- update to 4.5p1 (#212606)

2006-12-21 13:42:47 +00:00 · 2006-12-21 13:42:47 +00:00 · ad07b998ed
commit ad07b998ed
parent 914284ff3f
7 changed files with 696 additions and 32 deletions
--- a/.cvsignore
+++ b/.cvsignore
@ -1 +1 @@
-openssh-4.3p2-noacss.tar.bz2
+openssh-4.5p1-noacss.tar.bz2
--- a/openssh-4.5p1-audit.patch
+++ b/openssh-4.5p1-audit.patch
@ -0,0 +1,186 @@
 --- openssh-4.5p1/loginrec.c.audit	2006-09-07 14:57:54.000000000 +0200
 +++ openssh-4.5p1/loginrec.c	2006-12-21 12:17:35.000000000 +0100
@@ -175,6 +175,10 @@
 #include "auth.h"
 #include "buffer.h"
 +#ifdef HAVE_LINUX_AUDIT
 +# include <libaudit.h>
 +#endif
 +
 #ifdef HAVE_UTIL_H
 # include <util.h>
 #endif
@@ -201,6 +205,9 @@
 int utmpx_write_entry(struct logininfo *li);
 int wtmp_write_entry(struct logininfo *li);
 int wtmpx_write_entry(struct logininfo *li);
 +#ifdef HAVE_LINUX_AUDIT
 +int linux_audit_write_entry(struct logininfo *li);
 +#endif
 int lastlog_write_entry(struct logininfo *li);
 int syslogin_write_entry(struct logininfo *li);
@@ -439,6 +446,10 @@
 	/* set the timestamp */
 	login_set_current_time(li);
 +#ifdef HAVE_LINUX_AUDIT
 +	if (linux_audit_write_entry(li) == 0)
 +		fatal("linux_audit_write_entry failed: %s", strerror(errno));
 +#endif
 #ifdef USE_LOGIN
 	syslogin_write_entry(li);
 #endif
@@ -1393,6 +1404,51 @@
 }
 #endif /* USE_WTMPX */
 +#ifdef HAVE_LINUX_AUDIT
 +int
 +linux_audit_record_event(int uid, const char *username,
 +	const char *hostname, const char *ip, const char *ttyn, int success)
 +{
 +	char buf[64];
 +	int audit_fd, rc;
 +
 +	audit_fd = audit_open();
 +	if (audit_fd < 0) {
 +	 	if (errno == EINVAL || errno == EPROTONOSUPPORT ||
 +					errno == EAFNOSUPPORT)
 +			return 1; /* No audit support in kernel */
 +		else
 +			return 0; /* Must prevent login */
 +	}
 +	if (username == NULL)
 +		snprintf(buf, sizeof(buf), "uid=%d", uid);
 +	else
 +		snprintf(buf, sizeof(buf), "acct=%s", username);
 +	rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
 +		buf, hostname, ip, ttyn, success);
 +	close(audit_fd);
 +	if (rc >= 0)
 +		return 1;
 +	else
 +		return 0;
 +}
 +
 +int
 +linux_audit_write_entry(struct logininfo *li)
 +{
 +	switch(li->type) {
 +	case LTYPE_LOGIN:
 +		return (linux_audit_record_event(li->uid, NULL, li->hostname,
 +			NULL, li->line, 1));
 +	case LTYPE_LOGOUT:
 +		return (1);	/* We only care about logins */
 +	default:
 +		logit("%s: invalid type field", __func__);
 +		return (0);
 +	}
 +}
 +#endif /* HAVE_LINUX_AUDIT */
 +
 /**
  ** Low-level libutil login() functions
  **/
 --- openssh-4.5p1/loginrec.h.audit	2006-08-05 04:39:40.000000000 +0200
 +++ openssh-4.5p1/loginrec.h	2006-12-21 12:17:35.000000000 +0100
@@ -127,5 +127,9 @@
 char *line_abbrevname(char *dst, const char *src, int dstsize);
 void record_failed_login(const char *, const char *, const char *);
 +#ifdef HAVE_LINUX_AUDIT
 +int linux_audit_record_event(int uid, const char *username,
 +	const char *hostname, const char *ip, const char *ttyn, int success);
 +#endif /* HAVE_LINUX_AUDIT */
 #endif /* _HAVE_LOGINREC_H_ */
 --- openssh-4.5p1/Makefile.in.audit	2006-10-23 23:44:47.000000000 +0200
 +++ openssh-4.5p1/Makefile.in	2006-12-21 12:19:39.000000000 +0100
@@ -45,6 +45,7 @@
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 LIBS=@LIBS@
 LIBSELINUX=@LIBSELINUX@
 +LIBAUDIT=@LIBAUDIT@
 SSHDLIBS=@SSHDLIBS@
 LIBEDIT=@LIBEDIT@
 LIBPAM=@LIBPAM@
@@ -139,7 +140,7 @@
 	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
 -	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(SSHDLIBS) $(LIBS)
 +	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(SSHDLIBS) $(LIBS)
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
 	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 --- openssh-4.5p1/config.h.in.audit	2006-11-07 14:07:01.000000000 +0100
 +++ openssh-4.5p1/config.h.in	2006-12-21 12:17:35.000000000 +0100
@@ -1305,6 +1305,9 @@
 /* Define if you want SELinux support. */
 #undef WITH_SELINUX
 +/* Define if you want Linux audit support. */
 +#undef HAVE_LINUX_AUDIT
 +
 /* Define to 1 if your processor stores words with the most significant byte
    first (like Motorola and SPARC, unlike Intel and VAX). */
 #undef WORDS_BIGENDIAN
 --- openssh-4.5p1/configure.ac.audit	2006-12-21 12:17:34.000000000 +0100
 +++ openssh-4.5p1/configure.ac	2006-12-21 12:17:35.000000000 +0100
@@ -3161,6 +3161,20 @@
 )
 AC_SUBST(LIBSELINUX)
 +# Check whether user wants Linux audit support
 +LINUX_AUDIT_MSG="no"
 +LIBAUDIT=""
 +AC_ARG_WITH(linux-audit,
 +	[  --with-linux-audit   Enable Linux audit support],
 +	[ if test "x$withval" != "xno" ; then
 +		AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
 +		LINUX_AUDIT_MSG="yes"
 +		AC_CHECK_HEADERS(libaudit.h)
 +		LIBAUDIT="-laudit"
 +	fi
 +	])
 +AC_SUBST(LIBAUDIT)
 +
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no"
 AC_ARG_WITH(kerberos5,
@@ -3982,6 +3996,7 @@
 echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
 +echo "               Linux audit support: $LINUX_AUDIT_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
 --- openssh-4.5p1/auth.c.audit	2006-10-27 17:10:16.000000000 +0200
 +++ openssh-4.5p1/auth.c	2006-12-21 12:17:35.000000000 +0100
@@ -286,6 +286,12 @@
 		    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
 # endif
 #endif
 +#if HAVE_LINUX_AUDIT
 +	if (authenticated == 0 && !authctxt->postponed) {
 +		linux_audit_record_event(-1, authctxt->user, NULL,
 +			get_remote_ipaddr(), "sshd", 0);
 +	}
 +#endif
 #ifdef SSH_AUDIT_EVENTS
 	if (authenticated == 0 && !authctxt->postponed)
 		audit_event(audit_classify_auth(method));
@@ -492,6 +498,10 @@
 		record_failed_login(user,
 		    get_canonical_hostname(options.use_dns), "ssh");
 #endif
 +#ifdef HAVE_LINUX_AUDIT
 +		linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
 +			"sshd", 0);
 +#endif
 #ifdef SSH_AUDIT_EVENTS
 		audit_event(SSH_INVALID_USER);
 #endif /* SSH_AUDIT_EVENTS */
--- a/openssh-4.5p1-redhat.patch
+++ b/openssh-4.5p1-redhat.patch
@ -0,0 +1,99 @@
 --- openssh-4.5p1/sshd_config.0.redhat	2006-11-07 14:07:28.000000000 +0100
 +++ openssh-4.5p1/sshd_config.0	2006-12-20 22:04:16.000000000 +0100
@@ -430,9 +430,9 @@
      SyslogFacility
              Gives the facility code that is used when logging messages from
 -             sshd(8).  The possible values are: DAEMON, USER, AUTH, LOCAL0,
 -             LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  The de-
 -             fault is AUTH.
 +             sshd(8).  The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
 +             LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 +             The default is AUTH.
      TCPKeepAlive
              Specifies whether the system should send TCP keepalive messages
 --- openssh-4.5p1/sshd_config.redhat	2006-07-24 06:06:47.000000000 +0200
 +++ openssh-4.5p1/sshd_config	2006-12-20 21:59:15.000000000 +0100
@@ -12,6 +12,7 @@
 #Port 22
 #Protocol 2,1
 +Protocol 2
 #AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::
@@ -29,6 +30,7 @@
 # Logging
 # obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
 +SyslogFacility AUTHPRIV
 #LogLevel INFO
 # Authentication:
@@ -55,9 +57,11 @@
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
 +PasswordAuthentication yes
 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes
 +ChallengeResponseAuthentication no
 # Kerberos options
 #KerberosAuthentication no
@@ -67,7 +71,9 @@
 # GSSAPI options
 #GSSAPIAuthentication no
 +GSSAPIAuthentication yes
 #GSSAPICleanupCredentials yes
 +GSSAPICleanupCredentials yes
 # Set this to 'yes' to enable PAM authentication, account processing, 
 # and session processing. If this is enabled, PAM authentication will 
@@ -79,10 +85,16 @@
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 #UsePAM no
 +UsePAM yes
 +# Accept locale-related environment variables
 +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
 +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
 +AcceptEnv LC_IDENTIFICATION LC_ALL
 #AllowTcpForwarding yes
 #GatewayPorts no
 #X11Forwarding no
 +X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PrintMotd yes
 --- openssh-4.5p1/ssh_config.redhat	2006-06-13 05:01:10.000000000 +0200
 +++ openssh-4.5p1/ssh_config	2006-12-20 21:59:15.000000000 +0100
@@ -42,3 +42,13 @@
 #   Tunnel no
 #   TunnelDevice any:any
 #   PermitLocalCommand no
 +Host *
 +	GSSAPIAuthentication yes
 +# If this option is set to yes then remote X11 clients will have full access
 +# to the original X11 display. As virtually no X11 client supports the untrusted
 +# mode correctly we set this to yes.
 +	ForwardX11Trusted yes
 +# Send locale-related environment variables
 +	SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
 +	SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
 +	SendEnv LC_IDENTIFICATION LC_ALL
 --- openssh-4.5p1/sshd_config.5.redhat	2006-08-30 03:06:34.000000000 +0200
 +++ openssh-4.5p1/sshd_config.5	2006-12-20 22:05:18.000000000 +0100
@@ -740,7 +740,7 @@
 .It Cm SyslogFacility
 Gives the facility code that is used when logging messages from
 .Xr sshd 8 .
 -The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
 +The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is AUTH.
 .It Cm TCPKeepAlive
--- a/openssh-4.5p1-selinux.patch
+++ b/openssh-4.5p1-selinux.patch
@ -0,0 +1,255 @@
 --- openssh-4.5p1/auth.h.selinux	2006-08-18 16:32:46.000000000 +0200
 +++ openssh-4.5p1/auth.h	2006-12-20 22:10:48.000000000 +0100
@@ -58,6 +58,7 @@
 	char		*service;
 	struct passwd	*pw;		/* set if 'valid' */
 	char		*style;
 +	char		*role;
 	void		*kbdintctxt;
 #ifdef BSD_AUTH
 	auth_session_t	*as;
 --- openssh-4.5p1/auth1.c.selinux	2006-12-20 22:10:35.000000000 +0100
 +++ openssh-4.5p1/auth1.c	2006-12-20 22:10:48.000000000 +0100
@@ -388,7 +388,7 @@
 do_authentication(Authctxt *authctxt)
 {
 	u_int ulen;
 -	char *user, *style = NULL;
 +	char *user, *style = NULL, *role=NULL;
 	/* Get the name of the user that we wish to log in as. */
 	packet_read_expect(SSH_CMSG_USER);
@@ -397,11 +397,19 @@
 	user = packet_get_string(&ulen);
 	packet_check_eom();
 +	if ((role = strchr(user, '/')) != NULL)
 +		*role++ = '\0';
 +
 	if ((style = strchr(user, ':')) != NULL)
 		*style++ = '\0';
 +	else
 +		if (role && (style = strchr(role, ':')) != NULL)
 +			*style++ = '\0';
 +			
 	authctxt->user = user;
 	authctxt->style = style;
 +	authctxt->role = role;
 	/* Verify that the user is a valid user. */
 	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
 --- openssh-4.5p1/monitor.c.selinux	2006-11-07 13:16:08.000000000 +0100
 +++ openssh-4.5p1/monitor.c	2006-12-20 22:10:48.000000000 +0100
@@ -133,6 +133,7 @@
 int mm_answer_pwnamallow(int, Buffer *);
 int mm_answer_auth2_read_banner(int, Buffer *);
 int mm_answer_authserv(int, Buffer *);
 +int mm_answer_authrole(int, Buffer *);
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
@@ -204,6 +205,7 @@
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
 +    {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
@@ -653,6 +655,7 @@
 	else {
 		/* Allow service/style information on the auth context */
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
 +		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 	}
@@ -698,6 +701,23 @@
 }
 int
 +mm_answer_authrole(int sock, Buffer *m)
 +{
 +	monitor_permit_authentications(1);
 +
 +	authctxt->role = buffer_get_string(m, NULL);
 +	debug3("%s: role=%s",
 +	    __func__, authctxt->role);
 +
 +	if (strlen(authctxt->role) == 0) {
 +		xfree(authctxt->role);
 +		authctxt->role = NULL;
 +	}
 +
 +	return (0);
 +}
 +
 +int
 mm_answer_authpassword(int sock, Buffer *m)
 {
 	static int call_count;
 --- openssh-4.5p1/openbsd-compat/port-linux.c.selinux	2006-09-01 07:38:41.000000000 +0200
 +++ openssh-4.5p1/openbsd-compat/port-linux.c	2006-12-21 12:15:59.000000000 +0100
@@ -30,11 +30,16 @@
 #ifdef WITH_SELINUX
 #include "log.h"
 #include "port-linux.h"
 +#include "key.h"
 +#include "hostfile.h"
 +#include "auth.h"
 #include <selinux/selinux.h>
 #include <selinux/flask.h>
 #include <selinux/get_context_list.h>
 +extern Authctxt *the_authctxt;
 +
 /* Wrapper around is_selinux_enabled() to log its return value once only */
 static int
 ssh_selinux_enabled(void)
@@ -53,23 +58,36 @@
 static security_context_t
 ssh_selinux_getctxbyname(char *pwname)
 {
 -	security_context_t sc;
 -	char *sename = NULL, *lvl = NULL;
 -	int r;
 +	security_context_t sc = NULL;
 +	char *sename, *lvl;
 +	char *role = NULL;
 +	int r = 0;
 +	if (the_authctxt) 
 +		role=the_authctxt->role;
 #ifdef HAVE_GETSEUSERBYNAME
 -	if (getseuserbyname(pwname, &sename, &lvl) != 0)
 -		return NULL;
 +	if (r=getseuserbyname(pwname, &sename, &lvl) != 0) {
 +		sename = NULL;
 +		lvl = NULL;
 +	}
 #else
 	sename = pwname;
 	lvl = NULL;
 #endif
 +	if (r == 0) {
 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
 -	r = get_default_context_with_level(sename, lvl, NULL, &sc);
 +		if (role != NULL && role[0])
 +			r = get_default_context_with_rolelevel(sename, role, lvl, NULL, &sc);
 +		else
 +			r = get_default_context_with_level(sename, lvl, NULL, &sc);
 #else
 -	r = get_default_context(sename, NULL, &sc);
 +		if (role != NULL && role[0])
 +			r = get_default_context_with_role(sename, role, NULL, &sc);
 +		else
 +			r = get_default_context(sename, NULL, &sc);
 #endif
 +	}
 	if (r != 0) {
 		switch (security_getenforce()) {
 --- openssh-4.5p1/configure.ac.selinux	2006-12-20 22:10:35.000000000 +0100
 +++ openssh-4.5p1/configure.ac	2006-12-21 11:18:48.000000000 +0100
@@ -3137,8 +3137,16 @@
 SELINUX_MSG="no"
 LIBSELINUX=""
 AC_ARG_WITH(selinux,
 -	[  --with-selinux   Enable SELinux support],
 +	[  --with-selinux[[=LIBSELINUX-PATH]]   Enable SELinux support],
 	[ if test "x$withval" != "xno" ; then
 +		if test "x$withval" != "xyes"; then
 +			CPPFLAGS="$CPPFLAGS -I${withval}/include"
 +			if test -n "${need_dash_r}"; then
 +				LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
 +			else
 +				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
 +			fi
 +        	fi 
 		AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
 		SELINUX_MSG="yes"
 		AC_CHECK_HEADER([selinux/selinux.h], ,
 --- openssh-4.5p1/auth2.c.selinux	2006-08-05 04:39:39.000000000 +0200
 +++ openssh-4.5p1/auth2.c	2006-12-20 22:10:48.000000000 +0100
@@ -145,7 +145,7 @@
 {
 	Authctxt *authctxt = ctxt;
 	Authmethod *m = NULL;
 -	char *user, *service, *method, *style = NULL;
 +	char *user, *service, *method, *style = NULL, *role = NULL;
 	int authenticated = 0;
 	if (authctxt == NULL)
@@ -157,6 +157,9 @@
 	debug("userauth-request for user %s service %s method %s", user, service, method);
 	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
 +	if ((role = strchr(user, '/')) != NULL)
 +		*role++ = 0;
 +
 	if ((style = strchr(user, ':')) != NULL)
 		*style++ = 0;
@@ -182,8 +185,11 @@
 		    use_privsep ? " [net]" : "");
 		authctxt->service = xstrdup(service);
 		authctxt->style = style ? xstrdup(style) : NULL;
 -		if (use_privsep)
 +		authctxt->role = role ? xstrdup(role) : NULL;
 +		if (use_privsep) {
 			mm_inform_authserv(service, style);
 +			mm_inform_authrole(role);
 +		}
 	} else if (strcmp(user, authctxt->user) != 0 ||
 	    strcmp(service, authctxt->service) != 0) {
 		packet_disconnect("Change of username or service not allowed: "
 --- openssh-4.5p1/monitor_wrap.h.selinux	2006-08-05 04:39:40.000000000 +0200
 +++ openssh-4.5p1/monitor_wrap.h	2006-12-20 22:10:48.000000000 +0100
@@ -41,6 +41,7 @@
 DH *mm_choose_dh(int, int, int);
 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
 void mm_inform_authserv(char *, char *);
 +void mm_inform_authrole(char *);
 struct passwd *mm_getpwnamallow(const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct Authctxt *, char *);
 --- openssh-4.5p1/monitor_wrap.c.selinux	2006-09-01 07:38:37.000000000 +0200
 +++ openssh-4.5p1/monitor_wrap.c	2006-12-20 22:10:48.000000000 +0100
@@ -282,6 +282,23 @@
 	buffer_free(&m);
 }
 +/* Inform the privileged process about role */
 +
 +void
 +mm_inform_authrole(char *role)
 +{
 +	Buffer m;
 +
 +	debug3("%s entering", __func__);
 +
 +	buffer_init(&m);
 +	buffer_put_cstring(&m, role ? role : "");
 +
 +	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
 +
 +	buffer_free(&m);
 +}
 +
 /* Do the password authentication */
 int
 mm_auth_password(Authctxt *authctxt, char *password)
 --- openssh-4.5p1/monitor.h.selinux	2006-03-26 05:30:02.000000000 +0200
 +++ openssh-4.5p1/monitor.h	2006-12-20 22:10:35.000000000 +0100
@@ -30,7 +30,7 @@
 enum monitor_reqtype {
 	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
 -	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
 +	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE,
 	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
 	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
 	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
--- a/openssh-4.5p1-vendor.patch
+++ b/openssh-4.5p1-vendor.patch
@ -0,0 +1,143 @@
 --- openssh-4.5p1/servconf.h.vendor	2006-08-18 16:23:15.000000000 +0200
 +++ openssh-4.5p1/servconf.h	2006-12-20 22:06:27.000000000 +0100
@@ -120,6 +120,7 @@
 	int	max_startups;
 	int	max_authtries;
 	char   *banner;			/* SSH-2 banner message */
 +	int	show_patchlevel;	/* Show vendor patch level to clients */
 	int	use_dns;
 	int	client_alive_interval;	/*
 					 * poke the client this often to
 --- openssh-4.5p1/sshd_config.vendor	2006-12-20 22:06:27.000000000 +0100
 +++ openssh-4.5p1/sshd_config	2006-12-20 22:06:27.000000000 +0100
@@ -106,6 +106,7 @@
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
 +#ShowPatchLevel no
 #UseDNS yes
 #PidFile /var/run/sshd.pid
 #MaxStartups 10
 --- openssh-4.5p1/sshd.c.vendor	2006-11-07 13:14:42.000000000 +0100
 +++ openssh-4.5p1/sshd.c	2006-12-20 22:06:27.000000000 +0100
@@ -418,7 +418,8 @@
 		major = PROTOCOL_MAJOR_1;
 		minor = PROTOCOL_MINOR_1;
 	}
 -	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);
 +	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor,
 +		 (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION);
 	server_version_string = xstrdup(buf);
 	/* Send our protocol version identification. */
@@ -1429,7 +1430,8 @@
 		exit(1);
 	}
 -	debug("sshd version %.100s", SSH_RELEASE);
 +	debug("sshd version %.100s",
 +	      (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE);
 	/* Store privilege separation user for later use if required. */
 	if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
 --- openssh-4.5p1/configure.ac.vendor	2006-12-20 22:06:27.000000000 +0100
 +++ openssh-4.5p1/configure.ac	2006-12-20 22:06:27.000000000 +0100
@@ -3729,6 +3729,12 @@
 		fi
 	]
 )
 +AC_ARG_ENABLE(vendor-patchlevel,
 +  [  --enable-vendor-patchlevel=TAG  specify a vendor patch level],
 +  [AC_DEFINE_UNQUOTED(SSH_VENDOR_PATCHLEVEL,[SSH_RELEASE "-" "$enableval"],[Define to your vendor patch level, if it has been modified from the upstream source release.])
 +   SSH_VENDOR_PATCHLEVEL="$enableval"],
 +  [AC_DEFINE(SSH_VENDOR_PATCHLEVEL,SSH_RELEASE,[Define to your vendor patch level, if it has been modified from the upstream source release.])
 +   SSH_VENDOR_PATCHLEVEL=none])
 dnl lastlog, [uw]tmpx? detection
 dnl  NOTE: set the paths in the platform section to avoid the
@@ -3978,6 +3984,7 @@
 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
 echo "              Random number source: $RAND_MSG"
 +echo "                Vendor patch level: $SSH_VENDOR_PATCHLEVEL"
 if test ! -z "$USE_RAND_HELPER" ; then
 echo "     ssh-rand-helper collects from: $RAND_HELPER_MSG"
 fi
 --- openssh-4.5p1/sshd_config.0.vendor	2006-12-20 22:06:27.000000000 +0100
 +++ openssh-4.5p1/sshd_config.0	2006-12-20 22:06:27.000000000 +0100
@@ -413,6 +413,11 @@
              Defines the number of bits in the ephemeral protocol version 1
              server key.  The minimum value is 512, and the default is 768.
 +     ShowPatchLevel
 +	     Specifies whether sshd will display the specific patch level of
 +	     the binary in the server identification string.  The patch level
 +	     is set at compile-time.  The default is M-bM-^@M-^\noM-bM-^@M-^].
 +
      StrictModes
              Specifies whether sshd(8) should check file modes and ownership
              of the user's files and home directory before accepting login.
 --- openssh-4.5p1/servconf.c.vendor	2006-08-18 16:23:15.000000000 +0200
 +++ openssh-4.5p1/servconf.c	2006-12-20 22:08:41.000000000 +0100
@@ -113,6 +113,7 @@
 	options->max_startups = -1;
 	options->max_authtries = -1;
 	options->banner = NULL;
 +	options->show_patchlevel = -1;
 	options->use_dns = -1;
 	options->client_alive_interval = -1;
 	options->client_alive_count_max = -1;
@@ -250,6 +251,9 @@
 	if (options->permit_tun == -1)
 		options->permit_tun = SSH_TUNMODE_NO;
 +	if (options->show_patchlevel == -1)
 +		options->show_patchlevel = 0;
 +
 	/* Turn privilege separation on by default */
 	if (use_privsep == -1)
 		use_privsep = 1;
@@ -293,6 +297,7 @@
 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand,
 	sUsePrivilegeSeparation,
 +	sShowPatchLevel,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
@@ -390,6 +395,7 @@
 	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
 	{ "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
 	{ "banner", sBanner, SSHCFG_GLOBAL },
 +	{ "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL },
 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1006,6 +1012,10 @@
 		intptr = &use_privsep;
 		goto parse_flag;
 +	case sShowPatchLevel:
 +		intptr = &options->show_patchlevel;
 +		goto parse_flag;
 +
 	case sAllowUsers:
 		while ((arg = strdelim(&cp)) && *arg != '\0') {
 			if (options->num_allow_users >= MAX_ALLOW_USERS)
 --- openssh-4.5p1/sshd_config.5.vendor	2006-12-20 22:06:27.000000000 +0100
 +++ openssh-4.5p1/sshd_config.5	2006-12-20 22:06:27.000000000 +0100
@@ -717,6 +717,14 @@
 .It Cm ServerKeyBits
 Defines the number of bits in the ephemeral protocol version 1 server key.
 The minimum value is 512, and the default is 768.
 +.It Cm ShowPatchLevel
 +Specifies whether
 +.Nm sshd
 +will display the patch level of the binary in the identification string.
 +The patch level is set at compile-time.
 +The default is
 +.Dq no .
 +This option applies to protocol version 1 only.
 .It Cm StrictModes
 Specifies whether
 .Xr sshd 8
--- a/openssh.spec
+++ b/openssh.spec
@ -60,8 +60,8 @@
 Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
 Name: openssh
-Version: 4.3p2
+Version: 4.5p1
-Release: 14%{?dist}%{?rescue_rel}
+Release: 1%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig
@ -69,34 +69,23 @@ URL: http://www.openssh.com/portable.html
 # removes the ACSS cipher.
 Source0: openssh-%{version}-noacss.tar.bz2
 Source1: openssh-nukeacss.sh
-Patch0: openssh-4.3p1-redhat.patch
+Patch0: openssh-4.5p1-redhat.patch
 Patch2: openssh-3.8.1p1-skip-initial.patch
 Patch3: openssh-3.8.1p1-krb5-config.patch
-Patch4: openssh-4.3p1-vendor.patch
+Patch4: openssh-4.5p1-vendor.patch
 Patch5: openssh-4.3p2-initscript.patch
-Patch12: openssh-selinux.patch
+Patch12: openssh-4.5p1-selinux.patch
-Patch16: openssh-4.3p1-audit.patch
+Patch16: openssh-4.5p1-audit.patch
 Patch20: openssh-3.9p1-gssapimitm.patch
 Patch22: openssh-3.9p1-askpass-keep-above.patch
 Patch23: openssh-3.9p1-no-log-signal.patch
 Patch24: openssh-4.3p1-fromto-remote.patch
 Patch25: openssh-4.3p2-scp-print-err.patch
 Patch26: openssh-4.2p1-pam-no-stack.patch
 Patch27: openssh-3.9p1-log-in-chroot.patch
 Patch30: openssh-4.0p1-exit-deadlock.patch
 Patch31: openssh-3.9p1-skip-used.patch
 Patch35: openssh-4.2p1-askpass-progress.patch
 Patch36: openssh-4.3p2-buffer-len.patch
 Patch37: openssh-4.3p2-configure-typo.patch
 Patch38: openssh-4.3p2-askpass-grab-info.patch
 Patch39: openssh-4.3p2-no-v6only.patch
 Patch40: openssh-4.3p2-coverity-memleaks.patch
 Patch41: openssh-4.3p2-gssapi-no-spnego.patch
 Patch42: openssh-4.3p2-no-dup-logs.patch
 Patch44: openssh-4.3p2-allow-ip-opts.patch
 Patch45: openssh-4.3p2-cve-2006-4924.patch
 Patch46: openssh-3.9p1-cve-2006-5051.patch
 Patch47: openssh-4.3p2-cve-2006-5794.patch
 Patch48: openssh-4.3p2-pam-session.patch
 Patch49: openssh-4.3p2-gssapi-canohost.patch
 License: BSD
@ -212,27 +201,16 @@ an X11 passphrase dialog for OpenSSH.
 %patch16 -p1 -b .audit
 %endif
 #%patch20 -p0 -b .gssapimitm
 %patch22 -p1 -b .keep-above
 %patch23 -p1 -b .signal
 %patch24 -p1 -b .fromto-remote
 %patch25 -p1 -b .print-err
 %patch26 -p1 -b .stack
 %patch27 -p1 -b .log-chroot
 %patch30 -p1 -b .exit-deadlock
 %patch31 -p1 -b .skip-used
 %patch35 -p1 -b .progress
 %patch36 -p0 -b .buffer-len
 %patch37 -p1 -b .typo
 %patch38 -p1 -b .grab-info
 %patch39 -p1 -b .no-v6only
 %patch40 -p1 -b .memleaks
 %patch41 -p1 -b .no-spnego
 %patch42 -p1 -b .no-dups
 %patch44 -p1 -b .ip-opts
 %patch45 -p1 -b .deattack-dos
 %patch46 -p1 -b .sig-no-cleanup
 %patch47 -p1 -b .verify
 %patch48 -p1 -b .pam-sesssion
 %patch49 -p1 -b .canohost
@ -393,10 +371,10 @@ fi
 %pre server
 %if %{nologin}
-/usr/sbin/useradd -c "Privilege-separated SSH" -u 74 \
+/usr/sbin/useradd -c "Privilege-separated SSH" -u %{sshd_uid} \
 	-s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
 %else
-/usr/sbin/useradd -c "Privilege-separated SSH" -u 74 \
+/usr/sbin/useradd -c "Privilege-separated SSH" -u %{sshd_uid} \
 	-s /dev/null -r -d /var/empty/sshd sshd 2> /dev/null || :
 %endif
@ -479,6 +457,9 @@ fi
 %endif
 %changelog
 * Thu Dec 21 2006 Tomas Mraz <tmraz@redhat.com> - 4.5p1-1
 - update to 4.5p1 (#212606)
 * Thu Nov 30 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-14
 - fix gssapi with DNS loadbalanced clusters (#216857)
--- a/2
+++ b/2
@ -1 +1 @@
-8dcce96be628a67ce992f089d9db81ff  openssh-4.3p2-noacss.tar.bz2
+9ef9bf019945105f2ac1760c95c9b339  openssh-4.5p1-noacss.tar.bz2
`@ -1 +1 @@`
	`openssh-4.3p2-noacss.tar.bz2`	`openssh-4.5p1-noacss.tar.bz2`
`@ -1 +1 @@`
	`8dcce96be628a67ce992f089d9db81ff openssh-4.3p2-noacss.tar.bz2`	`9ef9bf019945105f2ac1760c95c9b339 openssh-4.5p1-noacss.tar.bz2`