssh-5.3p1/gss-genr.c +} + #endif /* GSSAPI */ -diff -up openssh-5.3p1/gss-serv.c.gsskex openssh-5.3p1/gss-serv.c ---- openssh-5.3p1/gss-serv.c.gsskex 2008-05-19 07:05:07.000000000 +0200 -+++ openssh-5.3p1/gss-serv.c 2009-11-20 14:39:05.000000000 +0100 +diff -up openssh-5.4p1/gss-serv.c.gsskex openssh-5.4p1/gss-serv.c +--- openssh-5.4p1/gss-serv.c.gsskex 2008-05-19 07:05:07.000000000 +0200 ++++ openssh-5.4p1/gss-serv.c 2010-03-01 18:14:28.000000000 +0100 @@ -1,7 +1,7 @@ /* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */ @@ -1016,9 +1016,9 @@ diff -up openssh-5.3p1/gss-serv.c.gsskex openssh-5.3p1/gss-serv.c } #endif -diff -up openssh-5.3p1/gss-serv-krb5.c.gsskex openssh-5.3p1/gss-serv-krb5.c ---- openssh-5.3p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200 -+++ openssh-5.3p1/gss-serv-krb5.c 2009-11-20 14:39:04.000000000 +0100 +diff -up openssh-5.4p1/gss-serv-krb5.c.gsskex openssh-5.4p1/gss-serv-krb5.c +--- openssh-5.4p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200 ++++ openssh-5.4p1/gss-serv-krb5.c 2010-03-01 18:14:28.000000000 +0100 @@ -1,7 +1,7 @@ /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ @@ -1139,12 +1139,12 @@ diff -up openssh-5.3p1/gss-serv-krb5.c.gsskex openssh-5.3p1/gss-serv-krb5.c }; #endif /* KRB5 */ -diff -up openssh-5.3p1/kex.c.gsskex openssh-5.3p1/kex.c ---- openssh-5.3p1/kex.c.gsskex 2009-06-21 10:15:25.000000000 +0200 -+++ openssh-5.3p1/kex.c 2009-11-20 14:50:11.000000000 +0100 -@@ -49,6 +49,10 @@ - #include "dispatch.h" +diff -up openssh-5.4p1/kex.c.gsskex openssh-5.4p1/kex.c +--- openssh-5.4p1/kex.c.gsskex 2010-01-08 06:50:41.000000000 +0100 ++++ openssh-5.4p1/kex.c 2010-03-01 18:18:42.000000000 +0100 +@@ -50,6 +50,10 @@ #include "monitor.h" + #include "roaming.h" +#ifdef GSSAPI +#include "ssh-gss.h" @@ -1153,7 +1153,7 @@ diff -up openssh-5.3p1/kex.c.gsskex openssh-5.3p1/kex.c #if OPENSSL_VERSION_NUMBER >= 0x00907000L # if defined(HAVE_EVP_SHA256) # define evp_ssh_sha256 EVP_sha256 -@@ -325,6 +329,20 @@ choose_kex(Kex *k, char *client, char *s +@@ -326,6 +330,20 @@ choose_kex(Kex *k, char *client, char *s k->kex_type = KEX_DH_GEX_SHA256; k->evp_md = evp_ssh_sha256(); #endif @@ -1174,9 +1174,9 @@ diff -up openssh-5.3p1/kex.c.gsskex openssh-5.3p1/kex.c } else fatal("bad kex alg %s", k->name); } -diff -up /dev/null openssh-5.3p1/kexgssc.c ---- /dev/null 2009-11-13 11:29:57.672908570 +0100 -+++ openssh-5.3p1/kexgssc.c 2009-11-20 14:39:05.000000000 +0100 +diff -up openssh-5.4p1/kexgssc.c.gsskex openssh-5.4p1/kexgssc.c +--- openssh-5.4p1/kexgssc.c.gsskex 2010-03-01 18:14:28.000000000 +0100 ++++ openssh-5.4p1/kexgssc.c 2010-03-01 18:14:28.000000000 +0100 @@ -0,0 +1,334 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -1512,9 +1512,9 @@ diff -up /dev/null openssh-5.3p1/kexgssc.c +} + +#endif /* GSSAPI */ -diff -up /dev/null openssh-5.3p1/kexgsss.c ---- /dev/null 2009-11-13 11:29:57.672908570 +0100 -+++ openssh-5.3p1/kexgsss.c 2009-11-20 14:39:05.000000000 +0100 +diff -up openssh-5.4p1/kexgsss.c.gsskex openssh-5.4p1/kexgsss.c +--- openssh-5.4p1/kexgsss.c.gsskex 2010-03-01 18:14:28.000000000 +0100 ++++ openssh-5.4p1/kexgsss.c 2010-03-01 18:14:28.000000000 +0100 @@ -0,0 +1,288 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -1804,10 +1804,10 @@ diff -up /dev/null openssh-5.3p1/kexgsss.c + ssh_gssapi_rekey_creds(); +} +#endif /* GSSAPI */ -diff -up openssh-5.3p1/kex.h.gsskex openssh-5.3p1/kex.h ---- openssh-5.3p1/kex.h.gsskex 2009-06-21 10:15:25.000000000 +0200 -+++ openssh-5.3p1/kex.h 2009-11-20 14:39:05.000000000 +0100 -@@ -66,6 +66,9 @@ enum kex_exchange { +diff -up openssh-5.4p1/kex.h.gsskex openssh-5.4p1/kex.h +--- openssh-5.4p1/kex.h.gsskex 2010-02-26 21:55:05.000000000 +0100 ++++ openssh-5.4p1/kex.h 2010-03-01 18:14:28.000000000 +0100 +@@ -67,6 +67,9 @@ enum kex_exchange { KEX_DH_GRP14_SHA1, KEX_DH_GEX_SHA1, KEX_DH_GEX_SHA256, @@ -1817,7 +1817,7 @@ diff -up openssh-5.3p1/kex.h.gsskex openssh-5.3p1/kex.h KEX_MAX }; -@@ -121,6 +124,12 @@ struct Kex { +@@ -123,6 +126,12 @@ struct Kex { sig_atomic_t done; int flags; const EVP_MD *evp_md; @@ -1830,7 +1830,7 @@ diff -up openssh-5.3p1/kex.h.gsskex openssh-5.3p1/kex.h char *client_version_string; char *server_version_string; int (*verify_host_key)(Key *); -@@ -143,6 +152,11 @@ void kexdh_server(Kex *); +@@ -146,6 +155,11 @@ void kexdh_server(Kex *); void kexgex_client(Kex *); void kexgex_server(Kex *); @@ -1842,54 +1842,58 @@ diff -up openssh-5.3p1/kex.h.gsskex openssh-5.3p1/kex.h void kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); -diff -up openssh-5.3p1/key.c.gsskex openssh-5.3p1/key.c ---- openssh-5.3p1/key.c.gsskex 2009-11-20 14:38:59.000000000 +0100 -+++ openssh-5.3p1/key.c 2009-11-20 14:39:05.000000000 +0100 -@@ -825,6 +825,8 @@ key_type_from_name(char *name) - return KEY_RSA; - } else if (strcmp(name, "ssh-dss") == 0) { - return KEY_DSA; +diff -up openssh-5.4p1/key.c.gsskex openssh-5.4p1/key.c +--- openssh-5.4p1/key.c.gsskex 2010-02-26 21:55:05.000000000 +0100 ++++ openssh-5.4p1/key.c 2010-03-01 18:20:43.000000000 +0100 +@@ -969,6 +969,8 @@ key_type_from_name(char *name) + return KEY_RSA_CERT; + } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) { + return KEY_DSA_CERT; + } else if (strcmp(name, "null") == 0) { + return KEY_NULL; } debug2("key_type_from_name: unknown key type '%s'", name); return KEY_UNSPEC; -diff -up openssh-5.3p1/key.h.gsskex openssh-5.3p1/key.h ---- openssh-5.3p1/key.h.gsskex 2009-11-20 14:38:59.000000000 +0100 -+++ openssh-5.3p1/key.h 2009-11-20 14:50:59.000000000 +0100 -@@ -40,6 +40,7 @@ enum types { - KEY_RSA, +diff -up openssh-5.4p1/key.h.gsskex openssh-5.4p1/key.h +--- openssh-5.4p1/key.h.gsskex 2010-02-26 21:55:05.000000000 +0100 ++++ openssh-5.4p1/key.h 2010-03-01 18:21:22.000000000 +0100 +@@ -37,6 +37,7 @@ enum types { KEY_DSA, - KEY_NSS, + KEY_RSA_CERT, + KEY_DSA_CERT, + KEY_NULL, KEY_UNSPEC }; enum fp_type { -diff -up openssh-5.3p1/Makefile.in.gsskex openssh-5.3p1/Makefile.in ---- openssh-5.3p1/Makefile.in.gsskex 2009-11-20 14:39:02.000000000 +0100 -+++ openssh-5.3p1/Makefile.in 2009-11-20 15:06:44.000000000 +0100 -@@ -71,7 +71,8 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b - atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ +diff -up openssh-5.4p1/Makefile.in.gsskex openssh-5.4p1/Makefile.in +--- openssh-5.4p1/Makefile.in.gsskex 2010-03-01 18:14:27.000000000 +0100 ++++ openssh-5.4p1/Makefile.in 2010-03-01 18:23:31.000000000 +0100 +@@ -74,11 +74,11 @@ monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ - kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \ -- entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o nsskeys.o -+ entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o nsskeys.o \ -+ kexgssc.o + kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \ + entropy.o gss-genr.o umac.o jpake.o schnorr.o \ +- ssh-pkcs11.o ++ ssh-pkcs11.o kexgssc.o SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o \ -@@ -85,7 +86,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw - auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ - monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \ - auth-krb5.o \ -- auth2-gss.o gss-serv.o gss-serv-krb5.o \ -+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\ +- roaming_common.o roaming_client.o ++ roaming_common.o roaming_client.o kexgssc.o + + SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ + sshpty.o sshlogin.o servconf.o serverloop.o \ +@@ -91,7 +91,7 @@ + auth2-gss.o gss-serv.o gss-serv-krb5.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ - roaming_common.o -diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c ---- openssh-5.3p1/monitor.c.gsskex 2009-11-20 14:38:55.000000000 +0100 -+++ openssh-5.3p1/monitor.c 2009-11-20 14:39:05.000000000 +0100 +- roaming_common.o roaming_serv.o ++ roaming_common.o roaming_serv.o kexgsss.o + + MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out + MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 +diff -up openssh-5.4p1/monitor.c.gsskex openssh-5.4p1/monitor.c +--- openssh-5.4p1/monitor.c.gsskex 2010-03-01 18:14:25.000000000 +0100 ++++ openssh-5.4p1/monitor.c 2010-03-01 18:14:29.000000000 +0100 @@ -175,6 +175,8 @@ int mm_answer_gss_setup_ctx(int, Buffer int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_userok(int, Buffer *); @@ -1956,7 +1960,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c kex->server = 1; kex->hostkey_type = buffer_get_int(m); kex->kex_type = buffer_get_int(m); -@@ -1943,6 +1967,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer +@@ -1944,6 +1968,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer OM_uint32 major; u_int len; @@ -1966,7 +1970,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c goid.elements = buffer_get_string(m, &len); goid.length = len; -@@ -1970,6 +1997,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe +@@ -1971,6 +1998,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe OM_uint32 flags = 0; /* GSI needs this */ u_int len; @@ -1976,7 +1980,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c in.value = buffer_get_string(m, &len); in.length = len; major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); -@@ -1987,6 +2017,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe +@@ -1988,6 +2018,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); @@ -1984,7 +1988,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c } return (0); } -@@ -1998,6 +2029,9 @@ mm_answer_gss_checkmic(int sock, Buffer +@@ -1999,6 +2030,9 @@ mm_answer_gss_checkmic(int sock, Buffer OM_uint32 ret; u_int len; @@ -1994,7 +1998,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c gssbuf.value = buffer_get_string(m, &len); gssbuf.length = len; mic.value = buffer_get_string(m, &len); -@@ -2024,7 +2058,11 @@ mm_answer_gss_userok(int sock, Buffer *m +@@ -2025,7 +2059,11 @@ mm_answer_gss_userok(int sock, Buffer *m { int authenticated; @@ -2007,7 +2011,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c buffer_clear(m); buffer_put_int(m, authenticated); -@@ -2037,6 +2075,74 @@ mm_answer_gss_userok(int sock, Buffer *m +@@ -2038,6 +2076,74 @@ mm_answer_gss_userok(int sock, Buffer *m /* Monitor loop will terminate if authenticated */ return (authenticated); } @@ -2082,9 +2086,9 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c #endif /* GSSAPI */ #ifdef JPAKE -diff -up openssh-5.3p1/monitor.h.gsskex openssh-5.3p1/monitor.h ---- openssh-5.3p1/monitor.h.gsskex 2009-11-20 14:38:55.000000000 +0100 -+++ openssh-5.3p1/monitor.h 2009-11-20 14:39:05.000000000 +0100 +diff -up openssh-5.4p1/monitor.h.gsskex openssh-5.4p1/monitor.h +--- openssh-5.4p1/monitor.h.gsskex 2010-03-01 18:14:25.000000000 +0100 ++++ openssh-5.4p1/monitor.h 2010-03-01 18:14:29.000000000 +0100 @@ -56,6 +56,8 @@ enum monitor_reqtype { MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP, MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK, @@ -2094,9 +2098,9 @@ diff -up openssh-5.3p1/monitor.h.gsskex openssh-5.3p1/monitor.h MONITOR_REQ_PAM_START, MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, -diff -up openssh-5.3p1/monitor_wrap.c.gsskex openssh-5.3p1/monitor_wrap.c ---- openssh-5.3p1/monitor_wrap.c.gsskex 2009-11-20 14:38:55.000000000 +0100 -+++ openssh-5.3p1/monitor_wrap.c 2009-11-20 14:39:05.000000000 +0100 +diff -up openssh-5.4p1/monitor_wrap.c.gsskex openssh-5.4p1/monitor_wrap.c +--- openssh-5.4p1/monitor_wrap.c.gsskex 2010-03-01 18:14:25.000000000 +0100 ++++ openssh-5.4p1/monitor_wrap.c 2010-03-01 18:14:29.000000000 +0100 @@ -1267,7 +1267,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss } @@ -2158,9 +2162,9 @@ diff -up openssh-5.3p1/monitor_wrap.c.gsskex openssh-5.3p1/monitor_wrap.c #endif /* GSSAPI */ #ifdef JPAKE -diff -up openssh-5.3p1/monitor_wrap.h.gsskex openssh-5.3p1/monitor_wrap.h ---- openssh-5.3p1/monitor_wrap.h.gsskex 2009-11-20 14:38:55.000000000 +0100 -+++ openssh-5.3p1/monitor_wrap.h 2009-11-20 14:39:05.000000000 +0100 +diff -up openssh-5.4p1/monitor_wrap.h.gsskex openssh-5.4p1/monitor_wrap.h +--- openssh-5.4p1/monitor_wrap.h.gsskex 2010-03-01 18:14:25.000000000 +0100 ++++ openssh-5.4p1/monitor_wrap.h 2010-03-01 18:14:29.000000000 +0100 @@ -60,8 +60,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, @@ -2173,10 +2177,10 @@ diff -up openssh-5.3p1/monitor_wrap.h.gsskex openssh-5.3p1/monitor_wrap.h #endif #ifdef USE_PAM -diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c ---- openssh-5.3p1/readconf.c.gsskex 2009-11-20 14:38:59.000000000 +0100 -+++ openssh-5.3p1/readconf.c 2009-11-20 14:39:06.000000000 +0100 -@@ -128,6 +128,7 @@ typedef enum { +diff -up openssh-5.4p1/readconf.c.gsskex openssh-5.4p1/readconf.c +--- openssh-5.4p1/readconf.c.gsskex 2010-02-11 23:21:03.000000000 +0100 ++++ openssh-5.4p1/readconf.c 2010-03-01 18:14:29.000000000 +0100 +@@ -127,6 +127,7 @@ typedef enum { oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssDelegateCreds, @@ -2184,7 +2188,7 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, -@@ -165,10 +166,18 @@ static struct { +@@ -164,10 +165,18 @@ static struct { { "afstokenpassing", oUnsupported }, #if defined(GSSAPI) { "gssapiauthentication", oGssAuthentication }, @@ -2203,7 +2207,7 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c #endif { "fallbacktorsh", oDeprecated }, { "usersh", oDeprecated }, -@@ -462,10 +471,26 @@ parse_flag: +@@ -456,10 +465,26 @@ parse_flag: intptr = &options->gss_authentication; goto parse_flag; @@ -2230,7 +2234,7 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c case oBatchMode: intptr = &options->batch_mode; goto parse_flag; -@@ -1029,7 +1054,11 @@ initialize_options(Options * options) +@@ -1015,7 +1040,11 @@ initialize_options(Options * options) options->pubkey_authentication = -1; options->challenge_response_authentication = -1; options->gss_authentication = -1; @@ -2242,7 +2246,7 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; -@@ -1123,8 +1152,14 @@ fill_default_options(Options * options) +@@ -1107,8 +1136,14 @@ fill_default_options(Options * options) options->challenge_response_authentication = 1; if (options->gss_authentication == -1) options->gss_authentication = 0; @@ -2257,9 +2261,9 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -diff -up openssh-5.3p1/readconf.h.gsskex openssh-5.3p1/readconf.h ---- openssh-5.3p1/readconf.h.gsskex 2009-11-20 14:38:59.000000000 +0100 -+++ openssh-5.3p1/readconf.h 2009-11-20 14:39:06.000000000 +0100 +diff -up openssh-5.4p1/readconf.h.gsskex openssh-5.4p1/readconf.h +--- openssh-5.4p1/readconf.h.gsskex 2010-02-11 23:21:03.000000000 +0100 ++++ openssh-5.4p1/readconf.h 2010-03-01 18:14:29.000000000 +0100 @@ -44,7 +44,11 @@ typedef struct { int challenge_response_authentication; /* Try S/Key or TIS, authentication. */ @@ -2272,10 +2276,10 @@ diff -up openssh-5.3p1/readconf.h.gsskex openssh-5.3p1/readconf.h int password_authentication; /* Try password * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ -diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c ---- openssh-5.3p1/servconf.c.gsskex 2009-11-20 14:39:03.000000000 +0100 -+++ openssh-5.3p1/servconf.c 2009-11-20 14:52:27.000000000 +0100 -@@ -92,7 +92,10 @@ initialize_server_options(ServerOptions +diff -up openssh-5.4p1/servconf.c.gsskex openssh-5.4p1/servconf.c +--- openssh-5.4p1/servconf.c.gsskex 2010-03-01 18:14:28.000000000 +0100 ++++ openssh-5.4p1/servconf.c 2010-03-01 18:25:32.000000000 +0100 +@@ -93,7 +93,10 @@ initialize_server_options(ServerOptions options->kerberos_ticket_cleanup = -1; options->kerberos_get_afs_token = -1; options->gss_authentication=-1; @@ -2286,7 +2290,7 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; -@@ -213,8 +216,14 @@ fill_default_server_options(ServerOption +@@ -215,8 +218,14 @@ fill_default_server_options(ServerOption options->kerberos_get_afs_token = 0; if (options->gss_authentication == -1) options->gss_authentication = 0; @@ -2301,7 +2305,7 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -308,7 +317,9 @@ typedef enum { +@@ -310,7 +319,9 @@ typedef enum { sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, @@ -2311,8 +2315,8 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c + sAcceptEnv, sPermitTunnel, sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, - sZeroKnowledgePasswordAuthentication, -@@ -371,9 +382,15 @@ static struct { + sZeroKnowledgePasswordAuthentication, sHostCertificate, +@@ -373,9 +384,15 @@ static struct { #ifdef GSSAPI { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, @@ -2328,7 +2332,7 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c #endif { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, -@@ -906,10 +923,22 @@ process_server_config_line(ServerOptions +@@ -935,10 +952,22 @@ process_server_config_line(ServerOptions intptr = &options->gss_authentication; goto parse_flag; @@ -2351,10 +2355,10 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c case sPasswordAuthentication: intptr = &options->password_authentication; goto parse_flag; -diff -up openssh-5.3p1/servconf.h.gsskex openssh-5.3p1/servconf.h ---- openssh-5.3p1/servconf.h.gsskex 2009-11-20 14:39:03.000000000 +0100 -+++ openssh-5.3p1/servconf.h 2009-11-20 14:39:06.000000000 +0100 -@@ -91,7 +91,10 @@ typedef struct { +diff -up openssh-5.4p1/servconf.h.gsskex openssh-5.4p1/servconf.h +--- openssh-5.4p1/servconf.h.gsskex 2010-03-01 18:14:28.000000000 +0100 ++++ openssh-5.4p1/servconf.h 2010-03-01 18:14:29.000000000 +0100 +@@ -94,7 +94,10 @@ typedef struct { int kerberos_get_afs_token; /* If true, try to get AFS token if * authenticated with Kerberos. */ int gss_authentication; /* If true, permit GSSAPI authentication */ @@ -2365,9 +2369,9 @@ diff -up openssh-5.3p1/servconf.h.gsskex openssh-5.3p1/servconf.h int password_authentication; /* If true, permit password * authentication. */ int kbd_interactive_authentication; /* If true, permit */ -diff -up openssh-5.3p1/ssh_config.5.gsskex openssh-5.3p1/ssh_config.5 ---- openssh-5.3p1/ssh_config.5.gsskex 2009-02-23 00:53:58.000000000 +0100 -+++ openssh-5.3p1/ssh_config.5 2009-11-20 14:39:06.000000000 +0100 +diff -up openssh-5.4p1/ssh_config.5.gsskex openssh-5.4p1/ssh_config.5 +--- openssh-5.4p1/ssh_config.5.gsskex 2010-02-11 23:26:02.000000000 +0100 ++++ openssh-5.4p1/ssh_config.5 2010-03-01 18:14:29.000000000 +0100 @@ -478,11 +478,38 @@ Specifies whether user authentication ba The default is .Dq no . @@ -2408,9 +2412,9 @@ diff -up openssh-5.3p1/ssh_config.5.gsskex openssh-5.3p1/ssh_config.5 .It Cm HashKnownHosts Indicates that .Xr ssh 1 -diff -up openssh-5.3p1/ssh_config.gsskex openssh-5.3p1/ssh_config ---- openssh-5.3p1/ssh_config.gsskex 2009-11-20 14:38:53.000000000 +0100 -+++ openssh-5.3p1/ssh_config 2009-11-20 14:39:06.000000000 +0100 +diff -up openssh-5.4p1/ssh_config.gsskex openssh-5.4p1/ssh_config +--- openssh-5.4p1/ssh_config.gsskex 2010-03-01 18:14:24.000000000 +0100 ++++ openssh-5.4p1/ssh_config 2010-03-01 18:14:29.000000000 +0100 @@ -26,6 +26,8 @@ # HostbasedAuthentication no # GSSAPIAuthentication no @@ -2420,9 +2424,9 @@ diff -up openssh-5.3p1/ssh_config.gsskex openssh-5.3p1/ssh_config # BatchMode no # CheckHostIP yes # AddressFamily any -diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c ---- openssh-5.3p1/sshconnect2.c.gsskex 2009-11-20 14:39:01.000000000 +0100 -+++ openssh-5.3p1/sshconnect2.c 2009-11-20 15:05:03.000000000 +0100 +diff -up openssh-5.4p1/sshconnect2.c.gsskex openssh-5.4p1/sshconnect2.c +--- openssh-5.4p1/sshconnect2.c.gsskex 2010-03-01 18:14:27.000000000 +0100 ++++ openssh-5.4p1/sshconnect2.c 2010-03-01 18:14:29.000000000 +0100 @@ -108,9 +108,34 @@ ssh_kex2(char *host, struct sockaddr *ho { Kex *kex; @@ -2503,7 +2507,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c xxx_kex = kex; dispatch_run(DISPATCH_BLOCK, &kex->done, kex); -@@ -247,6 +299,7 @@ void input_gssapi_token(int type, u_int3 +@@ -253,6 +305,7 @@ void input_gssapi_token(int type, u_int3 void input_gssapi_hash(int type, u_int32_t, void *); void input_gssapi_error(int, u_int32_t, void *); void input_gssapi_errtok(int, u_int32_t, void *); @@ -2511,7 +2515,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c #endif void userauth(Authctxt *, char *); -@@ -262,6 +315,10 @@ static char *authmethods_get(void); +@@ -268,6 +321,10 @@ static char *authmethods_get(void); Authmethod authmethods[] = { #ifdef GSSAPI @@ -2522,7 +2526,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c {"gssapi-with-mic", userauth_gssapi, NULL, -@@ -555,23 +612,35 @@ userauth_gssapi(Authctxt *authctxt) +@@ -576,23 +633,35 @@ userauth_gssapi(Authctxt *authctxt) int ok = 0; char* remotehost = NULL; const char* canonicalhost = get_canonical_hostname(1); @@ -2560,7 +2564,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c ok = 1; /* Mechanism works */ } else { mech++; -@@ -668,8 +737,8 @@ input_gssapi_response(int type, u_int32_ +@@ -689,8 +758,8 @@ input_gssapi_response(int type, u_int32_ { Authctxt *authctxt = ctxt; Gssctxt *gssctxt; @@ -2571,7 +2575,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c if (authctxt == NULL) fatal("input_gssapi_response: no authentication context"); -@@ -779,6 +848,48 @@ input_gssapi_error(int type, u_int32_t p +@@ -800,6 +869,48 @@ input_gssapi_error(int type, u_int32_t p xfree(msg); xfree(lang); } @@ -2620,9 +2624,9 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c #endif /* GSSAPI */ int -diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c ---- openssh-5.3p1/sshd.c.gsskex 2009-11-20 14:39:01.000000000 +0100 -+++ openssh-5.3p1/sshd.c 2009-11-20 14:53:31.000000000 +0100 +diff -up openssh-5.4p1/sshd.c.gsskex openssh-5.4p1/sshd.c +--- openssh-5.4p1/sshd.c.gsskex 2010-03-01 18:14:27.000000000 +0100 ++++ openssh-5.4p1/sshd.c 2010-03-01 18:14:29.000000000 +0100 @@ -129,6 +129,10 @@ int allow_severity; int deny_severity; #endif /* LIBWRAP */ @@ -2634,7 +2638,7 @@ diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c #ifndef O_NOCTTY #define O_NOCTTY 0 #endif -@@ -1546,10 +1550,13 @@ main(int ac, char **av) +@@ -1592,10 +1596,13 @@ main(int ac, char **av) logit("Disabling protocol version 1. Could not load host key"); options.protocol &= ~SSH_PROTO_1; } @@ -2648,7 +2652,7 @@ diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { logit("sshd: no hostkeys available -- exiting."); exit(1); -@@ -1837,6 +1844,60 @@ main(int ac, char **av) +@@ -1928,6 +1935,60 @@ main(int ac, char **av) /* Log the connection. */ verbose("Connection from %.500s port %d", remote_ip, remote_port); @@ -2709,7 +2713,7 @@ diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c /* * We don't want to listen forever unless the other side * successfully authenticates itself. So we set up an alarm which is -@@ -2223,12 +2284,61 @@ do_ssh2_kex(void) +@@ -2314,12 +2375,61 @@ do_ssh2_kex(void) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); @@ -2771,9 +2775,9 @@ diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c kex->server = 1; kex->client_version_string=client_version_string; kex->server_version_string=server_version_string; -diff -up openssh-5.3p1/sshd_config.5.gsskex openssh-5.3p1/sshd_config.5 ---- openssh-5.3p1/sshd_config.5.gsskex 2009-11-20 14:39:03.000000000 +0100 -+++ openssh-5.3p1/sshd_config.5 2009-11-20 14:39:06.000000000 +0100 +diff -up openssh-5.4p1/sshd_config.5.gsskex openssh-5.4p1/sshd_config.5 +--- openssh-5.4p1/sshd_config.5.gsskex 2010-03-01 18:14:28.000000000 +0100 ++++ openssh-5.4p1/sshd_config.5 2010-03-01 18:14:29.000000000 +0100 @@ -379,12 +379,40 @@ Specifies whether user authentication ba The default is .Dq no . @@ -2815,10 +2819,10 @@ diff -up openssh-5.3p1/sshd_config.5.gsskex openssh-5.3p1/sshd_config.5 .It Cm HostbasedAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed -diff -up openssh-5.3p1/sshd_config.gsskex openssh-5.3p1/sshd_config ---- openssh-5.3p1/sshd_config.gsskex 2009-11-20 14:39:04.000000000 +0100 -+++ openssh-5.3p1/sshd_config 2009-11-20 14:54:30.000000000 +0100 -@@ -80,6 +80,8 @@ ChallengeResponseAuthentication no +diff -up openssh-5.4p1/sshd_config.gsskex openssh-5.4p1/sshd_config +--- openssh-5.4p1/sshd_config.gsskex 2010-03-01 18:14:28.000000000 +0100 ++++ openssh-5.4p1/sshd_config 2010-03-01 18:14:29.000000000 +0100 +@@ -78,6 +78,8 @@ ChallengeResponseAuthentication no GSSAPIAuthentication yes #GSSAPICleanupCredentials yes GSSAPICleanupCredentials yes @@ -2827,9 +2831,9 @@ diff -up openssh-5.3p1/sshd_config.gsskex openssh-5.3p1/sshd_config # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will -diff -up openssh-5.3p1/ssh-gss.h.gsskex openssh-5.3p1/ssh-gss.h ---- openssh-5.3p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200 -+++ openssh-5.3p1/ssh-gss.h 2009-11-20 14:39:06.000000000 +0100 +diff -up openssh-5.4p1/ssh-gss.h.gsskex openssh-5.4p1/ssh-gss.h +--- openssh-5.4p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200 ++++ openssh-5.4p1/ssh-gss.h 2010-03-01 18:14:30.000000000 +0100 @@ -1,6 +1,6 @@ /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */ /* diff --git a/openssh-5.3p1-mls.patch b/openssh-5.4p1-mls.patch similarity index 88% rename from openssh-5.3p1-mls.patch rename to openssh-5.4p1-mls.patch index 451b7e8..2fb3ee5 100644 --- a/openssh-5.3p1-mls.patch +++ b/openssh-5.4p1-mls.patch @@ -1,7 +1,7 @@ -diff -up openssh-5.3p1/configure.ac.mls openssh-5.3p1/configure.ac ---- openssh-5.3p1/configure.ac.mls 2009-10-02 14:04:31.000000000 +0200 -+++ openssh-5.3p1/configure.ac 2009-10-02 14:04:31.000000000 +0200 -@@ -3404,6 +3404,7 @@ AC_ARG_WITH(selinux, +diff -up openssh-5.4p1/configure.ac.mls openssh-5.4p1/configure.ac +--- openssh-5.4p1/configure.ac.mls 2010-03-01 15:24:27.000000000 +0100 ++++ openssh-5.4p1/configure.ac 2010-03-01 15:24:28.000000000 +0100 +@@ -3360,6 +3360,7 @@ AC_ARG_WITH(selinux, SSHDLIBS="$SSHDLIBS $LIBSELINUX" LIBS="$LIBS $LIBSELINUX" AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) @@ -9,9 +9,9 @@ diff -up openssh-5.3p1/configure.ac.mls openssh-5.3p1/configure.ac LIBS="$save_LIBS" fi ] ) -diff -up openssh-5.3p1/misc.c.mls openssh-5.3p1/misc.c ---- openssh-5.3p1/misc.c.mls 2009-02-21 22:47:02.000000000 +0100 -+++ openssh-5.3p1/misc.c 2009-10-02 14:04:31.000000000 +0200 +diff -up openssh-5.4p1/misc.c.mls openssh-5.4p1/misc.c +--- openssh-5.4p1/misc.c.mls 2010-01-10 00:31:12.000000000 +0100 ++++ openssh-5.4p1/misc.c 2010-03-01 15:24:28.000000000 +0100 @@ -423,6 +423,7 @@ char * colon(char *cp) { @@ -36,15 +36,16 @@ diff -up openssh-5.3p1/misc.c.mls openssh-5.3p1/misc.c } return (0); } -diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-compat/port-linux.c ---- openssh-5.3p1/openbsd-compat/port-linux.c.mls 2009-10-02 14:04:31.000000000 +0200 -+++ openssh-5.3p1/openbsd-compat/port-linux.c 2009-10-02 14:04:31.000000000 +0200 -@@ -33,12 +33,23 @@ +diff -up openssh-5.4p1/openbsd-compat/port-linux.c.mls openssh-5.4p1/openbsd-compat/port-linux.c +--- openssh-5.4p1/openbsd-compat/port-linux.c.mls 2010-03-01 15:24:27.000000000 +0100 ++++ openssh-5.4p1/openbsd-compat/port-linux.c 2010-03-01 15:25:50.000000000 +0100 +@@ -35,13 +35,24 @@ #include "key.h" #include "hostfile.h" #include "auth.h" +#include "xmalloc.h" + #ifdef WITH_SELINUX #include #include +#include @@ -63,7 +64,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com /* Wrapper around is_selinux_enabled() to log its return value once only */ int -@@ -54,17 +65,173 @@ ssh_selinux_enabled(void) +@@ -57,17 +68,173 @@ ssh_selinux_enabled(void) return (enabled); } @@ -243,7 +244,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com #ifdef HAVE_GETSEUSERBYNAME if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) { sename = NULL; -@@ -72,38 +239,63 @@ ssh_selinux_getctxbyname(char *pwname) +@@ -75,38 +242,63 @@ ssh_selinux_getctxbyname(char *pwname) } #else sename = pwname; @@ -329,7 +330,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com #ifdef HAVE_GETSEUSERBYNAME if (sename != NULL) -@@ -111,14 +303,20 @@ ssh_selinux_getctxbyname(char *pwname) +@@ -114,14 +306,20 @@ ssh_selinux_getctxbyname(char *pwname) if (lvl != NULL) xfree(lvl); #endif @@ -351,7 +352,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com security_context_t user_ctx = NULL; if (!ssh_selinux_enabled()) -@@ -126,22 +324,45 @@ ssh_selinux_setup_exec_context(char *pwn +@@ -129,22 +327,45 @@ ssh_selinux_setup_exec_context(char *pwn debug3("%s: setting execution context", __func__); @@ -404,7 +405,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com debug3("%s: done", __func__); } -@@ -159,7 +380,10 @@ ssh_selinux_setup_pty(char *pwname, cons +@@ -162,7 +383,10 @@ ssh_selinux_setup_pty(char *pwname, cons debug3("%s: setting TTY context on %s", __func__, tty); @@ -416,10 +417,10 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com /* XXX: should these calls fatal() upon failure in enforcing mode? */ -diff -up openssh-5.3p1/session.c.mls openssh-5.3p1/session.c ---- openssh-5.3p1/session.c.mls 2009-08-20 08:20:50.000000000 +0200 -+++ openssh-5.3p1/session.c 2009-10-02 14:06:12.000000000 +0200 -@@ -1550,10 +1550,6 @@ do_setusercontext(struct passwd *pw) +diff -up openssh-5.4p1/session.c.mls openssh-5.4p1/session.c +--- openssh-5.4p1/session.c.mls 2010-01-12 09:51:48.000000000 +0100 ++++ openssh-5.4p1/session.c 2010-03-01 15:24:28.000000000 +0100 +@@ -1559,10 +1559,6 @@ do_setusercontext(struct passwd *pw) if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); @@ -430,10 +431,10 @@ diff -up openssh-5.3p1/session.c.mls openssh-5.3p1/session.c } static void -diff -up openssh-5.3p1/sshd.c.mls openssh-5.3p1/sshd.c ---- openssh-5.3p1/sshd.c.mls 2009-10-02 14:04:31.000000000 +0200 -+++ openssh-5.3p1/sshd.c 2009-10-02 14:04:31.000000000 +0200 -@@ -1896,6 +1896,9 @@ main(int ac, char **av) +diff -up openssh-5.4p1/sshd.c.mls openssh-5.4p1/sshd.c +--- openssh-5.4p1/sshd.c.mls 2010-03-01 15:24:27.000000000 +0100 ++++ openssh-5.4p1/sshd.c 2010-03-01 15:24:28.000000000 +0100 +@@ -1987,6 +1987,9 @@ main(int ac, char **av) restore_uid(); } #endif diff --git a/openssh-5.4p1-0.beta1.fc14.src.rpm b/openssh-5.4p1-noacss.tar.bz2 similarity index 62% rename from openssh-5.4p1-0.beta1.fc14.src.rpm rename to openssh-5.4p1-noacss.tar.bz2 index 8d5379b..1b80b47 100644 Binary files a/openssh-5.4p1-0.beta1.fc14.src.rpm and b/openssh-5.4p1-noacss.tar.bz2 differ diff --git a/openssh-5.3p1-nss-keys.patch b/openssh-5.4p1-nss-keys.patch similarity index 99% rename from openssh-5.3p1-nss-keys.patch rename to openssh-5.4p1-nss-keys.patch index 50a6441..7321816 100644 --- a/openssh-5.3p1-nss-keys.patch +++ b/openssh-5.4p1-nss-keys.patch @@ -186,7 +186,7 @@ diff -up openssh-5.3p1/key.c.nss-keys openssh-5.3p1/key.c diff -up openssh-5.3p1/key.h.nss-keys openssh-5.3p1/key.h --- openssh-5.3p1/key.h.nss-keys 2008-06-12 20:40:35.000000000 +0200 +++ openssh-5.3p1/key.h 2009-11-27 13:43:01.000000000 +0100 -@@ -29,11 +29,17 @@ +@@ -30,6 +30,11 @@ #include #include @@ -198,13 +198,15 @@ diff -up openssh-5.3p1/key.h.nss-keys openssh-5.3p1/key.h typedef struct Key Key; enum types { KEY_RSA1, - KEY_RSA, +@@ -37,6 +42,7 @@ KEY_DSA, + KEY_RSA_CERT, + KEY_DSA_CERT, + KEY_NSS, KEY_UNSPEC }; enum fp_type { -@@ -48,16 +54,30 @@ enum fp_rep { +@@ -51,6 +57,15 @@ /* key is stored in external hardware */ #define KEY_FLAG_EXT 0x0001 @@ -218,23 +220,25 @@ diff -up openssh-5.3p1/key.h.nss-keys openssh-5.3p1/key.h +}; +#endif - struct Key { - int type; - int flags; + #define CERT_MAX_PRINCIPALS 256 + struct KeyCert { +@@ -70,11 +85,16 @@ RSA *rsa; DSA *dsa; + struct KeyCert *cert; +#ifdef HAVE_LIBNSS + NSSKey *nss; +#endif }; Key *key_new(int); + void key_add_private(Key *); Key *key_new_private(int); +Key *key_new_nss(int); +Key *key_new_nss_copy(int, const Key *); void key_free(Key *); Key *key_demote(const Key *); - int key_equal(const Key *, const Key *); + int key_equal_public(const Key *, const Key *); diff -up openssh-5.3p1/Makefile.in.nss-keys openssh-5.3p1/Makefile.in --- openssh-5.3p1/Makefile.in.nss-keys 2009-08-28 02:47:38.000000000 +0200 +++ openssh-5.3p1/Makefile.in 2009-11-27 13:43:01.000000000 +0100 diff --git a/openssh-5.0p1-pam_selinux.patch b/openssh-5.4p1-pam_selinux.patch similarity index 78% rename from openssh-5.0p1-pam_selinux.patch rename to openssh-5.4p1-pam_selinux.patch index acd1611..6b601da 100644 --- a/openssh-5.0p1-pam_selinux.patch +++ b/openssh-5.4p1-pam_selinux.patch @@ -1,18 +1,6 @@ -diff -up openssh-5.0p1/auth-pam.h.pam_selinux openssh-5.0p1/auth-pam.h ---- openssh-5.0p1/auth-pam.h.pam_selinux 2004-09-11 14:17:26.000000000 +0200 -+++ openssh-5.0p1/auth-pam.h 2008-04-30 14:25:28.000000000 +0200 -@@ -38,7 +38,7 @@ void do_pam_session(void); - void do_pam_set_tty(const char *); - void do_pam_setcred(int ); - void do_pam_chauthtok(void); --int do_pam_putenv(char *, char *); -+int do_pam_putenv(char *, const char *); - char ** fetch_pam_environment(void); - char ** fetch_pam_child_environment(void); - void free_pam_environment(char **); -diff -up openssh-5.0p1/auth-pam.c.pam_selinux openssh-5.0p1/auth-pam.c ---- openssh-5.0p1/auth-pam.c.pam_selinux 2008-03-11 12:58:25.000000000 +0100 -+++ openssh-5.0p1/auth-pam.c 2008-04-30 14:25:21.000000000 +0200 +diff -up openssh-5.4p1/auth-pam.c.pam_selinux openssh-5.4p1/auth-pam.c +--- openssh-5.4p1/auth-pam.c.pam_selinux 2009-07-12 14:07:21.000000000 +0200 ++++ openssh-5.4p1/auth-pam.c 2010-03-01 15:27:23.000000000 +0100 @@ -1069,7 +1069,7 @@ is_pam_session_open(void) * during the ssh authentication process. */ @@ -22,18 +10,30 @@ diff -up openssh-5.0p1/auth-pam.c.pam_selinux openssh-5.0p1/auth-pam.c { int ret = 1; #ifdef HAVE_PAM_PUTENV -diff -up openssh-5.0p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.0p1/openbsd-compat/port-linux.c ---- openssh-5.0p1/openbsd-compat/port-linux.c.pam_selinux 2008-04-07 22:01:37.000000000 +0200 -+++ openssh-5.0p1/openbsd-compat/port-linux.c 2008-04-30 14:26:17.000000000 +0200 -@@ -34,6 +34,7 @@ +diff -up openssh-5.4p1/auth-pam.h.pam_selinux openssh-5.4p1/auth-pam.h +--- openssh-5.4p1/auth-pam.h.pam_selinux 2004-09-11 14:17:26.000000000 +0200 ++++ openssh-5.4p1/auth-pam.h 2010-03-01 15:27:23.000000000 +0100 +@@ -38,7 +38,7 @@ void do_pam_session(void); + void do_pam_set_tty(const char *); + void do_pam_setcred(int ); + void do_pam_chauthtok(void); +-int do_pam_putenv(char *, char *); ++int do_pam_putenv(char *, const char *); + char ** fetch_pam_environment(void); + char ** fetch_pam_child_environment(void); + void free_pam_environment(char **); +diff -up openssh-5.4p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.4p1/openbsd-compat/port-linux.c +--- openssh-5.4p1/openbsd-compat/port-linux.c.pam_selinux 2010-03-01 15:27:22.000000000 +0100 ++++ openssh-5.4p1/openbsd-compat/port-linux.c 2010-03-01 15:27:53.000000000 +0100 +@@ -36,6 +36,7 @@ #include "hostfile.h" #include "auth.h" #include "xmalloc.h" +#include "servconf.h" + #ifdef WITH_SELINUX #include - #include -@@ -47,6 +48,7 @@ +@@ -50,6 +51,7 @@ #include #endif @@ -41,7 +41,7 @@ diff -up openssh-5.0p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.0p1/ope extern Authctxt *the_authctxt; extern int inetd_flag; extern int rexeced_flag; -@@ -208,29 +210,38 @@ get_user_context(const char *sename, con +@@ -211,29 +213,38 @@ get_user_context(const char *sename, con return -1; } @@ -92,7 +92,7 @@ diff -up openssh-5.0p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.0p1/ope #ifdef HAVE_GETSEUSERBYNAME if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) { -@@ -311,6 +322,36 @@ ssh_selinux_getctxbyname(char *pwname, +@@ -314,6 +325,36 @@ ssh_selinux_getctxbyname(char *pwname, return (r); } @@ -129,7 +129,7 @@ diff -up openssh-5.0p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.0p1/ope /* Set the execution context to the default for the specified user */ void ssh_selinux_setup_exec_context(char *pwname) -@@ -322,6 +363,24 @@ ssh_selinux_setup_exec_context(char *pwn +@@ -325,6 +366,24 @@ ssh_selinux_setup_exec_context(char *pwn if (!ssh_selinux_enabled()) return; diff --git a/openssh-5.3p1-pka.patch b/openssh-5.4p1-pka.patch similarity index 66% rename from openssh-5.3p1-pka.patch rename to openssh-5.4p1-pka.patch index 0733527..b2e50ac 100644 --- a/openssh-5.3p1-pka.patch +++ b/openssh-5.4p1-pka.patch @@ -1,7 +1,7 @@ -diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c ---- openssh-5.3p1/auth2-pubkey.c.pka 2009-03-08 01:40:28.000000000 +0100 -+++ openssh-5.3p1/auth2-pubkey.c 2010-01-04 16:07:53.000000000 +0100 -@@ -175,26 +175,14 @@ done: +diff -up openssh-5.4p1/auth2-pubkey.c.pka openssh-5.4p1/auth2-pubkey.c +--- openssh-5.4p1/auth2-pubkey.c.pka 2010-03-01 18:10:48.000000000 +0100 ++++ openssh-5.4p1/auth2-pubkey.c 2010-03-01 18:10:50.000000000 +0100 +@@ -186,27 +186,15 @@ done: /* return 1 if user allows given key */ static int @@ -9,6 +9,7 @@ diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c +user_search_key_in_file(FILE *f, char *file, Key* key, struct passwd *pw) { char line[SSH_MAX_PUBKEY_BYTES]; + const char *reason; int found_key = 0; - FILE *f; u_long linenum = 0; @@ -27,9 +28,9 @@ diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c - } - found_key = 0; - found = key_new(key->type); + found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); -@@ -239,21 +227,160 @@ user_key_allowed2(struct passwd *pw, Key +@@ -277,21 +265,160 @@ user_key_allowed2(struct passwd *pw, Key break; } } @@ -193,63 +194,10 @@ diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c file = authorized_keys_file(pw); success = user_key_allowed2(pw, key, file); xfree(file); -diff -up openssh-5.3p1/configure.pka openssh-5.3p1/configure ---- openssh-5.3p1/configure.pka 2009-10-13 19:27:51.000000000 +0200 -+++ openssh-5.3p1/configure 2009-10-15 06:26:33.000000000 +0200 -@@ -769,6 +769,7 @@ with_skey - with_tcp_wrappers - with_libedit - with_audit -+with_pka - with_ssl_dir - with_openssl_header_check - with_ssl_engine -@@ -1473,6 +1474,7 @@ Optional Packages: - --with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH) - --with-libedit[=PATH] Enable libedit support for sftp - --with-audit=module Enable EXPERIMENTAL audit support (modules=debug,bsm) -+ --with-pka Enable pubkey agent support - --with-ssl-dir=PATH Specify path to OpenSSL installation - --without-openssl-header-check Disable OpenSSL version consistency check - --with-ssl-engine Enable OpenSSL (hardware) ENGINE support -@@ -13443,6 +13445,25 @@ $as_echo "$as_me: error: Unknown audit m - fi - - -+# Check whether user wants pubkey agent support -+PKA_MSG="no" -+ -+# Check whether --with-pka was given. -+if test "${with_pka+set}" = set; then -+ withval=$with_pka; -+ if test "x$withval" != "xno" ; then -+ -+cat >>confdefs.h <<\_ACEOF -+#define WITH_PUBKEY_AGENT 1 -+_ACEOF -+ -+ PKA_MSG="yes" -+ fi -+ -+ -+fi -+ -+ - - - -@@ -32772,6 +32793,7 @@ echo " Linux audit support - echo " Smartcard support: $SCARD_MSG" - echo " S/KEY support: $SKEY_MSG" - echo " TCP Wrappers support: $TCPW_MSG" -+echo " PKA support: $PKA_MSG" - echo " MD5 password support: $MD5_MSG" - echo " libedit support: $LIBEDIT_MSG" - echo " Solaris process contract support: $SPC_MSG" -diff -up openssh-5.3p1/configure.ac.pka openssh-5.3p1/configure.ac ---- openssh-5.3p1/configure.ac.pka 2009-09-11 06:56:08.000000000 +0200 -+++ openssh-5.3p1/configure.ac 2010-01-04 16:07:53.000000000 +0100 -@@ -1319,6 +1319,18 @@ AC_ARG_WITH(audit, +diff -up openssh-5.4p1/configure.ac.pka openssh-5.4p1/configure.ac +--- openssh-5.4p1/configure.ac.pka 2010-03-01 18:10:47.000000000 +0100 ++++ openssh-5.4p1/configure.ac 2010-03-01 18:10:50.000000000 +0100 +@@ -1323,6 +1323,18 @@ AC_ARG_WITH(audit, esac ] ) @@ -268,7 +216,7 @@ diff -up openssh-5.3p1/configure.ac.pka openssh-5.3p1/configure.ac dnl Checks for library functions. Please keep in alphabetical order AC_CHECK_FUNCS( \ arc4random \ -@@ -4229,6 +4241,7 @@ echo " SELinux support +@@ -4206,6 +4218,7 @@ echo " Linux audit support echo " Smartcard support: $SCARD_MSG" echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" @@ -276,10 +224,10 @@ diff -up openssh-5.3p1/configure.ac.pka openssh-5.3p1/configure.ac echo " MD5 password support: $MD5_MSG" echo " libedit support: $LIBEDIT_MSG" echo " Solaris process contract support: $SPC_MSG" -diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c ---- openssh-5.3p1/servconf.c.pka 2009-06-21 12:26:17.000000000 +0200 -+++ openssh-5.3p1/servconf.c 2010-01-04 16:07:53.000000000 +0100 -@@ -127,6 +127,8 @@ initialize_server_options(ServerOptions +diff -up openssh-5.4p1/servconf.c.pka openssh-5.4p1/servconf.c +--- openssh-5.4p1/servconf.c.pka 2010-03-01 18:10:46.000000000 +0100 ++++ openssh-5.4p1/servconf.c 2010-03-01 18:13:23.000000000 +0100 +@@ -129,6 +129,8 @@ initialize_server_options(ServerOptions options->num_permitted_opens = -1; options->adm_forced_command = NULL; options->chroot_directory = NULL; @@ -288,18 +236,18 @@ diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c options->zero_knowledge_password_authentication = -1; } -@@ -306,6 +308,7 @@ typedef enum { +@@ -312,6 +314,7 @@ typedef enum { sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, - sZeroKnowledgePasswordAuthentication, + sZeroKnowledgePasswordAuthentication, sHostCertificate, + sPubkeyAgent, sPubkeyAgentRunAs, sDeprecated, sUnsupported } ServerOpCodes; -@@ -424,6 +427,13 @@ static struct { - { "permitopen", sPermitOpen, SSHCFG_ALL }, +@@ -432,6 +435,13 @@ static struct { { "forcecommand", sForceCommand, SSHCFG_ALL }, { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, + { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, +#ifdef WITH_PUBKEY_AGENT + { "pubkeyagent", sPubkeyAgent, SSHCFG_ALL }, + { "pubkeyagentrunas", sPubkeyAgentRunAs, SSHCFG_ALL }, @@ -310,7 +258,7 @@ diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c { NULL, sBadOption, 0 } }; -@@ -1294,6 +1304,20 @@ process_server_config_line(ServerOptions +@@ -1332,6 +1342,20 @@ process_server_config_line(ServerOptions *charptr = xstrdup(arg); break; @@ -331,7 +279,7 @@ diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); -@@ -1387,6 +1411,8 @@ copy_set_server_options(ServerOptions *d +@@ -1425,6 +1449,8 @@ copy_set_server_options(ServerOptions *d M_CP_INTOPT(gss_authentication); M_CP_INTOPT(rsa_authentication); M_CP_INTOPT(pubkey_authentication); @@ -340,10 +288,10 @@ diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c M_CP_INTOPT(kerberos_authentication); M_CP_INTOPT(hostbased_authentication); M_CP_INTOPT(kbd_interactive_authentication); -@@ -1626,6 +1652,10 @@ dump_config(ServerOptions *o) - dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file); +@@ -1666,6 +1692,10 @@ dump_config(ServerOptions *o) dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2); dump_cfg_string(sForceCommand, o->adm_forced_command); + dump_cfg_string(sChrootDirectory, o->chroot_directory); +#ifdef WITH_PUBKEY_AGENT + dump_cfg_string(sPubkeyAgent, o->pubkey_agent); + dump_cfg_string(sPubkeyAgentRunAs, o->pubkey_agent_runas); @@ -351,10 +299,10 @@ diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c /* string arguments requiring a lookup */ dump_cfg_string(sLogLevel, log_level_name(o->log_level)); -diff -up openssh-5.3p1/servconf.h.pka openssh-5.3p1/servconf.h ---- openssh-5.3p1/servconf.h.pka 2009-01-28 06:31:23.000000000 +0100 -+++ openssh-5.3p1/servconf.h 2010-01-04 16:07:53.000000000 +0100 -@@ -151,6 +151,8 @@ typedef struct { +diff -up openssh-5.4p1/servconf.h.pka openssh-5.4p1/servconf.h +--- openssh-5.4p1/servconf.h.pka 2010-03-01 18:10:46.000000000 +0100 ++++ openssh-5.4p1/servconf.h 2010-03-01 18:10:50.000000000 +0100 +@@ -155,6 +155,8 @@ typedef struct { int num_permitted_opens; char *chroot_directory; @@ -363,26 +311,20 @@ diff -up openssh-5.3p1/servconf.h.pka openssh-5.3p1/servconf.h } ServerOptions; void initialize_server_options(ServerOptions *); -diff -up openssh-5.3p1/sshd_config.0.pka openssh-5.3p1/sshd_config.0 ---- openssh-5.3p1/sshd_config.0.pka 2009-09-26 08:31:16.000000000 +0200 -+++ openssh-5.3p1/sshd_config.0 2010-01-04 16:07:53.000000000 +0100 -@@ -344,10 +344,11 @@ DESCRIPTION - AllowTcpForwarding, Banner, ChrootDirectory, ForceCommand, - GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication, +diff -up openssh-5.4p1/sshd_config.0.pka openssh-5.4p1/sshd_config.0 +--- openssh-5.4p1/sshd_config.0.pka 2010-03-01 18:10:46.000000000 +0100 ++++ openssh-5.4p1/sshd_config.0 2010-03-01 18:10:50.000000000 +0100 +@@ -352,7 +352,8 @@ DESCRIPTION KbdInteractiveAuthentication, KerberosAuthentication, -- MaxAuthTries, MaxSessions, PasswordAuthentication, -- PermitEmptyPasswords, PermitOpen, PermitRootLogin, -- RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, -- X11Forwarding and X11UseLocalHost. -+ MaxAuthTries, MaxSessions, PubkeyAuthentication, PubkeyAgent, -+ PubkeyAgentRunAs, PasswordAuthentication, PermitEmptyPasswords, -+ PermitOpen, PermitRootLogin, RhostsRSAAuthentication, -+ RSAAuthentication, X11DisplayOffset, X11Forwarding and -+ X11UseLocalHost. + MaxAuthTries, MaxSessions, PasswordAuthentication, + PermitEmptyPasswords, PermitOpen, PermitRootLogin, +- PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication, ++ PubkeyAuthentication, PubkeyAgent, PubkeyAgentRunAs, ++ RhostsRSAAuthentication, RSAAuthentication, + X11DisplayOffset, X11Forwarding and X11UseLocalHost. MaxAuthTries - Specifies the maximum number of authentication attempts permitted -@@ -455,6 +456,17 @@ DESCRIPTION +@@ -461,6 +462,17 @@ DESCRIPTION fault is ``yes''. Note that this option applies to protocol ver- sion 2 only. @@ -400,22 +342,10 @@ diff -up openssh-5.3p1/sshd_config.0.pka openssh-5.3p1/sshd_config.0 RhostsRSAAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication to- gether with successful RSA host authentication is allowed. The -diff -up openssh-5.3p1/sshd_config.pka openssh-5.3p1/sshd_config ---- openssh-5.3p1/sshd_config.pka 2008-07-02 14:35:43.000000000 +0200 -+++ openssh-5.3p1/sshd_config 2010-01-04 16:07:53.000000000 +0100 -@@ -46,6 +46,8 @@ Protocol 2 - #RSAAuthentication yes - #PubkeyAuthentication yes - #AuthorizedKeysFile .ssh/authorized_keys -+#PubkeyAgent none -+#PubkeyAgentRunAs nobody - - # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts - #RhostsRSAAuthentication no -diff -up openssh-5.3p1/sshd_config.5.pka openssh-5.3p1/sshd_config.5 ---- openssh-5.3p1/sshd_config.5.pka 2009-08-28 02:27:08.000000000 +0200 -+++ openssh-5.3p1/sshd_config.5 2010-01-04 16:07:53.000000000 +0100 -@@ -610,6 +610,9 @@ Available keywords are +diff -up openssh-5.4p1/sshd_config.5.pka openssh-5.4p1/sshd_config.5 +--- openssh-5.4p1/sshd_config.5.pka 2010-03-01 18:10:46.000000000 +0100 ++++ openssh-5.4p1/sshd_config.5 2010-03-01 18:10:50.000000000 +0100 +@@ -618,6 +618,9 @@ Available keywords are .Cm KerberosAuthentication , .Cm MaxAuthTries , .Cm MaxSessions , @@ -425,7 +355,7 @@ diff -up openssh-5.3p1/sshd_config.5.pka openssh-5.3p1/sshd_config.5 .Cm PasswordAuthentication , .Cm PermitEmptyPasswords , .Cm PermitOpen , -@@ -805,6 +808,16 @@ Specifies whether public key authenticat +@@ -814,6 +817,16 @@ Specifies whether public key authenticat The default is .Dq yes . Note that this option applies to protocol version 2 only. @@ -442,3 +372,15 @@ diff -up openssh-5.3p1/sshd_config.5.pka openssh-5.3p1/sshd_config.5 .It Cm RhostsRSAAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is allowed. +diff -up openssh-5.4p1/sshd_config.pka openssh-5.4p1/sshd_config +--- openssh-5.4p1/sshd_config.pka 2010-03-01 18:10:46.000000000 +0100 ++++ openssh-5.4p1/sshd_config 2010-03-01 18:10:50.000000000 +0100 +@@ -45,6 +45,8 @@ SyslogFacility AUTHPRIV + #RSAAuthentication yes + #PubkeyAuthentication yes + #AuthorizedKeysFile .ssh/authorized_keys ++#PubkeyAgent none ++#PubkeyAgentRunAs nobody + + # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts + #RhostsRSAAuthentication no diff --git a/openssh-5.2p1-redhat.patch b/openssh-5.4p1-redhat.patch similarity index 73% rename from openssh-5.2p1-redhat.patch rename to openssh-5.4p1-redhat.patch index 4304065..bd2ad80 100644 --- a/openssh-5.2p1-redhat.patch +++ b/openssh-5.4p1-redhat.patch @@ -1,10 +1,10 @@ -diff -up openssh-5.2p1/ssh_config.redhat openssh-5.2p1/ssh_config ---- openssh-5.2p1/ssh_config.redhat 2009-02-21 02:45:02.000000000 +0100 -+++ openssh-5.2p1/ssh_config 2009-08-09 08:45:11.302092427 +0200 -@@ -44,3 +44,14 @@ - # TunnelDevice any:any +diff -up openssh-5.4p1/ssh_config.redhat openssh-5.4p1/ssh_config +--- openssh-5.4p1/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100 ++++ openssh-5.4p1/ssh_config 2010-03-01 15:15:51.000000000 +0100 +@@ -45,3 +45,14 @@ # PermitLocalCommand no # VisualHostKey no + # ProxyCommand ssh -q -W %h:%p gateway.example.com +Host * + GSSAPIAuthentication yes +# If this option is set to yes then remote X11 clients will have full access @@ -16,10 +16,10 @@ diff -up openssh-5.2p1/ssh_config.redhat openssh-5.2p1/ssh_config + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE + SendEnv XMODIFIERS -diff -up openssh-5.2p1/sshd_config.0.redhat openssh-5.2p1/sshd_config.0 ---- openssh-5.2p1/sshd_config.0.redhat 2009-02-23 01:18:15.000000000 +0100 -+++ openssh-5.2p1/sshd_config.0 2009-08-09 08:45:11.276555108 +0200 -@@ -491,9 +491,9 @@ DESCRIPTION +diff -up openssh-5.4p1/sshd_config.0.redhat openssh-5.4p1/sshd_config.0 +--- openssh-5.4p1/sshd_config.0.redhat 2010-03-01 14:30:04.000000000 +0100 ++++ openssh-5.4p1/sshd_config.0 2010-03-01 15:14:13.000000000 +0100 +@@ -501,9 +501,9 @@ DESCRIPTION SyslogFacility Gives the facility code that is used when logging messages from @@ -32,10 +32,10 @@ diff -up openssh-5.2p1/sshd_config.0.redhat openssh-5.2p1/sshd_config.0 TCPKeepAlive Specifies whether the system should send TCP keepalive messages -diff -up openssh-5.2p1/sshd_config.5.redhat openssh-5.2p1/sshd_config.5 ---- openssh-5.2p1/sshd_config.5.redhat 2009-02-23 01:00:24.000000000 +0100 -+++ openssh-5.2p1/sshd_config.5 2009-08-09 08:45:11.278927203 +0200 -@@ -848,7 +848,7 @@ Note that this option applies to protoco +diff -up openssh-5.4p1/sshd_config.5.redhat openssh-5.4p1/sshd_config.5 +--- openssh-5.4p1/sshd_config.5.redhat 2010-02-26 21:55:06.000000000 +0100 ++++ openssh-5.4p1/sshd_config.5 2010-03-01 15:14:14.000000000 +0100 +@@ -865,7 +865,7 @@ Note that this option applies to protoco .It Cm SyslogFacility Gives the facility code that is used when logging messages from .Xr sshd 8 . @@ -44,10 +44,10 @@ diff -up openssh-5.2p1/sshd_config.5.redhat openssh-5.2p1/sshd_config.5 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH. .It Cm TCPKeepAlive -diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config ---- openssh-5.2p1/sshd_config.redhat 2008-07-02 14:35:43.000000000 +0200 -+++ openssh-5.2p1/sshd_config 2009-08-09 08:47:40.850857227 +0200 -@@ -33,6 +33,7 @@ Protocol 2 +diff -up openssh-5.4p1/sshd_config.redhat openssh-5.4p1/sshd_config +--- openssh-5.4p1/sshd_config.redhat 2009-10-11 12:51:09.000000000 +0200 ++++ openssh-5.4p1/sshd_config 2010-03-01 15:14:14.000000000 +0100 +@@ -31,6 +31,7 @@ # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH @@ -55,7 +55,7 @@ diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config #LogLevel INFO # Authentication: -@@ -60,9 +61,11 @@ Protocol 2 +@@ -58,9 +59,11 @@ # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no @@ -67,7 +67,7 @@ diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config # Kerberos options #KerberosAuthentication no -@@ -72,7 +75,9 @@ Protocol 2 +@@ -70,7 +73,9 @@ # GSSAPI options #GSSAPIAuthentication no @@ -77,7 +77,7 @@ diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will -@@ -84,11 +89,19 @@ Protocol 2 +@@ -82,11 +87,19 @@ # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. #UsePAM no diff --git a/openssh-5.2p1-selinux.patch b/openssh-5.4p1-selinux.patch similarity index 74% rename from openssh-5.2p1-selinux.patch rename to openssh-5.4p1-selinux.patch index 19cea68..465811f 100644 --- a/openssh-5.2p1-selinux.patch +++ b/openssh-5.4p1-selinux.patch @@ -1,7 +1,7 @@ -diff -up openssh-5.2p1/auth1.c.selinux openssh-5.2p1/auth1.c ---- openssh-5.2p1/auth1.c.selinux 2008-07-09 12:54:05.000000000 +0200 -+++ openssh-5.2p1/auth1.c 2009-08-11 22:43:07.918183730 +0200 -@@ -392,6 +392,9 @@ do_authentication(Authctxt *authctxt) +diff -up openssh-5.4p1/auth1.c.selinux openssh-5.4p1/auth1.c +--- openssh-5.4p1/auth1.c.selinux 2010-03-01 15:19:56.000000000 +0100 ++++ openssh-5.4p1/auth1.c 2010-03-01 15:19:57.000000000 +0100 +@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt) { u_int ulen; char *user, *style = NULL; @@ -11,7 +11,7 @@ diff -up openssh-5.2p1/auth1.c.selinux openssh-5.2p1/auth1.c /* Get the name of the user that we wish to log in as. */ packet_read_expect(SSH_CMSG_USER); -@@ -400,11 +403,25 @@ do_authentication(Authctxt *authctxt) +@@ -392,11 +395,25 @@ do_authentication(Authctxt *authctxt) user = packet_get_string(&ulen); packet_check_eom(); @@ -37,9 +37,9 @@ diff -up openssh-5.2p1/auth1.c.selinux openssh-5.2p1/auth1.c /* Verify that the user is a valid user. */ if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) -diff -up openssh-5.2p1/auth2.c.selinux openssh-5.2p1/auth2.c ---- openssh-5.2p1/auth2.c.selinux 2008-11-05 06:20:46.000000000 +0100 -+++ openssh-5.2p1/auth2.c 2009-08-11 22:43:07.919756192 +0200 +diff -up openssh-5.4p1/auth2.c.selinux openssh-5.4p1/auth2.c +--- openssh-5.4p1/auth2.c.selinux 2009-06-22 08:11:07.000000000 +0200 ++++ openssh-5.4p1/auth2.c 2010-03-01 15:19:57.000000000 +0100 @@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32 Authctxt *authctxt = ctxt; Authmethod *m = NULL; @@ -79,9 +79,9 @@ diff -up openssh-5.2p1/auth2.c.selinux openssh-5.2p1/auth2.c userauth_banner(); } else if (strcmp(user, authctxt->user) != 0 || strcmp(service, authctxt->service) != 0) { -diff -up openssh-5.2p1/auth2-gss.c.selinux openssh-5.2p1/auth2-gss.c ---- openssh-5.2p1/auth2-gss.c.selinux 2007-12-02 12:59:45.000000000 +0100 -+++ openssh-5.2p1/auth2-gss.c 2009-08-11 22:43:07.921723295 +0200 +diff -up openssh-5.4p1/auth2-gss.c.selinux openssh-5.4p1/auth2-gss.c +--- openssh-5.4p1/auth2-gss.c.selinux 2007-12-02 12:59:45.000000000 +0100 ++++ openssh-5.4p1/auth2-gss.c 2010-03-01 15:19:57.000000000 +0100 @@ -258,6 +258,7 @@ input_gssapi_mic(int type, u_int32_t ple Authctxt *authctxt = ctxt; Gssctxt *gssctxt; @@ -114,9 +114,9 @@ diff -up openssh-5.2p1/auth2-gss.c.selinux openssh-5.2p1/auth2-gss.c xfree(mic.value); authctxt->postponed = 0; -diff -up openssh-5.2p1/auth2-hostbased.c.selinux openssh-5.2p1/auth2-hostbased.c ---- openssh-5.2p1/auth2-hostbased.c.selinux 2008-07-17 10:57:19.000000000 +0200 -+++ openssh-5.2p1/auth2-hostbased.c 2009-08-11 22:43:07.923721059 +0200 +diff -up openssh-5.4p1/auth2-hostbased.c.selinux openssh-5.4p1/auth2-hostbased.c +--- openssh-5.4p1/auth2-hostbased.c.selinux 2008-07-17 10:57:19.000000000 +0200 ++++ openssh-5.4p1/auth2-hostbased.c 2010-03-01 15:19:57.000000000 +0100 @@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt) buffer_put_string(&b, session_id2, session_id2_len); /* reconstruct packet */ @@ -134,10 +134,10 @@ diff -up openssh-5.2p1/auth2-hostbased.c.selinux openssh-5.2p1/auth2-hostbased.c buffer_put_cstring(&b, service); buffer_put_cstring(&b, "hostbased"); buffer_put_string(&b, pkalg, alen); -diff -up openssh-5.2p1/auth2-pubkey.c.selinux openssh-5.2p1/auth2-pubkey.c ---- openssh-5.2p1/auth2-pubkey.c.selinux 2008-07-04 04:54:25.000000000 +0200 -+++ openssh-5.2p1/auth2-pubkey.c 2009-08-11 22:43:07.925704588 +0200 -@@ -117,7 +117,15 @@ userauth_pubkey(Authctxt *authctxt) +diff -up openssh-5.4p1/auth2-pubkey.c.selinux openssh-5.4p1/auth2-pubkey.c +--- openssh-5.4p1/auth2-pubkey.c.selinux 2010-02-26 21:55:05.000000000 +0100 ++++ openssh-5.4p1/auth2-pubkey.c 2010-03-01 15:19:57.000000000 +0100 +@@ -119,7 +119,15 @@ userauth_pubkey(Authctxt *authctxt) } /* reconstruct packet */ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); @@ -154,9 +154,9 @@ diff -up openssh-5.2p1/auth2-pubkey.c.selinux openssh-5.2p1/auth2-pubkey.c buffer_put_cstring(&b, datafellows & SSH_BUG_PKSERVICE ? "ssh-userauth" : -diff -up openssh-5.2p1/auth.h.selinux openssh-5.2p1/auth.h ---- openssh-5.2p1/auth.h.selinux 2008-11-05 06:20:46.000000000 +0100 -+++ openssh-5.2p1/auth.h 2009-08-11 22:43:07.927199901 +0200 +diff -up openssh-5.4p1/auth.h.selinux openssh-5.4p1/auth.h +--- openssh-5.4p1/auth.h.selinux 2010-02-26 21:55:05.000000000 +0100 ++++ openssh-5.4p1/auth.h 2010-03-01 15:19:57.000000000 +0100 @@ -58,6 +58,9 @@ struct Authctxt { char *service; struct passwd *pw; /* set if 'valid' */ @@ -167,21 +167,21 @@ diff -up openssh-5.2p1/auth.h.selinux openssh-5.2p1/auth.h void *kbdintctxt; void *jpake_ctx; #ifdef BSD_AUTH -diff -up openssh-5.2p1/configure.ac.selinux openssh-5.2p1/configure.ac ---- openssh-5.2p1/configure.ac.selinux 2009-02-16 05:37:03.000000000 +0100 -+++ openssh-5.2p1/configure.ac 2009-08-11 22:43:07.930259052 +0200 -@@ -3335,6 +3335,7 @@ AC_ARG_WITH(selinux, - AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ], - AC_MSG_ERROR(SELinux support requires libselinux library)) +diff -up openssh-5.4p1/configure.ac.selinux openssh-5.4p1/configure.ac +--- openssh-5.4p1/configure.ac.selinux 2010-03-01 15:19:57.000000000 +0100 ++++ openssh-5.4p1/configure.ac 2010-03-01 15:21:12.000000000 +0100 +@@ -3358,6 +3358,7 @@ AC_ARG_WITH(selinux, + ], + AC_MSG_ERROR(SELinux support requires libselinux library)) SSHDLIBS="$SSHDLIBS $LIBSELINUX" + LIBS="$LIBS $LIBSELINUX" AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) LIBS="$save_LIBS" fi ] -diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c ---- openssh-5.2p1/monitor.c.selinux 2009-02-14 06:33:31.000000000 +0100 -+++ openssh-5.2p1/monitor.c 2009-08-11 22:43:07.933623092 +0200 -@@ -135,6 +135,9 @@ int mm_answer_sign(int, Buffer *); +diff -up openssh-5.4p1/monitor.c.selinux openssh-5.4p1/monitor.c +--- openssh-5.4p1/monitor.c.selinux 2010-02-26 21:55:05.000000000 +0100 ++++ openssh-5.4p1/monitor.c 2010-03-01 15:19:57.000000000 +0100 +@@ -137,6 +137,9 @@ int mm_answer_sign(int, Buffer *); int mm_answer_pwnamallow(int, Buffer *); int mm_answer_auth2_read_banner(int, Buffer *); int mm_answer_authserv(int, Buffer *); @@ -191,7 +191,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c int mm_answer_authpassword(int, Buffer *); int mm_answer_bsdauthquery(int, Buffer *); int mm_answer_bsdauthrespond(int, Buffer *); -@@ -211,6 +214,9 @@ struct mon_table mon_dispatch_proto20[] +@@ -213,6 +216,9 @@ struct mon_table mon_dispatch_proto20[] {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, @@ -201,7 +201,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, #ifdef USE_PAM -@@ -680,6 +686,9 @@ mm_answer_pwnamallow(int sock, Buffer *m +@@ -682,6 +688,9 @@ mm_answer_pwnamallow(int sock, Buffer *m else { /* Allow service/style information on the auth context */ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); @@ -211,7 +211,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); } -@@ -724,6 +733,25 @@ mm_answer_authserv(int sock, Buffer *m) +@@ -726,6 +735,25 @@ mm_answer_authserv(int sock, Buffer *m) return (0); } @@ -237,7 +237,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c int mm_answer_authpassword(int sock, Buffer *m) { -@@ -1102,7 +1130,7 @@ static int +@@ -1104,7 +1132,7 @@ static int monitor_valid_userblob(u_char *data, u_int datalen) { Buffer b; @@ -246,7 +246,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c u_int len; int fail = 0; -@@ -1128,6 +1156,8 @@ monitor_valid_userblob(u_char *data, u_i +@@ -1130,6 +1158,8 @@ monitor_valid_userblob(u_char *data, u_i if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; p = buffer_get_string(&b, NULL); @@ -255,7 +255,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c if (strcmp(authctxt->user, p) != 0) { logit("wrong user name passed to monitor: expected %s != %.100s", authctxt->user, p); -@@ -1159,7 +1189,7 @@ monitor_valid_hostbasedblob(u_char *data +@@ -1161,7 +1191,7 @@ monitor_valid_hostbasedblob(u_char *data char *chost) { Buffer b; @@ -264,7 +264,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c u_int len; int fail = 0; -@@ -1176,6 +1206,8 @@ monitor_valid_hostbasedblob(u_char *data +@@ -1178,6 +1208,8 @@ monitor_valid_hostbasedblob(u_char *data if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; p = buffer_get_string(&b, NULL); @@ -273,9 +273,9 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c if (strcmp(authctxt->user, p) != 0) { logit("wrong user name passed to monitor: expected %s != %.100s", authctxt->user, p); -diff -up openssh-5.2p1/monitor.h.selinux openssh-5.2p1/monitor.h ---- openssh-5.2p1/monitor.h.selinux 2008-11-05 06:20:46.000000000 +0100 -+++ openssh-5.2p1/monitor.h 2009-08-11 22:43:07.935612930 +0200 +diff -up openssh-5.4p1/monitor.h.selinux openssh-5.4p1/monitor.h +--- openssh-5.4p1/monitor.h.selinux 2008-11-05 06:20:46.000000000 +0100 ++++ openssh-5.4p1/monitor.h 2010-03-01 15:19:57.000000000 +0100 @@ -31,6 +31,9 @@ enum monitor_reqtype { MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, @@ -286,9 +286,9 @@ diff -up openssh-5.2p1/monitor.h.selinux openssh-5.2p1/monitor.h MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, -diff -up openssh-5.2p1/monitor_wrap.c.selinux openssh-5.2p1/monitor_wrap.c ---- openssh-5.2p1/monitor_wrap.c.selinux 2008-11-05 06:20:47.000000000 +0100 -+++ openssh-5.2p1/monitor_wrap.c 2009-08-11 22:43:07.937212340 +0200 +diff -up openssh-5.4p1/monitor_wrap.c.selinux openssh-5.4p1/monitor_wrap.c +--- openssh-5.4p1/monitor_wrap.c.selinux 2009-06-22 08:11:07.000000000 +0200 ++++ openssh-5.4p1/monitor_wrap.c 2010-03-01 15:19:57.000000000 +0100 @@ -297,6 +297,25 @@ mm_inform_authserv(char *service, char * buffer_free(&m); } @@ -315,9 +315,9 @@ diff -up openssh-5.2p1/monitor_wrap.c.selinux openssh-5.2p1/monitor_wrap.c /* Do the password authentication */ int mm_auth_password(Authctxt *authctxt, char *password) -diff -up openssh-5.2p1/monitor_wrap.h.selinux openssh-5.2p1/monitor_wrap.h ---- openssh-5.2p1/monitor_wrap.h.selinux 2008-11-05 06:20:47.000000000 +0100 -+++ openssh-5.2p1/monitor_wrap.h 2009-08-11 22:43:07.938268752 +0200 +diff -up openssh-5.4p1/monitor_wrap.h.selinux openssh-5.4p1/monitor_wrap.h +--- openssh-5.4p1/monitor_wrap.h.selinux 2009-03-05 14:58:22.000000000 +0100 ++++ openssh-5.4p1/monitor_wrap.h 2010-03-01 15:19:57.000000000 +0100 @@ -41,6 +41,9 @@ int mm_is_monitor(void); DH *mm_choose_dh(int, int, int); int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); @@ -328,17 +328,18 @@ diff -up openssh-5.2p1/monitor_wrap.h.selinux openssh-5.2p1/monitor_wrap.h struct passwd *mm_getpwnamallow(const char *); char *mm_auth2_read_banner(void); int mm_auth_password(struct Authctxt *, char *); -diff -up openssh-5.2p1/openbsd-compat/port-linux.c.selinux openssh-5.2p1/openbsd-compat/port-linux.c ---- openssh-5.2p1/openbsd-compat/port-linux.c.selinux 2008-03-26 21:27:21.000000000 +0100 -+++ openssh-5.2p1/openbsd-compat/port-linux.c 2009-08-11 22:44:14.529196220 +0200 -@@ -30,11 +30,16 @@ - #ifdef WITH_SELINUX +diff -up openssh-5.4p1/openbsd-compat/port-linux.c.selinux openssh-5.4p1/openbsd-compat/port-linux.c +--- openssh-5.4p1/openbsd-compat/port-linux.c.selinux 2010-03-01 05:52:50.000000000 +0100 ++++ openssh-5.4p1/openbsd-compat/port-linux.c 2010-03-01 15:22:19.000000000 +0100 +@@ -32,12 +32,17 @@ #include "log.h" + #include "xmalloc.h" #include "port-linux.h" +#include "key.h" +#include "hostfile.h" +#include "auth.h" + #ifdef WITH_SELINUX #include #include #include @@ -348,7 +349,7 @@ diff -up openssh-5.2p1/openbsd-compat/port-linux.c.selinux openssh-5.2p1/openbsd /* Wrapper around is_selinux_enabled() to log its return value once only */ int ssh_selinux_enabled(void) -@@ -53,23 +58,36 @@ ssh_selinux_enabled(void) +@@ -56,23 +61,36 @@ ssh_selinux_enabled(void) static security_context_t ssh_selinux_getctxbyname(char *pwname) { diff --git a/openssh.spec b/openssh.spec index 6988819..243d816 100644 --- a/openssh.spec +++ b/openssh.spec @@ -27,7 +27,8 @@ %define libedit 1 # Do we want NSS tokens support -%define nss 1 +#NSS support is broken from 5.4p1 +%define nss 0 # Whether or not /sbin/nologin exists. %define nologin 1 @@ -68,10 +69,10 @@ Summary: An open source implementation of SSH protocol versions 1 and 2 Name: openssh -Version: 5.3p1 +Version: 5.4p1 # Do not rewind release to 1 on version upgrades unless the pam_ssh_agent_auth # is updated as well. -Release: 22%{?dist}%{?rescue_rel} +Release: 0.snap20100302.1%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #URL1: http://pamsshagentauth.sourceforge.net #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz @@ -79,39 +80,37 @@ URL: http://www.openssh.com/portable.html # This package differs from the upstream OpenSSH tarball in that # the ACSS cipher is removed by running openssh-nukeacss.sh in # the unpacked source directory. -Source0: openssh-%{version}-noacss.tar.bz2 +Source0: openssh-%{version}-snap20100302-noacss.tar.bz2 Source1: openssh-nukeacss.sh Source2: sshd.pam Source3: sshd.init Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.bz2 Source5: pam_ssh_agent-rmheaders -Patch0: openssh-5.2p1-redhat.patch +Patch0: openssh-5.4p1-redhat.patch Patch2: openssh-5.3p1-skip-initial.patch Patch4: openssh-5.2p1-vendor.patch -Patch5: openssh-5.2p1-engine.patch Patch10: pam_ssh_agent_auth-0.9-build.patch -Patch12: openssh-5.2p1-selinux.patch -Patch13: openssh-5.3p1-mls.patch +Patch12: openssh-5.4p1-selinux.patch +Patch13: openssh-5.4p1-mls.patch Patch16: openssh-5.3p1-audit.patch -Patch18: openssh-5.0p1-pam_selinux.patch -Patch19: openssh-5.2p1-sesftp.patch -Patch22: openssh-3.9p1-askpass-keep-above.patch +Patch18: openssh-5.4p1-pam_selinux.patch Patch24: openssh-4.3p1-fromto-remote.patch Patch27: openssh-5.1p1-log-in-chroot.patch Patch30: openssh-4.0p1-exit-deadlock.patch Patch35: openssh-5.1p1-askpass-progress.patch Patch38: openssh-4.3p2-askpass-grab-info.patch +#??? - 201594 Patch39: openssh-4.3p2-no-v6only.patch Patch44: openssh-5.2p1-allow-ip-opts.patch Patch49: openssh-4.3p2-gssapi-canohost.patch -Patch51: openssh-5.3p1-nss-keys.patch -Patch55: openssh-5.1p1-cloexec.patch +#??? +Patch51: openssh-5.4p1-nss-keys.patch Patch62: openssh-5.1p1-scp-manpage.patch -Patch65: openssh-5.3p1-fips.patch +Patch65: openssh-5.4p1-fips.patch Patch69: openssh-5.3p1-selabel.patch Patch71: openssh-5.2p1-edns.patch -Patch72: openssh-5.3p1-pka.patch -Patch73: openssh-5.3p1-gsskex.patch +Patch72: openssh-5.4p1-pka.patch +Patch73: openssh-5.4p1-gsskex.patch Patch74: openssh-5.3p1-randclean.patch Patch75: openssh-5.3p1-dso.patch @@ -189,6 +188,7 @@ Provides: openssh-askpass-gnome Summary: PAM module for authentication with ssh-agent Group: System Environment/Base Version: %{pam_ssh_agent_ver} +Release: 23%{?dist}%{?rescue_rel} License: BSD %description @@ -234,7 +234,6 @@ The module is most useful for su and sudo service stacks. %patch0 -p1 -b .redhat %patch2 -p1 -b .skip-initial %patch4 -p1 -b .vendor -%patch5 -p1 -b .engine %if %{pam_ssh_agent} pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -250,20 +249,17 @@ popd %patch13 -p1 -b .mls %patch16 -p1 -b .audit %patch18 -p1 -b .pam_selinux -%patch19 -p1 -b .sesftp %endif -%patch22 -p1 -b .keep-above %patch24 -p1 -b .fromto-remote %patch27 -p1 -b .log-chroot %patch30 -p1 -b .exit-deadlock %patch35 -p1 -b .progress %patch38 -p1 -b .grab-info -%patch39 -p1 -b .no-v6only +#???%patch39 -p1 -b .no-v6only %patch44 -p1 -b .ip-opts %patch49 -p1 -b .canohost -%patch51 -p1 -b .nss-keys -%patch55 -p1 -b .cloexec +#???%patch51 -p1 -b .nss-keys %patch62 -p1 -b .manpage %patch65 -p1 -b .fips %patch69 -p1 -b .selabel @@ -316,6 +312,7 @@ fi --disable-strip \ --without-zlib-version-check \ --with-ssl-engine \ + --with-pka \ %if %{nss} --with-nss \ %endif @@ -489,11 +486,13 @@ fi %attr(0755,root,root) %{_bindir}/ssh-keyscan %attr(0755,root,root) %{_bindir}/sftp %attr(0755,root,root) %{_bindir}/ssh-copy-id +%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper %attr(0644,root,root) %{_mandir}/man1/ssh-agent.1* %attr(0644,root,root) %{_mandir}/man1/ssh-add.1* %attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1* %attr(0644,root,root) %{_mandir}/man1/sftp.1* %attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1* +%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8* %endif %if ! %{rescue} @@ -529,6 +528,9 @@ fi %endif %changelog +* Wed Mar 3 2010 Jan F. Chadima - 5.4p1-0.snap20100302.1 +- Prepare update to 5.4p1 + * Mon Feb 15 2010 Jan F. Chadima - 5.3p1-22 - ImplicitDSOLinking (#564824) diff --git a/sources b/sources index af5cd52..74abcc8 100644 --- a/sources +++ b/sources @@ -1,3 +1,2 @@ -89f85c1da83c24ca0b10c05344f7c93c openssh-5.3p1-noacss.tar.bz2 b68f1c385d7885fbe2c3626bf77aa3d6 pam_ssh_agent_auth-0.9.2.tar.bz2 fea6e6ac9b5dda1d48af3f2676e8166c openssh-5.4p1-snap20100302-noacss.tar.bz2