From 94c6f8ddcc028cc46d17ba9e66ca737f03ef40c6 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Tue, 3 Jun 2014 16:51:07 +0200 Subject: [PATCH] rebase to openssh-6.6p1 --- .gitignore | 1 + ...patch => openssh-6.6p1-CVE-2014-2653.patch | 12 +- ...patch => openssh-6.6p1-allow-ip-opts.patch | 19 +- ....patch => openssh-6.6p1-ctr-cavstest.patch | 89 +- ...tropy.patch => openssh-6.6p1-entropy.patch | 141 +- ...t.patch => openssh-6.6p1-fingerprint.patch | 115 +- ...keycat.patch => openssh-6.6p1-keycat.patch | 138 +- ...yperm.patch => openssh-6.6p1-keyperm.patch | 22 +- ...3p1-ldap.patch => openssh-6.6p1-ldap.patch | 1269 +++++++++-------- ...patch => openssh-6.6p1-log-usepam-no.patch | 20 +- ...tch => openssh-6.6p1-privsep-selinux.patch | 68 +- ...redhat.patch => openssh-6.6p1-redhat.patch | 102 +- ...-mls.patch => openssh-6.6p1-role-mls.patch | 559 ++++---- openssh.spec | 91 +- sources | 2 +- 15 files changed, 1381 insertions(+), 1267 deletions(-) rename openssh-6.4p1-CVE-2014-2653.patch => openssh-6.6p1-CVE-2014-2653.patch (91%) rename openssh-5.2p1-allow-ip-opts.patch => openssh-6.6p1-allow-ip-opts.patch (74%) rename openssh-6.3p1-ctr-cavstest.patch => openssh-6.6p1-ctr-cavstest.patch (90%) rename openssh-6.2p1-entropy.patch => openssh-6.6p1-entropy.patch (70%) rename openssh-6.3p1-fingerprint.patch => openssh-6.6p1-fingerprint.patch (78%) rename openssh-6.3p1-keycat.patch => openssh-6.6p1-keycat.patch (72%) rename openssh-5.8p1-keyperm.patch => openssh-6.6p1-keyperm.patch (56%) rename openssh-6.3p1-ldap.patch => openssh-6.6p1-ldap.patch (95%) rename openssh-6.1p1-log-usepam-no.patch => openssh-6.6p1-log-usepam-no.patch (54%) rename openssh-6.3p1-privsep-selinux.patch => openssh-6.6p1-privsep-selinux.patch (51%) rename openssh-6.3p1-redhat.patch => openssh-6.6p1-redhat.patch (72%) rename openssh-6.3p1-role-mls.patch => openssh-6.6p1-role-mls.patch (66%) diff --git a/.gitignore b/.gitignore index 04bccd9..e407e89 100644 --- a/.gitignore +++ b/.gitignore @@ -12,3 +12,4 @@ pam_ssh_agent_auth-0.9.2.tar.bz2 /openssh-6.2p2.tar.gz /openssh-6.3p1.tar.gz /openssh-6.4p1.tar.gz +/openssh-6.6p1.tar.gz diff --git a/openssh-6.4p1-CVE-2014-2653.patch b/openssh-6.6p1-CVE-2014-2653.patch similarity index 91% rename from openssh-6.4p1-CVE-2014-2653.patch rename to openssh-6.6p1-CVE-2014-2653.patch index 27f3fa3..c3bd0a1 100644 --- a/openssh-6.4p1-CVE-2014-2653.patch +++ b/openssh-6.6p1-CVE-2014-2653.patch @@ -1,5 +1,5 @@ diff --git a/ChangeLog b/ChangeLog -index 29d70ec..a0fb67e 100644 +index 38de846..1603a07 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,14 @@ @@ -14,14 +14,14 @@ index 29d70ec..a0fb67e 100644 + + Reported by mcv21 AT cam.ac.uk + - 20131010 - - dtucker@cvs.openbsd.org 2013/10/08 11:42:13 - [dh.c dh.h] + 20140313 + - (djm) Release OpenSSH 6.6 + diff --git a/sshconnect.c b/sshconnect.c -index ddc167e..4d8c718 100644 +index 394cca8..e636f33 100644 --- a/sshconnect.c +++ b/sshconnect.c -@@ -1136,30 +1136,40 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) +@@ -1219,30 +1219,40 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) { int flags = 0; char *fp; diff --git a/openssh-5.2p1-allow-ip-opts.patch b/openssh-6.6p1-allow-ip-opts.patch similarity index 74% rename from openssh-5.2p1-allow-ip-opts.patch rename to openssh-6.6p1-allow-ip-opts.patch index 96aaab1..e56d8aa 100644 --- a/openssh-5.2p1-allow-ip-opts.patch +++ b/openssh-6.6p1-allow-ip-opts.patch @@ -1,7 +1,8 @@ -diff -up openssh-5.2p1/canohost.c.ip-opts openssh-5.2p1/canohost.c ---- openssh-5.2p1/canohost.c.ip-opts 2009-02-14 06:28:21.000000000 +0100 -+++ openssh-5.2p1/canohost.c 2009-09-01 15:31:29.000000000 +0200 -@@ -169,12 +169,27 @@ check_ip_options(int sock, char *ipaddr) +diff --git a/canohost.c b/canohost.c +index a61a8c9..97ce58c 100644 +--- a/canohost.c ++++ b/canohost.c +@@ -165,12 +165,29 @@ check_ip_options(int sock, char *ipaddr) option_size = sizeof(options); if (getsockopt(sock, ipproto, IP_OPTIONS, options, &option_size) >= 0 && option_size != 0) { @@ -18,8 +19,12 @@ diff -up openssh-5.2p1/canohost.c.ip-opts openssh-5.2p1/canohost.c + case 1: + ++i; + break; -+ case 131: -+ case 137: ++ case 130: ++ case 133: ++ case 134: ++ i += options[i + 1]; ++ break; ++ default: + /* Fail, fatally, if we detect either loose or strict + * source routing options. */ + text[0] = '\0'; @@ -28,8 +33,6 @@ diff -up openssh-5.2p1/canohost.c.ip-opts openssh-5.2p1/canohost.c + " %2.2x", options[i]); + fatal("Connection from %.100s with IP options:%.800s", + ipaddr, text); -+ default: -+ i += options[i + 1]; + } + } while (i < option_size); } diff --git a/openssh-6.3p1-ctr-cavstest.patch b/openssh-6.6p1-ctr-cavstest.patch similarity index 90% rename from openssh-6.3p1-ctr-cavstest.patch rename to openssh-6.6p1-ctr-cavstest.patch index 5cd9997..1997fa6 100644 --- a/openssh-6.3p1-ctr-cavstest.patch +++ b/openssh-6.6p1-ctr-cavstest.patch @@ -1,6 +1,47 @@ -diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c ---- openssh-6.2p1/ctr-cavstest.c.ctr-cavs 2013-03-25 21:35:52.512586671 +0100 -+++ openssh-6.2p1/ctr-cavstest.c 2013-03-25 21:35:52.512586671 +0100 +diff --git a/Makefile.in b/Makefile.in +index 4ab6717..581b121 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign + SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper + SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper + SSH_KEYCAT=$(libexecdir)/ssh-keycat ++CTR_CAVSTEST=$(libexecdir)/ctr-cavstest + SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper + PRIVSEP_PATH=@PRIVSEP_PATH@ + SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ +@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@ + MANFMT=@MANFMT@ + INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ + +-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) + + LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ + canohost.o channels.o cipher.o cipher-aes.o \ +@@ -180,6 +181,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o + ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o + $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS) + ++ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o ++ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) ++ + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o + $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) + +@@ -288,6 +292,7 @@ install-files: + $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ + fi + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT) ++ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) + $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 +diff --git a/ctr-cavstest.c b/ctr-cavstest.c +new file mode 100644 +index 0000000..bbcbe8a +--- /dev/null ++++ b/ctr-cavstest.c @@ -0,0 +1,208 @@ +/* + * @@ -103,7 +144,7 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c +int main (int argc, char *argv[]) +{ + -+ Cipher *c; ++ const Cipher *c; + CipherContext cc; + char *algo = "aes128-ctr"; + char *hexkey = NULL; @@ -194,7 +235,7 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c + return 2; + } + -+ cipher_crypt(&cc, outdata, data, datalen, 0, 0); ++ cipher_crypt(&cc, 0, outdata, data, datalen, 0, 0); + + free(data); + @@ -210,41 +251,3 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c + return 0; +} + -diff -up openssh-6.2p1/Makefile.in.ctr-cavs openssh-6.2p1/Makefile.in ---- openssh-6.2p1/Makefile.in.ctr-cavs 2013-03-25 21:35:52.451586280 +0100 -+++ openssh-6.2p1/Makefile.in 2013-03-25 21:37:14.956114584 +0100 -@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign - SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper - SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper - SSH_KEYCAT=$(libexecdir)/ssh-keycat -+CTR_CAVSTEST=$(libexecdir)/ctr-cavstest - SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper - PRIVSEP_PATH=@PRIVSEP_PATH@ - SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ -@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@ - MANFMT=@MANFMT@ - INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ - --TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) -+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) - - LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ - canohost.o channels.o cipher.o cipher-aes.o \ -@@ -174,6 +175,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l - ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keycat.o - $(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS) - -+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o -+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) -+ - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o - $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) - -@@ -281,6 +285,7 @@ install-files: - $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ - fi - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT) -+ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) - $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 diff --git a/openssh-6.2p1-entropy.patch b/openssh-6.6p1-entropy.patch similarity index 70% rename from openssh-6.2p1-entropy.patch rename to openssh-6.6p1-entropy.patch index 4553422..67bd30f 100644 --- a/openssh-6.2p1-entropy.patch +++ b/openssh-6.6p1-entropy.patch @@ -1,7 +1,8 @@ -diff -up openssh-6.2p1/entropy.c.entropy openssh-6.2p1/entropy.c ---- openssh-6.2p1/entropy.c.entropy 2013-03-25 19:31:42.737611051 +0100 -+++ openssh-6.2p1/entropy.c 2013-03-25 19:31:42.797611433 +0100 -@@ -237,6 +237,9 @@ seed_rng(void) +diff --git a/entropy.c b/entropy.c +index 2d483b3..b361a04 100644 +--- a/entropy.c ++++ b/entropy.c +@@ -234,6 +234,9 @@ seed_rng(void) memset(buf, '\0', sizeof(buf)); #endif /* OPENSSL_PRNG_ONLY */ @@ -11,21 +12,24 @@ diff -up openssh-6.2p1/entropy.c.entropy openssh-6.2p1/entropy.c if (RAND_status() != 1) fatal("PRNG is not seeded"); } -diff -up openssh-6.2p1/openbsd-compat/Makefile.in.entropy openssh-6.2p1/openbsd-compat/Makefile.in ---- openssh-6.2p1/openbsd-compat/Makefile.in.entropy 2013-03-25 19:31:42.798611440 +0100 -+++ openssh-6.2p1/openbsd-compat/Makefile.in 2013-03-25 19:33:02.042116876 +0100 -@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport +diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in +index b912dbe..9206337 100644 +--- a/openbsd-compat/Makefile.in ++++ b/openbsd-compat/Makefile.in +@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di - COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o + COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o --PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-solaris.o port-tun.o port-uw.o -+PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o +-PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o ++PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o .c.o: $(CC) $(CFLAGS) $(CPPFLAGS) -c $< -diff -up openssh-6.2p1/openbsd-compat/port-linux-prng.c.entropy openssh-6.2p1/openbsd-compat/port-linux-prng.c ---- openssh-6.2p1/openbsd-compat/port-linux-prng.c.entropy 2013-03-25 19:31:42.798611440 +0100 -+++ openssh-6.2p1/openbsd-compat/port-linux-prng.c 2013-03-25 19:31:42.798611440 +0100 +diff --git a/openbsd-compat/port-linux-prng.c b/openbsd-compat/port-linux-prng.c +new file mode 100644 +index 0000000..92a617c +--- /dev/null ++++ b/openbsd-compat/port-linux-prng.c @@ -0,0 +1,59 @@ +/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */ + @@ -86,9 +90,10 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux-prng.c.entropy openssh-6.2p1/op + fatal ("EOF reading %s", random); + } +} -diff -up openssh-6.2p1/ssh-add.0.entropy openssh-6.2p1/ssh-add.0 ---- openssh-6.2p1/ssh-add.0.entropy 2013-03-22 00:38:29.000000000 +0100 -+++ openssh-6.2p1/ssh-add.0 2013-03-25 19:31:42.799611446 +0100 +diff --git a/ssh-add.0 b/ssh-add.0 +index ba43fee..0b2629a 100644 +--- a/ssh-add.0 ++++ b/ssh-add.0 @@ -82,6 +82,16 @@ ENVIRONMENT Identifies the path of a UNIX-domain socket used to communicate with the agent. @@ -106,10 +111,11 @@ diff -up openssh-6.2p1/ssh-add.0.entropy openssh-6.2p1/ssh-add.0 FILES ~/.ssh/identity Contains the protocol version 1 RSA authentication identity of -diff -up openssh-6.2p1/ssh-add.1.entropy openssh-6.2p1/ssh-add.1 ---- openssh-6.2p1/ssh-add.1.entropy 2012-12-07 03:06:13.000000000 +0100 -+++ openssh-6.2p1/ssh-add.1 2013-03-25 19:31:42.799611446 +0100 -@@ -160,6 +160,20 @@ to make this work.) +diff --git a/ssh-add.1 b/ssh-add.1 +index 4812448..16305bf 100644 +--- a/ssh-add.1 ++++ b/ssh-add.1 +@@ -161,6 +161,20 @@ to make this work.) Identifies the path of a .Ux Ns -domain socket used to communicate with the agent. @@ -130,10 +136,11 @@ diff -up openssh-6.2p1/ssh-add.1.entropy openssh-6.2p1/ssh-add.1 .El .Sh FILES .Bl -tag -width Ds -diff -up openssh-6.2p1/ssh-agent.1.entropy openssh-6.2p1/ssh-agent.1 ---- openssh-6.2p1/ssh-agent.1.entropy 2010-12-01 01:50:35.000000000 +0100 -+++ openssh-6.2p1/ssh-agent.1 2013-03-25 19:31:42.800611452 +0100 -@@ -198,6 +198,24 @@ sockets used to contain the connection t +diff --git a/ssh-agent.1 b/ssh-agent.1 +index 281ecbd..1a9a635 100644 +--- a/ssh-agent.1 ++++ b/ssh-agent.1 +@@ -201,6 +201,24 @@ sockets used to contain the connection to the authentication agent. These sockets should only be readable by the owner. The sockets should get automatically removed when the agent exits. .El @@ -158,38 +165,11 @@ diff -up openssh-6.2p1/ssh-agent.1.entropy openssh-6.2p1/ssh-agent.1 .Sh SEE ALSO .Xr ssh 1 , .Xr ssh-add 1 , -diff -up openssh-6.2p1/sshd.8.entropy openssh-6.2p1/sshd.8 ---- openssh-6.2p1/sshd.8.entropy 2013-03-25 19:31:42.752611146 +0100 -+++ openssh-6.2p1/sshd.8 2013-03-25 19:31:42.800611452 +0100 -@@ -945,6 +945,24 @@ concurrently for different ports, this c - started last). - The content of this file is not sensitive; it can be world-readable. - .El -+.Sh ENVIRONMENT -+.Bl -tag -width Ds -compact -+.Pp -+.It Pa SSH_USE_STRONG_RNG -+The reseeding of the OpenSSL random generator is usually done from -+.Cm /dev/urandom . -+If the -+.Cm SSH_USE_STRONG_RNG -+environment variable is set to value other than -+.Cm 0 -+the OpenSSL random generator is reseeded from -+.Cm /dev/random . -+The number of bytes read is defined by the SSH_USE_STRONG_RNG value. -+Minimum is 14 bytes. -+This setting is not recommended on the computers without the hardware -+random generator because insufficient entropy causes the connection to -+be blocked until enough entropy is available. -+.El - .Sh IPV6 - IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell. - .Sh SEE ALSO -diff -up openssh-6.2p1/ssh-keygen.1.entropy openssh-6.2p1/ssh-keygen.1 ---- openssh-6.2p1/ssh-keygen.1.entropy 2013-01-20 12:35:06.000000000 +0100 -+++ openssh-6.2p1/ssh-keygen.1 2013-03-25 19:31:42.801611459 +0100 -@@ -806,6 +806,24 @@ Contains Diffie-Hellman groups used for +diff --git a/ssh-keygen.1 b/ssh-keygen.1 +index 12e00d4..1b51a4a 100644 +--- a/ssh-keygen.1 ++++ b/ssh-keygen.1 +@@ -832,6 +832,24 @@ Contains Diffie-Hellman groups used for DH-GEX. The file format is described in .Xr moduli 5 . .El @@ -214,10 +194,11 @@ diff -up openssh-6.2p1/ssh-keygen.1.entropy openssh-6.2p1/ssh-keygen.1 .Sh SEE ALSO .Xr ssh 1 , .Xr ssh-add 1 , -diff -up openssh-6.2p1/ssh-keysign.8.entropy openssh-6.2p1/ssh-keysign.8 ---- openssh-6.2p1/ssh-keysign.8.entropy 2010-08-31 14:41:14.000000000 +0200 -+++ openssh-6.2p1/ssh-keysign.8 2013-03-25 19:31:42.801611459 +0100 -@@ -78,6 +78,24 @@ must be set-uid root if host-based authe +diff --git a/ssh-keysign.8 b/ssh-keysign.8 +index 69d0829..02d79f8 100644 +--- a/ssh-keysign.8 ++++ b/ssh-keysign.8 +@@ -80,6 +80,24 @@ must be set-uid root if host-based authentication is used. If these files exist they are assumed to contain public certificate information corresponding with the private keys above. .El @@ -242,10 +223,11 @@ diff -up openssh-6.2p1/ssh-keysign.8.entropy openssh-6.2p1/ssh-keysign.8 .Sh SEE ALSO .Xr ssh 1 , .Xr ssh-keygen 1 , -diff -up openssh-6.2p1/ssh.1.entropy openssh-6.2p1/ssh.1 ---- openssh-6.2p1/ssh.1.entropy 2013-03-25 19:31:42.752611146 +0100 -+++ openssh-6.2p1/ssh.1 2013-03-25 19:31:42.799611446 +0100 -@@ -1277,6 +1277,23 @@ For more information, see the +diff --git a/ssh.1 b/ssh.1 +index 929904b..f65e42f 100644 +--- a/ssh.1 ++++ b/ssh.1 +@@ -1309,6 +1309,23 @@ For more information, see the .Cm PermitUserEnvironment option in .Xr sshd_config 5 . @@ -269,3 +251,32 @@ diff -up openssh-6.2p1/ssh.1.entropy openssh-6.2p1/ssh.1 .Sh FILES .Bl -tag -width Ds -compact .It Pa ~/.rhosts +diff --git a/sshd.8 b/sshd.8 +index c2c237f..058d37a 100644 +--- a/sshd.8 ++++ b/sshd.8 +@@ -951,6 +951,24 @@ concurrently for different ports, this contains the process ID of the one + started last). + The content of this file is not sensitive; it can be world-readable. + .El ++.Sh ENVIRONMENT ++.Bl -tag -width Ds -compact ++.Pp ++.It Pa SSH_USE_STRONG_RNG ++The reseeding of the OpenSSL random generator is usually done from ++.Cm /dev/urandom . ++If the ++.Cm SSH_USE_STRONG_RNG ++environment variable is set to value other than ++.Cm 0 ++the OpenSSL random generator is reseeded from ++.Cm /dev/random . ++The number of bytes read is defined by the SSH_USE_STRONG_RNG value. ++Minimum is 14 bytes. ++This setting is not recommended on the computers without the hardware ++random generator because insufficient entropy causes the connection to ++be blocked until enough entropy is available. ++.El + .Sh IPV6 + IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell. + .Sh SEE ALSO diff --git a/openssh-6.3p1-fingerprint.patch b/openssh-6.6p1-fingerprint.patch similarity index 78% rename from openssh-6.3p1-fingerprint.patch rename to openssh-6.6p1-fingerprint.patch index b9cfbdb..c5332fb 100644 --- a/openssh-6.3p1-fingerprint.patch +++ b/openssh-6.6p1-fingerprint.patch @@ -1,7 +1,7 @@ -diff -up openssh-6.3p1/auth-rsa.c.fingerprint openssh-6.3p1/auth-rsa.c -diff -up openssh-6.3p1/auth.c.fingerprint openssh-6.3p1/auth.c ---- openssh-6.3p1/auth.c.fingerprint 2013-10-07 14:02:36.998968153 +0200 -+++ openssh-6.3p1/auth.c 2013-10-07 15:42:05.243812405 +0200 +diff --git a/auth.c b/auth.c +index 9a36f1d..420a85b 100644 +--- a/auth.c ++++ b/auth.c @@ -685,9 +685,10 @@ auth_key_is_revoked(Key *key) case 1: revoked: @@ -15,10 +15,11 @@ diff -up openssh-6.3p1/auth.c.fingerprint openssh-6.3p1/auth.c free(key_fp); return 1; } -diff -up openssh-6.3p1/auth2-hostbased.c.fingerprint openssh-6.3p1/auth2-hostbased.c ---- openssh-6.3p1/auth2-hostbased.c.fingerprint 2013-10-07 14:02:36.998968153 +0200 -+++ openssh-6.3p1/auth2-hostbased.c 2013-10-07 15:43:49.747355927 +0200 -@@ -200,16 +200,18 @@ hostbased_key_allowed(struct passwd *pw, +diff --git a/auth2-hostbased.c b/auth2-hostbased.c +index 488008f..eca0069 100644 +--- a/auth2-hostbased.c ++++ b/auth2-hostbased.c +@@ -206,16 +206,18 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, if (host_status == HOST_OK) { if (key_is_cert(key)) { @@ -44,10 +45,11 @@ diff -up openssh-6.3p1/auth2-hostbased.c.fingerprint openssh-6.3p1/auth2-hostbas } free(fp); } -diff -up openssh-6.3p1/auth2-pubkey.c.fingerprint openssh-6.3p1/auth2-pubkey.c ---- openssh-6.3p1/auth2-pubkey.c.fingerprint 2013-07-18 08:10:10.000000000 +0200 -+++ openssh-6.3p1/auth2-pubkey.c 2013-10-07 15:50:44.617495624 +0200 -@@ -359,10 +359,10 @@ check_authkeys_file(FILE *f, char *file, +diff --git a/auth2-pubkey.c b/auth2-pubkey.c +index 0fd27bb..749b11a 100644 +--- a/auth2-pubkey.c ++++ b/auth2-pubkey.c +@@ -365,10 +365,10 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) continue; if (!key_is_cert_authority) continue; @@ -62,7 +64,7 @@ diff -up openssh-6.3p1/auth2-pubkey.c.fingerprint openssh-6.3p1/auth2-pubkey.c /* * If the user has specified a list of principals as * a key option, then prefer that list to matching -@@ -400,9 +400,9 @@ check_authkeys_file(FILE *f, char *file, +@@ -406,9 +406,9 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) if (key_is_cert_authority) continue; found_key = 1; @@ -75,7 +77,7 @@ diff -up openssh-6.3p1/auth2-pubkey.c.fingerprint openssh-6.3p1/auth2-pubkey.c free(fp); break; } -@@ -425,13 +425,13 @@ user_cert_trusted_ca(struct passwd *pw, +@@ -431,13 +431,13 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL) return 0; @@ -93,10 +95,11 @@ diff -up openssh-6.3p1/auth2-pubkey.c.fingerprint openssh-6.3p1/auth2-pubkey.c options.trusted_user_ca_keys); goto out; } -diff -up openssh-6.3p1/key.c.fingerprint openssh-6.3p1/key.c ---- openssh-6.3p1/key.c.fingerprint 2013-10-07 14:02:36.971968285 +0200 -+++ openssh-6.3p1/key.c 2013-10-07 14:02:36.999968148 +0200 -@@ -598,6 +598,34 @@ key_fingerprint(const Key *k, enum fp_ty +diff --git a/key.c b/key.c +index 168e1b7..eb98ea8 100644 +--- a/key.c ++++ b/key.c +@@ -628,6 +628,34 @@ key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) return retval; } @@ -131,10 +134,11 @@ diff -up openssh-6.3p1/key.c.fingerprint openssh-6.3p1/key.c /* * Reads a multiple-precision integer in decimal from the buffer, and advances * the pointer. The integer must already be initialized. This function is -diff -up openssh-6.3p1/key.h.fingerprint openssh-6.3p1/key.h ---- openssh-6.3p1/key.h.fingerprint 2013-10-07 14:02:36.999968148 +0200 -+++ openssh-6.3p1/key.h 2013-10-07 15:44:17.574233450 +0200 -@@ -97,6 +97,9 @@ int key_equal_public(const Key *, cons +diff --git a/key.h b/key.h +index d8ad13d..0e3eea5 100644 +--- a/key.h ++++ b/key.h +@@ -104,6 +104,9 @@ int key_equal_public(const Key *, const Key *); int key_equal(const Key *, const Key *); char *key_fingerprint(const Key *, enum fp_type, enum fp_rep); u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *); @@ -144,10 +148,11 @@ diff -up openssh-6.3p1/key.h.fingerprint openssh-6.3p1/key.h const char *key_type(const Key *); const char *key_cert_type(const Key *); int key_write(const Key *, FILE *); -diff -up openssh-6.3p1/ssh-add.c.fingerprint openssh-6.3p1/ssh-add.c ---- openssh-6.3p1/ssh-add.c.fingerprint 2013-10-07 14:02:37.000968143 +0200 -+++ openssh-6.3p1/ssh-add.c 2013-10-07 14:44:57.466515766 +0200 -@@ -326,10 +326,10 @@ list_identities(AuthenticationConnection +diff --git a/ssh-add.c b/ssh-add.c +index 3421452..691949f 100644 +--- a/ssh-add.c ++++ b/ssh-add.c +@@ -330,10 +330,10 @@ list_identities(AuthenticationConnection *ac, int do_fp) key = ssh_get_next_identity(ac, &comment, version)) { had_identities = 1; if (do_fp) { @@ -162,9 +167,10 @@ diff -up openssh-6.3p1/ssh-add.c.fingerprint openssh-6.3p1/ssh-add.c free(fp); } else { if (!key_write(key, stdout)) -diff -up openssh-6.3p1/ssh-agent.c.fingerprint openssh-6.3p1/ssh-agent.c ---- openssh-6.3p1/ssh-agent.c.fingerprint 2013-10-07 14:02:37.000968143 +0200 -+++ openssh-6.3p1/ssh-agent.c 2013-10-07 15:41:11.627044336 +0200 +diff --git a/ssh-agent.c b/ssh-agent.c +index ba24612..117fdde 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c @@ -198,9 +198,9 @@ confirm_key(Identity *id) char *p; int ret = -1; @@ -178,10 +184,11 @@ diff -up openssh-6.3p1/ssh-agent.c.fingerprint openssh-6.3p1/ssh-agent.c ret = 0; free(p); -diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c ---- openssh-6.3p1/ssh-keygen.c.fingerprint 2013-07-20 05:22:32.000000000 +0200 -+++ openssh-6.3p1/ssh-keygen.c 2013-10-07 14:25:52.864145038 +0200 -@@ -767,13 +767,14 @@ do_fingerprint(struct passwd *pw) +diff --git a/ssh-keygen.c b/ssh-keygen.c +index 2a316bc..482dc1c 100644 +--- a/ssh-keygen.c ++++ b/ssh-keygen.c +@@ -783,13 +783,14 @@ do_fingerprint(struct passwd *pw) { FILE *f; Key *public; @@ -198,7 +205,7 @@ diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; if (!have_identity) -@@ -785,8 +786,8 @@ do_fingerprint(struct passwd *pw) +@@ -801,8 +802,8 @@ do_fingerprint(struct passwd *pw) public = key_load_public(identity_file, &comment); if (public != NULL) { fp = key_fingerprint(public, fptype, rep); @@ -209,7 +216,7 @@ diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c key_type(public)); if (log_level >= SYSLOG_LEVEL_VERBOSE) printf("%s\n", ra); -@@ -851,8 +852,8 @@ do_fingerprint(struct passwd *pw) +@@ -867,8 +868,8 @@ do_fingerprint(struct passwd *pw) } comment = *cp ? cp : comment; fp = key_fingerprint(public, fptype, rep); @@ -220,7 +227,7 @@ diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c comment ? comment : "no comment", key_type(public)); if (log_level >= SYSLOG_LEVEL_VERBOSE) printf("%s\n", ra); -@@ -970,13 +971,15 @@ printhost(FILE *f, const char *name, Key +@@ -986,13 +987,15 @@ printhost(FILE *f, const char *name, Key *public, int ca, int hash) if (print_fingerprint) { enum fp_rep rep; enum fp_type fptype; @@ -240,7 +247,7 @@ diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c key_type(public)); if (log_level >= SYSLOG_LEVEL_VERBOSE) printf("%s\n", ra); -@@ -1855,16 +1858,17 @@ do_show_cert(struct passwd *pw) +@@ -1878,16 +1881,17 @@ do_show_cert(struct passwd *pw) fatal("%s is not a certificate", identity_file); v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00; @@ -264,7 +271,7 @@ diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c printf(" Key ID: \"%s\"\n", key->cert->key_id); if (!v00) { printf(" Serial: %llu\n", -@@ -2655,13 +2659,12 @@ passphrase_again: +@@ -2686,13 +2690,12 @@ passphrase_again: fclose(f); if (!quiet) { @@ -281,10 +288,11 @@ diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c printf("The key's randomart image is:\n"); printf("%s\n", ra); free(ra); -diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c ---- openssh-6.3p1/sshconnect.c.fingerprint 2013-06-01 23:31:19.000000000 +0200 -+++ openssh-6.3p1/sshconnect.c 2013-10-07 14:43:54.859822036 +0200 -@@ -830,10 +830,10 @@ check_host_key(char *hostname, struct so +diff --git a/sshconnect.c b/sshconnect.c +index 573d7a8..394cca8 100644 +--- a/sshconnect.c ++++ b/sshconnect.c +@@ -914,10 +914,10 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, "key for IP address '%.128s' to the list " "of known hosts.", type, ip); } else if (options.visual_host_key) { @@ -299,7 +307,7 @@ diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c free(ra); free(fp); } -@@ -871,9 +871,8 @@ check_host_key(char *hostname, struct so +@@ -955,9 +955,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, else snprintf(msg1, sizeof(msg1), "."); /* The default */ @@ -311,7 +319,7 @@ diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c msg2[0] = '\0'; if (options.verify_host_key_dns) { if (matching_host_key_dns) -@@ -888,10 +887,11 @@ check_host_key(char *hostname, struct so +@@ -972,10 +971,11 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, snprintf(msg, sizeof(msg), "The authenticity of host '%.200s (%s)' can't be " "established%s\n" @@ -325,7 +333,7 @@ diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c options.visual_host_key ? "\n" : "", options.visual_host_key ? ra : "", msg2); -@@ -1136,8 +1136,9 @@ verify_host_key(char *host, struct socka +@@ -1220,8 +1220,9 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) int flags = 0; char *fp; @@ -337,7 +345,7 @@ diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c free(fp); /* XXX certs are not yet supported for DNS */ -@@ -1238,14 +1239,15 @@ show_other_keys(struct hostkeys *hostkey +@@ -1327,14 +1328,15 @@ show_other_keys(struct hostkeys *hostkeys, Key *key) continue; if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found)) continue; @@ -357,7 +365,7 @@ diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c if (options.visual_host_key) logit("%s", ra); free(ra); -@@ -1260,7 +1262,7 @@ warn_changed_key(Key *host_key) +@@ -1349,7 +1351,7 @@ warn_changed_key(Key *host_key) { char *fp; @@ -366,7 +374,7 @@ diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @"); -@@ -1268,8 +1270,8 @@ warn_changed_key(Key *host_key) +@@ -1357,8 +1359,8 @@ warn_changed_key(Key *host_key) error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!"); error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); error("It is also possible that a host key has just been changed."); @@ -377,10 +385,11 @@ diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c error("Please contact your system administrator."); free(fp); -diff -up openssh-6.3p1/sshconnect2.c.fingerprint openssh-6.3p1/sshconnect2.c ---- openssh-6.3p1/sshconnect2.c.fingerprint 2013-10-07 14:02:37.001968139 +0200 -+++ openssh-6.3p1/sshconnect2.c 2013-10-07 15:20:09.403234714 +0200 -@@ -590,8 +590,9 @@ input_userauth_pk_ok(int type, u_int32_t +diff --git a/sshconnect2.c b/sshconnect2.c +index 7f4ff41..adbbfc7 100644 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -577,8 +577,9 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt) key->type, pktype); goto done; } @@ -392,7 +401,7 @@ diff -up openssh-6.3p1/sshconnect2.c.fingerprint openssh-6.3p1/sshconnect2.c free(fp); /* -@@ -1202,8 +1203,9 @@ sign_and_send_pubkey(Authctxt *authctxt, +@@ -986,8 +987,9 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id) int have_sig = 1; char *fp; diff --git a/openssh-6.3p1-keycat.patch b/openssh-6.6p1-keycat.patch similarity index 72% rename from openssh-6.3p1-keycat.patch rename to openssh-6.6p1-keycat.patch index 6105d09..d30dedb 100644 --- a/openssh-6.3p1-keycat.patch +++ b/openssh-6.6p1-keycat.patch @@ -1,6 +1,8 @@ -diff -up openssh-6.3p1/HOWTO.ssh-keycat.keycat openssh-6.3p1/HOWTO.ssh-keycat ---- openssh-6.3p1/HOWTO.ssh-keycat.keycat 2013-10-10 15:16:33.445566916 +0200 -+++ openssh-6.3p1/HOWTO.ssh-keycat 2013-10-10 15:16:33.445566916 +0200 +diff --git a/HOWTO.ssh-keycat b/HOWTO.ssh-keycat +new file mode 100644 +index 0000000..630ec62 +--- /dev/null ++++ b/HOWTO.ssh-keycat @@ -0,0 +1,12 @@ +The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys +of an user in any environment. This includes environments with @@ -14,9 +16,10 @@ diff -up openssh-6.3p1/HOWTO.ssh-keycat.keycat openssh-6.3p1/HOWTO.ssh-keycat + PubkeyAuthentication yes + + -diff -up openssh-6.3p1/Makefile.in.keycat openssh-6.3p1/Makefile.in ---- openssh-6.3p1/Makefile.in.keycat 2013-10-10 15:16:33.442566930 +0200 -+++ openssh-6.3p1/Makefile.in 2013-10-10 15:16:33.445566916 +0200 +diff --git a/Makefile.in b/Makefile.in +index 411eadb..4ab6717 100644 +--- a/Makefile.in ++++ b/Makefile.in @@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper @@ -34,17 +37,17 @@ diff -up openssh-6.3p1/Makefile.in.keycat openssh-6.3p1/Makefile.in LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ canohost.o channels.o cipher.o cipher-aes.o \ -@@ -172,6 +173,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) +@@ -176,6 +177,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11 ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) -+ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keycat.o -+ $(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS) ++ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o ++ $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -@@ -279,6 +283,7 @@ install-files: +@@ -283,6 +287,7 @@ install-files: $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ fi @@ -52,15 +55,16 @@ diff -up openssh-6.3p1/Makefile.in.keycat openssh-6.3p1/Makefile.in $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -diff -up openssh-6.3p1/auth2-pubkey.c.keycat openssh-6.3p1/auth2-pubkey.c ---- openssh-6.3p1/auth2-pubkey.c.keycat 2013-10-10 15:16:33.429566992 +0200 -+++ openssh-6.3p1/auth2-pubkey.c 2013-10-10 15:16:33.445566916 +0200 -@@ -606,6 +606,14 @@ user_key_command_allowed2(struct passwd +diff --git a/auth2-pubkey.c b/auth2-pubkey.c +index c0ae0d4..cb0f931 100644 +--- a/auth2-pubkey.c ++++ b/auth2-pubkey.c +@@ -600,6 +600,14 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key) _exit(1); } +#ifdef WITH_SELINUX -+ if (ssh_selinux_setup_env_variables() < 0) { ++ if (sshd_selinux_setup_env_variables() < 0) { + error ("failed to copy environment: %s", + strerror(errno)); + _exit(127); @@ -70,19 +74,41 @@ diff -up openssh-6.3p1/auth2-pubkey.c.keycat openssh-6.3p1/auth2-pubkey.c execl(options.authorized_keys_command, options.authorized_keys_command, user_pw->pw_name, NULL); -diff -up openssh-6.3p1/openbsd-compat/port-linux.c.keycat openssh-6.3p1/openbsd-compat/port-linux.c ---- openssh-6.3p1/openbsd-compat/port-linux.c.keycat 2013-10-10 15:16:33.435566964 +0200 -+++ openssh-6.3p1/openbsd-compat/port-linux.c 2013-10-10 15:32:19.946065189 +0200 -@@ -313,7 +313,7 @@ ssh_selinux_getctxbyname(char *pwname, +diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c +index d04f4ed..0077dd7 100644 +--- a/openbsd-compat/port-linux-sshd.c ++++ b/openbsd-compat/port-linux-sshd.c +@@ -53,6 +53,20 @@ extern Authctxt *the_authctxt; + extern int inetd_flag; + extern int rexeced_flag; + ++/* Wrapper around is_selinux_enabled() to log its return value once only */ ++int ++sshd_selinux_enabled(void) ++{ ++ static int enabled = -1; ++ ++ if (enabled == -1) { ++ enabled = (is_selinux_enabled() == 1); ++ debug("SELinux support %s", enabled ? "enabled" : "disabled"); ++ } ++ ++ return (enabled); ++} ++ + /* Send audit message */ + static int + sshd_selinux_send_audit_message(int success, security_context_t default_context, +@@ -307,7 +321,7 @@ sshd_selinux_getctxbyname(char *pwname, /* Setup environment variables for pam_selinux */ static int --ssh_selinux_setup_pam_variables(void) -+ssh_selinux_setup_variables(int(*set_it)(const char *, const char *)) +-sshd_selinux_setup_pam_variables(void) ++sshd_selinux_setup_variables(int(*set_it)(char *, const char *)) { const char *reqlvl; char *role; -@@ -324,16 +324,16 @@ ssh_selinux_setup_pam_variables(void) +@@ -318,16 +332,16 @@ sshd_selinux_setup_pam_variables(void) ssh_selinux_get_role_level(&role, &reqlvl); @@ -102,34 +128,82 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.keycat openssh-6.3p1/openbsd- if (role != NULL) free(role); -@@ -341,6 +341,24 @@ ssh_selinux_setup_pam_variables(void) +@@ -335,6 +349,24 @@ sshd_selinux_setup_pam_variables(void) return rv; } +static int -+ssh_selinux_setup_pam_variables(void) ++sshd_selinux_setup_pam_variables(void) +{ -+ return ssh_selinux_setup_variables(do_pam_putenv); ++ return sshd_selinux_setup_variables(do_pam_putenv); +} + +static int -+do_setenv(char *name, char *value) ++do_setenv(char *name, const char *value) +{ + return setenv(name, value, 1); +} + +int -+ssh_selinux_setup_env_variables(void) ++sshd_selinux_setup_env_variables(void) +{ -+ return ssh_selinux_setup_variables(do_setenv); ++ return sshd_selinux_setup_variables(do_setenv); +} + /* Set the execution context to the default for the specified user */ void - ssh_selinux_setup_exec_context(char *pwname) -diff -up openssh-6.3p1/ssh-keycat.c.keycat openssh-6.3p1/ssh-keycat.c ---- openssh-6.3p1/ssh-keycat.c.keycat 2013-10-10 15:16:33.446566911 +0200 -+++ openssh-6.3p1/ssh-keycat.c 2013-10-10 15:16:33.446566911 +0200 + sshd_selinux_setup_exec_context(char *pwname) +@@ -343,7 +375,7 @@ sshd_selinux_setup_exec_context(char *pwname) + int r = 0; + security_context_t default_ctx = NULL; + +- if (!ssh_selinux_enabled()) ++ if (!sshd_selinux_enabled()) + return; + + if (options.use_pam) { +@@ -414,7 +446,7 @@ sshd_selinux_copy_context(void) + { + security_context_t *ctx; + +- if (!ssh_selinux_enabled()) ++ if (!sshd_selinux_enabled()) + return; + + if (getexeccon((security_context_t *)&ctx) != 0) { +diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h +index b18893c..cb51f99 100644 +--- a/openbsd-compat/port-linux.h ++++ b/openbsd-compat/port-linux.h +@@ -25,8 +25,10 @@ void ssh_selinux_setup_pty(char *, const char *); + void ssh_selinux_change_context(const char *); + void ssh_selinux_setfscreatecon(const char *); + ++int sshd_selinux_enabled(void); + void sshd_selinux_copy_context(void); + void sshd_selinux_setup_exec_context(char *); ++int sshd_selinux_setup_env_variables(void); + #endif + + #ifdef LINUX_OOM_ADJUST +diff --git a/platform.c b/platform.c +index 0d39ab2..0dae387 100644 +--- a/platform.c ++++ b/platform.c +@@ -102,7 +102,7 @@ platform_setusercontext(struct passwd *pw) + { + #ifdef WITH_SELINUX + /* Cache selinux status for later use */ +- (void)ssh_selinux_enabled(); ++ (void)sshd_selinux_enabled(); + #endif + + #ifdef USE_SOLARIS_PROJECTS +diff --git a/ssh-keycat.c b/ssh-keycat.c +new file mode 100644 +index 0000000..f8ed7af +--- /dev/null ++++ b/ssh-keycat.c @@ -0,0 +1,238 @@ +/* + * Redistribution and use in source and binary forms, with or without diff --git a/openssh-5.8p1-keyperm.patch b/openssh-6.6p1-keyperm.patch similarity index 56% rename from openssh-5.8p1-keyperm.patch rename to openssh-6.6p1-keyperm.patch index 6167c14..fccb328 100644 --- a/openssh-5.8p1-keyperm.patch +++ b/openssh-6.6p1-keyperm.patch @@ -1,15 +1,15 @@ -diff -up openssh-5.8p1/authfile.c.keyperm openssh-5.8p1/authfile.c ---- openssh-5.8p1/authfile.c.keyperm 2010-12-01 02:03:39.000000000 +0100 -+++ openssh-5.8p1/authfile.c 2011-04-21 16:43:36.859648916 +0200 -@@ -57,6 +57,7 @@ - #include - #include - #include -+#include +diff -up openssh-6.6p1/authfile.c.keyperm openssh-6.6p1/authfile.c +--- openssh-6.6p1/authfile.c.keyperm 2014-02-04 01:20:15.000000000 +0100 ++++ openssh-6.6p1/authfile.c 2014-05-05 15:20:43.075246776 +0200 +@@ -54,6 +54,7 @@ - #include "xmalloc.h" - #include "cipher.h" -@@ -600,6 +612,13 @@ key_perm_ok(int fd, const char *filename + #include + #include ++#include + #include + #include + #include +@@ -979,6 +980,13 @@ key_perm_ok(int fd, const char *filename #ifdef HAVE_CYGWIN if (check_ntsec(filename)) #endif diff --git a/openssh-6.3p1-ldap.patch b/openssh-6.6p1-ldap.patch similarity index 95% rename from openssh-6.3p1-ldap.patch rename to openssh-6.6p1-ldap.patch index 052973c..961cdf5 100644 --- a/openssh-6.3p1-ldap.patch +++ b/openssh-6.6p1-ldap.patch @@ -1,116 +1,8 @@ -diff -up openssh-6.2p1/configure.ac.ldap openssh-6.2p1/configure.ac ---- openssh-6.2p1/configure.ac.ldap 2013-03-20 02:55:15.000000000 +0100 -+++ openssh-6.2p1/configure.ac 2013-03-25 21:27:15.888248071 +0100 -@@ -1509,6 +1509,106 @@ AC_ARG_WITH([audit], - esac ] - ) - -+# Check whether user wants LDAP support -+LDAP_MSG="no" -+INSTALL_SSH_LDAP_HELPER="" -+AC_ARG_WITH(ldap, -+ [ --with-ldap[[=PATH]] Enable LDAP pubkey support (optionally in PATH)], -+ [ -+ if test "x$withval" != "xno" ; then -+ -+ INSTALL_SSH_LDAP_HELPER="yes" -+ CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED" -+ -+ if test "x$withval" != "xyes" ; then -+ CPPFLAGS="$CPPFLAGS -I${withval}/include" -+ LDFLAGS="$LDFLAGS -L${withval}/lib" -+ fi -+ -+ AC_DEFINE([WITH_LDAP_PUBKEY], 1, [Enable LDAP pubkey support]) -+ LDAP_MSG="yes" -+ -+ AC_CHECK_HEADERS(lber.h) -+ AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate )) -+ AC_CHECK_HEADERS(ldap_ssl.h) -+ -+ AC_ARG_WITH(ldap-lib, -+ [ --with-ldap-lib=type select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]]) -+ -+ if test -z "$with_ldap_lib"; then -+ with_ldap_lib=auto -+ fi -+ -+ if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = umich -o $with_ldap_lib = openldap \); then -+ AC_CHECK_LIB(lber, main, LIBS="-llber $LIBS" found_ldap_lib=yes) -+ AC_CHECK_LIB(ldap, main, LIBS="-lldap $LIBS" found_ldap_lib=yes) -+ fi -+ -+ if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then -+ AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes) -+ fi -+ -+ if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape4 \); then -+ AC_CHECK_LIB(ldapssl41, main, LIBS="-lldapssl41 -lplc3 -lplds3 -lnspr3 $LIBS" found_ldap_lib=yes) -+ if test -z "$found_ldap_lib"; then -+ AC_CHECK_LIB(ldapssl40, main, LIBS="-lldapssl40 $LIBS" found_ldap_lib=yes) -+ fi -+ if test -z "$found_ldap_lib"; then -+ AC_CHECK_LIB(ldap41, main, LIBS="-lldap41 $LIBS" found_ldap_lib=yes) -+ fi -+ if test -z "$found_ldap_lib"; then -+ AC_CHECK_LIB(ldap40, main, LIBS="-lldap40 $LIBS" found_ldap_lib=yes) -+ fi -+ fi -+ -+ if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape3 \); then -+ AC_CHECK_LIB(ldapssl30, main, LIBS="-lldapssl30 $LIBS" found_ldap_lib=yes) -+ fi -+ -+ if test -z "$found_ldap_lib"; then -+ AC_MSG_ERROR(could not locate a valid LDAP library) -+ fi -+ -+ AC_MSG_CHECKING([for working LDAP support]) -+ AC_TRY_COMPILE( -+ [#include -+ #include ], -+ [(void)ldap_init(0, 0);], -+ [AC_MSG_RESULT(yes)], -+ [ -+ AC_MSG_RESULT(no) -+ AC_MSG_ERROR([** Incomplete or missing ldap libraries **]) -+ ]) -+ AC_CHECK_FUNCS( \ -+ ldap_init \ -+ ldap_get_lderrno \ -+ ldap_set_lderrno \ -+ ldap_parse_result \ -+ ldap_memfree \ -+ ldap_controls_free \ -+ ldap_set_option \ -+ ldap_get_option \ -+ ldapssl_init \ -+ ldap_start_tls_s \ -+ ldap_pvt_tls_set_option \ -+ ldap_initialize \ -+ ) -+ AC_CHECK_FUNCS(ldap_set_rebind_proc, -+ AC_MSG_CHECKING([number arguments of ldap_set_rebind_proc]) -+ AC_TRY_COMPILE( -+ [#include -+ #include ], -+ [ldap_set_rebind_proc(0, 0, 0);], -+ [ac_cv_ldap_set_rebind_proc=3], -+ [ac_cv_ldap_set_rebind_proc=2]) -+ AC_MSG_RESULT($ac_cv_ldap_set_rebind_proc) -+ AC_DEFINE(LDAP_SET_REBIND_PROC_ARGS, $ac_cv_ldap_set_rebind_proc, [number arguments of ldap_set_rebind_proc]) -+ ) -+ fi -+ ] -+) -+AC_SUBST(INSTALL_SSH_LDAP_HELPER) -+ - dnl Checks for library functions. Please keep in alphabetical order - AC_CHECK_FUNCS([ \ - arc4random \ -diff -up openssh-6.2p1/HOWTO.ldap-keys.ldap openssh-6.2p1/HOWTO.ldap-keys ---- openssh-6.2p1/HOWTO.ldap-keys.ldap 2013-03-25 21:27:15.889248078 +0100 -+++ openssh-6.2p1/HOWTO.ldap-keys 2013-03-25 21:27:15.889248078 +0100 +diff --git a/HOWTO.ldap-keys b/HOWTO.ldap-keys +new file mode 100644 +index 0000000..dd5f5cc +--- /dev/null ++++ b/HOWTO.ldap-keys @@ -0,0 +1,108 @@ + +HOW TO START @@ -220,9 +112,513 @@ diff -up openssh-6.2p1/HOWTO.ldap-keys.ldap openssh-6.2p1/HOWTO.ldap-keys +5) Author + Jan F. Chadima + -diff -up openssh-6.2p1/ldapbody.c.ldap openssh-6.2p1/ldapbody.c ---- openssh-6.2p1/ldapbody.c.ldap 2013-03-25 21:27:15.889248078 +0100 -+++ openssh-6.2p1/ldapbody.c 2013-03-25 21:27:15.889248078 +0100 +diff --git a/Makefile.in b/Makefile.in +index 28a8ec4..411eadb 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh + ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass + SFTP_SERVER=$(libexecdir)/sftp-server + SSH_KEYSIGN=$(libexecdir)/ssh-keysign ++SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper ++SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper + SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper + PRIVSEP_PATH=@PRIVSEP_PATH@ + SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ +@@ -60,8 +62,9 @@ XAUTH_PATH=@XAUTH_PATH@ + LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@ + EXEEXT=@EXEEXT@ + MANFMT=@MANFMT@ ++INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ + +-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) + + LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ + canohost.o channels.o cipher.o cipher-aes.o \ +@@ -98,8 +101,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ + sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ + sandbox-seccomp-filter.o sandbox-capsicum.o + +-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out +-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ++MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out ++MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5 + MANTYPE = @MANTYPE@ + + CONFIGFILES=sshd_config.out ssh_config.out moduli.out +@@ -170,6 +173,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readco + ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o + $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + ++ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o ++ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) ++ + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o + $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) + +@@ -273,6 +279,10 @@ install-files: + $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) + $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) ++ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \ ++ $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ ++ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ ++ fi + $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) + $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 +@@ -289,6 +299,10 @@ install-files: + $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 + $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 + $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 ++ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \ ++ $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \ ++ $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \ ++ fi + -rm -f $(DESTDIR)$(bindir)/slogin + ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 +@@ -318,6 +332,13 @@ install-sysconf: + else \ + echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \ + fi ++ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \ ++ if [ ! -f $(DESTDIR)$(sysconfdir)/ldap.conf ]; then \ ++ $(INSTALL) -m 644 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \ ++ else \ ++ echo "$(DESTDIR)$(sysconfdir)/ldap.conf already exists, install will not overwrite"; \ ++ fi ; \ ++ fi + + host-key: ssh-keygen$(EXEEXT) + @if [ -z "$(DESTDIR)" ] ; then \ +@@ -381,6 +402,8 @@ uninstall: + -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) + -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) + -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) ++ -rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT) ++ -rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT) + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 +@@ -392,6 +415,7 @@ uninstall: + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 ++ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 + + regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c +diff --git a/configure.ac b/configure.ac +index 7c6ce08..722a19e 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1625,6 +1625,106 @@ if test "x$use_pie" != "xno"; then + fi + fi + ++# Check whether user wants LDAP support ++LDAP_MSG="no" ++INSTALL_SSH_LDAP_HELPER="" ++AC_ARG_WITH(ldap, ++ [ --with-ldap[[=PATH]] Enable LDAP pubkey support (optionally in PATH)], ++ [ ++ if test "x$withval" != "xno" ; then ++ ++ INSTALL_SSH_LDAP_HELPER="yes" ++ CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED" ++ ++ if test "x$withval" != "xyes" ; then ++ CPPFLAGS="$CPPFLAGS -I${withval}/include" ++ LDFLAGS="$LDFLAGS -L${withval}/lib" ++ fi ++ ++ AC_DEFINE([WITH_LDAP_PUBKEY], 1, [Enable LDAP pubkey support]) ++ LDAP_MSG="yes" ++ ++ AC_CHECK_HEADERS(lber.h) ++ AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate )) ++ AC_CHECK_HEADERS(ldap_ssl.h) ++ ++ AC_ARG_WITH(ldap-lib, ++ [ --with-ldap-lib=type select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]]) ++ ++ if test -z "$with_ldap_lib"; then ++ with_ldap_lib=auto ++ fi ++ ++ if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = umich -o $with_ldap_lib = openldap \); then ++ AC_CHECK_LIB(lber, main, LIBS="-llber $LIBS" found_ldap_lib=yes) ++ AC_CHECK_LIB(ldap, main, LIBS="-lldap $LIBS" found_ldap_lib=yes) ++ fi ++ ++ if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then ++ AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes) ++ fi ++ ++ if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape4 \); then ++ AC_CHECK_LIB(ldapssl41, main, LIBS="-lldapssl41 -lplc3 -lplds3 -lnspr3 $LIBS" found_ldap_lib=yes) ++ if test -z "$found_ldap_lib"; then ++ AC_CHECK_LIB(ldapssl40, main, LIBS="-lldapssl40 $LIBS" found_ldap_lib=yes) ++ fi ++ if test -z "$found_ldap_lib"; then ++ AC_CHECK_LIB(ldap41, main, LIBS="-lldap41 $LIBS" found_ldap_lib=yes) ++ fi ++ if test -z "$found_ldap_lib"; then ++ AC_CHECK_LIB(ldap40, main, LIBS="-lldap40 $LIBS" found_ldap_lib=yes) ++ fi ++ fi ++ ++ if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape3 \); then ++ AC_CHECK_LIB(ldapssl30, main, LIBS="-lldapssl30 $LIBS" found_ldap_lib=yes) ++ fi ++ ++ if test -z "$found_ldap_lib"; then ++ AC_MSG_ERROR(could not locate a valid LDAP library) ++ fi ++ ++ AC_MSG_CHECKING([for working LDAP support]) ++ AC_TRY_COMPILE( ++ [#include ++ #include ], ++ [(void)ldap_init(0, 0);], ++ [AC_MSG_RESULT(yes)], ++ [ ++ AC_MSG_RESULT(no) ++ AC_MSG_ERROR([** Incomplete or missing ldap libraries **]) ++ ]) ++ AC_CHECK_FUNCS( \ ++ ldap_init \ ++ ldap_get_lderrno \ ++ ldap_set_lderrno \ ++ ldap_parse_result \ ++ ldap_memfree \ ++ ldap_controls_free \ ++ ldap_set_option \ ++ ldap_get_option \ ++ ldapssl_init \ ++ ldap_start_tls_s \ ++ ldap_pvt_tls_set_option \ ++ ldap_initialize \ ++ ) ++ AC_CHECK_FUNCS(ldap_set_rebind_proc, ++ AC_MSG_CHECKING([number arguments of ldap_set_rebind_proc]) ++ AC_TRY_COMPILE( ++ [#include ++ #include ], ++ [ldap_set_rebind_proc(0, 0, 0);], ++ [ac_cv_ldap_set_rebind_proc=3], ++ [ac_cv_ldap_set_rebind_proc=2]) ++ AC_MSG_RESULT($ac_cv_ldap_set_rebind_proc) ++ AC_DEFINE(LDAP_SET_REBIND_PROC_ARGS, $ac_cv_ldap_set_rebind_proc, [number arguments of ldap_set_rebind_proc]) ++ ) ++ fi ++ ] ++) ++AC_SUBST(INSTALL_SSH_LDAP_HELPER) ++ + dnl Checks for library functions. Please keep in alphabetical order + AC_CHECK_FUNCS([ \ + Blowfish_initstate \ +diff --git a/ldap-helper.c b/ldap-helper.c +new file mode 100644 +index 0000000..e95a94a +--- /dev/null ++++ b/ldap-helper.c +@@ -0,0 +1,155 @@ ++/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ ++/* ++ * Copyright (c) 2009 Jan F. Chadima. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR ++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. ++ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, ++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, ++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF ++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++#include "ldapincludes.h" ++#include "log.h" ++#include "misc.h" ++#include "xmalloc.h" ++#include "ldapconf.h" ++#include "ldapbody.h" ++#include ++#include ++ ++static int config_debug = 0; ++int config_exclusive_config_file = 0; ++static char *config_file_name = "/etc/ssh/ldap.conf"; ++static char *config_single_user = NULL; ++static int config_verbose = SYSLOG_LEVEL_VERBOSE; ++int config_warning_config_file = 0; ++extern char *__progname; ++ ++static void ++usage(void) ++{ ++ fprintf(stderr, "usage: %s [options]\n", ++ __progname); ++ fprintf(stderr, "Options:\n"); ++ fprintf(stderr, " -d Output the log messages to stderr.\n"); ++ fprintf(stderr, " -e Check the config file for unknown commands.\n"); ++ fprintf(stderr, " -f file Use alternate config file (default is /etc/ssh/ldap.conf).\n"); ++ fprintf(stderr, " -s user Do not demonize, send the user's key to stdout.\n"); ++ fprintf(stderr, " -v Increase verbosity of the debug output (implies -d).\n"); ++ fprintf(stderr, " -w Warn on unknown commands in the config file.\n"); ++ exit(1); ++} ++ ++/* ++ * Main program for the ssh pka ldap agent. ++ */ ++ ++int ++main(int ac, char **av) ++{ ++ int opt; ++ FILE *outfile = NULL; ++ ++ __progname = ssh_get_progname(av[0]); ++ ++ log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0); ++ ++ /* ++ * Initialize option structure to indicate that no values have been ++ * set. ++ */ ++ initialize_options(); ++ ++ /* Parse command-line arguments. */ ++ while ((opt = getopt(ac, av, "def:s:vw")) != -1) { ++ switch (opt) { ++ case 'd': ++ config_debug = 1; ++ break; ++ ++ case 'e': ++ config_exclusive_config_file = 1; ++ config_warning_config_file = 1; ++ break; ++ ++ case 'f': ++ config_file_name = optarg; ++ break; ++ ++ case 's': ++ config_single_user = optarg; ++ outfile = fdopen (dup (fileno (stdout)), "w"); ++ break; ++ ++ case 'v': ++ config_debug = 1; ++ if (config_verbose < SYSLOG_LEVEL_DEBUG3) ++ config_verbose++; ++ break; ++ ++ case 'w': ++ config_warning_config_file = 1; ++ break; ++ ++ case '?': ++ default: ++ usage(); ++ break; ++ } ++ } ++ ++ /* Initialize loging */ ++ log_init(__progname, config_verbose, SYSLOG_FACILITY_AUTH, config_debug); ++ ++ if (ac != optind) ++ fatal ("illegal extra parameter %s", av[1]); ++ ++ /* Ensure that fds 0 and 2 are open or directed to /dev/null */ ++ if (config_debug == 0) ++ sanitise_stdfd(); ++ ++ /* Read config file */ ++ read_config_file(config_file_name); ++ fill_default_options(); ++ if (config_verbose == SYSLOG_LEVEL_DEBUG3) { ++ debug3 ("=== Configuration ==="); ++ dump_config(); ++ debug3 ("=== *** ==="); ++ } ++ ++ ldap_checkconfig(); ++ ldap_do_connect(); ++ ++ if (config_single_user) { ++ process_user (config_single_user, outfile); ++ } else { ++ usage(); ++ fatal ("Not yet implemented"); ++/* TODO ++ * open unix socket a run the loop on it ++ */ ++ } ++ ++ ldap_do_close(); ++ return 0; ++} ++ ++/* Ugly hack */ ++void *buffer_get_string(Buffer *b, u_int *l) { return NULL; } ++void buffer_put_string(Buffer *b, const void *f, u_int l) {} ++ +diff --git a/ldap-helper.h b/ldap-helper.h +new file mode 100644 +index 0000000..14cb29a +--- /dev/null ++++ b/ldap-helper.h +@@ -0,0 +1,32 @@ ++/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ ++/* ++ * Copyright (c) 2009 Jan F. Chadima. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR ++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. ++ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, ++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, ++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF ++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++#ifndef LDAP_HELPER_H ++#define LDAP_HELPER_H ++ ++extern int config_exclusive_config_file; ++extern int config_warning_config_file; ++ ++#endif /* LDAP_HELPER_H */ +diff --git a/ldap.conf b/ldap.conf +new file mode 100644 +index 0000000..42e38d3 +--- /dev/null ++++ b/ldap.conf +@@ -0,0 +1,88 @@ ++# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $ ++# ++# This is the example configuration file for the OpenSSH ++# LDAP backend ++# ++# see ssh-ldap.conf(5) ++# ++ ++# URI with your LDAP server name. This allows to use ++# Unix Domain Sockets to connect to a local LDAP Server. ++#uri ldap://127.0.0.1/ ++#uri ldaps://127.0.0.1/ ++#uri ldapi://%2fvar%2frun%2fldapi_sock/ ++# Note: %2f encodes the '/' used as directory separator ++ ++# Another way to specify your LDAP server is to provide an ++# host name and the port of our LDAP server. Host name ++# must be resolvable without using LDAP. ++# Multiple hosts may be specified, each separated by a ++# space. How long nss_ldap takes to failover depends on ++# whether your LDAP client library supports configurable ++# network or connect timeouts (see bind_timelimit). ++#host 127.0.0.1 ++ ++# The port. ++# Optional: default is 389. ++#port 389 ++ ++# The distinguished name to bind to the server with. ++# Optional: default is to bind anonymously. ++#binddn cn=openssh_keys,dc=example,dc=org ++ ++# The credentials to bind with. ++# Optional: default is no credential. ++#bindpw TopSecret ++ ++# The distinguished name of the search base. ++#base dc=example,dc=org ++ ++# The LDAP version to use (defaults to 3 ++# if supported by client library) ++#ldap_version 3 ++ ++# The search scope. ++#scope sub ++#scope one ++#scope base ++ ++# Search timelimit ++#timelimit 30 ++ ++# Bind/connect timelimit ++#bind_timelimit 30 ++ ++# Reconnect policy: hard (default) will retry connecting to ++# the software with exponential backoff, soft will fail ++# immediately. ++#bind_policy hard ++ ++# SSL setup, may be implied by URI also. ++#ssl no ++#ssl on ++#ssl start_tls ++ ++# OpenLDAP SSL options ++# Require and verify server certificate (yes/no) ++# Default is to use libldap's default behavior, which can be configured in ++# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for ++# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes". ++#tls_checkpeer hard ++ ++# CA certificates for server certificate verification ++# At least one of these are required if tls_checkpeer is "yes" ++#tls_cacertfile /etc/ssl/ca.cert ++#tls_cacertdir /etc/pki/tls/certs ++ ++# Seed the PRNG if /dev/urandom is not provided ++#tls_randfile /var/run/egd-pool ++ ++# SSL cipher suite ++# See man ciphers for syntax ++#tls_ciphers TLSv1 ++ ++# Client certificate and key ++# Use these, if your server requires client authentication. ++#tls_cert ++#tls_key ++ +diff --git a/ldapbody.c b/ldapbody.c +new file mode 100644 +index 0000000..3029108 +--- /dev/null ++++ b/ldapbody.c @@ -0,0 +1,494 @@ +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -718,9 +1114,11 @@ diff -up openssh-6.2p1/ldapbody.c.ldap openssh-6.2p1/ldapbody.c + return; +} + -diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h ---- openssh-6.2p1/ldapbody.h.ldap 2013-03-25 21:27:15.889248078 +0100 -+++ openssh-6.2p1/ldapbody.h 2013-03-25 21:27:15.889248078 +0100 +diff --git a/ldapbody.h b/ldapbody.h +new file mode 100644 +index 0000000..665dca2 +--- /dev/null ++++ b/ldapbody.h @@ -0,0 +1,37 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -759,8 +1157,11 @@ diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h + +#endif /* LDAPBODY_H */ + ---- openssh-6.4p1/ldapconf.c.ldap 2013-11-26 10:31:03.513794385 +0100 -+++ openssh-6.4p1/ldapconf.c 2013-11-26 10:38:15.474635149 +0100 +diff --git a/ldapconf.c b/ldapconf.c +new file mode 100644 +index 0000000..525060a +--- /dev/null ++++ b/ldapconf.c @@ -0,0 +1,720 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1482,9 +1883,11 @@ diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h + dump_cfg_string(lAccountClass, options.logdir); +} + -diff -up openssh-6.2p2/ldapconf.h.ldap openssh-6.2p2/ldapconf.h ---- openssh-6.2p2/ldapconf.h.ldap 2013-06-07 15:10:05.602942689 +0200 -+++ openssh-6.2p2/ldapconf.h 2013-06-07 15:10:24.928857566 +0200 +diff --git a/ldapconf.h b/ldapconf.h +new file mode 100644 +index 0000000..2cb550c +--- /dev/null ++++ b/ldapconf.h @@ -0,0 +1,72 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1558,296 +1961,11 @@ diff -up openssh-6.2p2/ldapconf.h.ldap openssh-6.2p2/ldapconf.h +void dump_config(void); + +#endif /* LDAPCONF_H */ -diff -up openssh-6.2p1/ldap.conf.ldap openssh-6.2p1/ldap.conf ---- openssh-6.2p1/ldap.conf.ldap 2013-03-25 21:27:15.891248091 +0100 -+++ openssh-6.2p1/ldap.conf 2013-03-25 21:27:15.891248091 +0100 -@@ -0,0 +1,88 @@ -+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $ -+# -+# This is the example configuration file for the OpenSSH -+# LDAP backend -+# -+# see ssh-ldap.conf(5) -+# -+ -+# URI with your LDAP server name. This allows to use -+# Unix Domain Sockets to connect to a local LDAP Server. -+#uri ldap://127.0.0.1/ -+#uri ldaps://127.0.0.1/ -+#uri ldapi://%2fvar%2frun%2fldapi_sock/ -+# Note: %2f encodes the '/' used as directory separator -+ -+# Another way to specify your LDAP server is to provide an -+# host name and the port of our LDAP server. Host name -+# must be resolvable without using LDAP. -+# Multiple hosts may be specified, each separated by a -+# space. How long nss_ldap takes to failover depends on -+# whether your LDAP client library supports configurable -+# network or connect timeouts (see bind_timelimit). -+#host 127.0.0.1 -+ -+# The port. -+# Optional: default is 389. -+#port 389 -+ -+# The distinguished name to bind to the server with. -+# Optional: default is to bind anonymously. -+#binddn cn=openssh_keys,dc=example,dc=org -+ -+# The credentials to bind with. -+# Optional: default is no credential. -+#bindpw TopSecret -+ -+# The distinguished name of the search base. -+#base dc=example,dc=org -+ -+# The LDAP version to use (defaults to 3 -+# if supported by client library) -+#ldap_version 3 -+ -+# The search scope. -+#scope sub -+#scope one -+#scope base -+ -+# Search timelimit -+#timelimit 30 -+ -+# Bind/connect timelimit -+#bind_timelimit 30 -+ -+# Reconnect policy: hard (default) will retry connecting to -+# the software with exponential backoff, soft will fail -+# immediately. -+#bind_policy hard -+ -+# SSL setup, may be implied by URI also. -+#ssl no -+#ssl on -+#ssl start_tls -+ -+# OpenLDAP SSL options -+# Require and verify server certificate (yes/no) -+# Default is to use libldap's default behavior, which can be configured in -+# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for -+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes". -+#tls_checkpeer hard -+ -+# CA certificates for server certificate verification -+# At least one of these are required if tls_checkpeer is "yes" -+#tls_cacertfile /etc/ssl/ca.cert -+#tls_cacertdir /etc/pki/tls/certs -+ -+# Seed the PRNG if /dev/urandom is not provided -+#tls_randfile /var/run/egd-pool -+ -+# SSL cipher suite -+# See man ciphers for syntax -+#tls_ciphers TLSv1 -+ -+# Client certificate and key -+# Use these, if your server requires client authentication. -+#tls_cert -+#tls_key -+ -diff -up openssh-6.2p1/ldap-helper.c.ldap openssh-6.2p1/ldap-helper.c ---- openssh-6.2p1/ldap-helper.c.ldap 2013-03-25 21:27:15.892248097 +0100 -+++ openssh-6.2p1/ldap-helper.c 2013-03-25 21:27:15.892248097 +0100 -@@ -0,0 +1,155 @@ -+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ -+/* -+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include "ldapincludes.h" -+#include "log.h" -+#include "misc.h" -+#include "xmalloc.h" -+#include "ldapconf.h" -+#include "ldapbody.h" -+#include -+#include -+ -+static int config_debug = 0; -+int config_exclusive_config_file = 0; -+static char *config_file_name = "/etc/ssh/ldap.conf"; -+static char *config_single_user = NULL; -+static int config_verbose = SYSLOG_LEVEL_VERBOSE; -+int config_warning_config_file = 0; -+extern char *__progname; -+ -+static void -+usage(void) -+{ -+ fprintf(stderr, "usage: %s [options]\n", -+ __progname); -+ fprintf(stderr, "Options:\n"); -+ fprintf(stderr, " -d Output the log messages to stderr.\n"); -+ fprintf(stderr, " -e Check the config file for unknown commands.\n"); -+ fprintf(stderr, " -f file Use alternate config file (default is /etc/ssh/ldap.conf).\n"); -+ fprintf(stderr, " -s user Do not demonize, send the user's key to stdout.\n"); -+ fprintf(stderr, " -v Increase verbosity of the debug output (implies -d).\n"); -+ fprintf(stderr, " -w Warn on unknown commands in the config file.\n"); -+ exit(1); -+} -+ -+/* -+ * Main program for the ssh pka ldap agent. -+ */ -+ -+int -+main(int ac, char **av) -+{ -+ int opt; -+ FILE *outfile = NULL; -+ -+ __progname = ssh_get_progname(av[0]); -+ -+ log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0); -+ -+ /* -+ * Initialize option structure to indicate that no values have been -+ * set. -+ */ -+ initialize_options(); -+ -+ /* Parse command-line arguments. */ -+ while ((opt = getopt(ac, av, "def:s:vw")) != -1) { -+ switch (opt) { -+ case 'd': -+ config_debug = 1; -+ break; -+ -+ case 'e': -+ config_exclusive_config_file = 1; -+ config_warning_config_file = 1; -+ break; -+ -+ case 'f': -+ config_file_name = optarg; -+ break; -+ -+ case 's': -+ config_single_user = optarg; -+ outfile = fdopen (dup (fileno (stdout)), "w"); -+ break; -+ -+ case 'v': -+ config_debug = 1; -+ if (config_verbose < SYSLOG_LEVEL_DEBUG3) -+ config_verbose++; -+ break; -+ -+ case 'w': -+ config_warning_config_file = 1; -+ break; -+ -+ case '?': -+ default: -+ usage(); -+ break; -+ } -+ } -+ -+ /* Initialize loging */ -+ log_init(__progname, config_verbose, SYSLOG_FACILITY_AUTH, config_debug); -+ -+ if (ac != optind) -+ fatal ("illegal extra parameter %s", av[1]); -+ -+ /* Ensure that fds 0 and 2 are open or directed to /dev/null */ -+ if (config_debug == 0) -+ sanitise_stdfd(); -+ -+ /* Read config file */ -+ read_config_file(config_file_name); -+ fill_default_options(); -+ if (config_verbose == SYSLOG_LEVEL_DEBUG3) { -+ debug3 ("=== Configuration ==="); -+ dump_config(); -+ debug3 ("=== *** ==="); -+ } -+ -+ ldap_checkconfig(); -+ ldap_do_connect(); -+ -+ if (config_single_user) { -+ process_user (config_single_user, outfile); -+ } else { -+ usage(); -+ fatal ("Not yet implemented"); -+/* TODO -+ * open unix socket a run the loop on it -+ */ -+ } -+ -+ ldap_do_close(); -+ return 0; -+} -+ -+/* Ugly hack */ -+void *buffer_get_string(Buffer *b, u_int *l) { return NULL; } -+void buffer_put_string(Buffer *b, const void *f, u_int l) {} -+ -diff -up openssh-6.2p1/ldap-helper.h.ldap openssh-6.2p1/ldap-helper.h ---- openssh-6.2p1/ldap-helper.h.ldap 2013-03-25 21:27:15.892248097 +0100 -+++ openssh-6.2p1/ldap-helper.h 2013-03-25 21:27:15.892248097 +0100 -@@ -0,0 +1,32 @@ -+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ -+/* -+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#ifndef LDAP_HELPER_H -+#define LDAP_HELPER_H -+ -+extern int config_exclusive_config_file; -+extern int config_warning_config_file; -+ -+#endif /* LDAP_HELPER_H */ -diff -up openssh-6.2p1/ldapincludes.h.ldap openssh-6.2p1/ldapincludes.h ---- openssh-6.2p1/ldapincludes.h.ldap 2013-03-25 21:27:15.892248097 +0100 -+++ openssh-6.2p1/ldapincludes.h 2013-03-25 21:27:15.892248097 +0100 +diff --git a/ldapincludes.h b/ldapincludes.h +new file mode 100644 +index 0000000..8539bdc +--- /dev/null ++++ b/ldapincludes.h @@ -0,0 +1,41 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1890,9 +2008,11 @@ diff -up openssh-6.2p1/ldapincludes.h.ldap openssh-6.2p1/ldapincludes.h +#endif + +#endif /* LDAPINCLUDES_H */ -diff -up openssh-6.2p1/ldapmisc.c.ldap openssh-6.2p1/ldapmisc.c ---- openssh-6.2p1/ldapmisc.c.ldap 2013-03-25 21:27:15.893248104 +0100 -+++ openssh-6.2p1/ldapmisc.c 2013-03-25 21:27:15.893248104 +0100 +diff --git a/ldapmisc.c b/ldapmisc.c +new file mode 100644 +index 0000000..de23c0c +--- /dev/null ++++ b/ldapmisc.c @@ -0,0 +1,79 @@ + +#include "ldapincludes.h" @@ -1973,9 +2093,11 @@ diff -up openssh-6.2p1/ldapmisc.c.ldap openssh-6.2p1/ldapmisc.c +} +#endif + -diff -up openssh-6.2p1/ldapmisc.h.ldap openssh-6.2p1/ldapmisc.h ---- openssh-6.2p1/ldapmisc.h.ldap 2013-03-25 21:27:15.893248104 +0100 -+++ openssh-6.2p1/ldapmisc.h 2013-03-25 21:27:15.893248104 +0100 +diff --git a/ldapmisc.h b/ldapmisc.h +new file mode 100644 +index 0000000..4c271df +--- /dev/null ++++ b/ldapmisc.h @@ -0,0 +1,35 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -2012,106 +2134,11 @@ diff -up openssh-6.2p1/ldapmisc.h.ldap openssh-6.2p1/ldapmisc.h + +#endif /* LDAPMISC_H */ + -diff -up openssh-6.2p1/Makefile.in.ldap openssh-6.2p1/Makefile.in ---- openssh-6.2p1/Makefile.in.ldap 2013-03-25 21:27:15.850247822 +0100 -+++ openssh-6.2p1/Makefile.in 2013-03-25 21:27:57.356518817 +0100 -@@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh - ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass - SFTP_SERVER=$(libexecdir)/sftp-server - SSH_KEYSIGN=$(libexecdir)/ssh-keysign -+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper -+SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper - SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper - PRIVSEP_PATH=@PRIVSEP_PATH@ - SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ -@@ -60,8 +62,9 @@ XAUTH_PATH=@XAUTH_PATH@ - LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@ - EXEEXT=@EXEEXT@ - MANFMT=@MANFMT@ -+INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ - --TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) -+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) - - LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ - canohost.o channels.o cipher.o cipher-aes.o \ -@@ -95,8 +98,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw - sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ - sandbox-seccomp-filter.o - --MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out --MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 -+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out -+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5 - MANTYPE = @MANTYPE@ - - CONFIGFILES=sshd_config.out ssh_config.out moduli.out -@@ -164,6 +167,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss - ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o - $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) - -+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o -+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) -+ - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o - $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) - -@@ -266,6 +272,10 @@ install-files: - $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) - $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) -+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \ -+ $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ -+ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ -+ fi - $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) - $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -@@ -282,6 +292,10 @@ install-files: - $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 - $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 - $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 -+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \ -+ $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \ -+ $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \ -+ fi - -rm -f $(DESTDIR)$(bindir)/slogin - ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin - -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 -@@ -311,6 +325,13 @@ install-sysconf: - else \ - echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \ - fi -+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \ -+ if [ ! -f $(DESTDIR)$(sysconfdir)/ldap.conf ]; then \ -+ $(INSTALL) -m 644 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \ -+ else \ -+ echo "$(DESTDIR)$(sysconfdir)/ldap.conf already exists, install will not overwrite"; \ -+ fi ; \ -+ fi - - host-key: ssh-keygen$(EXEEXT) - @if [ -z "$(DESTDIR)" ] ; then \ -@@ -368,6 +389,8 @@ uninstall: - -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) - -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) - -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) -+ -rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT) -+ -rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT) - -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 - -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 - -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -@@ -379,6 +402,7 @@ uninstall: - -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 - -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 - -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 -+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 - -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 - - regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c -diff -up openssh-6.2p1/openssh-lpk-openldap.schema.ldap openssh-6.2p1/openssh-lpk-openldap.schema ---- openssh-6.2p1/openssh-lpk-openldap.schema.ldap 2013-03-25 21:27:15.894248110 +0100 -+++ openssh-6.2p1/openssh-lpk-openldap.schema 2013-03-25 21:27:15.894248110 +0100 +diff --git a/openssh-lpk-openldap.schema b/openssh-lpk-openldap.schema +new file mode 100644 +index 0000000..c84f90f +--- /dev/null ++++ b/openssh-lpk-openldap.schema @@ -0,0 +1,21 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey @@ -2134,9 +2161,11 @@ diff -up openssh-6.2p1/openssh-lpk-openldap.schema.ldap openssh-6.2p1/openssh-lp + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -diff -up openssh-6.2p1/openssh-lpk-sun.schema.ldap openssh-6.2p1/openssh-lpk-sun.schema ---- openssh-6.2p1/openssh-lpk-sun.schema.ldap 2013-03-25 21:27:15.894248110 +0100 -+++ openssh-6.2p1/openssh-lpk-sun.schema 2013-03-25 21:27:15.894248110 +0100 +diff --git a/openssh-lpk-sun.schema b/openssh-lpk-sun.schema +new file mode 100644 +index 0000000..3136673 +--- /dev/null ++++ b/openssh-lpk-sun.schema @@ -0,0 +1,23 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey @@ -2161,9 +2190,106 @@ diff -up openssh-6.2p1/openssh-lpk-sun.schema.ldap openssh-6.2p1/openssh-lpk-sun + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -diff -up openssh-6.2p2/ssh-ldap.conf.5.ldap openssh-6.2p2/ssh-ldap.conf.5 ---- openssh-6.2p2/ssh-ldap.conf.5.ldap 2013-06-07 15:10:05.604942680 +0200 -+++ openssh-6.2p2/ssh-ldap.conf.5 2013-06-07 15:10:24.928857566 +0200 +diff --git a/ssh-ldap-helper.8 b/ssh-ldap-helper.8 +new file mode 100644 +index 0000000..5d2d7be +--- /dev/null ++++ b/ssh-ldap-helper.8 +@@ -0,0 +1,79 @@ ++.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $ ++.\" ++.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved. ++.\" ++.\" Permission to use, copy, modify, and distribute this software for any ++.\" purpose with or without fee is hereby granted, provided that the above ++.\" copyright notice and this permission notice appear in all copies. ++.\" ++.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES ++.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF ++.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ++.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES ++.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ++.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF ++.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ++.\" ++.Dd $Mdocdate: April 29 2010 $ ++.Dt SSH-LDAP-HELPER 8 ++.Os ++.Sh NAME ++.Nm ssh-ldap-helper ++.Nd sshd helper program for ldap support ++.Sh SYNOPSIS ++.Nm ssh-ldap-helper ++.Op Fl devw ++.Op Fl f Ar file ++.Op Fl s Ar user ++.Sh DESCRIPTION ++.Nm ++is used by ++.Xr sshd 1 ++to access keys provided by an LDAP. ++.Nm ++is disabled by default and can only be enabled in the ++sshd configuration file ++.Pa /etc/ssh/sshd_config ++by setting ++.Cm AuthorizedKeysCommand ++to ++.Dq /usr/libexec/ssh-ldap-wrapper . ++.Pp ++.Nm ++is not intended to be invoked by the user, but from ++.Xr sshd 8 via ++.Xr ssh-ldap-wrapper . ++.Pp ++The options are as follows: ++.Bl -tag -width Ds ++.It Fl d ++Set the debug mode; ++.Nm ++prints all logs to stderr instead of syslog. ++.It Fl e ++Implies \-w; ++.Nm ++halts if it encounters an unknown item in the ldap.conf file. ++.It Fl f ++.Nm ++uses this file as the ldap configuration file instead of /etc/ssh/ldap.conf (default). ++.It Fl s ++.Nm ++prints out the user's keys to stdout and exits. ++.It Fl v ++Implies \-d; ++increases verbosity. ++.It Fl w ++.Nm ++writes warnings about unknown items in the ldap.conf configuration file. ++.El ++.Sh SEE ALSO ++.Xr sshd 8 , ++.Xr sshd_config 5 , ++.Xr ssh-ldap.conf 5 , ++.Sh HISTORY ++.Nm ++first appeared in ++OpenSSH 5.5 + PKA-LDAP . ++.Sh AUTHORS ++.An Jan F. Chadima Aq jchadima@redhat.com +diff --git a/ssh-ldap-wrapper b/ssh-ldap-wrapper +new file mode 100644 +index 0000000..cb500aa +--- /dev/null ++++ b/ssh-ldap-wrapper +@@ -0,0 +1,4 @@ ++#!/bin/sh ++ ++exec /usr/libexec/openssh/ssh-ldap-helper -s "$1" ++ +diff --git a/ssh-ldap.conf.5 b/ssh-ldap.conf.5 +new file mode 100644 +index 0000000..f7081b8 +--- /dev/null ++++ b/ssh-ldap.conf.5 @@ -0,0 +1,379 @@ +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" @@ -2544,94 +2670,3 @@ diff -up openssh-6.2p2/ssh-ldap.conf.5.ldap openssh-6.2p2/ssh-ldap.conf.5 +OpenSSH 5.5 + PKA-LDAP . +.Sh AUTHORS +.An Jan F. Chadima Aq jchadima@redhat.com -diff -up openssh-6.2p1/ssh-ldap-helper.8.ldap openssh-6.2p1/ssh-ldap-helper.8 ---- openssh-6.2p1/ssh-ldap-helper.8.ldap 2013-03-25 21:27:15.895248117 +0100 -+++ openssh-6.2p1/ssh-ldap-helper.8 2013-03-25 21:27:15.895248117 +0100 -@@ -0,0 +1,79 @@ -+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $ -+.\" -+.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved. -+.\" -+.\" Permission to use, copy, modify, and distribute this software for any -+.\" purpose with or without fee is hereby granted, provided that the above -+.\" copyright notice and this permission notice appear in all copies. -+.\" -+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -+.\" -+.Dd $Mdocdate: April 29 2010 $ -+.Dt SSH-LDAP-HELPER 8 -+.Os -+.Sh NAME -+.Nm ssh-ldap-helper -+.Nd sshd helper program for ldap support -+.Sh SYNOPSIS -+.Nm ssh-ldap-helper -+.Op Fl devw -+.Op Fl f Ar file -+.Op Fl s Ar user -+.Sh DESCRIPTION -+.Nm -+is used by -+.Xr sshd 1 -+to access keys provided by an LDAP. -+.Nm -+is disabled by default and can only be enabled in the -+sshd configuration file -+.Pa /etc/ssh/sshd_config -+by setting -+.Cm AuthorizedKeysCommand -+to -+.Dq /usr/libexec/ssh-ldap-wrapper . -+.Pp -+.Nm -+is not intended to be invoked by the user, but from -+.Xr sshd 8 via -+.Xr ssh-ldap-wrapper . -+.Pp -+The options are as follows: -+.Bl -tag -width Ds -+.It Fl d -+Set the debug mode; -+.Nm -+prints all logs to stderr instead of syslog. -+.It Fl e -+Implies \-w; -+.Nm -+halts if it encounters an unknown item in the ldap.conf file. -+.It Fl f -+.Nm -+uses this file as the ldap configuration file instead of /etc/ssh/ldap.conf (default). -+.It Fl s -+.Nm -+prints out the user's keys to stdout and exits. -+.It Fl v -+Implies \-d; -+increases verbosity. -+.It Fl w -+.Nm -+writes warnings about unknown items in the ldap.conf configuration file. -+.El -+.Sh SEE ALSO -+.Xr sshd 8 , -+.Xr sshd_config 5 , -+.Xr ssh-ldap.conf 5 , -+.Sh HISTORY -+.Nm -+first appeared in -+OpenSSH 5.5 + PKA-LDAP . -+.Sh AUTHORS -+.An Jan F. Chadima Aq jchadima@redhat.com -diff -up openssh-6.2p1/ssh-ldap-wrapper.ldap openssh-6.2p1/ssh-ldap-wrapper ---- openssh-6.2p1/ssh-ldap-wrapper.ldap 2013-03-25 21:27:15.896248124 +0100 -+++ openssh-6.2p1/ssh-ldap-wrapper 2013-03-25 21:27:15.896248124 +0100 -@@ -0,0 +1,4 @@ -+#!/bin/sh -+ -+exec /usr/libexec/openssh/ssh-ldap-helper -s "$1" -+ diff --git a/openssh-6.1p1-log-usepam-no.patch b/openssh-6.6p1-log-usepam-no.patch similarity index 54% rename from openssh-6.1p1-log-usepam-no.patch rename to openssh-6.6p1-log-usepam-no.patch index 64cec2c..bd3048c 100644 --- a/openssh-6.1p1-log-usepam-no.patch +++ b/openssh-6.6p1-log-usepam-no.patch @@ -1,7 +1,8 @@ -diff -up openssh-6.1p1/sshd.c.log-usepam-no openssh-6.1p1/sshd.c ---- openssh-6.1p1/sshd.c.log-usepam-no 2012-09-14 20:54:58.000000000 +0200 -+++ openssh-6.1p1/sshd.c 2012-09-14 20:55:42.289477749 +0200 -@@ -1617,6 +1617,10 @@ main(int ac, char **av) +diff --git a/sshd.c b/sshd.c +index a7b8b6a..24ab272 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -1620,6 +1620,10 @@ main(int ac, char **av) parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, &cfg, NULL); @@ -12,15 +13,16 @@ diff -up openssh-6.1p1/sshd.c.log-usepam-no openssh-6.1p1/sshd.c seed_rng(); /* Fill in default values for those options not explicitly set. */ -diff -up openssh-6.1p1/sshd_config.log-usepam-no openssh-6.1p1/sshd_config ---- openssh-6.1p1/sshd_config.log-usepam-no 2012-09-14 20:54:58.514255748 +0200 -+++ openssh-6.1p1/sshd_config 2012-09-14 20:54:58.551255954 +0200 -@@ -95,6 +95,8 @@ GSSAPICleanupCredentials no +diff --git a/sshd_config b/sshd_config +index 36cb27a..c1b7c03 100644 +--- a/sshd_config ++++ b/sshd_config +@@ -101,6 +101,8 @@ GSSAPICleanupCredentials no # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. +# WARNING: 'UsePAM no' is not supported in Fedora and may cause several +# problems. - #UsePAM no UsePAM yes + #AllowAgentForwarding yes diff --git a/openssh-6.3p1-privsep-selinux.patch b/openssh-6.6p1-privsep-selinux.patch similarity index 51% rename from openssh-6.3p1-privsep-selinux.patch rename to openssh-6.6p1-privsep-selinux.patch index 529468c..6507647 100644 --- a/openssh-6.3p1-privsep-selinux.patch +++ b/openssh-6.6p1-privsep-selinux.patch @@ -1,12 +1,13 @@ -diff -up openssh-6.3p1/openbsd-compat/port-linux.c.privsep-selinux openssh-6.3p1/openbsd-compat/port-linux.c ---- openssh-6.3p1/openbsd-compat/port-linux.c.privsep-selinux 2013-10-10 14:58:20.634762245 +0200 -+++ openssh-6.3p1/openbsd-compat/port-linux.c 2013-10-10 15:13:57.864306950 +0200 -@@ -503,6 +503,25 @@ ssh_selinux_change_context(const char *n - free(newctx); +diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c +index c18524e..d04f4ed 100644 +--- a/openbsd-compat/port-linux-sshd.c ++++ b/openbsd-compat/port-linux-sshd.c +@@ -409,6 +409,25 @@ sshd_selinux_setup_exec_context(char *pwname) + debug3("%s: done", __func__); } +void -+ssh_selinux_copy_context(void) ++sshd_selinux_copy_context(void) +{ + security_context_t *ctx; + @@ -24,34 +25,36 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.privsep-selinux openssh-6.3p1 + } +} + - #endif /* WITH_SELINUX */ - - #ifdef LINUX_OOM_ADJUST -diff -up openssh-6.3p1/openbsd-compat/port-linux.h.privsep-selinux openssh-6.3p1/openbsd-compat/port-linux.h ---- openssh-6.3p1/openbsd-compat/port-linux.h.privsep-selinux 2011-01-25 02:16:18.000000000 +0100 -+++ openssh-6.3p1/openbsd-compat/port-linux.h 2013-10-10 14:58:20.634762245 +0200 -@@ -24,6 +24,7 @@ int ssh_selinux_enabled(void); - void ssh_selinux_setup_pty(char *, const char *); - void ssh_selinux_setup_exec_context(char *); - void ssh_selinux_change_context(const char *); -+void ssh_selinux_copy_context(void); - void ssh_selinux_setfscreatecon(const char *); + #endif #endif -diff -up openssh-6.3p1/session.c.privsep-selinux openssh-6.3p1/session.c ---- openssh-6.3p1/session.c.privsep-selinux 2013-10-10 14:58:20.617762326 +0200 -+++ openssh-6.3p1/session.c 2013-10-10 15:13:16.520503590 +0200 -@@ -1522,6 +1522,9 @@ do_setusercontext(struct passwd *pw) +diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h +index 8ef6cc4..b18893c 100644 +--- a/openbsd-compat/port-linux.h ++++ b/openbsd-compat/port-linux.h +@@ -25,6 +25,7 @@ void ssh_selinux_setup_pty(char *, const char *); + void ssh_selinux_change_context(const char *); + void ssh_selinux_setfscreatecon(const char *); + ++void sshd_selinux_copy_context(void); + void sshd_selinux_setup_exec_context(char *); + #endif + +diff --git a/session.c b/session.c +index 2bcf818..b5dc144 100644 +--- a/session.c ++++ b/session.c +@@ -1538,6 +1538,9 @@ do_setusercontext(struct passwd *pw) pw->pw_uid); chroot_path = percent_expand(tmp, "h", pw->pw_dir, "u", pw->pw_name, (char *)NULL); +#ifdef WITH_SELINUX -+ ssh_selinux_copy_context(); ++ sshd_selinux_copy_context(); +#endif safely_chroot(chroot_path, pw->pw_uid); free(tmp); free(chroot_path); -@@ -1544,6 +1547,12 @@ do_setusercontext(struct passwd *pw) +@@ -1565,6 +1568,12 @@ do_setusercontext(struct passwd *pw) /* Permanently switch to the desired uid. */ permanently_set_uid(pw); #endif @@ -59,12 +62,12 @@ diff -up openssh-6.3p1/session.c.privsep-selinux openssh-6.3p1/session.c +#ifdef WITH_SELINUX + if (options.chroot_directory == NULL || + strcasecmp(options.chroot_directory, "none") == 0) -+ ssh_selinux_copy_context(); ++ sshd_selinux_copy_context(); +#endif } else if (options.chroot_directory != NULL && strcasecmp(options.chroot_directory, "none") != 0) { fatal("server lacks privileges to chroot to ChrootDirectory"); -@@ -1808,9 +1817,6 @@ do_child(Session *s, const char *command +@@ -1826,9 +1835,6 @@ do_child(Session *s, const char *command) argv[i] = NULL; optind = optreset = 1; __progname = argv[0]; @@ -74,10 +77,11 @@ diff -up openssh-6.3p1/session.c.privsep-selinux openssh-6.3p1/session.c exit(sftp_server_main(i, argv, s->pw)); } -diff -up openssh-6.3p1/sshd.c.privsep-selinux openssh-6.3p1/sshd.c ---- openssh-6.3p1/sshd.c.privsep-selinux 2013-10-10 14:58:20.632762255 +0200 -+++ openssh-6.3p1/sshd.c 2013-10-10 14:58:20.635762241 +0200 -@@ -668,6 +668,10 @@ privsep_preauth_child(void) +diff --git a/sshd.c b/sshd.c +index 07f9926..a97f8b7 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -632,6 +632,10 @@ privsep_preauth_child(void) /* Demote the private keys to public keys. */ demote_sensitive_data(); @@ -88,14 +92,14 @@ diff -up openssh-6.3p1/sshd.c.privsep-selinux openssh-6.3p1/sshd.c /* Change our root directory */ if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, -@@ -811,6 +815,13 @@ privsep_postauth(Authctxt *authctxt) +@@ -768,6 +772,13 @@ privsep_postauth(Authctxt *authctxt) do_setusercontext(authctxt->pw); skip: +#ifdef WITH_SELINUX + /* switch SELinux content for root too */ + if (authctxt->pw->pw_uid == 0) { -+ ssh_selinux_copy_context(); ++ sshd_selinux_copy_context(); + } +#endif + diff --git a/openssh-6.3p1-redhat.patch b/openssh-6.6p1-redhat.patch similarity index 72% rename from openssh-6.3p1-redhat.patch rename to openssh-6.6p1-redhat.patch index 98df47d..a87d9bf 100644 --- a/openssh-6.3p1-redhat.patch +++ b/openssh-6.6p1-redhat.patch @@ -1,6 +1,7 @@ -diff -up openssh-6.3p1/ssh_config.redhat openssh-6.3p1/ssh_config ---- openssh-6.3p1/ssh_config.redhat 2013-10-11 14:51:18.345876648 +0200 -+++ openssh-6.3p1/ssh_config 2013-10-11 15:13:05.429829266 +0200 +diff --git a/ssh_config b/ssh_config +index 03a228f..6d1abaf 100644 +--- a/ssh_config ++++ b/ssh_config @@ -46,3 +46,14 @@ # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com @@ -16,37 +17,10 @@ diff -up openssh-6.3p1/ssh_config.redhat openssh-6.3p1/ssh_config + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE + SendEnv XMODIFIERS -diff -up openssh-6.3p1/sshd_config.0.redhat openssh-6.3p1/sshd_config.0 ---- openssh-6.3p1/sshd_config.0.redhat 2013-09-13 08:20:43.000000000 +0200 -+++ openssh-6.3p1/sshd_config.0 2013-10-11 14:51:18.345876648 +0200 -@@ -653,9 +653,9 @@ DESCRIPTION - - SyslogFacility - Gives the facility code that is used when logging messages from -- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, -- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The -- default is AUTH. -+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV, -+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. -+ The default is AUTH. - - TCPKeepAlive - Specifies whether the system should send TCP keepalive messages -diff -up openssh-6.3p1/sshd_config.5.redhat openssh-6.3p1/sshd_config.5 ---- openssh-6.3p1/sshd_config.5.redhat 2013-07-20 05:21:53.000000000 +0200 -+++ openssh-6.3p1/sshd_config.5 2013-10-11 14:51:18.346876643 +0200 -@@ -1095,7 +1095,7 @@ Note that this option applies to protoco - .It Cm SyslogFacility - Gives the facility code that is used when logging messages from - .Xr sshd 8 . --The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, -+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2, - LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. - The default is AUTH. - .It Cm TCPKeepAlive -diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config ---- openssh-6.3p1/sshd_config.redhat 2013-10-11 14:51:18.343876657 +0200 -+++ openssh-6.3p1/sshd_config 2013-10-11 14:51:18.346876643 +0200 +diff --git a/sshd_config b/sshd_config +index c735429..e68ddee 100644 +--- a/sshd_config ++++ b/sshd_config @@ -10,6 +10,10 @@ # possible, but leave them commented. Uncommented options override the # default value. @@ -58,7 +32,7 @@ diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 -@@ -21,9 +25,9 @@ +@@ -21,10 +25,10 @@ # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 @@ -66,11 +40,13 @@ diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config +HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key -#HostKey /etc/ssh/ssh_host_ecdsa_key +-#HostKey /etc/ssh/ssh_host_ed25519_key +HostKey /etc/ssh/ssh_host_ecdsa_key ++HostKey /etc/ssh/ssh_host_ed25519_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h -@@ -35,6 +39,7 @@ +@@ -36,6 +40,7 @@ # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH @@ -78,7 +54,7 @@ diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config #LogLevel INFO # Authentication: -@@ -70,9 +75,11 @@ AuthorizedKeysFile .ssh/authorized_keys +@@ -71,9 +76,11 @@ AuthorizedKeysFile .ssh/authorized_keys # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no @@ -90,31 +66,33 @@ diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config # Kerberos options #KerberosAuthentication no -@@ -82,7 +89,9 @@ AuthorizedKeysFile .ssh/authorized_keys +@@ -82,8 +89,8 @@ AuthorizedKeysFile .ssh/authorized_keys + #KerberosGetAFSToken no # GSSAPI options - #GSSAPIAuthentication no +-#GSSAPIAuthentication no +-#GSSAPICleanupCredentials yes +GSSAPIAuthentication yes - #GSSAPICleanupCredentials yes +GSSAPICleanupCredentials no - # Set this to 'yes' to enable PAM authentication, account processing, - # and session processing. If this is enabled, PAM authentication will -@@ -94,11 +103,13 @@ AuthorizedKeysFile .ssh/authorized_keys + # Set this to 'yes' to enable PAM authentication, account processing, + # and session processing. If this is enabled, PAM authentication will +@@ -94,12 +101,12 @@ AuthorizedKeysFile .ssh/authorized_keys + # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. - #UsePAM no +-#UsePAM no +UsePAM yes #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no - #X11Forwarding no +-#X11Forwarding no +X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes - #PrintMotd yes -@@ -120,6 +131,12 @@ UsePrivilegeSeparation sandbox # Defaul + #PermitTTY yes +@@ -122,6 +129,12 @@ UsePrivilegeSeparation sandbox # Default for new installations. # no default banner path #Banner none @@ -127,3 +105,33 @@ diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server +diff --git a/sshd_config.0 b/sshd_config.0 +index 413c260..87e7ee7 100644 +--- a/sshd_config.0 ++++ b/sshd_config.0 +@@ -675,9 +675,9 @@ DESCRIPTION + + SyslogFacility + Gives the facility code that is used when logging messages from +- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, +- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The +- default is AUTH. ++ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV, ++ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. ++ The default is AUTH. + + TCPKeepAlive + Specifies whether the system should send TCP keepalive messages +diff --git a/sshd_config.5 b/sshd_config.5 +index ce71efe..12465c2 100644 +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -1131,7 +1131,7 @@ Note that this option applies to protocol version 2 only. + .It Cm SyslogFacility + Gives the facility code that is used when logging messages from + .Xr sshd 8 . +-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, ++The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2, + LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. + The default is AUTH. + .It Cm TCPKeepAlive diff --git a/openssh-6.3p1-role-mls.patch b/openssh-6.6p1-role-mls.patch similarity index 66% rename from openssh-6.3p1-role-mls.patch rename to openssh-6.6p1-role-mls.patch index 89d54b3..4740c99 100644 --- a/openssh-6.3p1-role-mls.patch +++ b/openssh-6.6p1-role-mls.patch @@ -1,7 +1,8 @@ -diff -up openssh-6.3p1/auth-pam.c.role-mls openssh-6.3p1/auth-pam.c ---- openssh-6.3p1/auth-pam.c.role-mls 2013-10-10 14:34:43.799494546 +0200 -+++ openssh-6.3p1/auth-pam.c 2013-10-10 14:34:43.835494375 +0200 -@@ -1071,7 +1071,7 @@ is_pam_session_open(void) +diff --git a/auth-pam.c b/auth-pam.c +index d789bad..cd1a775 100644 +--- a/auth-pam.c ++++ b/auth-pam.c +@@ -1068,7 +1068,7 @@ is_pam_session_open(void) * during the ssh authentication process. */ int @@ -10,9 +11,10 @@ diff -up openssh-6.3p1/auth-pam.c.role-mls openssh-6.3p1/auth-pam.c { int ret = 1; #ifdef HAVE_PAM_PUTENV -diff -up openssh-6.3p1/auth-pam.h.role-mls openssh-6.3p1/auth-pam.h ---- openssh-6.3p1/auth-pam.h.role-mls 2004-09-11 14:17:26.000000000 +0200 -+++ openssh-6.3p1/auth-pam.h 2013-10-10 14:34:43.835494375 +0200 +diff --git a/auth-pam.h b/auth-pam.h +index a1a2b52..b109a5a 100644 +--- a/auth-pam.h ++++ b/auth-pam.h @@ -38,7 +38,7 @@ void do_pam_session(void); void do_pam_set_tty(const char *); void do_pam_setcred(int ); @@ -22,9 +24,10 @@ diff -up openssh-6.3p1/auth-pam.h.role-mls openssh-6.3p1/auth-pam.h char ** fetch_pam_environment(void); char ** fetch_pam_child_environment(void); void free_pam_environment(char **); -diff -up openssh-6.3p1/auth.h.role-mls openssh-6.3p1/auth.h ---- openssh-6.3p1/auth.h.role-mls 2013-10-10 14:34:43.834494379 +0200 -+++ openssh-6.3p1/auth.h 2013-10-10 14:38:45.060348227 +0200 +diff --git a/auth.h b/auth.h +index 124e597..4605588 100644 +--- a/auth.h ++++ b/auth.h @@ -59,6 +59,9 @@ struct Authctxt { char *service; struct passwd *pw; /* set if 'valid' */ @@ -34,10 +37,11 @@ diff -up openssh-6.3p1/auth.h.role-mls openssh-6.3p1/auth.h +#endif void *kbdintctxt; char *info; /* Extra info for next auth_log */ - void *jpake_ctx; -diff -up openssh-6.3p1/auth1.c.role-mls openssh-6.3p1/auth1.c ---- openssh-6.3p1/auth1.c.role-mls 2013-06-02 00:01:24.000000000 +0200 -+++ openssh-6.3p1/auth1.c 2013-10-10 14:34:43.835494375 +0200 + #ifdef BSD_AUTH +diff --git a/auth1.c b/auth1.c +index 0f870b3..df040bb 100644 +--- a/auth1.c ++++ b/auth1.c @@ -381,6 +381,9 @@ do_authentication(Authctxt *authctxt) { u_int ulen; @@ -73,10 +77,11 @@ diff -up openssh-6.3p1/auth1.c.role-mls openssh-6.3p1/auth1.c /* Verify that the user is a valid user. */ if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) -diff -up openssh-6.3p1/auth2-gss.c.role-mls openssh-6.3p1/auth2-gss.c ---- openssh-6.3p1/auth2-gss.c.role-mls 2013-06-01 23:31:18.000000000 +0200 -+++ openssh-6.3p1/auth2-gss.c 2013-10-10 14:34:43.836494370 +0200 -@@ -256,6 +256,7 @@ input_gssapi_mic(int type, u_int32_t ple +diff --git a/auth2-gss.c b/auth2-gss.c +index c28a705..4756dd7 100644 +--- a/auth2-gss.c ++++ b/auth2-gss.c +@@ -251,6 +251,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) Authctxt *authctxt = ctxt; Gssctxt *gssctxt; int authenticated = 0; @@ -84,7 +89,7 @@ diff -up openssh-6.3p1/auth2-gss.c.role-mls openssh-6.3p1/auth2-gss.c Buffer b; gss_buffer_desc mic, gssbuf; u_int len; -@@ -268,7 +269,13 @@ input_gssapi_mic(int type, u_int32_t ple +@@ -263,7 +264,13 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) mic.value = packet_get_string(&len); mic.length = len; @@ -99,7 +104,7 @@ diff -up openssh-6.3p1/auth2-gss.c.role-mls openssh-6.3p1/auth2-gss.c "gssapi-with-mic"); gssbuf.value = buffer_ptr(&b); -@@ -280,6 +287,8 @@ input_gssapi_mic(int type, u_int32_t ple +@@ -275,6 +282,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) logit("GSSAPI MIC check failed"); buffer_free(&b); @@ -108,10 +113,11 @@ diff -up openssh-6.3p1/auth2-gss.c.role-mls openssh-6.3p1/auth2-gss.c free(mic.value); authctxt->postponed = 0; -diff -up openssh-6.3p1/auth2-hostbased.c.role-mls openssh-6.3p1/auth2-hostbased.c ---- openssh-6.3p1/auth2-hostbased.c.role-mls 2013-10-10 14:34:43.818494455 +0200 -+++ openssh-6.3p1/auth2-hostbased.c 2013-10-10 14:34:43.836494370 +0200 -@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt) +diff --git a/auth2-hostbased.c b/auth2-hostbased.c +index eca0069..95d678e 100644 +--- a/auth2-hostbased.c ++++ b/auth2-hostbased.c +@@ -112,7 +112,15 @@ userauth_hostbased(Authctxt *authctxt) buffer_put_string(&b, session_id2, session_id2_len); /* reconstruct packet */ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); @@ -128,10 +134,11 @@ diff -up openssh-6.3p1/auth2-hostbased.c.role-mls openssh-6.3p1/auth2-hostbased. buffer_put_cstring(&b, service); buffer_put_cstring(&b, "hostbased"); buffer_put_string(&b, pkalg, alen); -diff -up openssh-6.3p1/auth2-pubkey.c.role-mls openssh-6.3p1/auth2-pubkey.c ---- openssh-6.3p1/auth2-pubkey.c.role-mls 2013-10-10 14:34:43.836494370 +0200 -+++ openssh-6.3p1/auth2-pubkey.c 2013-10-10 14:57:17.452062486 +0200 -@@ -127,9 +127,11 @@ userauth_pubkey(Authctxt *authctxt) +diff --git a/auth2-pubkey.c b/auth2-pubkey.c +index 749b11a..c0ae0d4 100644 +--- a/auth2-pubkey.c ++++ b/auth2-pubkey.c +@@ -133,9 +133,11 @@ userauth_pubkey(Authctxt *authctxt) } /* reconstruct packet */ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); @@ -145,10 +152,11 @@ diff -up openssh-6.3p1/auth2-pubkey.c.role-mls openssh-6.3p1/auth2-pubkey.c buffer_put_cstring(&b, userstyle); free(userstyle); buffer_put_cstring(&b, -diff -up openssh-6.3p1/auth2.c.role-mls openssh-6.3p1/auth2.c ---- openssh-6.3p1/auth2.c.role-mls 2013-10-10 14:34:43.819494451 +0200 -+++ openssh-6.3p1/auth2.c 2013-10-10 14:34:43.835494375 +0200 -@@ -221,6 +221,9 @@ input_userauth_request(int type, u_int32 +diff --git a/auth2.c b/auth2.c +index a5490c0..5f4f26f 100644 +--- a/auth2.c ++++ b/auth2.c +@@ -215,6 +215,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) Authctxt *authctxt = ctxt; Authmethod *m = NULL; char *user, *service, *method, *style = NULL; @@ -158,7 +166,7 @@ diff -up openssh-6.3p1/auth2.c.role-mls openssh-6.3p1/auth2.c int authenticated = 0; if (authctxt == NULL) -@@ -232,6 +235,11 @@ input_userauth_request(int type, u_int32 +@@ -226,6 +229,11 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) debug("userauth-request for user %s service %s method %s", user, service, method); debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); @@ -170,7 +178,7 @@ diff -up openssh-6.3p1/auth2.c.role-mls openssh-6.3p1/auth2.c if ((style = strchr(user, ':')) != NULL) *style++ = 0; -@@ -254,8 +262,15 @@ input_userauth_request(int type, u_int32 +@@ -251,8 +259,15 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) use_privsep ? " [net]" : ""); authctxt->service = xstrdup(service); authctxt->style = style ? xstrdup(style) : NULL; @@ -187,10 +195,11 @@ diff -up openssh-6.3p1/auth2.c.role-mls openssh-6.3p1/auth2.c userauth_banner(); if (auth2_setup_methods_lists(authctxt) != 0) packet_disconnect("no authentication methods enabled"); -diff -up openssh-6.3p1/misc.c.role-mls openssh-6.3p1/misc.c ---- openssh-6.3p1/misc.c.role-mls 2013-08-08 04:50:06.000000000 +0200 -+++ openssh-6.3p1/misc.c 2013-10-10 14:34:43.836494370 +0200 -@@ -429,6 +429,7 @@ char * +diff --git a/misc.c b/misc.c +index e4c8c32..f31cd91 100644 +--- a/misc.c ++++ b/misc.c +@@ -430,6 +430,7 @@ char * colon(char *cp) { int flag = 0; @@ -198,7 +207,7 @@ diff -up openssh-6.3p1/misc.c.role-mls openssh-6.3p1/misc.c if (*cp == ':') /* Leading colon is part of file name. */ return NULL; -@@ -444,6 +445,13 @@ colon(char *cp) +@@ -445,6 +446,13 @@ colon(char *cp) return (cp); if (*cp == '/') return NULL; @@ -212,10 +221,11 @@ diff -up openssh-6.3p1/misc.c.role-mls openssh-6.3p1/misc.c } return NULL; } -diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c ---- openssh-6.3p1/monitor.c.role-mls 2013-10-10 14:34:43.821494441 +0200 -+++ openssh-6.3p1/monitor.c 2013-10-10 14:54:57.933725463 +0200 -@@ -149,6 +149,9 @@ int mm_answer_sign(int, Buffer *); +diff --git a/monitor.c b/monitor.c +index 531c4f9..229fada 100644 +--- a/monitor.c ++++ b/monitor.c +@@ -145,6 +145,9 @@ int mm_answer_sign(int, Buffer *); int mm_answer_pwnamallow(int, Buffer *); int mm_answer_auth2_read_banner(int, Buffer *); int mm_answer_authserv(int, Buffer *); @@ -225,7 +235,7 @@ diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c int mm_answer_authpassword(int, Buffer *); int mm_answer_bsdauthquery(int, Buffer *); int mm_answer_bsdauthrespond(int, Buffer *); -@@ -233,6 +236,9 @@ struct mon_table mon_dispatch_proto20[] +@@ -219,6 +222,9 @@ struct mon_table mon_dispatch_proto20[] = { {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, @@ -235,7 +245,7 @@ diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, #ifdef USE_PAM -@@ -853,6 +859,9 @@ mm_answer_pwnamallow(int sock, Buffer *m +@@ -805,6 +811,9 @@ mm_answer_pwnamallow(int sock, Buffer *m) else { /* Allow service/style information on the auth context */ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); @@ -245,7 +255,7 @@ diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); } #ifdef USE_PAM -@@ -894,6 +903,25 @@ mm_answer_authserv(int sock, Buffer *m) +@@ -846,6 +855,25 @@ mm_answer_authserv(int sock, Buffer *m) return (0); } @@ -271,7 +281,7 @@ diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c int mm_answer_authpassword(int sock, Buffer *m) { -@@ -1269,7 +1297,7 @@ static int +@@ -1220,7 +1248,7 @@ static int monitor_valid_userblob(u_char *data, u_int datalen) { Buffer b; @@ -280,7 +290,7 @@ diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c u_int len; int fail = 0; -@@ -1295,6 +1323,8 @@ monitor_valid_userblob(u_char *data, u_i +@@ -1246,6 +1274,8 @@ monitor_valid_userblob(u_char *data, u_int datalen) if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; p = buffer_get_cstring(&b, NULL); @@ -289,7 +299,7 @@ diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c xasprintf(&userstyle, "%s%s%s", authctxt->user, authctxt->style ? ":" : "", authctxt->style ? authctxt->style : ""); -@@ -1330,7 +1360,7 @@ monitor_valid_hostbasedblob(u_char *data +@@ -1281,7 +1311,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, char *chost) { Buffer b; @@ -298,7 +308,7 @@ diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c u_int len; int fail = 0; -@@ -1347,6 +1377,8 @@ monitor_valid_hostbasedblob(u_char *data +@@ -1298,6 +1328,8 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; p = buffer_get_cstring(&b, NULL); @@ -307,23 +317,26 @@ diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c xasprintf(&userstyle, "%s%s%s", authctxt->user, authctxt->style ? ":" : "", authctxt->style ? authctxt->style : ""); -diff -up openssh-6.3p1/monitor.h.role-mls openssh-6.3p1/monitor.h ---- openssh-6.3p1/monitor.h.role-mls 2013-10-10 14:34:43.821494441 +0200 -+++ openssh-6.3p1/monitor.h 2013-10-10 14:34:43.837494365 +0200 -@@ -61,6 +61,9 @@ enum monitor_reqtype { - MONITOR_REQ_JPAKE_STEP2 = 56, MONITOR_ANS_JPAKE_STEP2 = 57, - MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59, - MONITOR_REQ_JPAKE_CHECK_CONFIRM = 60, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 61, +diff --git a/monitor.h b/monitor.h +index 5bc41b5..20e2b4a 100644 +--- a/monitor.h ++++ b/monitor.h +@@ -57,6 +57,10 @@ enum monitor_reqtype { + MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49, + MONITOR_REQ_TERM = 50, + +#ifdef WITH_SELINUX + MONITOR_REQ_AUTHROLE = 80, +#endif - ++ MONITOR_REQ_PAM_START = 100, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, -diff -up openssh-6.3p1/monitor_wrap.c.role-mls openssh-6.3p1/monitor_wrap.c ---- openssh-6.3p1/monitor_wrap.c.role-mls 2013-10-10 14:34:43.822494436 +0200 -+++ openssh-6.3p1/monitor_wrap.c 2013-10-10 14:34:43.838494360 +0200 -@@ -338,6 +338,25 @@ mm_inform_authserv(char *service, char * + MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105, +diff --git a/monitor_wrap.c b/monitor_wrap.c +index 1a47e41..d1b6d99 100644 +--- a/monitor_wrap.c ++++ b/monitor_wrap.c +@@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char *style) buffer_free(&m); } @@ -349,9 +362,10 @@ diff -up openssh-6.3p1/monitor_wrap.c.role-mls openssh-6.3p1/monitor_wrap.c /* Do the password authentication */ int mm_auth_password(Authctxt *authctxt, char *password) -diff -up openssh-6.3p1/monitor_wrap.h.role-mls openssh-6.3p1/monitor_wrap.h ---- openssh-6.3p1/monitor_wrap.h.role-mls 2013-10-10 14:34:43.822494436 +0200 -+++ openssh-6.3p1/monitor_wrap.h 2013-10-10 14:34:43.838494360 +0200 +diff --git a/monitor_wrap.h b/monitor_wrap.h +index 18c2501..9d5e5ba 100644 +--- a/monitor_wrap.h ++++ b/monitor_wrap.h @@ -42,6 +42,9 @@ int mm_is_monitor(void); DH *mm_choose_dh(int, int, int); int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); @@ -362,36 +376,67 @@ diff -up openssh-6.3p1/monitor_wrap.h.role-mls openssh-6.3p1/monitor_wrap.h struct passwd *mm_getpwnamallow(const char *); char *mm_auth2_read_banner(void); int mm_auth_password(struct Authctxt *, char *); -diff -up openssh-6.3p1/openbsd-compat/Makefile.in.role-mls openssh-6.3p1/openbsd-compat/Makefile.in ---- openssh-6.3p1/openbsd-compat/Makefile.in.role-mls 2013-05-10 08:28:56.000000000 +0200 -+++ openssh-6.3p1/openbsd-compat/Makefile.in 2013-10-10 14:34:43.838494360 +0200 -@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport +diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in +index 6ecfb93..b912dbe 100644 +--- a/openbsd-compat/Makefile.in ++++ b/openbsd-compat/Makefile.in +@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di - COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o + COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o -PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o -+PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-solaris.o port-tun.o port-uw.o ++PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o .c.o: $(CC) $(CFLAGS) $(CPPFLAGS) -c $< -diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbsd-compat/port-linux.c ---- openssh-6.3p1/openbsd-compat/port-linux.c.role-mls 2013-06-02 00:07:32.000000000 +0200 -+++ openssh-6.3p1/openbsd-compat/port-linux.c 2013-10-10 14:40:41.841793347 +0200 -@@ -31,68 +31,271 @@ - - #include "log.h" - #include "xmalloc.h" +diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c +new file mode 100644 +index 0000000..c18524e +--- /dev/null ++++ b/openbsd-compat/port-linux-sshd.c +@@ -0,0 +1,414 @@ ++/* ++ * Copyright (c) 2005 Daniel Walsh ++ * Copyright (c) 2014 Petr Lautrbach ++ * ++ * Permission to use, copy, modify, and distribute this software for any ++ * purpose with or without fee is hereby granted, provided that the above ++ * copyright notice and this permission notice appear in all copies. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES ++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF ++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ++ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES ++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ++ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF ++ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ++ */ ++ ++/* ++ * Linux-specific portability code - just SELinux support for sshd at present ++ */ ++ ++#include "includes.h" ++ ++#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) ++#include ++#include ++#include ++#include ++ ++#include "log.h" ++#include "xmalloc.h" +#include "servconf.h" - #include "port-linux.h" ++#include "port-linux.h" +#include "key.h" +#include "hostfile.h" +#include "auth.h" - - #ifdef WITH_SELINUX - #include - #include ++ ++#ifdef WITH_SELINUX ++#include ++#include +#include - #include ++#include +#include +#include + @@ -399,14 +444,7 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs +#include +#include +#endif - - #ifndef SSH_SELINUX_UNCONFINED_TYPE - # define SSH_SELINUX_UNCONFINED_TYPE ":unconfined_t:" - #endif - --/* Wrapper around is_selinux_enabled() to log its return value once only */ --int --ssh_selinux_enabled(void) ++ +extern ServerOptions options; +extern Authctxt *the_authctxt; +extern int inetd_flag; @@ -414,10 +452,9 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs + +/* Send audit message */ +static int -+send_audit_message(int success, security_context_t default_context, ++sshd_selinux_send_audit_message(int success, security_context_t default_context, + security_context_t selected_context) - { -- static int enabled = -1; ++{ + int rc=0; +#ifdef HAVE_LINUX_AUDIT + char *msg = NULL; @@ -509,7 +546,7 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs + freecon(*sc); + *sc = strdup(context_str(con)); + context_free(con); -+ if (!*sc) ++ if (!*sc) + return -1; + } +#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL @@ -532,10 +569,7 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs + context_free(con); + goto out; + } - -- if (enabled == -1) { -- enabled = (is_selinux_enabled() == 1); -- debug("SELinux support %s", enabled ? "enabled" : "disabled"); ++ + debug("get_user_context: obtained context '%s' requested context '%s'", + obtained_raw, requested_raw); + if (strcmp(obtained_raw, requested_raw)) { @@ -550,7 +584,7 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs + freecon(requested_raw); + freecon(obtained_raw); + context_free(con); - } ++ } +#endif + return 0; + out: @@ -558,8 +592,7 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs + *sc = NULL; + return -1; +} - -- return (enabled); ++ +static void +ssh_selinux_get_role_level(char **role, const char **level) +{ @@ -575,46 +608,37 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs + } + } + } - } - - /* Return the default security context for the given username */ - static security_context_t --ssh_selinux_getctxbyname(char *pwname) -+ssh_selinux_getctxbyname(char *pwname, ++} ++ ++/* Return the default security context for the given username */ ++static int ++sshd_selinux_getctxbyname(char *pwname, + security_context_t *default_sc, security_context_t *user_sc) - { -- security_context_t sc = NULL; -- char *sename = NULL, *lvl = NULL; -- int r; ++{ + char *sename, *lvl; + char *role; + const char *reqlvl; + int r = 0; + context_t con = NULL; -+ ++ + ssh_selinux_get_role_level(&role, &reqlvl); - - #ifdef HAVE_GETSEUSERBYNAME -- if (getseuserbyname(pwname, &sename, &lvl) != 0) -- return NULL; ++ ++#ifdef HAVE_GETSEUSERBYNAME + if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) { + sename = NULL; + lvl = NULL; + } - #else - sename = pwname; -- lvl = NULL; ++#else ++ sename = pwname; + lvl = ""; - #endif - ++#endif ++ + if (r == 0) { - #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL -- r = get_default_context_with_level(sename, lvl, NULL, &sc); ++#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL + r = get_default_context_with_level(sename, lvl, NULL, default_sc); - #else -- r = get_default_context(sename, NULL, &sc); ++#else + r = get_default_context(sename, NULL, default_sc); - #endif ++#endif + } + + if (r == 0) { @@ -634,26 +658,12 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs + reqlvl = ""; + + debug("%s: current connection level '%s'", __func__, reqlvl); - -- if (r != 0) { -- switch (security_getenforce()) { -- case -1: -- fatal("%s: ssh_selinux_getctxbyname: " -- "security_getenforce() failed", __func__); -- case 0: -- error("%s: Failed to get default SELinux security " -- "context for %s", __func__, pwname); -- sc = NULL; -- break; -- default: -- fatal("%s: Failed to get default SELinux security " -- "context for %s (in enforcing mode)", -- __func__, pwname); - } -+ ++ ++ } ++ + if ((reqlvl != NULL && reqlvl[0]) || (role != NULL && role[0])) { + r = get_user_context(sename, role, reqlvl, user_sc); -+ ++ + if (r == 0 && reqlvl != NULL && reqlvl[0]) { + security_context_t default_level_sc = *default_sc; + if (role != NULL && role[0]) { @@ -677,14 +687,13 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs + if (r != 0) { + error("%s: Failed to get default SELinux security " + "context for %s", __func__, pwname); - } - - #ifdef HAVE_GETSEUSERBYNAME -@@ -100,7 +303,42 @@ ssh_selinux_getctxbyname(char *pwname) - free(lvl); - #endif - -- return sc; ++ } ++ ++#ifdef HAVE_GETSEUSERBYNAME ++ free(sename); ++ free(lvl); ++#endif ++ + if (role != NULL) + free(role); + if (con) @@ -695,7 +704,7 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs + +/* Setup environment variables for pam_selinux */ +static int -+ssh_selinux_setup_pam_variables(void) ++sshd_selinux_setup_pam_variables(void) +{ + const char *reqlvl; + char *role; @@ -721,22 +730,22 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs + free(role); + + return rv; - } - - /* Set the execution context to the default for the specified user */ -@@ -108,28 +346,71 @@ void - ssh_selinux_setup_exec_context(char *pwname) - { - security_context_t user_ctx = NULL; ++} ++ ++/* Set the execution context to the default for the specified user */ ++void ++sshd_selinux_setup_exec_context(char *pwname) ++{ ++ security_context_t user_ctx = NULL; + int r = 0; + security_context_t default_ctx = NULL; - - if (!ssh_selinux_enabled()) - return; - ++ ++ if (!ssh_selinux_enabled()) ++ return; ++ + if (options.use_pam) { + /* do not compute context, just setup environment for pam_selinux */ -+ if (ssh_selinux_setup_pam_variables()) { ++ if (sshd_selinux_setup_pam_variables()) { + switch (security_getenforce()) { + case -1: + fatal("%s: security_getenforce() failed", __func__); @@ -752,17 +761,15 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs + return; + } + - debug3("%s: setting execution context", __func__); - -- user_ctx = ssh_selinux_getctxbyname(pwname); -- if (setexeccon(user_ctx) != 0) { -+ r = ssh_selinux_getctxbyname(pwname, &default_ctx, &user_ctx); ++ debug3("%s: setting execution context", __func__); ++ ++ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx); + if (r >= 0) { + r = setexeccon(user_ctx); + if (r < 0) { + error("%s: Failed to set SELinux execution context %s for %s", + __func__, user_ctx, pwname); -+ } ++ } +#ifdef HAVE_SETKEYCREATECON + else if (setkeycreatecon(user_ctx) < 0) { + error("%s: Failed to set SELinux keyring creation context %s for %s", @@ -776,155 +783,113 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs + if (r < 0 || user_ctx != default_ctx) { + /* audit just the case when user changed a role or there was + a failure */ -+ send_audit_message(r >= 0, default_ctx, user_ctx); ++ sshd_selinux_send_audit_message(r >= 0, default_ctx, user_ctx); + } + if (r < 0) { - switch (security_getenforce()) { - case -1: - fatal("%s: security_getenforce() failed", __func__); - case 0: -- error("%s: Failed to set SELinux execution " -- "context for %s", __func__, pwname); ++ switch (security_getenforce()) { ++ case -1: ++ fatal("%s: security_getenforce() failed", __func__); ++ case 0: + error("%s: SELinux failure. Continuing in permissive mode.", + __func__); - break; - default: -- fatal("%s: Failed to set SELinux execution context " -- "for %s (in enforcing mode)", __func__, pwname); ++ break; ++ default: + fatal("%s: SELinux failure. Aborting connection.", + __func__); - } - } -- if (user_ctx != NULL) ++ } ++ } + if (user_ctx != NULL && user_ctx != default_ctx) - freecon(user_ctx); ++ freecon(user_ctx); + if (default_ctx != NULL) + freecon(default_ctx); - - debug3("%s: done", __func__); - } -@@ -147,7 +428,10 @@ ssh_selinux_setup_pty(char *pwname, cons - - debug3("%s: setting TTY context on %s", __func__, tty); - -- user_ctx = ssh_selinux_getctxbyname(pwname); -+ if (getexeccon(&user_ctx) < 0) { -+ error("%s: getexeccon: %s", __func__, strerror(errno)); -+ goto out; -+ } - - /* XXX: should these calls fatal() upon failure in enforcing mode? */ - -@@ -219,21 +503,6 @@ ssh_selinux_change_context(const char *n - free(newctx); ++ ++ debug3("%s: done", __func__); ++} ++ ++#endif ++#endif ++ +diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c +index 4637a7a..22ea8ef 100644 +--- a/openbsd-compat/port-linux.c ++++ b/openbsd-compat/port-linux.c +@@ -103,37 +103,6 @@ ssh_selinux_getctxbyname(char *pwname) + return sc; } +-/* Set the execution context to the default for the specified user */ -void --ssh_selinux_setfscreatecon(const char *path) +-ssh_selinux_setup_exec_context(char *pwname) -{ -- security_context_t context; +- security_context_t user_ctx = NULL; - - if (!ssh_selinux_enabled()) - return; -- if (path == NULL) { -- setfscreatecon(NULL); -- return; +- +- debug3("%s: setting execution context", __func__); +- +- user_ctx = ssh_selinux_getctxbyname(pwname); +- if (setexeccon(user_ctx) != 0) { +- switch (security_getenforce()) { +- case -1: +- fatal("%s: security_getenforce() failed", __func__); +- case 0: +- error("%s: Failed to set SELinux execution " +- "context for %s", __func__, pwname); +- break; +- default: +- fatal("%s: Failed to set SELinux execution context " +- "for %s (in enforcing mode)", __func__, pwname); +- } - } -- if (matchpathcon(path, 0700, &context) == 0) -- setfscreatecon(context); +- if (user_ctx != NULL) +- freecon(user_ctx); +- +- debug3("%s: done", __func__); -} - - #endif /* WITH_SELINUX */ + /* Set the TTY context for the specified user */ + void + ssh_selinux_setup_pty(char *pwname, const char *tty) +diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h +index e3d1004..8ef6cc4 100644 +--- a/openbsd-compat/port-linux.h ++++ b/openbsd-compat/port-linux.h +@@ -22,9 +22,10 @@ + #ifdef WITH_SELINUX + int ssh_selinux_enabled(void); + void ssh_selinux_setup_pty(char *, const char *); +-void ssh_selinux_setup_exec_context(char *); + void ssh_selinux_change_context(const char *); + void ssh_selinux_setfscreatecon(const char *); ++ ++void sshd_selinux_setup_exec_context(char *); + #endif #ifdef LINUX_OOM_ADJUST -diff -up openssh-6.3p1/openbsd-compat/port-linux_part_2.c.role-mls openssh-6.3p1/openbsd-compat/port-linux_part_2.c ---- openssh-6.3p1/openbsd-compat/port-linux_part_2.c.role-mls 2013-10-10 14:34:43.839494355 +0200 -+++ openssh-6.3p1/openbsd-compat/port-linux_part_2.c 2013-10-10 14:34:43.839494355 +0200 -@@ -0,0 +1,75 @@ -+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */ -+ -+/* -+ * Copyright (c) 2005 Daniel Walsh -+ * Copyright (c) 2006 Damien Miller -+ * -+ * Permission to use, copy, modify, and distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+/* -+ * Linux-specific portability code - just SELinux support at present -+ */ -+ -+#include "includes.h" -+ -+#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) -+#include -+#include -+#include -+#include -+ -+#include "log.h" -+#include "xmalloc.h" -+#include "port-linux.h" -+#include "key.h" -+#include "hostfile.h" -+#include "auth.h" -+ -+#ifdef WITH_SELINUX -+#include -+#include -+#include -+ -+/* Wrapper around is_selinux_enabled() to log its return value once only */ -+int -+ssh_selinux_enabled(void) -+{ -+ static int enabled = -1; -+ -+ if (enabled == -1) { -+ enabled = (is_selinux_enabled() == 1); -+ debug("SELinux support %s", enabled ? "enabled" : "disabled"); -+ } -+ -+ return (enabled); -+} -+ -+void -+ssh_selinux_setfscreatecon(const char *path) -+{ -+ security_context_t context; -+ -+ if (!ssh_selinux_enabled()) -+ return; -+ if (path == NULL) { -+ setfscreatecon(NULL); -+ return; -+ } -+ if (matchpathcon(path, 0700, &context) == 0) -+ setfscreatecon(context); -+} -+ -+#endif /* WITH_SELINUX */ -+ -+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ -diff -up openssh-6.3p1/sshd.c.role-mls openssh-6.3p1/sshd.c ---- openssh-6.3p1/sshd.c.role-mls 2013-10-10 14:34:43.824494427 +0200 -+++ openssh-6.3p1/sshd.c 2013-10-10 14:34:43.839494355 +0200 -@@ -2179,6 +2179,9 @@ main(int ac, char **av) +diff --git a/platform.c b/platform.c +index 30fc609..0d39ab2 100644 +--- a/platform.c ++++ b/platform.c +@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(struct passwd *pw) + } + #endif /* HAVE_SETPCRED */ + #ifdef WITH_SELINUX +- ssh_selinux_setup_exec_context(pw->pw_name); ++ sshd_selinux_setup_exec_context(pw->pw_name); + #endif + } + +diff --git a/sshd.c b/sshd.c +index 7523de9..07f9926 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -2138,6 +2138,9 @@ main(int ac, char **av) restore_uid(); } #endif +#ifdef WITH_SELINUX -+ ssh_selinux_setup_exec_context(authctxt->pw->pw_name); ++ sshd_selinux_setup_exec_context(authctxt->pw->pw_name); +#endif #ifdef USE_PAM if (options.use_pam) { diff --git a/openssh.spec b/openssh.spec index 516b803..1bb4cf5 100644 --- a/openssh.spec +++ b/openssh.spec @@ -63,10 +63,10 @@ %endif # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 -%define openssh_ver 6.4p1 -%define openssh_rel 4 +%define openssh_ver 6.6p1 +%define openssh_rel 1 %define pam_ssh_agent_ver 0.9.3 -%define pam_ssh_agent_rel 1 +%define pam_ssh_agent_rel 2 Summary: An open source implementation of SSH protocol versions 1 and 2 Name: openssh @@ -94,7 +94,7 @@ Patch0: openssh-5.9p1-wIm.patch #? Patch100: openssh-6.3p1-coverity.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1872 -Patch101: openssh-6.3p1-fingerprint.patch +Patch101: openssh-6.6p1-fingerprint.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1894 #https://bugzilla.redhat.com/show_bug.cgi?id=735889 Patch102: openssh-5.8p1-getaddrinfo.patch @@ -114,76 +114,74 @@ Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch # don't use xfree (#1024965) Patch303: pam_ssh_agent_auth-0.9.3-no-xfree.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX) -Patch400: openssh-6.3p1-role-mls.patch +Patch400: openssh-6.6p1-role-mls.patch #https://bugzilla.redhat.com/show_bug.cgi?id=781634 -Patch404: openssh-6.3p1-privsep-selinux.patch +Patch404: openssh-6.6p1-privsep-selinux.patch #?-- unwanted child :( -Patch501: openssh-6.3p1-ldap.patch +Patch501: openssh-6.6p1-ldap.patch #? -Patch502: openssh-6.3p1-keycat.patch +Patch502: openssh-6.6p1-keycat.patch #http6://bugzilla.mindrot.org/show_bug.cgi?id=1644 -Patch601: openssh-5.2p1-allow-ip-opts.patch +Patch601: openssh-6.6p1-allow-ip-opts.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1701 Patch602: openssh-5.9p1-randclean.patch #http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/ssh/Attic/sftp-glob.c.diff?r1=1.13&r2=1.13.12.1&f=h Patch603: openssh-5.8p1-glob.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1893 -Patch604: openssh-5.8p1-keyperm.patch +Patch604: openssh-6.6p1-keyperm.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1329 (WONTFIX) -Patch605: openssh-5.8p2-remove-stale-control-socket.patch +# drop: Patch605: openssh-5.8p2-remove-stale-control-socket.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1925 Patch606: openssh-5.9p1-ipv6man.patch #? -Patch607: openssh-5.8p2-sigpipe.patch +# drop? Patch607: openssh-5.8p2-sigpipe.patch #? Patch608: openssh-6.1p1-askpass-ld.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1789 -Patch609: openssh-5.5p1-x11.patch +# drop? Patch609: openssh-5.5p1-x11.patch #? Patch700: openssh-6.3p1-fips.patch #? -Patch701: openssh-5.6p1-exit-deadlock.patch +# drop? Patch701: openssh-5.6p1-exit-deadlock.patch #? Patch702: openssh-5.1p1-askpass-progress.patch #? Patch703: openssh-4.3p2-askpass-grab-info.patch -#? -Patch704: openssh-5.9p1-edns.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=205842 +# drop? Patch704: openssh-5.9p1-edns.patch #? Patch705: openssh-5.1p1-scp-manpage.patch #? Patch706: openssh-5.8p1-localdomain.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX) -Patch707: openssh-6.3p1-redhat.patch +Patch707: openssh-6.6p1-redhat.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :) -Patch708: openssh-6.2p1-entropy.patch +Patch708: openssh-6.6p1-entropy.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX) Patch709: openssh-6.2p1-vendor.patch # warn users for unsupported UsePAM=no (#757545) -Patch711: openssh-6.1p1-log-usepam-no.patch +Patch711: openssh-6.6p1-log-usepam-no.patch # make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL Patch712: openssh-6.3p1-ctr-evp-fast.patch # add cavs test binary for the aes-ctr -Patch713: openssh-6.3p1-ctr-cavstest.patch +Patch713: openssh-6.6p1-ctr-cavstest.patch #http://www.sxw.org.uk/computing/patches/openssh.html #changed cache storage type - #848228 -Patch800: openssh-6.3p1-gsskex.patch +Patch800: openssh-6.6p1-gsskex.patch #http://www.mail-archive.com/kerberos@mit.edu/msg17591.html -Patch801: openssh-6.3p1-force_krb.patch +Patch801: openssh-6.6p1-force_krb.patch Patch900: openssh-6.1p1-gssapi-canohost.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1780 -Patch901: openssh-6.3p1-kuserok.patch +Patch901: openssh-6.6p1-kuserok.patch # use default_ccache_name from /etc/krb5.conf (#991186) Patch902: openssh-6.3p1-krb5-use-default_ccache_name.patch -# increase the size of the Diffie-Hellman groups (#1010607) -Patch903: openssh-6.3p1-increase-size-of-DF-groups.patch # FIPS mode - adjust the key echange DH groups and ssh-keygen according to SP800-131A (#1001748) -Patch904: openssh-6.4p1-FIPS-mode-SP800-131A.patch +# merge: Patch904: openssh-6.4p1-FIPS-mode-SP800-131A.patch # Run ssh-copy-id in the legacy mode when SSH_COPY_ID_LEGACY variable is set (#969375 Patch905: openssh-6.4p1-legacy-ssh-copy-id.patch # Use tty allocation for a remote scp (#985650) @@ -192,9 +190,7 @@ Patch906: openssh-6.4p1-fromto-remote.patch Patch907: openssh-6.4p1-CLOCK_BOOTTIME.patch # Prevents a server from skipping SSHFP lookup and forcing a new-hostkey # dialog by offering only certificate keys. (#1081338) -Patch908: openssh-6.4p1-CVE-2014-2653.patch -# ignore environment variables with embedded '=' or '\0' characters (#1077843) -Patch909: openssh-6.4p1-ignore-bad-env-var.patch +Patch908: openssh-6.6p1-CVE-2014-2653.patch License: BSD @@ -358,12 +354,12 @@ The module is most useful for su and sudo service stacks. %patch0 -p1 -b .wIm %endif -%patch100 -p1 -b .coverity +# rework %patch100 -p1 -b .coverity %patch101 -p1 -b .fingerprint -%patch102 -p1 -b .getaddrinfo +# investigate %patch102 -p1 -b .getaddrinfo %patch103 -p1 -b .packet -%patch200 -p1 -b .audit +# rework %patch200 -p1 -b .audit %if %{pam_ssh_agent} pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -387,21 +383,23 @@ popd %patch502 -p1 -b .keycat %patch601 -p1 -b .ip-opts -%patch602 -p1 -b .randclean +# merge to fips +# %patch602 -p1 -b .randclean %patch603 -p1 -b .glob %patch604 -p1 -b .keyperm -%patch605 -p1 -b .remove_stale +# drop %patch605 -p1 -b .remove_stale %patch606 -p1 -b .ipv6man -%patch607 -p1 -b .sigpipe +# drop? %patch607 -p1 -b .sigpipe %patch608 -p1 -b .askpass-ld -%patch609 -p1 -b .x11 - -%patch700 -p1 -b .fips -%patch701 -p1 -b .exit-deadlock +# drop? %patch609 -p1 -b .x11 +# +# move to the end %patch700 -p1 -b .fips +# drop? %patch701 -p1 -b .exit-deadlock %patch702 -p1 -b .progress %patch703 -p1 -b .grab-info -%patch704 -p1 -b .edns -%patch705 -p1 -b .manpage +# investigate - https://bugzilla.redhat.com/show_bug.cgi?id=205842 +# probably not needed anymore %patch704 -p1 -b .edns +# drop it %patch705 -p1 -b .manpage %patch706 -p1 -b .localdomain %patch707 -p1 -b .redhat %patch708 -p1 -b .entropy @@ -409,20 +407,18 @@ popd %patch711 -p1 -b .log-usepam-no %patch712 -p1 -b .evp-ctr %patch713 -p1 -b .ctr-cavs - +# %patch800 -p1 -b .gsskex %patch801 -p1 -b .force_krb - +# %patch900 -p1 -b .canohost %patch901 -p1 -b .kuserok %patch902 -p1 -b .ccache_name -%patch903 -p1 -b .dh -%patch904 -p1 -b .SP800-131A +# merge with fips %patch904 -p1 -b .SP800-131A %patch905 -p1 -b .legacy-ssh-copy-id %patch906 -p1 -b .fromto-remote %patch907 -p1 -b .CLOCK_BOOTTIME %patch908 -p1 -b .CVE-2014-2653 -%patch909 -p1 -b .bad-env-var %if 0 # Nothing here yet @@ -737,6 +733,9 @@ getent passwd sshd >/dev/null || \ %endif %changelog +* Tue Jun 03 2014 Petr Lautrbach 6.6p1-1 + 0.9.3-2 +- new upstream release openssh-6.6p1 + * Thu May 15 2014 Petr Lautrbach 6.4p1-4 + 0.9.3-1 - use SSH_COPY_ID_LEGACY variable to run ssh-copy-id in the legacy mode - make /etc/ssh/moduli file public (#1043661) diff --git a/sources b/sources index 90637ab..fbdb5e4 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 9872ca1983e566ff5a89c240529e223d pam_ssh_agent_auth-0.9.3.tar.bz2 -a62b88b884df0b09b8a8c5789ac9e51b openssh-6.4p1.tar.gz +3e9800e6bca1fbac0eea4d41baa7f239 openssh-6.6p1.tar.gz