From 1b8a267cb916f20439043dacc4e2a90253bbb59f Mon Sep 17 00:00:00 2001 From: "Jan F. Chadima" Date: Tue, 3 Aug 2010 02:41:49 +0200 Subject: [PATCH] Upgrade to openssh-5.6p1 --- openssh-4.0p1-exit-deadlock.patch | 13 - openssh-5.3p1-skip-initial.patch | 24 -- openssh-5.5p1-staterr.patch | 30 --- openssh-5.5p1-stderr.patch | 171 ------------- ...penssh-5.6p1-authorized-keys-command.patch | 131 +++++----- openssh-5.6p1-exit-deadlock.patch | 14 ++ ...5p1-fips.patch => openssh-5.6p1-fips.patch | 136 +++++----- ...gsskex.patch => openssh-5.6p1-gsskex.patch | 236 +++++++++--------- ...keygen.patch => openssh-5.6p1-keygen.patch | 40 +-- ...serok.patch => openssh-5.6p1-kuserok.patch | 52 ++-- ...5p1-ldap.patch => openssh-5.6p1-ldap.patch | 131 +++++----- ...5.5p1-mls.patch => openssh-5.6p1-mls.patch | 42 ++-- ...label.patch => openssh-5.6p1-selabel.patch | 34 +-- openssh.spec | 29 +-- 14 files changed, 419 insertions(+), 664 deletions(-) delete mode 100644 openssh-4.0p1-exit-deadlock.patch delete mode 100644 openssh-5.3p1-skip-initial.patch delete mode 100644 openssh-5.5p1-staterr.patch delete mode 100644 openssh-5.5p1-stderr.patch rename openssh-5.5p1-authorized-keys-command.patch => openssh-5.6p1-authorized-keys-command.patch (78%) create mode 100644 openssh-5.6p1-exit-deadlock.patch rename openssh-5.5p1-fips.patch => openssh-5.6p1-fips.patch (83%) rename openssh-5.5p1-gsskex.patch => openssh-5.6p1-gsskex.patch (92%) rename openssh-5.5p1-keygen.patch => openssh-5.6p1-keygen.patch (64%) rename openssh-5.5p1-kuserok.patch => openssh-5.6p1-kuserok.patch (68%) rename openssh-5.5p1-ldap.patch => openssh-5.6p1-ldap.patch (95%) rename openssh-5.5p1-mls.patch => openssh-5.6p1-mls.patch (91%) rename openssh-5.3p1-selabel.patch => openssh-5.6p1-selabel.patch (50%) diff --git a/openssh-4.0p1-exit-deadlock.patch b/openssh-4.0p1-exit-deadlock.patch deleted file mode 100644 index 66246d3..0000000 --- a/openssh-4.0p1-exit-deadlock.patch +++ /dev/null 
@@ -1,13 +0,0 @@ ---- openssh-4.0p1/channels.c.exit-deadlock 2005-03-01 11:24:33.000000000 +0100 -+++ openssh-4.0p1/channels.c 2005-04-05 22:25:15.197226237 +0200 -@@ -1403,6 +1403,10 @@ - u_int dlen; - int len; - -+ if(c->wfd != -1 && buffer_len(&c->output) > 0 && c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { -+ debug("channel %d: forcing write", c->self); -+ FD_SET(c->wfd, writeset); -+ } - /* Send buffered output data to the socket. */ - if (c->wfd != -1 && - FD_ISSET(c->wfd, writeset) && diff --git a/openssh-5.3p1-skip-initial.patch b/openssh-5.3p1-skip-initial.patch deleted file mode 100644 index d52962e..0000000 --- a/openssh-5.3p1-skip-initial.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff -up openssh-5.3p1/auth1.c.skip-initial openssh-5.3p1/auth1.c ---- openssh-5.3p1/auth1.c.skip-initial 2009-03-08 01:40:28.000000000 +0100 -+++ openssh-5.3p1/auth1.c 2009-10-02 13:55:00.000000000 +0200 -@@ -244,7 +244,7 @@ do_authloop(Authctxt *authctxt) - authctxt->valid ? "" : "invalid user ", authctxt->user); - - /* If the user has no password, accept authentication immediately. */ -- if (options.password_authentication && -+ if (options.permit_empty_passwd && options.password_authentication && - #ifdef KRB5 - (!options.kerberos_authentication || options.kerberos_or_local_passwd) && - #endif -diff -up openssh-5.3p1/auth2-none.c.skip-initial openssh-5.3p1/auth2-none.c ---- openssh-5.3p1/auth2-none.c.skip-initial 2009-03-08 01:40:28.000000000 +0100 -+++ openssh-5.3p1/auth2-none.c 2009-10-02 13:56:21.000000000 +0200 -@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt) - { - none_enabled = 0; - packet_check_eom(); -- if (options.password_authentication) -+ if (options.permit_empty_passwd && options.password_authentication) - return (PRIVSEP(auth_password(authctxt, ""))); - return (0); - } diff --git a/openssh-5.5p1-staterr.patch b/openssh-5.5p1-staterr.patch deleted file mode 100644 index ecabf2d..0000000 --- a/openssh-5.5p1-staterr.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -diff -up openssh-5.5p1/ssh-keygen.c.staterr openssh-5.5p1/ssh-keygen.c ---- openssh-5.5p1/ssh-keygen.c.staterr 2010-05-04 09:01:14.000000000 +0200 -+++ openssh-5.5p1/ssh-keygen.c 2010-05-04 09:03:32.000000000 +0200 -@@ -1831,13 +1831,19 @@ main(int argc, char **argv) - ask_filename(pw, "Enter file in which to save the key"); - - /* Create ~/.ssh directory if it doesn't already exist. */ -- snprintf(dotsshdir, sizeof dotsshdir, "%s/%s", pw->pw_dir, _PATH_SSH_USER_DIR); -- if (strstr(identity_file, dotsshdir) != NULL && -- stat(dotsshdir, &st) < 0) { -- if (mkdir(dotsshdir, 0700) < 0) -- error("Could not create directory '%s'.", dotsshdir); -- else if (!quiet) -- printf("Created directory '%s'.\n", dotsshdir); -+ snprintf(dotsshdir, sizeof dotsshdir, "%s/%s", -+ pw->pw_dir, _PATH_SSH_USER_DIR); -+ if (strstr(identity_file, dotsshdir) != NULL) { -+ if (stat(dotsshdir, &st) < 0) { -+ if (errno != ENOENT) { -+ error("Could not stat %s: %s", dotsshdir, -+ strerror(errno)); -+ } else if (mkdir(dotsshdir, 0700) < 0) { -+ error("Could not create directory '%s': %s", -+ dotsshdir, strerror(errno)); -+ } else if (!quiet) -+ printf("Created directory '%s'.\n", dotsshdir); -+ } - } - /* If the file already exists, ask the user to confirm. */ - if (!overwrite && stat(identity_file, &st) >= 0) { diff --git a/openssh-5.5p1-stderr.patch b/openssh-5.5p1-stderr.patch deleted file mode 100644 index 633d30e..0000000 --- a/openssh-5.5p1-stderr.patch +++ /dev/null 
@@ -1,171 +0,0 @@ -diff -up openssh-5.5p1/channels.c.stderr openssh-5.5p1/channels.c ---- openssh-5.5p1/channels.c.stderr 2010-06-23 15:20:30.000000000 +0200 -+++ openssh-5.5p1/channels.c 2010-06-23 15:23:06.000000000 +0200 -@@ -838,8 +838,9 @@ channel_pre_open(Channel *c, fd_set *rea - if (c->extended_usage == CHAN_EXTENDED_WRITE && - buffer_len(&c->extended) > 0) - FD_SET(c->efd, writeset); -- else if (!(c->flags & CHAN_EOF_SENT) && -- c->extended_usage == CHAN_EXTENDED_READ && -+ else if (c->efd != -1 && !(c->flags & CHAN_EOF_SENT) && -+ (c->extended_usage == CHAN_EXTENDED_READ || -+ c->extended_usage == CHAN_EXTENDED_IGNORE) && - buffer_len(&c->extended) < c->remote_window) - FD_SET(c->efd, readset); - } -@@ -1759,7 +1760,9 @@ channel_handle_efd(Channel *c, fd_set *r - buffer_consume(&c->extended, len); - c->local_consumed += len; - } -- } else if (c->extended_usage == CHAN_EXTENDED_READ && -+ } else if (c->efd != -1 && -+ (c->extended_usage == CHAN_EXTENDED_READ || -+ c->extended_usage == CHAN_EXTENDED_IGNORE) && - (c->detach_close || FD_ISSET(c->efd, readset))) { - len = read(c->efd, buf, sizeof(buf)); - debug2("channel %d: read %d from efd %d", -@@ -1772,7 +1775,11 @@ channel_handle_efd(Channel *c, fd_set *r - c->self, c->efd); - channel_close_fd(&c->efd); - } else { -- buffer_append(&c->extended, buf, len); -+ if (c->extended_usage == CHAN_EXTENDED_IGNORE) { -+ debug3("channel %d: discard efd", -+ c->self); -+ } else -+ buffer_append(&c->extended, buf, len); - } - } - } -diff -up openssh-5.5p1/session.c.stderr openssh-5.5p1/session.c ---- openssh-5.5p1/session.c.stderr 2010-06-23 15:20:29.000000000 +0200 -+++ openssh-5.5p1/session.c 2010-06-23 15:23:55.000000000 +0200 -@@ -47,6 +47,7 @@ - #include - - #include -+#include - #include - #ifdef HAVE_PATHS_H - #include -@@ -104,7 +105,7 @@ - /* func */ - - Session *session_new(void); --void session_set_fds(Session *, int, int, int, int); -+void session_set_fds(Session *, int, int, int, int, int); - void 
session_pty_cleanup(Session *); - void session_proctitle(Session *); - int session_setup_x11fwd(Session *); -@@ -443,10 +444,14 @@ int - do_exec_no_pty(Session *s, const char *command) - { - pid_t pid; -+ int ignore_fderr = 0; - - #ifdef USE_PIPES - int pin[2], pout[2], perr[2]; - -+ if (s == NULL) -+ fatal("do_exec_no_pty: no session"); -+ - /* Allocate pipes for communicating with the program. */ - if (pipe(pin) < 0) { - error("%s: pipe in: %.100s", __func__, strerror(errno)); -@@ -459,32 +464,38 @@ do_exec_no_pty(Session *s, const char *c - return -1; - } - if (pipe(perr) < 0) { -- error("%s: pipe err: %.100s", __func__, strerror(errno)); -+ error("%s: pipe err: %.100s", __func__, -+ strerror(errno)); - close(pin[0]); - close(pin[1]); - close(pout[0]); - close(pout[1]); - return -1; - } -+ if (s->is_subsystem) -+ ignore_fderr = 1; - #else - int inout[2], err[2]; - -+ if (s == NULL) -+ fatal("do_exec_no_pty: no session"); -+ - /* Uses socket pairs to communicate with the program. */ - if (socketpair(AF_UNIX, SOCK_STREAM, 0, inout) < 0) { - error("%s: socketpair #1: %.100s", __func__, strerror(errno)); - return -1; - } - if (socketpair(AF_UNIX, SOCK_STREAM, 0, err) < 0) { -- error("%s: socketpair #2: %.100s", __func__, strerror(errno)); -+ error("%s: socketpair #2: %.100s", __func__, -+ strerror(errno)); - close(inout[0]); - close(inout[1]); - return -1; - } -+ if (s->is_subsystem) -+ ignore_fderr = 1; - #endif - -- if (s == NULL) -- fatal("do_exec_no_pty: no session"); -- - session_proctitle(s); - - /* Fork the child. */ -@@ -595,11 +606,7 @@ do_exec_no_pty(Session *s, const char *c - close(perr[1]); - - if (compat20) { -- if (s->is_subsystem) { -- close(perr[0]); -- perr[0] = -1; -- } -- session_set_fds(s, pin[1], pout[0], perr[0], 0); -+ session_set_fds(s, pin[1], pout[0], perr[0], ignore_fderr, 0); - } else { - /* Enter the interactive session. 
*/ - server_loop(pid, pin[1], pout[0], perr[0]); -@@ -615,10 +622,7 @@ do_exec_no_pty(Session *s, const char *c - * handle the case that fdin and fdout are the same. - */ - if (compat20) { -- session_set_fds(s, inout[1], inout[1], -- s->is_subsystem ? -1 : err[1], 0); -- if (s->is_subsystem) -- close(err[1]); -+ session_set_fds(s, inout[1], inout[1], err[1], ignore_fderr, 0); - } else { - server_loop(pid, inout[1], inout[1], err[1]); - /* server_loop has closed inout[1] and err[1]. */ -@@ -740,7 +744,7 @@ do_exec_pty(Session *s, const char *comm - s->ptymaster = ptymaster; - packet_set_interactive(1); - if (compat20) { -- session_set_fds(s, ptyfd, fdout, -1, 1); -+ session_set_fds(s, ptyfd, fdout, -1, 1, 1); - } else { - server_loop(pid, ptyfd, fdout, -1); - /* server_loop _has_ closed ptyfd and fdout. */ -@@ -2321,7 +2325,8 @@ session_input_channel_req(Channel *c, co - } - - void --session_set_fds(Session *s, int fdin, int fdout, int fderr, int is_tty) -+session_set_fds(Session *s, int fdin, int fdout, int fderr, int ignore_fderr, -+ int is_tty) - { - if (!compat20) - fatal("session_set_fds: called for proto != 2.0"); -@@ -2333,7 +2338,7 @@ session_set_fds(Session *s, int fdin, in - fatal("no channel for session %d", s->self); - channel_set_fds(s->chanid, - fdout, fdin, fderr, -- fderr == -1 ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ, -+ ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ, - 1, is_tty, CHAN_SES_WINDOW_DEFAULT); - } - diff --git a/openssh-5.5p1-authorized-keys-command.patch b/openssh-5.6p1-authorized-keys-command.patch similarity index 78% rename from openssh-5.5p1-authorized-keys-command.patch rename to openssh-5.6p1-authorized-keys-command.patch index 8be37fd..4c9b5b1 100644 --- a/openssh-5.5p1-authorized-keys-command.patch +++ b/openssh-5.6p1-authorized-keys-command.patch 
@@ -1,6 +1,6 @@ -diff -ruN openssh-5.5p1.orig/auth2-pubkey.c openssh-5.5p1/auth2-pubkey.c ---- openssh-5.5p1.orig/auth2-pubkey.c 2010-03-21 14:51:21.000000000 -0400 -+++ openssh-5.5p1/auth2-pubkey.c 2010-07-03 20:23:43.000000000 -0400 +diff -up openssh-5.6p1/auth2-pubkey.c.akc openssh-5.6p1/auth2-pubkey.c +--- openssh-5.6p1/auth2-pubkey.c.akc 2010-08-23 12:15:42.000000000 +0200 ++++ openssh-5.6p1/auth2-pubkey.c 2010-08-23 12:15:42.000000000 +0200 @@ -27,6 +27,7 @@ #include @@ -9,7 +9,7 @@ diff -ruN openssh-5.5p1.orig/auth2-pubkey.c openssh-5.5p1/auth2-pubkey.c #include #include -@@ -178,27 +178,15 @@ +@@ -264,27 +265,15 @@ match_principals_file(char *file, struct /* return 1 if user allows given key */ static int @@ -38,7 +38,7 @@ diff -ruN openssh-5.5p1.orig/auth2-pubkey.c openssh-5.5p1/auth2-pubkey.c found_key = 0; found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); -@@ -273,8 +261,6 @@ +@@ -377,8 +366,6 @@ user_key_allowed2(struct passwd *pw, Key break; } } @@ -47,7 +47,7 @@ diff -ruN openssh-5.5p1.orig/auth2-pubkey.c openssh-5.5p1/auth2-pubkey.c key_free(found); if (!found_key) debug2("key not found"); -@@ -321,13 +307,191 @@ +@@ -440,13 +427,191 @@ user_cert_trusted_ca(struct passwd *pw, return ret; } @@ -240,10 +240,10 @@ diff -ruN openssh-5.5p1.orig/auth2-pubkey.c openssh-5.5p1/auth2-pubkey.c if (auth_key_is_revoked(key)) return 0; if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key)) -diff -ruN openssh-5.5p1.orig/configure.ac openssh-5.5p1/configure.ac ---- openssh-5.5p1.orig/configure.ac 2010-04-10 08:58:01.000000000 -0400 -+++ openssh-5.5p1/configure.ac 2010-07-03 19:57:42.000000000 -0400 -@@ -1346,6 +1346,18 @@ +diff -up openssh-5.6p1/configure.ac.akc openssh-5.6p1/configure.ac +--- openssh-5.6p1/configure.ac.akc 2010-08-23 12:15:42.000000000 +0200 ++++ openssh-5.6p1/configure.ac 2010-08-23 12:15:42.000000000 +0200 +@@ -1346,6 +1346,18 @@ AC_ARG_WITH(audit, esac ] ) 
@@ -262,7 +262,7 @@ diff -ruN openssh-5.5p1.orig/configure.ac openssh-5.5p1/configure.ac dnl Checks for library functions. Please keep in alphabetical order AC_CHECK_FUNCS( \ arc4random \ -@@ -4181,6 +4193,7 @@ +@@ -4209,6 +4221,7 @@ echo " Linux audit support echo " Smartcard support: $SCARD_MSG" echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" @@ -270,10 +270,10 @@ diff -ruN openssh-5.5p1.orig/configure.ac openssh-5.5p1/configure.ac echo " MD5 password support: $MD5_MSG" echo " libedit support: $LIBEDIT_MSG" echo " Solaris process contract support: $SPC_MSG" -diff -ruN openssh-5.5p1.orig/servconf.c openssh-5.5p1/servconf.c ---- openssh-5.5p1.orig/servconf.c 2010-03-25 19:40:04.000000000 -0400 -+++ openssh-5.5p1/servconf.c 2010-07-03 19:59:07.000000000 -0400 -@@ -128,6 +128,8 @@ +diff -up openssh-5.6p1/servconf.c.akc openssh-5.6p1/servconf.c +--- openssh-5.6p1/servconf.c.akc 2010-08-23 12:15:41.000000000 +0200 ++++ openssh-5.6p1/servconf.c 2010-08-23 12:22:22.000000000 +0200 +@@ -129,6 +129,8 @@ initialize_server_options(ServerOptions options->num_permitted_opens = -1; options->adm_forced_command = NULL; options->chroot_directory = NULL; 
@@ -282,18 +282,18 @@ diff -ruN openssh-5.5p1.orig/servconf.c openssh-5.5p1/servconf.c options->zero_knowledge_password_authentication = -1; options->revoked_keys_file = NULL; options->trusted_user_ca_keys = NULL; -@@ -311,6 +313,7 @@ +@@ -316,6 +318,7 @@ typedef enum { sUsePrivilegeSeparation, sAllowAgentForwarding, sZeroKnowledgePasswordAuthentication, sHostCertificate, - sRevokedKeys, sTrustedUserCAKeys, + sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, + sAuthorizedKeysCommand, sAuthorizedKeysCommandRunAs, sDeprecated, sUnsupported } ServerOpCodes; -@@ -432,6 +435,13 @@ - { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, +@@ -439,6 +442,13 @@ static struct { { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, + { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, +#ifdef WITH_AUTHORIZED_KEYS_COMMAND + { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, + { "authorizedkeyscommandrunas", sAuthorizedKeysCommandRunAs, SSHCFG_ALL }, @@ -304,7 +304,7 @@ diff -ruN openssh-5.5p1.orig/servconf.c openssh-5.5p1/servconf.c { NULL, sBadOption, 0 } }; -@@ -1345,6 +1355,20 @@ +@@ -1360,6 +1370,20 @@ process_server_config_line(ServerOptions charptr = &options->revoked_keys_file; goto parse_filename; @@ -325,7 +325,7 @@ diff -ruN openssh-5.5p1.orig/servconf.c openssh-5.5p1/servconf.c case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); -@@ -1438,6 +1462,8 @@ +@@ -1453,6 +1477,8 @@ copy_set_server_options(ServerOptions *d M_CP_INTOPT(gss_authentication); M_CP_INTOPT(rsa_authentication); M_CP_INTOPT(pubkey_authentication); 
@@ -333,54 +333,42 @@ diff -ruN openssh-5.5p1.orig/servconf.c openssh-5.5p1/servconf.c + M_CP_STROPT(authorized_keys_command_runas); M_CP_INTOPT(kerberos_authentication); M_CP_INTOPT(hostbased_authentication); - M_CP_INTOPT(kbd_interactive_authentication); -@@ -1682,6 +1708,8 @@ - dump_cfg_string(sChrootDirectory, o->chroot_directory); - dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys); + M_CP_INTOPT(hostbased_uses_name_from_packet_only); +@@ -1705,6 +1731,8 @@ dump_config(ServerOptions *o) dump_cfg_string(sRevokedKeys, o->revoked_keys_file); + dump_cfg_string(sAuthorizedPrincipalsFile, + o->authorized_principals_file); + dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); + dump_cfg_string(sAuthorizedKeysCommandRunAs, o->authorized_keys_command_runas); /* string arguments requiring a lookup */ dump_cfg_string(sLogLevel, log_level_name(o->log_level)); -diff -ruN openssh-5.5p1.orig/servconf.h openssh-5.5p1/servconf.h ---- openssh-5.5p1.orig/servconf.h 2010-03-04 05:53:35.000000000 -0500 -+++ openssh-5.5p1/servconf.h 2010-07-03 19:57:42.000000000 -0400 -@@ -156,6 +156,8 @@ - char *chroot_directory; +diff -up openssh-5.6p1/servconf.h.akc openssh-5.6p1/servconf.h +--- openssh-5.6p1/servconf.h.akc 2010-08-23 12:15:41.000000000 +0200 ++++ openssh-5.6p1/servconf.h 2010-08-23 12:17:58.000000000 +0200 +@@ -158,6 +158,8 @@ typedef struct { char *revoked_keys_file; char *trusted_user_ca_keys; + char *authorized_principals_file; + char *authorized_keys_command; + char *authorized_keys_command_runas; } ServerOptions; void initialize_server_options(ServerOptions *); -diff -ruN openssh-5.5p1.orig/sshd_config openssh-5.5p1/sshd_config ---- openssh-5.5p1.orig/sshd_config 2009-10-11 06:51:09.000000000 -0400 -+++ openssh-5.5p1/sshd_config 2010-07-03 19:57:42.000000000 -0400 -@@ -44,6 +44,8 @@ - #RSAAuthentication yes - #PubkeyAuthentication yes - #AuthorizedKeysFile .ssh/authorized_keys -+#AuthorizedKeysCommand none -+#AuthorizedKeysCommandRunAs nobody 
+diff -up openssh-5.6p1/sshd_config.0.akc openssh-5.6p1/sshd_config.0 +--- openssh-5.6p1/sshd_config.0.akc 2010-08-23 12:15:41.000000000 +0200 ++++ openssh-5.6p1/sshd_config.0 2010-08-23 12:25:18.000000000 +0200 +@@ -374,7 +374,8 @@ DESCRIPTION - # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts - #RhostsRSAAuthentication no -diff -ruN openssh-5.5p1.orig/sshd_config.0 openssh-5.5p1/sshd_config.0 ---- openssh-5.5p1.orig/sshd_config.0 2010-04-15 20:17:12.000000000 -0400 -+++ openssh-5.5p1/sshd_config.0 2010-07-03 19:57:42.000000000 -0400 -@@ -352,7 +352,8 @@ - KbdInteractiveAuthentication, KerberosAuthentication, - MaxAuthTries, MaxSessions, PasswordAuthentication, - PermitEmptyPasswords, PermitOpen, PermitRootLogin, -- PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication, -+ PubkeyAuthentication, AuthorizedKeysCommand, AuthorizedKeysCommandRunAs, -+ RhostsRSAAuthentication, RSAAuthentication, - X11DisplayOffset, X11Forwarding and X11UseLocalHost. - - MaxAuthTries -@@ -467,6 +468,23 @@ + Only a subset of keywords may be used on the lines following a + Match keyword. Available keywords are AllowAgentForwarding, +- AllowTcpForwarding, AuthorizedKeysFile, AuthorizedPrincipalsFile, ++ AllowTcpForwarding, AuthorizedKeysFile, AuthorizedKeysCommand, ++ AuthorizedKeysCommandRunAs, AuthorizedPrincipalsFile, + Banner, ChrootDirectory, ForceCommand, GatewayPorts, + GSSAPIAuthentication, HostbasedAuthentication, + HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication, +@@ -496,6 +497,23 @@ DESCRIPTION this file is not readable, then public key authentication will be refused for all users. 
@@ -404,20 +392,27 @@ diff -ruN openssh-5.5p1.orig/sshd_config.0 openssh-5.5p1/sshd_config.0 RhostsRSAAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication to- gether with successful RSA host authentication is allowed. The -diff -ruN openssh-5.5p1.orig/sshd_config.5 openssh-5.5p1/sshd_config.5 ---- openssh-5.5p1.orig/sshd_config.5 2010-03-04 18:41:45.000000000 -0500 -+++ openssh-5.5p1/sshd_config.5 2010-07-03 19:57:42.000000000 -0400 -@@ -618,6 +618,9 @@ +diff -up openssh-5.6p1/sshd_config.5.akc openssh-5.6p1/sshd_config.5 +--- openssh-5.6p1/sshd_config.5.akc 2010-08-23 12:15:41.000000000 +0200 ++++ openssh-5.6p1/sshd_config.5 2010-08-23 12:25:46.000000000 +0200 +@@ -654,6 +654,8 @@ Available keywords are + .Cm AllowAgentForwarding , + .Cm AllowTcpForwarding , + .Cm AuthorizedKeysFile , ++.Cm AuthorizedKeysCommand , ++.Cm AuthorizedKeysCommandRunAs , + .Cm AuthorizedPrincipalsFile , + .Cm Banner , + .Cm ChrootDirectory , +@@ -666,6 +668,7 @@ Available keywords are .Cm KerberosAuthentication , .Cm MaxAuthTries , .Cm MaxSessions , +.Cm PubkeyAuthentication , -+.Cm AuthorizedKeysCommand , -+.Cm AuthorizedKeysCommandRunAs , .Cm PasswordAuthentication , .Cm PermitEmptyPasswords , .Cm PermitOpen , -@@ -819,6 +822,20 @@ +@@ -868,6 +871,20 @@ Specifies a list of revoked public keys. Keys listed in this file will be refused for public key authentication. Note that if this file is not readable, then public key authentication will be refused for all users. 
@@ -438,3 +433,15 @@ diff -ruN openssh-5.5p1.orig/sshd_config.5 openssh-5.5p1/sshd_config.5 .It Cm RhostsRSAAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is allowed. +diff -up openssh-5.6p1/sshd_config.akc openssh-5.6p1/sshd_config +--- openssh-5.6p1/sshd_config.akc 2010-08-23 12:15:41.000000000 +0200 ++++ openssh-5.6p1/sshd_config 2010-08-23 12:15:42.000000000 +0200 +@@ -45,6 +45,8 @@ SyslogFacility AUTHPRIV + #RSAAuthentication yes + #PubkeyAuthentication yes + #AuthorizedKeysFile .ssh/authorized_keys ++#AuthorizedKeysCommand none ++#AuthorizedKeysCommandRunAs nobody + + # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts + #RhostsRSAAuthentication no diff --git a/openssh-5.6p1-exit-deadlock.patch b/openssh-5.6p1-exit-deadlock.patch new file mode 100644 index 0000000..278dfa1 --- /dev/null +++ b/openssh-5.6p1-exit-deadlock.patch @@ -0,0 +1,14 @@ +diff -up openssh-5.6p1/channels.c.exit-deadlock openssh-5.6p1/channels.c +--- openssh-5.6p1/channels.c.exit-deadlock 2010-08-05 15:09:48.000000000 +0200 ++++ openssh-5.6p1/channels.c 2010-08-23 12:41:43.000000000 +0200 +@@ -1647,6 +1647,10 @@ channel_handle_wfd(Channel *c, fd_set *r + u_int dlen, olen = 0; + int len; + ++ if(c->wfd != -1 && buffer_len(&c->output) > 0 && c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { ++ debug("channel %d: forcing write", c->self); ++ FD_SET(c->wfd, writeset); ++ } + /* Send buffered output data to the socket. */ + if (c->wfd != -1 && + FD_ISSET(c->wfd, writeset) && diff --git a/openssh-5.5p1-fips.patch b/openssh-5.6p1-fips.patch similarity index 83% rename from openssh-5.5p1-fips.patch rename to openssh-5.6p1-fips.patch index 2f6db6f..7277c3b 100644 --- a/openssh-5.5p1-fips.patch +++ b/openssh-5.6p1-fips.patch 
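Review bot: The block added to channel_handle_wfd in the new openssh-5.6p1-exit-deadlock.patch sets c->wfd in writeset by hand after select() has already returned, so the write that follows in the same function is attempted on a descriptor select() did not report writable; that is only harmless if c->wfd is non-blocking, which this hunk cannot show — presumably channels.c arranges that when the fd is registered, but the patch should record the assumption next to the code, e.g. `/* wfd is non-blocking, so forcing a write attempt here cannot stall the event loop */`, and confirm it against the fd setup. The condition also departs from the file's KNF style (`if(` with no space, a single line well past 80 columns) and should read `if (c->wfd != -1 && buffer_len(&c->output) > 0 &&` followed by `    c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {`. The debug() call fires on every pass through the loop while output is pending in that state, which may be noisy at the default level; debug2, as used by the efd read trace elsewhere in channels.c, would be quieter. The rest of channel_handle_wfd lies outside the hunk, so the write path the forced FD_SET feeds into cannot be checked here.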
@@ -1,7 +1,7 @@ -diff -up openssh-5.5p1/auth2-pubkey.c.fips openssh-5.5p1/auth2-pubkey.c ---- openssh-5.5p1/auth2-pubkey.c.fips 2010-04-16 08:46:47.000000000 +0200 -+++ openssh-5.5p1/auth2-pubkey.c 2010-04-16 08:46:48.000000000 +0200 -@@ -35,6 +35,7 @@ +diff -up openssh-5.6p1/auth2-pubkey.c.fips openssh-5.6p1/auth2-pubkey.c +--- openssh-5.6p1/auth2-pubkey.c.fips 2010-08-23 12:43:40.000000000 +0200 ++++ openssh-5.6p1/auth2-pubkey.c 2010-08-23 12:43:41.000000000 +0200 +@@ -36,6 +36,7 @@ #include #include #include @@ -9,7 +9,7 @@ diff -up openssh-5.5p1/auth2-pubkey.c.fips openssh-5.5p1/auth2-pubkey.c #include "xmalloc.h" #include "ssh.h" -@@ -274,7 +275,7 @@ user_key_allowed2(struct passwd *pw, Key +@@ -359,7 +360,7 @@ user_search_key_in_file(FILE *f, char *f found_key = 1; debug("matching key found: file %s, line %lu", file, linenum); @@ -18,9 +18,9 @@ diff -up openssh-5.5p1/auth2-pubkey.c.fips openssh-5.5p1/auth2-pubkey.c verbose("Found matching %s key: %s", key_type(found), fp); xfree(fp); -diff -up openssh-5.5p1/authfile.c.fips openssh-5.5p1/authfile.c ---- openssh-5.5p1/authfile.c.fips 2010-03-04 11:53:35.000000000 +0100 -+++ openssh-5.5p1/authfile.c 2010-04-16 08:46:49.000000000 +0200 +diff -up openssh-5.6p1/authfile.c.fips openssh-5.6p1/authfile.c +--- openssh-5.6p1/authfile.c.fips 2010-08-05 05:05:16.000000000 +0200 ++++ openssh-5.6p1/authfile.c 2010-08-23 12:43:41.000000000 +0200 @@ -146,8 +146,14 @@ key_save_private_rsa1(Key *key, const ch /* Allocate space for the private part of the key in the buffer. */ cp = buffer_append_space(&encrypted, buffer_len(&buffer)); 
@@ -55,9 +55,9 @@ diff -up openssh-5.5p1/authfile.c.fips openssh-5.5p1/authfile.c cipher_crypt(&ciphercontext, cp, buffer_ptr(&buffer), buffer_len(&buffer)); cipher_cleanup(&ciphercontext); -diff -up openssh-5.5p1/cipher.c.fips openssh-5.5p1/cipher.c ---- openssh-5.5p1/cipher.c.fips 2010-04-16 08:34:06.000000000 +0200 -+++ openssh-5.5p1/cipher.c 2010-04-16 08:46:49.000000000 +0200 +diff -up openssh-5.6p1/cipher.c.fips openssh-5.6p1/cipher.c +--- openssh-5.6p1/cipher.c.fips 2010-08-23 09:49:50.000000000 +0200 ++++ openssh-5.6p1/cipher.c 2010-08-23 12:43:41.000000000 +0200 @@ -40,6 +40,7 @@ #include @@ -142,9 +142,9 @@ diff -up openssh-5.5p1/cipher.c.fips openssh-5.5p1/cipher.c } /* -diff -up openssh-5.5p1/cipher-ctr.c.fips openssh-5.5p1/cipher-ctr.c ---- openssh-5.5p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200 -+++ openssh-5.5p1/cipher-ctr.c 2010-04-16 08:46:49.000000000 +0200 +diff -up openssh-5.6p1/cipher-ctr.c.fips openssh-5.6p1/cipher-ctr.c +--- openssh-5.6p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200 ++++ openssh-5.6p1/cipher-ctr.c 2010-08-23 12:43:41.000000000 +0200 @@ -140,7 +140,8 @@ evp_aes_128_ctr(void) aes_ctr.do_cipher = ssh_aes_ctr; #ifndef SSH_OLD_EVP @@ -155,9 +155,9 @@ diff -up openssh-5.5p1/cipher-ctr.c.fips openssh-5.5p1/cipher-ctr.c #endif return (&aes_ctr); } -diff -up openssh-5.5p1/cipher.h.fips openssh-5.5p1/cipher.h ---- openssh-5.5p1/cipher.h.fips 2009-01-28 06:38:41.000000000 +0100 -+++ openssh-5.5p1/cipher.h 2010-04-16 08:46:49.000000000 +0200 +diff -up openssh-5.6p1/cipher.h.fips openssh-5.6p1/cipher.h +--- openssh-5.6p1/cipher.h.fips 2009-01-28 06:38:41.000000000 +0100 ++++ openssh-5.6p1/cipher.h 2010-08-23 12:43:41.000000000 +0200 @@ -78,7 +78,7 @@ void cipher_init(CipherContext *, Ciphe const u_char *, u_int, int); void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int); 
@@ -167,9 +167,9 @@ diff -up openssh-5.5p1/cipher.h.fips openssh-5.5p1/cipher.h u_int cipher_blocksize(const Cipher *); u_int cipher_keylen(const Cipher *); u_int cipher_is_cbc(const Cipher *); -diff -up openssh-5.5p1/mac.c.fips openssh-5.5p1/mac.c ---- openssh-5.5p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200 -+++ openssh-5.5p1/mac.c 2010-04-16 08:46:49.000000000 +0200 +diff -up openssh-5.6p1/mac.c.fips openssh-5.6p1/mac.c +--- openssh-5.6p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200 ++++ openssh-5.6p1/mac.c 2010-08-23 12:43:41.000000000 +0200 @@ -28,6 +28,7 @@ #include @@ -219,10 +219,10 @@ diff -up openssh-5.5p1/mac.c.fips openssh-5.5p1/mac.c for (i = 0; macs[i].name; i++) { if (strcmp(name, macs[i].name) == 0) { -diff -up openssh-5.5p1/Makefile.in.fips openssh-5.5p1/Makefile.in ---- openssh-5.5p1/Makefile.in.fips 2010-03-13 22:41:34.000000000 +0100 -+++ openssh-5.5p1/Makefile.in 2010-04-16 09:48:16.000000000 +0200 -@@ -141,25 +141,25 @@ +diff -up openssh-5.6p1/Makefile.in.fips openssh-5.6p1/Makefile.in +--- openssh-5.6p1/Makefile.in.fips 2010-08-23 12:43:40.000000000 +0200 ++++ openssh-5.6p1/Makefile.in 2010-08-23 12:46:24.000000000 +0200 +@@ -141,25 +141,25 @@ libssh.a: $(LIBSSH_OBJS) $(RANLIB) $@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) 
@@ -253,8 +253,8 @@ diff -up openssh-5.5p1/Makefile.in.fips openssh-5.5p1/Makefile.in + $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o - $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -@@ -168,7 +168,7 @@ + $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) +@@ -168,7 +168,7 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o @@ -263,10 +263,10 @@ diff -up openssh-5.5p1/Makefile.in.fips openssh-5.5p1/Makefile.in sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -diff -up openssh-5.5p1/myproposal.h.fips openssh-5.5p1/myproposal.h ---- openssh-5.5p1/myproposal.h.fips 2010-02-26 21:55:05.000000000 +0100 -+++ openssh-5.5p1/myproposal.h 2010-04-16 08:46:49.000000000 +0200 -@@ -55,7 +55,12 @@ +diff -up openssh-5.6p1/myproposal.h.fips openssh-5.6p1/myproposal.h +--- openssh-5.6p1/myproposal.h.fips 2010-04-16 07:56:22.000000000 +0200 ++++ openssh-5.6p1/myproposal.h 2010-08-23 12:43:41.000000000 +0200 +@@ -58,7 +58,12 @@ "hmac-sha1-96,hmac-md5-96" #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" #define KEX_DEFAULT_LANG "" 
@@ -280,9 +280,9 @@ diff -up openssh-5.5p1/myproposal.h.fips openssh-5.5p1/myproposal.h static char *myproposal[PROPOSAL_MAX] = { KEX_DEFAULT_KEX, -diff -up openssh-5.5p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.5p1/openbsd-compat/bsd-arc4random.c ---- openssh-5.5p1/openbsd-compat/bsd-arc4random.c.fips 2010-03-25 22:52:02.000000000 +0100 -+++ openssh-5.5p1/openbsd-compat/bsd-arc4random.c 2010-04-16 09:17:30.000000000 +0200 +diff -up openssh-5.6p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.6p1/openbsd-compat/bsd-arc4random.c +--- openssh-5.6p1/openbsd-compat/bsd-arc4random.c.fips 2010-03-25 22:52:02.000000000 +0100 ++++ openssh-5.6p1/openbsd-compat/bsd-arc4random.c 2010-08-23 12:43:41.000000000 +0200 @@ -39,6 +39,7 @@ static int rc4_ready = 0; static RC4_KEY rc4; @@ -324,9 +324,9 @@ diff -up openssh-5.5p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.5p1/openbs #endif /* !HAVE_ARC4RANDOM */ #ifndef HAVE_ARC4RANDOM_BUF -diff -up openssh-5.5p1/ssh-add.c.fips openssh-5.5p1/ssh-add.c ---- openssh-5.5p1/ssh-add.c.fips 2010-03-03 00:25:42.000000000 +0100 -+++ openssh-5.5p1/ssh-add.c 2010-04-16 08:46:49.000000000 +0200 +diff -up openssh-5.6p1/ssh-add.c.fips openssh-5.6p1/ssh-add.c +--- openssh-5.6p1/ssh-add.c.fips 2010-05-21 06:56:47.000000000 +0200 ++++ openssh-5.6p1/ssh-add.c 2010-08-23 12:43:41.000000000 +0200 @@ -42,6 +42,7 @@ #include @@ -335,7 +335,7 @@ diff -up openssh-5.5p1/ssh-add.c.fips openssh-5.5p1/ssh-add.c #include "openbsd-compat/openssl-compat.h" #include -@@ -269,7 +270,7 @@ list_identities(AuthenticationConnection +@@ -277,7 +278,7 @@ list_identities(AuthenticationConnection key = ssh_get_next_identity(ac, &comment, version)) { had_identities = 1; if (do_fp) { 
@@ -344,9 +344,9 @@ diff -up openssh-5.5p1/ssh-add.c.fips openssh-5.5p1/ssh-add.c SSH_FP_HEX); printf("%d %s %s (%s)\n", key_size(key), fp, comment, key_type(key)); -diff -up openssh-5.5p1/ssh-agent.c.fips openssh-5.5p1/ssh-agent.c ---- openssh-5.5p1/ssh-agent.c.fips 2010-02-26 21:55:06.000000000 +0100 -+++ openssh-5.5p1/ssh-agent.c 2010-04-16 08:46:49.000000000 +0200 +diff -up openssh-5.6p1/ssh-agent.c.fips openssh-5.6p1/ssh-agent.c +--- openssh-5.6p1/ssh-agent.c.fips 2010-04-16 07:56:22.000000000 +0200 ++++ openssh-5.6p1/ssh-agent.c 2010-08-23 12:43:41.000000000 +0200 @@ -51,6 +51,7 @@ #include @@ -368,9 +368,9 @@ diff -up openssh-5.5p1/ssh-agent.c.fips openssh-5.5p1/ssh-agent.c ret = 0; xfree(p); -diff -up openssh-5.5p1/ssh.c.fips openssh-5.5p1/ssh.c ---- openssh-5.5p1/ssh.c.fips 2010-02-26 21:55:06.000000000 +0100 -+++ openssh-5.5p1/ssh.c 2010-04-16 08:46:49.000000000 +0200 +diff -up openssh-5.6p1/ssh.c.fips openssh-5.6p1/ssh.c +--- openssh-5.6p1/ssh.c.fips 2010-08-16 17:59:31.000000000 +0200 ++++ openssh-5.6p1/ssh.c 2010-08-23 12:43:41.000000000 +0200 @@ -72,6 +72,8 @@ #include @@ -380,7 +380,7 @@ diff -up openssh-5.5p1/ssh.c.fips openssh-5.5p1/ssh.c #include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/sys-queue.h" -@@ -225,6 +227,10 @@ main(int ac, char **av) +@@ -235,6 +237,10 @@ main(int ac, char **av) sanitise_stdfd(); __progname = ssh_get_progname(av[0]); @@ -391,7 +391,7 @@ diff -up openssh-5.5p1/ssh.c.fips openssh-5.5p1/ssh.c init_rng(); /* -@@ -285,6 +291,9 @@ main(int ac, char **av) +@@ -301,6 +307,9 @@ main(int ac, char **av) "ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) { switch (opt) { case '1': @@ -401,7 +401,7 @@ diff -up openssh-5.5p1/ssh.c.fips openssh-5.5p1/ssh.c options.protocol = SSH_PROTO_1; break; case '2': -@@ -581,7 +590,6 @@ main(int ac, char **av) +@@ -599,7 +608,6 @@ main(int ac, char **av) if (!host) usage(); 
@@ -409,7 +409,7 @@ diff -up openssh-5.5p1/ssh.c.fips openssh-5.5p1/ssh.c ERR_load_crypto_strings(); /* Initialize the command to execute on remote host. */ -@@ -667,6 +675,10 @@ main(int ac, char **av) +@@ -685,6 +693,10 @@ main(int ac, char **av) seed_rng(); @@ -420,7 +420,7 @@ diff -up openssh-5.5p1/ssh.c.fips openssh-5.5p1/ssh.c if (options.user == NULL) options.user = xstrdup(pw->pw_name); -@@ -733,6 +745,12 @@ main(int ac, char **av) +@@ -752,6 +764,12 @@ main(int ac, char **av) timeout_ms = options.connection_timeout * 1000; @@ -433,9 +433,9 @@ diff -up openssh-5.5p1/ssh.c.fips openssh-5.5p1/ssh.c /* Open a connection to the remote host. */ if (ssh_connect(host, &hostaddr, options.port, options.address_family, options.connection_attempts, &timeout_ms, -diff -up openssh-5.5p1/sshconnect2.c.fips openssh-5.5p1/sshconnect2.c ---- openssh-5.5p1/sshconnect2.c.fips 2010-04-16 08:46:48.000000000 +0200 -+++ openssh-5.5p1/sshconnect2.c 2010-04-16 08:46:49.000000000 +0200 +diff -up openssh-5.6p1/sshconnect2.c.fips openssh-5.6p1/sshconnect2.c +--- openssh-5.6p1/sshconnect2.c.fips 2010-08-23 12:43:41.000000000 +0200 ++++ openssh-5.6p1/sshconnect2.c 2010-08-23 12:43:41.000000000 +0200 @@ -44,6 +44,8 @@ #include #endif @@ -479,9 +479,9 @@ diff -up openssh-5.5p1/sshconnect2.c.fips openssh-5.5p1/sshconnect2.c xfree(fp); /* -diff -up openssh-5.5p1/sshconnect.c.fips openssh-5.5p1/sshconnect.c ---- openssh-5.5p1/sshconnect.c.fips 2010-03-04 11:53:36.000000000 +0100 -+++ openssh-5.5p1/sshconnect.c 2010-04-16 08:46:49.000000000 +0200 +diff -up openssh-5.6p1/sshconnect.c.fips openssh-5.6p1/sshconnect.c +--- openssh-5.6p1/sshconnect.c.fips 2010-04-18 00:08:21.000000000 +0200 ++++ openssh-5.6p1/sshconnect.c 2010-08-23 12:43:41.000000000 +0200 @@ -40,6 +40,8 @@ #include #include 
@@ -568,9 +568,9 @@ diff -up openssh-5.5p1/sshconnect.c.fips openssh-5.5p1/sshconnect.c error("Please contact your system administrator."); xfree(fp); -diff -up openssh-5.5p1/sshd.c.fips openssh-5.5p1/sshd.c ---- openssh-5.5p1/sshd.c.fips 2010-04-16 08:46:48.000000000 +0200 -+++ openssh-5.5p1/sshd.c 2010-04-16 08:46:49.000000000 +0200 +diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c +--- openssh-5.6p1/sshd.c.fips 2010-08-23 12:43:40.000000000 +0200 ++++ openssh-5.6p1/sshd.c 2010-08-23 12:43:41.000000000 +0200 @@ -76,6 +76,8 @@ #include #include @@ -580,7 +580,7 @@ diff -up openssh-5.5p1/sshd.c.fips openssh-5.5p1/sshd.c #include "openbsd-compat/openssl-compat.h" #ifdef HAVE_SECUREWARE -@@ -1298,6 +1300,12 @@ main(int ac, char **av) +@@ -1307,6 +1309,12 @@ main(int ac, char **av) (void)set_auth_parameters(ac, av); #endif __progname = ssh_get_progname(av[0]); @@ -593,7 +593,7 @@ diff -up openssh-5.5p1/sshd.c.fips openssh-5.5p1/sshd.c init_rng(); /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ -@@ -1459,8 +1467,6 @@ main(int ac, char **av) +@@ -1468,8 +1476,6 @@ main(int ac, char **av) else closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); @@ -602,7 +602,7 @@ diff -up openssh-5.5p1/sshd.c.fips openssh-5.5p1/sshd.c /* * Force logging to stderr until we have loaded the private host * key (unless started from inetd) -@@ -1578,6 +1584,10 @@ main(int ac, char **av) +@@ -1587,6 +1593,10 @@ main(int ac, char **av) debug("private host key: #%d type %d %s", i, key->type, key_type(key)); } @@ -613,7 +613,7 @@ diff -up openssh-5.5p1/sshd.c.fips openssh-5.5p1/sshd.c if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { logit("Disabling protocol version 1. Could not load host key"); options.protocol &= ~SSH_PROTO_1; -@@ -1742,6 +1752,10 @@ main(int ac, char **av) +@@ -1751,6 +1761,10 @@ main(int ac, char **av) /* Initialize the random number generator. */ arc4random_stir(); 
@@ -624,7 +624,7 @@ diff -up openssh-5.5p1/sshd.c.fips openssh-5.5p1/sshd.c /* Chdir to the root directory so that the current disk can be unmounted if desired. */ chdir("/"); -@@ -2275,6 +2289,9 @@ do_ssh2_kex(void) +@@ -2284,6 +2298,9 @@ do_ssh2_kex(void) if (options.ciphers != NULL) { myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; @@ -634,7 +634,7 @@ diff -up openssh-5.5p1/sshd.c.fips openssh-5.5p1/sshd.c } myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); -@@ -2284,6 +2301,9 @@ do_ssh2_kex(void) +@@ -2293,6 +2310,9 @@ do_ssh2_kex(void) if (options.macs != NULL) { myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; @@ -644,9 +644,9 @@ diff -up openssh-5.5p1/sshd.c.fips openssh-5.5p1/sshd.c } if (options.compression == COMP_NONE) { myproposal[PROPOSAL_COMP_ALGS_CTOS] = -diff -up openssh-5.5p1/ssh-keygen.c.fips openssh-5.5p1/ssh-keygen.c ---- openssh-5.5p1/ssh-keygen.c.fips 2010-03-21 19:58:24.000000000 +0100 -+++ openssh-5.5p1/ssh-keygen.c 2010-04-16 08:46:49.000000000 +0200 +diff -up openssh-5.6p1/ssh-keygen.c.fips openssh-5.6p1/ssh-keygen.c +--- openssh-5.6p1/ssh-keygen.c.fips 2010-08-23 12:43:40.000000000 +0200 ++++ openssh-5.6p1/ssh-keygen.c 2010-08-23 12:43:41.000000000 +0200 @@ -21,6 +21,7 @@ #include @@ -655,7 +655,7 @@ diff -up openssh-5.5p1/ssh-keygen.c.fips openssh-5.5p1/ssh-keygen.c #include "openbsd-compat/openssl-compat.h" #include -@@ -527,7 +528,7 @@ do_fingerprint(struct passwd *pw) +@@ -692,7 +693,7 @@ do_fingerprint(struct passwd *pw) enum fp_type fptype; struct stat st; @@ -664,7 +664,7 @@ diff -up openssh-5.5p1/ssh-keygen.c.fips openssh-5.5p1/ssh-keygen.c rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; if (!have_identity) -@@ -1916,14 +1917,15 @@ passphrase_again: +@@ -2209,14 +2210,15 @@ passphrase_again: fclose(f); if (!quiet) { 
diff --git a/openssh-5.5p1-gsskex.patch b/openssh-5.6p1-gsskex.patch similarity index 92% rename from openssh-5.5p1-gsskex.patch rename to openssh-5.6p1-gsskex.patch index 249faa4..95da913 100644 --- a/openssh-5.5p1-gsskex.patch +++ b/openssh-5.6p1-gsskex.patch @@ -1,6 +1,6 @@ -diff -up openssh-5.5p1/auth2.c.gsskex openssh-5.5p1/auth2.c ---- openssh-5.5p1/auth2.c.gsskex 2010-05-13 15:59:50.000000000 +0200 -+++ openssh-5.5p1/auth2.c 2010-05-13 15:59:58.000000000 +0200 +diff -up openssh-5.6p1/auth2.c.gsskex openssh-5.6p1/auth2.c +--- openssh-5.6p1/auth2.c.gsskex 2010-08-23 12:51:56.000000000 +0200 ++++ openssh-5.6p1/auth2.c 2010-08-23 12:51:58.000000000 +0200 @@ -69,6 +69,7 @@ extern Authmethod method_passwd; extern Authmethod method_kbdint; extern Authmethod method_hostbased; @@ -35,9 +35,9 @@ diff -up openssh-5.5p1/auth2.c.gsskex openssh-5.5p1/auth2.c authctxt->failures++; if (authctxt->failures >= options.max_authtries) { #ifdef SSH_AUDIT_EVENTS -diff -up openssh-5.5p1/auth2-gss.c.gsskex openssh-5.5p1/auth2-gss.c ---- openssh-5.5p1/auth2-gss.c.gsskex 2010-05-13 15:59:50.000000000 +0200 -+++ openssh-5.5p1/auth2-gss.c 2010-05-13 15:59:58.000000000 +0200 +diff -up openssh-5.6p1/auth2-gss.c.gsskex openssh-5.6p1/auth2-gss.c +--- openssh-5.6p1/auth2-gss.c.gsskex 2010-08-23 12:51:56.000000000 +0200 ++++ openssh-5.6p1/auth2-gss.c 2010-08-23 12:51:58.000000000 +0200 @@ -1,7 +1,7 @@ /* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */ @@ -137,9 +137,9 @@ diff -up openssh-5.5p1/auth2-gss.c.gsskex openssh-5.5p1/auth2-gss.c Authmethod method_gssapi = { "gssapi-with-mic", userauth_gssapi, -diff -up openssh-5.5p1/auth.h.gsskex openssh-5.5p1/auth.h ---- openssh-5.5p1/auth.h.gsskex 2010-05-13 15:59:50.000000000 +0200 -+++ openssh-5.5p1/auth.h 2010-05-13 15:59:58.000000000 +0200 +diff -up openssh-5.6p1/auth.h.gsskex openssh-5.6p1/auth.h +--- openssh-5.6p1/auth.h.gsskex 2010-08-23 12:51:56.000000000 +0200 ++++ openssh-5.6p1/auth.h 2010-08-23 12:51:58.000000000 +0200 
@@ -53,6 +53,7 @@ struct Authctxt { int valid; /* user exists and is allowed to login */ int attempt; @@ -148,9 +148,9 @@ diff -up openssh-5.5p1/auth.h.gsskex openssh-5.5p1/auth.h int force_pwchange; char *user; /* username sent by the client */ char *service; -diff -up openssh-5.5p1/auth-krb5.c.gsskex openssh-5.5p1/auth-krb5.c ---- openssh-5.5p1/auth-krb5.c.gsskex 2009-12-21 00:49:22.000000000 +0100 -+++ openssh-5.5p1/auth-krb5.c 2010-05-13 15:59:58.000000000 +0200 +diff -up openssh-5.6p1/auth-krb5.c.gsskex openssh-5.6p1/auth-krb5.c +--- openssh-5.6p1/auth-krb5.c.gsskex 2009-12-21 00:49:22.000000000 +0100 ++++ openssh-5.6p1/auth-krb5.c 2010-08-23 12:51:58.000000000 +0200 @@ -170,8 +170,13 @@ auth_krb5_password(Authctxt *authctxt, c len = strlen(authctxt->krb5_ticket_file) + 6; @@ -198,9 +198,9 @@ diff -up openssh-5.5p1/auth-krb5.c.gsskex openssh-5.5p1/auth-krb5.c return (krb5_cc_resolve(ctx, ccname, ccache)); } -diff -up openssh-5.5p1/ChangeLog.gssapi.gsskex openssh-5.5p1/ChangeLog.gssapi ---- openssh-5.5p1/ChangeLog.gssapi.gsskex 2010-05-13 15:59:58.000000000 +0200 -+++ openssh-5.5p1/ChangeLog.gssapi 2010-05-13 15:59:58.000000000 +0200 +diff -up openssh-5.6p1/ChangeLog.gssapi.gsskex openssh-5.6p1/ChangeLog.gssapi +--- openssh-5.6p1/ChangeLog.gssapi.gsskex 2010-08-23 12:51:58.000000000 +0200 ++++ openssh-5.6p1/ChangeLog.gssapi 2010-08-23 12:51:58.000000000 +0200 @@ -0,0 +1,95 @@ +20090615 + - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c 
@@ -297,9 +297,9 @@ diff -up openssh-5.5p1/ChangeLog.gssapi.gsskex openssh-5.5p1/ChangeLog.gssapi + add support for GssapiTrustDns option for gssapi-with-mic + (from jbasney AT ncsa.uiuc.edu) + -diff -up openssh-5.5p1/clientloop.c.gsskex openssh-5.5p1/clientloop.c ---- openssh-5.5p1/clientloop.c.gsskex 2010-03-21 19:54:02.000000000 +0100 -+++ openssh-5.5p1/clientloop.c 2010-05-13 15:59:58.000000000 +0200 +diff -up openssh-5.6p1/clientloop.c.gsskex openssh-5.6p1/clientloop.c +--- openssh-5.6p1/clientloop.c.gsskex 2010-08-03 08:04:46.000000000 +0200 ++++ openssh-5.6p1/clientloop.c 2010-08-23 12:51:58.000000000 +0200 @@ -111,6 +111,10 @@ #include "msg.h" #include "roaming.h" @@ -311,7 +311,7 @@ diff -up openssh-5.5p1/clientloop.c.gsskex openssh-5.5p1/clientloop.c /* import options */ extern Options options; -@@ -1431,6 +1435,13 @@ client_loop(int have_pty, int escape_cha +@@ -1483,6 +1487,13 @@ client_loop(int have_pty, int escape_cha /* Do channel operations unless rekeying in progress. */ if (!rekeying) { channel_after_select(readset, writeset); @@ -325,9 +325,9 @@ diff -up openssh-5.5p1/clientloop.c.gsskex openssh-5.5p1/clientloop.c if (need_rekeying || packet_need_rekeying()) { debug("need rekeying"); xxx_kex->done = 0; -diff -up openssh-5.5p1/configure.ac.gsskex openssh-5.5p1/configure.ac ---- openssh-5.5p1/configure.ac.gsskex 2010-05-13 15:59:52.000000000 +0200 -+++ openssh-5.5p1/configure.ac 2010-05-13 15:59:58.000000000 +0200 +diff -up openssh-5.6p1/configure.ac.gsskex openssh-5.6p1/configure.ac +--- openssh-5.6p1/configure.ac.gsskex 2010-08-23 12:51:57.000000000 +0200 ++++ openssh-5.6p1/configure.ac 2010-08-23 12:51:58.000000000 +0200 @@ -477,6 +477,30 @@ main() { if (NSVersionOfRunTimeLibrary(" [Use tunnel device compatibility to OpenBSD]) AC_DEFINE(SSH_TUN_PREPEND_AF, 1, 
@@ -359,9 +359,9 @@ diff -up openssh-5.5p1/configure.ac.gsskex openssh-5.5p1/configure.ac m4_pattern_allow(AU_IPv) AC_CHECK_DECL(AU_IPv4, [], AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records]) -diff -up openssh-5.5p1/gss-genr.c.gsskex openssh-5.5p1/gss-genr.c ---- openssh-5.5p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200 -+++ openssh-5.5p1/gss-genr.c 2010-05-13 15:59:58.000000000 +0200 +diff -up openssh-5.6p1/gss-genr.c.gsskex openssh-5.6p1/gss-genr.c +--- openssh-5.6p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200 ++++ openssh-5.6p1/gss-genr.c 2010-08-23 12:51:58.000000000 +0200 @@ -39,12 +39,167 @@ #include "buffer.h" #include "log.h" @@ -700,9 +700,9 @@ diff -up openssh-5.5p1/gss-genr.c.gsskex openssh-5.5p1/gss-genr.c +} + #endif /* GSSAPI */ -diff -up openssh-5.5p1/gss-serv.c.gsskex openssh-5.5p1/gss-serv.c ---- openssh-5.5p1/gss-serv.c.gsskex 2008-05-19 07:05:07.000000000 +0200 -+++ openssh-5.5p1/gss-serv.c 2010-05-13 15:59:58.000000000 +0200 +diff -up openssh-5.6p1/gss-serv.c.gsskex openssh-5.6p1/gss-serv.c +--- openssh-5.6p1/gss-serv.c.gsskex 2008-05-19 07:05:07.000000000 +0200 ++++ openssh-5.6p1/gss-serv.c 2010-08-23 12:51:58.000000000 +0200 @@ -1,7 +1,7 @@ /* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */ @@ -1016,9 +1016,9 @@ diff -up openssh-5.5p1/gss-serv.c.gsskex openssh-5.5p1/gss-serv.c } #endif -diff -up openssh-5.5p1/gss-serv-krb5.c.gsskex openssh-5.5p1/gss-serv-krb5.c ---- openssh-5.5p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200 -+++ openssh-5.5p1/gss-serv-krb5.c 2010-05-13 15:59:59.000000000 +0200 +diff -up openssh-5.6p1/gss-serv-krb5.c.gsskex openssh-5.6p1/gss-serv-krb5.c +--- openssh-5.6p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200 ++++ openssh-5.6p1/gss-serv-krb5.c 2010-08-23 12:51:58.000000000 +0200 @@ -1,7 +1,7 @@ /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ 
@@ -1139,9 +1139,9 @@ diff -up openssh-5.5p1/gss-serv-krb5.c.gsskex openssh-5.5p1/gss-serv-krb5.c }; #endif /* KRB5 */ -diff -up openssh-5.5p1/kex.c.gsskex openssh-5.5p1/kex.c ---- openssh-5.5p1/kex.c.gsskex 2010-01-08 06:50:41.000000000 +0100 -+++ openssh-5.5p1/kex.c 2010-05-13 15:59:59.000000000 +0200 +diff -up openssh-5.6p1/kex.c.gsskex openssh-5.6p1/kex.c +--- openssh-5.6p1/kex.c.gsskex 2010-01-08 06:50:41.000000000 +0100 ++++ openssh-5.6p1/kex.c 2010-08-23 12:51:58.000000000 +0200 @@ -50,6 +50,10 @@ #include "monitor.h" #include "roaming.h" @@ -1174,9 +1174,9 @@ diff -up openssh-5.5p1/kex.c.gsskex openssh-5.5p1/kex.c } else fatal("bad kex alg %s", k->name); } -diff -up openssh-5.5p1/kexgssc.c.gsskex openssh-5.5p1/kexgssc.c ---- openssh-5.5p1/kexgssc.c.gsskex 2010-05-13 15:59:59.000000000 +0200 -+++ openssh-5.5p1/kexgssc.c 2010-05-13 15:59:59.000000000 +0200 +diff -up openssh-5.6p1/kexgssc.c.gsskex openssh-5.6p1/kexgssc.c +--- openssh-5.6p1/kexgssc.c.gsskex 2010-08-23 12:51:58.000000000 +0200 ++++ openssh-5.6p1/kexgssc.c 2010-08-23 12:51:58.000000000 +0200 @@ -0,0 +1,334 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -1512,9 +1512,9 @@ diff -up openssh-5.5p1/kexgssc.c.gsskex openssh-5.5p1/kexgssc.c +} + +#endif /* GSSAPI */ -diff -up openssh-5.5p1/kexgsss.c.gsskex openssh-5.5p1/kexgsss.c ---- openssh-5.5p1/kexgsss.c.gsskex 2010-05-13 15:59:59.000000000 +0200 -+++ openssh-5.5p1/kexgsss.c 2010-05-13 15:59:59.000000000 +0200 +diff -up openssh-5.6p1/kexgsss.c.gsskex openssh-5.6p1/kexgsss.c +--- openssh-5.6p1/kexgsss.c.gsskex 2010-08-23 12:51:58.000000000 +0200 ++++ openssh-5.6p1/kexgsss.c 2010-08-23 12:51:58.000000000 +0200 @@ -0,0 +1,288 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 
@@ -1804,9 +1804,9 @@ diff -up openssh-5.5p1/kexgsss.c.gsskex openssh-5.5p1/kexgsss.c + ssh_gssapi_rekey_creds(); +} +#endif /* GSSAPI */ -diff -up openssh-5.5p1/kex.h.gsskex openssh-5.5p1/kex.h ---- openssh-5.5p1/kex.h.gsskex 2010-02-26 21:55:05.000000000 +0100 -+++ openssh-5.5p1/kex.h 2010-05-13 15:59:59.000000000 +0200 +diff -up openssh-5.6p1/kex.h.gsskex openssh-5.6p1/kex.h +--- openssh-5.6p1/kex.h.gsskex 2010-02-26 21:55:05.000000000 +0100 ++++ openssh-5.6p1/kex.h 2010-08-23 12:51:58.000000000 +0200 @@ -67,6 +67,9 @@ enum kex_exchange { KEX_DH_GRP14_SHA1, KEX_DH_GEX_SHA1, 
@@ -1842,32 +1842,32 @@ diff -up openssh-5.5p1/kex.h.gsskex openssh-5.5p1/kex.h void kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); -diff -up openssh-5.5p1/key.c.gsskex openssh-5.5p1/key.c ---- openssh-5.5p1/key.c.gsskex 2010-03-21 19:58:24.000000000 +0100 -+++ openssh-5.5p1/key.c 2010-05-13 15:59:59.000000000 +0200 -@@ -982,6 +982,8 @@ key_type_from_name(char *name) +diff -up openssh-5.6p1/key.c.gsskex openssh-5.6p1/key.c +--- openssh-5.6p1/key.c.gsskex 2010-07-16 05:58:37.000000000 +0200 ++++ openssh-5.6p1/key.c 2010-08-23 12:56:03.000000000 +0200 +@@ -1020,6 +1020,8 @@ key_type_from_name(char *name) return KEY_RSA_CERT; - } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) { + } else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) { return KEY_DSA_CERT; + } else if (strcmp(name, "null") == 0) { + return KEY_NULL; } debug2("key_type_from_name: unknown key type '%s'", name); return KEY_UNSPEC; -diff -up openssh-5.5p1/key.h.gsskex openssh-5.5p1/key.h ---- openssh-5.5p1/key.h.gsskex 2010-03-21 19:58:24.000000000 +0100 -+++ openssh-5.5p1/key.h 2010-05-13 15:59:59.000000000 +0200 -@@ -37,6 +37,7 @@ enum types { - KEY_DSA, - KEY_RSA_CERT, +diff -up openssh-5.6p1/key.h.gsskex openssh-5.6p1/key.h +--- openssh-5.6p1/key.h.gsskex 2010-04-16 07:56:22.000000000 +0200 ++++ openssh-5.6p1/key.h 2010-08-23 12:56:32.000000000 +0200 +@@ -39,6 +39,7 @@ enum types { KEY_DSA_CERT, + KEY_RSA_CERT_V00, + KEY_DSA_CERT_V00, + KEY_NULL, KEY_UNSPEC }; enum fp_type { -diff -up openssh-5.5p1/Makefile.in.gsskex openssh-5.5p1/Makefile.in ---- openssh-5.5p1/Makefile.in.gsskex 2010-05-13 15:59:57.000000000 +0200 -+++ openssh-5.5p1/Makefile.in 2010-05-13 16:01:34.000000000 +0200 +diff -up openssh-5.6p1/Makefile.in.gsskex openssh-5.6p1/Makefile.in +--- openssh-5.6p1/Makefile.in.gsskex 2010-08-23 12:51:58.000000000 +0200 ++++ openssh-5.6p1/Makefile.in 2010-08-23 12:51:58.000000000 +0200 
@@ -76,11 +76,11 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \ @@ -1891,9 +1891,9 @@ diff -up openssh-5.5p1/Makefile.in.gsskex openssh-5.5p1/Makefile.in MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5 -diff -up openssh-5.5p1/monitor.c.gsskex openssh-5.5p1/monitor.c ---- openssh-5.5p1/monitor.c.gsskex 2010-05-13 15:59:50.000000000 +0200 -+++ openssh-5.5p1/monitor.c 2010-05-13 15:59:59.000000000 +0200 +diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c +--- openssh-5.6p1/monitor.c.gsskex 2010-08-23 12:51:56.000000000 +0200 ++++ openssh-5.6p1/monitor.c 2010-08-23 12:51:58.000000000 +0200 @@ -175,6 +175,8 @@ int mm_answer_gss_setup_ctx(int, Buffer int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_userok(int, Buffer *); @@ -2086,9 +2086,9 @@ diff -up openssh-5.5p1/monitor.c.gsskex openssh-5.5p1/monitor.c #endif /* GSSAPI */ #ifdef JPAKE -diff -up openssh-5.5p1/monitor.h.gsskex openssh-5.5p1/monitor.h ---- openssh-5.5p1/monitor.h.gsskex 2010-05-13 15:59:50.000000000 +0200 -+++ openssh-5.5p1/monitor.h 2010-05-13 15:59:59.000000000 +0200 +diff -up openssh-5.6p1/monitor.h.gsskex openssh-5.6p1/monitor.h +--- openssh-5.6p1/monitor.h.gsskex 2010-08-23 12:51:56.000000000 +0200 ++++ openssh-5.6p1/monitor.h 2010-08-23 12:51:58.000000000 +0200 @@ -56,6 +56,8 @@ enum monitor_reqtype { MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP, MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK, 
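Review bot: The `KEY_NULL` enumerator that the rebased key.h hunk keeps ahead of `KEY_UNSPEC` carries no comment, and the key.c hunk maps the literal name `"null"` to it unconditionally in `key_type_from_name`, so presumably every caller that resolves a key type from a string (algorithm-list validation included) now accepts `null` as a real type. Nothing in the hunk ties that type to a negotiated GSSAPI key exchange, so the check that a host key of this type is only honoured under a gss-* method has to live wherever such a key is consumed; that is worth confirming in the kex and monitor parts of the same patch after the 5.6p1 rebase, since the enum now has `KEY_RSA_CERT_V00`/`KEY_DSA_CERT_V00` in front of it. A one-line comment on the enumerator would make the contract explicit: `KEY_NULL, /* gsskex: placeholder host key type, only meaningful when a gss-* key exchange was negotiated */`. `key_type_from_name` begins outside the hunk.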
@@ -2098,9 +2098,9 @@ diff -up openssh-5.5p1/monitor.h.gsskex openssh-5.5p1/monitor.h MONITOR_REQ_PAM_START, MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, -diff -up openssh-5.5p1/monitor_wrap.c.gsskex openssh-5.5p1/monitor_wrap.c ---- openssh-5.5p1/monitor_wrap.c.gsskex 2010-05-13 15:59:51.000000000 +0200 -+++ openssh-5.5p1/monitor_wrap.c 2010-05-13 15:59:59.000000000 +0200 +diff -up openssh-5.6p1/monitor_wrap.c.gsskex openssh-5.6p1/monitor_wrap.c +--- openssh-5.6p1/monitor_wrap.c.gsskex 2010-08-23 12:51:56.000000000 +0200 ++++ openssh-5.6p1/monitor_wrap.c 2010-08-23 12:51:58.000000000 +0200 @@ -1250,7 +1250,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss } @@ -2162,9 +2162,9 @@ diff -up openssh-5.5p1/monitor_wrap.c.gsskex openssh-5.5p1/monitor_wrap.c #endif /* GSSAPI */ #ifdef JPAKE -diff -up openssh-5.5p1/monitor_wrap.h.gsskex openssh-5.5p1/monitor_wrap.h ---- openssh-5.5p1/monitor_wrap.h.gsskex 2010-05-13 15:59:51.000000000 +0200 -+++ openssh-5.5p1/monitor_wrap.h 2010-05-13 15:59:59.000000000 +0200 +diff -up openssh-5.6p1/monitor_wrap.h.gsskex openssh-5.6p1/monitor_wrap.h +--- openssh-5.6p1/monitor_wrap.h.gsskex 2010-08-23 12:51:56.000000000 +0200 ++++ openssh-5.6p1/monitor_wrap.h 2010-08-23 12:51:58.000000000 +0200 @@ -60,8 +60,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, @@ -2177,18 +2177,18 @@ diff -up openssh-5.5p1/monitor_wrap.h.gsskex openssh-5.5p1/monitor_wrap.h #endif #ifdef USE_PAM -diff -up openssh-5.5p1/readconf.c.gsskex openssh-5.5p1/readconf.c ---- openssh-5.5p1/readconf.c.gsskex 2010-02-11 23:21:03.000000000 +0100 -+++ openssh-5.5p1/readconf.c 2010-05-13 15:59:59.000000000 +0200 +diff -up openssh-5.6p1/readconf.c.gsskex openssh-5.6p1/readconf.c +--- openssh-5.6p1/readconf.c.gsskex 2010-08-03 08:04:46.000000000 +0200 ++++ openssh-5.6p1/readconf.c 2010-08-23 12:57:26.000000000 +0200 
@@ -127,6 +127,7 @@ typedef enum { oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssDelegateCreds, + oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey, oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, - oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, - oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, -@@ -164,10 +165,18 @@ static struct { + oSendEnv, oControlPath, oControlMaster, oControlPersist, + oHashKnownHosts, +@@ -166,10 +167,18 @@ static struct { { "afstokenpassing", oUnsupported }, #if defined(GSSAPI) { "gssapiauthentication", oGssAuthentication }, @@ -2207,7 +2207,7 @@ diff -up openssh-5.5p1/readconf.c.gsskex openssh-5.5p1/readconf.c #endif { "fallbacktorsh", oDeprecated }, { "usersh", oDeprecated }, -@@ -456,10 +465,26 @@ parse_flag: +@@ -474,10 +483,26 @@ parse_flag: intptr = &options->gss_authentication; goto parse_flag; @@ -2234,7 +2234,7 @@ diff -up openssh-5.5p1/readconf.c.gsskex openssh-5.5p1/readconf.c case oBatchMode: intptr = &options->batch_mode; goto parse_flag; -@@ -1015,7 +1040,11 @@ initialize_options(Options * options) +@@ -1058,7 +1083,11 @@ initialize_options(Options * options) options->pubkey_authentication = -1; options->challenge_response_authentication = -1; options->gss_authentication = -1; @@ -2246,7 +2246,7 @@ diff -up openssh-5.5p1/readconf.c.gsskex openssh-5.5p1/readconf.c options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; -@@ -1107,8 +1136,14 @@ fill_default_options(Options * options) +@@ -1156,8 +1185,14 @@ fill_default_options(Options * options) options->challenge_response_authentication = 1; if (options->gss_authentication == -1) options->gss_authentication = 0; 
@@ -2261,10 +2261,10 @@ diff -up openssh-5.5p1/readconf.c.gsskex openssh-5.5p1/readconf.c if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -diff -up openssh-5.5p1/readconf.h.gsskex openssh-5.5p1/readconf.h ---- openssh-5.5p1/readconf.h.gsskex 2010-02-11 23:21:03.000000000 +0100 -+++ openssh-5.5p1/readconf.h 2010-05-13 16:00:00.000000000 +0200 -@@ -44,7 +44,11 @@ typedef struct { +diff -up openssh-5.6p1/readconf.h.gsskex openssh-5.6p1/readconf.h +--- openssh-5.6p1/readconf.h.gsskex 2010-08-03 08:04:46.000000000 +0200 ++++ openssh-5.6p1/readconf.h 2010-08-23 12:51:59.000000000 +0200 +@@ -46,7 +46,11 @@ typedef struct { int challenge_response_authentication; /* Try S/Key or TIS, authentication. */ int gss_authentication; /* Try GSS authentication */ @@ -2276,9 +2276,9 @@ diff -up openssh-5.5p1/readconf.h.gsskex openssh-5.5p1/readconf.h int password_authentication; /* Try password * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ -diff -up openssh-5.5p1/servconf.c.gsskex openssh-5.5p1/servconf.c ---- openssh-5.5p1/servconf.c.gsskex 2010-05-13 15:59:54.000000000 +0200 -+++ openssh-5.5p1/servconf.c 2010-05-13 16:00:00.000000000 +0200 +diff -up openssh-5.6p1/servconf.c.gsskex openssh-5.6p1/servconf.c +--- openssh-5.6p1/servconf.c.gsskex 2010-08-23 12:51:56.000000000 +0200 ++++ openssh-5.6p1/servconf.c 2010-08-23 12:51:59.000000000 +0200 @@ -93,7 +93,10 @@ initialize_server_options(ServerOptions options->kerberos_ticket_cleanup = -1; options->kerberos_get_afs_token = -1; 
@@ -2290,7 +2290,7 @@ diff -up openssh-5.5p1/servconf.c.gsskex openssh-5.5p1/servconf.c options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; -@@ -217,8 +220,14 @@ fill_default_server_options(ServerOption +@@ -218,8 +221,14 @@ fill_default_server_options(ServerOption options->kerberos_get_afs_token = 0; if (options->gss_authentication == -1) options->gss_authentication = 0; @@ -2305,7 +2305,7 @@ diff -up openssh-5.5p1/servconf.c.gsskex openssh-5.5p1/servconf.c if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -312,7 +321,9 @@ typedef enum { +@@ -313,7 +322,9 @@ typedef enum { sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, @@ -2316,7 +2316,7 @@ diff -up openssh-5.5p1/servconf.c.gsskex openssh-5.5p1/servconf.c sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, sZeroKnowledgePasswordAuthentication, sHostCertificate, -@@ -376,9 +387,15 @@ static struct { +@@ -377,9 +388,15 @@ static struct { #ifdef GSSAPI { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, @@ -2332,7 +2332,7 @@ diff -up openssh-5.5p1/servconf.c.gsskex openssh-5.5p1/servconf.c #endif { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, -@@ -939,10 +956,22 @@ process_server_config_line(ServerOptions +@@ -941,10 +958,22 @@ process_server_config_line(ServerOptions intptr = &options->gss_authentication; goto parse_flag; 
@@ -2355,9 +2355,9 @@ diff -up openssh-5.5p1/servconf.c.gsskex openssh-5.5p1/servconf.c case sPasswordAuthentication: intptr = &options->password_authentication; goto parse_flag; -diff -up openssh-5.5p1/servconf.h.gsskex openssh-5.5p1/servconf.h ---- openssh-5.5p1/servconf.h.gsskex 2010-05-13 15:59:54.000000000 +0200 -+++ openssh-5.5p1/servconf.h 2010-05-13 16:00:00.000000000 +0200 +diff -up openssh-5.6p1/servconf.h.gsskex openssh-5.6p1/servconf.h +--- openssh-5.6p1/servconf.h.gsskex 2010-08-23 12:51:56.000000000 +0200 ++++ openssh-5.6p1/servconf.h 2010-08-23 12:51:59.000000000 +0200 @@ -94,7 +94,10 @@ typedef struct { int kerberos_get_afs_token; /* If true, try to get AFS token if * authenticated with Kerberos. */ @@ -2369,10 +2369,10 @@ diff -up openssh-5.5p1/servconf.h.gsskex openssh-5.5p1/servconf.h int password_authentication; /* If true, permit password * authentication. */ int kbd_interactive_authentication; /* If true, permit */ -diff -up openssh-5.5p1/ssh_config.5.gsskex openssh-5.5p1/ssh_config.5 ---- openssh-5.5p1/ssh_config.5.gsskex 2010-03-26 02:09:13.000000000 +0100 -+++ openssh-5.5p1/ssh_config.5 2010-05-13 16:00:00.000000000 +0200 -@@ -478,11 +478,38 @@ Specifies whether user authentication ba +diff -up openssh-5.6p1/ssh_config.5.gsskex openssh-5.6p1/ssh_config.5 +--- openssh-5.6p1/ssh_config.5.gsskex 2010-08-05 05:03:13.000000000 +0200 ++++ openssh-5.6p1/ssh_config.5 2010-08-23 12:51:59.000000000 +0200 +@@ -509,11 +509,38 @@ Specifies whether user authentication ba The default is .Dq no . Note that this option applies to protocol version 2 only. 
@@ -2412,9 +2412,9 @@ diff -up openssh-5.5p1/ssh_config.5.gsskex openssh-5.5p1/ssh_config.5 .It Cm HashKnownHosts Indicates that .Xr ssh 1 -diff -up openssh-5.5p1/ssh_config.gsskex openssh-5.5p1/ssh_config ---- openssh-5.5p1/ssh_config.gsskex 2010-05-13 15:59:48.000000000 +0200 -+++ openssh-5.5p1/ssh_config 2010-05-13 16:00:00.000000000 +0200 +diff -up openssh-5.6p1/ssh_config.gsskex openssh-5.6p1/ssh_config +--- openssh-5.6p1/ssh_config.gsskex 2010-08-23 12:51:55.000000000 +0200 ++++ openssh-5.6p1/ssh_config 2010-08-23 12:51:59.000000000 +0200 @@ -26,6 +26,8 @@ # HostbasedAuthentication no # GSSAPIAuthentication no @@ -2424,9 +2424,9 @@ diff -up openssh-5.5p1/ssh_config.gsskex openssh-5.5p1/ssh_config # BatchMode no # CheckHostIP yes # AddressFamily any -diff -up openssh-5.5p1/sshconnect2.c.gsskex openssh-5.5p1/sshconnect2.c ---- openssh-5.5p1/sshconnect2.c.gsskex 2010-05-13 15:59:57.000000000 +0200 -+++ openssh-5.5p1/sshconnect2.c 2010-05-13 16:00:00.000000000 +0200 +diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c +--- openssh-5.6p1/sshconnect2.c.gsskex 2010-08-23 12:51:58.000000000 +0200 ++++ openssh-5.6p1/sshconnect2.c 2010-08-23 12:51:59.000000000 +0200 @@ -108,9 +108,34 @@ ssh_kex2(char *host, struct sockaddr *ho { Kex *kex; @@ -2624,9 +2624,9 @@ diff -up openssh-5.5p1/sshconnect2.c.gsskex openssh-5.5p1/sshconnect2.c #endif /* GSSAPI */ int -diff -up openssh-5.5p1/sshd.c.gsskex openssh-5.5p1/sshd.c ---- openssh-5.5p1/sshd.c.gsskex 2010-05-13 15:59:57.000000000 +0200 -+++ openssh-5.5p1/sshd.c 2010-05-13 16:00:00.000000000 +0200 +diff -up openssh-5.6p1/sshd.c.gsskex openssh-5.6p1/sshd.c +--- openssh-5.6p1/sshd.c.gsskex 2010-08-23 12:51:58.000000000 +0200 ++++ openssh-5.6p1/sshd.c 2010-08-23 12:51:59.000000000 +0200 @@ -129,6 +129,10 @@ int allow_severity; int deny_severity; #endif /* LIBWRAP */ 
@@ -2638,7 +2638,7 @@ diff -up openssh-5.5p1/sshd.c.gsskex openssh-5.5p1/sshd.c #ifndef O_NOCTTY #define O_NOCTTY 0 #endif -@@ -1592,10 +1596,13 @@ main(int ac, char **av) +@@ -1601,10 +1605,13 @@ main(int ac, char **av) logit("Disabling protocol version 1. Could not load host key"); options.protocol &= ~SSH_PROTO_1; } @@ -2652,7 +2652,7 @@ diff -up openssh-5.5p1/sshd.c.gsskex openssh-5.5p1/sshd.c if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { logit("sshd: no hostkeys available -- exiting."); exit(1); -@@ -1928,6 +1935,60 @@ main(int ac, char **av) +@@ -1937,6 +1944,60 @@ main(int ac, char **av) /* Log the connection. */ verbose("Connection from %.500s port %d", remote_ip, remote_port); @@ -2713,7 +2713,7 @@ diff -up openssh-5.5p1/sshd.c.gsskex openssh-5.5p1/sshd.c /* * We don't want to listen forever unless the other side * successfully authenticates itself. So we set up an alarm which is -@@ -2315,12 +2376,61 @@ do_ssh2_kex(void) +@@ -2324,12 +2385,61 @@ do_ssh2_kex(void) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); @@ -2775,10 +2775,10 @@ diff -up openssh-5.5p1/sshd.c.gsskex openssh-5.5p1/sshd.c kex->server = 1; kex->client_version_string=client_version_string; kex->server_version_string=server_version_string; -diff -up openssh-5.5p1/sshd_config.5.gsskex openssh-5.5p1/sshd_config.5 ---- openssh-5.5p1/sshd_config.5.gsskex 2010-05-13 15:59:54.000000000 +0200 -+++ openssh-5.5p1/sshd_config.5 2010-05-13 16:00:00.000000000 +0200 -@@ -379,12 +379,40 @@ Specifies whether user authentication ba +diff -up openssh-5.6p1/sshd_config.5.gsskex openssh-5.6p1/sshd_config.5 +--- openssh-5.6p1/sshd_config.5.gsskex 2010-08-23 12:51:56.000000000 +0200 ++++ openssh-5.6p1/sshd_config.5 2010-08-23 12:51:59.000000000 +0200 +@@ -424,12 +424,40 @@ Specifies whether user authentication ba The default is .Dq no . Note that this option applies to protocol version 2 only. 
@@ -2819,9 +2819,9 @@ diff -up openssh-5.5p1/sshd_config.5.gsskex openssh-5.5p1/sshd_config.5 .It Cm HostbasedAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed -diff -up openssh-5.5p1/sshd_config.gsskex openssh-5.5p1/sshd_config ---- openssh-5.5p1/sshd_config.gsskex 2010-05-13 15:59:54.000000000 +0200 -+++ openssh-5.5p1/sshd_config 2010-05-13 16:00:00.000000000 +0200 +diff -up openssh-5.6p1/sshd_config.gsskex openssh-5.6p1/sshd_config +--- openssh-5.6p1/sshd_config.gsskex 2010-08-23 12:51:56.000000000 +0200 ++++ openssh-5.6p1/sshd_config 2010-08-23 12:51:59.000000000 +0200 @@ -78,6 +78,8 @@ ChallengeResponseAuthentication no GSSAPIAuthentication yes #GSSAPICleanupCredentials yes @@ -2831,9 +2831,9 @@ diff -up openssh-5.5p1/sshd_config.gsskex openssh-5.5p1/sshd_config # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will -diff -up openssh-5.5p1/ssh-gss.h.gsskex openssh-5.5p1/ssh-gss.h ---- openssh-5.5p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200 -+++ openssh-5.5p1/ssh-gss.h 2010-05-13 16:00:00.000000000 +0200 +diff -up openssh-5.6p1/ssh-gss.h.gsskex openssh-5.6p1/ssh-gss.h +--- openssh-5.6p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200 ++++ openssh-5.6p1/ssh-gss.h 2010-08-23 12:51:59.000000000 +0200 @@ -1,6 +1,6 @@ /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */ /* diff --git a/openssh-5.5p1-keygen.patch b/openssh-5.6p1-keygen.patch similarity index 64% rename from openssh-5.5p1-keygen.patch rename to openssh-5.6p1-keygen.patch index c7a8fb4..9d7fce2 100644 --- a/openssh-5.5p1-keygen.patch +++ b/openssh-5.6p1-keygen.patch 
@@ -1,6 +1,6 @@ -diff -up openssh-5.5p1/ssh-keygen.0.keygen openssh-5.5p1/ssh-keygen.0 ---- openssh-5.5p1/ssh-keygen.0.keygen 2010-04-16 02:17:11.000000000 +0200 -+++ openssh-5.5p1/ssh-keygen.0 2010-05-04 08:19:22.000000000 +0200 +diff -up openssh-5.6p1/ssh-keygen.0.keygen openssh-5.6p1/ssh-keygen.0 +--- openssh-5.6p1/ssh-keygen.0.keygen 2010-08-22 16:30:03.000000000 +0200 ++++ openssh-5.6p1/ssh-keygen.0 2010-08-23 12:37:19.000000000 +0200 @@ -4,7 +4,7 @@ NAME ssh-keygen - authentication key generation, management and conversion @@ -9,8 +9,8 @@ diff -up openssh-5.5p1/ssh-keygen.0.keygen openssh-5.5p1/ssh-keygen.0 + ssh-keygen [-q] [-o] [-b bits] -t type [-N new_passphrase] [-C comment] [-f output_keyfile] ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile] - ssh-keygen -i [-f input_keyfile] -@@ -222,6 +222,8 @@ DESCRIPTION + ssh-keygen -i [-m key_format] [-f input_keyfile] +@@ -232,6 +232,8 @@ DESCRIPTION -q Silence ssh-keygen. Used by /etc/rc when creating a new key. @@ -19,18 +19,18 @@ diff -up openssh-5.5p1/ssh-keygen.0.keygen openssh-5.5p1/ssh-keygen.0 -R hostname Removes all keys belonging to hostname from a known_hosts file. This option is useful to delete hashed hosts (see the -H option -diff -up openssh-5.5p1/ssh-keygen.1.keygen openssh-5.5p1/ssh-keygen.1 ---- openssh-5.5p1/ssh-keygen.1.keygen 2010-03-21 19:57:49.000000000 +0100 -+++ openssh-5.5p1/ssh-keygen.1 2010-05-04 08:19:22.000000000 +0200 +diff -up openssh-5.6p1/ssh-keygen.1.keygen openssh-5.6p1/ssh-keygen.1 +--- openssh-5.6p1/ssh-keygen.1.keygen 2010-08-05 05:05:32.000000000 +0200 ++++ openssh-5.6p1/ssh-keygen.1 2010-08-23 12:36:25.000000000 +0200 @@ -47,6 +47,7 @@ - .Nm ssh-keygen .Bk -words + .Nm ssh-keygen .Op Fl q +.Op Fl o .Op Fl b Ar bits .Fl t Ar type .Op Fl N Ar new_passphrase -@@ -370,6 +371,8 @@ Silence +@@ -397,6 +398,8 @@ Silence Used by .Pa /etc/rc when creating a new key. 
@@ -39,9 +39,9 @@ diff -up openssh-5.5p1/ssh-keygen.1.keygen openssh-5.5p1/ssh-keygen.1 .It Fl R Ar hostname Removes all keys belonging to .Ar hostname -diff -up openssh-5.5p1/ssh-keygen.c.keygen openssh-5.5p1/ssh-keygen.c ---- openssh-5.5p1/ssh-keygen.c.keygen 2010-03-21 19:58:24.000000000 +0100 -+++ openssh-5.5p1/ssh-keygen.c 2010-05-04 08:22:22.000000000 +0200 +diff -up openssh-5.6p1/ssh-keygen.c.keygen openssh-5.6p1/ssh-keygen.c +--- openssh-5.6p1/ssh-keygen.c.keygen 2010-08-05 05:05:32.000000000 +0200 ++++ openssh-5.6p1/ssh-keygen.c 2010-08-23 12:34:40.000000000 +0200 @@ -72,6 +72,7 @@ int change_passphrase = 0; int change_comment = 0; @@ -50,16 +50,16 @@ diff -up openssh-5.5p1/ssh-keygen.c.keygen openssh-5.5p1/ssh-keygen.c int log_level = SYSLOG_LEVEL_INFO; -@@ -1540,7 +1541,7 @@ main(int argc, char **argv) +@@ -1798,7 +1799,7 @@ main(int argc, char **argv) exit(1); } -- while ((opt = getopt(argc, argv, "degiqpclBHLhvxXyF:b:f:t:D:I:P:N:n:" -+ while ((opt = getopt(argc, argv, "degiqopclBHLhvxXyF:b:f:t:D:I:P:N:n:" - "O:C:r:g:R:T:G:M:S:s:a:V:W:")) != -1) { +- while ((opt = getopt(argc, argv, "degiqpclBHLhvxXyF:b:f:t:D:I:P:m:N:n:" ++ while ((opt = getopt(argc, argv, "degiqopclBHLhvxXyF:b:f:t:D:I:P:m:N:n:" + "O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) { switch (opt) { case 'b': -@@ -1605,6 +1606,9 @@ main(int argc, char **argv) +@@ -1878,6 +1879,9 @@ main(int argc, char **argv) case 'q': quiet = 1; break; @@ -69,8 +69,8 @@ diff -up openssh-5.5p1/ssh-keygen.c.keygen openssh-5.5p1/ssh-keygen.c case 'e': case 'x': /* export key */ -@@ -1835,7 +1839,7 @@ main(int argc, char **argv) - printf("Created directory '%s'.\n", dotsshdir); +@@ -2124,7 +2128,7 @@ main(int argc, char **argv) + } } /* If the file already exists, ask the user to confirm. */ - if (stat(identity_file, &st) >= 0) { 
diff --git a/openssh-5.5p1-kuserok.patch b/openssh-5.6p1-kuserok.patch similarity index 68% rename from openssh-5.5p1-kuserok.patch rename to openssh-5.6p1-kuserok.patch index 2390745..7754032 100644 --- a/openssh-5.5p1-kuserok.patch +++ b/openssh-5.6p1-kuserok.patch @@ -1,6 +1,6 @@ -diff -up openssh-5.5p1/auth-krb5.c.kuserok openssh-5.5p1/auth-krb5.c ---- openssh-5.5p1/auth-krb5.c.kuserok 2010-07-07 13:12:01.000000000 +0200 -+++ openssh-5.5p1/auth-krb5.c 2010-07-07 13:12:03.000000000 +0200 +diff -up openssh-5.6p1/auth-krb5.c.kuserok openssh-5.6p1/auth-krb5.c +--- openssh-5.6p1/auth-krb5.c.kuserok 2010-08-23 13:01:19.000000000 +0200 ++++ openssh-5.6p1/auth-krb5.c 2010-08-23 13:01:21.000000000 +0200 @@ -146,9 +146,11 @@ auth_krb5_password(Authctxt *authctxt, c if (problem) goto out; @@ -16,18 +16,18 @@ diff -up openssh-5.5p1/auth-krb5.c.kuserok openssh-5.5p1/auth-krb5.c } problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache); -diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c ---- openssh-5.5p1/servconf.c.kuserok 2010-07-07 13:12:02.000000000 +0200 -+++ openssh-5.5p1/servconf.c 2010-07-07 13:12:04.000000000 +0200 -@@ -137,6 +137,7 @@ initialize_server_options(ServerOptions - options->zero_knowledge_password_authentication = -1; +diff -up openssh-5.6p1/servconf.c.kuserok openssh-5.6p1/servconf.c +--- openssh-5.6p1/servconf.c.kuserok 2010-08-23 13:01:20.000000000 +0200 ++++ openssh-5.6p1/servconf.c 2010-08-23 13:02:14.000000000 +0200 +@@ -138,6 +138,7 @@ initialize_server_options(ServerOptions options->revoked_keys_file = NULL; options->trusted_user_ca_keys = NULL; + options->authorized_principals_file = NULL; + options->use_kuserok = -1; } void -@@ -285,6 +286,8 @@ fill_default_server_options(ServerOption +@@ -286,6 +287,8 @@ fill_default_server_options(ServerOption if (use_privsep == -1) use_privsep = 1; 
@@ -36,7 +36,7 @@ diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c #ifndef HAVE_MMAP if (use_privsep && options->compression == 1) { error("This platform does not support both privilege " -@@ -306,7 +309,7 @@ typedef enum { +@@ -307,7 +310,7 @@ typedef enum { sPermitRootLogin, sLogFacility, sLogLevel, sRhostsRSAAuthentication, sRSAAuthentication, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, @@ -45,7 +45,7 @@ diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c sKerberosTgtPassing, sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sAddressFamily, -@@ -376,11 +379,13 @@ static struct { +@@ -377,11 +380,13 @@ static struct { #else { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, #endif @@ -59,7 +59,7 @@ diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c #endif { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, -@@ -1335,6 +1340,10 @@ process_server_config_line(ServerOptions +@@ -1341,6 +1346,10 @@ process_server_config_line(ServerOptions *activep = value; break; @@ -70,7 +70,7 @@ diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c case sPermitOpen: arg = strdelim(&cp); if (!arg || *arg == '\0') -@@ -1517,6 +1526,7 @@ copy_set_server_options(ServerOptions *d +@@ -1525,6 +1534,7 @@ copy_set_server_options(ServerOptions *d M_CP_INTOPT(x11_use_localhost); M_CP_INTOPT(max_sessions); M_CP_INTOPT(max_authtries); @@ -78,7 +78,7 @@ diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c M_CP_STROPT(banner); if (preauth) -@@ -1734,6 +1744,7 @@ dump_config(ServerOptions *o) +@@ -1745,6 +1755,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sUseDNS, o->use_dns); dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); 
@@ -86,9 +86,9 @@ diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); -diff -up openssh-5.5p1/servconf.h.kuserok openssh-5.5p1/servconf.h ---- openssh-5.5p1/servconf.h.kuserok 2010-07-07 13:12:02.000000000 +0200 -+++ openssh-5.5p1/servconf.h 2010-07-07 13:12:04.000000000 +0200 +diff -up openssh-5.6p1/servconf.h.kuserok openssh-5.6p1/servconf.h +--- openssh-5.6p1/servconf.h.kuserok 2010-08-23 13:01:20.000000000 +0200 ++++ openssh-5.6p1/servconf.h 2010-08-23 13:01:21.000000000 +0200 @@ -157,6 +157,7 @@ typedef struct { int num_permitted_opens; @@ -97,10 +97,10 @@ diff -up openssh-5.5p1/servconf.h.kuserok openssh-5.5p1/servconf.h char *chroot_directory; char *revoked_keys_file; char *trusted_user_ca_keys; -diff -up openssh-5.5p1/sshd_config.5.kuserok openssh-5.5p1/sshd_config.5 ---- openssh-5.5p1/sshd_config.5.kuserok 2010-07-07 13:12:03.000000000 +0200 -+++ openssh-5.5p1/sshd_config.5 2010-07-07 13:21:02.000000000 +0200 -@@ -519,6 +519,10 @@ Specifies whether to automatically destr +diff -up openssh-5.6p1/sshd_config.5.kuserok openssh-5.6p1/sshd_config.5 +--- openssh-5.6p1/sshd_config.5.kuserok 2010-08-23 13:01:21.000000000 +0200 ++++ openssh-5.6p1/sshd_config.5 2010-08-23 13:03:15.000000000 +0200 +@@ -564,6 +564,10 @@ Specifies whether to automatically destr file on logout. The default is .Dq yes . 
@@ -111,17 +111,17 @@ diff -up openssh-5.5p1/sshd_config.5.kuserok openssh-5.5p1/sshd_config.5 .It Cm KeyRegenerationInterval In protocol version 1, the ephemeral server key is automatically regenerated after this many seconds (if it has been used). -@@ -644,6 +648,7 @@ Available keywords are - .Cm HostbasedAuthentication , +@@ -694,6 +698,7 @@ Available keywords are + .Cm HostbasedUsesNameFromPacketOnly , .Cm KbdInteractiveAuthentication , .Cm KerberosAuthentication , +.Cm KerberosUseKuserok , .Cm MaxAuthTries , .Cm MaxSessions , .Cm PubkeyAuthentication , -diff -up openssh-5.5p1/sshd_config.kuserok openssh-5.5p1/sshd_config ---- openssh-5.5p1/sshd_config.kuserok 2010-07-07 13:12:03.000000000 +0200 -+++ openssh-5.5p1/sshd_config 2010-07-07 13:12:04.000000000 +0200 +diff -up openssh-5.6p1/sshd_config.kuserok openssh-5.6p1/sshd_config +--- openssh-5.6p1/sshd_config.kuserok 2010-08-23 13:01:21.000000000 +0200 ++++ openssh-5.6p1/sshd_config 2010-08-23 13:01:21.000000000 +0200 @@ -72,6 +72,7 @@ ChallengeResponseAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes diff --git a/openssh-5.5p1-ldap.patch b/openssh-5.6p1-ldap.patch similarity index 95% rename from openssh-5.5p1-ldap.patch rename to openssh-5.6p1-ldap.patch index 172477f..1010a8c 100644 --- a/openssh-5.5p1-ldap.patch +++ b/openssh-5.6p1-ldap.patch @@ -1,6 +1,6 @@ -diff -up openssh-5.5p1/configure.ac.ldap openssh-5.5p1/configure.ac ---- openssh-5.5p1/configure.ac.ldap 2010-07-07 14:36:34.000000000 +0200 -+++ openssh-5.5p1/configure.ac 2010-07-07 14:36:34.000000000 +0200 +diff -up openssh-5.6p1/configure.ac.ldap openssh-5.6p1/configure.ac +--- openssh-5.6p1/configure.ac.ldap 2010-08-23 12:28:11.000000000 +0200 ++++ openssh-5.6p1/configure.ac 2010-08-23 12:28:11.000000000 +0200 @@ -1358,6 +1358,106 @@ AC_ARG_WITH(authorized-keys-command, ] ) 
@@ -108,9 +108,9 @@ diff -up openssh-5.5p1/configure.ac.ldap openssh-5.5p1/configure.ac dnl Checks for library functions. Please keep in alphabetical order AC_CHECK_FUNCS( \ arc4random \ -diff -up openssh-5.5p1/ldapbody.c.ldap openssh-5.5p1/ldapbody.c ---- openssh-5.5p1/ldapbody.c.ldap 2010-07-07 14:36:34.000000000 +0200 -+++ openssh-5.5p1/ldapbody.c 2010-07-07 14:36:34.000000000 +0200 +diff -up openssh-5.6p1/ldapbody.c.ldap openssh-5.6p1/ldapbody.c +--- openssh-5.6p1/ldapbody.c.ldap 2010-08-23 12:28:11.000000000 +0200 ++++ openssh-5.6p1/ldapbody.c 2010-08-23 12:28:11.000000000 +0200 @@ -0,0 +1,494 @@ +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -606,9 +606,9 @@ diff -up openssh-5.5p1/ldapbody.c.ldap openssh-5.5p1/ldapbody.c + return; +} + -diff -up openssh-5.5p1/ldapbody.h.ldap openssh-5.5p1/ldapbody.h ---- openssh-5.5p1/ldapbody.h.ldap 2010-07-07 14:36:34.000000000 +0200 -+++ openssh-5.5p1/ldapbody.h 2010-07-07 14:36:34.000000000 +0200 +diff -up openssh-5.6p1/ldapbody.h.ldap openssh-5.6p1/ldapbody.h +--- openssh-5.6p1/ldapbody.h.ldap 2010-08-23 12:28:11.000000000 +0200 ++++ openssh-5.6p1/ldapbody.h 2010-08-23 12:28:11.000000000 +0200 @@ -0,0 +1,37 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -647,9 +647,9 @@ diff -up openssh-5.5p1/ldapbody.h.ldap openssh-5.5p1/ldapbody.h + +#endif /* LDAPBODY_H */ + -diff -up openssh-5.5p1/ldapconf.c.ldap openssh-5.5p1/ldapconf.c ---- openssh-5.5p1/ldapconf.c.ldap 2010-07-07 14:36:34.000000000 +0200 -+++ openssh-5.5p1/ldapconf.c 2010-07-07 14:36:34.000000000 +0200 +diff -up openssh-5.6p1/ldapconf.c.ldap openssh-5.6p1/ldapconf.c +--- openssh-5.6p1/ldapconf.c.ldap 2010-08-23 12:28:11.000000000 +0200 ++++ openssh-5.6p1/ldapconf.c 2010-08-23 12:28:11.000000000 +0200 @@ -0,0 +1,682 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* 
@@ -1333,9 +1333,9 @@ diff -up openssh-5.5p1/ldapconf.c.ldap openssh-5.5p1/ldapconf.c + dump_cfg_string(lSSH_Filter, options.ssh_filter); +} + -diff -up openssh-5.5p1/ldapconf.h.ldap openssh-5.5p1/ldapconf.h ---- openssh-5.5p1/ldapconf.h.ldap 2010-07-07 14:36:34.000000000 +0200 -+++ openssh-5.5p1/ldapconf.h 2010-07-07 14:36:34.000000000 +0200 +diff -up openssh-5.6p1/ldapconf.h.ldap openssh-5.6p1/ldapconf.h +--- openssh-5.6p1/ldapconf.h.ldap 2010-08-23 12:28:11.000000000 +0200 ++++ openssh-5.6p1/ldapconf.h 2010-08-23 12:28:11.000000000 +0200 @@ -0,0 +1,71 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1408,9 +1408,9 @@ diff -up openssh-5.5p1/ldapconf.h.ldap openssh-5.5p1/ldapconf.h +void dump_config(void); + +#endif /* LDAPCONF_H */ -diff -up openssh-5.5p1/ldap.conf.ldap openssh-5.5p1/ldap.conf ---- openssh-5.5p1/ldap.conf.ldap 2010-07-07 14:36:34.000000000 +0200 -+++ openssh-5.5p1/ldap.conf 2010-07-07 14:36:34.000000000 +0200 +diff -up openssh-5.6p1/ldap.conf.ldap openssh-5.6p1/ldap.conf +--- openssh-5.6p1/ldap.conf.ldap 2010-08-23 12:28:11.000000000 +0200 ++++ openssh-5.6p1/ldap.conf 2010-08-23 12:28:11.000000000 +0200 @@ -0,0 +1,88 @@ +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $ +# @@ -1500,9 +1500,9 @@ diff -up openssh-5.5p1/ldap.conf.ldap openssh-5.5p1/ldap.conf +#tls_cert +#tls_key + -diff -up openssh-5.5p1/ldap-helper.c.ldap openssh-5.5p1/ldap-helper.c ---- openssh-5.5p1/ldap-helper.c.ldap 2010-07-07 14:36:34.000000000 +0200 -+++ openssh-5.5p1/ldap-helper.c 2010-07-07 14:36:34.000000000 +0200 +diff -up openssh-5.6p1/ldap-helper.c.ldap openssh-5.6p1/ldap-helper.c +--- openssh-5.6p1/ldap-helper.c.ldap 2010-08-23 12:28:11.000000000 +0200 ++++ openssh-5.6p1/ldap-helper.c 2010-08-23 12:28:11.000000000 +0200 @@ -0,0 +1,154 @@ +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* 
@@ -1658,9 +1658,9 @@ diff -up openssh-5.5p1/ldap-helper.c.ldap openssh-5.5p1/ldap-helper.c +void *buffer_get_string(Buffer *b, u_int *l) {} +void buffer_put_string(Buffer *b, const void *f, u_int l) {} + -diff -up openssh-5.5p1/ldap-helper.h.ldap openssh-5.5p1/ldap-helper.h ---- openssh-5.5p1/ldap-helper.h.ldap 2010-07-07 14:36:34.000000000 +0200 -+++ openssh-5.5p1/ldap-helper.h 2010-07-07 14:36:34.000000000 +0200 +diff -up openssh-5.6p1/ldap-helper.h.ldap openssh-5.6p1/ldap-helper.h +--- openssh-5.6p1/ldap-helper.h.ldap 2010-08-23 12:28:11.000000000 +0200 ++++ openssh-5.6p1/ldap-helper.h 2010-08-23 12:28:11.000000000 +0200 @@ -0,0 +1,32 @@ +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1694,9 +1694,9 @@ diff -up openssh-5.5p1/ldap-helper.h.ldap openssh-5.5p1/ldap-helper.h +extern int config_warning_config_file; + +#endif /* LDAP_HELPER_H */ -diff -up openssh-5.5p1/ldapincludes.h.ldap openssh-5.5p1/ldapincludes.h ---- openssh-5.5p1/ldapincludes.h.ldap 2010-07-07 14:36:34.000000000 +0200 -+++ openssh-5.5p1/ldapincludes.h 2010-07-07 14:36:34.000000000 +0200 +diff -up openssh-5.6p1/ldapincludes.h.ldap openssh-5.6p1/ldapincludes.h +--- openssh-5.6p1/ldapincludes.h.ldap 2010-08-23 12:28:11.000000000 +0200 ++++ openssh-5.6p1/ldapincludes.h 2010-08-23 12:28:11.000000000 +0200 @@ -0,0 +1,41 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1739,9 +1739,9 @@ diff -up openssh-5.5p1/ldapincludes.h.ldap openssh-5.5p1/ldapincludes.h +#endif + +#endif /* LDAPINCLUDES_H */ -diff -up openssh-5.5p1/ldapmisc.c.ldap openssh-5.5p1/ldapmisc.c ---- openssh-5.5p1/ldapmisc.c.ldap 2010-07-07 14:36:34.000000000 +0200 -+++ openssh-5.5p1/ldapmisc.c 2010-07-07 14:36:34.000000000 +0200 +diff -up openssh-5.6p1/ldapmisc.c.ldap openssh-5.6p1/ldapmisc.c +--- openssh-5.6p1/ldapmisc.c.ldap 2010-08-23 12:28:11.000000000 +0200 ++++ openssh-5.6p1/ldapmisc.c 2010-08-23 12:28:11.000000000 +0200 @@ -0,0 +1,79 @@ + +#include "ldapincludes.h" 
@@ -1822,9 +1822,9 @@ diff -up openssh-5.5p1/ldapmisc.c.ldap openssh-5.5p1/ldapmisc.c +} +#endif + -diff -up openssh-5.5p1/ldapmisc.h.ldap openssh-5.5p1/ldapmisc.h ---- openssh-5.5p1/ldapmisc.h.ldap 2010-07-07 14:36:35.000000000 +0200 -+++ openssh-5.5p1/ldapmisc.h 2010-07-07 14:36:35.000000000 +0200 +diff -up openssh-5.6p1/ldapmisc.h.ldap openssh-5.6p1/ldapmisc.h +--- openssh-5.6p1/ldapmisc.h.ldap 2010-08-23 12:28:11.000000000 +0200 ++++ openssh-5.6p1/ldapmisc.h 2010-08-23 12:28:11.000000000 +0200 @@ -0,0 +1,35 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1861,9 +1861,9 @@ diff -up openssh-5.5p1/ldapmisc.h.ldap openssh-5.5p1/ldapmisc.h + +#endif /* LDAPMISC_H */ + -diff -up openssh-5.5p1/lpk-user-example.txt.ldap openssh-5.5p1/lpk-user-example.txt ---- openssh-5.5p1/lpk-user-example.txt.ldap 2010-07-07 14:36:35.000000000 +0200 -+++ openssh-5.5p1/lpk-user-example.txt 2010-07-07 14:36:35.000000000 +0200 +diff -up openssh-5.6p1/lpk-user-example.txt.ldap openssh-5.6p1/lpk-user-example.txt +--- openssh-5.6p1/lpk-user-example.txt.ldap 2010-08-23 12:28:11.000000000 +0200 ++++ openssh-5.6p1/lpk-user-example.txt 2010-08-23 12:28:11.000000000 +0200 @@ -0,0 +1,117 @@ + +Post to ML -> User Made Quick Install Doc. @@ -1982,9 +1982,9 @@ diff -up openssh-5.5p1/lpk-user-example.txt.ldap openssh-5.5p1/lpk-user-example. +puTTY). Login should succeed. + +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -diff -up openssh-5.5p1/Makefile.in.ldap openssh-5.5p1/Makefile.in ---- openssh-5.5p1/Makefile.in.ldap 2010-03-13 22:41:34.000000000 +0100 -+++ openssh-5.5p1/Makefile.in 2010-07-07 14:36:35.000000000 +0200 +diff -up openssh-5.6p1/Makefile.in.ldap openssh-5.6p1/Makefile.in +--- openssh-5.6p1/Makefile.in.ldap 2010-05-12 08:51:39.000000000 +0200 ++++ openssh-5.6p1/Makefile.in 2010-08-23 12:29:24.000000000 +0200 
@@ -26,6 +26,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign @@ -2004,26 +2004,9 @@ diff -up openssh-5.5p1/Makefile.in.ldap openssh-5.5p1/Makefile.in LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ -@@ -74,11 +76,11 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b - monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ - kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \ - entropy.o gss-genr.o umac.o jpake.o schnorr.o \ -- ssh-pkcs11.o -+ ssh-pkcs11.o - - SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ - sshconnect.o sshconnect1.o sshconnect2.o mux.o \ -- roaming_common.o roaming_client.o -+ roaming_common.o roaming_client.o - - SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ - sshpty.o sshlogin.o servconf.o serverloop.o \ -@@ -91,10 +93,10 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw - auth2-gss.o gss-serv.o gss-serv-krb5.o \ - loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ +@@ -93,8 +95,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ -- roaming_common.o roaming_serv.o -+ roaming_common.o roaming_serv.o + roaming_common.o roaming_serv.o -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out -MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 @@ -2034,7 +2017,7 @@ diff -up openssh-5.5p1/Makefile.in.ldap openssh-5.5p1/Makefile.in CONFIGFILES=sshd_config.out ssh_config.out moduli.out 
@@ -162,6 +164,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o - $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) + $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) +ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o + $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) @@ -2085,9 +2068,9 @@ diff -up openssh-5.5p1/Makefile.in.ldap openssh-5.5p1/Makefile.in -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 tests interop-tests: $(TARGETS) -diff -up openssh-5.5p1/openssh-lpk-openldap.schema.ldap openssh-5.5p1/openssh-lpk-openldap.schema ---- openssh-5.5p1/openssh-lpk-openldap.schema.ldap 2010-07-07 14:36:35.000000000 +0200 -+++ openssh-5.5p1/openssh-lpk-openldap.schema 2010-07-07 14:36:35.000000000 +0200 +diff -up openssh-5.6p1/openssh-lpk-openldap.schema.ldap openssh-5.6p1/openssh-lpk-openldap.schema +--- openssh-5.6p1/openssh-lpk-openldap.schema.ldap 2010-08-23 12:28:11.000000000 +0200 ++++ openssh-5.6p1/openssh-lpk-openldap.schema 2010-08-23 12:28:11.000000000 +0200 @@ -0,0 +1,21 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey 
@@ -2110,9 +2093,9 @@ diff -up openssh-5.5p1/openssh-lpk-openldap.schema.ldap openssh-5.5p1/openssh-lp + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -diff -up openssh-5.5p1/openssh-lpk-sun.schema.ldap openssh-5.5p1/openssh-lpk-sun.schema ---- openssh-5.5p1/openssh-lpk-sun.schema.ldap 2010-07-07 14:36:35.000000000 +0200 -+++ openssh-5.5p1/openssh-lpk-sun.schema 2010-07-07 14:36:35.000000000 +0200 +diff -up openssh-5.6p1/openssh-lpk-sun.schema.ldap openssh-5.6p1/openssh-lpk-sun.schema +--- openssh-5.6p1/openssh-lpk-sun.schema.ldap 2010-08-23 12:28:11.000000000 +0200 ++++ openssh-5.6p1/openssh-lpk-sun.schema 2010-08-23 12:28:11.000000000 +0200 @@ -0,0 +1,23 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey @@ -2137,9 +2120,9 @@ diff -up openssh-5.5p1/openssh-lpk-sun.schema.ldap openssh-5.5p1/openssh-lpk-sun + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -diff -up openssh-5.5p1/README.lpk.ldap openssh-5.5p1/README.lpk ---- openssh-5.5p1/README.lpk.ldap 2010-07-07 14:36:35.000000000 +0200 -+++ openssh-5.5p1/README.lpk 2010-07-07 14:36:35.000000000 +0200 +diff -up openssh-5.6p1/README.lpk.ldap openssh-5.6p1/README.lpk +--- openssh-5.6p1/README.lpk.ldap 2010-08-23 12:28:11.000000000 +0200 ++++ openssh-5.6p1/README.lpk 2010-08-23 12:28:11.000000000 +0200 @@ -0,0 +1,274 @@ +OpenSSH LDAP PUBLIC KEY PATCH +Copyright (c) 2003 Eric AUGE (eau@phear.org) 
@@ -2415,9 +2398,9 @@ diff -up openssh-5.5p1/README.lpk.ldap openssh-5.5p1/README.lpk +- CONTACT : + Jan F. Chadima + -diff -up openssh-5.5p1/ssh-ldap.conf.5.ldap openssh-5.5p1/ssh-ldap.conf.5 ---- openssh-5.5p1/ssh-ldap.conf.5.ldap 2010-07-07 14:36:35.000000000 +0200 -+++ openssh-5.5p1/ssh-ldap.conf.5 2010-07-07 14:36:35.000000000 +0200 +diff -up openssh-5.6p1/ssh-ldap.conf.5.ldap openssh-5.6p1/ssh-ldap.conf.5 +--- openssh-5.6p1/ssh-ldap.conf.5.ldap 2010-08-23 12:28:11.000000000 +0200 ++++ openssh-5.6p1/ssh-ldap.conf.5 2010-08-23 12:28:11.000000000 +0200 @@ -0,0 +1,373 @@ +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" @@ -2792,9 +2775,9 @@ diff -up openssh-5.5p1/ssh-ldap.conf.5.ldap openssh-5.5p1/ssh-ldap.conf.5 +OpenSSH 5.5 + PKA-LDAP . +.Sh AUTHORS +.An Jan F. Chadima Aq jchadima@redhat.com -diff -up openssh-5.5p1/ssh-ldap-helper.8.ldap openssh-5.5p1/ssh-ldap-helper.8 ---- openssh-5.5p1/ssh-ldap-helper.8.ldap 2010-07-07 14:36:35.000000000 +0200 -+++ openssh-5.5p1/ssh-ldap-helper.8 2010-07-07 14:36:35.000000000 +0200 +diff -up openssh-5.6p1/ssh-ldap-helper.8.ldap openssh-5.6p1/ssh-ldap-helper.8 +--- openssh-5.6p1/ssh-ldap-helper.8.ldap 2010-08-23 12:28:11.000000000 +0200 ++++ openssh-5.6p1/ssh-ldap-helper.8 2010-08-23 12:28:11.000000000 +0200 @@ -0,0 +1,78 @@ +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" diff --git a/openssh-5.5p1-mls.patch b/openssh-5.6p1-mls.patch similarity index 91% rename from openssh-5.5p1-mls.patch rename to openssh-5.6p1-mls.patch index 3c12716..ee8a8ef 100644 --- a/openssh-5.5p1-mls.patch +++ b/openssh-5.6p1-mls.patch 
@@ -1,7 +1,7 @@ -diff -up openssh-5.4p1/configure.ac.mls openssh-5.4p1/configure.ac ---- openssh-5.4p1/configure.ac.mls 2010-03-01 15:24:27.000000000 +0100 -+++ openssh-5.4p1/configure.ac 2010-03-01 15:24:28.000000000 +0100 -@@ -3360,6 +3360,7 @@ AC_ARG_WITH(selinux, +diff -up openssh-5.6p1/configure.ac.mls openssh-5.6p1/configure.ac +--- openssh-5.6p1/configure.ac.mls 2010-08-23 12:11:36.000000000 +0200 ++++ openssh-5.6p1/configure.ac 2010-08-23 12:11:36.000000000 +0200 +@@ -3390,6 +3390,7 @@ AC_ARG_WITH(selinux, SSHDLIBS="$SSHDLIBS $LIBSELINUX" LIBS="$LIBS $LIBSELINUX" AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) @@ -9,23 +9,21 @@ diff -up openssh-5.4p1/configure.ac.mls openssh-5.4p1/configure.ac LIBS="$save_LIBS" fi ] ) -diff -up openssh-5.4p1/misc.c.mls openssh-5.4p1/misc.c ---- openssh-5.4p1/misc.c.mls 2010-01-10 00:31:12.000000000 +0100 -+++ openssh-5.4p1/misc.c 2010-03-01 15:24:28.000000000 +0100 -@@ -423,6 +423,7 @@ char * +diff -up openssh-5.6p1/misc.c.mls openssh-5.6p1/misc.c +--- openssh-5.6p1/misc.c.mls 2010-08-03 08:05:05.000000000 +0200 ++++ openssh-5.6p1/misc.c 2010-08-23 12:14:16.000000000 +0200 +@@ -424,6 +424,7 @@ char * colon(char *cp) { int flag = 0; + int start = 1; if (*cp == ':') /* Leading colon is part of file name. */ - return (0); -@@ -436,8 +437,13 @@ colon(char *cp) - return (cp+1); - if (*cp == ':' && !flag) + return NULL; +@@ -439,6 +440,13 @@ colon(char *cp) return (cp); -- if (*cp == '/') -- return (0); + if (*cp == '/') + return NULL; + if (start) { + /* Slash on beginning or after dots only denotes file name. */ + if (*cp == '/') 
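Review bot: The rebased misc.c hunk (`+@@ -439,6 +440,13 @@ colon(char *cp)`) keeps upstream's unconditional `if (*cp == '/')` / `return NULL;` as context lines immediately before the new `if (start) {` block, whereas the previous version of this patch deleted them (its inner hunk went 8→13 lines with two `-` lines; the new one goes 6→13 with none, which is also why the outer hunk shrinks from 23 to 21 lines). With that early return still in place, the `if (*cp == '/')` test inside the `start` block can never be reached with a slash, so the behaviour the added comment describes — a slash ends the file name only at the beginning or after dots — appears never to be applied and colon() still stops at the first `/` as unpatched 5.6p1 does. If that behaviour is still wanted, the two context lines need to become `-` lines in the inner diff again; if it was intentionally dropped, the `int start = 1;` bookkeeping and the comment should go too. The rest of the `if (start)` block lies past this hunk, so what the inner branch does on a slash is not visible here.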
@@ -34,11 +32,11 @@ diff -up openssh-5.4p1/misc.c.mls openssh-5.4p1/misc.c + start = 0; + } } - return (0); + return NULL; } -diff -up openssh-5.4p1/openbsd-compat/port-linux.c.mls openssh-5.4p1/openbsd-compat/port-linux.c ---- openssh-5.4p1/openbsd-compat/port-linux.c.mls 2010-03-01 15:24:27.000000000 +0100 -+++ openssh-5.4p1/openbsd-compat/port-linux.c 2010-03-01 15:25:50.000000000 +0100 +diff -up openssh-5.6p1/openbsd-compat/port-linux.c.mls openssh-5.6p1/openbsd-compat/port-linux.c +--- openssh-5.6p1/openbsd-compat/port-linux.c.mls 2010-08-23 12:11:36.000000000 +0200 ++++ openssh-5.6p1/openbsd-compat/port-linux.c 2010-08-23 12:11:37.000000000 +0200 @@ -35,13 +35,24 @@ #include "key.h" #include "hostfile.h" @@ -417,10 +415,10 @@ diff -up openssh-5.4p1/openbsd-compat/port-linux.c.mls openssh-5.4p1/openbsd-com /* XXX: should these calls fatal() upon failure in enforcing mode? */ -diff -up openssh-5.4p1/sshd.c.mls openssh-5.4p1/sshd.c ---- openssh-5.4p1/sshd.c.mls 2010-03-01 15:24:27.000000000 +0100 -+++ openssh-5.4p1/sshd.c 2010-03-01 15:24:28.000000000 +0100 -@@ -1987,6 +1987,9 @@ main(int ac, char **av) +diff -up openssh-5.6p1/sshd.c.mls openssh-5.6p1/sshd.c +--- openssh-5.6p1/sshd.c.mls 2010-08-23 12:11:36.000000000 +0200 ++++ openssh-5.6p1/sshd.c 2010-08-23 12:11:37.000000000 +0200 +@@ -1997,6 +1997,9 @@ main(int ac, char **av) restore_uid(); } #endif diff --git a/openssh-5.3p1-selabel.patch b/openssh-5.6p1-selabel.patch similarity index 50% rename from openssh-5.3p1-selabel.patch rename to openssh-5.6p1-selabel.patch index 6e5d6bd..459164f 100644 --- a/openssh-5.3p1-selabel.patch +++ b/openssh-5.6p1-selabel.patch 
@@ -1,19 +1,19 @@ -diff -up openssh-5.3p1/contrib/ssh-copy-id.selabel openssh-5.3p1/contrib/ssh-copy-id ---- openssh-5.3p1/contrib/ssh-copy-id.selabel 2009-01-21 10:29:21.000000000 +0100 -+++ openssh-5.3p1/contrib/ssh-copy-id 2009-10-02 14:21:54.000000000 +0200 -@@ -38,7 +38,7 @@ if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || - exit 1 - fi +diff -up openssh-5.6p1/contrib/ssh-copy-id.selabel openssh-5.6p1/contrib/ssh-copy-id +--- openssh-5.6p1/contrib/ssh-copy-id.selabel 2010-08-10 05:36:09.000000000 +0200 ++++ openssh-5.6p1/contrib/ssh-copy-id 2010-08-23 12:50:20.000000000 +0200 +@@ -41,7 +41,7 @@ fi + # strip any trailing colon + host=`echo $1 | sed 's/:$//'` --{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1 -+{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys; test -x /sbin/restorecon && /sbin/restorecon .ssh .ssh/authorized_keys" || exit 1 +-{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys" || exit 1 ++{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys; test -x /sbin/restorecon && /sbin/restorecon ~/.ssh ~/.ssh/authorized_keys" || exit 1 cat < #include @@ -33,7 +33,7 @@ diff -up openssh-5.3p1/ssh.c.selabel openssh-5.3p1/ssh.c #include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/sys-queue.h" -@@ -792,10 +793,15 @@ main(int ac, char **av) +@@ -848,10 +849,15 @@ main(int ac, char **av) */ r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir, strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR); diff --git a/openssh.spec b/openssh.spec index c54bd02..92d712b 100644 --- a/openssh.spec +++ b/openssh.spec 
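Review bot: In the rebased ssh-copy-id line (`++{ eval "$GET_ID" ; } | ssh $host "...; cat >> ~/.ssh/authorized_keys; test -x /sbin/restorecon && /sbin/restorecon ..."`) the remote shell's exit status is that of its last list, `test -x /sbin/restorecon && ...`, so on a target without /sbin/restorecon the remote command exits non-zero, the outer `|| exit 1` fires and ssh-copy-id reports failure although the key was appended; conversely a failed `cat >>` is masked whenever restorecon exists and succeeds. Upstream's line keeps `cat` last precisely so its status propagates to `|| exit 1`. A shape that preserves both outcomes is `cat >> ~/.ssh/authorized_keys || exit 1; if test -x /sbin/restorecon; then /sbin/restorecon ~/.ssh ~/.ssh/authorized_keys; fi`. The same construct was already in the 5.3p1 version of this patch; the rebase only carries it forward.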
@@ -73,7 +73,7 @@ %define openssh_ver 5.6p1 %define openssh_rel 1 %define pam_ssh_agent_ver 0.9.2 -%define pam_ssh_agent_rel 26 +%define pam_ssh_agent_rel 27 Summary: An open source implementation of SSH protocol versions 1 and 2 Name: openssh 
@@ -94,44 +94,38 @@ Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/p Source5: pam_ssh_agent-rmheaders Patch0: openssh-5.4p1-redhat.patch -#https://bugzilla.mindrot.org/show_bug.cgi?id=1638 -Patch2: openssh-5.3p1-skip-initial.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 Patch4: openssh-5.2p1-vendor.patch Patch10: pam_ssh_agent_auth-0.9-build.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Patch12: openssh-5.4p1-selinux.patch -Patch13: openssh-5.5p1-mls.patch +Patch13: openssh-5.6p1-mls.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1402 Patch16: openssh-5.3p1-audit.patch Patch18: openssh-5.4p1-pam_selinux.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1663 -Patch20: openssh-5.5p1-authorized-keys-command.patch -Patch21: openssh-5.5p1-ldap.patch +Patch20: openssh-5.6p1-authorized-keys-command.patch +Patch21: openssh-5.6p1-ldap.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1668 -Patch23: openssh-5.5p1-keygen.patch +Patch23: openssh-5.6p1-keygen.patch Patch24: openssh-4.3p1-fromto-remote.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1636 Patch27: openssh-5.1p1-log-in-chroot.patch -Patch30: openssh-4.0p1-exit-deadlock.patch +Patch30: openssh-5.6p1-exit-deadlock.patch Patch35: openssh-5.1p1-askpass-progress.patch Patch38: openssh-4.3p2-askpass-grab-info.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1644 Patch44: openssh-5.2p1-allow-ip-opts.patch Patch49: openssh-4.3p2-gssapi-canohost.patch Patch62: openssh-5.1p1-scp-manpage.patch -Patch65: openssh-5.5p1-fips.patch +Patch65: openssh-5.6p1-fips.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1614 -Patch69: openssh-5.3p1-selabel.patch +Patch69: openssh-5.6p1-selabel.patch Patch71: openssh-5.2p1-edns.patch -Patch73: openssh-5.5p1-gsskex.patch +Patch73: openssh-5.6p1-gsskex.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1701 Patch74: openssh-5.3p1-randclean.patch -#https://bugzilla.mindrot.org/show_bug.cgi?id=1740 -Patch76: 
openssh-5.5p1-staterr.patch -#https://bugzilla.mindrot.org/show_bug.cgi?id=1750 -Patch77: openssh-5.5p1-stderr.patch -Patch78: openssh-5.5p1-kuserok.patch +Patch78: openssh-5.6p1-kuserok.patch Patch79: openssh-5.5p1-x11.patch License: BSD @@ -268,7 +262,6 @@ The module is most useful for su and sudo service stacks. %prep %setup -q -a 4 %patch0 -p1 -b .redhat -%patch2 -p1 -b .skip-initial %patch4 -p1 -b .vendor %if %{pam_ssh_agent} @@ -303,8 +296,6 @@ popd %patch71 -p1 -b .edns %patch73 -p1 -b .gsskex %patch74 -p1 -b .randclean -%patch76 -p1 -b .staterr -%patch77 -p1 -b .stderr %patch78 -p1 -b .kuserok %patch79 -p1 -b .x11
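Review bot: Patch2, Patch76 and Patch77 (and their `%patch2`/`%patch76`/`%patch77` lines in the later hunks) are removed rather than rebased, and nothing in this part of the diff records why; the deleted comment lines tie them to bz#1638, bz#1740 and bz#1750, so a reader cannot tell whether 5.6p1 carries those fixes upstream or whether the packaged behaviour changes. Since every other patch in the list is renumbered and carried forward, a silently dropped one reads as an oversight unless it is documented. Consider a `%changelog` line per dropped patch, e.g. `- drop skip-initial, staterr and stderr patches (bz#1638, bz#1740, bz#1750): <reason, e.g. merged upstream in 5.6p1>`. The spec's %changelog section is outside this chunk, so such an entry may already exist.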