From c54a8b0af7e7e9a846775fc178e02c522b2363a5 Mon Sep 17 00:00:00 2001
From: "Jan F. Chadima"
Date: Fri, 2 Oct 2009 13:50:30 +0000
Subject: [PATCH] Upgrade to new wersion 5.3p1
---
 .cvsignore | 2 +-
 openssh-3.8.1p1-krb5-config.patch | 16 --
 openssh-4.7p1-audit.patch | 267 ------------------
 openssh-5.1p1-skip-initial.patch | 28 --
 openssh-5.2p1-pathmax.patch | 47 ---
 ...2p1-fips.patch => openssh-5.3p1-fips.patch | 162 +++++------
 ...5.1p1-mls.patch => openssh-5.3p1-mls.patch | 72 ++---
 ...keys.patch => openssh-5.3p1-nss-keys.patch | 114 ++++----
 ...label.patch => openssh-5.3p1-selabel.patch | 24 +-
 openssh-5.3p1-skip-initial.patch | 24 ++
 openssh.spec | 4 +-
 sources | 2 +-
 12 files changed, 214 insertions(+), 548 deletions(-)
 delete mode 100644 openssh-3.8.1p1-krb5-config.patch
 delete mode 100644 openssh-4.7p1-audit.patch
 delete mode 100644 openssh-5.1p1-skip-initial.patch
 delete mode 100644 openssh-5.2p1-pathmax.patch
 rename openssh-5.2p1-fips.patch => openssh-5.3p1-fips.patch (78%)
 rename openssh-5.1p1-mls.patch => openssh-5.3p1-mls.patch (91%)
 rename openssh-5.2p1-nss-keys.patch => openssh-5.3p1-nss-keys.patch (90%)
 rename openssh-5.2p1-selabel.patch => openssh-5.3p1-selabel.patch (67%)
 create mode 100644 openssh-5.3p1-skip-initial.patch
diff --git a/.cvsignore b/.cvsignore
index 37aee5b..28fd036 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-openssh-5.3p1.tar.gz
+openssh-5.3p1-noacss.tar.bz2
diff --git a/openssh-3.8.1p1-krb5-config.patch b/openssh-3.8.1p1-krb5-config.patch
deleted file mode 100644
index f284632..0000000
--- a/openssh-3.8.1p1-krb5-config.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Search the path for krb5-config if the prefix wasn't specified.
---- openssh-3.8p1/configure.ac 2004-02-26 21:17:12.000000000 -0500
-+++ openssh-3.8p1/configure.ac 2004-02-26 21:17:06.000000000 -0500
-@@ -2077,8 +2077,10 @@
- KRB5_MSG="yes"
- 
- AC_MSG_CHECKING(for krb5-config)
-- if test -x $KRB5ROOT/bin/krb5-config ; then
-- KRB5CONF=$KRB5ROOT/bin/krb5-config
-+ AC_PATH_PROG([KRB5CONF],[krb5-config],
-+ [$KRB5ROOT/bin/krb5-config],
-+ [$KRB5ROOT/bin:$PATH])
-+ if test -x $KRB5CONF ; then
- AC_MSG_RESULT($KRB5CONF)
- 
- AC_MSG_CHECKING(for gssapi support)
diff --git a/openssh-4.7p1-audit.patch b/openssh-4.7p1-audit.patch
deleted file mode 100644
index d561be0..0000000
--- a/openssh-4.7p1-audit.patch
+++ /dev/null
@@ -1,267 +0,0 @@
-diff -up openssh-5.2p1/auth.c.audit openssh-5.2p1/auth.c
---- openssh-5.2p1/auth.c.audit 2008-11-05 06:12:54.000000000 +0100
-+++ openssh-5.2p1/auth.c 2009-08-09 09:22:23.634850536 +0200
-@@ -287,6 +287,12 @@ auth_log(Authctxt *authctxt, int authent
- get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
- # endif
- #endif
-+#if HAVE_LINUX_AUDIT
-+ if (authenticated == 0 && !authctxt->postponed) {
-+ linux_audit_record_event(-1, authctxt->user, NULL,
-+ get_remote_ipaddr(), "sshd", 0);
-+ }
-+#endif
- #ifdef SSH_AUDIT_EVENTS
- if (authenticated == 0 && !authctxt->postponed)
- audit_event(audit_classify_auth(method));
-@@ -533,6 +539,10 @@ getpwnamallow(const char *user)
- record_failed_login(user,
- get_canonical_hostname(options.use_dns), "ssh");
- #endif
-+#ifdef HAVE_LINUX_AUDIT
-+ linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
-+ "sshd", 0);
-+#endif
- #ifdef SSH_AUDIT_EVENTS
- audit_event(SSH_INVALID_USER);
- #endif /* SSH_AUDIT_EVENTS */
-diff -up openssh-5.2p1/config.h.in.audit openssh-5.2p1/config.h.in
---- openssh-5.2p1/config.h.in.audit 2009-02-23 01:18:12.000000000 +0100
-+++ openssh-5.2p1/config.h.in 2009-08-09 09:22:28.825939998 +0200
-@@ -1,5 +1,8 @@
- /* config.h.in. Generated from configure.ac by autoheader. */
- 
-+/* Define if building universal (internal helper macro) */
-+#undef AC_APPLE_UNIVERSAL_BUILD
-+
- /* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address
- */
- #undef AIX_GETNAMEINFO_HACK
-@@ -521,6 +524,9 @@
- /* Define to 1 if you have the header file. */
- #undef HAVE_LASTLOG_H
- 
-+/* Define to 1 if you have the header file. */
-+#undef HAVE_LIBAUDIT_H
-+
- /* Define to 1 if you have the `bsm' library (-lbsm). */
- #undef HAVE_LIBBSM
- 
-@@ -560,6 +566,9 @@
- /* Define to 1 if you have the header file. */
- #undef HAVE_LIMITS_H
- 
-+/* Define if you want Linux audit support. */
-+#undef HAVE_LINUX_AUDIT
-+
- /* Define to 1 if you have the header file. */
- #undef HAVE_LINUX_IF_TUN_H
- 
-@@ -756,6 +765,9 @@
- /* Define to 1 if you have the `setgroups' function. */
- #undef HAVE_SETGROUPS
- 
-+/* Define to 1 if you have the `setkeycreatecon' function. */
-+#undef HAVE_SETKEYCREATECON
-+
- /* Define to 1 if you have the `setlogin' function. */
- #undef HAVE_SETLOGIN
- 
-@@ -1330,6 +1342,10 @@
- /* Prepend the address family to IP tunnel traffic */
- #undef SSH_TUN_PREPEND_AF
- 
-+/* Define to your vendor patch level, if it has been modified from the
-+ upstream source release. */
-+#undef SSH_VENDOR_PATCHLEVEL
-+
- /* Define to 1 if you have the ANSI C header files. */
- #undef STDC_HEADERS
- 
-@@ -1397,9 +1413,17 @@
- /* Define if you want SELinux support. */
- #undef WITH_SELINUX
- 
--/* Define to 1 if your processor stores words with the most significant byte
-- first (like Motorola and SPARC, unlike Intel and VAX). */
--#undef WORDS_BIGENDIAN
-+/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
-+ significant byte first (like Motorola and SPARC, unlike Intel). */
-+#if defined AC_APPLE_UNIVERSAL_BUILD
-+# if defined __BIG_ENDIAN__
-+# define WORDS_BIGENDIAN 1
-+# endif
-+#else
-+# ifndef WORDS_BIGENDIAN
-+# undef WORDS_BIGENDIAN
-+# endif
-+#endif
- 
- /* Define if xauth is found in your path */
- #undef XAUTH_PATH
-diff -up openssh-5.2p1/configure.ac.audit openssh-5.2p1/configure.ac
---- openssh-5.2p1/configure.ac.audit 2009-08-09 09:22:23.608877833 +0200
-+++ openssh-5.2p1/configure.ac 2009-08-09 09:22:23.646244409 +0200
-@@ -3342,6 +3342,18 @@ AC_ARG_WITH(selinux,
- fi ]
- )
- 
-+# Check whether user wants Linux audit support
-+LINUX_AUDIT_MSG="no"
-+AC_ARG_WITH(linux-audit,
-+ [ --with-linux-audit Enable Linux audit support],
-+ [ if test "x$withval" != "xno" ; then
-+ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
-+ LINUX_AUDIT_MSG="yes"
-+ AC_CHECK_HEADERS(libaudit.h)
-+ SSHDLIBS="$SSHDLIBS -laudit"
-+ fi ]
-+)
-+
- # Check whether user wants Kerberos 5 support
- KRB5_MSG="no"
- AC_ARG_WITH(kerberos5,
-@@ -4170,6 +4182,7 @@ echo " PAM support
- echo " OSF SIA support: $SIA_MSG"
- echo " KerberosV support: $KRB5_MSG"
- echo " SELinux support: $SELINUX_MSG"
-+echo " Linux audit support: $LINUX_AUDIT_MSG"
- echo " Smartcard support: $SCARD_MSG"
- echo " S/KEY support: $SKEY_MSG"
- echo " TCP Wrappers support: $TCPW_MSG"
-diff -up openssh-5.2p1/loginrec.c.audit openssh-5.2p1/loginrec.c
---- openssh-5.2p1/loginrec.c.audit 2009-02-12 03:12:22.000000000 +0100
-+++ openssh-5.2p1/loginrec.c 2009-08-09 09:22:23.667199702 +0200
-@@ -176,6 +176,10 @@
- #include "auth.h"
- #include "buffer.h"
- 
-+#ifdef HAVE_LINUX_AUDIT
-+# include
-+#endif
-+
- #ifdef HAVE_UTIL_H
- # include
- #endif
-@@ -202,6 +206,9 @@ int utmp_write_entry(struct logininfo *l
- int utmpx_write_entry(struct logininfo *li);
- int wtmp_write_entry(struct logininfo *li);
- int wtmpx_write_entry(struct logininfo *li);
-+#ifdef HAVE_LINUX_AUDIT
-+int linux_audit_write_entry(struct logininfo *li);
-+#endif
- int lastlog_write_entry(struct logininfo *li);
- int syslogin_write_entry(struct logininfo *li);
- 
-@@ -440,6 +447,10 @@ login_write(struct logininfo *li)
- 
- /* set the timestamp */
- login_set_current_time(li);
-+#ifdef HAVE_LINUX_AUDIT
-+ if (linux_audit_write_entry(li) == 0)
-+ fatal("linux_audit_write_entry failed: %s", strerror(errno));
-+#endif
- #ifdef USE_LOGIN
- syslogin_write_entry(li);
- #endif
-@@ -1394,6 +1405,87 @@ wtmpx_get_entry(struct logininfo *li)
- }
- #endif /* USE_WTMPX */
- 
-+#ifdef HAVE_LINUX_AUDIT
-+static void
-+_audit_hexscape(const char *what, char *where, unsigned int size)
-+{
-+ const char *ptr = what;
-+ const char *hex = "0123456789ABCDEF";
-+
-+ while (*ptr) {
-+ if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) {
-+ unsigned int i;
-+ ptr = what;
-+ for (i = 0; *ptr && i+2 < size; i += 2) {
-+ where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */
-+ where[i+1] = hex[(unsigned)*ptr & 0x0F]; /* Lower nibble */
-+ ptr++;
-+ }
-+ where[i] = '\0';
-+ return;
-+ }
-+ ptr++;
-+ }
-+ where[0] = '"';
-+ if ((unsigned)(ptr - what) < size - 3)
-+ {
-+ size = ptr - what + 3;
-+ }
-+ strncpy(where + 1, what, size - 3);
-+ where[size-2] = '"';
-+ where[size-1] = '\0';
-+}
-+
-+#define AUDIT_LOG_SIZE 128
-+#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8)
-+
-+int
-+linux_audit_record_event(int uid, const char *username,
-+ const char *hostname, const char *ip, const char *ttyn, int success)
-+{
-+ char buf[AUDIT_LOG_SIZE];
-+ int audit_fd, rc;
-+
-+ audit_fd = audit_open();
-+ if (audit_fd < 0) {
-+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
-+ errno == EAFNOSUPPORT)
-+ return 1; /* No audit support in kernel */
-+ else
-+ return 0; /* Must prevent login */
-+ }
-+ if (username == NULL)
-+ snprintf(buf, sizeof(buf), "uid=%d", uid);
-+ else {
-+ char encoded[AUDIT_ACCT_SIZE];
-+ _audit_hexscape(username, encoded, sizeof(encoded));
-+ snprintf(buf, sizeof(buf), "acct=%s", encoded);
-+ }
-+ rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
-+ buf, hostname, ip, ttyn, success);
-+ close(audit_fd);
-+ if (rc >= 0)
-+ return 1;
-+ else
-+ return 0;
-+}
-+
-+int
-+linux_audit_write_entry(struct logininfo *li)
-+{
-+ switch(li->type) {
-+ case LTYPE_LOGIN:
-+ return (linux_audit_record_event(li->uid, NULL, li->hostname,
-+ NULL, li->line, 1));
-+ case LTYPE_LOGOUT:
-+ return (1); /* We only care about logins */
-+ default:
-+ logit("%s: invalid type field", __func__);
-+ return (0);
-+ }
-+}
-+#endif /* HAVE_LINUX_AUDIT */
-+
- /**
- ** Low-level libutil login() functions
- **/
-diff -up openssh-5.2p1/loginrec.h.audit openssh-5.2p1/loginrec.h
---- openssh-5.2p1/loginrec.h.audit 2006-08-05 04:39:40.000000000 +0200
-+++ openssh-5.2p1/loginrec.h 2009-08-09 09:22:23.641175349 +0200
-@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
- char *line_abbrevname(char *dst, const char *src, int dstsize);
- 
- void record_failed_login(const char *, const char *, const char *);
-+#ifdef HAVE_LINUX_AUDIT
-+int linux_audit_record_event(int uid, const char *username,
-+ const char *hostname, const char *ip, const char *ttyn, int success);
-+#endif /* HAVE_LINUX_AUDIT */
- 
- #endif /* _HAVE_LOGINREC_H_ */
diff --git a/openssh-5.1p1-skip-initial.patch b/openssh-5.1p1-skip-initial.patch
deleted file mode 100644
index be3204e..0000000
--- a/openssh-5.1p1-skip-initial.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Skip the initial empty-password check if permit_empty_passwd is disabled. This
-doesn't change the timing profiles of the host because the additional condition
-check which can short-circuit the call to pam_authenticate() has no dependency
-on the identity of the user who is being authenticated.
-diff -up openssh-5.1p1/auth1.c.skip-initial openssh-5.1p1/auth1.c
---- openssh-5.1p1/auth1.c.skip-initial 2008-07-09 12:54:05.000000000 +0200
-+++ openssh-5.1p1/auth1.c 2008-07-23 18:26:01.000000000 +0200
-@@ -244,7 +244,7 @@ do_authloop(Authctxt *authctxt)
- authctxt->valid ? "" : "invalid user ", authctxt->user);
- 
- /* If the user has no password, accept authentication immediately. */
-- if (options.password_authentication &&
-+ if (options.permit_empty_passwd && options.password_authentication &&
- #ifdef KRB5
- (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
- #endif
-diff -up openssh-5.1p1/auth2-none.c.skip-initial openssh-5.1p1/auth2-none.c
---- openssh-5.1p1/auth2-none.c.skip-initial 2008-07-02 14:56:09.000000000 +0200
-+++ openssh-5.1p1/auth2-none.c 2008-07-23 18:26:01.000000000 +0200
-@@ -65,7 +65,7 @@ userauth_none(Authctxt *authctxt)
- if (check_nt_auth(1, authctxt->pw) == 0)
- return (0);
- #endif
-- if (options.password_authentication)
-+ if (options.permit_empty_passwd && options.password_authentication)
- return (PRIVSEP(auth_password(authctxt, "")));
- return (0);
- }
diff --git a/openssh-5.2p1-pathmax.patch b/openssh-5.2p1-pathmax.patch
deleted file mode 100644
index 5411589..0000000
--- a/openssh-5.2p1-pathmax.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-diff -up openssh-5.2p1/ssh.c.pathmax openssh-5.2p1/ssh.c
---- openssh-5.2p1/ssh.c.pathmax 2009-07-08 14:23:19.000000000 +0200
-+++ openssh-5.2p1/ssh.c 2009-07-08 14:26:26.000000000 +0200
-@@ -49,6 +49,7 @@
- #include
- #include
- #include
-+#include
- 
- #include
- #include
-@@ -208,8 +209,8 @@ void muxserver_listen(void);
- int
- main(int ac, char **av)
- {
-- int i, opt, exit_status, use_syslog;
-- char *p, *cp, *line, buf[256];
-+ int i, r, opt, exit_status, use_syslog;
-+ char *p, *cp, *line, buf[MAXPATHLEN];
- struct stat st;
- struct passwd *pw;
- int dummy, timeout_ms;
-@@ -624,9 +625,10 @@ main(int ac, char **av)
- fatal("Can't open user config file %.100s: "
- "%.100s", config, strerror(errno));
- } else {
-- snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir,
-+ r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,
- _PATH_SSH_USER_CONFFILE);
-- (void)read_config_file(buf, host, &options, 1);
-+ if (r > 0 && (size_t)r < sizeof(buf))
-+ (void)read_config_file(buf, host, &options, 1);
- 
- /* Read systemwide configuration file after use config. */
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, host,
-@@ -787,9 +789,9 @@ main(int ac, char **av)
- * Now that we are back to our own permissions, create ~/.ssh
- * directory if it doesn't already exist.
- */
-- snprintf(buf, sizeof buf, "%.100s%s%.100s", pw->pw_dir,
-+ r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir,
- strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
-- if (stat(buf, &st) < 0)
-+ if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0)
- if (mkdir(buf, 0700) < 0)
- error("Could not create directory '%.200s'.", buf);
- 
diff --git a/openssh-5.2p1-fips.patch b/openssh-5.3p1-fips.patch
similarity index 78%
rename from openssh-5.2p1-fips.patch
rename to openssh-5.3p1-fips.patch
index 6e5b88c..01a715c 100644
--- a/openssh-5.2p1-fips.patch
+++ b/openssh-5.3p1-fips.patch
@@ -1,6 +1,6 @@ -diff -up openssh-5.2p1/auth2-pubkey.c.fips openssh-5.2p1/auth2-pubkey.c ---- openssh-5.2p1/auth2-pubkey.c.fips 2009-05-15 15:51:01.000000000 +0200 -+++ openssh-5.2p1/auth2-pubkey.c 2009-05-15 15:51:01.000000000 +0200 +diff -up openssh-5.3p1/auth2-pubkey.c.fips openssh-5.3p1/auth2-pubkey.c +--- openssh-5.3p1/auth2-pubkey.c.fips 2009-10-02 14:12:00.000000000 +0200 ++++ openssh-5.3p1/auth2-pubkey.c 2009-10-02 14:12:00.000000000 +0200 @@ -33,6 +33,7 @@ #include #include @@ -9,7 +9,7 @@ diff -up openssh-5.2p1/auth2-pubkey.c.fips openssh-5.2p1/auth2-pubkey.c #include "xmalloc.h" #include "ssh.h" -@@ -243,7 +244,7 @@ user_key_allowed2(struct passwd *pw, Key +@@ -240,7 +241,7 @@ user_key_allowed2(struct passwd *pw, Key found_key = 1; debug("matching key found: file %s, line %lu", file, linenum); @@ -18,9 +18,9 @@ diff -up openssh-5.2p1/auth2-pubkey.c.fips openssh-5.2p1/auth2-pubkey.c verbose("Found matching %s key: %s", key_type(found), fp); xfree(fp); -diff -up openssh-5.2p1/authfile.c.fips openssh-5.2p1/authfile.c ---- openssh-5.2p1/authfile.c.fips 2006-09-01 07:38:36.000000000 +0200 -+++ openssh-5.2p1/authfile.c 2009-05-15 16:08:34.000000000 +0200 +diff -up openssh-5.3p1/authfile.c.fips openssh-5.3p1/authfile.c +--- openssh-5.3p1/authfile.c.fips 2006-09-01 07:38:36.000000000 +0200 ++++ openssh-5.3p1/authfile.c 2009-10-02 14:12:00.000000000 +0200 @@ -143,8 +143,14 @@ key_save_private_rsa1(Key *key, const ch /* Allocate space for the private part of the key in the buffer. */ cp = buffer_append_space(&encrypted, buffer_len(&buffer)); 
@@ -55,9 +55,9 @@ diff -up openssh-5.2p1/authfile.c.fips openssh-5.2p1/authfile.c cipher_crypt(&ciphercontext, cp, buffer_ptr(&buffer), buffer_len(&buffer)); cipher_cleanup(&ciphercontext); -diff -up openssh-5.2p1/cipher.c.fips openssh-5.2p1/cipher.c ---- openssh-5.2p1/cipher.c.fips 2009-03-06 18:23:21.000000000 +0100 -+++ openssh-5.2p1/cipher.c 2009-05-15 16:14:16.000000000 +0200 +diff -up openssh-5.3p1/cipher.c.fips openssh-5.3p1/cipher.c +--- openssh-5.3p1/cipher.c.fips 2009-10-02 13:44:03.000000000 +0200 ++++ openssh-5.3p1/cipher.c 2009-10-02 14:12:00.000000000 +0200 @@ -40,6 +40,7 @@ #include @@ -142,9 +142,9 @@ diff -up openssh-5.2p1/cipher.c.fips openssh-5.2p1/cipher.c } /* -diff -up openssh-5.2p1/cipher-ctr.c.fips openssh-5.2p1/cipher-ctr.c ---- openssh-5.2p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200 -+++ openssh-5.2p1/cipher-ctr.c 2009-05-15 15:51:01.000000000 +0200 +diff -up openssh-5.3p1/cipher-ctr.c.fips openssh-5.3p1/cipher-ctr.c +--- openssh-5.3p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200 ++++ openssh-5.3p1/cipher-ctr.c 2009-10-02 14:12:00.000000000 +0200 @@ -140,7 +140,8 @@ evp_aes_128_ctr(void) aes_ctr.do_cipher = ssh_aes_ctr; #ifndef SSH_OLD_EVP @@ -155,9 +155,9 @@ diff -up openssh-5.2p1/cipher-ctr.c.fips openssh-5.2p1/cipher-ctr.c #endif return (&aes_ctr); } -diff -up openssh-5.2p1/cipher.h.fips openssh-5.2p1/cipher.h ---- openssh-5.2p1/cipher.h.fips 2009-01-28 06:38:41.000000000 +0100 -+++ openssh-5.2p1/cipher.h 2009-05-15 15:51:01.000000000 +0200 +diff -up openssh-5.3p1/cipher.h.fips openssh-5.3p1/cipher.h +--- openssh-5.3p1/cipher.h.fips 2009-01-28 06:38:41.000000000 +0100 ++++ openssh-5.3p1/cipher.h 2009-10-02 14:12:00.000000000 +0200 @@ -78,7 +78,7 @@ void cipher_init(CipherContext *, Ciphe const u_char *, u_int, int); void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int); 
@@ -167,9 +167,9 @@ diff -up openssh-5.2p1/cipher.h.fips openssh-5.2p1/cipher.h u_int cipher_blocksize(const Cipher *); u_int cipher_keylen(const Cipher *); u_int cipher_is_cbc(const Cipher *); -diff -up openssh-5.2p1/mac.c.fips openssh-5.2p1/mac.c ---- openssh-5.2p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200 -+++ openssh-5.2p1/mac.c 2009-05-15 15:51:01.000000000 +0200 +diff -up openssh-5.3p1/mac.c.fips openssh-5.3p1/mac.c +--- openssh-5.3p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200 ++++ openssh-5.3p1/mac.c 2009-10-02 14:12:00.000000000 +0200 @@ -28,6 +28,7 @@ #include @@ -219,10 +219,10 @@ diff -up openssh-5.2p1/mac.c.fips openssh-5.2p1/mac.c for (i = 0; macs[i].name; i++) { if (strcmp(name, macs[i].name) == 0) { -diff -up openssh-5.2p1/Makefile.in.fips openssh-5.2p1/Makefile.in ---- openssh-5.2p1/Makefile.in.fips 2009-05-15 15:51:01.000000000 +0200 -+++ openssh-5.2p1/Makefile.in 2009-05-15 15:51:01.000000000 +0200 -@@ -134,28 +134,28 @@ libssh.a: $(LIBSSH_OBJS) +diff -up openssh-5.3p1/Makefile.in.fips openssh-5.3p1/Makefile.in +--- openssh-5.3p1/Makefile.in.fips 2009-10-02 14:12:00.000000000 +0200 ++++ openssh-5.3p1/Makefile.in 2009-10-02 14:20:18.000000000 +0200 +@@ -136,28 +136,28 @@ libssh.a: $(LIBSSH_OBJS) $(RANLIB) $@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) @@ -231,7 +231,7 @@ diff -up openssh-5.2p1/Makefile.in.fips openssh-5.2p1/Makefile.in sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) - $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) -+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) -lfipscheck $(LIBS) ++ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 
@@ -248,19 +248,19 @@ diff -up openssh-5.2p1/Makefile.in.fips openssh-5.2p1/Makefile.in - $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o -- $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o +- $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o -- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o +- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) ++ $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -diff -up openssh-5.2p1/myproposal.h.fips openssh-5.2p1/myproposal.h ---- openssh-5.2p1/myproposal.h.fips 2009-01-28 06:33:31.000000000 +0100 -+++ openssh-5.2p1/myproposal.h 2009-05-15 15:51:01.000000000 +0200 +diff -up openssh-5.3p1/myproposal.h.fips openssh-5.3p1/myproposal.h +--- openssh-5.3p1/myproposal.h.fips 2009-01-28 06:33:31.000000000 +0100 ++++ openssh-5.3p1/myproposal.h 2009-10-02 14:12:00.000000000 +0200 @@ -53,7 +53,12 @@ "hmac-sha1-96,hmac-md5-96" #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" 
@@ -275,9 +275,9 @@ diff -up openssh-5.2p1/myproposal.h.fips openssh-5.2p1/myproposal.h static char *myproposal[PROPOSAL_MAX] = { KEX_DEFAULT_KEX, -diff -up openssh-5.2p1/nsskeys.c.fips openssh-5.2p1/nsskeys.c ---- openssh-5.2p1/nsskeys.c.fips 2009-05-15 15:51:01.000000000 +0200 -+++ openssh-5.2p1/nsskeys.c 2009-05-15 15:51:01.000000000 +0200 +diff -up openssh-5.3p1/nsskeys.c.fips openssh-5.3p1/nsskeys.c +--- openssh-5.3p1/nsskeys.c.fips 2009-10-02 14:12:00.000000000 +0200 ++++ openssh-5.3p1/nsskeys.c 2009-10-02 14:12:00.000000000 +0200 @@ -183,8 +183,8 @@ nss_convert_pubkey(Key *k) break; } @@ -289,9 +289,9 @@ diff -up openssh-5.2p1/nsskeys.c.fips openssh-5.2p1/nsskeys.c xfree(p); return 0; -diff -up openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.2p1/openbsd-compat/bsd-arc4random.c ---- openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips 2008-06-04 02:54:00.000000000 +0200 -+++ openssh-5.2p1/openbsd-compat/bsd-arc4random.c 2009-05-15 15:51:01.000000000 +0200 +diff -up openssh-5.3p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.3p1/openbsd-compat/bsd-arc4random.c +--- openssh-5.3p1/openbsd-compat/bsd-arc4random.c.fips 2008-06-04 02:54:00.000000000 +0200 ++++ openssh-5.3p1/openbsd-compat/bsd-arc4random.c 2009-10-02 14:12:00.000000000 +0200 @@ -39,6 +39,7 @@ static int rc4_ready = 0; static RC4_KEY rc4; @@ -333,9 +333,9 @@ diff -up openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.2p1/openbs #endif /* !HAVE_ARC4RANDOM */ #ifndef ARC4RANDOM_BUF -diff -up openssh-5.2p1/ssh-add.c.fips openssh-5.2p1/ssh-add.c ---- openssh-5.2p1/ssh-add.c.fips 2009-05-15 15:51:01.000000000 +0200 -+++ openssh-5.2p1/ssh-add.c 2009-05-15 15:51:01.000000000 +0200 +diff -up openssh-5.3p1/ssh-add.c.fips openssh-5.3p1/ssh-add.c +--- openssh-5.3p1/ssh-add.c.fips 2009-10-02 14:12:00.000000000 +0200 ++++ openssh-5.3p1/ssh-add.c 2009-10-02 14:12:00.000000000 +0200 @@ -42,6 +42,7 @@ #include 
@@ -353,9 +353,9 @@ diff -up openssh-5.2p1/ssh-add.c.fips openssh-5.2p1/ssh-add.c SSH_FP_HEX); printf("%d %s %s (%s)\n", key_size(key), fp, comment, key_type(key)); -diff -up openssh-5.2p1/ssh-agent.c.fips openssh-5.2p1/ssh-agent.c ---- openssh-5.2p1/ssh-agent.c.fips 2009-05-15 15:51:01.000000000 +0200 -+++ openssh-5.2p1/ssh-agent.c 2009-05-15 15:51:01.000000000 +0200 +diff -up openssh-5.3p1/ssh-agent.c.fips openssh-5.3p1/ssh-agent.c +--- openssh-5.3p1/ssh-agent.c.fips 2009-10-02 14:12:00.000000000 +0200 ++++ openssh-5.3p1/ssh-agent.c 2009-10-02 14:12:00.000000000 +0200 @@ -51,6 +51,7 @@ #include @@ -377,10 +377,10 @@ diff -up openssh-5.2p1/ssh-agent.c.fips openssh-5.2p1/ssh-agent.c ret = 0; xfree(p); -diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c ---- openssh-5.2p1/ssh.c.fips 2009-05-15 15:51:01.000000000 +0200 -+++ openssh-5.2p1/ssh.c 2009-05-15 15:51:01.000000000 +0200 -@@ -71,6 +71,8 @@ +diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c +--- openssh-5.3p1/ssh.c.fips 2009-10-02 14:12:00.000000000 +0200 ++++ openssh-5.3p1/ssh.c 2009-10-02 14:12:00.000000000 +0200 +@@ -72,6 +72,8 @@ #include #include @@ -389,7 +389,7 @@ diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c #include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/sys-queue.h" -@@ -220,6 +222,10 @@ main(int ac, char **av) +@@ -221,6 +223,10 @@ main(int ac, char **av) sanitise_stdfd(); __progname = ssh_get_progname(av[0]); @@ -400,7 +400,7 @@ diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c init_rng(); /* -@@ -279,6 +285,9 @@ main(int ac, char **av) +@@ -281,6 +287,9 @@ main(int ac, char **av) "ACD:F:I:KL:MNO:PR:S:TVw:XYy")) != -1) { switch (opt) { case '1': @@ -410,7 +410,7 @@ diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c options.protocol = SSH_PROTO_1; break; case '2': -@@ -550,7 +559,6 @@ main(int ac, char **av) +@@ -552,7 +561,6 @@ main(int ac, char **av) if (!host) usage(); 
@@ -418,7 +418,7 @@ diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c ERR_load_crypto_strings(); /* Initialize the command to execute on remote host. */ -@@ -635,6 +643,10 @@ main(int ac, char **av) +@@ -638,6 +646,10 @@ main(int ac, char **av) seed_rng(); @@ -429,7 +429,7 @@ diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c if (options.user == NULL) options.user = xstrdup(pw->pw_name); -@@ -701,6 +713,12 @@ main(int ac, char **av) +@@ -704,6 +716,12 @@ main(int ac, char **av) timeout_ms = options.connection_timeout * 1000; @@ -442,9 +442,9 @@ diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c /* Open a connection to the remote host. */ if (ssh_connect(host, &hostaddr, options.port, options.address_family, options.connection_attempts, &timeout_ms, -diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c ---- openssh-5.2p1/sshconnect2.c.fips 2009-05-15 15:51:01.000000000 +0200 -+++ openssh-5.2p1/sshconnect2.c 2009-05-15 15:51:01.000000000 +0200 +diff -up openssh-5.3p1/sshconnect2.c.fips openssh-5.3p1/sshconnect2.c +--- openssh-5.3p1/sshconnect2.c.fips 2009-10-02 14:12:00.000000000 +0200 ++++ openssh-5.3p1/sshconnect2.c 2009-10-02 14:12:00.000000000 +0200 @@ -44,6 +44,8 @@ #include #endif @@ -454,7 +454,7 @@ diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" -@@ -115,6 +117,10 @@ ssh_kex2(char *host, struct sockaddr *ho +@@ -116,6 +118,10 @@ ssh_kex2(char *host, struct sockaddr *ho if (options.ciphers != NULL) { myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; 
@@ -465,7 +465,7 @@ diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c } myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); -@@ -130,7 +136,11 @@ ssh_kex2(char *host, struct sockaddr *ho +@@ -131,7 +137,11 @@ ssh_kex2(char *host, struct sockaddr *ho if (options.macs != NULL) { myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; @@ -477,7 +477,7 @@ diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c if (options.hostkeyalgorithms != NULL) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = options.hostkeyalgorithms; -@@ -507,8 +517,8 @@ input_userauth_pk_ok(int type, u_int32_t +@@ -508,8 +518,8 @@ input_userauth_pk_ok(int type, u_int32_t key->type, pktype); goto done; } @@ -488,9 +488,9 @@ diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c xfree(fp); /* -diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c ---- openssh-5.2p1/sshconnect.c.fips 2009-05-15 15:51:01.000000000 +0200 -+++ openssh-5.2p1/sshconnect.c 2009-05-15 15:51:01.000000000 +0200 +diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c +--- openssh-5.3p1/sshconnect.c.fips 2009-10-02 14:12:00.000000000 +0200 ++++ openssh-5.3p1/sshconnect.c 2009-10-02 14:12:00.000000000 +0200 @@ -40,6 +40,8 @@ #include #include @@ -500,7 +500,7 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c #include "xmalloc.h" #include "key.h" #include "hostfile.h" -@@ -761,6 +763,7 @@ check_host_key(char *hostname, struct so +@@ -763,6 +765,7 @@ check_host_key(char *hostname, struct so goto fail; } else if (options.strict_host_key_checking == 2) { char msg1[1024], msg2[1024]; 
@@ -508,7 +508,7 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c if (show_other_keys(host, host_key)) snprintf(msg1, sizeof(msg1), -@@ -769,8 +772,8 @@ check_host_key(char *hostname, struct so +@@ -771,8 +774,8 @@ check_host_key(char *hostname, struct so else snprintf(msg1, sizeof(msg1), "."); /* The default */ @@ -519,7 +519,7 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c SSH_FP_RANDOMART); msg2[0] = '\0'; if (options.verify_host_key_dns) { -@@ -786,10 +789,10 @@ check_host_key(char *hostname, struct so +@@ -788,10 +791,10 @@ check_host_key(char *hostname, struct so snprintf(msg, sizeof(msg), "The authenticity of host '%.200s (%s)' can't be " "established%s\n" @@ -532,7 +532,7 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c options.visual_host_key ? "\n" : "", options.visual_host_key ? ra : "", msg2); -@@ -1077,17 +1080,18 @@ show_key_from_file(const char *file, con +@@ -1079,17 +1082,18 @@ show_key_from_file(const char *file, con Key *found; char *fp, *ra; int line, ret; @@ -555,7 +555,7 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c xfree(ra); xfree(fp); } -@@ -1133,8 +1137,9 @@ warn_changed_key(Key *host_key) +@@ -1135,8 +1139,9 @@ warn_changed_key(Key *host_key) { char *fp; const char *type = key_type(host_key); @@ -566,7 +566,7 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @"); -@@ -1142,8 +1147,8 @@ warn_changed_key(Key *host_key) +@@ -1144,8 +1149,8 @@ warn_changed_key(Key *host_key) error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!"); error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); error("It is also possible that the %s host key has just been changed.", type); 
@@ -577,9 +577,9 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c error("Please contact your system administrator."); xfree(fp); -diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c ---- openssh-5.2p1/sshd.c.fips 2009-05-15 15:51:01.000000000 +0200 -+++ openssh-5.2p1/sshd.c 2009-05-15 15:51:01.000000000 +0200 +diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c +--- openssh-5.3p1/sshd.c.fips 2009-10-02 14:12:00.000000000 +0200 ++++ openssh-5.3p1/sshd.c 2009-10-02 14:12:00.000000000 +0200 @@ -76,6 +76,8 @@ #include #include @@ -589,7 +589,7 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c #include "openbsd-compat/openssl-compat.h" #ifdef HAVE_SECUREWARE -@@ -1260,6 +1262,12 @@ main(int ac, char **av) +@@ -1261,6 +1263,12 @@ main(int ac, char **av) (void)set_auth_parameters(ac, av); #endif __progname = ssh_get_progname(av[0]); @@ -602,7 +602,7 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c init_rng(); /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ -@@ -1412,8 +1420,6 @@ main(int ac, char **av) +@@ -1413,8 +1421,6 @@ main(int ac, char **av) else closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); @@ -611,7 +611,7 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c /* * Force logging to stderr until we have loaded the private host * key (unless started from inetd) -@@ -1531,6 +1537,10 @@ main(int ac, char **av) +@@ -1532,6 +1538,10 @@ main(int ac, char **av) debug("private host key: #%d type %d %s", i, key->type, key_type(key)); } @@ -622,7 +622,7 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { logit("Disabling protocol version 1. Could not load host key"); options.protocol &= ~SSH_PROTO_1; -@@ -1655,6 +1665,10 @@ main(int ac, char **av) +@@ -1656,6 +1666,10 @@ main(int ac, char **av) /* Initialize the random number generator. */ arc4random_stir(); 
@@ -633,7 +633,7 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c /* Chdir to the root directory so that the current disk can be unmounted if desired. */ chdir("/"); -@@ -2182,6 +2196,9 @@ do_ssh2_kex(void) +@@ -2183,6 +2197,9 @@ do_ssh2_kex(void) if (options.ciphers != NULL) { myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; @@ -643,7 +643,7 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c } myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); -@@ -2191,6 +2208,9 @@ do_ssh2_kex(void) +@@ -2192,6 +2209,9 @@ do_ssh2_kex(void) if (options.macs != NULL) { myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; @@ -653,9 +653,9 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c } if (options.compression == COMP_NONE) { myproposal[PROPOSAL_COMP_ALGS_CTOS] = -diff -up openssh-5.2p1/ssh-keygen.c.fips openssh-5.2p1/ssh-keygen.c ---- openssh-5.2p1/ssh-keygen.c.fips 2009-05-15 15:51:01.000000000 +0200 -+++ openssh-5.2p1/ssh-keygen.c 2009-05-15 15:51:01.000000000 +0200 +diff -up openssh-5.3p1/ssh-keygen.c.fips openssh-5.3p1/ssh-keygen.c +--- openssh-5.3p1/ssh-keygen.c.fips 2009-10-02 14:12:00.000000000 +0200 ++++ openssh-5.3p1/ssh-keygen.c 2009-10-02 14:12:00.000000000 +0200 @@ -21,6 +21,7 @@ #include diff --git a/openssh-5.1p1-mls.patch b/openssh-5.3p1-mls.patch similarity index 91% rename from openssh-5.1p1-mls.patch rename to openssh-5.3p1-mls.patch index baf34ad..451b7e8 100644 --- a/openssh-5.1p1-mls.patch +++ b/openssh-5.3p1-mls.patch 
@@ -1,7 +1,18 @@ -diff -up openssh-5.1p1/misc.c.mls openssh-5.1p1/misc.c ---- openssh-5.1p1/misc.c.mls 2008-06-13 06:48:59.000000000 +0200 -+++ openssh-5.1p1/misc.c 2008-07-23 18:53:37.000000000 +0200 -@@ -427,6 +427,7 @@ char * +diff -up openssh-5.3p1/configure.ac.mls openssh-5.3p1/configure.ac +--- openssh-5.3p1/configure.ac.mls 2009-10-02 14:04:31.000000000 +0200 ++++ openssh-5.3p1/configure.ac 2009-10-02 14:04:31.000000000 +0200 +@@ -3404,6 +3404,7 @@ AC_ARG_WITH(selinux, + SSHDLIBS="$SSHDLIBS $LIBSELINUX" + LIBS="$LIBS $LIBSELINUX" + AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) ++ AC_CHECK_FUNCS(setkeycreatecon) + LIBS="$save_LIBS" + fi ] + ) +diff -up openssh-5.3p1/misc.c.mls openssh-5.3p1/misc.c +--- openssh-5.3p1/misc.c.mls 2009-02-21 22:47:02.000000000 +0100 ++++ openssh-5.3p1/misc.c 2009-10-02 14:04:31.000000000 +0200 +@@ -423,6 +423,7 @@ char * colon(char *cp) { int flag = 0; @@ -9,7 +20,7 @@ diff -up openssh-5.1p1/misc.c.mls openssh-5.1p1/misc.c if (*cp == ':') /* Leading colon is part of file name. */ return (0); -@@ -440,8 +441,13 @@ colon(char *cp) +@@ -436,8 +437,13 @@ colon(char *cp) return (cp+1); if (*cp == ':' && !flag) return (cp); 
@@ -25,23 +36,9 @@ diff -up openssh-5.1p1/misc.c.mls openssh-5.1p1/misc.c } return (0); } -diff -up openssh-5.1p1/session.c.mls openssh-5.1p1/session.c ---- openssh-5.1p1/session.c.mls 2008-06-16 15:29:18.000000000 +0200 -+++ openssh-5.1p1/session.c 2008-07-23 18:53:37.000000000 +0200 -@@ -1550,10 +1550,6 @@ do_setusercontext(struct passwd *pw) - #endif - if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) - fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); -- --#ifdef WITH_SELINUX -- ssh_selinux_setup_exec_context(pw->pw_name); --#endif - } - - static void -diff -up openssh-5.1p1/openbsd-compat/port-linux.c.mls openssh-5.1p1/openbsd-compat/port-linux.c ---- openssh-5.1p1/openbsd-compat/port-linux.c.mls 2008-07-23 18:53:37.000000000 +0200 -+++ openssh-5.1p1/openbsd-compat/port-linux.c 2008-07-23 18:53:37.000000000 +0200 +diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-compat/port-linux.c +--- openssh-5.3p1/openbsd-compat/port-linux.c.mls 2009-10-02 14:04:31.000000000 +0200 ++++ openssh-5.3p1/openbsd-compat/port-linux.c 2009-10-02 14:04:31.000000000 +0200 @@ -33,12 +33,23 @@ #include "key.h" #include "hostfile.h" 
@@ -419,20 +416,23 @@ diff -up openssh-5.1p1/openbsd-compat/port-linux.c.mls openssh-5.1p1/openbsd-com /* XXX: should these calls fatal() upon failure in enforcing mode? */ -diff -up openssh-5.1p1/configure.ac.mls openssh-5.1p1/configure.ac ---- openssh-5.1p1/configure.ac.mls 2008-07-23 18:53:37.000000000 +0200 -+++ openssh-5.1p1/configure.ac 2008-07-23 18:53:37.000000000 +0200 -@@ -3311,6 +3311,7 @@ AC_ARG_WITH(selinux, - SSHDLIBS="$SSHDLIBS $LIBSELINUX" - LIBS="$LIBS $LIBSELINUX" - AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) -+ AC_CHECK_FUNCS(setkeycreatecon) - LIBS="$save_LIBS" - fi ] - ) -diff -up openssh-5.1p1/sshd.c.mls openssh-5.1p1/sshd.c ---- openssh-5.1p1/sshd.c.mls 2008-07-23 18:53:37.000000000 +0200 -+++ openssh-5.1p1/sshd.c 2008-07-23 18:53:37.000000000 +0200 +diff -up openssh-5.3p1/session.c.mls openssh-5.3p1/session.c +--- openssh-5.3p1/session.c.mls 2009-08-20 08:20:50.000000000 +0200 ++++ openssh-5.3p1/session.c 2009-10-02 14:06:12.000000000 +0200 +@@ -1550,10 +1550,6 @@ do_setusercontext(struct passwd *pw) + + if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) + fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); +- +-#ifdef WITH_SELINUX +- ssh_selinux_setup_exec_context(pw->pw_name); +-#endif + } + + static void +diff -up openssh-5.3p1/sshd.c.mls openssh-5.3p1/sshd.c +--- openssh-5.3p1/sshd.c.mls 2009-10-02 14:04:31.000000000 +0200 ++++ openssh-5.3p1/sshd.c 2009-10-02 14:04:31.000000000 +0200 @@ -1896,6 +1896,9 @@ main(int ac, char **av) restore_uid(); } diff --git a/openssh-5.2p1-nss-keys.patch b/openssh-5.3p1-nss-keys.patch similarity index 90% rename from openssh-5.2p1-nss-keys.patch rename to openssh-5.3p1-nss-keys.patch index cf8bbea..af12b97 100644 --- a/openssh-5.2p1-nss-keys.patch +++ b/openssh-5.3p1-nss-keys.patch 
@@ -1,6 +1,6 @@ -diff -up openssh-5.2p1/authfd.c.nss-keys openssh-5.2p1/authfd.c ---- openssh-5.2p1/authfd.c.nss-keys 2006-09-01 07:38:36.000000000 +0200 -+++ openssh-5.2p1/authfd.c 2009-08-15 11:39:07.376618281 +0200 +diff -up openssh-5.3p1/authfd.c.nss-keys openssh-5.3p1/authfd.c +--- openssh-5.3p1/authfd.c.nss-keys 2006-09-01 07:38:36.000000000 +0200 ++++ openssh-5.3p1/authfd.c 2009-10-02 14:09:01.000000000 +0200 @@ -626,6 +626,45 @@ ssh_update_card(AuthenticationConnection return decode_reply(type); } @@ -47,9 +47,9 @@ diff -up openssh-5.2p1/authfd.c.nss-keys openssh-5.2p1/authfd.c /* * Removes all identities from the agent. This call is not meant to be used * by normal applications. -diff -up openssh-5.2p1/authfd.h.nss-keys openssh-5.2p1/authfd.h ---- openssh-5.2p1/authfd.h.nss-keys 2006-08-05 04:39:39.000000000 +0200 -+++ openssh-5.2p1/authfd.h 2009-08-15 11:39:07.369353952 +0200 +diff -up openssh-5.3p1/authfd.h.nss-keys openssh-5.3p1/authfd.h +--- openssh-5.3p1/authfd.h.nss-keys 2006-08-05 04:39:39.000000000 +0200 ++++ openssh-5.3p1/authfd.h 2009-10-02 14:09:01.000000000 +0200 @@ -49,6 +49,12 @@ #define SSH2_AGENTC_ADD_ID_CONSTRAINED 25 #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26 @@ -72,10 +72,10 @@ diff -up openssh-5.2p1/authfd.h.nss-keys openssh-5.2p1/authfd.h int ssh_decrypt_challenge(AuthenticationConnection *, Key *, BIGNUM *, u_char[16], -diff -up openssh-5.2p1/configure.ac.nss-keys openssh-5.2p1/configure.ac ---- openssh-5.2p1/configure.ac.nss-keys 2009-08-15 11:39:07.161229467 +0200 -+++ openssh-5.2p1/configure.ac 2009-08-15 11:39:07.373539105 +0200 -@@ -3462,6 +3462,20 @@ AC_ARG_WITH(kerberos5, +diff -up openssh-5.3p1/configure.ac.nss-keys openssh-5.3p1/configure.ac +--- openssh-5.3p1/configure.ac.nss-keys 2009-10-02 14:09:01.000000000 +0200 ++++ openssh-5.3p1/configure.ac 2009-10-02 14:09:01.000000000 +0200 +@@ -3514,6 +3514,20 @@ AC_ARG_WITH(kerberos5, ] ) 
@@ -96,7 +96,7 @@ diff -up openssh-5.2p1/configure.ac.nss-keys openssh-5.2p1/configure.ac # Looking for programs, paths and files PRIVSEP_PATH=/var/empty -@@ -4189,6 +4203,7 @@ echo " TCP Wrappers support +@@ -4240,6 +4254,7 @@ echo " TCP Wrappers support echo " MD5 password support: $MD5_MSG" echo " libedit support: $LIBEDIT_MSG" echo " Solaris process contract support: $SPC_MSG" @@ -104,9 +104,9 @@ diff -up openssh-5.2p1/configure.ac.nss-keys openssh-5.2p1/configure.ac echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" echo " BSD Auth support: $BSD_AUTH_MSG" -diff -up openssh-5.2p1/key.c.nss-keys openssh-5.2p1/key.c ---- openssh-5.2p1/key.c.nss-keys 2008-11-03 09:24:17.000000000 +0100 -+++ openssh-5.2p1/key.c 2009-08-15 11:39:07.363301772 +0200 +diff -up openssh-5.3p1/key.c.nss-keys openssh-5.3p1/key.c +--- openssh-5.3p1/key.c.nss-keys 2008-11-03 09:24:17.000000000 +0100 ++++ openssh-5.3p1/key.c 2009-10-02 14:09:01.000000000 +0200 @@ -96,6 +96,54 @@ key_new(int type) return k; } @@ -182,9 +182,9 @@ diff -up openssh-5.2p1/key.c.nss-keys openssh-5.2p1/key.c xfree(k); } -diff -up openssh-5.2p1/key.h.nss-keys openssh-5.2p1/key.h ---- openssh-5.2p1/key.h.nss-keys 2008-06-12 20:40:35.000000000 +0200 -+++ openssh-5.2p1/key.h 2009-08-15 11:39:07.388333558 +0200 +diff -up openssh-5.3p1/key.h.nss-keys openssh-5.3p1/key.h +--- openssh-5.3p1/key.h.nss-keys 2008-06-12 20:40:35.000000000 +0200 ++++ openssh-5.3p1/key.h 2009-10-02 14:09:01.000000000 +0200 @@ -29,11 +29,17 @@ #include #include 
@@ -234,9 +234,9 @@ diff -up openssh-5.2p1/key.h.nss-keys openssh-5.2p1/key.h void key_free(Key *); Key *key_demote(const Key *); int key_equal(const Key *, const Key *); -diff -up openssh-5.2p1/Makefile.in.nss-keys openssh-5.2p1/Makefile.in ---- openssh-5.2p1/Makefile.in.nss-keys 2008-11-05 06:20:46.000000000 +0100 -+++ openssh-5.2p1/Makefile.in 2009-08-15 11:39:07.387287237 +0200 +diff -up openssh-5.3p1/Makefile.in.nss-keys openssh-5.3p1/Makefile.in +--- openssh-5.3p1/Makefile.in.nss-keys 2009-08-28 02:47:38.000000000 +0200 ++++ openssh-5.3p1/Makefile.in 2009-10-02 14:09:53.000000000 +0200 @@ -71,7 +71,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ @@ -245,10 +245,10 @@ diff -up openssh-5.2p1/Makefile.in.nss-keys openssh-5.2p1/Makefile.in + entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o nsskeys.o SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ - sshconnect.o sshconnect1.o sshconnect2.o mux.o -diff -up /dev/null openssh-5.2p1/nsskeys.c ---- /dev/null 2009-08-11 04:59:51.783705773 +0200 -+++ openssh-5.2p1/nsskeys.c 2009-08-15 11:39:07.381280271 +0200 + sshconnect.o sshconnect1.o sshconnect2.o mux.o \ +diff -up /dev/null openssh-5.3p1/nsskeys.c +--- /dev/null 2009-09-11 09:35:58.778798825 +0200 ++++ openssh-5.3p1/nsskeys.c 2009-10-02 14:09:01.000000000 +0200 @@ -0,0 +1,327 @@ +/* + * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -577,9 +577,9 @@ diff -up /dev/null openssh-5.2p1/nsskeys.c +} + +#endif /* HAVE_LIBNSS */ -diff -up /dev/null openssh-5.2p1/nsskeys.h ---- /dev/null 2009-08-11 04:59:51.783705773 +0200 -+++ openssh-5.2p1/nsskeys.h 2009-08-15 11:39:07.385223433 +0200 +diff -up /dev/null openssh-5.3p1/nsskeys.h +--- /dev/null 2009-09-11 09:35:58.778798825 +0200 ++++ openssh-5.3p1/nsskeys.h 2009-10-02 14:09:01.000000000 +0200 
@@ -0,0 +1,39 @@ +/* + * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -620,9 +620,9 @@ diff -up /dev/null openssh-5.2p1/nsskeys.h + +#endif +#endif -diff -up openssh-5.2p1/readconf.c.nss-keys openssh-5.2p1/readconf.c ---- openssh-5.2p1/readconf.c.nss-keys 2009-02-14 06:28:21.000000000 +0100 -+++ openssh-5.2p1/readconf.c 2009-08-15 11:39:07.397161060 +0200 +diff -up openssh-5.3p1/readconf.c.nss-keys openssh-5.3p1/readconf.c +--- openssh-5.3p1/readconf.c.nss-keys 2009-07-05 23:12:27.000000000 +0200 ++++ openssh-5.3p1/readconf.c 2009-10-02 14:09:01.000000000 +0200 @@ -124,6 +124,7 @@ typedef enum { oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, @@ -645,7 +645,7 @@ diff -up openssh-5.2p1/readconf.c.nss-keys openssh-5.2p1/readconf.c { "clearallforwardings", oClearAllForwardings }, { "enablesshkeysign", oEnableSSHKeysign }, { "verifyhostkeydns", oVerifyHostKeyDNS }, -@@ -612,6 +620,14 @@ parse_string: +@@ -613,6 +621,14 @@ parse_string: charptr = &options->smartcard_device; goto parse_string; @@ -660,7 +660,7 @@ diff -up openssh-5.2p1/readconf.c.nss-keys openssh-5.2p1/readconf.c case oProxyCommand: charptr = &options->proxy_command; parse_command: -@@ -1047,6 +1063,8 @@ initialize_options(Options * options) +@@ -1052,6 +1068,8 @@ initialize_options(Options * options) options->preferred_authentications = NULL; options->bind_address = NULL; options->smartcard_device = NULL; @@ -669,7 +669,7 @@ diff -up openssh-5.2p1/readconf.c.nss-keys openssh-5.2p1/readconf.c options->enable_ssh_keysign = - 1; options->no_host_authentication_for_localhost = - 1; options->identities_only = - 1; -@@ -1177,6 +1195,8 @@ fill_default_options(Options * options) +@@ -1183,6 +1201,8 @@ fill_default_options(Options * options) options->no_host_authentication_for_localhost = 0; if (options->identities_only == -1) options->identities_only = 0; 
@@ -678,9 +678,9 @@ diff -up openssh-5.2p1/readconf.c.nss-keys openssh-5.2p1/readconf.c if (options->enable_ssh_keysign == -1) options->enable_ssh_keysign = 0; if (options->rekey_limit == -1) -diff -up openssh-5.2p1/readconf.h.nss-keys openssh-5.2p1/readconf.h ---- openssh-5.2p1/readconf.h.nss-keys 2009-02-14 06:28:21.000000000 +0100 -+++ openssh-5.2p1/readconf.h 2009-08-15 11:39:07.377835083 +0200 +diff -up openssh-5.3p1/readconf.h.nss-keys openssh-5.3p1/readconf.h +--- openssh-5.3p1/readconf.h.nss-keys 2009-07-05 23:12:27.000000000 +0200 ++++ openssh-5.3p1/readconf.h 2009-10-02 14:09:01.000000000 +0200 @@ -85,6 +85,8 @@ typedef struct { char *preferred_authentications; char *bind_address; /* local socket address for connection to sshd */ @@ -690,9 +690,9 @@ diff -up openssh-5.2p1/readconf.h.nss-keys openssh-5.2p1/readconf.h int verify_host_key_dns; /* Verify host key using DNS */ int num_identity_files; /* Number of files for RSA/DSA identities. */ -diff -up openssh-5.2p1/ssh-add.c.nss-keys openssh-5.2p1/ssh-add.c ---- openssh-5.2p1/ssh-add.c.nss-keys 2008-02-28 09:13:52.000000000 +0100 -+++ openssh-5.2p1/ssh-add.c 2009-08-15 11:39:07.414164844 +0200 +diff -up openssh-5.3p1/ssh-add.c.nss-keys openssh-5.3p1/ssh-add.c +--- openssh-5.3p1/ssh-add.c.nss-keys 2008-02-28 09:13:52.000000000 +0100 ++++ openssh-5.3p1/ssh-add.c 2009-10-02 14:09:01.000000000 +0200 @@ -44,6 +44,14 @@ #include #include "openbsd-compat/openssl-compat.h" 
@@ -930,9 +930,9 @@ diff -up openssh-5.2p1/ssh-add.c.nss-keys openssh-5.2p1/ssh-add.c if (argc == 0) { char buf[MAXPATHLEN]; struct passwd *pw; -diff -up openssh-5.2p1/ssh-agent.c.nss-keys openssh-5.2p1/ssh-agent.c ---- openssh-5.2p1/ssh-agent.c.nss-keys 2008-07-04 15:10:49.000000000 +0200 -+++ openssh-5.2p1/ssh-agent.c 2009-08-15 11:39:07.368143486 +0200 +diff -up openssh-5.3p1/ssh-agent.c.nss-keys openssh-5.3p1/ssh-agent.c +--- openssh-5.3p1/ssh-agent.c.nss-keys 2009-06-21 09:50:15.000000000 +0200 ++++ openssh-5.3p1/ssh-agent.c 2009-10-02 14:09:01.000000000 +0200 @@ -80,6 +80,10 @@ #include "scard.h" #endif @@ -1075,10 +1075,10 @@ diff -up openssh-5.2p1/ssh-agent.c.nss-keys openssh-5.2p1/ssh-agent.c default: /* Unknown message. Respond with failure. */ error("Unknown message %d", type); -diff -up openssh-5.2p1/ssh.c.nss-keys openssh-5.2p1/ssh.c ---- openssh-5.2p1/ssh.c.nss-keys 2009-02-14 06:28:21.000000000 +0100 -+++ openssh-5.2p1/ssh.c 2009-08-15 11:39:07.383383769 +0200 -@@ -104,6 +104,9 @@ +diff -up openssh-5.3p1/ssh.c.nss-keys openssh-5.3p1/ssh.c +--- openssh-5.3p1/ssh.c.nss-keys 2009-07-05 23:16:56.000000000 +0200 ++++ openssh-5.3p1/ssh.c 2009-10-02 14:09:01.000000000 +0200 +@@ -105,6 +105,9 @@ #ifdef SMARTCARD #include "scard.h" #endif @@ -1088,7 +1088,7 @@ diff -up openssh-5.2p1/ssh.c.nss-keys openssh-5.2p1/ssh.c extern char *__progname; -@@ -1231,9 +1234,11 @@ load_public_identity_files(void) +@@ -1234,9 +1237,11 @@ load_public_identity_files(void) int i = 0; Key *public; struct passwd *pw; @@ -1101,7 +1101,7 @@ diff -up openssh-5.2p1/ssh.c.nss-keys openssh-5.2p1/ssh.c if (options.smartcard_device != NULL && options.num_identity_files < SSH_MAX_IDENTITY_FILES && (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL) { -@@ -1256,6 +1261,27 @@ load_public_identity_files(void) +@@ -1259,6 +1264,27 @@ load_public_identity_files(void) xfree(keys); } #endif /* SMARTCARD */ 
@@ -1129,9 +1129,9 @@ diff -up openssh-5.2p1/ssh.c.nss-keys openssh-5.2p1/ssh.c if ((pw = getpwuid(original_real_uid)) == NULL) fatal("load_public_identity_files: getpwuid failed"); pwname = xstrdup(pw->pw_name); -diff -up openssh-5.2p1/ssh-dss.c.nss-keys openssh-5.2p1/ssh-dss.c ---- openssh-5.2p1/ssh-dss.c.nss-keys 2006-11-07 13:14:42.000000000 +0100 -+++ openssh-5.2p1/ssh-dss.c 2009-08-15 11:39:07.365182193 +0200 +diff -up openssh-5.3p1/ssh-dss.c.nss-keys openssh-5.3p1/ssh-dss.c +--- openssh-5.3p1/ssh-dss.c.nss-keys 2006-11-07 13:14:42.000000000 +0100 ++++ openssh-5.3p1/ssh-dss.c 2009-10-02 14:09:01.000000000 +0200 @@ -39,6 +39,10 @@ #include "log.h" #include "key.h" @@ -1189,9 +1189,9 @@ diff -up openssh-5.2p1/ssh-dss.c.nss-keys openssh-5.2p1/ssh-dss.c if (datafellows & SSH_BUG_SIGBLOB) { if (lenp != NULL) *lenp = SIGBLOB_LEN; -diff -up openssh-5.2p1/ssh-keygen.c.nss-keys openssh-5.2p1/ssh-keygen.c ---- openssh-5.2p1/ssh-keygen.c.nss-keys 2009-02-21 22:47:02.000000000 +0100 -+++ openssh-5.2p1/ssh-keygen.c 2009-08-15 11:39:07.395366022 +0200 +diff -up openssh-5.3p1/ssh-keygen.c.nss-keys openssh-5.3p1/ssh-keygen.c +--- openssh-5.3p1/ssh-keygen.c.nss-keys 2009-06-22 08:11:07.000000000 +0200 ++++ openssh-5.3p1/ssh-keygen.c 2009-10-02 14:09:01.000000000 +0200 @@ -53,6 +53,11 @@ #include "scard.h" #endif @@ -1293,9 +1293,9 @@ diff -up openssh-5.2p1/ssh-keygen.c.nss-keys openssh-5.2p1/ssh-keygen.c if (reader_id != NULL) { #ifdef SMARTCARD if (download) -diff -up openssh-5.2p1/ssh-rsa.c.nss-keys openssh-5.2p1/ssh-rsa.c ---- openssh-5.2p1/ssh-rsa.c.nss-keys 2006-09-01 07:38:37.000000000 +0200 -+++ openssh-5.2p1/ssh-rsa.c 2009-08-15 11:39:07.393249953 +0200 +diff -up openssh-5.3p1/ssh-rsa.c.nss-keys openssh-5.3p1/ssh-rsa.c +--- openssh-5.3p1/ssh-rsa.c.nss-keys 2006-09-01 07:38:37.000000000 +0200 ++++ openssh-5.3p1/ssh-rsa.c 2009-10-02 14:09:01.000000000 +0200 @@ -32,6 +32,10 @@ #include "compat.h" #include "ssh.h" 
diff --git a/openssh-5.2p1-selabel.patch b/openssh-5.3p1-selabel.patch similarity index 67% rename from openssh-5.2p1-selabel.patch rename to openssh-5.3p1-selabel.patch index 06ccffe..6e5d6bd 100644 --- a/openssh-5.2p1-selabel.patch +++ b/openssh-5.3p1-selabel.patch @@ -1,6 +1,6 @@ -diff -up openssh-5.2p1/contrib/ssh-copy-id.selabel openssh-5.2p1/contrib/ssh-copy-id ---- openssh-5.2p1/contrib/ssh-copy-id.selabel 2009-01-21 10:29:21.000000000 +0100 -+++ openssh-5.2p1/contrib/ssh-copy-id 2009-07-08 14:28:27.000000000 +0200 +diff -up openssh-5.3p1/contrib/ssh-copy-id.selabel openssh-5.3p1/contrib/ssh-copy-id +--- openssh-5.3p1/contrib/ssh-copy-id.selabel 2009-01-21 10:29:21.000000000 +0100 ++++ openssh-5.3p1/contrib/ssh-copy-id 2009-10-02 14:21:54.000000000 +0200 @@ -38,7 +38,7 @@ if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || exit 1 fi @@ -10,10 +10,10 @@ diff -up openssh-5.2p1/contrib/ssh-copy-id.selabel openssh-5.2p1/contrib/ssh-cop cat < #include @@ -33,7 +33,7 @@ diff -up openssh-5.2p1/ssh.c.selabel openssh-5.2p1/ssh.c #include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/sys-queue.h" -@@ -791,10 +792,15 @@ main(int ac, char **av) +@@ -792,10 +793,15 @@ main(int ac, char **av) */ r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir, strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR); diff --git a/openssh-5.3p1-skip-initial.patch b/openssh-5.3p1-skip-initial.patch new file mode 100644 index 0000000..d52962e --- /dev/null +++ b/openssh-5.3p1-skip-initial.patch 
@@ -0,0 +1,24 @@ +diff -up openssh-5.3p1/auth1.c.skip-initial openssh-5.3p1/auth1.c +--- openssh-5.3p1/auth1.c.skip-initial 2009-03-08 01:40:28.000000000 +0100 ++++ openssh-5.3p1/auth1.c 2009-10-02 13:55:00.000000000 +0200 +@@ -244,7 +244,7 @@ do_authloop(Authctxt *authctxt) + authctxt->valid ? "" : "invalid user ", authctxt->user); + + /* If the user has no password, accept authentication immediately. */ +- if (options.password_authentication && ++ if (options.permit_empty_passwd && options.password_authentication && + #ifdef KRB5 + (!options.kerberos_authentication || options.kerberos_or_local_passwd) && + #endif +diff -up openssh-5.3p1/auth2-none.c.skip-initial openssh-5.3p1/auth2-none.c +--- openssh-5.3p1/auth2-none.c.skip-initial 2009-03-08 01:40:28.000000000 +0100 ++++ openssh-5.3p1/auth2-none.c 2009-10-02 13:56:21.000000000 +0200 +@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt) + { + none_enabled = 0; + packet_check_eom(); +- if (options.password_authentication) ++ if (options.permit_empty_passwd && options.password_authentication) + return (PRIVSEP(auth_password(authctxt, ""))); + return (0); + } diff --git a/openssh.spec b/openssh.spec index 2963f24..c76facd 100644 --- a/openssh.spec +++ b/openssh.spec @@ -63,7 +63,7 @@ Summary: An open source implementation of SSH protocol versions 1 and 2 Name: openssh Version: 5.3p1 -Release: 1%{?dist}%{?rescue_rel} +Release: 2%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc @@ -460,7 +460,7 @@ fi %endif %changelog -* Fri Oct 2 2009 Jan F. Chadima - 5.3p1-1 +* Fri Oct 2 2009 Jan F. Chadima - 5.3p1-2 - Upgrade to new wersion 5.3p1 * Tue Sep 29 2009 Jan F. Chadima - 5.2p1-29 diff --git a/sources b/sources index 40209a7..7d28e2e 100644 --- a/sources +++ b/sources 
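Review bot: The new openssh-5.3p1-skip-initial.patch begins directly at its `diff -up` line with no description, so nothing records why the empty-password probe in `do_authloop` (auth1.c) and `userauth_none` (auth2-none.c) is now also gated on `options.permit_empty_passwd`. A one-line header at the top of the patch file would cover it, for example `Skip the initial empty-password attempt unless PermitEmptyPasswords is enabled.` The intent is presumably to avoid calling `auth_password(authctxt, "")` when empty passwords are disallowed anyway. If the real motivation is to keep a spurious failed attempt out of the PAM or audit trail, the header should say that instead. Both functions continue outside the nested hunks, so the rest of each condition is not visible here.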
@@ -1 +1 @@
-13563dbf61f36ca9a1e4254260131041 openssh-5.3p1.tar.gz
+89f85c1da83c24ca0b10c05344f7c93c openssh-5.3p1-noacss.tar.bz2