From c12d6ba86c3df9662a3415739b8f5ea6f5e29c80 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?= Date: Tue, 8 Aug 2006 11:58:33 +0000 Subject: [PATCH] - drop the pam-session patch from the previous build (#201341) - don't set IPV6_V6ONLY sock opt when listening on wildcard addr (#201594) --- openssh-4.3p2-no-v6only.patch | 11 ++++ openssh-4.3p2-pam-session.patch | 91 --------------------------------- openssh.spec | 18 ++++--- 3 files changed, 21 insertions(+), 99 deletions(-) create mode 100644 openssh-4.3p2-no-v6only.patch delete mode 100644 openssh-4.3p2-pam-session.patch diff --git a/openssh-4.3p2-no-v6only.patch b/openssh-4.3p2-no-v6only.patch new file mode 100644 index 0000000..a789812 --- /dev/null +++ b/openssh-4.3p2-no-v6only.patch @@ -0,0 +1,11 @@ +--- openssh-4.3p2/channels.c.no-v6only 2006-07-17 15:39:31.000000000 +0200 ++++ openssh-4.3p2/channels.c 2006-08-08 12:44:51.000000000 +0200 +@@ -2794,7 +2794,7 @@ + } + } + #ifdef IPV6_V6ONLY +- if (ai->ai_family == AF_INET6) { ++ if (x11_use_localhost && ai->ai_family == AF_INET6) { + int on = 1; + if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) + error("setsockopt IPV6_V6ONLY: %.100s", strerror(errno)); diff --git a/openssh-4.3p2-pam-session.patch b/openssh-4.3p2-pam-session.patch deleted file mode 100644 index 7cdd90c..0000000 --- a/openssh-4.3p2-pam-session.patch +++ /dev/null @@ -1,91 +0,0 @@ -Index: auth-pam.c -=================================================================== -RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v -retrieving revision 1.134 -diff -u -p -r1.134 auth-pam.c ---- auth-pam.c 15 May 2006 07:22:33 -0000 1.134 -+++ auth-pam.c 22 May 2006 08:50:59 -0000 -@@ -573,15 +573,17 @@ static struct pam_conv store_conv = { ss - void - sshpam_cleanup(void) - { -- debug("PAM: cleanup"); -- if (sshpam_handle == NULL) -+ if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor())) - return; -+ debug("PAM: cleanup"); - pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv); - if (sshpam_cred_established) { -+ debug("PAM: deleting credentials"); - pam_setcred(sshpam_handle, PAM_DELETE_CRED); - sshpam_cred_established = 0; - } - if (sshpam_session_open) { -+ debug("PAM: closing session"); - pam_close_session(sshpam_handle, PAM_SILENT); - sshpam_session_open = 0; - } -Index: monitor.c -=================================================================== -RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor.c,v -retrieving revision 1.104 -diff -u -p -r1.104 monitor.c ---- monitor.c 21 May 2006 08:26:40 -0000 1.104 -+++ monitor.c 22 May 2006 08:37:58 -0000 -@@ -354,6 +354,10 @@ monitor_child_preauth(Authctxt *_authctx - MONITOR_REQ_PAM_ACCOUNT, &m); - authenticated = mm_answer_pam_account(pmonitor->m_sendfd, &m); - buffer_free(&m); -+ if (authenticated) { -+ do_pam_session(); -+ do_pam_setcred(0); -+ } - } - #endif - } -@@ -1531,6 +1535,11 @@ mm_answer_term(int sock, Buffer *req) - /* The child is terminating */ - session_destroy_all(&mm_session_close); - -+#ifdef USE_PAM -+ if (options.use_pam) -+ sshpam_cleanup(); -+#endif -+ - while (waitpid(pmonitor->m_pid, &status, 0) == -1) - if (errno != EINTR) - exit(1); -Index: session.c -=================================================================== -RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/session.c,v -retrieving revision 1.328 -diff -u -p -r1.328 session.c ---- session.c 4 May 2006 06:24:34 -0000 1.328 -+++ session.c 22 May 2006 08:14:24 -0000 -@@ -541,7 +541,7 @@ do_exec_pty(Session *s, const char *comm - ttyfd = s->ttyfd; - - #if defined(USE_PAM) -- if (options.use_pam) { -+ if (options.use_pam && !use_privsep) { - do_pam_set_tty(s->tty); - if (!use_privsep) - do_pam_setcred(1); -@@ -1284,7 +1284,7 @@ do_setusercontext(struct passwd *pw) - } - #endif - # ifdef USE_PAM -- if (options.use_pam) { -+ if (options.use_pam && !use_privsep) { - do_pam_session(); - do_pam_setcred(0); - } -@@ -1326,7 +1326,7 @@ do_setusercontext(struct passwd *pw) - * These will have been wiped by the above initgroups() call. - * Reestablish them here. - */ -- if (options.use_pam) { -+ if (options.use_pam && !use_privsep) { - do_pam_session(); - do_pam_setcred(0); - } diff --git a/openssh.spec b/openssh.spec index 3cded84..729f66b 100644 --- a/openssh.spec +++ b/openssh.spec @@ -2,6 +2,8 @@ %if %{WITH_SELINUX} # Audit patch applicable only over SELinux patch %define WITH_AUDIT 1 +%else +%define WITH_AUDIT 0 %endif # OpenSSH privilege separation requires a user & group ID @@ -49,6 +51,7 @@ # Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no) %define rescue 0 %{?build_rescue:%define rescue 1} +%{?build_rescue:%define rescue_rel rescue} # Turn off some stuff for resuce builds %if %{rescue} @@ -58,12 +61,7 @@ Summary: The OpenSSH implementation of SSH protocol versions 1 and 2 Name: openssh Version: 4.3p2 -%define rel 7 -%if %{rescue} -%define %{rel}rescue -%else -Release: %{rel} -%endif +Release: 8%{?rescue_rel} URL: http://www.openssh.com/portable.html #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig @@ -92,7 +90,7 @@ Patch35: openssh-4.2p1-askpass-progress.patch Patch36: openssh-4.3p2-buffer-len.patch Patch37: openssh-4.3p2-configure-typo.patch Patch38: openssh-4.3p2-askpass-grab-info.patch -Patch39: openssh-4.3p2-pam-session.patch +Patch39: openssh-4.3p2-no-v6only.patch License: BSD Group: Applications/Internet BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot @@ -220,7 +218,7 @@ an X11 passphrase dialog for OpenSSH. %patch36 -p0 -b .buffer-len %patch37 -p1 -b .typo %patch38 -p1 -b .grab-info -%patch39 -p0 -b .pam-session +%patch39 -p1 -b .no-v6only autoreconf @@ -462,6 +460,10 @@ fi %endif %changelog +* Tue Aug 8 2006 Tomas Mraz - 4.3p2-8 +- drop the pam-session patch from the previous build (#201341) +- don't set IPV6_V6ONLY sock opt when listening on wildcard addr (#201594) + * Thu Jul 20 2006 Tomas Mraz - 4.3p2-7 - dropped old ssh obsoletes - call the pam_session_open/close from the monitor when privsep is