Prepare update to 5.4p1
This commit is contained in:
parent
53050644bf
commit
974c89c195
@ -1 +1,2 @@
|
||||
openssh-5.4p1-snap20100302-noacss.tar.bz2
|
||||
pam_ssh_agent_auth-0.9.2.tar.bz2
|
||||
|
@ -1,11 +0,0 @@
|
||||
--- openssh-3.9p1/contrib/gnome-ssh-askpass2.c.keep-above 2003-11-21 13:48:56.000000000 +0100
|
||||
+++ openssh-3.9p1/contrib/gnome-ssh-askpass2.c 2005-02-08 08:44:02.099739294 +0100
|
||||
@@ -119,6 +119,8 @@
|
||||
g_signal_connect(G_OBJECT(entry), "activate",
|
||||
G_CALLBACK(ok_dialog), dialog);
|
||||
|
||||
+ gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
|
||||
+
|
||||
/* Grab focus */
|
||||
gtk_widget_show_now(dialog);
|
||||
if (grab_pointer) {
|
@ -1,7 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1.2.2 (OpenBSD)
|
||||
|
||||
iD8DBQBBIgAxzo7LA4b/nEgRArlqAJ0UhIfcfbz+oAxn8AsiOeHBVMwFXwCgkXcX
|
||||
hxmfq8nv/+hpiid1j9lAUx8=
|
||||
=P4zN
|
||||
-----END PGP SIGNATURE-----
|
@ -1,9 +0,0 @@
|
||||
--- openssh-5.2p1/openbsd-compat/openssl-compat.c~ 2010-01-27 17:36:29.000000000 -0500
|
||||
+++ openssh-5.2p1/openbsd-compat/openssl-compat.c 2010-01-28 10:52:53.000000000 -0500
|
||||
@@ -58,5 +58,6 @@
|
||||
/* Enable use of crypto hardware */
|
||||
ENGINE_load_builtin_engines();
|
||||
ENGINE_register_all_complete();
|
||||
+ OPENSSL_config(NULL);
|
||||
}
|
||||
#endif
|
@ -1,64 +0,0 @@
|
||||
diff -up openssh-5.2p1/openbsd-compat/port-linux.c.sesftp openssh-5.2p1/openbsd-compat/port-linux.c
|
||||
--- openssh-5.2p1/openbsd-compat/port-linux.c.sesftp 2009-08-12 00:29:37.712368892 +0200
|
||||
+++ openssh-5.2p1/openbsd-compat/port-linux.c 2009-08-12 00:29:37.732544890 +0200
|
||||
@@ -469,4 +469,36 @@ ssh_selinux_setup_pty(char *pwname, cons
|
||||
freecon(user_ctx);
|
||||
debug3("%s: done", __func__);
|
||||
}
|
||||
+
|
||||
+void
|
||||
+ssh_selinux_change_context(const char *newname)
|
||||
+{
|
||||
+ int len, newlen;
|
||||
+ char *oldctx, *newctx, *cx;
|
||||
+
|
||||
+ if (!ssh_selinux_enabled())
|
||||
+ return;
|
||||
+
|
||||
+ if (getcon((security_context_t *)&oldctx) < 0) {
|
||||
+ logit("%s: getcon failed with %s", __func__, strerror (errno));
|
||||
+ return;
|
||||
+ }
|
||||
+ if ((cx = index(oldctx, ':')) == NULL || (cx = index(cx + 1, ':')) == NULL) {
|
||||
+ logit ("%s: unparseable context %s", __func__, oldctx);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ newlen = strlen(oldctx) + strlen(newname) + 1;
|
||||
+ newctx = xmalloc(newlen);
|
||||
+ len = cx - oldctx + 1;
|
||||
+ memcpy(newctx, oldctx, len);
|
||||
+ strlcpy(newctx + len, newname, newlen - len);
|
||||
+ if ((cx = index(cx + 1, ':')))
|
||||
+ strlcat(newctx, cx, newlen);
|
||||
+ debug3("%s: setting context from '%s' to '%s'", __func__, oldctx, newctx);
|
||||
+ if (setcon(newctx) < 0)
|
||||
+ logit("%s: setcon failed with %s", __func__, strerror (errno));
|
||||
+ xfree(oldctx);
|
||||
+ xfree(newctx);
|
||||
+}
|
||||
#endif /* WITH_SELINUX */
|
||||
diff -up openssh-5.2p1/openbsd-compat/port-linux.h.sesftp openssh-5.2p1/openbsd-compat/port-linux.h
|
||||
--- openssh-5.2p1/openbsd-compat/port-linux.h.sesftp 2008-03-26 21:27:21.000000000 +0100
|
||||
+++ openssh-5.2p1/openbsd-compat/port-linux.h 2009-08-12 00:29:37.733388083 +0200
|
||||
@@ -23,6 +23,7 @@
|
||||
int ssh_selinux_enabled(void);
|
||||
void ssh_selinux_setup_pty(char *, const char *);
|
||||
void ssh_selinux_setup_exec_context(char *);
|
||||
+void ssh_selinux_change_context(const char *);
|
||||
#endif
|
||||
|
||||
#endif /* ! _PORT_LINUX_H */
|
||||
diff -up openssh-5.2p1/session.c.sesftp openssh-5.2p1/session.c
|
||||
--- openssh-5.2p1/session.c.sesftp 2009-08-12 00:29:37.659250161 +0200
|
||||
+++ openssh-5.2p1/session.c 2009-08-12 00:29:37.729578695 +0200
|
||||
@@ -1798,6 +1798,9 @@ do_child(Session *s, const char *command
|
||||
argv[i] = NULL;
|
||||
optind = optreset = 1;
|
||||
__progname = argv[0];
|
||||
+#ifdef WITH_SELINUX
|
||||
+ ssh_selinux_change_context("sftpd_t");
|
||||
+#endif
|
||||
exit(sftp_server_main(i, argv, s->pw));
|
||||
}
|
||||
|
Binary file not shown.
Binary file not shown.
@ -1,15 +1,15 @@
|
||||
diff -up openssh-5.3p1/auth2-pubkey.c.fips openssh-5.3p1/auth2-pubkey.c
|
||||
--- openssh-5.3p1/auth2-pubkey.c.fips 2009-10-02 14:12:00.000000000 +0200
|
||||
+++ openssh-5.3p1/auth2-pubkey.c 2009-10-02 14:12:00.000000000 +0200
|
||||
@@ -33,6 +33,7 @@
|
||||
#include <stdio.h>
|
||||
#include <stdarg.h>
|
||||
diff -up openssh-5.4p1/auth2-pubkey.c.fips openssh-5.4p1/auth2-pubkey.c
|
||||
--- openssh-5.4p1/auth2-pubkey.c.fips 2010-03-01 17:55:26.000000000 +0100
|
||||
+++ openssh-5.4p1/auth2-pubkey.c 2010-03-01 17:57:56.000000000 +0100
|
||||
@@ -35,6 +35,7 @@
|
||||
#include <string.h>
|
||||
#include <time.h>
|
||||
#include <unistd.h>
|
||||
+#include <openssl/fips.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "ssh.h"
|
||||
@@ -240,7 +241,7 @@ user_key_allowed2(struct passwd *pw, Key
|
||||
@@ -269,7 +270,7 @@ user_key_allowed2(struct passwd *pw, Key
|
||||
found_key = 1;
|
||||
debug("matching key found: file %s, line %lu",
|
||||
file, linenum);
|
||||
@ -18,10 +18,10 @@ diff -up openssh-5.3p1/auth2-pubkey.c.fips openssh-5.3p1/auth2-pubkey.c
|
||||
verbose("Found matching %s key: %s",
|
||||
key_type(found), fp);
|
||||
xfree(fp);
|
||||
diff -up openssh-5.3p1/authfile.c.fips openssh-5.3p1/authfile.c
|
||||
--- openssh-5.3p1/authfile.c.fips 2006-09-01 07:38:36.000000000 +0200
|
||||
+++ openssh-5.3p1/authfile.c 2009-10-02 14:12:00.000000000 +0200
|
||||
@@ -143,8 +143,14 @@ key_save_private_rsa1(Key *key, const ch
|
||||
diff -up openssh-5.4p1/authfile.c.fips openssh-5.4p1/authfile.c
|
||||
--- openssh-5.4p1/authfile.c.fips 2010-01-12 09:42:29.000000000 +0100
|
||||
+++ openssh-5.4p1/authfile.c 2010-03-01 17:55:28.000000000 +0100
|
||||
@@ -146,8 +146,14 @@ key_save_private_rsa1(Key *key, const ch
|
||||
/* Allocate space for the private part of the key in the buffer. */
|
||||
cp = buffer_append_space(&encrypted, buffer_len(&buffer));
|
||||
|
||||
@ -38,7 +38,7 @@ diff -up openssh-5.3p1/authfile.c.fips openssh-5.3p1/authfile.c
|
||||
cipher_crypt(&ciphercontext, cp,
|
||||
buffer_ptr(&buffer), buffer_len(&buffer));
|
||||
cipher_cleanup(&ciphercontext);
|
||||
@@ -414,8 +420,14 @@ key_load_private_rsa1(int fd, const char
|
||||
@@ -421,8 +427,14 @@ key_load_private_rsa1(int fd, const char
|
||||
cp = buffer_append_space(&decrypted, buffer_len(&buffer));
|
||||
|
||||
/* Rest of the buffer is encrypted. Decrypt it using the passphrase. */
|
||||
@ -55,9 +55,9 @@ diff -up openssh-5.3p1/authfile.c.fips openssh-5.3p1/authfile.c
|
||||
cipher_crypt(&ciphercontext, cp,
|
||||
buffer_ptr(&buffer), buffer_len(&buffer));
|
||||
cipher_cleanup(&ciphercontext);
|
||||
diff -up openssh-5.3p1/cipher.c.fips openssh-5.3p1/cipher.c
|
||||
--- openssh-5.3p1/cipher.c.fips 2009-10-02 13:44:03.000000000 +0200
|
||||
+++ openssh-5.3p1/cipher.c 2009-10-02 14:12:00.000000000 +0200
|
||||
diff -up openssh-5.4p1/cipher.c.fips openssh-5.4p1/cipher.c
|
||||
--- openssh-5.4p1/cipher.c.fips 2010-03-01 15:09:22.000000000 +0100
|
||||
+++ openssh-5.4p1/cipher.c 2010-03-01 17:55:28.000000000 +0100
|
||||
@@ -40,6 +40,7 @@
|
||||
#include <sys/types.h>
|
||||
|
||||
@ -142,9 +142,9 @@ diff -up openssh-5.3p1/cipher.c.fips openssh-5.3p1/cipher.c
|
||||
}
|
||||
|
||||
/*
|
||||
diff -up openssh-5.3p1/cipher-ctr.c.fips openssh-5.3p1/cipher-ctr.c
|
||||
--- openssh-5.3p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200
|
||||
+++ openssh-5.3p1/cipher-ctr.c 2009-10-02 14:12:00.000000000 +0200
|
||||
diff -up openssh-5.4p1/cipher-ctr.c.fips openssh-5.4p1/cipher-ctr.c
|
||||
--- openssh-5.4p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200
|
||||
+++ openssh-5.4p1/cipher-ctr.c 2010-03-01 17:55:28.000000000 +0100
|
||||
@@ -140,7 +140,8 @@ evp_aes_128_ctr(void)
|
||||
aes_ctr.do_cipher = ssh_aes_ctr;
|
||||
#ifndef SSH_OLD_EVP
|
||||
@ -155,9 +155,9 @@ diff -up openssh-5.3p1/cipher-ctr.c.fips openssh-5.3p1/cipher-ctr.c
|
||||
#endif
|
||||
return (&aes_ctr);
|
||||
}
|
||||
diff -up openssh-5.3p1/cipher.h.fips openssh-5.3p1/cipher.h
|
||||
--- openssh-5.3p1/cipher.h.fips 2009-01-28 06:38:41.000000000 +0100
|
||||
+++ openssh-5.3p1/cipher.h 2009-10-02 14:12:00.000000000 +0200
|
||||
diff -up openssh-5.4p1/cipher.h.fips openssh-5.4p1/cipher.h
|
||||
--- openssh-5.4p1/cipher.h.fips 2009-01-28 06:38:41.000000000 +0100
|
||||
+++ openssh-5.4p1/cipher.h 2010-03-01 17:55:28.000000000 +0100
|
||||
@@ -78,7 +78,7 @@ void cipher_init(CipherContext *, Ciphe
|
||||
const u_char *, u_int, int);
|
||||
void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int);
|
||||
@ -167,9 +167,9 @@ diff -up openssh-5.3p1/cipher.h.fips openssh-5.3p1/cipher.h
|
||||
u_int cipher_blocksize(const Cipher *);
|
||||
u_int cipher_keylen(const Cipher *);
|
||||
u_int cipher_is_cbc(const Cipher *);
|
||||
diff -up openssh-5.3p1/mac.c.fips openssh-5.3p1/mac.c
|
||||
--- openssh-5.3p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200
|
||||
+++ openssh-5.3p1/mac.c 2009-10-02 14:12:00.000000000 +0200
|
||||
diff -up openssh-5.4p1/mac.c.fips openssh-5.4p1/mac.c
|
||||
--- openssh-5.4p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200
|
||||
+++ openssh-5.4p1/mac.c 2010-03-01 17:55:28.000000000 +0100
|
||||
@@ -28,6 +28,7 @@
|
||||
#include <sys/types.h>
|
||||
|
||||
@ -219,10 +219,10 @@ diff -up openssh-5.3p1/mac.c.fips openssh-5.3p1/mac.c
|
||||
|
||||
for (i = 0; macs[i].name; i++) {
|
||||
if (strcmp(name, macs[i].name) == 0) {
|
||||
diff -up openssh-5.3p1/Makefile.in.fips openssh-5.3p1/Makefile.in
|
||||
--- openssh-5.3p1/Makefile.in.fips 2009-10-02 14:12:00.000000000 +0200
|
||||
+++ openssh-5.3p1/Makefile.in 2009-10-02 14:20:18.000000000 +0200
|
||||
@@ -136,28 +136,28 @@ libssh.a: $(LIBSSH_OBJS)
|
||||
diff -up openssh-5.4p1/Makefile.in.fips openssh-5.4p1/Makefile.in
|
||||
--- openssh-5.4p1/Makefile.in.fips 2010-02-24 08:18:51.000000000 +0100
|
||||
+++ openssh-5.4p1/Makefile.in 2010-03-01 17:55:28.000000000 +0100
|
||||
@@ -139,31 +139,31 @@ libssh.a: $(LIBSSH_OBJS)
|
||||
$(RANLIB) $@
|
||||
|
||||
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
|
||||
@ -240,28 +240,31 @@ diff -up openssh-5.3p1/Makefile.in.fips openssh-5.3p1/Makefile.in
|
||||
- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o
|
||||
- $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
|
||||
- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
|
||||
- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o
|
||||
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
|
||||
- $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
|
||||
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
|
||||
- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
|
||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
|
||||
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
diff -up openssh-5.3p1/myproposal.h.fips openssh-5.3p1/myproposal.h
|
||||
--- openssh-5.3p1/myproposal.h.fips 2009-01-28 06:33:31.000000000 +0100
|
||||
+++ openssh-5.3p1/myproposal.h 2009-10-02 14:12:00.000000000 +0200
|
||||
@@ -53,7 +53,12 @@
|
||||
diff -up openssh-5.4p1/myproposal.h.fips openssh-5.4p1/myproposal.h
|
||||
--- openssh-5.4p1/myproposal.h.fips 2010-02-26 21:55:05.000000000 +0100
|
||||
+++ openssh-5.4p1/myproposal.h 2010-03-01 17:55:28.000000000 +0100
|
||||
@@ -55,7 +55,12 @@
|
||||
"hmac-sha1-96,hmac-md5-96"
|
||||
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
|
||||
#define KEX_DEFAULT_LANG ""
|
||||
@ -275,23 +278,9 @@ diff -up openssh-5.3p1/myproposal.h.fips openssh-5.3p1/myproposal.h
|
||||
|
||||
static char *myproposal[PROPOSAL_MAX] = {
|
||||
KEX_DEFAULT_KEX,
|
||||
diff -up openssh-5.3p1/nsskeys.c.fips openssh-5.3p1/nsskeys.c
|
||||
--- openssh-5.3p1/nsskeys.c.fips 2009-10-02 14:12:00.000000000 +0200
|
||||
+++ openssh-5.3p1/nsskeys.c 2009-10-02 14:12:00.000000000 +0200
|
||||
@@ -183,8 +183,8 @@ nss_convert_pubkey(Key *k)
|
||||
break;
|
||||
}
|
||||
|
||||
- p = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- debug("fingerprint %u %s", key_size(k), p);
|
||||
+ p = key_fingerprint(k, SSH_FP_SHA1, SSH_FP_HEX);
|
||||
+ debug("SHA1 fingerprint %u %s", key_size(k), p);
|
||||
xfree(p);
|
||||
|
||||
return 0;
|
||||
diff -up openssh-5.3p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.3p1/openbsd-compat/bsd-arc4random.c
|
||||
--- openssh-5.3p1/openbsd-compat/bsd-arc4random.c.fips 2008-06-04 02:54:00.000000000 +0200
|
||||
+++ openssh-5.3p1/openbsd-compat/bsd-arc4random.c 2009-10-02 14:12:00.000000000 +0200
|
||||
diff -up openssh-5.4p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.4p1/openbsd-compat/bsd-arc4random.c
|
||||
--- openssh-5.4p1/openbsd-compat/bsd-arc4random.c.fips 2008-06-04 02:54:00.000000000 +0200
|
||||
+++ openssh-5.4p1/openbsd-compat/bsd-arc4random.c 2010-03-01 17:55:28.000000000 +0100
|
||||
@@ -39,6 +39,7 @@
|
||||
static int rc4_ready = 0;
|
||||
static RC4_KEY rc4;
|
||||
@ -333,9 +322,9 @@ diff -up openssh-5.3p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.3p1/openbs
|
||||
#endif /* !HAVE_ARC4RANDOM */
|
||||
|
||||
#ifndef ARC4RANDOM_BUF
|
||||
diff -up openssh-5.3p1/ssh-add.c.fips openssh-5.3p1/ssh-add.c
|
||||
--- openssh-5.3p1/ssh-add.c.fips 2009-10-02 14:12:00.000000000 +0200
|
||||
+++ openssh-5.3p1/ssh-add.c 2009-10-02 14:12:00.000000000 +0200
|
||||
diff -up openssh-5.4p1/ssh-add.c.fips openssh-5.4p1/ssh-add.c
|
||||
--- openssh-5.4p1/ssh-add.c.fips 2010-02-26 21:55:06.000000000 +0100
|
||||
+++ openssh-5.4p1/ssh-add.c 2010-03-01 17:55:28.000000000 +0100
|
||||
@@ -42,6 +42,7 @@
|
||||
#include <sys/param.h>
|
||||
|
||||
@ -343,8 +332,8 @@ diff -up openssh-5.3p1/ssh-add.c.fips openssh-5.3p1/ssh-add.c
|
||||
+#include <openssl/fips.h>
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
#ifdef HAVE_LIBNSS
|
||||
@@ -254,7 +255,7 @@ list_identities(AuthenticationConnection
|
||||
#include <fcntl.h>
|
||||
@@ -270,7 +271,7 @@ list_identities(AuthenticationConnection
|
||||
key = ssh_get_next_identity(ac, &comment, version)) {
|
||||
had_identities = 1;
|
||||
if (do_fp) {
|
||||
@ -353,9 +342,9 @@ diff -up openssh-5.3p1/ssh-add.c.fips openssh-5.3p1/ssh-add.c
|
||||
SSH_FP_HEX);
|
||||
printf("%d %s %s (%s)\n",
|
||||
key_size(key), fp, comment, key_type(key));
|
||||
diff -up openssh-5.3p1/ssh-agent.c.fips openssh-5.3p1/ssh-agent.c
|
||||
--- openssh-5.3p1/ssh-agent.c.fips 2009-10-02 14:12:00.000000000 +0200
|
||||
+++ openssh-5.3p1/ssh-agent.c 2009-10-02 14:12:00.000000000 +0200
|
||||
diff -up openssh-5.4p1/ssh-agent.c.fips openssh-5.4p1/ssh-agent.c
|
||||
--- openssh-5.4p1/ssh-agent.c.fips 2010-02-26 21:55:06.000000000 +0100
|
||||
+++ openssh-5.4p1/ssh-agent.c 2010-03-01 17:55:28.000000000 +0100
|
||||
@@ -51,6 +51,7 @@
|
||||
|
||||
#include <openssl/evp.h>
|
||||
@ -364,7 +353,7 @@ diff -up openssh-5.3p1/ssh-agent.c.fips openssh-5.3p1/ssh-agent.c
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
#include <errno.h>
|
||||
@@ -200,9 +201,9 @@ confirm_key(Identity *id)
|
||||
@@ -199,9 +200,9 @@ confirm_key(Identity *id)
|
||||
char *p;
|
||||
int ret = -1;
|
||||
|
||||
@ -377,9 +366,9 @@ diff -up openssh-5.3p1/ssh-agent.c.fips openssh-5.3p1/ssh-agent.c
|
||||
ret = 0;
|
||||
xfree(p);
|
||||
|
||||
diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
|
||||
--- openssh-5.3p1/ssh.c.fips 2009-10-02 14:12:00.000000000 +0200
|
||||
+++ openssh-5.3p1/ssh.c 2009-10-02 14:12:00.000000000 +0200
|
||||
diff -up openssh-5.4p1/ssh.c.fips openssh-5.4p1/ssh.c
|
||||
--- openssh-5.4p1/ssh.c.fips 2010-02-26 21:55:06.000000000 +0100
|
||||
+++ openssh-5.4p1/ssh.c 2010-03-01 17:55:28.000000000 +0100
|
||||
@@ -72,6 +72,8 @@
|
||||
|
||||
#include <openssl/evp.h>
|
||||
@ -389,7 +378,7 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
@@ -221,6 +223,10 @@ main(int ac, char **av)
|
||||
@@ -225,6 +227,10 @@ main(int ac, char **av)
|
||||
sanitise_stdfd();
|
||||
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
@ -400,8 +389,8 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
|
||||
init_rng();
|
||||
|
||||
/*
|
||||
@@ -281,6 +287,9 @@ main(int ac, char **av)
|
||||
"ACD:F:I:KL:MNO:PR:S:TVw:XYy")) != -1) {
|
||||
@@ -285,6 +291,9 @@ main(int ac, char **av)
|
||||
"ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) {
|
||||
switch (opt) {
|
||||
case '1':
|
||||
+ if (FIPS_mode()) {
|
||||
@ -410,7 +399,7 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
|
||||
options.protocol = SSH_PROTO_1;
|
||||
break;
|
||||
case '2':
|
||||
@@ -552,7 +561,6 @@ main(int ac, char **av)
|
||||
@@ -581,7 +590,6 @@ main(int ac, char **av)
|
||||
if (!host)
|
||||
usage();
|
||||
|
||||
@ -418,7 +407,7 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
|
||||
ERR_load_crypto_strings();
|
||||
|
||||
/* Initialize the command to execute on remote host. */
|
||||
@@ -638,6 +646,10 @@ main(int ac, char **av)
|
||||
@@ -667,6 +675,10 @@ main(int ac, char **av)
|
||||
|
||||
seed_rng();
|
||||
|
||||
@ -429,7 +418,7 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
|
||||
if (options.user == NULL)
|
||||
options.user = xstrdup(pw->pw_name);
|
||||
|
||||
@@ -704,6 +716,12 @@ main(int ac, char **av)
|
||||
@@ -733,6 +745,12 @@ main(int ac, char **av)
|
||||
|
||||
timeout_ms = options.connection_timeout * 1000;
|
||||
|
||||
@ -442,9 +431,9 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
|
||||
/* Open a connection to the remote host. */
|
||||
if (ssh_connect(host, &hostaddr, options.port,
|
||||
options.address_family, options.connection_attempts, &timeout_ms,
|
||||
diff -up openssh-5.3p1/sshconnect2.c.fips openssh-5.3p1/sshconnect2.c
|
||||
--- openssh-5.3p1/sshconnect2.c.fips 2009-10-02 14:12:00.000000000 +0200
|
||||
+++ openssh-5.3p1/sshconnect2.c 2009-10-02 14:12:00.000000000 +0200
|
||||
diff -up openssh-5.4p1/sshconnect2.c.fips openssh-5.4p1/sshconnect2.c
|
||||
--- openssh-5.4p1/sshconnect2.c.fips 2010-03-01 17:55:28.000000000 +0100
|
||||
+++ openssh-5.4p1/sshconnect2.c 2010-03-01 17:55:29.000000000 +0100
|
||||
@@ -44,6 +44,8 @@
|
||||
#include <vis.h>
|
||||
#endif
|
||||
@ -477,7 +466,7 @@ diff -up openssh-5.3p1/sshconnect2.c.fips openssh-5.3p1/sshconnect2.c
|
||||
if (options.hostkeyalgorithms != NULL)
|
||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
||||
options.hostkeyalgorithms;
|
||||
@@ -508,8 +518,8 @@ input_userauth_pk_ok(int type, u_int32_t
|
||||
@@ -529,8 +539,8 @@ input_userauth_pk_ok(int type, u_int32_t
|
||||
key->type, pktype);
|
||||
goto done;
|
||||
}
|
||||
@ -488,19 +477,19 @@ diff -up openssh-5.3p1/sshconnect2.c.fips openssh-5.3p1/sshconnect2.c
|
||||
xfree(fp);
|
||||
|
||||
/*
|
||||
diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
|
||||
--- openssh-5.3p1/sshconnect.c.fips 2009-10-02 14:12:00.000000000 +0200
|
||||
+++ openssh-5.3p1/sshconnect.c 2009-10-02 14:12:00.000000000 +0200
|
||||
diff -up openssh-5.4p1/sshconnect.c.fips openssh-5.4p1/sshconnect.c
|
||||
--- openssh-5.4p1/sshconnect.c.fips 2010-02-26 21:55:06.000000000 +0100
|
||||
+++ openssh-5.4p1/sshconnect.c 2010-03-01 17:55:29.000000000 +0100
|
||||
@@ -40,6 +40,8 @@
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <fcntl.h>
|
||||
|
||||
+#include <openssl/fips.h>
|
||||
+
|
||||
#include "xmalloc.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
@@ -763,6 +765,7 @@ check_host_key(char *hostname, struct so
|
||||
@@ -789,6 +791,7 @@ check_host_key(char *hostname, struct so
|
||||
goto fail;
|
||||
} else if (options.strict_host_key_checking == 2) {
|
||||
char msg1[1024], msg2[1024];
|
||||
@ -508,7 +497,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
|
||||
|
||||
if (show_other_keys(host, host_key))
|
||||
snprintf(msg1, sizeof(msg1),
|
||||
@@ -771,8 +774,8 @@ check_host_key(char *hostname, struct so
|
||||
@@ -797,8 +800,8 @@ check_host_key(char *hostname, struct so
|
||||
else
|
||||
snprintf(msg1, sizeof(msg1), ".");
|
||||
/* The default */
|
||||
@ -519,7 +508,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
|
||||
SSH_FP_RANDOMART);
|
||||
msg2[0] = '\0';
|
||||
if (options.verify_host_key_dns) {
|
||||
@@ -788,10 +791,10 @@ check_host_key(char *hostname, struct so
|
||||
@@ -814,10 +817,10 @@ check_host_key(char *hostname, struct so
|
||||
snprintf(msg, sizeof(msg),
|
||||
"The authenticity of host '%.200s (%s)' can't be "
|
||||
"established%s\n"
|
||||
@ -532,7 +521,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
|
||||
options.visual_host_key ? "\n" : "",
|
||||
options.visual_host_key ? ra : "",
|
||||
msg2);
|
||||
@@ -1079,17 +1082,18 @@ show_key_from_file(const char *file, con
|
||||
@@ -1131,17 +1134,18 @@ show_key_from_file(const char *file, con
|
||||
Key *found;
|
||||
char *fp, *ra;
|
||||
int line, ret;
|
||||
@ -555,7 +544,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
|
||||
xfree(ra);
|
||||
xfree(fp);
|
||||
}
|
||||
@@ -1135,8 +1139,9 @@ warn_changed_key(Key *host_key)
|
||||
@@ -1187,8 +1191,9 @@ warn_changed_key(Key *host_key)
|
||||
{
|
||||
char *fp;
|
||||
const char *type = key_type(host_key);
|
||||
@ -566,7 +555,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
|
||||
|
||||
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
|
||||
error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
|
||||
@@ -1144,8 +1149,8 @@ warn_changed_key(Key *host_key)
|
||||
@@ -1196,8 +1201,8 @@ warn_changed_key(Key *host_key)
|
||||
error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
|
||||
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
|
||||
error("It is also possible that the %s host key has just been changed.", type);
|
||||
@ -577,9 +566,9 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
|
||||
error("Please contact your system administrator.");
|
||||
|
||||
xfree(fp);
|
||||
diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
|
||||
--- openssh-5.3p1/sshd.c.fips 2009-10-02 14:12:00.000000000 +0200
|
||||
+++ openssh-5.3p1/sshd.c 2009-10-02 14:12:00.000000000 +0200
|
||||
diff -up openssh-5.4p1/sshd.c.fips openssh-5.4p1/sshd.c
|
||||
--- openssh-5.4p1/sshd.c.fips 2010-03-01 17:55:27.000000000 +0100
|
||||
+++ openssh-5.4p1/sshd.c 2010-03-01 17:55:29.000000000 +0100
|
||||
@@ -76,6 +76,8 @@
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/md5.h>
|
||||
@ -589,7 +578,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
#ifdef HAVE_SECUREWARE
|
||||
@@ -1261,6 +1263,12 @@ main(int ac, char **av)
|
||||
@@ -1298,6 +1300,12 @@ main(int ac, char **av)
|
||||
(void)set_auth_parameters(ac, av);
|
||||
#endif
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
@ -602,7 +591,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
|
||||
init_rng();
|
||||
|
||||
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
|
||||
@@ -1413,8 +1421,6 @@ main(int ac, char **av)
|
||||
@@ -1459,8 +1467,6 @@ main(int ac, char **av)
|
||||
else
|
||||
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
|
||||
|
||||
@ -611,7 +600,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
|
||||
/*
|
||||
* Force logging to stderr until we have loaded the private host
|
||||
* key (unless started from inetd)
|
||||
@@ -1532,6 +1538,10 @@ main(int ac, char **av)
|
||||
@@ -1578,6 +1584,10 @@ main(int ac, char **av)
|
||||
debug("private host key: #%d type %d %s", i, key->type,
|
||||
key_type(key));
|
||||
}
|
||||
@ -622,7 +611,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
|
||||
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
|
||||
logit("Disabling protocol version 1. Could not load host key");
|
||||
options.protocol &= ~SSH_PROTO_1;
|
||||
@@ -1656,6 +1666,10 @@ main(int ac, char **av)
|
||||
@@ -1742,6 +1752,10 @@ main(int ac, char **av)
|
||||
/* Initialize the random number generator. */
|
||||
arc4random_stir();
|
||||
|
||||
@ -633,7 +622,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
|
||||
/* Chdir to the root directory so that the current disk can be
|
||||
unmounted if desired. */
|
||||
chdir("/");
|
||||
@@ -2183,6 +2197,9 @@ do_ssh2_kex(void)
|
||||
@@ -2274,6 +2288,9 @@ do_ssh2_kex(void)
|
||||
if (options.ciphers != NULL) {
|
||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
|
||||
@ -643,7 +632,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
|
||||
}
|
||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
|
||||
@@ -2192,6 +2209,9 @@ do_ssh2_kex(void)
|
||||
@@ -2283,6 +2300,9 @@ do_ssh2_kex(void)
|
||||
if (options.macs != NULL) {
|
||||
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
|
||||
@ -653,9 +642,9 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
|
||||
}
|
||||
if (options.compression == COMP_NONE) {
|
||||
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
|
||||
diff -up openssh-5.3p1/ssh-keygen.c.fips openssh-5.3p1/ssh-keygen.c
|
||||
--- openssh-5.3p1/ssh-keygen.c.fips 2009-10-02 14:12:00.000000000 +0200
|
||||
+++ openssh-5.3p1/ssh-keygen.c 2009-10-02 14:12:00.000000000 +0200
|
||||
diff -up openssh-5.4p1/ssh-keygen.c.fips openssh-5.4p1/ssh-keygen.c
|
||||
--- openssh-5.4p1/ssh-keygen.c.fips 2010-02-26 21:55:06.000000000 +0100
|
||||
+++ openssh-5.4p1/ssh-keygen.c 2010-03-01 17:55:29.000000000 +0100
|
||||
@@ -21,6 +21,7 @@
|
||||
|
||||
#include <openssl/evp.h>
|
||||
@ -664,7 +653,7 @@ diff -up openssh-5.3p1/ssh-keygen.c.fips openssh-5.3p1/ssh-keygen.c
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
#include <errno.h>
|
||||
@@ -537,7 +538,7 @@ do_fingerprint(struct passwd *pw)
|
||||
@@ -524,7 +525,7 @@ do_fingerprint(struct passwd *pw)
|
||||
enum fp_type fptype;
|
||||
struct stat st;
|
||||
|
||||
@ -673,7 +662,7 @@ diff -up openssh-5.3p1/ssh-keygen.c.fips openssh-5.3p1/ssh-keygen.c
|
||||
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
|
||||
|
||||
if (!have_identity)
|
||||
@@ -1506,14 +1507,15 @@ passphrase_again:
|
||||
@@ -1808,14 +1809,15 @@ passphrase_again:
|
||||
fclose(f);
|
||||
|
||||
if (!quiet) {
|
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.3p1/auth2.c.gsskex openssh-5.3p1/auth2.c
|
||||
--- openssh-5.3p1/auth2.c.gsskex 2009-11-20 14:38:55.000000000 +0100
|
||||
+++ openssh-5.3p1/auth2.c 2009-11-20 14:39:04.000000000 +0100
|
||||
diff -up openssh-5.4p1/auth2.c.gsskex openssh-5.4p1/auth2.c
|
||||
--- openssh-5.4p1/auth2.c.gsskex 2010-03-01 18:14:24.000000000 +0100
|
||||
+++ openssh-5.4p1/auth2.c 2010-03-01 18:14:28.000000000 +0100
|
||||
@@ -69,6 +69,7 @@ extern Authmethod method_passwd;
|
||||
extern Authmethod method_kbdint;
|
||||
extern Authmethod method_hostbased;
|
||||
@ -35,9 +35,9 @@ diff -up openssh-5.3p1/auth2.c.gsskex openssh-5.3p1/auth2.c
|
||||
authctxt->failures++;
|
||||
if (authctxt->failures >= options.max_authtries) {
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
diff -up openssh-5.3p1/auth2-gss.c.gsskex openssh-5.3p1/auth2-gss.c
|
||||
--- openssh-5.3p1/auth2-gss.c.gsskex 2009-11-20 14:38:55.000000000 +0100
|
||||
+++ openssh-5.3p1/auth2-gss.c 2009-11-20 14:39:04.000000000 +0100
|
||||
diff -up openssh-5.4p1/auth2-gss.c.gsskex openssh-5.4p1/auth2-gss.c
|
||||
--- openssh-5.4p1/auth2-gss.c.gsskex 2010-03-01 18:14:24.000000000 +0100
|
||||
+++ openssh-5.4p1/auth2-gss.c 2010-03-01 18:14:28.000000000 +0100
|
||||
@@ -1,7 +1,7 @@
|
||||
/* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */
|
||||
|
||||
@ -137,9 +137,9 @@ diff -up openssh-5.3p1/auth2-gss.c.gsskex openssh-5.3p1/auth2-gss.c
|
||||
Authmethod method_gssapi = {
|
||||
"gssapi-with-mic",
|
||||
userauth_gssapi,
|
||||
diff -up openssh-5.3p1/auth.h.gsskex openssh-5.3p1/auth.h
|
||||
--- openssh-5.3p1/auth.h.gsskex 2009-11-20 14:38:55.000000000 +0100
|
||||
+++ openssh-5.3p1/auth.h 2009-11-20 14:39:04.000000000 +0100
|
||||
diff -up openssh-5.4p1/auth.h.gsskex openssh-5.4p1/auth.h
|
||||
--- openssh-5.4p1/auth.h.gsskex 2010-03-01 18:14:25.000000000 +0100
|
||||
+++ openssh-5.4p1/auth.h 2010-03-01 18:14:28.000000000 +0100
|
||||
@@ -53,6 +53,7 @@ struct Authctxt {
|
||||
int valid; /* user exists and is allowed to login */
|
||||
int attempt;
|
||||
@ -148,10 +148,10 @@ diff -up openssh-5.3p1/auth.h.gsskex openssh-5.3p1/auth.h
|
||||
int force_pwchange;
|
||||
char *user; /* username sent by the client */
|
||||
char *service;
|
||||
diff -up openssh-5.3p1/auth-krb5.c.gsskex openssh-5.3p1/auth-krb5.c
|
||||
--- openssh-5.3p1/auth-krb5.c.gsskex 2006-08-05 04:39:39.000000000 +0200
|
||||
+++ openssh-5.3p1/auth-krb5.c 2009-11-20 14:39:04.000000000 +0100
|
||||
@@ -166,8 +166,13 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||
diff -up openssh-5.4p1/auth-krb5.c.gsskex openssh-5.4p1/auth-krb5.c
|
||||
--- openssh-5.4p1/auth-krb5.c.gsskex 2009-12-21 00:49:22.000000000 +0100
|
||||
+++ openssh-5.4p1/auth-krb5.c 2010-03-01 18:14:28.000000000 +0100
|
||||
@@ -170,8 +170,13 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||
|
||||
len = strlen(authctxt->krb5_ticket_file) + 6;
|
||||
authctxt->krb5_ccname = xmalloc(len);
|
||||
@ -165,7 +165,7 @@ diff -up openssh-5.3p1/auth-krb5.c.gsskex openssh-5.3p1/auth-krb5.c
|
||||
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam)
|
||||
@@ -219,15 +224,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
|
||||
@@ -226,15 +231,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
|
||||
#ifndef HEIMDAL
|
||||
krb5_error_code
|
||||
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
|
||||
@ -190,7 +190,7 @@ diff -up openssh-5.3p1/auth-krb5.c.gsskex openssh-5.3p1/auth-krb5.c
|
||||
old_umask = umask(0177);
|
||||
tmpfd = mkstemp(ccname + strlen("FILE:"));
|
||||
umask(old_umask);
|
||||
@@ -242,6 +254,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_c
|
||||
@@ -249,6 +261,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_c
|
||||
return errno;
|
||||
}
|
||||
close(tmpfd);
|
||||
@ -198,9 +198,9 @@ diff -up openssh-5.3p1/auth-krb5.c.gsskex openssh-5.3p1/auth-krb5.c
|
||||
|
||||
return (krb5_cc_resolve(ctx, ccname, ccache));
|
||||
}
|
||||
diff -up /dev/null openssh-5.3p1/ChangeLog.gssapi
|
||||
--- /dev/null 2009-11-13 11:29:57.672908570 +0100
|
||||
+++ openssh-5.3p1/ChangeLog.gssapi 2009-11-20 14:39:04.000000000 +0100
|
||||
diff -up openssh-5.4p1/ChangeLog.gssapi.gsskex openssh-5.4p1/ChangeLog.gssapi
|
||||
--- openssh-5.4p1/ChangeLog.gssapi.gsskex 2010-03-01 18:14:28.000000000 +0100
|
||||
+++ openssh-5.4p1/ChangeLog.gssapi 2010-03-01 18:14:28.000000000 +0100
|
||||
@@ -0,0 +1,95 @@
|
||||
+20090615
|
||||
+ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
|
||||
@ -297,9 +297,9 @@ diff -up /dev/null openssh-5.3p1/ChangeLog.gssapi
|
||||
+ add support for GssapiTrustDns option for gssapi-with-mic
|
||||
+ (from jbasney AT ncsa.uiuc.edu)
|
||||
+ <gssapi-with-mic support is Bugzilla #1008>
|
||||
diff -up openssh-5.3p1/clientloop.c.gsskex openssh-5.3p1/clientloop.c
|
||||
--- openssh-5.3p1/clientloop.c.gsskex 2009-08-28 03:21:07.000000000 +0200
|
||||
+++ openssh-5.3p1/clientloop.c 2009-11-20 14:48:53.000000000 +0100
|
||||
diff -up openssh-5.4p1/clientloop.c.gsskex openssh-5.4p1/clientloop.c
|
||||
--- openssh-5.4p1/clientloop.c.gsskex 2010-01-30 07:28:35.000000000 +0100
|
||||
+++ openssh-5.4p1/clientloop.c 2010-03-01 18:14:28.000000000 +0100
|
||||
@@ -111,6 +111,10 @@
|
||||
#include "msg.h"
|
||||
#include "roaming.h"
|
||||
@ -311,7 +311,7 @@ diff -up openssh-5.3p1/clientloop.c.gsskex openssh-5.3p1/clientloop.c
|
||||
/* import options */
|
||||
extern Options options;
|
||||
|
||||
@@ -1430,6 +1434,13 @@ client_loop(int have_pty, int escape_cha
|
||||
@@ -1431,6 +1435,13 @@ client_loop(int have_pty, int escape_cha
|
||||
/* Do channel operations unless rekeying in progress. */
|
||||
if (!rekeying) {
|
||||
channel_after_select(readset, writeset);
|
||||
@ -325,9 +325,9 @@ diff -up openssh-5.3p1/clientloop.c.gsskex openssh-5.3p1/clientloop.c
|
||||
if (need_rekeying || packet_need_rekeying()) {
|
||||
debug("need rekeying");
|
||||
xxx_kex->done = 0;
|
||||
diff -up openssh-5.3p1/configure.ac.gsskex openssh-5.3p1/configure.ac
|
||||
--- openssh-5.3p1/configure.ac.gsskex 2009-11-20 14:39:02.000000000 +0100
|
||||
+++ openssh-5.3p1/configure.ac 2009-11-20 14:39:04.000000000 +0100
|
||||
diff -up openssh-5.4p1/configure.ac.gsskex openssh-5.4p1/configure.ac
|
||||
--- openssh-5.4p1/configure.ac.gsskex 2010-03-01 18:14:27.000000000 +0100
|
||||
+++ openssh-5.4p1/configure.ac 2010-03-01 18:14:28.000000000 +0100
|
||||
@@ -477,6 +477,30 @@ main() { if (NSVersionOfRunTimeLibrary("
|
||||
[Use tunnel device compatibility to OpenBSD])
|
||||
AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
|
||||
@ -359,9 +359,9 @@ diff -up openssh-5.3p1/configure.ac.gsskex openssh-5.3p1/configure.ac
|
||||
m4_pattern_allow(AU_IPv)
|
||||
AC_CHECK_DECL(AU_IPv4, [],
|
||||
AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records])
|
||||
diff -up openssh-5.3p1/gss-genr.c.gsskex openssh-5.3p1/gss-genr.c
|
||||
--- openssh-5.3p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200
|
||||
+++ openssh-5.3p1/gss-genr.c 2009-11-20 14:39:04.000000000 +0100
|
||||
diff -up openssh-5.4p1/gss-genr.c.gsskex openssh-5.4p1/gss-genr.c
|
||||
--- openssh-5.4p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200
|
||||
+++ openssh-5.4p1/gss-genr.c 2010-03-01 18:14:28.000000000 +0100
|
||||
@@ -39,12 +39,167 @@
|
||||
#include "buffer.h"
|
||||
#include "log.h"
|
||||
@ -700,9 +700,9 @@ diff -up openssh-5.3p1/gss-genr.c.gsskex openssh-5.3p1/gss-genr.c
|
||||
+}
|
||||
+
|
||||
#endif /* GSSAPI */
|
||||
diff -up openssh-5.3p1/gss-serv.c.gsskex openssh-5.3p1/gss-serv.c
|
||||
--- openssh-5.3p1/gss-serv.c.gsskex 2008-05-19 07:05:07.000000000 +0200
|
||||
+++ openssh-5.3p1/gss-serv.c 2009-11-20 14:39:05.000000000 +0100
|
||||
diff -up openssh-5.4p1/gss-serv.c.gsskex openssh-5.4p1/gss-serv.c
|
||||
--- openssh-5.4p1/gss-serv.c.gsskex 2008-05-19 07:05:07.000000000 +0200
|
||||
+++ openssh-5.4p1/gss-serv.c 2010-03-01 18:14:28.000000000 +0100
|
||||
@@ -1,7 +1,7 @@
|
||||
/* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */
|
||||
|
||||
@ -1016,9 +1016,9 @@ diff -up openssh-5.3p1/gss-serv.c.gsskex openssh-5.3p1/gss-serv.c
|
||||
}
|
||||
|
||||
#endif
|
||||
diff -up openssh-5.3p1/gss-serv-krb5.c.gsskex openssh-5.3p1/gss-serv-krb5.c
|
||||
--- openssh-5.3p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200
|
||||
+++ openssh-5.3p1/gss-serv-krb5.c 2009-11-20 14:39:04.000000000 +0100
|
||||
diff -up openssh-5.4p1/gss-serv-krb5.c.gsskex openssh-5.4p1/gss-serv-krb5.c
|
||||
--- openssh-5.4p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200
|
||||
+++ openssh-5.4p1/gss-serv-krb5.c 2010-03-01 18:14:28.000000000 +0100
|
||||
@@ -1,7 +1,7 @@
|
||||
/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
|
||||
@ -1139,12 +1139,12 @@ diff -up openssh-5.3p1/gss-serv-krb5.c.gsskex openssh-5.3p1/gss-serv-krb5.c
|
||||
};
|
||||
|
||||
#endif /* KRB5 */
|
||||
diff -up openssh-5.3p1/kex.c.gsskex openssh-5.3p1/kex.c
|
||||
--- openssh-5.3p1/kex.c.gsskex 2009-06-21 10:15:25.000000000 +0200
|
||||
+++ openssh-5.3p1/kex.c 2009-11-20 14:50:11.000000000 +0100
|
||||
@@ -49,6 +49,10 @@
|
||||
#include "dispatch.h"
|
||||
diff -up openssh-5.4p1/kex.c.gsskex openssh-5.4p1/kex.c
|
||||
--- openssh-5.4p1/kex.c.gsskex 2010-01-08 06:50:41.000000000 +0100
|
||||
+++ openssh-5.4p1/kex.c 2010-03-01 18:18:42.000000000 +0100
|
||||
@@ -50,6 +50,10 @@
|
||||
#include "monitor.h"
|
||||
#include "roaming.h"
|
||||
|
||||
+#ifdef GSSAPI
|
||||
+#include "ssh-gss.h"
|
||||
@ -1153,7 +1153,7 @@ diff -up openssh-5.3p1/kex.c.gsskex openssh-5.3p1/kex.c
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
|
||||
# if defined(HAVE_EVP_SHA256)
|
||||
# define evp_ssh_sha256 EVP_sha256
|
||||
@@ -325,6 +329,20 @@ choose_kex(Kex *k, char *client, char *s
|
||||
@@ -326,6 +330,20 @@ choose_kex(Kex *k, char *client, char *s
|
||||
k->kex_type = KEX_DH_GEX_SHA256;
|
||||
k->evp_md = evp_ssh_sha256();
|
||||
#endif
|
||||
@ -1174,9 +1174,9 @@ diff -up openssh-5.3p1/kex.c.gsskex openssh-5.3p1/kex.c
|
||||
} else
|
||||
fatal("bad kex alg %s", k->name);
|
||||
}
|
||||
diff -up /dev/null openssh-5.3p1/kexgssc.c
|
||||
--- /dev/null 2009-11-13 11:29:57.672908570 +0100
|
||||
+++ openssh-5.3p1/kexgssc.c 2009-11-20 14:39:05.000000000 +0100
|
||||
diff -up openssh-5.4p1/kexgssc.c.gsskex openssh-5.4p1/kexgssc.c
|
||||
--- openssh-5.4p1/kexgssc.c.gsskex 2010-03-01 18:14:28.000000000 +0100
|
||||
+++ openssh-5.4p1/kexgssc.c 2010-03-01 18:14:28.000000000 +0100
|
||||
@@ -0,0 +1,334 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||
@ -1512,9 +1512,9 @@ diff -up /dev/null openssh-5.3p1/kexgssc.c
|
||||
+}
|
||||
+
|
||||
+#endif /* GSSAPI */
|
||||
diff -up /dev/null openssh-5.3p1/kexgsss.c
|
||||
--- /dev/null 2009-11-13 11:29:57.672908570 +0100
|
||||
+++ openssh-5.3p1/kexgsss.c 2009-11-20 14:39:05.000000000 +0100
|
||||
diff -up openssh-5.4p1/kexgsss.c.gsskex openssh-5.4p1/kexgsss.c
|
||||
--- openssh-5.4p1/kexgsss.c.gsskex 2010-03-01 18:14:28.000000000 +0100
|
||||
+++ openssh-5.4p1/kexgsss.c 2010-03-01 18:14:28.000000000 +0100
|
||||
@@ -0,0 +1,288 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||
@ -1804,10 +1804,10 @@ diff -up /dev/null openssh-5.3p1/kexgsss.c
|
||||
+ ssh_gssapi_rekey_creds();
|
||||
+}
|
||||
+#endif /* GSSAPI */
|
||||
diff -up openssh-5.3p1/kex.h.gsskex openssh-5.3p1/kex.h
|
||||
--- openssh-5.3p1/kex.h.gsskex 2009-06-21 10:15:25.000000000 +0200
|
||||
+++ openssh-5.3p1/kex.h 2009-11-20 14:39:05.000000000 +0100
|
||||
@@ -66,6 +66,9 @@ enum kex_exchange {
|
||||
diff -up openssh-5.4p1/kex.h.gsskex openssh-5.4p1/kex.h
|
||||
--- openssh-5.4p1/kex.h.gsskex 2010-02-26 21:55:05.000000000 +0100
|
||||
+++ openssh-5.4p1/kex.h 2010-03-01 18:14:28.000000000 +0100
|
||||
@@ -67,6 +67,9 @@ enum kex_exchange {
|
||||
KEX_DH_GRP14_SHA1,
|
||||
KEX_DH_GEX_SHA1,
|
||||
KEX_DH_GEX_SHA256,
|
||||
@ -1817,7 +1817,7 @@ diff -up openssh-5.3p1/kex.h.gsskex openssh-5.3p1/kex.h
|
||||
KEX_MAX
|
||||
};
|
||||
|
||||
@@ -121,6 +124,12 @@ struct Kex {
|
||||
@@ -123,6 +126,12 @@ struct Kex {
|
||||
sig_atomic_t done;
|
||||
int flags;
|
||||
const EVP_MD *evp_md;
|
||||
@ -1830,7 +1830,7 @@ diff -up openssh-5.3p1/kex.h.gsskex openssh-5.3p1/kex.h
|
||||
char *client_version_string;
|
||||
char *server_version_string;
|
||||
int (*verify_host_key)(Key *);
|
||||
@@ -143,6 +152,11 @@ void kexdh_server(Kex *);
|
||||
@@ -146,6 +155,11 @@ void kexdh_server(Kex *);
|
||||
void kexgex_client(Kex *);
|
||||
void kexgex_server(Kex *);
|
||||
|
||||
@ -1842,54 +1842,58 @@ diff -up openssh-5.3p1/kex.h.gsskex openssh-5.3p1/kex.h
|
||||
void
|
||||
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
|
||||
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
|
||||
diff -up openssh-5.3p1/key.c.gsskex openssh-5.3p1/key.c
|
||||
--- openssh-5.3p1/key.c.gsskex 2009-11-20 14:38:59.000000000 +0100
|
||||
+++ openssh-5.3p1/key.c 2009-11-20 14:39:05.000000000 +0100
|
||||
@@ -825,6 +825,8 @@ key_type_from_name(char *name)
|
||||
return KEY_RSA;
|
||||
} else if (strcmp(name, "ssh-dss") == 0) {
|
||||
return KEY_DSA;
|
||||
diff -up openssh-5.4p1/key.c.gsskex openssh-5.4p1/key.c
|
||||
--- openssh-5.4p1/key.c.gsskex 2010-02-26 21:55:05.000000000 +0100
|
||||
+++ openssh-5.4p1/key.c 2010-03-01 18:20:43.000000000 +0100
|
||||
@@ -969,6 +969,8 @@ key_type_from_name(char *name)
|
||||
return KEY_RSA_CERT;
|
||||
} else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) {
|
||||
return KEY_DSA_CERT;
|
||||
+ } else if (strcmp(name, "null") == 0) {
|
||||
+ return KEY_NULL;
|
||||
}
|
||||
debug2("key_type_from_name: unknown key type '%s'", name);
|
||||
return KEY_UNSPEC;
|
||||
diff -up openssh-5.3p1/key.h.gsskex openssh-5.3p1/key.h
|
||||
--- openssh-5.3p1/key.h.gsskex 2009-11-20 14:38:59.000000000 +0100
|
||||
+++ openssh-5.3p1/key.h 2009-11-20 14:50:59.000000000 +0100
|
||||
@@ -40,6 +40,7 @@ enum types {
|
||||
KEY_RSA,
|
||||
diff -up openssh-5.4p1/key.h.gsskex openssh-5.4p1/key.h
|
||||
--- openssh-5.4p1/key.h.gsskex 2010-02-26 21:55:05.000000000 +0100
|
||||
+++ openssh-5.4p1/key.h 2010-03-01 18:21:22.000000000 +0100
|
||||
@@ -37,6 +37,7 @@ enum types {
|
||||
KEY_DSA,
|
||||
KEY_NSS,
|
||||
KEY_RSA_CERT,
|
||||
KEY_DSA_CERT,
|
||||
+ KEY_NULL,
|
||||
KEY_UNSPEC
|
||||
};
|
||||
enum fp_type {
|
||||
diff -up openssh-5.3p1/Makefile.in.gsskex openssh-5.3p1/Makefile.in
|
||||
--- openssh-5.3p1/Makefile.in.gsskex 2009-11-20 14:39:02.000000000 +0100
|
||||
+++ openssh-5.3p1/Makefile.in 2009-11-20 15:06:44.000000000 +0100
|
||||
@@ -71,7 +71,8 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
|
||||
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
|
||||
diff -up openssh-5.4p1/Makefile.in.gsskex openssh-5.4p1/Makefile.in
|
||||
--- openssh-5.4p1/Makefile.in.gsskex 2010-03-01 18:14:27.000000000 +0100
|
||||
+++ openssh-5.4p1/Makefile.in 2010-03-01 18:23:31.000000000 +0100
|
||||
@@ -74,11 +74,11 @@
|
||||
monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
|
||||
kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \
|
||||
- entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o nsskeys.o
|
||||
+ entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o nsskeys.o \
|
||||
+ kexgssc.o
|
||||
kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \
|
||||
entropy.o gss-genr.o umac.o jpake.o schnorr.o \
|
||||
- ssh-pkcs11.o
|
||||
+ ssh-pkcs11.o kexgssc.o
|
||||
|
||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
|
||||
@@ -85,7 +86,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
||||
auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
|
||||
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
|
||||
auth-krb5.o \
|
||||
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
|
||||
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
|
||||
- roaming_common.o roaming_client.o
|
||||
+ roaming_common.o roaming_client.o kexgssc.o
|
||||
|
||||
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
|
||||
sshpty.o sshlogin.o servconf.o serverloop.o \
|
||||
@@ -91,7 +91,7 @@
|
||||
auth2-gss.o gss-serv.o gss-serv-krb5.o \
|
||||
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
|
||||
audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \
|
||||
roaming_common.o
|
||||
diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
|
||||
--- openssh-5.3p1/monitor.c.gsskex 2009-11-20 14:38:55.000000000 +0100
|
||||
+++ openssh-5.3p1/monitor.c 2009-11-20 14:39:05.000000000 +0100
|
||||
- roaming_common.o roaming_serv.o
|
||||
+ roaming_common.o roaming_serv.o kexgsss.o
|
||||
|
||||
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
|
||||
MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
|
||||
diff -up openssh-5.4p1/monitor.c.gsskex openssh-5.4p1/monitor.c
|
||||
--- openssh-5.4p1/monitor.c.gsskex 2010-03-01 18:14:25.000000000 +0100
|
||||
+++ openssh-5.4p1/monitor.c 2010-03-01 18:14:29.000000000 +0100
|
||||
@@ -175,6 +175,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
|
||||
int mm_answer_gss_accept_ctx(int, Buffer *);
|
||||
int mm_answer_gss_userok(int, Buffer *);
|
||||
@ -1956,7 +1960,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
|
||||
kex->server = 1;
|
||||
kex->hostkey_type = buffer_get_int(m);
|
||||
kex->kex_type = buffer_get_int(m);
|
||||
@@ -1943,6 +1967,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
|
||||
@@ -1944,6 +1968,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
|
||||
OM_uint32 major;
|
||||
u_int len;
|
||||
|
||||
@ -1966,7 +1970,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
|
||||
goid.elements = buffer_get_string(m, &len);
|
||||
goid.length = len;
|
||||
|
||||
@@ -1970,6 +1997,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
|
||||
@@ -1971,6 +1998,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
|
||||
OM_uint32 flags = 0; /* GSI needs this */
|
||||
u_int len;
|
||||
|
||||
@ -1976,7 +1980,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
|
||||
in.value = buffer_get_string(m, &len);
|
||||
in.length = len;
|
||||
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
|
||||
@@ -1987,6 +2017,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
|
||||
@@ -1988,6 +2018,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
|
||||
@ -1984,7 +1988,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
|
||||
}
|
||||
return (0);
|
||||
}
|
||||
@@ -1998,6 +2029,9 @@ mm_answer_gss_checkmic(int sock, Buffer
|
||||
@@ -1999,6 +2030,9 @@ mm_answer_gss_checkmic(int sock, Buffer
|
||||
OM_uint32 ret;
|
||||
u_int len;
|
||||
|
||||
@ -1994,7 +1998,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
|
||||
gssbuf.value = buffer_get_string(m, &len);
|
||||
gssbuf.length = len;
|
||||
mic.value = buffer_get_string(m, &len);
|
||||
@@ -2024,7 +2058,11 @@ mm_answer_gss_userok(int sock, Buffer *m
|
||||
@@ -2025,7 +2059,11 @@ mm_answer_gss_userok(int sock, Buffer *m
|
||||
{
|
||||
int authenticated;
|
||||
|
||||
@ -2007,7 +2011,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
|
||||
|
||||
buffer_clear(m);
|
||||
buffer_put_int(m, authenticated);
|
||||
@@ -2037,6 +2075,74 @@ mm_answer_gss_userok(int sock, Buffer *m
|
||||
@@ -2038,6 +2076,74 @@ mm_answer_gss_userok(int sock, Buffer *m
|
||||
/* Monitor loop will terminate if authenticated */
|
||||
return (authenticated);
|
||||
}
|
||||
@ -2082,9 +2086,9 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
|
||||
#endif /* GSSAPI */
|
||||
|
||||
#ifdef JPAKE
|
||||
diff -up openssh-5.3p1/monitor.h.gsskex openssh-5.3p1/monitor.h
|
||||
--- openssh-5.3p1/monitor.h.gsskex 2009-11-20 14:38:55.000000000 +0100
|
||||
+++ openssh-5.3p1/monitor.h 2009-11-20 14:39:05.000000000 +0100
|
||||
diff -up openssh-5.4p1/monitor.h.gsskex openssh-5.4p1/monitor.h
|
||||
--- openssh-5.4p1/monitor.h.gsskex 2010-03-01 18:14:25.000000000 +0100
|
||||
+++ openssh-5.4p1/monitor.h 2010-03-01 18:14:29.000000000 +0100
|
||||
@@ -56,6 +56,8 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
|
||||
MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
|
||||
@ -2094,9 +2098,9 @@ diff -up openssh-5.3p1/monitor.h.gsskex openssh-5.3p1/monitor.h
|
||||
MONITOR_REQ_PAM_START,
|
||||
MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,
|
||||
MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
|
||||
diff -up openssh-5.3p1/monitor_wrap.c.gsskex openssh-5.3p1/monitor_wrap.c
|
||||
--- openssh-5.3p1/monitor_wrap.c.gsskex 2009-11-20 14:38:55.000000000 +0100
|
||||
+++ openssh-5.3p1/monitor_wrap.c 2009-11-20 14:39:05.000000000 +0100
|
||||
diff -up openssh-5.4p1/monitor_wrap.c.gsskex openssh-5.4p1/monitor_wrap.c
|
||||
--- openssh-5.4p1/monitor_wrap.c.gsskex 2010-03-01 18:14:25.000000000 +0100
|
||||
+++ openssh-5.4p1/monitor_wrap.c 2010-03-01 18:14:29.000000000 +0100
|
||||
@@ -1267,7 +1267,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
|
||||
}
|
||||
|
||||
@ -2158,9 +2162,9 @@ diff -up openssh-5.3p1/monitor_wrap.c.gsskex openssh-5.3p1/monitor_wrap.c
|
||||
#endif /* GSSAPI */
|
||||
|
||||
#ifdef JPAKE
|
||||
diff -up openssh-5.3p1/monitor_wrap.h.gsskex openssh-5.3p1/monitor_wrap.h
|
||||
--- openssh-5.3p1/monitor_wrap.h.gsskex 2009-11-20 14:38:55.000000000 +0100
|
||||
+++ openssh-5.3p1/monitor_wrap.h 2009-11-20 14:39:05.000000000 +0100
|
||||
diff -up openssh-5.4p1/monitor_wrap.h.gsskex openssh-5.4p1/monitor_wrap.h
|
||||
--- openssh-5.4p1/monitor_wrap.h.gsskex 2010-03-01 18:14:25.000000000 +0100
|
||||
+++ openssh-5.4p1/monitor_wrap.h 2010-03-01 18:14:29.000000000 +0100
|
||||
@@ -60,8 +60,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
|
||||
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
|
||||
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
|
||||
@ -2173,10 +2177,10 @@ diff -up openssh-5.3p1/monitor_wrap.h.gsskex openssh-5.3p1/monitor_wrap.h
|
||||
#endif
|
||||
|
||||
#ifdef USE_PAM
|
||||
diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c
|
||||
--- openssh-5.3p1/readconf.c.gsskex 2009-11-20 14:38:59.000000000 +0100
|
||||
+++ openssh-5.3p1/readconf.c 2009-11-20 14:39:06.000000000 +0100
|
||||
@@ -128,6 +128,7 @@ typedef enum {
|
||||
diff -up openssh-5.4p1/readconf.c.gsskex openssh-5.4p1/readconf.c
|
||||
--- openssh-5.4p1/readconf.c.gsskex 2010-02-11 23:21:03.000000000 +0100
|
||||
+++ openssh-5.4p1/readconf.c 2010-03-01 18:14:29.000000000 +0100
|
||||
@@ -127,6 +127,7 @@ typedef enum {
|
||||
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
||||
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
||||
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
||||
@ -2184,7 +2188,7 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c
|
||||
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
||||
oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
|
||||
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
|
||||
@@ -165,10 +166,18 @@ static struct {
|
||||
@@ -164,10 +165,18 @@ static struct {
|
||||
{ "afstokenpassing", oUnsupported },
|
||||
#if defined(GSSAPI)
|
||||
{ "gssapiauthentication", oGssAuthentication },
|
||||
@ -2203,7 +2207,7 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c
|
||||
#endif
|
||||
{ "fallbacktorsh", oDeprecated },
|
||||
{ "usersh", oDeprecated },
|
||||
@@ -462,10 +471,26 @@ parse_flag:
|
||||
@@ -456,10 +465,26 @@ parse_flag:
|
||||
intptr = &options->gss_authentication;
|
||||
goto parse_flag;
|
||||
|
||||
@ -2230,7 +2234,7 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c
|
||||
case oBatchMode:
|
||||
intptr = &options->batch_mode;
|
||||
goto parse_flag;
|
||||
@@ -1029,7 +1054,11 @@ initialize_options(Options * options)
|
||||
@@ -1015,7 +1040,11 @@ initialize_options(Options * options)
|
||||
options->pubkey_authentication = -1;
|
||||
options->challenge_response_authentication = -1;
|
||||
options->gss_authentication = -1;
|
||||
@ -2242,7 +2246,7 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->kbd_interactive_devices = NULL;
|
||||
@@ -1123,8 +1152,14 @@ fill_default_options(Options * options)
|
||||
@@ -1107,8 +1136,14 @@ fill_default_options(Options * options)
|
||||
options->challenge_response_authentication = 1;
|
||||
if (options->gss_authentication == -1)
|
||||
options->gss_authentication = 0;
|
||||
@ -2257,9 +2261,9 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
diff -up openssh-5.3p1/readconf.h.gsskex openssh-5.3p1/readconf.h
|
||||
--- openssh-5.3p1/readconf.h.gsskex 2009-11-20 14:38:59.000000000 +0100
|
||||
+++ openssh-5.3p1/readconf.h 2009-11-20 14:39:06.000000000 +0100
|
||||
diff -up openssh-5.4p1/readconf.h.gsskex openssh-5.4p1/readconf.h
|
||||
--- openssh-5.4p1/readconf.h.gsskex 2010-02-11 23:21:03.000000000 +0100
|
||||
+++ openssh-5.4p1/readconf.h 2010-03-01 18:14:29.000000000 +0100
|
||||
@@ -44,7 +44,11 @@ typedef struct {
|
||||
int challenge_response_authentication;
|
||||
/* Try S/Key or TIS, authentication. */
|
||||
@ -2272,10 +2276,10 @@ diff -up openssh-5.3p1/readconf.h.gsskex openssh-5.3p1/readconf.h
|
||||
int password_authentication; /* Try password
|
||||
* authentication. */
|
||||
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
||||
diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c
|
||||
--- openssh-5.3p1/servconf.c.gsskex 2009-11-20 14:39:03.000000000 +0100
|
||||
+++ openssh-5.3p1/servconf.c 2009-11-20 14:52:27.000000000 +0100
|
||||
@@ -92,7 +92,10 @@ initialize_server_options(ServerOptions
|
||||
diff -up openssh-5.4p1/servconf.c.gsskex openssh-5.4p1/servconf.c
|
||||
--- openssh-5.4p1/servconf.c.gsskex 2010-03-01 18:14:28.000000000 +0100
|
||||
+++ openssh-5.4p1/servconf.c 2010-03-01 18:25:32.000000000 +0100
|
||||
@@ -93,7 +93,10 @@ initialize_server_options(ServerOptions
|
||||
options->kerberos_ticket_cleanup = -1;
|
||||
options->kerberos_get_afs_token = -1;
|
||||
options->gss_authentication=-1;
|
||||
@ -2286,7 +2290,7 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->challenge_response_authentication = -1;
|
||||
@@ -213,8 +216,14 @@ fill_default_server_options(ServerOption
|
||||
@@ -215,8 +218,14 @@ fill_default_server_options(ServerOption
|
||||
options->kerberos_get_afs_token = 0;
|
||||
if (options->gss_authentication == -1)
|
||||
options->gss_authentication = 0;
|
||||
@ -2301,7 +2305,7 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
@@ -308,7 +317,9 @@ typedef enum {
|
||||
@@ -310,7 +319,9 @@ typedef enum {
|
||||
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
|
||||
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
||||
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
|
||||
@ -2311,8 +2315,8 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c
|
||||
+ sAcceptEnv, sPermitTunnel,
|
||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
sZeroKnowledgePasswordAuthentication,
|
||||
@@ -371,9 +382,15 @@ static struct {
|
||||
sZeroKnowledgePasswordAuthentication, sHostCertificate,
|
||||
@@ -373,9 +384,15 @@ static struct {
|
||||
#ifdef GSSAPI
|
||||
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
||||
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
||||
@ -2328,7 +2332,7 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c
|
||||
#endif
|
||||
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
||||
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
||||
@@ -906,10 +923,22 @@ process_server_config_line(ServerOptions
|
||||
@@ -935,10 +952,22 @@ process_server_config_line(ServerOptions
|
||||
intptr = &options->gss_authentication;
|
||||
goto parse_flag;
|
||||
|
||||
@ -2351,10 +2355,10 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c
|
||||
case sPasswordAuthentication:
|
||||
intptr = &options->password_authentication;
|
||||
goto parse_flag;
|
||||
diff -up openssh-5.3p1/servconf.h.gsskex openssh-5.3p1/servconf.h
|
||||
--- openssh-5.3p1/servconf.h.gsskex 2009-11-20 14:39:03.000000000 +0100
|
||||
+++ openssh-5.3p1/servconf.h 2009-11-20 14:39:06.000000000 +0100
|
||||
@@ -91,7 +91,10 @@ typedef struct {
|
||||
diff -up openssh-5.4p1/servconf.h.gsskex openssh-5.4p1/servconf.h
|
||||
--- openssh-5.4p1/servconf.h.gsskex 2010-03-01 18:14:28.000000000 +0100
|
||||
+++ openssh-5.4p1/servconf.h 2010-03-01 18:14:29.000000000 +0100
|
||||
@@ -94,7 +94,10 @@ typedef struct {
|
||||
int kerberos_get_afs_token; /* If true, try to get AFS token if
|
||||
* authenticated with Kerberos. */
|
||||
int gss_authentication; /* If true, permit GSSAPI authentication */
|
||||
@ -2365,9 +2369,9 @@ diff -up openssh-5.3p1/servconf.h.gsskex openssh-5.3p1/servconf.h
|
||||
int password_authentication; /* If true, permit password
|
||||
* authentication. */
|
||||
int kbd_interactive_authentication; /* If true, permit */
|
||||
diff -up openssh-5.3p1/ssh_config.5.gsskex openssh-5.3p1/ssh_config.5
|
||||
--- openssh-5.3p1/ssh_config.5.gsskex 2009-02-23 00:53:58.000000000 +0100
|
||||
+++ openssh-5.3p1/ssh_config.5 2009-11-20 14:39:06.000000000 +0100
|
||||
diff -up openssh-5.4p1/ssh_config.5.gsskex openssh-5.4p1/ssh_config.5
|
||||
--- openssh-5.4p1/ssh_config.5.gsskex 2010-02-11 23:26:02.000000000 +0100
|
||||
+++ openssh-5.4p1/ssh_config.5 2010-03-01 18:14:29.000000000 +0100
|
||||
@@ -478,11 +478,38 @@ Specifies whether user authentication ba
|
||||
The default is
|
||||
.Dq no .
|
||||
@ -2408,9 +2412,9 @@ diff -up openssh-5.3p1/ssh_config.5.gsskex openssh-5.3p1/ssh_config.5
|
||||
.It Cm HashKnownHosts
|
||||
Indicates that
|
||||
.Xr ssh 1
|
||||
diff -up openssh-5.3p1/ssh_config.gsskex openssh-5.3p1/ssh_config
|
||||
--- openssh-5.3p1/ssh_config.gsskex 2009-11-20 14:38:53.000000000 +0100
|
||||
+++ openssh-5.3p1/ssh_config 2009-11-20 14:39:06.000000000 +0100
|
||||
diff -up openssh-5.4p1/ssh_config.gsskex openssh-5.4p1/ssh_config
|
||||
--- openssh-5.4p1/ssh_config.gsskex 2010-03-01 18:14:24.000000000 +0100
|
||||
+++ openssh-5.4p1/ssh_config 2010-03-01 18:14:29.000000000 +0100
|
||||
@@ -26,6 +26,8 @@
|
||||
# HostbasedAuthentication no
|
||||
# GSSAPIAuthentication no
|
||||
@ -2420,9 +2424,9 @@ diff -up openssh-5.3p1/ssh_config.gsskex openssh-5.3p1/ssh_config
|
||||
# BatchMode no
|
||||
# CheckHostIP yes
|
||||
# AddressFamily any
|
||||
diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
|
||||
--- openssh-5.3p1/sshconnect2.c.gsskex 2009-11-20 14:39:01.000000000 +0100
|
||||
+++ openssh-5.3p1/sshconnect2.c 2009-11-20 15:05:03.000000000 +0100
|
||||
diff -up openssh-5.4p1/sshconnect2.c.gsskex openssh-5.4p1/sshconnect2.c
|
||||
--- openssh-5.4p1/sshconnect2.c.gsskex 2010-03-01 18:14:27.000000000 +0100
|
||||
+++ openssh-5.4p1/sshconnect2.c 2010-03-01 18:14:29.000000000 +0100
|
||||
@@ -108,9 +108,34 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
{
|
||||
Kex *kex;
|
||||
@ -2503,7 +2507,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
|
||||
xxx_kex = kex;
|
||||
|
||||
dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
|
||||
@@ -247,6 +299,7 @@ void input_gssapi_token(int type, u_int3
|
||||
@@ -253,6 +305,7 @@ void input_gssapi_token(int type, u_int3
|
||||
void input_gssapi_hash(int type, u_int32_t, void *);
|
||||
void input_gssapi_error(int, u_int32_t, void *);
|
||||
void input_gssapi_errtok(int, u_int32_t, void *);
|
||||
@ -2511,7 +2515,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
|
||||
#endif
|
||||
|
||||
void userauth(Authctxt *, char *);
|
||||
@@ -262,6 +315,10 @@ static char *authmethods_get(void);
|
||||
@@ -268,6 +321,10 @@ static char *authmethods_get(void);
|
||||
|
||||
Authmethod authmethods[] = {
|
||||
#ifdef GSSAPI
|
||||
@ -2522,7 +2526,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
|
||||
{"gssapi-with-mic",
|
||||
userauth_gssapi,
|
||||
NULL,
|
||||
@@ -555,23 +612,35 @@ userauth_gssapi(Authctxt *authctxt)
|
||||
@@ -576,23 +633,35 @@ userauth_gssapi(Authctxt *authctxt)
|
||||
int ok = 0;
|
||||
char* remotehost = NULL;
|
||||
const char* canonicalhost = get_canonical_hostname(1);
|
||||
@ -2560,7 +2564,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
|
||||
ok = 1; /* Mechanism works */
|
||||
} else {
|
||||
mech++;
|
||||
@@ -668,8 +737,8 @@ input_gssapi_response(int type, u_int32_
|
||||
@@ -689,8 +758,8 @@ input_gssapi_response(int type, u_int32_
|
||||
{
|
||||
Authctxt *authctxt = ctxt;
|
||||
Gssctxt *gssctxt;
|
||||
@ -2571,7 +2575,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
|
||||
|
||||
if (authctxt == NULL)
|
||||
fatal("input_gssapi_response: no authentication context");
|
||||
@@ -779,6 +848,48 @@ input_gssapi_error(int type, u_int32_t p
|
||||
@@ -800,6 +869,48 @@ input_gssapi_error(int type, u_int32_t p
|
||||
xfree(msg);
|
||||
xfree(lang);
|
||||
}
|
||||
@ -2620,9 +2624,9 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
|
||||
#endif /* GSSAPI */
|
||||
|
||||
int
|
||||
diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c
|
||||
--- openssh-5.3p1/sshd.c.gsskex 2009-11-20 14:39:01.000000000 +0100
|
||||
+++ openssh-5.3p1/sshd.c 2009-11-20 14:53:31.000000000 +0100
|
||||
diff -up openssh-5.4p1/sshd.c.gsskex openssh-5.4p1/sshd.c
|
||||
--- openssh-5.4p1/sshd.c.gsskex 2010-03-01 18:14:27.000000000 +0100
|
||||
+++ openssh-5.4p1/sshd.c 2010-03-01 18:14:29.000000000 +0100
|
||||
@@ -129,6 +129,10 @@ int allow_severity;
|
||||
int deny_severity;
|
||||
#endif /* LIBWRAP */
|
||||
@ -2634,7 +2638,7 @@ diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c
|
||||
#ifndef O_NOCTTY
|
||||
#define O_NOCTTY 0
|
||||
#endif
|
||||
@@ -1546,10 +1550,13 @@ main(int ac, char **av)
|
||||
@@ -1592,10 +1596,13 @@ main(int ac, char **av)
|
||||
logit("Disabling protocol version 1. Could not load host key");
|
||||
options.protocol &= ~SSH_PROTO_1;
|
||||
}
|
||||
@ -2648,7 +2652,7 @@ diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c
|
||||
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
|
||||
logit("sshd: no hostkeys available -- exiting.");
|
||||
exit(1);
|
||||
@@ -1837,6 +1844,60 @@ main(int ac, char **av)
|
||||
@@ -1928,6 +1935,60 @@ main(int ac, char **av)
|
||||
/* Log the connection. */
|
||||
verbose("Connection from %.500s port %d", remote_ip, remote_port);
|
||||
|
||||
@ -2709,7 +2713,7 @@ diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c
|
||||
/*
|
||||
* We don't want to listen forever unless the other side
|
||||
* successfully authenticates itself. So we set up an alarm which is
|
||||
@@ -2223,12 +2284,61 @@ do_ssh2_kex(void)
|
||||
@@ -2314,12 +2375,61 @@ do_ssh2_kex(void)
|
||||
|
||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
|
||||
|
||||
@ -2771,9 +2775,9 @@ diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c
|
||||
kex->server = 1;
|
||||
kex->client_version_string=client_version_string;
|
||||
kex->server_version_string=server_version_string;
|
||||
diff -up openssh-5.3p1/sshd_config.5.gsskex openssh-5.3p1/sshd_config.5
|
||||
--- openssh-5.3p1/sshd_config.5.gsskex 2009-11-20 14:39:03.000000000 +0100
|
||||
+++ openssh-5.3p1/sshd_config.5 2009-11-20 14:39:06.000000000 +0100
|
||||
diff -up openssh-5.4p1/sshd_config.5.gsskex openssh-5.4p1/sshd_config.5
|
||||
--- openssh-5.4p1/sshd_config.5.gsskex 2010-03-01 18:14:28.000000000 +0100
|
||||
+++ openssh-5.4p1/sshd_config.5 2010-03-01 18:14:29.000000000 +0100
|
||||
@@ -379,12 +379,40 @@ Specifies whether user authentication ba
|
||||
The default is
|
||||
.Dq no .
|
||||
@ -2815,10 +2819,10 @@ diff -up openssh-5.3p1/sshd_config.5.gsskex openssh-5.3p1/sshd_config.5
|
||||
.It Cm HostbasedAuthentication
|
||||
Specifies whether rhosts or /etc/hosts.equiv authentication together
|
||||
with successful public key client host authentication is allowed
|
||||
diff -up openssh-5.3p1/sshd_config.gsskex openssh-5.3p1/sshd_config
|
||||
--- openssh-5.3p1/sshd_config.gsskex 2009-11-20 14:39:04.000000000 +0100
|
||||
+++ openssh-5.3p1/sshd_config 2009-11-20 14:54:30.000000000 +0100
|
||||
@@ -80,6 +80,8 @@ ChallengeResponseAuthentication no
|
||||
diff -up openssh-5.4p1/sshd_config.gsskex openssh-5.4p1/sshd_config
|
||||
--- openssh-5.4p1/sshd_config.gsskex 2010-03-01 18:14:28.000000000 +0100
|
||||
+++ openssh-5.4p1/sshd_config 2010-03-01 18:14:29.000000000 +0100
|
||||
@@ -78,6 +78,8 @@ ChallengeResponseAuthentication no
|
||||
GSSAPIAuthentication yes
|
||||
#GSSAPICleanupCredentials yes
|
||||
GSSAPICleanupCredentials yes
|
||||
@ -2827,9 +2831,9 @@ diff -up openssh-5.3p1/sshd_config.gsskex openssh-5.3p1/sshd_config
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
diff -up openssh-5.3p1/ssh-gss.h.gsskex openssh-5.3p1/ssh-gss.h
|
||||
--- openssh-5.3p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200
|
||||
+++ openssh-5.3p1/ssh-gss.h 2009-11-20 14:39:06.000000000 +0100
|
||||
diff -up openssh-5.4p1/ssh-gss.h.gsskex openssh-5.4p1/ssh-gss.h
|
||||
--- openssh-5.4p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200
|
||||
+++ openssh-5.4p1/ssh-gss.h 2010-03-01 18:14:30.000000000 +0100
|
||||
@@ -1,6 +1,6 @@
|
||||
/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
|
||||
/*
|
@ -1,7 +1,7 @@
|
||||
diff -up openssh-5.3p1/configure.ac.mls openssh-5.3p1/configure.ac
|
||||
--- openssh-5.3p1/configure.ac.mls 2009-10-02 14:04:31.000000000 +0200
|
||||
+++ openssh-5.3p1/configure.ac 2009-10-02 14:04:31.000000000 +0200
|
||||
@@ -3404,6 +3404,7 @@ AC_ARG_WITH(selinux,
|
||||
diff -up openssh-5.4p1/configure.ac.mls openssh-5.4p1/configure.ac
|
||||
--- openssh-5.4p1/configure.ac.mls 2010-03-01 15:24:27.000000000 +0100
|
||||
+++ openssh-5.4p1/configure.ac 2010-03-01 15:24:28.000000000 +0100
|
||||
@@ -3360,6 +3360,7 @@ AC_ARG_WITH(selinux,
|
||||
SSHDLIBS="$SSHDLIBS $LIBSELINUX"
|
||||
LIBS="$LIBS $LIBSELINUX"
|
||||
AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
|
||||
@ -9,9 +9,9 @@ diff -up openssh-5.3p1/configure.ac.mls openssh-5.3p1/configure.ac
|
||||
LIBS="$save_LIBS"
|
||||
fi ]
|
||||
)
|
||||
diff -up openssh-5.3p1/misc.c.mls openssh-5.3p1/misc.c
|
||||
--- openssh-5.3p1/misc.c.mls 2009-02-21 22:47:02.000000000 +0100
|
||||
+++ openssh-5.3p1/misc.c 2009-10-02 14:04:31.000000000 +0200
|
||||
diff -up openssh-5.4p1/misc.c.mls openssh-5.4p1/misc.c
|
||||
--- openssh-5.4p1/misc.c.mls 2010-01-10 00:31:12.000000000 +0100
|
||||
+++ openssh-5.4p1/misc.c 2010-03-01 15:24:28.000000000 +0100
|
||||
@@ -423,6 +423,7 @@ char *
|
||||
colon(char *cp)
|
||||
{
|
||||
@ -36,15 +36,16 @@ diff -up openssh-5.3p1/misc.c.mls openssh-5.3p1/misc.c
|
||||
}
|
||||
return (0);
|
||||
}
|
||||
diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-compat/port-linux.c
|
||||
--- openssh-5.3p1/openbsd-compat/port-linux.c.mls 2009-10-02 14:04:31.000000000 +0200
|
||||
+++ openssh-5.3p1/openbsd-compat/port-linux.c 2009-10-02 14:04:31.000000000 +0200
|
||||
@@ -33,12 +33,23 @@
|
||||
diff -up openssh-5.4p1/openbsd-compat/port-linux.c.mls openssh-5.4p1/openbsd-compat/port-linux.c
|
||||
--- openssh-5.4p1/openbsd-compat/port-linux.c.mls 2010-03-01 15:24:27.000000000 +0100
|
||||
+++ openssh-5.4p1/openbsd-compat/port-linux.c 2010-03-01 15:25:50.000000000 +0100
|
||||
@@ -35,13 +35,24 @@
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
+#include "xmalloc.h"
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
#include <selinux/selinux.h>
|
||||
#include <selinux/flask.h>
|
||||
+#include <selinux/context.h>
|
||||
@ -63,7 +64,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com
|
||||
|
||||
/* Wrapper around is_selinux_enabled() to log its return value once only */
|
||||
int
|
||||
@@ -54,17 +65,173 @@ ssh_selinux_enabled(void)
|
||||
@@ -57,17 +68,173 @@ ssh_selinux_enabled(void)
|
||||
return (enabled);
|
||||
}
|
||||
|
||||
@ -243,7 +244,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com
|
||||
#ifdef HAVE_GETSEUSERBYNAME
|
||||
if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
|
||||
sename = NULL;
|
||||
@@ -72,38 +239,63 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
@@ -75,38 +242,63 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
}
|
||||
#else
|
||||
sename = pwname;
|
||||
@ -329,7 +330,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com
|
||||
|
||||
#ifdef HAVE_GETSEUSERBYNAME
|
||||
if (sename != NULL)
|
||||
@@ -111,14 +303,20 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
@@ -114,14 +306,20 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
if (lvl != NULL)
|
||||
xfree(lvl);
|
||||
#endif
|
||||
@ -351,7 +352,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com
|
||||
security_context_t user_ctx = NULL;
|
||||
|
||||
if (!ssh_selinux_enabled())
|
||||
@@ -126,22 +324,45 @@ ssh_selinux_setup_exec_context(char *pwn
|
||||
@@ -129,22 +327,45 @@ ssh_selinux_setup_exec_context(char *pwn
|
||||
|
||||
debug3("%s: setting execution context", __func__);
|
||||
|
||||
@ -404,7 +405,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com
|
||||
|
||||
debug3("%s: done", __func__);
|
||||
}
|
||||
@@ -159,7 +380,10 @@ ssh_selinux_setup_pty(char *pwname, cons
|
||||
@@ -162,7 +383,10 @@ ssh_selinux_setup_pty(char *pwname, cons
|
||||
|
||||
debug3("%s: setting TTY context on %s", __func__, tty);
|
||||
|
||||
@ -416,10 +417,10 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com
|
||||
|
||||
/* XXX: should these calls fatal() upon failure in enforcing mode? */
|
||||
|
||||
diff -up openssh-5.3p1/session.c.mls openssh-5.3p1/session.c
|
||||
--- openssh-5.3p1/session.c.mls 2009-08-20 08:20:50.000000000 +0200
|
||||
+++ openssh-5.3p1/session.c 2009-10-02 14:06:12.000000000 +0200
|
||||
@@ -1550,10 +1550,6 @@ do_setusercontext(struct passwd *pw)
|
||||
diff -up openssh-5.4p1/session.c.mls openssh-5.4p1/session.c
|
||||
--- openssh-5.4p1/session.c.mls 2010-01-12 09:51:48.000000000 +0100
|
||||
+++ openssh-5.4p1/session.c 2010-03-01 15:24:28.000000000 +0100
|
||||
@@ -1559,10 +1559,6 @@ do_setusercontext(struct passwd *pw)
|
||||
|
||||
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
|
||||
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
|
||||
@ -430,10 +431,10 @@ diff -up openssh-5.3p1/session.c.mls openssh-5.3p1/session.c
|
||||
}
|
||||
|
||||
static void
|
||||
diff -up openssh-5.3p1/sshd.c.mls openssh-5.3p1/sshd.c
|
||||
--- openssh-5.3p1/sshd.c.mls 2009-10-02 14:04:31.000000000 +0200
|
||||
+++ openssh-5.3p1/sshd.c 2009-10-02 14:04:31.000000000 +0200
|
||||
@@ -1896,6 +1896,9 @@ main(int ac, char **av)
|
||||
diff -up openssh-5.4p1/sshd.c.mls openssh-5.4p1/sshd.c
|
||||
--- openssh-5.4p1/sshd.c.mls 2010-03-01 15:24:27.000000000 +0100
|
||||
+++ openssh-5.4p1/sshd.c 2010-03-01 15:24:28.000000000 +0100
|
||||
@@ -1987,6 +1987,9 @@ main(int ac, char **av)
|
||||
restore_uid();
|
||||
}
|
||||
#endif
|
Binary file not shown.
@ -186,7 +186,7 @@ diff -up openssh-5.3p1/key.c.nss-keys openssh-5.3p1/key.c
|
||||
diff -up openssh-5.3p1/key.h.nss-keys openssh-5.3p1/key.h
|
||||
--- openssh-5.3p1/key.h.nss-keys 2008-06-12 20:40:35.000000000 +0200
|
||||
+++ openssh-5.3p1/key.h 2009-11-27 13:43:01.000000000 +0100
|
||||
@@ -29,11 +29,17 @@
|
||||
@@ -30,6 +30,11 @@
|
||||
#include <openssl/rsa.h>
|
||||
#include <openssl/dsa.h>
|
||||
|
||||
@ -198,13 +198,15 @@ diff -up openssh-5.3p1/key.h.nss-keys openssh-5.3p1/key.h
|
||||
typedef struct Key Key;
|
||||
enum types {
|
||||
KEY_RSA1,
|
||||
KEY_RSA,
|
||||
@@ -37,6 +42,7 @@
|
||||
KEY_DSA,
|
||||
KEY_RSA_CERT,
|
||||
KEY_DSA_CERT,
|
||||
+ KEY_NSS,
|
||||
KEY_UNSPEC
|
||||
};
|
||||
enum fp_type {
|
||||
@@ -48,16 +54,30 @@ enum fp_rep {
|
||||
@@ -51,6 +57,15 @@
|
||||
|
||||
/* key is stored in external hardware */
|
||||
#define KEY_FLAG_EXT 0x0001
|
||||
@ -218,23 +220,25 @@ diff -up openssh-5.3p1/key.h.nss-keys openssh-5.3p1/key.h
|
||||
+};
|
||||
+#endif
|
||||
|
||||
struct Key {
|
||||
int type;
|
||||
int flags;
|
||||
#define CERT_MAX_PRINCIPALS 256
|
||||
struct KeyCert {
|
||||
@@ -70,11 +85,16 @@
|
||||
RSA *rsa;
|
||||
DSA *dsa;
|
||||
struct KeyCert *cert;
|
||||
+#ifdef HAVE_LIBNSS
|
||||
+ NSSKey *nss;
|
||||
+#endif
|
||||
};
|
||||
|
||||
Key *key_new(int);
|
||||
void key_add_private(Key *);
|
||||
Key *key_new_private(int);
|
||||
+Key *key_new_nss(int);
|
||||
+Key *key_new_nss_copy(int, const Key *);
|
||||
void key_free(Key *);
|
||||
Key *key_demote(const Key *);
|
||||
int key_equal(const Key *, const Key *);
|
||||
int key_equal_public(const Key *, const Key *);
|
||||
diff -up openssh-5.3p1/Makefile.in.nss-keys openssh-5.3p1/Makefile.in
|
||||
--- openssh-5.3p1/Makefile.in.nss-keys 2009-08-28 02:47:38.000000000 +0200
|
||||
+++ openssh-5.3p1/Makefile.in 2009-11-27 13:43:01.000000000 +0100
|
@ -1,18 +1,6 @@
|
||||
diff -up openssh-5.0p1/auth-pam.h.pam_selinux openssh-5.0p1/auth-pam.h
|
||||
--- openssh-5.0p1/auth-pam.h.pam_selinux 2004-09-11 14:17:26.000000000 +0200
|
||||
+++ openssh-5.0p1/auth-pam.h 2008-04-30 14:25:28.000000000 +0200
|
||||
@@ -38,7 +38,7 @@ void do_pam_session(void);
|
||||
void do_pam_set_tty(const char *);
|
||||
void do_pam_setcred(int );
|
||||
void do_pam_chauthtok(void);
|
||||
-int do_pam_putenv(char *, char *);
|
||||
+int do_pam_putenv(char *, const char *);
|
||||
char ** fetch_pam_environment(void);
|
||||
char ** fetch_pam_child_environment(void);
|
||||
void free_pam_environment(char **);
|
||||
diff -up openssh-5.0p1/auth-pam.c.pam_selinux openssh-5.0p1/auth-pam.c
|
||||
--- openssh-5.0p1/auth-pam.c.pam_selinux 2008-03-11 12:58:25.000000000 +0100
|
||||
+++ openssh-5.0p1/auth-pam.c 2008-04-30 14:25:21.000000000 +0200
|
||||
diff -up openssh-5.4p1/auth-pam.c.pam_selinux openssh-5.4p1/auth-pam.c
|
||||
--- openssh-5.4p1/auth-pam.c.pam_selinux 2009-07-12 14:07:21.000000000 +0200
|
||||
+++ openssh-5.4p1/auth-pam.c 2010-03-01 15:27:23.000000000 +0100
|
||||
@@ -1069,7 +1069,7 @@ is_pam_session_open(void)
|
||||
* during the ssh authentication process.
|
||||
*/
|
||||
@ -22,18 +10,30 @@ diff -up openssh-5.0p1/auth-pam.c.pam_selinux openssh-5.0p1/auth-pam.c
|
||||
{
|
||||
int ret = 1;
|
||||
#ifdef HAVE_PAM_PUTENV
|
||||
diff -up openssh-5.0p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.0p1/openbsd-compat/port-linux.c
|
||||
--- openssh-5.0p1/openbsd-compat/port-linux.c.pam_selinux 2008-04-07 22:01:37.000000000 +0200
|
||||
+++ openssh-5.0p1/openbsd-compat/port-linux.c 2008-04-30 14:26:17.000000000 +0200
|
||||
@@ -34,6 +34,7 @@
|
||||
diff -up openssh-5.4p1/auth-pam.h.pam_selinux openssh-5.4p1/auth-pam.h
|
||||
--- openssh-5.4p1/auth-pam.h.pam_selinux 2004-09-11 14:17:26.000000000 +0200
|
||||
+++ openssh-5.4p1/auth-pam.h 2010-03-01 15:27:23.000000000 +0100
|
||||
@@ -38,7 +38,7 @@ void do_pam_session(void);
|
||||
void do_pam_set_tty(const char *);
|
||||
void do_pam_setcred(int );
|
||||
void do_pam_chauthtok(void);
|
||||
-int do_pam_putenv(char *, char *);
|
||||
+int do_pam_putenv(char *, const char *);
|
||||
char ** fetch_pam_environment(void);
|
||||
char ** fetch_pam_child_environment(void);
|
||||
void free_pam_environment(char **);
|
||||
diff -up openssh-5.4p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.4p1/openbsd-compat/port-linux.c
|
||||
--- openssh-5.4p1/openbsd-compat/port-linux.c.pam_selinux 2010-03-01 15:27:22.000000000 +0100
|
||||
+++ openssh-5.4p1/openbsd-compat/port-linux.c 2010-03-01 15:27:53.000000000 +0100
|
||||
@@ -36,6 +36,7 @@
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#include "xmalloc.h"
|
||||
+#include "servconf.h"
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
#include <selinux/selinux.h>
|
||||
#include <selinux/flask.h>
|
||||
@@ -47,6 +48,7 @@
|
||||
@@ -50,6 +51,7 @@
|
||||
#include <unistd.h>
|
||||
#endif
|
||||
|
||||
@ -41,7 +41,7 @@ diff -up openssh-5.0p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.0p1/ope
|
||||
extern Authctxt *the_authctxt;
|
||||
extern int inetd_flag;
|
||||
extern int rexeced_flag;
|
||||
@@ -208,29 +210,38 @@ get_user_context(const char *sename, con
|
||||
@@ -211,29 +213,38 @@ get_user_context(const char *sename, con
|
||||
return -1;
|
||||
}
|
||||
|
||||
@ -92,7 +92,7 @@ diff -up openssh-5.0p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.0p1/ope
|
||||
|
||||
#ifdef HAVE_GETSEUSERBYNAME
|
||||
if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
|
||||
@@ -311,6 +322,36 @@ ssh_selinux_getctxbyname(char *pwname,
|
||||
@@ -314,6 +325,36 @@ ssh_selinux_getctxbyname(char *pwname,
|
||||
return (r);
|
||||
}
|
||||
|
||||
@ -129,7 +129,7 @@ diff -up openssh-5.0p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.0p1/ope
|
||||
/* Set the execution context to the default for the specified user */
|
||||
void
|
||||
ssh_selinux_setup_exec_context(char *pwname)
|
||||
@@ -322,6 +363,24 @@ ssh_selinux_setup_exec_context(char *pwn
|
||||
@@ -325,6 +366,24 @@ ssh_selinux_setup_exec_context(char *pwn
|
||||
if (!ssh_selinux_enabled())
|
||||
return;
|
||||
|
@ -1,7 +1,7 @@
|
||||
diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c
|
||||
--- openssh-5.3p1/auth2-pubkey.c.pka 2009-03-08 01:40:28.000000000 +0100
|
||||
+++ openssh-5.3p1/auth2-pubkey.c 2010-01-04 16:07:53.000000000 +0100
|
||||
@@ -175,26 +175,14 @@ done:
|
||||
diff -up openssh-5.4p1/auth2-pubkey.c.pka openssh-5.4p1/auth2-pubkey.c
|
||||
--- openssh-5.4p1/auth2-pubkey.c.pka 2010-03-01 18:10:48.000000000 +0100
|
||||
+++ openssh-5.4p1/auth2-pubkey.c 2010-03-01 18:10:50.000000000 +0100
|
||||
@@ -186,27 +186,15 @@ done:
|
||||
|
||||
/* return 1 if user allows given key */
|
||||
static int
|
||||
@ -9,6 +9,7 @@ diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c
|
||||
+user_search_key_in_file(FILE *f, char *file, Key* key, struct passwd *pw)
|
||||
{
|
||||
char line[SSH_MAX_PUBKEY_BYTES];
|
||||
const char *reason;
|
||||
int found_key = 0;
|
||||
- FILE *f;
|
||||
u_long linenum = 0;
|
||||
@ -27,9 +28,9 @@ diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c
|
||||
- }
|
||||
-
|
||||
found_key = 0;
|
||||
found = key_new(key->type);
|
||||
found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
|
||||
|
||||
@@ -239,21 +227,160 @@ user_key_allowed2(struct passwd *pw, Key
|
||||
@@ -277,21 +265,160 @@ user_key_allowed2(struct passwd *pw, Key
|
||||
break;
|
||||
}
|
||||
}
|
||||
@ -193,63 +194,10 @@ diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c
|
||||
file = authorized_keys_file(pw);
|
||||
success = user_key_allowed2(pw, key, file);
|
||||
xfree(file);
|
||||
diff -up openssh-5.3p1/configure.pka openssh-5.3p1/configure
|
||||
--- openssh-5.3p1/configure.pka 2009-10-13 19:27:51.000000000 +0200
|
||||
+++ openssh-5.3p1/configure 2009-10-15 06:26:33.000000000 +0200
|
||||
@@ -769,6 +769,7 @@ with_skey
|
||||
with_tcp_wrappers
|
||||
with_libedit
|
||||
with_audit
|
||||
+with_pka
|
||||
with_ssl_dir
|
||||
with_openssl_header_check
|
||||
with_ssl_engine
|
||||
@@ -1473,6 +1474,7 @@ Optional Packages:
|
||||
--with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH)
|
||||
--with-libedit[=PATH] Enable libedit support for sftp
|
||||
--with-audit=module Enable EXPERIMENTAL audit support (modules=debug,bsm)
|
||||
+ --with-pka Enable pubkey agent support
|
||||
--with-ssl-dir=PATH Specify path to OpenSSL installation
|
||||
--without-openssl-header-check Disable OpenSSL version consistency check
|
||||
--with-ssl-engine Enable OpenSSL (hardware) ENGINE support
|
||||
@@ -13443,6 +13445,25 @@ $as_echo "$as_me: error: Unknown audit m
|
||||
fi
|
||||
|
||||
|
||||
+# Check whether user wants pubkey agent support
|
||||
+PKA_MSG="no"
|
||||
+
|
||||
+# Check whether --with-pka was given.
|
||||
+if test "${with_pka+set}" = set; then
|
||||
+ withval=$with_pka;
|
||||
+ if test "x$withval" != "xno" ; then
|
||||
+
|
||||
+cat >>confdefs.h <<\_ACEOF
|
||||
+#define WITH_PUBKEY_AGENT 1
|
||||
+_ACEOF
|
||||
+
|
||||
+ PKA_MSG="yes"
|
||||
+ fi
|
||||
+
|
||||
+
|
||||
+fi
|
||||
+
|
||||
+
|
||||
|
||||
|
||||
|
||||
@@ -32772,6 +32793,7 @@ echo " Linux audit support
|
||||
echo " Smartcard support: $SCARD_MSG"
|
||||
echo " S/KEY support: $SKEY_MSG"
|
||||
echo " TCP Wrappers support: $TCPW_MSG"
|
||||
+echo " PKA support: $PKA_MSG"
|
||||
echo " MD5 password support: $MD5_MSG"
|
||||
echo " libedit support: $LIBEDIT_MSG"
|
||||
echo " Solaris process contract support: $SPC_MSG"
|
||||
diff -up openssh-5.3p1/configure.ac.pka openssh-5.3p1/configure.ac
|
||||
--- openssh-5.3p1/configure.ac.pka 2009-09-11 06:56:08.000000000 +0200
|
||||
+++ openssh-5.3p1/configure.ac 2010-01-04 16:07:53.000000000 +0100
|
||||
@@ -1319,6 +1319,18 @@ AC_ARG_WITH(audit,
|
||||
diff -up openssh-5.4p1/configure.ac.pka openssh-5.4p1/configure.ac
|
||||
--- openssh-5.4p1/configure.ac.pka 2010-03-01 18:10:47.000000000 +0100
|
||||
+++ openssh-5.4p1/configure.ac 2010-03-01 18:10:50.000000000 +0100
|
||||
@@ -1323,6 +1323,18 @@ AC_ARG_WITH(audit,
|
||||
esac ]
|
||||
)
|
||||
|
||||
@ -268,7 +216,7 @@ diff -up openssh-5.3p1/configure.ac.pka openssh-5.3p1/configure.ac
|
||||
dnl Checks for library functions. Please keep in alphabetical order
|
||||
AC_CHECK_FUNCS( \
|
||||
arc4random \
|
||||
@@ -4229,6 +4241,7 @@ echo " SELinux support
|
||||
@@ -4206,6 +4218,7 @@ echo " Linux audit support
|
||||
echo " Smartcard support: $SCARD_MSG"
|
||||
echo " S/KEY support: $SKEY_MSG"
|
||||
echo " TCP Wrappers support: $TCPW_MSG"
|
||||
@ -276,10 +224,10 @@ diff -up openssh-5.3p1/configure.ac.pka openssh-5.3p1/configure.ac
|
||||
echo " MD5 password support: $MD5_MSG"
|
||||
echo " libedit support: $LIBEDIT_MSG"
|
||||
echo " Solaris process contract support: $SPC_MSG"
|
||||
diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c
|
||||
--- openssh-5.3p1/servconf.c.pka 2009-06-21 12:26:17.000000000 +0200
|
||||
+++ openssh-5.3p1/servconf.c 2010-01-04 16:07:53.000000000 +0100
|
||||
@@ -127,6 +127,8 @@ initialize_server_options(ServerOptions
|
||||
diff -up openssh-5.4p1/servconf.c.pka openssh-5.4p1/servconf.c
|
||||
--- openssh-5.4p1/servconf.c.pka 2010-03-01 18:10:46.000000000 +0100
|
||||
+++ openssh-5.4p1/servconf.c 2010-03-01 18:13:23.000000000 +0100
|
||||
@@ -129,6 +129,8 @@ initialize_server_options(ServerOptions
|
||||
options->num_permitted_opens = -1;
|
||||
options->adm_forced_command = NULL;
|
||||
options->chroot_directory = NULL;
|
||||
@ -288,18 +236,18 @@ diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c
|
||||
options->zero_knowledge_password_authentication = -1;
|
||||
}
|
||||
|
||||
@@ -306,6 +308,7 @@ typedef enum {
|
||||
@@ -312,6 +314,7 @@ typedef enum {
|
||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
sZeroKnowledgePasswordAuthentication,
|
||||
sZeroKnowledgePasswordAuthentication, sHostCertificate,
|
||||
+ sPubkeyAgent, sPubkeyAgentRunAs,
|
||||
sDeprecated, sUnsupported
|
||||
} ServerOpCodes;
|
||||
|
||||
@@ -424,6 +427,13 @@ static struct {
|
||||
{ "permitopen", sPermitOpen, SSHCFG_ALL },
|
||||
@@ -432,6 +435,13 @@ static struct {
|
||||
{ "forcecommand", sForceCommand, SSHCFG_ALL },
|
||||
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
|
||||
{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
|
||||
+#ifdef WITH_PUBKEY_AGENT
|
||||
+ { "pubkeyagent", sPubkeyAgent, SSHCFG_ALL },
|
||||
+ { "pubkeyagentrunas", sPubkeyAgentRunAs, SSHCFG_ALL },
|
||||
@ -310,7 +258,7 @@ diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c
|
||||
{ NULL, sBadOption, 0 }
|
||||
};
|
||||
|
||||
@@ -1294,6 +1304,20 @@ process_server_config_line(ServerOptions
|
||||
@@ -1332,6 +1342,20 @@ process_server_config_line(ServerOptions
|
||||
*charptr = xstrdup(arg);
|
||||
break;
|
||||
|
||||
@ -331,7 +279,7 @@ diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c
|
||||
case sDeprecated:
|
||||
logit("%s line %d: Deprecated option %s",
|
||||
filename, linenum, arg);
|
||||
@@ -1387,6 +1411,8 @@ copy_set_server_options(ServerOptions *d
|
||||
@@ -1425,6 +1449,8 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(gss_authentication);
|
||||
M_CP_INTOPT(rsa_authentication);
|
||||
M_CP_INTOPT(pubkey_authentication);
|
||||
@ -340,10 +288,10 @@ diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c
|
||||
M_CP_INTOPT(kerberos_authentication);
|
||||
M_CP_INTOPT(hostbased_authentication);
|
||||
M_CP_INTOPT(kbd_interactive_authentication);
|
||||
@@ -1626,6 +1652,10 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
|
||||
@@ -1666,6 +1692,10 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
|
||||
dump_cfg_string(sForceCommand, o->adm_forced_command);
|
||||
dump_cfg_string(sChrootDirectory, o->chroot_directory);
|
||||
+#ifdef WITH_PUBKEY_AGENT
|
||||
+ dump_cfg_string(sPubkeyAgent, o->pubkey_agent);
|
||||
+ dump_cfg_string(sPubkeyAgentRunAs, o->pubkey_agent_runas);
|
||||
@ -351,10 +299,10 @@ diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c
|
||||
|
||||
/* string arguments requiring a lookup */
|
||||
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
|
||||
diff -up openssh-5.3p1/servconf.h.pka openssh-5.3p1/servconf.h
|
||||
--- openssh-5.3p1/servconf.h.pka 2009-01-28 06:31:23.000000000 +0100
|
||||
+++ openssh-5.3p1/servconf.h 2010-01-04 16:07:53.000000000 +0100
|
||||
@@ -151,6 +151,8 @@ typedef struct {
|
||||
diff -up openssh-5.4p1/servconf.h.pka openssh-5.4p1/servconf.h
|
||||
--- openssh-5.4p1/servconf.h.pka 2010-03-01 18:10:46.000000000 +0100
|
||||
+++ openssh-5.4p1/servconf.h 2010-03-01 18:10:50.000000000 +0100
|
||||
@@ -155,6 +155,8 @@ typedef struct {
|
||||
int num_permitted_opens;
|
||||
|
||||
char *chroot_directory;
|
||||
@ -363,26 +311,20 @@ diff -up openssh-5.3p1/servconf.h.pka openssh-5.3p1/servconf.h
|
||||
} ServerOptions;
|
||||
|
||||
void initialize_server_options(ServerOptions *);
|
||||
diff -up openssh-5.3p1/sshd_config.0.pka openssh-5.3p1/sshd_config.0
|
||||
--- openssh-5.3p1/sshd_config.0.pka 2009-09-26 08:31:16.000000000 +0200
|
||||
+++ openssh-5.3p1/sshd_config.0 2010-01-04 16:07:53.000000000 +0100
|
||||
@@ -344,10 +344,11 @@ DESCRIPTION
|
||||
AllowTcpForwarding, Banner, ChrootDirectory, ForceCommand,
|
||||
GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication,
|
||||
diff -up openssh-5.4p1/sshd_config.0.pka openssh-5.4p1/sshd_config.0
|
||||
--- openssh-5.4p1/sshd_config.0.pka 2010-03-01 18:10:46.000000000 +0100
|
||||
+++ openssh-5.4p1/sshd_config.0 2010-03-01 18:10:50.000000000 +0100
|
||||
@@ -352,7 +352,8 @@ DESCRIPTION
|
||||
KbdInteractiveAuthentication, KerberosAuthentication,
|
||||
- MaxAuthTries, MaxSessions, PasswordAuthentication,
|
||||
- PermitEmptyPasswords, PermitOpen, PermitRootLogin,
|
||||
- RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
|
||||
- X11Forwarding and X11UseLocalHost.
|
||||
+ MaxAuthTries, MaxSessions, PubkeyAuthentication, PubkeyAgent,
|
||||
+ PubkeyAgentRunAs, PasswordAuthentication, PermitEmptyPasswords,
|
||||
+ PermitOpen, PermitRootLogin, RhostsRSAAuthentication,
|
||||
+ RSAAuthentication, X11DisplayOffset, X11Forwarding and
|
||||
+ X11UseLocalHost.
|
||||
MaxAuthTries, MaxSessions, PasswordAuthentication,
|
||||
PermitEmptyPasswords, PermitOpen, PermitRootLogin,
|
||||
- PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication,
|
||||
+ PubkeyAuthentication, PubkeyAgent, PubkeyAgentRunAs,
|
||||
+ RhostsRSAAuthentication, RSAAuthentication,
|
||||
X11DisplayOffset, X11Forwarding and X11UseLocalHost.
|
||||
|
||||
MaxAuthTries
|
||||
Specifies the maximum number of authentication attempts permitted
|
||||
@@ -455,6 +456,17 @@ DESCRIPTION
|
||||
@@ -461,6 +462,17 @@ DESCRIPTION
|
||||
fault is ``yes''. Note that this option applies to protocol ver-
|
||||
sion 2 only.
|
||||
|
||||
@ -400,22 +342,10 @@ diff -up openssh-5.3p1/sshd_config.0.pka openssh-5.3p1/sshd_config.0
|
||||
RhostsRSAAuthentication
|
||||
Specifies whether rhosts or /etc/hosts.equiv authentication to-
|
||||
gether with successful RSA host authentication is allowed. The
|
||||
diff -up openssh-5.3p1/sshd_config.pka openssh-5.3p1/sshd_config
|
||||
--- openssh-5.3p1/sshd_config.pka 2008-07-02 14:35:43.000000000 +0200
|
||||
+++ openssh-5.3p1/sshd_config 2010-01-04 16:07:53.000000000 +0100
|
||||
@@ -46,6 +46,8 @@ Protocol 2
|
||||
#RSAAuthentication yes
|
||||
#PubkeyAuthentication yes
|
||||
#AuthorizedKeysFile .ssh/authorized_keys
|
||||
+#PubkeyAgent none
|
||||
+#PubkeyAgentRunAs nobody
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||
#RhostsRSAAuthentication no
|
||||
diff -up openssh-5.3p1/sshd_config.5.pka openssh-5.3p1/sshd_config.5
|
||||
--- openssh-5.3p1/sshd_config.5.pka 2009-08-28 02:27:08.000000000 +0200
|
||||
+++ openssh-5.3p1/sshd_config.5 2010-01-04 16:07:53.000000000 +0100
|
||||
@@ -610,6 +610,9 @@ Available keywords are
|
||||
diff -up openssh-5.4p1/sshd_config.5.pka openssh-5.4p1/sshd_config.5
|
||||
--- openssh-5.4p1/sshd_config.5.pka 2010-03-01 18:10:46.000000000 +0100
|
||||
+++ openssh-5.4p1/sshd_config.5 2010-03-01 18:10:50.000000000 +0100
|
||||
@@ -618,6 +618,9 @@ Available keywords are
|
||||
.Cm KerberosAuthentication ,
|
||||
.Cm MaxAuthTries ,
|
||||
.Cm MaxSessions ,
|
||||
@ -425,7 +355,7 @@ diff -up openssh-5.3p1/sshd_config.5.pka openssh-5.3p1/sshd_config.5
|
||||
.Cm PasswordAuthentication ,
|
||||
.Cm PermitEmptyPasswords ,
|
||||
.Cm PermitOpen ,
|
||||
@@ -805,6 +808,16 @@ Specifies whether public key authenticat
|
||||
@@ -814,6 +817,16 @@ Specifies whether public key authenticat
|
||||
The default is
|
||||
.Dq yes .
|
||||
Note that this option applies to protocol version 2 only.
|
||||
@ -442,3 +372,15 @@ diff -up openssh-5.3p1/sshd_config.5.pka openssh-5.3p1/sshd_config.5
|
||||
.It Cm RhostsRSAAuthentication
|
||||
Specifies whether rhosts or /etc/hosts.equiv authentication together
|
||||
with successful RSA host authentication is allowed.
|
||||
diff -up openssh-5.4p1/sshd_config.pka openssh-5.4p1/sshd_config
|
||||
--- openssh-5.4p1/sshd_config.pka 2010-03-01 18:10:46.000000000 +0100
|
||||
+++ openssh-5.4p1/sshd_config 2010-03-01 18:10:50.000000000 +0100
|
||||
@@ -45,6 +45,8 @@ SyslogFacility AUTHPRIV
|
||||
#RSAAuthentication yes
|
||||
#PubkeyAuthentication yes
|
||||
#AuthorizedKeysFile .ssh/authorized_keys
|
||||
+#PubkeyAgent none
|
||||
+#PubkeyAgentRunAs nobody
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||
#RhostsRSAAuthentication no
|
@ -1,10 +1,10 @@
|
||||
diff -up openssh-5.2p1/ssh_config.redhat openssh-5.2p1/ssh_config
|
||||
--- openssh-5.2p1/ssh_config.redhat 2009-02-21 02:45:02.000000000 +0100
|
||||
+++ openssh-5.2p1/ssh_config 2009-08-09 08:45:11.302092427 +0200
|
||||
@@ -44,3 +44,14 @@
|
||||
# TunnelDevice any:any
|
||||
diff -up openssh-5.4p1/ssh_config.redhat openssh-5.4p1/ssh_config
|
||||
--- openssh-5.4p1/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100
|
||||
+++ openssh-5.4p1/ssh_config 2010-03-01 15:15:51.000000000 +0100
|
||||
@@ -45,3 +45,14 @@
|
||||
# PermitLocalCommand no
|
||||
# VisualHostKey no
|
||||
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
||||
+Host *
|
||||
+ GSSAPIAuthentication yes
|
||||
+# If this option is set to yes then remote X11 clients will have full access
|
||||
@ -16,10 +16,10 @@ diff -up openssh-5.2p1/ssh_config.redhat openssh-5.2p1/ssh_config
|
||||
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||
+ SendEnv XMODIFIERS
|
||||
diff -up openssh-5.2p1/sshd_config.0.redhat openssh-5.2p1/sshd_config.0
|
||||
--- openssh-5.2p1/sshd_config.0.redhat 2009-02-23 01:18:15.000000000 +0100
|
||||
+++ openssh-5.2p1/sshd_config.0 2009-08-09 08:45:11.276555108 +0200
|
||||
@@ -491,9 +491,9 @@ DESCRIPTION
|
||||
diff -up openssh-5.4p1/sshd_config.0.redhat openssh-5.4p1/sshd_config.0
|
||||
--- openssh-5.4p1/sshd_config.0.redhat 2010-03-01 14:30:04.000000000 +0100
|
||||
+++ openssh-5.4p1/sshd_config.0 2010-03-01 15:14:13.000000000 +0100
|
||||
@@ -501,9 +501,9 @@ DESCRIPTION
|
||||
|
||||
SyslogFacility
|
||||
Gives the facility code that is used when logging messages from
|
||||
@ -32,10 +32,10 @@ diff -up openssh-5.2p1/sshd_config.0.redhat openssh-5.2p1/sshd_config.0
|
||||
|
||||
TCPKeepAlive
|
||||
Specifies whether the system should send TCP keepalive messages
|
||||
diff -up openssh-5.2p1/sshd_config.5.redhat openssh-5.2p1/sshd_config.5
|
||||
--- openssh-5.2p1/sshd_config.5.redhat 2009-02-23 01:00:24.000000000 +0100
|
||||
+++ openssh-5.2p1/sshd_config.5 2009-08-09 08:45:11.278927203 +0200
|
||||
@@ -848,7 +848,7 @@ Note that this option applies to protoco
|
||||
diff -up openssh-5.4p1/sshd_config.5.redhat openssh-5.4p1/sshd_config.5
|
||||
--- openssh-5.4p1/sshd_config.5.redhat 2010-02-26 21:55:06.000000000 +0100
|
||||
+++ openssh-5.4p1/sshd_config.5 2010-03-01 15:14:14.000000000 +0100
|
||||
@@ -865,7 +865,7 @@ Note that this option applies to protoco
|
||||
.It Cm SyslogFacility
|
||||
Gives the facility code that is used when logging messages from
|
||||
.Xr sshd 8 .
|
||||
@ -44,10 +44,10 @@ diff -up openssh-5.2p1/sshd_config.5.redhat openssh-5.2p1/sshd_config.5
|
||||
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||
The default is AUTH.
|
||||
.It Cm TCPKeepAlive
|
||||
diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config
|
||||
--- openssh-5.2p1/sshd_config.redhat 2008-07-02 14:35:43.000000000 +0200
|
||||
+++ openssh-5.2p1/sshd_config 2009-08-09 08:47:40.850857227 +0200
|
||||
@@ -33,6 +33,7 @@ Protocol 2
|
||||
diff -up openssh-5.4p1/sshd_config.redhat openssh-5.4p1/sshd_config
|
||||
--- openssh-5.4p1/sshd_config.redhat 2009-10-11 12:51:09.000000000 +0200
|
||||
+++ openssh-5.4p1/sshd_config 2010-03-01 15:14:14.000000000 +0100
|
||||
@@ -31,6 +31,7 @@
|
||||
# Logging
|
||||
# obsoletes QuietMode and FascistLogging
|
||||
#SyslogFacility AUTH
|
||||
@ -55,7 +55,7 @@ diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config
|
||||
#LogLevel INFO
|
||||
|
||||
# Authentication:
|
||||
@@ -60,9 +61,11 @@ Protocol 2
|
||||
@@ -58,9 +59,11 @@
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
#PasswordAuthentication yes
|
||||
#PermitEmptyPasswords no
|
||||
@ -67,7 +67,7 @@ diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config
|
||||
|
||||
# Kerberos options
|
||||
#KerberosAuthentication no
|
||||
@@ -72,7 +75,9 @@ Protocol 2
|
||||
@@ -70,7 +73,9 @@
|
||||
|
||||
# GSSAPI options
|
||||
#GSSAPIAuthentication no
|
||||
@ -77,7 +77,7 @@ diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
@@ -84,11 +89,19 @@ Protocol 2
|
||||
@@ -82,11 +87,19 @@
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
#UsePAM no
|
@ -1,7 +1,7 @@
|
||||
diff -up openssh-5.2p1/auth1.c.selinux openssh-5.2p1/auth1.c
|
||||
--- openssh-5.2p1/auth1.c.selinux 2008-07-09 12:54:05.000000000 +0200
|
||||
+++ openssh-5.2p1/auth1.c 2009-08-11 22:43:07.918183730 +0200
|
||||
@@ -392,6 +392,9 @@ do_authentication(Authctxt *authctxt)
|
||||
diff -up openssh-5.4p1/auth1.c.selinux openssh-5.4p1/auth1.c
|
||||
--- openssh-5.4p1/auth1.c.selinux 2010-03-01 15:19:56.000000000 +0100
|
||||
+++ openssh-5.4p1/auth1.c 2010-03-01 15:19:57.000000000 +0100
|
||||
@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
|
||||
{
|
||||
u_int ulen;
|
||||
char *user, *style = NULL;
|
||||
@ -11,7 +11,7 @@ diff -up openssh-5.2p1/auth1.c.selinux openssh-5.2p1/auth1.c
|
||||
|
||||
/* Get the name of the user that we wish to log in as. */
|
||||
packet_read_expect(SSH_CMSG_USER);
|
||||
@@ -400,11 +403,25 @@ do_authentication(Authctxt *authctxt)
|
||||
@@ -392,11 +395,25 @@ do_authentication(Authctxt *authctxt)
|
||||
user = packet_get_string(&ulen);
|
||||
packet_check_eom();
|
||||
|
||||
@ -37,9 +37,9 @@ diff -up openssh-5.2p1/auth1.c.selinux openssh-5.2p1/auth1.c
|
||||
|
||||
/* Verify that the user is a valid user. */
|
||||
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
|
||||
diff -up openssh-5.2p1/auth2.c.selinux openssh-5.2p1/auth2.c
|
||||
--- openssh-5.2p1/auth2.c.selinux 2008-11-05 06:20:46.000000000 +0100
|
||||
+++ openssh-5.2p1/auth2.c 2009-08-11 22:43:07.919756192 +0200
|
||||
diff -up openssh-5.4p1/auth2.c.selinux openssh-5.4p1/auth2.c
|
||||
--- openssh-5.4p1/auth2.c.selinux 2009-06-22 08:11:07.000000000 +0200
|
||||
+++ openssh-5.4p1/auth2.c 2010-03-01 15:19:57.000000000 +0100
|
||||
@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32
|
||||
Authctxt *authctxt = ctxt;
|
||||
Authmethod *m = NULL;
|
||||
@ -79,9 +79,9 @@ diff -up openssh-5.2p1/auth2.c.selinux openssh-5.2p1/auth2.c
|
||||
userauth_banner();
|
||||
} else if (strcmp(user, authctxt->user) != 0 ||
|
||||
strcmp(service, authctxt->service) != 0) {
|
||||
diff -up openssh-5.2p1/auth2-gss.c.selinux openssh-5.2p1/auth2-gss.c
|
||||
--- openssh-5.2p1/auth2-gss.c.selinux 2007-12-02 12:59:45.000000000 +0100
|
||||
+++ openssh-5.2p1/auth2-gss.c 2009-08-11 22:43:07.921723295 +0200
|
||||
diff -up openssh-5.4p1/auth2-gss.c.selinux openssh-5.4p1/auth2-gss.c
|
||||
--- openssh-5.4p1/auth2-gss.c.selinux 2007-12-02 12:59:45.000000000 +0100
|
||||
+++ openssh-5.4p1/auth2-gss.c 2010-03-01 15:19:57.000000000 +0100
|
||||
@@ -258,6 +258,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
Authctxt *authctxt = ctxt;
|
||||
Gssctxt *gssctxt;
|
||||
@ -114,9 +114,9 @@ diff -up openssh-5.2p1/auth2-gss.c.selinux openssh-5.2p1/auth2-gss.c
|
||||
xfree(mic.value);
|
||||
|
||||
authctxt->postponed = 0;
|
||||
diff -up openssh-5.2p1/auth2-hostbased.c.selinux openssh-5.2p1/auth2-hostbased.c
|
||||
--- openssh-5.2p1/auth2-hostbased.c.selinux 2008-07-17 10:57:19.000000000 +0200
|
||||
+++ openssh-5.2p1/auth2-hostbased.c 2009-08-11 22:43:07.923721059 +0200
|
||||
diff -up openssh-5.4p1/auth2-hostbased.c.selinux openssh-5.4p1/auth2-hostbased.c
|
||||
--- openssh-5.4p1/auth2-hostbased.c.selinux 2008-07-17 10:57:19.000000000 +0200
|
||||
+++ openssh-5.4p1/auth2-hostbased.c 2010-03-01 15:19:57.000000000 +0100
|
||||
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
buffer_put_string(&b, session_id2, session_id2_len);
|
||||
/* reconstruct packet */
|
||||
@ -134,10 +134,10 @@ diff -up openssh-5.2p1/auth2-hostbased.c.selinux openssh-5.2p1/auth2-hostbased.c
|
||||
buffer_put_cstring(&b, service);
|
||||
buffer_put_cstring(&b, "hostbased");
|
||||
buffer_put_string(&b, pkalg, alen);
|
||||
diff -up openssh-5.2p1/auth2-pubkey.c.selinux openssh-5.2p1/auth2-pubkey.c
|
||||
--- openssh-5.2p1/auth2-pubkey.c.selinux 2008-07-04 04:54:25.000000000 +0200
|
||||
+++ openssh-5.2p1/auth2-pubkey.c 2009-08-11 22:43:07.925704588 +0200
|
||||
@@ -117,7 +117,15 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
diff -up openssh-5.4p1/auth2-pubkey.c.selinux openssh-5.4p1/auth2-pubkey.c
|
||||
--- openssh-5.4p1/auth2-pubkey.c.selinux 2010-02-26 21:55:05.000000000 +0100
|
||||
+++ openssh-5.4p1/auth2-pubkey.c 2010-03-01 15:19:57.000000000 +0100
|
||||
@@ -119,7 +119,15 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
}
|
||||
/* reconstruct packet */
|
||||
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
||||
@ -154,9 +154,9 @@ diff -up openssh-5.2p1/auth2-pubkey.c.selinux openssh-5.2p1/auth2-pubkey.c
|
||||
buffer_put_cstring(&b,
|
||||
datafellows & SSH_BUG_PKSERVICE ?
|
||||
"ssh-userauth" :
|
||||
diff -up openssh-5.2p1/auth.h.selinux openssh-5.2p1/auth.h
|
||||
--- openssh-5.2p1/auth.h.selinux 2008-11-05 06:20:46.000000000 +0100
|
||||
+++ openssh-5.2p1/auth.h 2009-08-11 22:43:07.927199901 +0200
|
||||
diff -up openssh-5.4p1/auth.h.selinux openssh-5.4p1/auth.h
|
||||
--- openssh-5.4p1/auth.h.selinux 2010-02-26 21:55:05.000000000 +0100
|
||||
+++ openssh-5.4p1/auth.h 2010-03-01 15:19:57.000000000 +0100
|
||||
@@ -58,6 +58,9 @@ struct Authctxt {
|
||||
char *service;
|
||||
struct passwd *pw; /* set if 'valid' */
|
||||
@ -167,21 +167,21 @@ diff -up openssh-5.2p1/auth.h.selinux openssh-5.2p1/auth.h
|
||||
void *kbdintctxt;
|
||||
void *jpake_ctx;
|
||||
#ifdef BSD_AUTH
|
||||
diff -up openssh-5.2p1/configure.ac.selinux openssh-5.2p1/configure.ac
|
||||
--- openssh-5.2p1/configure.ac.selinux 2009-02-16 05:37:03.000000000 +0100
|
||||
+++ openssh-5.2p1/configure.ac 2009-08-11 22:43:07.930259052 +0200
|
||||
@@ -3335,6 +3335,7 @@ AC_ARG_WITH(selinux,
|
||||
AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
|
||||
AC_MSG_ERROR(SELinux support requires libselinux library))
|
||||
diff -up openssh-5.4p1/configure.ac.selinux openssh-5.4p1/configure.ac
|
||||
--- openssh-5.4p1/configure.ac.selinux 2010-03-01 15:19:57.000000000 +0100
|
||||
+++ openssh-5.4p1/configure.ac 2010-03-01 15:21:12.000000000 +0100
|
||||
@@ -3358,6 +3358,7 @@ AC_ARG_WITH(selinux,
|
||||
],
|
||||
AC_MSG_ERROR(SELinux support requires libselinux library))
|
||||
SSHDLIBS="$SSHDLIBS $LIBSELINUX"
|
||||
+ LIBS="$LIBS $LIBSELINUX"
|
||||
AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
|
||||
LIBS="$save_LIBS"
|
||||
fi ]
|
||||
diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
|
||||
--- openssh-5.2p1/monitor.c.selinux 2009-02-14 06:33:31.000000000 +0100
|
||||
+++ openssh-5.2p1/monitor.c 2009-08-11 22:43:07.933623092 +0200
|
||||
@@ -135,6 +135,9 @@ int mm_answer_sign(int, Buffer *);
|
||||
diff -up openssh-5.4p1/monitor.c.selinux openssh-5.4p1/monitor.c
|
||||
--- openssh-5.4p1/monitor.c.selinux 2010-02-26 21:55:05.000000000 +0100
|
||||
+++ openssh-5.4p1/monitor.c 2010-03-01 15:19:57.000000000 +0100
|
||||
@@ -137,6 +137,9 @@ int mm_answer_sign(int, Buffer *);
|
||||
int mm_answer_pwnamallow(int, Buffer *);
|
||||
int mm_answer_auth2_read_banner(int, Buffer *);
|
||||
int mm_answer_authserv(int, Buffer *);
|
||||
@ -191,7 +191,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
|
||||
int mm_answer_authpassword(int, Buffer *);
|
||||
int mm_answer_bsdauthquery(int, Buffer *);
|
||||
int mm_answer_bsdauthrespond(int, Buffer *);
|
||||
@@ -211,6 +214,9 @@ struct mon_table mon_dispatch_proto20[]
|
||||
@@ -213,6 +216,9 @@ struct mon_table mon_dispatch_proto20[]
|
||||
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
||||
@ -201,7 +201,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
|
||||
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
||||
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
||||
#ifdef USE_PAM
|
||||
@@ -680,6 +686,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
|
||||
@@ -682,6 +688,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
|
||||
else {
|
||||
/* Allow service/style information on the auth context */
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
||||
@ -211,7 +211,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
||||
}
|
||||
|
||||
@@ -724,6 +733,25 @@ mm_answer_authserv(int sock, Buffer *m)
|
||||
@@ -726,6 +735,25 @@ mm_answer_authserv(int sock, Buffer *m)
|
||||
return (0);
|
||||
}
|
||||
|
||||
@ -237,7 +237,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
|
||||
int
|
||||
mm_answer_authpassword(int sock, Buffer *m)
|
||||
{
|
||||
@@ -1102,7 +1130,7 @@ static int
|
||||
@@ -1104,7 +1132,7 @@ static int
|
||||
monitor_valid_userblob(u_char *data, u_int datalen)
|
||||
{
|
||||
Buffer b;
|
||||
@ -246,7 +246,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
|
||||
u_int len;
|
||||
int fail = 0;
|
||||
|
||||
@@ -1128,6 +1156,8 @@ monitor_valid_userblob(u_char *data, u_i
|
||||
@@ -1130,6 +1158,8 @@ monitor_valid_userblob(u_char *data, u_i
|
||||
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
||||
fail++;
|
||||
p = buffer_get_string(&b, NULL);
|
||||
@ -255,7 +255,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
|
||||
if (strcmp(authctxt->user, p) != 0) {
|
||||
logit("wrong user name passed to monitor: expected %s != %.100s",
|
||||
authctxt->user, p);
|
||||
@@ -1159,7 +1189,7 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
@@ -1161,7 +1191,7 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
char *chost)
|
||||
{
|
||||
Buffer b;
|
||||
@ -264,7 +264,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
|
||||
u_int len;
|
||||
int fail = 0;
|
||||
|
||||
@@ -1176,6 +1206,8 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
@@ -1178,6 +1208,8 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
||||
fail++;
|
||||
p = buffer_get_string(&b, NULL);
|
||||
@ -273,9 +273,9 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
|
||||
if (strcmp(authctxt->user, p) != 0) {
|
||||
logit("wrong user name passed to monitor: expected %s != %.100s",
|
||||
authctxt->user, p);
|
||||
diff -up openssh-5.2p1/monitor.h.selinux openssh-5.2p1/monitor.h
|
||||
--- openssh-5.2p1/monitor.h.selinux 2008-11-05 06:20:46.000000000 +0100
|
||||
+++ openssh-5.2p1/monitor.h 2009-08-11 22:43:07.935612930 +0200
|
||||
diff -up openssh-5.4p1/monitor.h.selinux openssh-5.4p1/monitor.h
|
||||
--- openssh-5.4p1/monitor.h.selinux 2008-11-05 06:20:46.000000000 +0100
|
||||
+++ openssh-5.4p1/monitor.h 2010-03-01 15:19:57.000000000 +0100
|
||||
@@ -31,6 +31,9 @@
|
||||
enum monitor_reqtype {
|
||||
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
|
||||
@ -286,9 +286,9 @@ diff -up openssh-5.2p1/monitor.h.selinux openssh-5.2p1/monitor.h
|
||||
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
|
||||
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
|
||||
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
|
||||
diff -up openssh-5.2p1/monitor_wrap.c.selinux openssh-5.2p1/monitor_wrap.c
|
||||
--- openssh-5.2p1/monitor_wrap.c.selinux 2008-11-05 06:20:47.000000000 +0100
|
||||
+++ openssh-5.2p1/monitor_wrap.c 2009-08-11 22:43:07.937212340 +0200
|
||||
diff -up openssh-5.4p1/monitor_wrap.c.selinux openssh-5.4p1/monitor_wrap.c
|
||||
--- openssh-5.4p1/monitor_wrap.c.selinux 2009-06-22 08:11:07.000000000 +0200
|
||||
+++ openssh-5.4p1/monitor_wrap.c 2010-03-01 15:19:57.000000000 +0100
|
||||
@@ -297,6 +297,25 @@ mm_inform_authserv(char *service, char *
|
||||
buffer_free(&m);
|
||||
}
|
||||
@ -315,9 +315,9 @@ diff -up openssh-5.2p1/monitor_wrap.c.selinux openssh-5.2p1/monitor_wrap.c
|
||||
/* Do the password authentication */
|
||||
int
|
||||
mm_auth_password(Authctxt *authctxt, char *password)
|
||||
diff -up openssh-5.2p1/monitor_wrap.h.selinux openssh-5.2p1/monitor_wrap.h
|
||||
--- openssh-5.2p1/monitor_wrap.h.selinux 2008-11-05 06:20:47.000000000 +0100
|
||||
+++ openssh-5.2p1/monitor_wrap.h 2009-08-11 22:43:07.938268752 +0200
|
||||
diff -up openssh-5.4p1/monitor_wrap.h.selinux openssh-5.4p1/monitor_wrap.h
|
||||
--- openssh-5.4p1/monitor_wrap.h.selinux 2009-03-05 14:58:22.000000000 +0100
|
||||
+++ openssh-5.4p1/monitor_wrap.h 2010-03-01 15:19:57.000000000 +0100
|
||||
@@ -41,6 +41,9 @@ int mm_is_monitor(void);
|
||||
DH *mm_choose_dh(int, int, int);
|
||||
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
|
||||
@ -328,17 +328,18 @@ diff -up openssh-5.2p1/monitor_wrap.h.selinux openssh-5.2p1/monitor_wrap.h
|
||||
struct passwd *mm_getpwnamallow(const char *);
|
||||
char *mm_auth2_read_banner(void);
|
||||
int mm_auth_password(struct Authctxt *, char *);
|
||||
diff -up openssh-5.2p1/openbsd-compat/port-linux.c.selinux openssh-5.2p1/openbsd-compat/port-linux.c
|
||||
--- openssh-5.2p1/openbsd-compat/port-linux.c.selinux 2008-03-26 21:27:21.000000000 +0100
|
||||
+++ openssh-5.2p1/openbsd-compat/port-linux.c 2009-08-11 22:44:14.529196220 +0200
|
||||
@@ -30,11 +30,16 @@
|
||||
#ifdef WITH_SELINUX
|
||||
diff -up openssh-5.4p1/openbsd-compat/port-linux.c.selinux openssh-5.4p1/openbsd-compat/port-linux.c
|
||||
--- openssh-5.4p1/openbsd-compat/port-linux.c.selinux 2010-03-01 05:52:50.000000000 +0100
|
||||
+++ openssh-5.4p1/openbsd-compat/port-linux.c 2010-03-01 15:22:19.000000000 +0100
|
||||
@@ -32,12 +32,17 @@
|
||||
#include "log.h"
|
||||
#include "xmalloc.h"
|
||||
#include "port-linux.h"
|
||||
+#include "key.h"
|
||||
+#include "hostfile.h"
|
||||
+#include "auth.h"
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
#include <selinux/selinux.h>
|
||||
#include <selinux/flask.h>
|
||||
#include <selinux/get_context_list.h>
|
||||
@ -348,7 +349,7 @@ diff -up openssh-5.2p1/openbsd-compat/port-linux.c.selinux openssh-5.2p1/openbsd
|
||||
/* Wrapper around is_selinux_enabled() to log its return value once only */
|
||||
int
|
||||
ssh_selinux_enabled(void)
|
||||
@@ -53,23 +58,36 @@ ssh_selinux_enabled(void)
|
||||
@@ -56,23 +61,36 @@ ssh_selinux_enabled(void)
|
||||
static security_context_t
|
||||
ssh_selinux_getctxbyname(char *pwname)
|
||||
{
|
46
openssh.spec
46
openssh.spec
@ -27,7 +27,8 @@
|
||||
%define libedit 1
|
||||
|
||||
# Do we want NSS tokens support
|
||||
%define nss 1
|
||||
#NSS support is broken from 5.4p1
|
||||
%define nss 0
|
||||
|
||||
# Whether or not /sbin/nologin exists.
|
||||
%define nologin 1
|
||||
@ -68,10 +69,10 @@
|
||||
|
||||
Summary: An open source implementation of SSH protocol versions 1 and 2
|
||||
Name: openssh
|
||||
Version: 5.3p1
|
||||
Version: 5.4p1
|
||||
# Do not rewind release to 1 on version upgrades unless the pam_ssh_agent_auth
|
||||
# is updated as well.
|
||||
Release: 22%{?dist}%{?rescue_rel}
|
||||
Release: 0.snap20100302.1%{?dist}%{?rescue_rel}
|
||||
URL: http://www.openssh.com/portable.html
|
||||
#URL1: http://pamsshagentauth.sourceforge.net
|
||||
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||
@ -79,39 +80,37 @@ URL: http://www.openssh.com/portable.html
|
||||
# This package differs from the upstream OpenSSH tarball in that
|
||||
# the ACSS cipher is removed by running openssh-nukeacss.sh in
|
||||
# the unpacked source directory.
|
||||
Source0: openssh-%{version}-noacss.tar.bz2
|
||||
Source0: openssh-%{version}-snap20100302-noacss.tar.bz2
|
||||
Source1: openssh-nukeacss.sh
|
||||
Source2: sshd.pam
|
||||
Source3: sshd.init
|
||||
Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.bz2
|
||||
Source5: pam_ssh_agent-rmheaders
|
||||
Patch0: openssh-5.2p1-redhat.patch
|
||||
Patch0: openssh-5.4p1-redhat.patch
|
||||
Patch2: openssh-5.3p1-skip-initial.patch
|
||||
Patch4: openssh-5.2p1-vendor.patch
|
||||
Patch5: openssh-5.2p1-engine.patch
|
||||
Patch10: pam_ssh_agent_auth-0.9-build.patch
|
||||
Patch12: openssh-5.2p1-selinux.patch
|
||||
Patch13: openssh-5.3p1-mls.patch
|
||||
Patch12: openssh-5.4p1-selinux.patch
|
||||
Patch13: openssh-5.4p1-mls.patch
|
||||
Patch16: openssh-5.3p1-audit.patch
|
||||
Patch18: openssh-5.0p1-pam_selinux.patch
|
||||
Patch19: openssh-5.2p1-sesftp.patch
|
||||
Patch22: openssh-3.9p1-askpass-keep-above.patch
|
||||
Patch18: openssh-5.4p1-pam_selinux.patch
|
||||
Patch24: openssh-4.3p1-fromto-remote.patch
|
||||
Patch27: openssh-5.1p1-log-in-chroot.patch
|
||||
Patch30: openssh-4.0p1-exit-deadlock.patch
|
||||
Patch35: openssh-5.1p1-askpass-progress.patch
|
||||
Patch38: openssh-4.3p2-askpass-grab-info.patch
|
||||
#??? - 201594
|
||||
Patch39: openssh-4.3p2-no-v6only.patch
|
||||
Patch44: openssh-5.2p1-allow-ip-opts.patch
|
||||
Patch49: openssh-4.3p2-gssapi-canohost.patch
|
||||
Patch51: openssh-5.3p1-nss-keys.patch
|
||||
Patch55: openssh-5.1p1-cloexec.patch
|
||||
#???
|
||||
Patch51: openssh-5.4p1-nss-keys.patch
|
||||
Patch62: openssh-5.1p1-scp-manpage.patch
|
||||
Patch65: openssh-5.3p1-fips.patch
|
||||
Patch65: openssh-5.4p1-fips.patch
|
||||
Patch69: openssh-5.3p1-selabel.patch
|
||||
Patch71: openssh-5.2p1-edns.patch
|
||||
Patch72: openssh-5.3p1-pka.patch
|
||||
Patch73: openssh-5.3p1-gsskex.patch
|
||||
Patch72: openssh-5.4p1-pka.patch
|
||||
Patch73: openssh-5.4p1-gsskex.patch
|
||||
Patch74: openssh-5.3p1-randclean.patch
|
||||
Patch75: openssh-5.3p1-dso.patch
|
||||
|
||||
@ -189,6 +188,7 @@ Provides: openssh-askpass-gnome
|
||||
Summary: PAM module for authentication with ssh-agent
|
||||
Group: System Environment/Base
|
||||
Version: %{pam_ssh_agent_ver}
|
||||
Release: 23%{?dist}%{?rescue_rel}
|
||||
License: BSD
|
||||
|
||||
%description
|
||||
@ -234,7 +234,6 @@ The module is most useful for su and sudo service stacks.
|
||||
%patch0 -p1 -b .redhat
|
||||
%patch2 -p1 -b .skip-initial
|
||||
%patch4 -p1 -b .vendor
|
||||
%patch5 -p1 -b .engine
|
||||
|
||||
%if %{pam_ssh_agent}
|
||||
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||
@ -250,20 +249,17 @@ popd
|
||||
%patch13 -p1 -b .mls
|
||||
%patch16 -p1 -b .audit
|
||||
%patch18 -p1 -b .pam_selinux
|
||||
%patch19 -p1 -b .sesftp
|
||||
%endif
|
||||
|
||||
%patch22 -p1 -b .keep-above
|
||||
%patch24 -p1 -b .fromto-remote
|
||||
%patch27 -p1 -b .log-chroot
|
||||
%patch30 -p1 -b .exit-deadlock
|
||||
%patch35 -p1 -b .progress
|
||||
%patch38 -p1 -b .grab-info
|
||||
%patch39 -p1 -b .no-v6only
|
||||
#???%patch39 -p1 -b .no-v6only
|
||||
%patch44 -p1 -b .ip-opts
|
||||
%patch49 -p1 -b .canohost
|
||||
%patch51 -p1 -b .nss-keys
|
||||
%patch55 -p1 -b .cloexec
|
||||
#???%patch51 -p1 -b .nss-keys
|
||||
%patch62 -p1 -b .manpage
|
||||
%patch65 -p1 -b .fips
|
||||
%patch69 -p1 -b .selabel
|
||||
@ -316,6 +312,7 @@ fi
|
||||
--disable-strip \
|
||||
--without-zlib-version-check \
|
||||
--with-ssl-engine \
|
||||
--with-pka \
|
||||
%if %{nss}
|
||||
--with-nss \
|
||||
%endif
|
||||
@ -489,11 +486,13 @@ fi
|
||||
%attr(0755,root,root) %{_bindir}/ssh-keyscan
|
||||
%attr(0755,root,root) %{_bindir}/sftp
|
||||
%attr(0755,root,root) %{_bindir}/ssh-copy-id
|
||||
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
|
||||
%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
|
||||
%attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
|
||||
%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
|
||||
%attr(0644,root,root) %{_mandir}/man1/sftp.1*
|
||||
%attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1*
|
||||
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
|
||||
%endif
|
||||
|
||||
%if ! %{rescue}
|
||||
@ -529,6 +528,9 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Mar 3 2010 Jan F. Chadima <jchadima@redhat.com> - 5.4p1-0.snap20100302.1
|
||||
- Prepare update to 5.4p1
|
||||
|
||||
* Mon Feb 15 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-22
|
||||
- ImplicitDSOLinking (#564824)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user