- do not copy /etc/localtime into the chroot as it is not necessary anymore

(#193184)
- call setkeycreatecon when selinux context is established
- test for NULL privk when freeing key (#391871) - patch by Pierre Ossman
This commit is contained in:
Tomáš Mráz 2007-11-20 14:53:45 +00:00
parent 5d613bead0
commit 8b8c4dc83c
4 changed files with 53 additions and 33 deletions

View File

@ -9,7 +9,7 @@
do_rsa1_keygen() {
if [ ! -s $RSA1_KEY ]; then
echo -n $"Generating SSH1 RSA host key: "
@@ -99,12 +101,16 @@
@@ -99,12 +101,14 @@
start()
{
# Create keys if necessary
@ -21,8 +21,6 @@
+ do_rsa_keygen
+ do_dsa_keygen
+ fi
+
+ cp -af /etc/localtime /var/empty/sshd/etc
- echo -n $"Starting $prog:"
- initlog -c "$SSHD $OPTIONS" && success || failure
@ -31,7 +29,7 @@
RETVAL=$?
[ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd
echo
@@ -112,17 +118,30 @@
@@ -112,17 +116,30 @@
stop()
{

View File

@ -359,7 +359,7 @@ diff -up openssh-4.7p1/openbsd-compat/port-linux.c.mls openssh-4.7p1/openbsd-com
security_context_t user_ctx = NULL;
if (!ssh_selinux_enabled())
@@ -126,22 +324,39 @@ ssh_selinux_setup_exec_context(char *pwn
@@ -126,22 +324,45 @@ ssh_selinux_setup_exec_context(char *pwn
debug3("%s: setting execution context", __func__);
@ -371,7 +371,13 @@ diff -up openssh-4.7p1/openbsd-compat/port-linux.c.mls openssh-4.7p1/openbsd-com
+ if (r < 0) {
+ error("%s: Failed to set SELinux execution context %s for %s",
+ __func__, user_ctx, pwname);
+ }
+#ifdef HAVE_SETKEYCREATECON
+ else if (setkeycreatecon(user_ctx) < 0) {
+ error("%s: Failed to set SELinux keyring creation context %s for %s",
+ __func__, user_ctx, pwname);
+ }
+#endif
+ }
+ if (user_ctx == NULL) {
+ user_ctx = default_ctx;
@ -406,7 +412,7 @@ diff -up openssh-4.7p1/openbsd-compat/port-linux.c.mls openssh-4.7p1/openbsd-com
debug3("%s: done", __func__);
}
@@ -159,7 +374,10 @@ ssh_selinux_setup_pty(char *pwname, cons
@@ -159,7 +380,10 @@ ssh_selinux_setup_pty(char *pwname, cons
debug3("%s: setting TTY context on %s", __func__, tty);
@ -418,6 +424,17 @@ diff -up openssh-4.7p1/openbsd-compat/port-linux.c.mls openssh-4.7p1/openbsd-com
/* XXX: should these calls fatal() upon failure in enforcing mode? */
diff -up openssh-4.7p1/configure.ac.mls openssh-4.7p1/configure.ac
--- openssh-4.7p1/configure.ac.mls 2007-10-17 19:05:10.000000000 +0200
+++ openssh-4.7p1/configure.ac 2007-10-17 19:05:38.000000000 +0200
@@ -3213,6 +3213,7 @@ AC_ARG_WITH(selinux,
SSHDLIBS="$SSHDLIBS $LIBSELINUX"
LIBS="$LIBS $LIBSELINUX"
AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
+ AC_CHECK_FUNCS(setkeycreatecon)
LIBS="$save_LIBS"
fi ]
)
diff -up openssh-4.7p1/sshd.c.mls openssh-4.7p1/sshd.c
--- openssh-4.7p1/sshd.c.mls 2007-09-06 17:39:28.000000000 +0200
+++ openssh-4.7p1/sshd.c 2007-09-06 17:39:28.000000000 +0200

View File

@ -1,6 +1,6 @@
diff -up openssh-4.7p1/key.c.nss-keys openssh-4.7p1/key.c
--- openssh-4.7p1/key.c.nss-keys 2007-08-08 06:28:26.000000000 +0200
+++ openssh-4.7p1/key.c 2007-09-06 17:43:59.000000000 +0200
+++ openssh-4.7p1/key.c 2007-11-20 14:40:17.000000000 +0100
@@ -93,6 +93,54 @@ key_new(int type)
return k;
}
@ -62,7 +62,7 @@ diff -up openssh-4.7p1/key.c.nss-keys openssh-4.7p1/key.c
}
+#ifdef HAVE_LIBNSS
+ if (k->flags & KEY_FLAG_NSS) {
+ if (k->nss->privk->wincx != NULL) {
+ if (k->nss->privk != NULL && k->nss->privk->wincx != NULL) {
+ memset(k->nss->privk->wincx, 0,
+ strlen(k->nss->privk->wincx));
+ xfree(k->nss->privk->wincx);
@ -78,7 +78,7 @@ diff -up openssh-4.7p1/key.c.nss-keys openssh-4.7p1/key.c
diff -up openssh-4.7p1/ssh-dss.c.nss-keys openssh-4.7p1/ssh-dss.c
--- openssh-4.7p1/ssh-dss.c.nss-keys 2006-11-07 13:14:42.000000000 +0100
+++ openssh-4.7p1/ssh-dss.c 2007-09-06 17:43:59.000000000 +0200
+++ openssh-4.7p1/ssh-dss.c 2007-11-20 14:26:43.000000000 +0100
@@ -39,6 +39,10 @@
#include "log.h"
#include "key.h"
@ -138,7 +138,7 @@ diff -up openssh-4.7p1/ssh-dss.c.nss-keys openssh-4.7p1/ssh-dss.c
*lenp = SIGBLOB_LEN;
diff -up openssh-4.7p1/ssh-agent.c.nss-keys openssh-4.7p1/ssh-agent.c
--- openssh-4.7p1/ssh-agent.c.nss-keys 2007-03-21 10:45:07.000000000 +0100
+++ openssh-4.7p1/ssh-agent.c 2007-09-06 17:43:59.000000000 +0200
+++ openssh-4.7p1/ssh-agent.c 2007-11-20 14:26:43.000000000 +0100
@@ -79,6 +79,10 @@
#include "scard.h"
#endif
@ -283,7 +283,7 @@ diff -up openssh-4.7p1/ssh-agent.c.nss-keys openssh-4.7p1/ssh-agent.c
error("Unknown message %d", type);
diff -up openssh-4.7p1/authfd.h.nss-keys openssh-4.7p1/authfd.h
--- openssh-4.7p1/authfd.h.nss-keys 2006-08-05 04:39:39.000000000 +0200
+++ openssh-4.7p1/authfd.h 2007-09-06 17:43:59.000000000 +0200
+++ openssh-4.7p1/authfd.h 2007-11-20 14:26:43.000000000 +0100
@@ -49,6 +49,12 @@
#define SSH2_AGENTC_ADD_ID_CONSTRAINED 25
#define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
@ -307,9 +307,9 @@ diff -up openssh-4.7p1/authfd.h.nss-keys openssh-4.7p1/authfd.h
int
ssh_decrypt_challenge(AuthenticationConnection *, Key *, BIGNUM *, u_char[16],
diff -up openssh-4.7p1/configure.ac.nss-keys openssh-4.7p1/configure.ac
--- openssh-4.7p1/configure.ac.nss-keys 2007-09-06 17:43:59.000000000 +0200
+++ openssh-4.7p1/configure.ac 2007-09-06 17:51:48.000000000 +0200
@@ -3228,6 +3228,20 @@ AC_ARG_WITH(linux-audit,
--- openssh-4.7p1/configure.ac.nss-keys 2007-11-20 14:26:43.000000000 +0100
+++ openssh-4.7p1/configure.ac 2007-11-20 14:26:43.000000000 +0100
@@ -3230,6 +3230,20 @@ AC_ARG_WITH(linux-audit,
fi ]
)
@ -330,7 +330,7 @@ diff -up openssh-4.7p1/configure.ac.nss-keys openssh-4.7p1/configure.ac
# Check whether user wants Kerberos 5 support
KRB5_MSG="no"
AC_ARG_WITH(kerberos5,
@@ -4050,6 +4064,7 @@ echo " OSF SIA support
@@ -4052,6 +4066,7 @@ echo " OSF SIA support
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
echo " Linux audit support: $LINUX_AUDIT_MSG"
@ -339,8 +339,8 @@ diff -up openssh-4.7p1/configure.ac.nss-keys openssh-4.7p1/configure.ac
echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
diff -up /dev/null openssh-4.7p1/README.nss
--- /dev/null 2007-09-04 17:17:14.474470098 +0200
+++ openssh-4.7p1/README.nss 2007-09-06 17:43:59.000000000 +0200
--- /dev/null 2007-11-05 08:22:09.502001637 +0100
+++ openssh-4.7p1/README.nss 2007-11-20 14:26:43.000000000 +0100
@@ -0,0 +1,36 @@
+How to use NSS tokens with OpenSSH?
+
@ -380,7 +380,7 @@ diff -up /dev/null openssh-4.7p1/README.nss
+ $ ssh-keygen -n -D 'My PKCS11 Token' 'My Key ID'
diff -up openssh-4.7p1/authfd.c.nss-keys openssh-4.7p1/authfd.c
--- openssh-4.7p1/authfd.c.nss-keys 2006-09-01 07:38:36.000000000 +0200
+++ openssh-4.7p1/authfd.c 2007-09-06 17:43:59.000000000 +0200
+++ openssh-4.7p1/authfd.c 2007-11-20 14:26:43.000000000 +0100
@@ -626,6 +626,45 @@ ssh_update_card(AuthenticationConnection
return decode_reply(type);
}
@ -429,7 +429,7 @@ diff -up openssh-4.7p1/authfd.c.nss-keys openssh-4.7p1/authfd.c
* by normal applications.
diff -up openssh-4.7p1/readconf.h.nss-keys openssh-4.7p1/readconf.h
--- openssh-4.7p1/readconf.h.nss-keys 2006-08-05 04:39:40.000000000 +0200
+++ openssh-4.7p1/readconf.h 2007-09-06 17:43:59.000000000 +0200
+++ openssh-4.7p1/readconf.h 2007-11-20 14:26:43.000000000 +0100
@@ -84,6 +84,8 @@ typedef struct {
char *preferred_authentications;
char *bind_address; /* local socket address for connection to sshd */
@ -440,8 +440,8 @@ diff -up openssh-4.7p1/readconf.h.nss-keys openssh-4.7p1/readconf.h
int num_identity_files; /* Number of files for RSA/DSA identities. */
diff -up /dev/null openssh-4.7p1/nsskeys.c
--- /dev/null 2007-09-04 17:17:14.474470098 +0200
+++ openssh-4.7p1/nsskeys.c 2007-09-06 17:43:59.000000000 +0200
--- /dev/null 2007-11-05 08:22:09.502001637 +0100
+++ openssh-4.7p1/nsskeys.c 2007-11-20 14:26:43.000000000 +0100
@@ -0,0 +1,327 @@
+/*
+ * Copyright (c) 2001 Markus Friedl. All rights reserved.
@ -772,7 +772,7 @@ diff -up /dev/null openssh-4.7p1/nsskeys.c
+#endif /* HAVE_LIBNSS */
diff -up openssh-4.7p1/ssh.c.nss-keys openssh-4.7p1/ssh.c
--- openssh-4.7p1/ssh.c.nss-keys 2007-08-08 06:32:41.000000000 +0200
+++ openssh-4.7p1/ssh.c 2007-09-06 17:43:59.000000000 +0200
+++ openssh-4.7p1/ssh.c 2007-11-20 14:26:43.000000000 +0100
@@ -104,6 +104,9 @@
#ifdef SMARTCARD
#include "scard.h"
@ -825,8 +825,8 @@ diff -up openssh-4.7p1/ssh.c.nss-keys openssh-4.7p1/ssh.c
fatal("load_public_identity_files: getpwuid failed");
if (gethostname(thishost, sizeof(thishost)) == -1)
diff -up /dev/null openssh-4.7p1/nsskeys.h
--- /dev/null 2007-09-04 17:17:14.474470098 +0200
+++ openssh-4.7p1/nsskeys.h 2007-09-06 17:43:59.000000000 +0200
--- /dev/null 2007-11-05 08:22:09.502001637 +0100
+++ openssh-4.7p1/nsskeys.h 2007-11-20 14:26:43.000000000 +0100
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2001 Markus Friedl. All rights reserved.
@ -869,7 +869,7 @@ diff -up /dev/null openssh-4.7p1/nsskeys.h
+#endif
diff -up openssh-4.7p1/Makefile.in.nss-keys openssh-4.7p1/Makefile.in
--- openssh-4.7p1/Makefile.in.nss-keys 2007-06-11 06:01:42.000000000 +0200
+++ openssh-4.7p1/Makefile.in 2007-09-06 17:53:14.000000000 +0200
+++ openssh-4.7p1/Makefile.in 2007-11-20 14:26:43.000000000 +0100
@@ -71,7 +71,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
@ -881,7 +881,7 @@ diff -up openssh-4.7p1/Makefile.in.nss-keys openssh-4.7p1/Makefile.in
sshconnect.o sshconnect1.o sshconnect2.o
diff -up openssh-4.7p1/key.h.nss-keys openssh-4.7p1/key.h
--- openssh-4.7p1/key.h.nss-keys 2006-08-05 04:39:40.000000000 +0200
+++ openssh-4.7p1/key.h 2007-09-06 17:43:59.000000000 +0200
+++ openssh-4.7p1/key.h 2007-11-20 14:26:43.000000000 +0100
@@ -29,11 +29,17 @@
#include <openssl/rsa.h>
#include <openssl/dsa.h>
@ -933,7 +933,7 @@ diff -up openssh-4.7p1/key.h.nss-keys openssh-4.7p1/key.h
int key_equal(const Key *, const Key *);
diff -up openssh-4.7p1/ssh-add.c.nss-keys openssh-4.7p1/ssh-add.c
--- openssh-4.7p1/ssh-add.c.nss-keys 2006-09-01 07:38:37.000000000 +0200
+++ openssh-4.7p1/ssh-add.c 2007-09-06 17:43:59.000000000 +0200
+++ openssh-4.7p1/ssh-add.c 2007-11-20 14:26:43.000000000 +0100
@@ -43,6 +43,14 @@
#include <openssl/evp.h>
@ -1162,7 +1162,7 @@ diff -up openssh-4.7p1/ssh-add.c.nss-keys openssh-4.7p1/ssh-add.c
struct passwd *pw;
diff -up openssh-4.7p1/ssh-rsa.c.nss-keys openssh-4.7p1/ssh-rsa.c
--- openssh-4.7p1/ssh-rsa.c.nss-keys 2006-09-01 07:38:37.000000000 +0200
+++ openssh-4.7p1/ssh-rsa.c 2007-09-06 17:43:59.000000000 +0200
+++ openssh-4.7p1/ssh-rsa.c 2007-11-20 14:26:43.000000000 +0100
@@ -32,6 +32,10 @@
#include "compat.h"
#include "ssh.h"
@ -1235,7 +1235,7 @@ diff -up openssh-4.7p1/ssh-rsa.c.nss-keys openssh-4.7p1/ssh-rsa.c
buffer_put_cstring(&b, "ssh-rsa");
diff -up openssh-4.7p1/ssh-keygen.c.nss-keys openssh-4.7p1/ssh-keygen.c
--- openssh-4.7p1/ssh-keygen.c.nss-keys 2007-02-19 12:10:25.000000000 +0100
+++ openssh-4.7p1/ssh-keygen.c 2007-09-06 17:48:08.000000000 +0200
+++ openssh-4.7p1/ssh-keygen.c 2007-11-20 14:26:43.000000000 +0100
@@ -52,6 +52,11 @@
#include "scard.h"
#endif
@ -1339,7 +1339,7 @@ diff -up openssh-4.7p1/ssh-keygen.c.nss-keys openssh-4.7p1/ssh-keygen.c
if (download)
diff -up openssh-4.7p1/readconf.c.nss-keys openssh-4.7p1/readconf.c
--- openssh-4.7p1/readconf.c.nss-keys 2007-03-21 10:46:03.000000000 +0100
+++ openssh-4.7p1/readconf.c 2007-09-06 17:43:59.000000000 +0200
+++ openssh-4.7p1/readconf.c 2007-11-20 14:26:43.000000000 +0100
@@ -124,6 +124,7 @@ typedef enum {
oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,

View File

@ -63,7 +63,7 @@
Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
Name: openssh
Version: 4.7p1
Release: 2%{?dist}%{?rescue_rel}
Release: 3%{?dist}%{?rescue_rel}
URL: http://www.openssh.com/portable.html
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@ -461,8 +461,6 @@ fi
%files server
%defattr(-,root,root)
%dir %attr(0711,root,root) %{_var}/empty/sshd
%dir %attr(0755,root,root) %{_var}/empty/sshd/etc
%ghost %verify(not md5 size mtime) %{_var}/empty/sshd/etc/localtime
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
@ -482,6 +480,13 @@ fi
%endif
%changelog
* Tue Nov 20 2007 Tomas Mraz <tmraz@redhat.com> - 4.7p1-3
- do not copy /etc/localtime into the chroot as it is not
necessary anymore (#193184)
- call setkeycreatecon when selinux context is established
- test for NULL privk when freeing key (#391871) - patch by
Pierre Ossman
* Mon Sep 17 2007 Tomas Mraz <tmraz@redhat.com> - 4.7p1-2
- revert default window size adjustments (#286181)