- update to 4.5p1 (#212606)

.cvsignore

@@ -1 +1 @@
-openssh-4.3p2-noacss.tar.bz2
+openssh-4.5p1-noacss.tar.bz2

openssh-4.5p1-audit.patch

@@ -0,0 +1,186 @@
+--- openssh-4.5p1/loginrec.c.audit	2006-09-07 14:57:54.000000000 +0200
++++ openssh-4.5p1/loginrec.c	2006-12-21 12:17:35.000000000 +0100
+@@ -175,6 +175,10 @@
+ #include "auth.h"
+ #include "buffer.h"
+ 
++#ifdef HAVE_LINUX_AUDIT
++# include <libaudit.h>
++#endif
++
+ #ifdef HAVE_UTIL_H
+ # include <util.h>
+ #endif
+@@ -201,6 +205,9 @@
+ int utmpx_write_entry(struct logininfo *li);
+ int wtmp_write_entry(struct logininfo *li);
+ int wtmpx_write_entry(struct logininfo *li);
++#ifdef HAVE_LINUX_AUDIT
++int linux_audit_write_entry(struct logininfo *li);
++#endif
+ int lastlog_write_entry(struct logininfo *li);
+ int syslogin_write_entry(struct logininfo *li);
+ 
+@@ -439,6 +446,10 @@
+ 
+ 	/* set the timestamp */
+ 	login_set_current_time(li);
++#ifdef HAVE_LINUX_AUDIT
++	if (linux_audit_write_entry(li) == 0)
++		fatal("linux_audit_write_entry failed: %s", strerror(errno));
++#endif
+ #ifdef USE_LOGIN
+ 	syslogin_write_entry(li);
+ #endif
+@@ -1393,6 +1404,51 @@
+ }
+ #endif /* USE_WTMPX */
+ 
++#ifdef HAVE_LINUX_AUDIT
++int
++linux_audit_record_event(int uid, const char *username,
++	const char *hostname, const char *ip, const char *ttyn, int success)
++{
++	char buf[64];
++	int audit_fd, rc;
++
++	audit_fd = audit_open();
++	if (audit_fd < 0) {
++	 	if (errno == EINVAL || errno == EPROTONOSUPPORT ||
++					errno == EAFNOSUPPORT)
++			return 1; /* No audit support in kernel */
++		else
++			return 0; /* Must prevent login */
++	}
++	if (username == NULL)
++		snprintf(buf, sizeof(buf), "uid=%d", uid);
++	else
++		snprintf(buf, sizeof(buf), "acct=%s", username);
++	rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
++		buf, hostname, ip, ttyn, success);
++	close(audit_fd);
++	if (rc >= 0)
++		return 1;
++	else
++		return 0;
++}
++
++int
++linux_audit_write_entry(struct logininfo *li)
++{
++	switch(li->type) {
++	case LTYPE_LOGIN:
++		return (linux_audit_record_event(li->uid, NULL, li->hostname,
++			NULL, li->line, 1));
++	case LTYPE_LOGOUT:
++		return (1);	/* We only care about logins */
++	default:
++		logit("%s: invalid type field", __func__);
++		return (0);
++	}
++}
++#endif /* HAVE_LINUX_AUDIT */
++
+ /**
+  ** Low-level libutil login() functions
+  **/
+--- openssh-4.5p1/loginrec.h.audit	2006-08-05 04:39:40.000000000 +0200
++++ openssh-4.5p1/loginrec.h	2006-12-21 12:17:35.000000000 +0100
+@@ -127,5 +127,9 @@
+ char *line_abbrevname(char *dst, const char *src, int dstsize);
+ 
+ void record_failed_login(const char *, const char *, const char *);
++#ifdef HAVE_LINUX_AUDIT
++int linux_audit_record_event(int uid, const char *username,
++	const char *hostname, const char *ip, const char *ttyn, int success);
++#endif /* HAVE_LINUX_AUDIT */
+ 
+ #endif /* _HAVE_LOGINREC_H_ */
+--- openssh-4.5p1/Makefile.in.audit	2006-10-23 23:44:47.000000000 +0200
++++ openssh-4.5p1/Makefile.in	2006-12-21 12:19:39.000000000 +0100
+@@ -45,6 +45,7 @@
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ LIBS=@LIBS@
+ LIBSELINUX=@LIBSELINUX@
++LIBAUDIT=@LIBAUDIT@
+ SSHDLIBS=@SSHDLIBS@
+ LIBEDIT=@LIBEDIT@
+ LIBPAM=@LIBPAM@
+@@ -139,7 +140,7 @@
+ 	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ 
+ sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
+-	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(SSHDLIBS) $(LIBS)
++	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(SSHDLIBS) $(LIBS)
+ 
+ scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
+ 	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+--- openssh-4.5p1/config.h.in.audit	2006-11-07 14:07:01.000000000 +0100
++++ openssh-4.5p1/config.h.in	2006-12-21 12:17:35.000000000 +0100
+@@ -1305,6 +1305,9 @@
+ /* Define if you want SELinux support. */
+ #undef WITH_SELINUX
+ 
++/* Define if you want Linux audit support. */
++#undef HAVE_LINUX_AUDIT
++
+ /* Define to 1 if your processor stores words with the most significant byte
+    first (like Motorola and SPARC, unlike Intel and VAX). */
+ #undef WORDS_BIGENDIAN
+--- openssh-4.5p1/configure.ac.audit	2006-12-21 12:17:34.000000000 +0100
++++ openssh-4.5p1/configure.ac	2006-12-21 12:17:35.000000000 +0100
+@@ -3161,6 +3161,20 @@
+ )
+ AC_SUBST(LIBSELINUX)
+ 
++# Check whether user wants Linux audit support
++LINUX_AUDIT_MSG="no"
++LIBAUDIT=""
++AC_ARG_WITH(linux-audit,
++	[  --with-linux-audit   Enable Linux audit support],
++	[ if test "x$withval" != "xno" ; then
++		AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
++		LINUX_AUDIT_MSG="yes"
++		AC_CHECK_HEADERS(libaudit.h)
++		LIBAUDIT="-laudit"
++	fi
++	])
++AC_SUBST(LIBAUDIT)
++
+ # Check whether user wants Kerberos 5 support
+ KRB5_MSG="no"
+ AC_ARG_WITH(kerberos5,
+@@ -3982,6 +3996,7 @@
+ echo "                   OSF SIA support: $SIA_MSG"
+ echo "                 KerberosV support: $KRB5_MSG"
+ echo "                   SELinux support: $SELINUX_MSG"
++echo "               Linux audit support: $LINUX_AUDIT_MSG"
+ echo "                 Smartcard support: $SCARD_MSG"
+ echo "                     S/KEY support: $SKEY_MSG"
+ echo "              TCP Wrappers support: $TCPW_MSG"
+--- openssh-4.5p1/auth.c.audit	2006-10-27 17:10:16.000000000 +0200
++++ openssh-4.5p1/auth.c	2006-12-21 12:17:35.000000000 +0100
+@@ -286,6 +286,12 @@
+ 		    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
+ # endif
+ #endif
++#if HAVE_LINUX_AUDIT
++	if (authenticated == 0 && !authctxt->postponed) {
++		linux_audit_record_event(-1, authctxt->user, NULL,
++			get_remote_ipaddr(), "sshd", 0);
++	}
++#endif
+ #ifdef SSH_AUDIT_EVENTS
+ 	if (authenticated == 0 && !authctxt->postponed)
+ 		audit_event(audit_classify_auth(method));
+@@ -492,6 +498,10 @@
+ 		record_failed_login(user,
+ 		    get_canonical_hostname(options.use_dns), "ssh");
+ #endif
++#ifdef HAVE_LINUX_AUDIT
++		linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
++			"sshd", 0);
++#endif
+ #ifdef SSH_AUDIT_EVENTS
+ 		audit_event(SSH_INVALID_USER);
+ #endif /* SSH_AUDIT_EVENTS */

openssh-4.5p1-redhat.patch

@@ -0,0 +1,99 @@
+--- openssh-4.5p1/sshd_config.0.redhat	2006-11-07 14:07:28.000000000 +0100
++++ openssh-4.5p1/sshd_config.0	2006-12-20 22:04:16.000000000 +0100
+@@ -430,9 +430,9 @@
+ 
+      SyslogFacility
+              Gives the facility code that is used when logging messages from
+-             sshd(8).  The possible values are: DAEMON, USER, AUTH, LOCAL0,
+-             LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  The de-
+-             fault is AUTH.
++             sshd(8).  The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
++             LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
++             The default is AUTH.
+ 
+      TCPKeepAlive
+              Specifies whether the system should send TCP keepalive messages
+--- openssh-4.5p1/sshd_config.redhat	2006-07-24 06:06:47.000000000 +0200
++++ openssh-4.5p1/sshd_config	2006-12-20 21:59:15.000000000 +0100
+@@ -12,6 +12,7 @@
+ 
+ #Port 22
+ #Protocol 2,1
++Protocol 2
+ #AddressFamily any
+ #ListenAddress 0.0.0.0
+ #ListenAddress ::
+@@ -29,6 +30,7 @@
+ # Logging
+ # obsoletes QuietMode and FascistLogging
+ #SyslogFacility AUTH
++SyslogFacility AUTHPRIV
+ #LogLevel INFO
+ 
+ # Authentication:
+@@ -55,9 +57,11 @@
+ # To disable tunneled clear text passwords, change to no here!
+ #PasswordAuthentication yes
+ #PermitEmptyPasswords no
++PasswordAuthentication yes
+ 
+ # Change to no to disable s/key passwords
+ #ChallengeResponseAuthentication yes
++ChallengeResponseAuthentication no
+ 
+ # Kerberos options
+ #KerberosAuthentication no
+@@ -67,7 +71,9 @@
+ 
+ # GSSAPI options
+ #GSSAPIAuthentication no
++GSSAPIAuthentication yes
+ #GSSAPICleanupCredentials yes
++GSSAPICleanupCredentials yes
+ 
+ # Set this to 'yes' to enable PAM authentication, account processing, 
+ # and session processing. If this is enabled, PAM authentication will 
+@@ -79,10 +85,16 @@
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and ChallengeResponseAuthentication to 'no'.
+ #UsePAM no
++UsePAM yes
+ 
++# Accept locale-related environment variables
++AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
++AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
++AcceptEnv LC_IDENTIFICATION LC_ALL
+ #AllowTcpForwarding yes
+ #GatewayPorts no
+ #X11Forwarding no
++X11Forwarding yes
+ #X11DisplayOffset 10
+ #X11UseLocalhost yes
+ #PrintMotd yes
+--- openssh-4.5p1/ssh_config.redhat	2006-06-13 05:01:10.000000000 +0200
++++ openssh-4.5p1/ssh_config	2006-12-20 21:59:15.000000000 +0100
+@@ -42,3 +42,13 @@
+ #   Tunnel no
+ #   TunnelDevice any:any
+ #   PermitLocalCommand no
++Host *
++	GSSAPIAuthentication yes
++# If this option is set to yes then remote X11 clients will have full access
++# to the original X11 display. As virtually no X11 client supports the untrusted
++# mode correctly we set this to yes.
++	ForwardX11Trusted yes
++# Send locale-related environment variables
++	SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
++	SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
++	SendEnv LC_IDENTIFICATION LC_ALL
+--- openssh-4.5p1/sshd_config.5.redhat	2006-08-30 03:06:34.000000000 +0200
++++ openssh-4.5p1/sshd_config.5	2006-12-20 22:05:18.000000000 +0100
+@@ -740,7 +740,7 @@
+ .It Cm SyslogFacility
+ Gives the facility code that is used when logging messages from
+ .Xr sshd 8 .
+-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
++The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
+ LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+ The default is AUTH.
+ .It Cm TCPKeepAlive

openssh-4.5p1-selinux.patch

@@ -0,0 +1,255 @@
+--- openssh-4.5p1/auth.h.selinux	2006-08-18 16:32:46.000000000 +0200
++++ openssh-4.5p1/auth.h	2006-12-20 22:10:48.000000000 +0100
+@@ -58,6 +58,7 @@
+ 	char		*service;
+ 	struct passwd	*pw;		/* set if 'valid' */
+ 	char		*style;
++	char		*role;
+ 	void		*kbdintctxt;
+ #ifdef BSD_AUTH
+ 	auth_session_t	*as;
+--- openssh-4.5p1/auth1.c.selinux	2006-12-20 22:10:35.000000000 +0100
++++ openssh-4.5p1/auth1.c	2006-12-20 22:10:48.000000000 +0100
+@@ -388,7 +388,7 @@
+ do_authentication(Authctxt *authctxt)
+ {
+ 	u_int ulen;
+-	char *user, *style = NULL;
++	char *user, *style = NULL, *role=NULL;
+ 
+ 	/* Get the name of the user that we wish to log in as. */
+ 	packet_read_expect(SSH_CMSG_USER);
+@@ -397,11 +397,19 @@
+ 	user = packet_get_string(&ulen);
+ 	packet_check_eom();
+ 
++	if ((role = strchr(user, '/')) != NULL)
++		*role++ = '\0';
++
+ 	if ((style = strchr(user, ':')) != NULL)
+ 		*style++ = '\0';
++	else
++		if (role && (style = strchr(role, ':')) != NULL)
++			*style++ = '\0';
++			
+ 
+ 	authctxt->user = user;
+ 	authctxt->style = style;
++	authctxt->role = role;
+ 
+ 	/* Verify that the user is a valid user. */
+ 	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
+--- openssh-4.5p1/monitor.c.selinux	2006-11-07 13:16:08.000000000 +0100
++++ openssh-4.5p1/monitor.c	2006-12-20 22:10:48.000000000 +0100
+@@ -133,6 +133,7 @@
+ int mm_answer_pwnamallow(int, Buffer *);
+ int mm_answer_auth2_read_banner(int, Buffer *);
+ int mm_answer_authserv(int, Buffer *);
++int mm_answer_authrole(int, Buffer *);
+ int mm_answer_authpassword(int, Buffer *);
+ int mm_answer_bsdauthquery(int, Buffer *);
+ int mm_answer_bsdauthrespond(int, Buffer *);
+@@ -204,6 +205,7 @@
+     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
+     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
+     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
++    {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
+     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
+     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
+ #ifdef USE_PAM
+@@ -653,6 +655,7 @@
+ 	else {
+ 		/* Allow service/style information on the auth context */
+ 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
++		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
+ 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
+ 	}
+ 
+@@ -698,6 +701,23 @@
+ }
+ 
+ int
++mm_answer_authrole(int sock, Buffer *m)
++{
++	monitor_permit_authentications(1);
++
++	authctxt->role = buffer_get_string(m, NULL);
++	debug3("%s: role=%s",
++	    __func__, authctxt->role);
++
++	if (strlen(authctxt->role) == 0) {
++		xfree(authctxt->role);
++		authctxt->role = NULL;
++	}
++
++	return (0);
++}
++
++int
+ mm_answer_authpassword(int sock, Buffer *m)
+ {
+ 	static int call_count;
+--- openssh-4.5p1/openbsd-compat/port-linux.c.selinux	2006-09-01 07:38:41.000000000 +0200
++++ openssh-4.5p1/openbsd-compat/port-linux.c	2006-12-21 12:15:59.000000000 +0100
+@@ -30,11 +30,16 @@
+ #ifdef WITH_SELINUX
+ #include "log.h"
+ #include "port-linux.h"
++#include "key.h"
++#include "hostfile.h"
++#include "auth.h"
+ 
+ #include <selinux/selinux.h>
+ #include <selinux/flask.h>
+ #include <selinux/get_context_list.h>
+ 
++extern Authctxt *the_authctxt;
++
+ /* Wrapper around is_selinux_enabled() to log its return value once only */
+ static int
+ ssh_selinux_enabled(void)
+@@ -53,23 +58,36 @@
+ static security_context_t
+ ssh_selinux_getctxbyname(char *pwname)
+ {
+-	security_context_t sc;
+-	char *sename = NULL, *lvl = NULL;
+-	int r;
++	security_context_t sc = NULL;
++	char *sename, *lvl;
++	char *role = NULL;
++	int r = 0;
+ 
++	if (the_authctxt) 
++		role=the_authctxt->role;
+ #ifdef HAVE_GETSEUSERBYNAME
+-	if (getseuserbyname(pwname, &sename, &lvl) != 0)
+-		return NULL;
++	if (r=getseuserbyname(pwname, &sename, &lvl) != 0) {
++		sename = NULL;
++		lvl = NULL;
++	}
+ #else
+ 	sename = pwname;
+ 	lvl = NULL;
+ #endif
+ 
++	if (r == 0) {
+ #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+-	r = get_default_context_with_level(sename, lvl, NULL, &sc);
++		if (role != NULL && role[0])
++			r = get_default_context_with_rolelevel(sename, role, lvl, NULL, &sc);
++		else
++			r = get_default_context_with_level(sename, lvl, NULL, &sc);
+ #else
+-	r = get_default_context(sename, NULL, &sc);
++		if (role != NULL && role[0])
++			r = get_default_context_with_role(sename, role, NULL, &sc);
++		else
++			r = get_default_context(sename, NULL, &sc);
+ #endif
++	}
+ 
+ 	if (r != 0) {
+ 		switch (security_getenforce()) {
+--- openssh-4.5p1/configure.ac.selinux	2006-12-20 22:10:35.000000000 +0100
++++ openssh-4.5p1/configure.ac	2006-12-21 11:18:48.000000000 +0100
+@@ -3137,8 +3137,16 @@
+ SELINUX_MSG="no"
+ LIBSELINUX=""
+ AC_ARG_WITH(selinux,
+-	[  --with-selinux   Enable SELinux support],
++	[  --with-selinux[[=LIBSELINUX-PATH]]   Enable SELinux support],
+ 	[ if test "x$withval" != "xno" ; then
++		if test "x$withval" != "xyes"; then
++			CPPFLAGS="$CPPFLAGS -I${withval}/include"
++			if test -n "${need_dash_r}"; then
++				LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
++			else
++				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
++			fi
++        	fi 
+ 		AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
+ 		SELINUX_MSG="yes"
+ 		AC_CHECK_HEADER([selinux/selinux.h], ,
+--- openssh-4.5p1/auth2.c.selinux	2006-08-05 04:39:39.000000000 +0200
++++ openssh-4.5p1/auth2.c	2006-12-20 22:10:48.000000000 +0100
+@@ -145,7 +145,7 @@
+ {
+ 	Authctxt *authctxt = ctxt;
+ 	Authmethod *m = NULL;
+-	char *user, *service, *method, *style = NULL;
++	char *user, *service, *method, *style = NULL, *role = NULL;
+ 	int authenticated = 0;
+ 
+ 	if (authctxt == NULL)
+@@ -157,6 +157,9 @@
+ 	debug("userauth-request for user %s service %s method %s", user, service, method);
+ 	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+ 
++	if ((role = strchr(user, '/')) != NULL)
++		*role++ = 0;
++
+ 	if ((style = strchr(user, ':')) != NULL)
+ 		*style++ = 0;
+ 
+@@ -182,8 +185,11 @@
+ 		    use_privsep ? " [net]" : "");
+ 		authctxt->service = xstrdup(service);
+ 		authctxt->style = style ? xstrdup(style) : NULL;
+-		if (use_privsep)
++		authctxt->role = role ? xstrdup(role) : NULL;
++		if (use_privsep) {
+ 			mm_inform_authserv(service, style);
++			mm_inform_authrole(role);
++		}
+ 	} else if (strcmp(user, authctxt->user) != 0 ||
+ 	    strcmp(service, authctxt->service) != 0) {
+ 		packet_disconnect("Change of username or service not allowed: "
+--- openssh-4.5p1/monitor_wrap.h.selinux	2006-08-05 04:39:40.000000000 +0200
++++ openssh-4.5p1/monitor_wrap.h	2006-12-20 22:10:48.000000000 +0100
+@@ -41,6 +41,7 @@
+ DH *mm_choose_dh(int, int, int);
+ int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
+ void mm_inform_authserv(char *, char *);
++void mm_inform_authrole(char *);
+ struct passwd *mm_getpwnamallow(const char *);
+ char *mm_auth2_read_banner(void);
+ int mm_auth_password(struct Authctxt *, char *);
+--- openssh-4.5p1/monitor_wrap.c.selinux	2006-09-01 07:38:37.000000000 +0200
++++ openssh-4.5p1/monitor_wrap.c	2006-12-20 22:10:48.000000000 +0100
+@@ -282,6 +282,23 @@
+ 	buffer_free(&m);
+ }
+ 
++/* Inform the privileged process about role */
++
++void
++mm_inform_authrole(char *role)
++{
++	Buffer m;
++
++	debug3("%s entering", __func__);
++
++	buffer_init(&m);
++	buffer_put_cstring(&m, role ? role : "");
++
++	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
++
++	buffer_free(&m);
++}
++
+ /* Do the password authentication */
+ int
+ mm_auth_password(Authctxt *authctxt, char *password)
+--- openssh-4.5p1/monitor.h.selinux	2006-03-26 05:30:02.000000000 +0200
++++ openssh-4.5p1/monitor.h	2006-12-20 22:10:35.000000000 +0100
+@@ -30,7 +30,7 @@
+ 
+ enum monitor_reqtype {
+ 	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
+-	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
++	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE,
+ 	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
+ 	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
+ 	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,

openssh-4.5p1-vendor.patch

@@ -0,0 +1,143 @@
+--- openssh-4.5p1/servconf.h.vendor	2006-08-18 16:23:15.000000000 +0200
++++ openssh-4.5p1/servconf.h	2006-12-20 22:06:27.000000000 +0100
+@@ -120,6 +120,7 @@
+ 	int	max_startups;
+ 	int	max_authtries;
+ 	char   *banner;			/* SSH-2 banner message */
++	int	show_patchlevel;	/* Show vendor patch level to clients */
+ 	int	use_dns;
+ 	int	client_alive_interval;	/*
+ 					 * poke the client this often to
+--- openssh-4.5p1/sshd_config.vendor	2006-12-20 22:06:27.000000000 +0100
++++ openssh-4.5p1/sshd_config	2006-12-20 22:06:27.000000000 +0100
+@@ -106,6 +106,7 @@
+ #Compression delayed
+ #ClientAliveInterval 0
+ #ClientAliveCountMax 3
++#ShowPatchLevel no
+ #UseDNS yes
+ #PidFile /var/run/sshd.pid
+ #MaxStartups 10
+--- openssh-4.5p1/sshd.c.vendor	2006-11-07 13:14:42.000000000 +0100
++++ openssh-4.5p1/sshd.c	2006-12-20 22:06:27.000000000 +0100
+@@ -418,7 +418,8 @@
+ 		major = PROTOCOL_MAJOR_1;
+ 		minor = PROTOCOL_MINOR_1;
+ 	}
+-	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);
++	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor,
++		 (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION);
+ 	server_version_string = xstrdup(buf);
+ 
+ 	/* Send our protocol version identification. */
+@@ -1429,7 +1430,8 @@
+ 		exit(1);
+ 	}
+ 
+-	debug("sshd version %.100s", SSH_RELEASE);
++	debug("sshd version %.100s",
++	      (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE);
+ 
+ 	/* Store privilege separation user for later use if required. */
+ 	if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
+--- openssh-4.5p1/configure.ac.vendor	2006-12-20 22:06:27.000000000 +0100
++++ openssh-4.5p1/configure.ac	2006-12-20 22:06:27.000000000 +0100
+@@ -3729,6 +3729,12 @@
+ 		fi
+ 	]
+ )
++AC_ARG_ENABLE(vendor-patchlevel,
++  [  --enable-vendor-patchlevel=TAG  specify a vendor patch level],
++  [AC_DEFINE_UNQUOTED(SSH_VENDOR_PATCHLEVEL,[SSH_RELEASE "-" "$enableval"],[Define to your vendor patch level, if it has been modified from the upstream source release.])
++   SSH_VENDOR_PATCHLEVEL="$enableval"],
++  [AC_DEFINE(SSH_VENDOR_PATCHLEVEL,SSH_RELEASE,[Define to your vendor patch level, if it has been modified from the upstream source release.])
++   SSH_VENDOR_PATCHLEVEL=none])
+ 
+ dnl lastlog, [uw]tmpx? detection
+ dnl  NOTE: set the paths in the platform section to avoid the
+@@ -3978,6 +3984,7 @@
+ echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
+ echo "                  BSD Auth support: $BSD_AUTH_MSG"
+ echo "              Random number source: $RAND_MSG"
++echo "                Vendor patch level: $SSH_VENDOR_PATCHLEVEL"
+ if test ! -z "$USE_RAND_HELPER" ; then
+ echo "     ssh-rand-helper collects from: $RAND_HELPER_MSG"
+ fi
+--- openssh-4.5p1/sshd_config.0.vendor	2006-12-20 22:06:27.000000000 +0100
++++ openssh-4.5p1/sshd_config.0	2006-12-20 22:06:27.000000000 +0100
+@@ -413,6 +413,11 @@
+              Defines the number of bits in the ephemeral protocol version 1
+              server key.  The minimum value is 512, and the default is 768.
+ 
++     ShowPatchLevel
++	     Specifies whether sshd will display the specific patch level of
++	     the binary in the server identification string.  The patch level
++	     is set at compile-time.  The default is M-bM-^@M-^\noM-bM-^@M-^].
++
+      StrictModes
+              Specifies whether sshd(8) should check file modes and ownership
+              of the user's files and home directory before accepting login.
+--- openssh-4.5p1/servconf.c.vendor	2006-08-18 16:23:15.000000000 +0200
++++ openssh-4.5p1/servconf.c	2006-12-20 22:08:41.000000000 +0100
+@@ -113,6 +113,7 @@
+ 	options->max_startups = -1;
+ 	options->max_authtries = -1;
+ 	options->banner = NULL;
++	options->show_patchlevel = -1;
+ 	options->use_dns = -1;
+ 	options->client_alive_interval = -1;
+ 	options->client_alive_count_max = -1;
+@@ -250,6 +251,9 @@
+ 	if (options->permit_tun == -1)
+ 		options->permit_tun = SSH_TUNMODE_NO;
+ 
++	if (options->show_patchlevel == -1)
++		options->show_patchlevel = 0;
++
+ 	/* Turn privilege separation on by default */
+ 	if (use_privsep == -1)
+ 		use_privsep = 1;
+@@ -293,6 +297,7 @@
+ 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+ 	sMatch, sPermitOpen, sForceCommand,
+ 	sUsePrivilegeSeparation,
++	sShowPatchLevel,
+ 	sDeprecated, sUnsupported
+ } ServerOpCodes;
+ 
+@@ -390,6 +395,7 @@
+ 	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
+ 	{ "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
+ 	{ "banner", sBanner, SSHCFG_GLOBAL },
++	{ "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL },
+ 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
+ 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
+ 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
+@@ -1006,6 +1012,10 @@
+ 		intptr = &use_privsep;
+ 		goto parse_flag;
+ 
++	case sShowPatchLevel:
++		intptr = &options->show_patchlevel;
++		goto parse_flag;
++
+ 	case sAllowUsers:
+ 		while ((arg = strdelim(&cp)) && *arg != '\0') {
+ 			if (options->num_allow_users >= MAX_ALLOW_USERS)
+--- openssh-4.5p1/sshd_config.5.vendor	2006-12-20 22:06:27.000000000 +0100
++++ openssh-4.5p1/sshd_config.5	2006-12-20 22:06:27.000000000 +0100
+@@ -717,6 +717,14 @@
+ .It Cm ServerKeyBits
+ Defines the number of bits in the ephemeral protocol version 1 server key.
+ The minimum value is 512, and the default is 768.
++.It Cm ShowPatchLevel
++Specifies whether
++.Nm sshd
++will display the patch level of the binary in the identification string.
++The patch level is set at compile-time.
++The default is
++.Dq no .
++This option applies to protocol version 1 only.
+ .It Cm StrictModes
+ Specifies whether
+ .Xr sshd 8

openssh.spec

@@ -60,8 +60,8 @@
 
 Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
 Name: openssh
-Version: 4.3p2
-Release: 14%{?dist}%{?rescue_rel}
+Version: 4.5p1
+Release: 1%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig
@@ -69,34 +69,23 @@ URL: http://www.openssh.com/portable.html
 # removes the ACSS cipher.
 Source0: openssh-%{version}-noacss.tar.bz2
 Source1: openssh-nukeacss.sh
-Patch0: openssh-4.3p1-redhat.patch
+Patch0: openssh-4.5p1-redhat.patch
 Patch2: openssh-3.8.1p1-skip-initial.patch
 Patch3: openssh-3.8.1p1-krb5-config.patch
-Patch4: openssh-4.3p1-vendor.patch
+Patch4: openssh-4.5p1-vendor.patch
 Patch5: openssh-4.3p2-initscript.patch
-Patch12: openssh-selinux.patch
-Patch16: openssh-4.3p1-audit.patch
-Patch20: openssh-3.9p1-gssapimitm.patch
+Patch12: openssh-4.5p1-selinux.patch
+Patch16: openssh-4.5p1-audit.patch
 Patch22: openssh-3.9p1-askpass-keep-above.patch
-Patch23: openssh-3.9p1-no-log-signal.patch
 Patch24: openssh-4.3p1-fromto-remote.patch
-Patch25: openssh-4.3p2-scp-print-err.patch
 Patch26: openssh-4.2p1-pam-no-stack.patch
 Patch27: openssh-3.9p1-log-in-chroot.patch
 Patch30: openssh-4.0p1-exit-deadlock.patch
 Patch31: openssh-3.9p1-skip-used.patch
 Patch35: openssh-4.2p1-askpass-progress.patch
-Patch36: openssh-4.3p2-buffer-len.patch
-Patch37: openssh-4.3p2-configure-typo.patch
 Patch38: openssh-4.3p2-askpass-grab-info.patch
 Patch39: openssh-4.3p2-no-v6only.patch
-Patch40: openssh-4.3p2-coverity-memleaks.patch
-Patch41: openssh-4.3p2-gssapi-no-spnego.patch
-Patch42: openssh-4.3p2-no-dup-logs.patch
 Patch44: openssh-4.3p2-allow-ip-opts.patch
-Patch45: openssh-4.3p2-cve-2006-4924.patch
-Patch46: openssh-3.9p1-cve-2006-5051.patch
-Patch47: openssh-4.3p2-cve-2006-5794.patch
 Patch48: openssh-4.3p2-pam-session.patch
 Patch49: openssh-4.3p2-gssapi-canohost.patch
 License: BSD
@@ -212,27 +201,16 @@ an X11 passphrase dialog for OpenSSH.
 %patch16 -p1 -b .audit
 %endif
 
-#%patch20 -p0 -b .gssapimitm
 %patch22 -p1 -b .keep-above
-%patch23 -p1 -b .signal
 %patch24 -p1 -b .fromto-remote
-%patch25 -p1 -b .print-err
 %patch26 -p1 -b .stack
 %patch27 -p1 -b .log-chroot
 %patch30 -p1 -b .exit-deadlock
 %patch31 -p1 -b .skip-used
 %patch35 -p1 -b .progress
-%patch36 -p0 -b .buffer-len
-%patch37 -p1 -b .typo
 %patch38 -p1 -b .grab-info
 %patch39 -p1 -b .no-v6only
-%patch40 -p1 -b .memleaks
-%patch41 -p1 -b .no-spnego
-%patch42 -p1 -b .no-dups
 %patch44 -p1 -b .ip-opts
-%patch45 -p1 -b .deattack-dos
-%patch46 -p1 -b .sig-no-cleanup
-%patch47 -p1 -b .verify
 %patch48 -p1 -b .pam-sesssion
 %patch49 -p1 -b .canohost
 
@@ -393,10 +371,10 @@ fi
 
 %pre server
 %if %{nologin}
-/usr/sbin/useradd -c "Privilege-separated SSH" -u 74 \
+/usr/sbin/useradd -c "Privilege-separated SSH" -u %{sshd_uid} \
 	-s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
 %else
-/usr/sbin/useradd -c "Privilege-separated SSH" -u 74 \
+/usr/sbin/useradd -c "Privilege-separated SSH" -u %{sshd_uid} \
 	-s /dev/null -r -d /var/empty/sshd sshd 2> /dev/null || :
 %endif
 
@@ -479,6 +457,9 @@ fi
 %endif
 
 %changelog
+* Thu Dec 21 2006 Tomas Mraz <tmraz@redhat.com> - 4.5p1-1
+- update to 4.5p1 (#212606)
+
 * Thu Nov 30 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-14
 - fix gssapi with DNS loadbalanced clusters (#216857)
 

sources

@@ -1 +1 @@
-8dcce96be628a67ce992f089d9db81ff  openssh-4.3p2-noacss.tar.bz2
+9ef9bf019945105f2ac1760c95c9b339  openssh-4.5p1-noacss.tar.bz2