rpms/openssh
7
0
Fork 1
Code Issues Pull Requests Releases Activity

- upgrade to new upstream release

Browse Source 
- fixed a problem with public key authentication and explicitely specified
    SELinux role
This commit is contained in:
Tomáš Mráz 2008-07-23 14:50:23 +00:00
parent 077dad7320
commit 93a4744539
11 changed files with 243 additions and 279 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.cvsignore
View File

@ -1 +1 @@
openssh-5.0p1-noacss.tar.bz2 openssh-5.1p1-noacss.tar.bz2

15
openssh-4.5p1-controlcleanup.patch
View File

@ -1,15 +0,0 @@
--- openssh-4.5p1/ssh.c~ 2007-03-24 16:25:18.000000000 +0000
+++ openssh-4.5p1/ssh.c 2007-03-24 16:31:06.000000000 +0000
@@ -1347,7 +1347,11 @@
}
if (errno == ENOENT)
debug("Control socket \"%.100s\" does not exist", path);
- else {
+ else if (errno == ECONNREFUSED) {
+ debug("Control socket connect(%.100s): %s", path,
+ strerror(errno));
+ unlink(path);
+ } else {
error("Control socket connect(%.100s): %s", path,
strerror(errno));
}

85
openssh-4.7p1-master-race.patch
View File

@ -1,85 +0,0 @@
--- openssh-4.7p1/ssh.c.masterrace 2008-03-06 13:55:11.000000000 +0000
+++ openssh-4.7p1/ssh.c 2008-03-06 13:55:19.000000000 +0000
@@ -1065,7 +1065,7 @@ client_global_request_reply_fwd(int type
}
}
-static void
+static int
ssh_control_listener(void)
{
struct sockaddr_un addr;
@@ -1073,10 +1073,11 @@ ssh_control_listener(void)
int addr_len;
if (options.control_path == NULL ||
- options.control_master == SSHCTL_MASTER_NO)
- return;
+ options.control_master == SSHCTL_MASTER_NO ||
+ control_fd != -1)
+ return 1;
- debug("setting up multiplex master socket");
+ debug("trying to set up multiplex master socket");
memset(&addr, '\0', sizeof(addr));
addr.sun_family = AF_UNIX;
@@ -1093,11 +1094,9 @@ ssh_control_listener(void)
old_umask = umask(0177);
if (bind(control_fd, (struct sockaddr *)&addr, addr_len) == -1) {
control_fd = -1;
- if (errno == EINVAL || errno == EADDRINUSE)
- fatal("ControlSocket %s already exists",
- options.control_path);
- else
+ if (errno != EINVAL && errno != EADDRINUSE)
fatal("%s bind(): %s", __func__, strerror(errno));
+ return 0;
}
umask(old_umask);
@@ -1105,6 +1104,9 @@ ssh_control_listener(void)
fatal("%s listen(): %s", __func__, strerror(errno));
set_nonblock(control_fd);
+
+ debug("control master listening on %s", options.control_path);
+ return 1;
}
/* request pty/x11/agent/tcpfwd/shell for channel */
@@ -1196,7 +1198,9 @@ ssh_session2(void)
ssh_init_forwarding();
/* Start listening for multiplex clients */
- ssh_control_listener();
+ if (!ssh_control_listener())
+ fatal("control master socket %s already exists",
+ options.control_path);
/*
* If we are the control master, and if control_persist is set,
@@ -1375,7 +1379,13 @@ control_client(const char *path)
switch (options.control_master) {
case SSHCTL_MASTER_AUTO:
case SSHCTL_MASTER_AUTO_ASK:
- debug("auto-mux: Trying existing master");
+ /* see if we can create a control master socket
+ to avoid a race between two auto clients */
+ if (mux_command == SSHMUX_COMMAND_OPEN &&
+ ssh_control_listener())
+ return;
+ debug("trying to connect to control master socket %s",
+ options.control_path);
/* FALLTHROUGH */
case SSHCTL_MASTER_NO:
break;
@@ -1522,6 +1532,8 @@ control_client(const char *path)
signal(SIGTERM, control_client_sighandler);
signal(SIGWINCH, control_client_sigrelay);
+ debug("connected to control master; waiting for exit");
+
if (tty_flag)
enter_raw_mode();

20
openssh-5.0p1-unbreakalive.patch
View File

@ -1,20 +0,0 @@
Index: packet.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/packet.c,v
retrieving revision 1.152
diff -u -p packet.c
--- packet.c 8 May 2008 06:59:01 -0000
+++ packet.c 19 May 2008 04:00:34 -0000
@@ -1185,9 +1185,10 @@ packet_read_poll_seqnr(u_int32_t *seqnr_
for (;;) {
if (compat20) {
type = packet_read_poll2(seqnr_p);
- keep_alive_timeouts = 0;
- if (type)
+ if (type) {
+ keep_alive_timeouts = 0;
DBG(debug("received packet type %d", type));
+ }
switch (type) {
case SSH2_MSG_IGNORE:
debug3("Received SSH2_MSG_IGNORE");

22
openssh-4.7p1-cloexec.patch → openssh-5.1p1-cloexec.patch
View File

@ -1,15 +1,15 @@
diff -up openssh-4.7p1/sshconnect2.c.cloexec openssh-4.7p1/sshconnect2.c diff -up openssh-5.1p1/sshconnect2.c.cloexec openssh-5.1p1/sshconnect2.c
--- openssh-4.7p1/sshconnect2.c.cloexec 2008-03-06 15:58:03.000000000 +0100 --- openssh-5.1p1/sshconnect2.c.cloexec 2008-07-23 15:21:23.000000000 +0200
+++ openssh-4.7p1/sshconnect2.c 2008-05-21 09:27:06.000000000 +0200 +++ openssh-5.1p1/sshconnect2.c 2008-07-23 15:23:19.000000000 +0200
@@ -38,6 +38,7 @@ @@ -38,6 +38,7 @@
#include <stdio.h> #include <stdio.h>
#include <string.h> #include <string.h>
#include <unistd.h> #include <unistd.h>
+#include <fcntl.h> +#include <fcntl.h>
#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H)
#include "openbsd-compat/sys-queue.h" #include <vis.h>
#endif
@@ -1257,6 +1258,7 @@ ssh_keysign(Key *key, u_char **sigp, u_i @@ -1267,6 +1268,7 @@ ssh_keysign(Key *key, u_char **sigp, u_i
return -1; return -1;
} }
if (pid == 0) { if (pid == 0) {
@ -17,9 +17,9 @@ diff -up openssh-4.7p1/sshconnect2.c.cloexec openssh-4.7p1/sshconnect2.c
permanently_drop_suid(getuid()); permanently_drop_suid(getuid());
close(from[0]); close(from[0]);
if (dup2(from[1], STDOUT_FILENO) < 0) if (dup2(from[1], STDOUT_FILENO) < 0)
diff -up openssh-4.7p1/sshconnect.c.cloexec openssh-4.7p1/sshconnect.c diff -up openssh-5.1p1/sshconnect.c.cloexec openssh-5.1p1/sshconnect.c
--- openssh-4.7p1/sshconnect.c.cloexec 2006-10-23 19:02:24.000000000 +0200 --- openssh-5.1p1/sshconnect.c.cloexec 2008-07-02 14:34:30.000000000 +0200
+++ openssh-4.7p1/sshconnect.c 2008-03-06 15:58:03.000000000 +0100 +++ openssh-5.1p1/sshconnect.c 2008-07-23 15:21:23.000000000 +0200
@@ -38,6 +38,7 @@ @@ -38,6 +38,7 @@
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
@ -28,7 +28,7 @@ diff -up openssh-4.7p1/sshconnect.c.cloexec openssh-4.7p1/sshconnect.c
#include "xmalloc.h" #include "xmalloc.h"
#include "key.h" #include "key.h"
@@ -189,8 +190,11 @@ ssh_create_socket(int privileged, struct @@ -194,8 +195,11 @@ ssh_create_socket(int privileged, struct
return sock; return sock;
} }
sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);

26
openssh-4.7p1-log-in-chroot.patch → openssh-5.1p1-log-in-chroot.patch
View File

@ -1,7 +1,7 @@
diff -up openssh-4.7p1/sshd.c.log-chroot openssh-4.7p1/sshd.c diff -up openssh-5.1p1/sshd.c.log-chroot openssh-5.1p1/sshd.c
--- openssh-4.7p1/sshd.c.log-chroot 2007-09-06 17:24:13.000000000 +0200 --- openssh-5.1p1/sshd.c.log-chroot 2008-07-23 15:18:52.000000000 +0200
+++ openssh-4.7p1/sshd.c 2007-09-06 17:24:13.000000000 +0200 +++ openssh-5.1p1/sshd.c 2008-07-23 15:18:52.000000000 +0200
@@ -596,6 +596,10 @@ privsep_preauth_child(void) @@ -591,6 +591,10 @@ privsep_preauth_child(void)
/* Demote the private keys to public keys. */ /* Demote the private keys to public keys. */
demote_sensitive_data(); demote_sensitive_data();
@ -12,9 +12,9 @@ diff -up openssh-4.7p1/sshd.c.log-chroot openssh-4.7p1/sshd.c
/* Change our root directory */ /* Change our root directory */
if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
diff -up openssh-4.7p1/log.c.log-chroot openssh-4.7p1/log.c diff -up openssh-5.1p1/log.c.log-chroot openssh-5.1p1/log.c
--- openssh-4.7p1/log.c.log-chroot 2007-05-20 07:08:16.000000000 +0200 --- openssh-5.1p1/log.c.log-chroot 2008-06-10 15:01:51.000000000 +0200
+++ openssh-4.7p1/log.c 2007-09-06 17:29:34.000000000 +0200 +++ openssh-5.1p1/log.c 2008-07-23 15:18:52.000000000 +0200
@@ -56,6 +56,7 @@ static LogLevel log_level = SYSLOG_LEVEL @@ -56,6 +56,7 @@ static LogLevel log_level = SYSLOG_LEVEL
static int log_on_stderr = 1; static int log_on_stderr = 1;
static int log_facility = LOG_AUTH; static int log_facility = LOG_AUTH;
@ -23,7 +23,7 @@ diff -up openssh-4.7p1/log.c.log-chroot openssh-4.7p1/log.c
extern char *__progname; extern char *__progname;
@@ -370,10 +371,21 @@ do_log(LogLevel level, const char *fmt, @@ -392,10 +393,21 @@ do_log(LogLevel level, const char *fmt,
syslog_r(pri, &sdata, "%.500s", fmtbuf); syslog_r(pri, &sdata, "%.500s", fmtbuf);
closelog_r(&sdata); closelog_r(&sdata);
#else #else
@ -45,13 +45,13 @@ diff -up openssh-4.7p1/log.c.log-chroot openssh-4.7p1/log.c
+ openlog(argv0 ? argv0 : __progname, LOG_PID|LOG_NDELAY, log_facility); + openlog(argv0 ? argv0 : __progname, LOG_PID|LOG_NDELAY, log_facility);
+ log_fd_keep = 1; + log_fd_keep = 1;
+} +}
diff -up openssh-4.7p1/log.h.log-chroot openssh-4.7p1/log.h diff -up openssh-5.1p1/log.h.log-chroot openssh-5.1p1/log.h
--- openssh-4.7p1/log.h.log-chroot 2006-08-18 16:32:21.000000000 +0200 --- openssh-5.1p1/log.h.log-chroot 2008-06-13 02:22:54.000000000 +0200
+++ openssh-4.7p1/log.h 2007-09-06 17:24:13.000000000 +0200 +++ openssh-5.1p1/log.h 2008-07-23 15:20:11.000000000 +0200
@@ -62,4 +62,6 @@ void debug3(const char *, ...) __att @@ -66,4 +66,6 @@ void debug3(const char *, ...) __att
void do_log(LogLevel, const char *, va_list); void do_log(LogLevel, const char *, va_list);
void cleanup_exit(int) __dead; void cleanup_exit(int) __attribute__((noreturn));
+ +
+void open_log(void); +void open_log(void);
#endif #endif

44
openssh-4.7p1-redhat.patch → openssh-5.1p1-redhat.patch
View File

@ -1,6 +1,6 @@
diff -up openssh-4.7p1/sshd_config.redhat openssh-4.7p1/sshd_config diff -up openssh-5.1p1/sshd_config.redhat openssh-5.1p1/sshd_config
--- openssh-4.7p1/sshd_config.redhat 2007-03-21 10:42:25.000000000 +0100 --- openssh-5.1p1/sshd_config.redhat 2008-07-02 14:35:43.000000000 +0200
+++ openssh-4.7p1/sshd_config 2007-09-06 16:23:58.000000000 +0200 +++ openssh-5.1p1/sshd_config 2008-07-23 14:11:12.000000000 +0200
@@ -33,6 +33,7 @@ Protocol 2 @@ -33,6 +33,7 @@ Protocol 2
# Logging # Logging
# obsoletes QuietMode and FascistLogging # obsoletes QuietMode and FascistLogging
@ -9,7 +9,7 @@ diff -up openssh-4.7p1/sshd_config.redhat openssh-4.7p1/sshd_config
#LogLevel INFO #LogLevel INFO
# Authentication: # Authentication:
@@ -59,9 +60,11 @@ Protocol 2 @@ -60,9 +61,11 @@ Protocol 2
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes #PasswordAuthentication yes
#PermitEmptyPasswords no #PermitEmptyPasswords no
@ -21,7 +21,7 @@ diff -up openssh-4.7p1/sshd_config.redhat openssh-4.7p1/sshd_config
# Kerberos options # Kerberos options
#KerberosAuthentication no #KerberosAuthentication no
@@ -71,7 +74,9 @@ Protocol 2 @@ -72,7 +75,9 @@ Protocol 2
# GSSAPI options # GSSAPI options
#GSSAPIAuthentication no #GSSAPIAuthentication no
@ -31,16 +31,18 @@ diff -up openssh-4.7p1/sshd_config.redhat openssh-4.7p1/sshd_config
# Set this to 'yes' to enable PAM authentication, account processing, # Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will # and session processing. If this is enabled, PAM authentication will
@@ -83,10 +88,16 @@ Protocol 2 @@ -84,11 +89,18 @@ Protocol 2
# PAM authentication, then enable this but set PasswordAuthentication # PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'. # and ChallengeResponseAuthentication to 'no'.
#UsePAM no #UsePAM no
+UsePAM yes +UsePAM yes
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+# Accept locale-related environment variables #AllowAgentForwarding yes
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
#AllowTcpForwarding yes #AllowTcpForwarding yes
#GatewayPorts no #GatewayPorts no
#X11Forwarding no #X11Forwarding no
@ -48,9 +50,9 @@ diff -up openssh-4.7p1/sshd_config.redhat openssh-4.7p1/sshd_config
#X11DisplayOffset 10 #X11DisplayOffset 10
#X11UseLocalhost yes #X11UseLocalhost yes
#PrintMotd yes #PrintMotd yes
diff -up openssh-4.7p1/ssh_config.redhat openssh-4.7p1/ssh_config diff -up openssh-5.1p1/ssh_config.redhat openssh-5.1p1/ssh_config
--- openssh-4.7p1/ssh_config.redhat 2007-06-11 06:04:42.000000000 +0200 --- openssh-5.1p1/ssh_config.redhat 2007-06-11 06:04:42.000000000 +0200
+++ openssh-4.7p1/ssh_config 2007-09-06 16:21:49.000000000 +0200 +++ openssh-5.1p1/ssh_config 2008-07-23 14:07:29.000000000 +0200
@@ -43,3 +43,13 @@ @@ -43,3 +43,13 @@
# Tunnel no # Tunnel no
# TunnelDevice any:any # TunnelDevice any:any
@ -65,10 +67,10 @@ diff -up openssh-4.7p1/ssh_config.redhat openssh-4.7p1/ssh_config
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES + SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE + SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
diff -up openssh-4.7p1/sshd_config.0.redhat openssh-4.7p1/sshd_config.0 diff -up openssh-5.1p1/sshd_config.0.redhat openssh-5.1p1/sshd_config.0
--- openssh-4.7p1/sshd_config.0.redhat 2007-09-04 08:50:11.000000000 +0200 --- openssh-5.1p1/sshd_config.0.redhat 2008-07-21 10:30:51.000000000 +0200
+++ openssh-4.7p1/sshd_config.0 2007-09-06 16:21:49.000000000 +0200 +++ openssh-5.1p1/sshd_config.0 2008-07-23 14:07:29.000000000 +0200
@@ -435,9 +435,9 @@ DESCRIPTION @@ -490,9 +490,9 @@ DESCRIPTION
SyslogFacility SyslogFacility
Gives the facility code that is used when logging messages from Gives the facility code that is used when logging messages from
@ -81,10 +83,10 @@ diff -up openssh-4.7p1/sshd_config.0.redhat openssh-4.7p1/sshd_config.0
TCPKeepAlive TCPKeepAlive
Specifies whether the system should send TCP keepalive messages Specifies whether the system should send TCP keepalive messages
diff -up openssh-4.7p1/sshd_config.5.redhat openssh-4.7p1/sshd_config.5 diff -up openssh-5.1p1/sshd_config.5.redhat openssh-5.1p1/sshd_config.5
--- openssh-4.7p1/sshd_config.5.redhat 2007-06-11 06:07:13.000000000 +0200 --- openssh-5.1p1/sshd_config.5.redhat 2008-07-02 14:35:43.000000000 +0200
+++ openssh-4.7p1/sshd_config.5 2007-09-06 16:21:49.000000000 +0200 +++ openssh-5.1p1/sshd_config.5 2008-07-23 14:07:29.000000000 +0200
@@ -748,7 +748,7 @@ Note that this option applies to protoco @@ -846,7 +846,7 @@ Note that this option applies to protoco
.It Cm SyslogFacility .It Cm SyslogFacility
Gives the facility code that is used when logging messages from Gives the facility code that is used when logging messages from
.Xr sshd 8 . .Xr sshd 8 .

154
openssh-4.7p1-selinux.patch → openssh-5.1p1-selinux.patch
View File

@ -1,7 +1,7 @@
diff -up openssh-4.7p1/configure.ac.selinux openssh-4.7p1/configure.ac diff -up openssh-5.1p1/configure.ac.selinux openssh-5.1p1/configure.ac
--- openssh-4.7p1/configure.ac.selinux 2007-09-06 19:46:32.000000000 +0200 --- openssh-5.1p1/configure.ac.selinux 2008-07-23 16:32:13.000000000 +0200
+++ openssh-4.7p1/configure.ac 2007-09-06 19:52:23.000000000 +0200 +++ openssh-5.1p1/configure.ac 2008-07-23 16:32:13.000000000 +0200
@@ -3211,6 +3211,7 @@ AC_ARG_WITH(selinux, @@ -3309,6 +3309,7 @@ AC_ARG_WITH(selinux,
AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ], AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
AC_MSG_ERROR(SELinux support requires libselinux library)) AC_MSG_ERROR(SELinux support requires libselinux library))
SSHDLIBS="$SSHDLIBS $LIBSELINUX" SSHDLIBS="$SSHDLIBS $LIBSELINUX"
@ -9,10 +9,10 @@ diff -up openssh-4.7p1/configure.ac.selinux openssh-4.7p1/configure.ac
AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
LIBS="$save_LIBS" LIBS="$save_LIBS"
fi ] fi ]
diff -up openssh-4.7p1/auth1.c.selinux openssh-4.7p1/auth1.c diff -up openssh-5.1p1/auth1.c.selinux openssh-5.1p1/auth1.c
--- openssh-4.7p1/auth1.c.selinux 2007-09-06 19:46:32.000000000 +0200 --- openssh-5.1p1/auth1.c.selinux 2008-07-23 16:32:13.000000000 +0200
+++ openssh-4.7p1/auth1.c 2007-09-06 19:46:32.000000000 +0200 +++ openssh-5.1p1/auth1.c 2008-07-23 16:32:13.000000000 +0200
@@ -388,7 +388,7 @@ void @@ -391,7 +391,7 @@ void
do_authentication(Authctxt *authctxt) do_authentication(Authctxt *authctxt)
{ {
u_int ulen; u_int ulen;
@ -21,7 +21,7 @@ diff -up openssh-4.7p1/auth1.c.selinux openssh-4.7p1/auth1.c
/* Get the name of the user that we wish to log in as. */ /* Get the name of the user that we wish to log in as. */
packet_read_expect(SSH_CMSG_USER); packet_read_expect(SSH_CMSG_USER);
@@ -397,11 +397,19 @@ do_authentication(Authctxt *authctxt) @@ -400,11 +400,19 @@ do_authentication(Authctxt *authctxt)
user = packet_get_string(&ulen); user = packet_get_string(&ulen);
packet_check_eom(); packet_check_eom();
@ -41,9 +41,28 @@ diff -up openssh-4.7p1/auth1.c.selinux openssh-4.7p1/auth1.c
/* Verify that the user is a valid user. */ /* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
diff -up openssh-4.7p1/monitor_wrap.h.selinux openssh-4.7p1/monitor_wrap.h diff -up openssh-5.1p1/auth2-pubkey.c.selinux openssh-5.1p1/auth2-pubkey.c
--- openssh-4.7p1/monitor_wrap.h.selinux 2006-08-05 04:39:40.000000000 +0200 --- openssh-5.1p1/auth2-pubkey.c.selinux 2008-07-04 04:54:25.000000000 +0200
+++ openssh-4.7p1/monitor_wrap.h 2007-09-06 19:46:32.000000000 +0200 +++ openssh-5.1p1/auth2-pubkey.c 2008-07-23 16:32:13.000000000 +0200
@@ -117,7 +117,14 @@ userauth_pubkey(Authctxt *authctxt)
}
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
+ if (authctxt->role) {
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
+ buffer_put_char(&b, '/');
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
+ } else {
+ buffer_put_cstring(&b, authctxt->user);
+ }
buffer_put_cstring(&b,
datafellows & SSH_BUG_PKSERVICE ?
"ssh-userauth" :
diff -up openssh-5.1p1/monitor_wrap.h.selinux openssh-5.1p1/monitor_wrap.h
--- openssh-5.1p1/monitor_wrap.h.selinux 2006-08-05 04:39:40.000000000 +0200
+++ openssh-5.1p1/monitor_wrap.h 2008-07-23 16:32:13.000000000 +0200
@@ -41,6 +41,7 @@ int mm_is_monitor(void); @@ -41,6 +41,7 @@ int mm_is_monitor(void);
DH *mm_choose_dh(int, int, int); DH *mm_choose_dh(int, int, int);
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
@ -52,9 +71,9 @@ diff -up openssh-4.7p1/monitor_wrap.h.selinux openssh-4.7p1/monitor_wrap.h
struct passwd *mm_getpwnamallow(const char *); struct passwd *mm_getpwnamallow(const char *);
char *mm_auth2_read_banner(void); char *mm_auth2_read_banner(void);
int mm_auth_password(struct Authctxt *, char *); int mm_auth_password(struct Authctxt *, char *);
diff -up openssh-4.7p1/monitor.h.selinux openssh-4.7p1/monitor.h diff -up openssh-5.1p1/monitor.h.selinux openssh-5.1p1/monitor.h
--- openssh-4.7p1/monitor.h.selinux 2006-03-26 05:30:02.000000000 +0200 --- openssh-5.1p1/monitor.h.selinux 2006-03-26 05:30:02.000000000 +0200
+++ openssh-4.7p1/monitor.h 2007-09-06 19:46:32.000000000 +0200 +++ openssh-5.1p1/monitor.h 2008-07-23 16:32:13.000000000 +0200
@@ -30,7 +30,7 @@ @@ -30,7 +30,7 @@
enum monitor_reqtype { enum monitor_reqtype {
@ -64,10 +83,29 @@ diff -up openssh-4.7p1/monitor.h.selinux openssh-4.7p1/monitor.h
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
diff -up openssh-4.7p1/monitor_wrap.c.selinux openssh-4.7p1/monitor_wrap.c diff -up openssh-5.1p1/auth2-hostbased.c.selinux openssh-5.1p1/auth2-hostbased.c
--- openssh-4.7p1/monitor_wrap.c.selinux 2007-06-11 06:01:42.000000000 +0200 --- openssh-5.1p1/auth2-hostbased.c.selinux 2008-07-17 10:57:19.000000000 +0200
+++ openssh-4.7p1/monitor_wrap.c 2007-09-06 19:46:32.000000000 +0200 +++ openssh-5.1p1/auth2-hostbased.c 2008-07-23 16:32:13.000000000 +0200
@@ -294,6 +294,23 @@ mm_inform_authserv(char *service, char * @@ -106,7 +106,14 @@ userauth_hostbased(Authctxt *authctxt)
buffer_put_string(&b, session_id2, session_id2_len);
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
+ if (authctxt->role) {
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
+ buffer_put_char(&b, '/');
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
+ } else {
+ buffer_put_cstring(&b, authctxt->user);
+ }
buffer_put_cstring(&b, service);
buffer_put_cstring(&b, "hostbased");
buffer_put_string(&b, pkalg, alen);
diff -up openssh-5.1p1/monitor_wrap.c.selinux openssh-5.1p1/monitor_wrap.c
--- openssh-5.1p1/monitor_wrap.c.selinux 2008-07-11 09:36:48.000000000 +0200
+++ openssh-5.1p1/monitor_wrap.c 2008-07-23 16:32:13.000000000 +0200
@@ -296,6 +296,23 @@ mm_inform_authserv(char *service, char *
buffer_free(&m); buffer_free(&m);
} }
@ -91,9 +129,9 @@ diff -up openssh-4.7p1/monitor_wrap.c.selinux openssh-4.7p1/monitor_wrap.c
/* Do the password authentication */ /* Do the password authentication */
int int
mm_auth_password(Authctxt *authctxt, char *password) mm_auth_password(Authctxt *authctxt, char *password)
diff -up openssh-4.7p1/openbsd-compat/port-linux.c.selinux openssh-4.7p1/openbsd-compat/port-linux.c diff -up openssh-5.1p1/openbsd-compat/port-linux.c.selinux openssh-5.1p1/openbsd-compat/port-linux.c
--- openssh-4.7p1/openbsd-compat/port-linux.c.selinux 2007-06-28 00:48:03.000000000 +0200 --- openssh-5.1p1/openbsd-compat/port-linux.c.selinux 2008-03-26 21:27:21.000000000 +0100
+++ openssh-4.7p1/openbsd-compat/port-linux.c 2007-09-06 19:46:32.000000000 +0200 +++ openssh-5.1p1/openbsd-compat/port-linux.c 2008-07-23 16:32:13.000000000 +0200
@@ -30,11 +30,16 @@ @@ -30,11 +30,16 @@
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
#include "log.h" #include "log.h"
@ -109,7 +147,7 @@ diff -up openssh-4.7p1/openbsd-compat/port-linux.c.selinux openssh-4.7p1/openbsd
+extern Authctxt *the_authctxt; +extern Authctxt *the_authctxt;
+ +
/* Wrapper around is_selinux_enabled() to log its return value once only */ /* Wrapper around is_selinux_enabled() to log its return value once only */
static int int
ssh_selinux_enabled(void) ssh_selinux_enabled(void)
@@ -53,23 +58,36 @@ ssh_selinux_enabled(void) @@ -53,23 +58,36 @@ ssh_selinux_enabled(void)
static security_context_t static security_context_t
@ -155,9 +193,9 @@ diff -up openssh-4.7p1/openbsd-compat/port-linux.c.selinux openssh-4.7p1/openbsd
if (r != 0) { if (r != 0) {
switch (security_getenforce()) { switch (security_getenforce()) {
diff -up openssh-4.7p1/auth.h.selinux openssh-4.7p1/auth.h diff -up openssh-5.1p1/auth.h.selinux openssh-5.1p1/auth.h
--- openssh-4.7p1/auth.h.selinux 2006-08-18 16:32:46.000000000 +0200 --- openssh-5.1p1/auth.h.selinux 2008-07-02 14:37:30.000000000 +0200
+++ openssh-4.7p1/auth.h 2007-09-06 19:46:32.000000000 +0200 +++ openssh-5.1p1/auth.h 2008-07-23 16:32:13.000000000 +0200
@@ -58,6 +58,7 @@ struct Authctxt { @@ -58,6 +58,7 @@ struct Authctxt {
char *service; char *service;
struct passwd *pw; /* set if 'valid' */ struct passwd *pw; /* set if 'valid' */
@ -166,10 +204,10 @@ diff -up openssh-4.7p1/auth.h.selinux openssh-4.7p1/auth.h
void *kbdintctxt; void *kbdintctxt;
#ifdef BSD_AUTH #ifdef BSD_AUTH
auth_session_t *as; auth_session_t *as;
diff -up openssh-4.7p1/auth2.c.selinux openssh-4.7p1/auth2.c diff -up openssh-5.1p1/auth2.c.selinux openssh-5.1p1/auth2.c
--- openssh-4.7p1/auth2.c.selinux 2007-05-20 06:58:41.000000000 +0200 --- openssh-5.1p1/auth2.c.selinux 2008-07-05 01:44:53.000000000 +0200
+++ openssh-4.7p1/auth2.c 2007-09-06 19:46:32.000000000 +0200 +++ openssh-5.1p1/auth2.c 2008-07-23 16:32:13.000000000 +0200
@@ -141,7 +141,7 @@ input_userauth_request(int type, u_int32 @@ -209,7 +209,7 @@ input_userauth_request(int type, u_int32
{ {
Authctxt *authctxt = ctxt; Authctxt *authctxt = ctxt;
Authmethod *m = NULL; Authmethod *m = NULL;
@ -178,7 +216,7 @@ diff -up openssh-4.7p1/auth2.c.selinux openssh-4.7p1/auth2.c
int authenticated = 0; int authenticated = 0;
if (authctxt == NULL) if (authctxt == NULL)
@@ -153,6 +153,9 @@ input_userauth_request(int type, u_int32 @@ -221,6 +221,9 @@ input_userauth_request(int type, u_int32
debug("userauth-request for user %s service %s method %s", user, service, method); debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
@ -188,7 +226,7 @@ diff -up openssh-4.7p1/auth2.c.selinux openssh-4.7p1/auth2.c
if ((style = strchr(user, ':')) != NULL) if ((style = strchr(user, ':')) != NULL)
*style++ = 0; *style++ = 0;
@@ -178,8 +181,11 @@ input_userauth_request(int type, u_int32 @@ -246,8 +249,11 @@ input_userauth_request(int type, u_int32
use_privsep ? " [net]" : ""); use_privsep ? " [net]" : "");
authctxt->service = xstrdup(service); authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL; authctxt->style = style ? xstrdup(style) : NULL;
@ -198,13 +236,13 @@ diff -up openssh-4.7p1/auth2.c.selinux openssh-4.7p1/auth2.c
mm_inform_authserv(service, style); mm_inform_authserv(service, style);
+ mm_inform_authrole(role); + mm_inform_authrole(role);
+ } + }
userauth_banner();
} else if (strcmp(user, authctxt->user) != 0 || } else if (strcmp(user, authctxt->user) != 0 ||
strcmp(service, authctxt->service) != 0) { strcmp(service, authctxt->service) != 0) {
packet_disconnect("Change of username or service not allowed: " diff -up openssh-5.1p1/monitor.c.selinux openssh-5.1p1/monitor.c
diff -up openssh-4.7p1/monitor.c.selinux openssh-4.7p1/monitor.c --- openssh-5.1p1/monitor.c.selinux 2008-07-11 09:36:48.000000000 +0200
--- openssh-4.7p1/monitor.c.selinux 2007-05-20 07:10:16.000000000 +0200 +++ openssh-5.1p1/monitor.c 2008-07-23 16:36:10.000000000 +0200
+++ openssh-4.7p1/monitor.c 2007-09-06 19:46:32.000000000 +0200 @@ -134,6 +134,7 @@ int mm_answer_sign(int, Buffer *);
@@ -133,6 +133,7 @@ int mm_answer_sign(int, Buffer *);
int mm_answer_pwnamallow(int, Buffer *); int mm_answer_pwnamallow(int, Buffer *);
int mm_answer_auth2_read_banner(int, Buffer *); int mm_answer_auth2_read_banner(int, Buffer *);
int mm_answer_authserv(int, Buffer *); int mm_answer_authserv(int, Buffer *);
@ -212,7 +250,7 @@ diff -up openssh-4.7p1/monitor.c.selinux openssh-4.7p1/monitor.c
int mm_answer_authpassword(int, Buffer *); int mm_answer_authpassword(int, Buffer *);
int mm_answer_bsdauthquery(int, Buffer *); int mm_answer_bsdauthquery(int, Buffer *);
int mm_answer_bsdauthrespond(int, Buffer *); int mm_answer_bsdauthrespond(int, Buffer *);
@@ -204,6 +205,7 @@ struct mon_table mon_dispatch_proto20[] @@ -205,6 +206,7 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@ -220,7 +258,7 @@ diff -up openssh-4.7p1/monitor.c.selinux openssh-4.7p1/monitor.c
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM #ifdef USE_PAM
@@ -657,6 +659,7 @@ mm_answer_pwnamallow(int sock, Buffer *m @@ -658,6 +660,7 @@ mm_answer_pwnamallow(int sock, Buffer *m
else { else {
/* Allow service/style information on the auth context */ /* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@ -228,7 +266,7 @@ diff -up openssh-4.7p1/monitor.c.selinux openssh-4.7p1/monitor.c
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
} }
@@ -702,6 +705,23 @@ mm_answer_authserv(int sock, Buffer *m) @@ -703,6 +706,23 @@ mm_answer_authserv(int sock, Buffer *m)
} }
int int
@ -252,3 +290,39 @@ diff -up openssh-4.7p1/monitor.c.selinux openssh-4.7p1/monitor.c
mm_answer_authpassword(int sock, Buffer *m) mm_answer_authpassword(int sock, Buffer *m)
{ {
static int call_count; static int call_count;
@@ -1080,7 +1100,7 @@ static int
monitor_valid_userblob(u_char *data, u_int datalen)
{
Buffer b;
- char *p;
+ char *p, *r;
u_int len;
int fail = 0;
@@ -1106,6 +1126,8 @@ monitor_valid_userblob(u_char *data, u_i
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_string(&b, NULL);
+ if ((r = strchr(p, '/')) != NULL)
+ *r = '\0';
if (strcmp(authctxt->user, p) != 0) {
logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p);
@@ -1137,7 +1159,7 @@ monitor_valid_hostbasedblob(u_char *data
char *chost)
{
Buffer b;
- char *p;
+ char *p, *r;
u_int len;
int fail = 0;
@@ -1154,6 +1176,8 @@ monitor_valid_hostbasedblob(u_char *data
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_string(&b, NULL);
+ if ((r = strchr(p, '/')) != NULL)
+ *r = '\0';
if (strcmp(authctxt->user, p) != 0) {
logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p);

124
openssh-4.7p1-vendor.patch → openssh-5.1p1-vendor.patch
View File

@ -1,7 +1,7 @@
diff -up openssh-4.7p1/configure.ac.vendor openssh-4.7p1/configure.ac diff -up openssh-5.1p1/configure.ac.vendor openssh-5.1p1/configure.ac
--- openssh-4.7p1/configure.ac.vendor 2007-09-06 16:27:47.000000000 +0200 --- openssh-5.1p1/configure.ac.vendor 2008-07-23 14:13:22.000000000 +0200
+++ openssh-4.7p1/configure.ac 2007-09-06 16:27:47.000000000 +0200 +++ openssh-5.1p1/configure.ac 2008-07-23 14:13:22.000000000 +0200
@@ -3792,6 +3792,12 @@ AC_ARG_WITH(lastlog, @@ -3890,6 +3890,12 @@ AC_ARG_WITH(lastlog,
fi fi
] ]
) )
@ -14,7 +14,7 @@ diff -up openssh-4.7p1/configure.ac.vendor openssh-4.7p1/configure.ac
dnl lastlog, [uw]tmpx? detection dnl lastlog, [uw]tmpx? detection
dnl NOTE: set the paths in the platform section to avoid the dnl NOTE: set the paths in the platform section to avoid the
@@ -4041,6 +4047,7 @@ echo " IP address in \$DISPLAY hac @@ -4146,6 +4152,7 @@ echo " IP address in \$DISPLAY hac
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo " BSD Auth support: $BSD_AUTH_MSG" echo " BSD Auth support: $BSD_AUTH_MSG"
echo " Random number source: $RAND_MSG" echo " Random number source: $RAND_MSG"
@ -22,47 +22,47 @@ diff -up openssh-4.7p1/configure.ac.vendor openssh-4.7p1/configure.ac
if test ! -z "$USE_RAND_HELPER" ; then if test ! -z "$USE_RAND_HELPER" ; then
echo " ssh-rand-helper collects from: $RAND_HELPER_MSG" echo " ssh-rand-helper collects from: $RAND_HELPER_MSG"
fi fi
diff -up openssh-4.7p1/sshd_config.5.vendor openssh-4.7p1/sshd_config.5 diff -up openssh-5.1p1/sshd_config.5.vendor openssh-5.1p1/sshd_config.5
--- openssh-4.7p1/sshd_config.5.vendor 2007-09-06 16:27:47.000000000 +0200 --- openssh-5.1p1/sshd_config.5.vendor 2008-07-23 14:13:22.000000000 +0200
+++ openssh-4.7p1/sshd_config.5 2007-09-06 16:27:47.000000000 +0200 +++ openssh-5.1p1/sshd_config.5 2008-07-23 14:19:23.000000000 +0200
@@ -725,6 +725,14 @@ This option applies to protocol version @@ -812,6 +812,14 @@ This option applies to protocol version
.It Cm ServerKeyBits .It Cm ServerKeyBits
Defines the number of bits in the ephemeral protocol version 1 server key. Defines the number of bits in the ephemeral protocol version 1 server key.
The minimum value is 512, and the default is 768. The minimum value is 512, and the default is 1024.
+.It Cm ShowPatchLevel +.It Cm ShowPatchLevel
+Specifies whether +Specifies whether
+.Nm sshd +.Nm sshd
+will display the patch level of the binary in the identification string. +will display the patch level of the binary in the identification string.
+The patch level is set at compile-time. +The patch level is set at compile-time.
+The default is +The default is
+.Dq no . +.Dq no .
+This option applies to protocol version 1 only. +This option applies to protocol version 1 only.
.It Cm StrictModes .It Cm StrictModes
Specifies whether Specifies whether
.Xr sshd 8 .Xr sshd 8
diff -up openssh-4.7p1/servconf.h.vendor openssh-4.7p1/servconf.h diff -up openssh-5.1p1/servconf.h.vendor openssh-5.1p1/servconf.h
--- openssh-4.7p1/servconf.h.vendor 2007-02-19 12:25:38.000000000 +0100 --- openssh-5.1p1/servconf.h.vendor 2008-06-10 15:01:51.000000000 +0200
+++ openssh-4.7p1/servconf.h 2007-09-06 16:27:47.000000000 +0200 +++ openssh-5.1p1/servconf.h 2008-07-23 14:13:22.000000000 +0200
@@ -120,6 +120,7 @@ typedef struct { @@ -126,6 +126,7 @@ typedef struct {
int max_startups;
int max_authtries; int max_authtries;
int max_sessions;
char *banner; /* SSH-2 banner message */ char *banner; /* SSH-2 banner message */
+ int show_patchlevel; /* Show vendor patch level to clients */ + int show_patchlevel; /* Show vendor patch level to clients */
int use_dns; int use_dns;
int client_alive_interval; /* int client_alive_interval; /*
* poke the client this often to * poke the client this often to
diff -up openssh-4.7p1/servconf.c.vendor openssh-4.7p1/servconf.c diff -up openssh-5.1p1/servconf.c.vendor openssh-5.1p1/servconf.c
--- openssh-4.7p1/servconf.c.vendor 2007-05-20 07:03:16.000000000 +0200 --- openssh-5.1p1/servconf.c.vendor 2008-07-04 05:51:12.000000000 +0200
+++ openssh-4.7p1/servconf.c 2007-09-06 16:29:11.000000000 +0200 +++ openssh-5.1p1/servconf.c 2008-07-23 14:32:27.000000000 +0200
@@ -113,6 +113,7 @@ initialize_server_options(ServerOptions @@ -117,6 +117,7 @@ initialize_server_options(ServerOptions
options->max_startups = -1;
options->max_authtries = -1; options->max_authtries = -1;
options->max_sessions = -1;
options->banner = NULL; options->banner = NULL;
+ options->show_patchlevel = -1; + options->show_patchlevel = -1;
options->use_dns = -1; options->use_dns = -1;
options->client_alive_interval = -1; options->client_alive_interval = -1;
options->client_alive_count_max = -1; options->client_alive_count_max = -1;
@@ -250,6 +251,9 @@ fill_default_server_options(ServerOption @@ -259,6 +260,9 @@ fill_default_server_options(ServerOption
if (options->permit_tun == -1) if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO; options->permit_tun = SSH_TUNMODE_NO;
@ -72,23 +72,24 @@ diff -up openssh-4.7p1/servconf.c.vendor openssh-4.7p1/servconf.c
/* Turn privilege separation on by default */ /* Turn privilege separation on by default */
if (use_privsep == -1) if (use_privsep == -1)
use_privsep = 1; use_privsep = 1;
@@ -293,6 +297,7 @@ typedef enum { @@ -296,7 +300,7 @@ typedef enum {
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
sMaxStartups, sMaxAuthTries, sMaxSessions,
- sBanner, sUseDNS, sHostbasedAuthentication,
+ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, @@ -401,6 +405,7 @@ static struct {
sUsePrivilegeSeparation, { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
+ sShowPatchLevel, { "maxsessions", sMaxSessions, SSHCFG_ALL },
sDeprecated, sUnsupported
} ServerOpCodes;
@@ -390,6 +395,7 @@ static struct {
{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
{ "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
{ "banner", sBanner, SSHCFG_ALL }, { "banner", sBanner, SSHCFG_ALL },
+ { "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL }, + { "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL },
{ "usedns", sUseDNS, SSHCFG_GLOBAL }, { "usedns", sUseDNS, SSHCFG_GLOBAL },
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1005,6 +1011,10 @@ parse_flag: @@ -1020,6 +1025,10 @@ process_server_config_line(ServerOptions
intptr = &use_privsep; intptr = &use_privsep;
goto parse_flag; goto parse_flag;
@ -99,12 +100,20 @@ diff -up openssh-4.7p1/servconf.c.vendor openssh-4.7p1/servconf.c
case sAllowUsers: case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') { while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS) if (options->num_allow_users >= MAX_ALLOW_USERS)
diff -up openssh-4.7p1/sshd_config.0.vendor openssh-4.7p1/sshd_config.0 @@ -1584,6 +1593,7 @@ dump_config(ServerOptions *o)
--- openssh-4.7p1/sshd_config.0.vendor 2007-09-06 16:27:47.000000000 +0200 dump_cfg_fmtint(sUseLogin, o->use_login);
+++ openssh-4.7p1/sshd_config.0 2007-09-06 16:27:47.000000000 +0200 dump_cfg_fmtint(sCompression, o->compression);
@@ -418,6 +418,11 @@ DESCRIPTION dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
+ dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
diff -up openssh-5.1p1/sshd_config.0.vendor openssh-5.1p1/sshd_config.0
--- openssh-5.1p1/sshd_config.0.vendor 2008-07-23 14:13:22.000000000 +0200
+++ openssh-5.1p1/sshd_config.0 2008-07-23 14:13:22.000000000 +0200
@@ -466,6 +466,11 @@ DESCRIPTION
Defines the number of bits in the ephemeral protocol version 1 Defines the number of bits in the ephemeral protocol version 1
server key. The minimum value is 512, and the default is 768. server key. The minimum value is 512, and the default is 1024.
+ ShowPatchLevel + ShowPatchLevel
+ Specifies whether sshd will display the specific patch level of + Specifies whether sshd will display the specific patch level of
@ -114,10 +123,10 @@ diff -up openssh-4.7p1/sshd_config.0.vendor openssh-4.7p1/sshd_config.0
StrictModes StrictModes
Specifies whether sshd(8) should check file modes and ownership Specifies whether sshd(8) should check file modes and ownership
of the user's files and home directory before accepting login. of the user's files and home directory before accepting login.
diff -up openssh-4.7p1/sshd_config.vendor openssh-4.7p1/sshd_config diff -up openssh-5.1p1/sshd_config.vendor openssh-5.1p1/sshd_config
--- openssh-4.7p1/sshd_config.vendor 2007-09-06 16:27:47.000000000 +0200 --- openssh-5.1p1/sshd_config.vendor 2008-07-23 14:13:22.000000000 +0200
+++ openssh-4.7p1/sshd_config 2007-09-06 16:27:47.000000000 +0200 +++ openssh-5.1p1/sshd_config 2008-07-23 14:13:22.000000000 +0200
@@ -109,6 +109,7 @@ X11Forwarding yes @@ -112,6 +112,7 @@ X11Forwarding yes
#Compression delayed #Compression delayed
#ClientAliveInterval 0 #ClientAliveInterval 0
#ClientAliveCountMax 3 #ClientAliveCountMax 3
@ -125,20 +134,19 @@ diff -up openssh-4.7p1/sshd_config.vendor openssh-4.7p1/sshd_config
#UseDNS yes #UseDNS yes
#PidFile /var/run/sshd.pid #PidFile /var/run/sshd.pid
#MaxStartups 10 #MaxStartups 10
diff -up openssh-4.7p1/sshd.c.vendor openssh-4.7p1/sshd.c diff -up openssh-5.1p1/sshd.c.vendor openssh-5.1p1/sshd.c
--- openssh-4.7p1/sshd.c.vendor 2007-06-05 10:22:32.000000000 +0200 --- openssh-5.1p1/sshd.c.vendor 2008-07-11 09:36:49.000000000 +0200
+++ openssh-4.7p1/sshd.c 2007-09-06 16:27:47.000000000 +0200 +++ openssh-5.1p1/sshd.c 2008-07-23 14:35:43.000000000 +0200
@@ -419,7 +419,8 @@ sshd_exchange_identification(int sock_in @@ -416,7 +416,7 @@ sshd_exchange_identification(int sock_in
major = PROTOCOL_MAJOR_1;
minor = PROTOCOL_MINOR_1; minor = PROTOCOL_MINOR_1;
} }
- snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION); snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
+ snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, - SSH_VERSION, newline);
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION); + (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline);
server_version_string = xstrdup(buf); server_version_string = xstrdup(buf);
/* Send our protocol version identification. */ /* Send our protocol version identification. */
@@ -1434,7 +1435,8 @@ main(int ac, char **av) @@ -1484,7 +1484,8 @@ main(int ac, char **av)
exit(1); exit(1);
} }

28
openssh.spec
View File

@ -62,8 +62,8 @@
Summary: The OpenSSH implementation of SSH protocol versions 1 and 2 Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
Name: openssh Name: openssh
Version: 5.0p1 Version: 5.1p1
Release: 3%{?dist}%{?rescue_rel} Release: 1%{?dist}%{?rescue_rel}
URL: http://www.openssh.com/portable.html URL: http://www.openssh.com/portable.html
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@ -74,17 +74,17 @@ Source0: openssh-%{version}-noacss.tar.bz2
Source1: openssh-nukeacss.sh Source1: openssh-nukeacss.sh
Source2: sshd.pam Source2: sshd.pam
Source3: sshd.init Source3: sshd.init
Patch0: openssh-4.7p1-redhat.patch Patch0: openssh-5.1p1-redhat.patch
Patch2: openssh-3.8.1p1-skip-initial.patch Patch2: openssh-3.8.1p1-skip-initial.patch
Patch3: openssh-3.8.1p1-krb5-config.patch Patch3: openssh-3.8.1p1-krb5-config.patch
Patch4: openssh-4.7p1-vendor.patch Patch4: openssh-5.1p1-vendor.patch
Patch12: openssh-4.7p1-selinux.patch Patch12: openssh-5.1p1-selinux.patch
Patch13: openssh-4.7p1-mls.patch Patch13: openssh-4.7p1-mls.patch
Patch16: openssh-4.7p1-audit.patch Patch16: openssh-4.7p1-audit.patch
Patch17: openssh-4.3p2-cve-2007-3102.patch Patch17: openssh-4.3p2-cve-2007-3102.patch
Patch22: openssh-3.9p1-askpass-keep-above.patch Patch22: openssh-3.9p1-askpass-keep-above.patch
Patch24: openssh-4.3p1-fromto-remote.patch Patch24: openssh-4.3p1-fromto-remote.patch
Patch27: openssh-4.7p1-log-in-chroot.patch Patch27: openssh-5.1p1-log-in-chroot.patch
Patch30: openssh-4.0p1-exit-deadlock.patch Patch30: openssh-4.0p1-exit-deadlock.patch
Patch35: openssh-4.2p1-askpass-progress.patch Patch35: openssh-4.2p1-askpass-progress.patch
Patch38: openssh-4.3p2-askpass-grab-info.patch Patch38: openssh-4.3p2-askpass-grab-info.patch
@ -93,11 +93,8 @@ Patch44: openssh-4.3p2-allow-ip-opts.patch
Patch49: openssh-4.3p2-gssapi-canohost.patch Patch49: openssh-4.3p2-gssapi-canohost.patch
Patch51: openssh-4.7p1-nss-keys.patch Patch51: openssh-4.7p1-nss-keys.patch
Patch54: openssh-4.7p1-gssapi-role.patch Patch54: openssh-4.7p1-gssapi-role.patch
Patch55: openssh-4.7p1-cloexec.patch Patch55: openssh-5.1p1-cloexec.patch
Patch58: openssh-4.5p1-controlcleanup.patch
Patch59: openssh-4.7p1-master-race.patch
Patch60: openssh-5.0p1-pam_selinux.patch Patch60: openssh-5.0p1-pam_selinux.patch
Patch61: openssh-5.0p1-unbreakalive.patch
Patch62: openssh-3.9p1-scp-manpage.patch Patch62: openssh-3.9p1-scp-manpage.patch
License: BSD License: BSD
@ -229,10 +226,7 @@ an X11 passphrase dialog for OpenSSH.
%patch51 -p1 -b .nss-keys %patch51 -p1 -b .nss-keys
%patch54 -p0 -b .gssapi-role %patch54 -p0 -b .gssapi-role
%patch55 -p1 -b .cloexec %patch55 -p1 -b .cloexec
%patch58 -p1 -b .controlcleanup
%patch59 -p1 -b .master-race
%patch60 -p1 -b .pam_selinux %patch60 -p1 -b .pam_selinux
%patch61 -p0 -b .unbreakalive
%patch62 -p0 -b .manpage %patch62 -p0 -b .manpage
autoreconf autoreconf
@ -423,7 +417,7 @@ fi
%files %files
%defattr(-,root,root) %defattr(-,root,root)
%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* RFC* TODO WARNING* %doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW PROTOCOL* README* TODO WARNING*
%attr(0755,root,root) %dir %{_sysconfdir}/ssh %attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
%if ! %{rescue} %if ! %{rescue}
@ -468,6 +462,7 @@ fi
%attr(0755,root,root) %{_sbindir}/sshd %attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5* %attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
%attr(0644,root,root) %{_mandir}/man5/moduli.5*
%attr(0644,root,root) %{_mandir}/man8/sshd.8* %attr(0644,root,root) %{_mandir}/man8/sshd.8*
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
@ -484,6 +479,11 @@ fi
%endif %endif
%changelog %changelog
* Wed Jul 23 2008 Tomas Mraz <tmraz@redhat.com> - 5.1p1-1
- upgrade to new upstream release
- fixed a problem with public key authentication and explicitely
specified SELinux role
* Wed May 21 2008 Tomas Mraz <tmraz@redhat.com> - 5.0p1-3 * Wed May 21 2008 Tomas Mraz <tmraz@redhat.com> - 5.0p1-3
- pass the connection socket to ssh-keysign (#447680) - pass the connection socket to ssh-keysign (#447680)

2
sources
View File

@ -1 +1 @@
e39c15a5fb9036bd64256c78a6fbf394 openssh-5.0p1-noacss.tar.bz2 5273579190b10f53baaf87f3c6eb0d73 openssh-5.1p1-noacss.tar.bz2