rpms/openssh
7
0
Fork 1
Code Issues Pull Requests Releases Activity

rearange patches

Browse Source
This commit is contained in:
Jan F. Chadima 2009-08-28 21:46:27 +00:00
parent 214b7b9738
commit 15914f24ed
7 changed files with 246 additions and 219 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
openssh-4.3p2-cve-2007-3102.patch
View File

@ -1,62 +0,0 @@
--- openssh-4.3p2/loginrec.c.inject-fix 2007-06-20 21:18:00.000000000 +0200
+++ openssh-4.3p2/loginrec.c 2007-07-13 15:25:35.000000000 +0200
@@ -1389,11 +1389,44 @@
#endif /* USE_WTMPX */
#ifdef HAVE_LINUX_AUDIT
+static void
+_audit_hexscape(const char *what, char *where, unsigned int size)
+{
+ const char *ptr = what;
+ const char *hex = "0123456789ABCDEF";
+
+ while (*ptr) {
+ if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) {
+ unsigned int i;
+ ptr = what;
+ for (i = 0; *ptr && i+2 < size; i += 2) {
+ where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */
+ where[i+1] = hex[(unsigned)*ptr & 0x0F]; /* Lower nibble */
+ ptr++;
+ }
+ where[i] = '\0';
+ return;
+ }
+ ptr++;
+ }
+ where[0] = '"';
+ if ((unsigned)(ptr - what) < size - 3)
+ {
+ size = ptr - what + 3;
+ }
+ strncpy(where + 1, what, size - 3);
+ where[size-2] = '"';
+ where[size-1] = '\0';
+}
+
+#define AUDIT_LOG_SIZE 128
+#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8)
+
int
linux_audit_record_event(int uid, const char *username,
const char *hostname, const char *ip, const char *ttyn, int success)
{
- char buf[64];
+ char buf[AUDIT_LOG_SIZE];
int audit_fd, rc;
audit_fd = audit_open();
@@ -1406,8 +1439,11 @@
}
if (username == NULL)
snprintf(buf, sizeof(buf), "uid=%d", uid);
- else
- snprintf(buf, sizeof(buf), "acct=%s", username);
+ else {
+ char encoded[AUDIT_ACCT_SIZE];
+ _audit_hexscape(username, encoded, sizeof(encoded));
+ snprintf(buf, sizeof(buf), "acct=%s", encoded);
+ }
rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
buf, hostname, ip, ttyn, success);
close(audit_fd);

213
openssh-4.7p1-audit.patch
View File

@ -1,7 +1,7 @@
diff -up openssh-4.7p1/auth.c.audit openssh-4.7p1/auth.c diff -up openssh-5.2p1/auth.c.audit openssh-5.2p1/auth.c
--- openssh-4.7p1/auth.c.audit 2007-03-26 18:35:28.000000000 +0200 --- openssh-5.2p1/auth.c.audit 2008-11-05 06:12:54.000000000 +0100
+++ openssh-4.7p1/auth.c 2007-09-06 17:07:44.000000000 +0200 +++ openssh-5.2p1/auth.c 2009-08-09 09:22:23.634850536 +0200
@@ -286,6 +286,12 @@ auth_log(Authctxt *authctxt, int authent @@ -287,6 +287,12 @@ auth_log(Authctxt *authctxt, int authent
get_canonical_hostname(options.use_dns), "ssh", &loginmsg); get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
# endif # endif
#endif #endif
@ -14,7 +14,7 @@ diff -up openssh-4.7p1/auth.c.audit openssh-4.7p1/auth.c
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
if (authenticated == 0 && !authctxt->postponed) if (authenticated == 0 && !authctxt->postponed)
audit_event(audit_classify_auth(method)); audit_event(audit_classify_auth(method));
@@ -492,6 +498,10 @@ getpwnamallow(const char *user) @@ -533,6 +539,10 @@ getpwnamallow(const char *user)
record_failed_login(user, record_failed_login(user,
get_canonical_hostname(options.use_dns), "ssh"); get_canonical_hostname(options.use_dns), "ssh");
#endif #endif
@ -25,9 +25,113 @@ diff -up openssh-4.7p1/auth.c.audit openssh-4.7p1/auth.c
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
audit_event(SSH_INVALID_USER); audit_event(SSH_INVALID_USER);
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff -up openssh-4.7p1/loginrec.c.audit openssh-4.7p1/loginrec.c diff -up openssh-5.2p1/config.h.in.audit openssh-5.2p1/config.h.in
--- openssh-4.7p1/loginrec.c.audit 2007-04-29 04:10:58.000000000 +0200 --- openssh-5.2p1/config.h.in.audit 2009-02-23 01:18:12.000000000 +0100
+++ openssh-4.7p1/loginrec.c 2007-09-06 17:07:44.000000000 +0200 +++ openssh-5.2p1/config.h.in 2009-08-09 09:22:28.825939998 +0200
@@ -1,5 +1,8 @@
/* config.h.in. Generated from configure.ac by autoheader. */
+/* Define if building universal (internal helper macro) */
+#undef AC_APPLE_UNIVERSAL_BUILD
+
/* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address
*/
#undef AIX_GETNAMEINFO_HACK
@@ -521,6 +524,9 @@
/* Define to 1 if you have the <lastlog.h> header file. */
#undef HAVE_LASTLOG_H
+/* Define to 1 if you have the <libaudit.h> header file. */
+#undef HAVE_LIBAUDIT_H
+
/* Define to 1 if you have the `bsm' library (-lbsm). */
#undef HAVE_LIBBSM
@@ -560,6 +566,9 @@
/* Define to 1 if you have the <limits.h> header file. */
#undef HAVE_LIMITS_H
+/* Define if you want Linux audit support. */
+#undef HAVE_LINUX_AUDIT
+
/* Define to 1 if you have the <linux/if_tun.h> header file. */
#undef HAVE_LINUX_IF_TUN_H
@@ -756,6 +765,9 @@
/* Define to 1 if you have the `setgroups' function. */
#undef HAVE_SETGROUPS
+/* Define to 1 if you have the `setkeycreatecon' function. */
+#undef HAVE_SETKEYCREATECON
+
/* Define to 1 if you have the `setlogin' function. */
#undef HAVE_SETLOGIN
@@ -1330,6 +1342,10 @@
/* Prepend the address family to IP tunnel traffic */
#undef SSH_TUN_PREPEND_AF
+/* Define to your vendor patch level, if it has been modified from the
+ upstream source release. */
+#undef SSH_VENDOR_PATCHLEVEL
+
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
@@ -1397,9 +1413,17 @@
/* Define if you want SELinux support. */
#undef WITH_SELINUX
-/* Define to 1 if your processor stores words with the most significant byte
- first (like Motorola and SPARC, unlike Intel and VAX). */
-#undef WORDS_BIGENDIAN
+/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
+ significant byte first (like Motorola and SPARC, unlike Intel). */
+#if defined AC_APPLE_UNIVERSAL_BUILD
+# if defined __BIG_ENDIAN__
+# define WORDS_BIGENDIAN 1
+# endif
+#else
+# ifndef WORDS_BIGENDIAN
+# undef WORDS_BIGENDIAN
+# endif
+#endif
/* Define if xauth is found in your path */
#undef XAUTH_PATH
diff -up openssh-5.2p1/configure.ac.audit openssh-5.2p1/configure.ac
--- openssh-5.2p1/configure.ac.audit 2009-08-09 09:22:23.608877833 +0200
+++ openssh-5.2p1/configure.ac 2009-08-09 09:22:23.646244409 +0200
@@ -3342,6 +3342,18 @@ AC_ARG_WITH(selinux,
fi ]
)
+# Check whether user wants Linux audit support
+LINUX_AUDIT_MSG="no"
+AC_ARG_WITH(linux-audit,
+ [ --with-linux-audit Enable Linux audit support],
+ [ if test "x$withval" != "xno" ; then
+ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
+ LINUX_AUDIT_MSG="yes"
+ AC_CHECK_HEADERS(libaudit.h)
+ SSHDLIBS="$SSHDLIBS -laudit"
+ fi ]
+)
+
# Check whether user wants Kerberos 5 support
KRB5_MSG="no"
AC_ARG_WITH(kerberos5,
@@ -4170,6 +4182,7 @@ echo " PAM support
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
+echo " Linux audit support: $LINUX_AUDIT_MSG"
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
diff -up openssh-5.2p1/loginrec.c.audit openssh-5.2p1/loginrec.c
--- openssh-5.2p1/loginrec.c.audit 2009-02-12 03:12:22.000000000 +0100
+++ openssh-5.2p1/loginrec.c 2009-08-09 09:22:23.667199702 +0200
@@ -176,6 +176,10 @@ @@ -176,6 +176,10 @@
#include "auth.h" #include "auth.h"
#include "buffer.h" #include "buffer.h"
@ -60,16 +164,49 @@ diff -up openssh-4.7p1/loginrec.c.audit openssh-4.7p1/loginrec.c
#ifdef USE_LOGIN #ifdef USE_LOGIN
syslogin_write_entry(li); syslogin_write_entry(li);
#endif #endif
@@ -1394,6 +1405,51 @@ wtmpx_get_entry(struct logininfo *li) @@ -1394,6 +1405,87 @@ wtmpx_get_entry(struct logininfo *li)
} }
#endif /* USE_WTMPX */ #endif /* USE_WTMPX */
+#ifdef HAVE_LINUX_AUDIT +#ifdef HAVE_LINUX_AUDIT
+static void
+_audit_hexscape(const char *what, char *where, unsigned int size)
+{
+ const char *ptr = what;
+ const char *hex = "0123456789ABCDEF";
+
+ while (*ptr) {
+ if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) {
+ unsigned int i;
+ ptr = what;
+ for (i = 0; *ptr && i+2 < size; i += 2) {
+ where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */
+ where[i+1] = hex[(unsigned)*ptr & 0x0F]; /* Lower nibble */
+ ptr++;
+ }
+ where[i] = '\0';
+ return;
+ }
+ ptr++;
+ }
+ where[0] = '"';
+ if ((unsigned)(ptr - what) < size - 3)
+ {
+ size = ptr - what + 3;
+ }
+ strncpy(where + 1, what, size - 3);
+ where[size-2] = '"';
+ where[size-1] = '\0';
+}
+
+#define AUDIT_LOG_SIZE 128
+#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8)
+
+int +int
+linux_audit_record_event(int uid, const char *username, +linux_audit_record_event(int uid, const char *username,
+ const char *hostname, const char *ip, const char *ttyn, int success) + const char *hostname, const char *ip, const char *ttyn, int success)
+{ +{
+ char buf[64]; + char buf[AUDIT_LOG_SIZE];
+ int audit_fd, rc; + int audit_fd, rc;
+ +
+ audit_fd = audit_open(); + audit_fd = audit_open();
@ -82,8 +219,11 @@ diff -up openssh-4.7p1/loginrec.c.audit openssh-4.7p1/loginrec.c
+ } + }
+ if (username == NULL) + if (username == NULL)
+ snprintf(buf, sizeof(buf), "uid=%d", uid); + snprintf(buf, sizeof(buf), "uid=%d", uid);
+ else + else {
+ snprintf(buf, sizeof(buf), "acct=%s", username); + char encoded[AUDIT_ACCT_SIZE];
+ _audit_hexscape(username, encoded, sizeof(encoded));
+ snprintf(buf, sizeof(buf), "acct=%s", encoded);
+ }
+ rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN, + rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
+ buf, hostname, ip, ttyn, success); + buf, hostname, ip, ttyn, success);
+ close(audit_fd); + close(audit_fd);
@ -112,22 +252,9 @@ diff -up openssh-4.7p1/loginrec.c.audit openssh-4.7p1/loginrec.c
/** /**
** Low-level libutil login() functions ** Low-level libutil login() functions
**/ **/
diff -up openssh-4.7p1/config.h.in.audit openssh-4.7p1/config.h.in diff -up openssh-5.2p1/loginrec.h.audit openssh-5.2p1/loginrec.h
--- openssh-4.7p1/config.h.in.audit 2007-09-04 08:50:04.000000000 +0200 --- openssh-5.2p1/loginrec.h.audit 2006-08-05 04:39:40.000000000 +0200
+++ openssh-4.7p1/config.h.in 2007-09-06 17:07:44.000000000 +0200 +++ openssh-5.2p1/loginrec.h 2009-08-09 09:22:23.641175349 +0200
@@ -1334,6 +1334,9 @@
/* Define if you want SELinux support. */
#undef WITH_SELINUX
+/* Define if you want Linux audit support. */
+#undef HAVE_LINUX_AUDIT
+
/* Define to 1 if your processor stores words with the most significant byte
first (like Motorola and SPARC, unlike Intel and VAX). */
#undef WORDS_BIGENDIAN
diff -up openssh-4.7p1/loginrec.h.audit openssh-4.7p1/loginrec.h
--- openssh-4.7p1/loginrec.h.audit 2006-08-05 04:39:40.000000000 +0200
+++ openssh-4.7p1/loginrec.h 2007-09-06 17:07:44.000000000 +0200
@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch @@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
char *line_abbrevname(char *dst, const char *src, int dstsize); char *line_abbrevname(char *dst, const char *src, int dstsize);
@ -138,33 +265,3 @@ diff -up openssh-4.7p1/loginrec.h.audit openssh-4.7p1/loginrec.h
+#endif /* HAVE_LINUX_AUDIT */ +#endif /* HAVE_LINUX_AUDIT */
#endif /* _HAVE_LOGINREC_H_ */ #endif /* _HAVE_LOGINREC_H_ */
diff -up openssh-4.7p1/configure.ac.audit openssh-4.7p1/configure.ac
--- openssh-4.7p1/configure.ac.audit 2007-09-06 17:07:44.000000000 +0200
+++ openssh-4.7p1/configure.ac 2007-09-06 17:15:23.000000000 +0200
@@ -3216,6 +3216,18 @@ AC_ARG_WITH(selinux,
fi ]
)
+# Check whether user wants Linux audit support
+LINUX_AUDIT_MSG="no"
+AC_ARG_WITH(linux-audit,
+ [ --with-linux-audit Enable Linux audit support],
+ [ if test "x$withval" != "xno" ; then
+ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
+ LINUX_AUDIT_MSG="yes"
+ AC_CHECK_HEADERS(libaudit.h)
+ SSHDLIBS="$SSHDLIBS -laudit"
+ fi ]
+)
+
# Check whether user wants Kerberos 5 support
KRB5_MSG="no"
AC_ARG_WITH(kerberos5,
@@ -4037,6 +4049,7 @@ echo " PAM support
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
+echo " Linux audit support: $LINUX_AUDIT_MSG"
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG"

35
openssh-5.1p1-gssapi-role.patch
View File

@ -1,35 +0,0 @@
Written-by: Nalin Dahyabhai <nalin@redhat.com>
Reviewed-by: Tomas Mraz <tmraz@redhat.com>
diff -up openssh-5.1p1/auth2-gss.c.gssapi-role openssh-5.1p1/auth2-gss.c
--- openssh-5.1p1/auth2-gss.c.gssapi-role 2007-12-02 12:59:45.000000000 +0100
+++ openssh-5.1p1/auth2-gss.c 2008-07-23 19:18:15.000000000 +0200
@@ -258,6 +258,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
int authenticated = 0;
+ char *micuser;
Buffer b;
gss_buffer_desc mic, gssbuf;
u_int len;
@@ -270,7 +271,11 @@ input_gssapi_mic(int type, u_int32_t ple
mic.value = packet_get_string(&len);
mic.length = len;
- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
+ if (authctxt->role && (strlen(authctxt->role) > 0))
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
+ else
+ micuser = authctxt->user;
+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
"gssapi-with-mic");
gssbuf.value = buffer_ptr(&b);
@@ -282,6 +287,8 @@ input_gssapi_mic(int type, u_int32_t ple
logit("GSSAPI MIC check failed");
buffer_free(&b);
+ if (micuser != authctxt->user)
+ xfree(micuser);
xfree(mic.value);
authctxt->postponed = 0;

96
openssh-5.2p1-redhat.patch
View File

@ -1,6 +1,52 @@
diff -up openssh-5.2p1/ssh_config.redhat openssh-5.2p1/ssh_config
--- openssh-5.2p1/ssh_config.redhat 2009-02-21 02:45:02.000000000 +0100
+++ openssh-5.2p1/ssh_config 2009-08-09 08:45:11.302092427 +0200
@@ -44,3 +44,14 @@
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
+Host *
+ GSSAPIAuthentication yes
+# If this option is set to yes then remote X11 clients will have full access
+# to the original X11 display. As virtually no X11 client supports the untrusted
+# mode correctly we set this to yes.
+ ForwardX11Trusted yes
+# Send locale-related environment variables
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+ SendEnv XMODIFIERS
diff -up openssh-5.2p1/sshd_config.0.redhat openssh-5.2p1/sshd_config.0
--- openssh-5.2p1/sshd_config.0.redhat 2009-02-23 01:18:15.000000000 +0100
+++ openssh-5.2p1/sshd_config.0 2009-08-09 08:45:11.276555108 +0200
@@ -491,9 +491,9 @@ DESCRIPTION
SyslogFacility
Gives the facility code that is used when logging messages from
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de-
- fault is AUTH.
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+ The default is AUTH.
TCPKeepAlive
Specifies whether the system should send TCP keepalive messages
diff -up openssh-5.2p1/sshd_config.5.redhat openssh-5.2p1/sshd_config.5
--- openssh-5.2p1/sshd_config.5.redhat 2009-02-23 01:00:24.000000000 +0100
+++ openssh-5.2p1/sshd_config.5 2009-08-09 08:45:11.278927203 +0200
@@ -848,7 +848,7 @@ Note that this option applies to protoco
.It Cm SyslogFacility
Gives the facility code that is used when logging messages from
.Xr sshd 8 .
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
.It Cm TCPKeepAlive
diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config
--- openssh-5.2p1/sshd_config.redhat 2008-07-02 14:35:43.000000000 +0200 --- openssh-5.2p1/sshd_config.redhat 2008-07-02 14:35:43.000000000 +0200
+++ openssh-5.2p1/sshd_config 2008-07-23 14:11:12.000000000 +0200 +++ openssh-5.2p1/sshd_config 2009-08-09 08:47:40.850857227 +0200
@@ -33,6 +33,7 @@ Protocol 2 @@ -33,6 +33,7 @@ Protocol 2
# Logging # Logging
# obsoletes QuietMode and FascistLogging # obsoletes QuietMode and FascistLogging
@ -31,7 +77,7 @@ diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config
# Set this to 'yes' to enable PAM authentication, account processing, # Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will # and session processing. If this is enabled, PAM authentication will
@@ -84,11 +89,18 @@ Protocol 2 @@ -84,11 +89,19 @@ Protocol 2
# PAM authentication, then enable this but set PasswordAuthentication # PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'. # and ChallengeResponseAuthentication to 'no'.
#UsePAM no #UsePAM no
@ -41,6 +87,7 @@ diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE +AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
#AllowAgentForwarding yes #AllowAgentForwarding yes
#AllowTcpForwarding yes #AllowTcpForwarding yes
@ -50,48 +97,3 @@ diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config
#X11DisplayOffset 10 #X11DisplayOffset 10
#X11UseLocalhost yes #X11UseLocalhost yes
#PrintMotd yes #PrintMotd yes
diff -up openssh-5.2p1/ssh_config.redhat openssh-5.2p1/ssh_config
--- openssh-5.2p1/ssh_config.redhat 2007-06-11 06:04:42.000000000 +0200
+++ openssh-5.2p1/ssh_config 2008-07-23 14:07:29.000000000 +0200
@@ -44,3 +44,13 @@
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
+Host *
+ GSSAPIAuthentication yes
+# If this option is set to yes then remote X11 clients will have full access
+# to the original X11 display. As virtually no X11 client supports the untrusted
+# mode correctly we set this to yes.
+ ForwardX11Trusted yes
+# Send locale-related environment variables
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
diff -up openssh-5.2p1/sshd_config.0.redhat openssh-5.2p1/sshd_config.0
--- openssh-5.2p1/sshd_config.0.redhat 2008-07-21 10:30:51.000000000 +0200
+++ openssh-5.2p1/sshd_config.0 2008-07-23 14:07:29.000000000 +0200
@@ -490,9 +490,9 @@ DESCRIPTION
SyslogFacility
Gives the facility code that is used when logging messages from
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de-
- fault is AUTH.
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+ The default is AUTH.
TCPKeepAlive
Specifies whether the system should send TCP keepalive messages
diff -up openssh-5.2p1/sshd_config.5.redhat openssh-5.2p1/sshd_config.5
--- openssh-5.2p1/sshd_config.5.redhat 2008-07-02 14:35:43.000000000 +0200
+++ openssh-5.2p1/sshd_config.5 2008-07-23 14:07:29.000000000 +0200
@@ -846,7 +846,7 @@ Note that this option applies to protoco
.It Cm SyslogFacility
Gives the facility code that is used when logging messages from
.Xr sshd 8 .
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
.It Cm TCPKeepAlive

33
openssh-5.2p1-selinux.patch
View File

@ -326,3 +326,36 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
if (strcmp(authctxt->user, p) != 0) { if (strcmp(authctxt->user, p) != 0) {
logit("wrong user name passed to monitor: expected %s != %.100s", logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p); authctxt->user, p);
diff -up openssh-5.1p1/auth2-gss.c.gssapi-role openssh-5.1p1/auth2-gss.c
--- openssh-5.1p1/auth2-gss.c.gssapi-role 2007-12-02 12:59:45.000000000 +0100
+++ openssh-5.1p1/auth2-gss.c 2008-07-23 19:18:15.000000000 +0200
@@ -258,6 +258,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
int authenticated = 0;
+ char *micuser;
Buffer b;
gss_buffer_desc mic, gssbuf;
u_int len;
@@ -270,7 +271,11 @@ input_gssapi_mic(int type, u_int32_t ple
mic.value = packet_get_string(&len);
mic.length = len;
- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
+ if (authctxt->role && (strlen(authctxt->role) > 0))
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
+ else
+ micuser = authctxt->user;
+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
"gssapi-with-mic");
gssbuf.value = buffer_ptr(&b);
@@ -282,6 +287,8 @@ input_gssapi_mic(int type, u_int32_t ple
logit("GSSAPI MIC check failed");
buffer_free(&b);
+ if (micuser != authctxt->user)
+ xfree(micuser);
xfree(mic.value);
authctxt->postponed = 0;

8
openssh-5.2p1-xmodifiers.patch
View File

@ -1,8 +0,0 @@
diff -up openssh-5.2p1/ssh_config.xmodifiers openssh-5.2p1/ssh_config
--- openssh-5.2p1/ssh_config.xmodifiers 2009-06-12 13:32:36.000000000 +0200
+++ openssh-5.2p1/ssh_config 2009-06-12 13:39:12.365582705 +0200
@@ -54,3 +54,4 @@ Host *
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+ SendEnv XMODIFIERS

18
openssh.spec
View File

@ -63,7 +63,7 @@
Summary: An open source implementation of SSH protocol versions 1 and 2 Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh Name: openssh
Version: 5.2p1 Version: 5.2p1
Release: 19%{?dist}%{?rescue_rel} Release: 20%{?dist}%{?rescue_rel}
URL: http://www.openssh.com/portable.html URL: http://www.openssh.com/portable.html
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@ -81,8 +81,8 @@ Patch4: openssh-5.2p1-vendor.patch
Patch12: openssh-5.2p1-selinux.patch Patch12: openssh-5.2p1-selinux.patch
Patch13: openssh-5.1p1-mls.patch Patch13: openssh-5.1p1-mls.patch
Patch16: openssh-4.7p1-audit.patch Patch16: openssh-4.7p1-audit.patch
Patch17: openssh-4.3p2-cve-2007-3102.patch
Patch18: openssh-5.0p1-pam_selinux.patch Patch18: openssh-5.0p1-pam_selinux.patch
Patch19: openssh-5.2p1-sesftp.patch
Patch22: openssh-3.9p1-askpass-keep-above.patch Patch22: openssh-3.9p1-askpass-keep-above.patch
Patch24: openssh-4.3p1-fromto-remote.patch Patch24: openssh-4.3p1-fromto-remote.patch
Patch27: openssh-5.1p1-log-in-chroot.patch Patch27: openssh-5.1p1-log-in-chroot.patch
@ -93,15 +93,12 @@ Patch39: openssh-4.3p2-no-v6only.patch
Patch44: openssh-4.3p2-allow-ip-opts.patch Patch44: openssh-4.3p2-allow-ip-opts.patch
Patch49: openssh-4.3p2-gssapi-canohost.patch Patch49: openssh-4.3p2-gssapi-canohost.patch
Patch51: openssh-5.2p1-nss-keys.patch Patch51: openssh-5.2p1-nss-keys.patch
Patch54: openssh-5.1p1-gssapi-role.patch
Patch55: openssh-5.1p1-cloexec.patch Patch55: openssh-5.1p1-cloexec.patch
Patch62: openssh-5.1p1-scp-manpage.patch Patch62: openssh-5.1p1-scp-manpage.patch
Patch65: openssh-5.2p1-fips.patch Patch65: openssh-5.2p1-fips.patch
Patch66: openssh-5.2p1-homechroot.patch Patch66: openssh-5.2p1-homechroot.patch
Patch67: openssh-5.2p1-xmodifiers.patch
Patch68: openssh-5.2p1-pathmax.patch Patch68: openssh-5.2p1-pathmax.patch
Patch69: openssh-5.2p1-selabel.patch Patch69: openssh-5.2p1-selabel.patch
Patch70: openssh-5.2p1-sesftp.patch
Patch71: openssh-5.2p1-edns.patch Patch71: openssh-5.2p1-edns.patch
License: BSD License: BSD
@ -216,8 +213,8 @@ an X11 passphrase dialog for OpenSSH.
%patch12 -p1 -b .selinux %patch12 -p1 -b .selinux
%patch13 -p1 -b .mls %patch13 -p1 -b .mls
%patch16 -p1 -b .audit %patch16 -p1 -b .audit
%patch17 -p1 -b .inject-fix
%patch18 -p1 -b .pam_selinux %patch18 -p1 -b .pam_selinux
%patch19 -p1 -b .sesftp
%endif %endif
%patch22 -p1 -b .keep-above %patch22 -p1 -b .keep-above
@ -230,15 +227,12 @@ an X11 passphrase dialog for OpenSSH.
%patch44 -p1 -b .ip-opts %patch44 -p1 -b .ip-opts
%patch49 -p1 -b .canohost %patch49 -p1 -b .canohost
%patch51 -p1 -b .nss-keys %patch51 -p1 -b .nss-keys
%patch54 -p1 -b .gssapi-role
%patch55 -p1 -b .cloexec %patch55 -p1 -b .cloexec
%patch62 -p1 -b .manpage %patch62 -p1 -b .manpage
%patch65 -p1 -b .fips %patch65 -p1 -b .fips
%patch66 -p1 -b .homechroot %patch66 -p1 -b .homechroot
%patch67 -p1 -b .xmodifiers
%patch68 -p1 -b .pathmax %patch68 -p1 -b .pathmax
%patch69 -p1 -b .selabel %patch69 -p1 -b .selabel
%patch70 -p1 -b .sesftp
%patch71 -p1 -b .edns %patch71 -p1 -b .edns
autoreconf autoreconf
@ -474,6 +468,12 @@ fi
%endif %endif
%changelog %changelog
* Fri Aug 28 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-20
- merged xmodifiers to redhat patch
- merged gssapi-role to selinux patch
- merged cve-2007_3102 to audit patch
- sesftp patch only with WITH_SELINUX flag
* Wed Aug 26 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-19 * Wed Aug 26 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-19
- minor change in sesftp patch - minor change in sesftp patch