- upgrade to latest upstream

- use libedit in sftp (#203009)
- fixed audit log injection problem (CVE-2007-3102)
This commit is contained in:
Tomáš Mráz 2007-09-06 19:49:16 +00:00
parent f370730d3b
commit c9833c96a4
14 changed files with 1306 additions and 1240 deletions


@ -1 +1 @@
openssh-4.5p1-noacss.tar.bz2 openssh-4.7p1-noacss.tar.bz2


@ -1,53 +0,0 @@
--- openssh-3.9p1/log.h.log-chroot 2006-02-22 10:54:04.000000000 +0100
+++ openssh-3.9p1/log.h 2006-02-22 10:53:29.000000000 +0100
@@ -63,4 +63,6 @@
void do_log(LogLevel, const char *, va_list);
void cleanup_exit(int) __dead;
+
+void open_log(void);
#endif
--- openssh-3.9p1/log.c.log-chroot 2006-02-22 13:29:48.000000000 +0100
+++ openssh-3.9p1/log.c 2006-02-22 10:56:01.000000000 +0100
@@ -48,6 +48,7 @@
static int log_on_stderr = 1;
static int log_facility = LOG_AUTH;
static char *argv0;
+static int log_fd_keep;
extern char *__progname;
@@ -330,9 +331,20 @@
syslog_r(pri, &sdata, "%.500s", fmtbuf);
closelog_r(&sdata);
#else
+ if (!log_fd_keep) {
openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
+ }
syslog(pri, "%.500s", fmtbuf);
+ if (!log_fd_keep) {
closelog();
+ }
#endif
}
}
+
+void
+open_log(void)
+{
+ openlog(argv0 ? argv0 : __progname, LOG_PID|LOG_NDELAY, log_facility);
+ log_fd_keep = 1;
+}
--- openssh-3.9p1/sshd.c.log-chroot 2006-01-11 13:42:32.000000000 +0100
+++ openssh-3.9p1/sshd.c 2006-02-22 18:58:24.000000000 +0100
@@ -565,6 +565,10 @@
memset(pw->pw_passwd, 0, strlen(pw->pw_passwd));
endpwent();
+ /* Open the syslog permanently so the chrooted process still
+ can write to syslog. */
+ open_log();
+
/* Change our root directory */
if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,


@ -0,0 +1,62 @@
--- openssh-4.3p2/loginrec.c.inject-fix 2007-06-20 21:18:00.000000000 +0200
+++ openssh-4.3p2/loginrec.c 2007-07-13 15:25:35.000000000 +0200
@@ -1389,11 +1389,44 @@
#endif /* USE_WTMPX */
#ifdef HAVE_LINUX_AUDIT
+static void
+_audit_hexscape(const char *what, char *where, unsigned int size)
+{
+ const char *ptr = what;
+ const char *hex = "0123456789ABCDEF";
+
+ while (*ptr) {
+ if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) {
+ unsigned int i;
+ ptr = what;
+ for (i = 0; *ptr && i+2 < size; i += 2) {
+ where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */
+ where[i+1] = hex[(unsigned)*ptr & 0x0F]; /* Lower nibble */
+ ptr++;
+ }
+ where[i] = '\0';
+ return;
+ }
+ ptr++;
+ }
+ where[0] = '"';
+ if ((unsigned)(ptr - what) < size - 3)
+ {
+ size = ptr - what + 3;
+ }
+ strncpy(where + 1, what, size - 3);
+ where[size-2] = '"';
+ where[size-1] = '\0';
+}
+
+#define AUDIT_LOG_SIZE 128
+#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8)
+
int
linux_audit_record_event(int uid, const char *username,
const char *hostname, const char *ip, const char *ttyn, int success)
{
- char buf[64];
+ char buf[AUDIT_LOG_SIZE];
int audit_fd, rc;
audit_fd = audit_open();
@@ -1406,8 +1439,11 @@
}
if (username == NULL)
snprintf(buf, sizeof(buf), "uid=%d", uid);
- else
- snprintf(buf, sizeof(buf), "acct=%s", username);
+ else {
+ char encoded[AUDIT_ACCT_SIZE];
+ _audit_hexscape(username, encoded, sizeof(encoded));
+ snprintf(buf, sizeof(buf), "acct=%s", encoded);
+ }
rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
buf, hostname, ip, ttyn, success);
close(audit_fd);
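Review bot: `_audit_hexscape` truncates silently on both paths — the hex loop at `for (i = 0; *ptr && i+2 < size; i += 2)` stops once the output is full and the quoted path copies at most `size - 3` bytes — so a long, attacker-chosen user name yields a shortened `acct=` value with no marker; that is still far safer than the injection being fixed, but it deserves a comment on the helper such as `/* Output is truncated to fit size; the result is always a well-formed audit value. */`. Since `size` is `unsigned int`, `size - 3` wraps for `size < 3` and `strncpy` would then run past `where`; the only caller passes AUDIT_ACCT_SIZE (120), but a guard `if (size < 3) { if (size) where[0] = '\0'; return; }` at the top keeps the helper safe on its own. The test `*ptr < 0x21 || *ptr > 0x7E` catches bytes >= 0x80 under either `char` signedness (negative when signed, > 0x7E when unsigned), but writing `(unsigned char)*ptr` would make that intent explicit. `linux_audit_record_event` continues past the end of the second hunk.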


@ -1,6 +1,34 @@
--- openssh-4.5p1/loginrec.c.audit 2006-09-07 14:57:54.000000000 +0200 diff -up openssh-4.7p1/auth.c.audit openssh-4.7p1/auth.c
+++ openssh-4.5p1/loginrec.c 2006-12-21 12:17:35.000000000 +0100 --- openssh-4.7p1/auth.c.audit 2007-03-26 18:35:28.000000000 +0200
@@ -175,6 +175,10 @@ +++ openssh-4.7p1/auth.c 2007-09-06 17:07:44.000000000 +0200
@@ -286,6 +286,12 @@ auth_log(Authctxt *authctxt, int authent
get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
# endif
#endif
+#if HAVE_LINUX_AUDIT
+ if (authenticated == 0 && !authctxt->postponed) {
+ linux_audit_record_event(-1, authctxt->user, NULL,
+ get_remote_ipaddr(), "sshd", 0);
+ }
+#endif
#ifdef SSH_AUDIT_EVENTS
if (authenticated == 0 && !authctxt->postponed)
audit_event(audit_classify_auth(method));
@@ -492,6 +498,10 @@ getpwnamallow(const char *user)
record_failed_login(user,
get_canonical_hostname(options.use_dns), "ssh");
#endif
+#ifdef HAVE_LINUX_AUDIT
+ linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
+ "sshd", 0);
+#endif
#ifdef SSH_AUDIT_EVENTS
audit_event(SSH_INVALID_USER);
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-4.7p1/loginrec.c.audit openssh-4.7p1/loginrec.c
--- openssh-4.7p1/loginrec.c.audit 2007-04-29 04:10:58.000000000 +0200
+++ openssh-4.7p1/loginrec.c 2007-09-06 17:07:44.000000000 +0200
@@ -176,6 +176,10 @@
#include "auth.h" #include "auth.h"
#include "buffer.h" #include "buffer.h"
@ -11,7 +39,7 @@
#ifdef HAVE_UTIL_H #ifdef HAVE_UTIL_H
# include <util.h> # include <util.h>
#endif #endif
@@ -201,6 +205,9 @@ @@ -202,6 +206,9 @@ int utmp_write_entry(struct logininfo *l
int utmpx_write_entry(struct logininfo *li); int utmpx_write_entry(struct logininfo *li);
int wtmp_write_entry(struct logininfo *li); int wtmp_write_entry(struct logininfo *li);
int wtmpx_write_entry(struct logininfo *li); int wtmpx_write_entry(struct logininfo *li);
@ -21,7 +49,7 @@
int lastlog_write_entry(struct logininfo *li); int lastlog_write_entry(struct logininfo *li);
int syslogin_write_entry(struct logininfo *li); int syslogin_write_entry(struct logininfo *li);
@@ -439,6 +446,10 @@ @@ -440,6 +447,10 @@ login_write(struct logininfo *li)
/* set the timestamp */ /* set the timestamp */
login_set_current_time(li); login_set_current_time(li);
@ -32,7 +60,7 @@
#ifdef USE_LOGIN #ifdef USE_LOGIN
syslogin_write_entry(li); syslogin_write_entry(li);
#endif #endif
@@ -1393,6 +1404,51 @@ @@ -1394,6 +1405,51 @@ wtmpx_get_entry(struct logininfo *li)
} }
#endif /* USE_WTMPX */ #endif /* USE_WTMPX */
@ -84,40 +112,10 @@
/** /**
** Low-level libutil login() functions ** Low-level libutil login() functions
**/ **/
--- openssh-4.5p1/loginrec.h.audit 2006-08-05 04:39:40.000000000 +0200 diff -up openssh-4.7p1/config.h.in.audit openssh-4.7p1/config.h.in
+++ openssh-4.5p1/loginrec.h 2006-12-21 12:17:35.000000000 +0100 --- openssh-4.7p1/config.h.in.audit 2007-09-04 08:50:04.000000000 +0200
@@ -127,5 +127,9 @@ +++ openssh-4.7p1/config.h.in 2007-09-06 17:07:44.000000000 +0200
char *line_abbrevname(char *dst, const char *src, int dstsize); @@ -1334,6 +1334,9 @@
void record_failed_login(const char *, const char *, const char *);
+#ifdef HAVE_LINUX_AUDIT
+int linux_audit_record_event(int uid, const char *username,
+ const char *hostname, const char *ip, const char *ttyn, int success);
+#endif /* HAVE_LINUX_AUDIT */
#endif /* _HAVE_LOGINREC_H_ */
--- openssh-4.5p1/Makefile.in.audit 2006-10-23 23:44:47.000000000 +0200
+++ openssh-4.5p1/Makefile.in 2006-12-21 12:19:39.000000000 +0100
@@ -45,6 +45,7 @@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
LIBS=@LIBS@
LIBSELINUX=@LIBSELINUX@
+LIBAUDIT=@LIBAUDIT@
SSHDLIBS=@SSHDLIBS@
LIBEDIT=@LIBEDIT@
LIBPAM=@LIBPAM@
@@ -139,7 +140,7 @@
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(SSHDLIBS) $(LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(SSHDLIBS) $(LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
--- openssh-4.5p1/config.h.in.audit 2006-11-07 14:07:01.000000000 +0100
+++ openssh-4.5p1/config.h.in 2006-12-21 12:17:35.000000000 +0100
@@ -1305,6 +1305,9 @@
/* Define if you want SELinux support. */ /* Define if you want SELinux support. */
#undef WITH_SELINUX #undef WITH_SELINUX
@ -127,30 +125,42 @@
/* Define to 1 if your processor stores words with the most significant byte /* Define to 1 if your processor stores words with the most significant byte
first (like Motorola and SPARC, unlike Intel and VAX). */ first (like Motorola and SPARC, unlike Intel and VAX). */
#undef WORDS_BIGENDIAN #undef WORDS_BIGENDIAN
--- openssh-4.5p1/configure.ac.audit 2006-12-21 12:17:34.000000000 +0100 diff -up openssh-4.7p1/loginrec.h.audit openssh-4.7p1/loginrec.h
+++ openssh-4.5p1/configure.ac 2006-12-21 12:17:35.000000000 +0100 --- openssh-4.7p1/loginrec.h.audit 2006-08-05 04:39:40.000000000 +0200
@@ -3161,6 +3161,20 @@ +++ openssh-4.7p1/loginrec.h 2007-09-06 17:07:44.000000000 +0200
@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
char *line_abbrevname(char *dst, const char *src, int dstsize);
void record_failed_login(const char *, const char *, const char *);
+#ifdef HAVE_LINUX_AUDIT
+int linux_audit_record_event(int uid, const char *username,
+ const char *hostname, const char *ip, const char *ttyn, int success);
+#endif /* HAVE_LINUX_AUDIT */
#endif /* _HAVE_LOGINREC_H_ */
diff -up openssh-4.7p1/configure.ac.audit openssh-4.7p1/configure.ac
--- openssh-4.7p1/configure.ac.audit 2007-09-06 17:07:44.000000000 +0200
+++ openssh-4.7p1/configure.ac 2007-09-06 17:15:23.000000000 +0200
@@ -3216,6 +3216,18 @@ AC_ARG_WITH(selinux,
fi ]
) )
AC_SUBST(LIBSELINUX)
+# Check whether user wants Linux audit support +# Check whether user wants Linux audit support
+LINUX_AUDIT_MSG="no" +LINUX_AUDIT_MSG="no"
+LIBAUDIT=""
+AC_ARG_WITH(linux-audit, +AC_ARG_WITH(linux-audit,
+ [ --with-linux-audit Enable Linux audit support], + [ --with-linux-audit Enable Linux audit support],
+ [ if test "x$withval" != "xno" ; then + [ if test "x$withval" != "xno" ; then
+ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.]) + AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
+ LINUX_AUDIT_MSG="yes" + LINUX_AUDIT_MSG="yes"
+ AC_CHECK_HEADERS(libaudit.h) + AC_CHECK_HEADERS(libaudit.h)
+ LIBAUDIT="-laudit" + SSHDLIBS="$SSHDLIBS -laudit"
+ fi + fi ]
+ ]) +)
+AC_SUBST(LIBAUDIT)
+ +
# Check whether user wants Kerberos 5 support # Check whether user wants Kerberos 5 support
KRB5_MSG="no" KRB5_MSG="no"
AC_ARG_WITH(kerberos5, AC_ARG_WITH(kerberos5,
@@ -3982,6 +3996,7 @@ @@ -4037,6 +4049,7 @@ echo " PAM support
echo " OSF SIA support: $SIA_MSG" echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG" echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG" echo " SELinux support: $SELINUX_MSG"
@ -158,29 +168,3 @@
echo " Smartcard support: $SCARD_MSG" echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG" echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG" echo " TCP Wrappers support: $TCPW_MSG"
--- openssh-4.5p1/auth.c.audit 2006-10-27 17:10:16.000000000 +0200
+++ openssh-4.5p1/auth.c 2006-12-21 12:17:35.000000000 +0100
@@ -286,6 +286,12 @@
get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
# endif
#endif
+#if HAVE_LINUX_AUDIT
+ if (authenticated == 0 && !authctxt->postponed) {
+ linux_audit_record_event(-1, authctxt->user, NULL,
+ get_remote_ipaddr(), "sshd", 0);
+ }
+#endif
#ifdef SSH_AUDIT_EVENTS
if (authenticated == 0 && !authctxt->postponed)
audit_event(audit_classify_auth(method));
@@ -492,6 +498,10 @@
record_failed_login(user,
get_canonical_hostname(options.use_dns), "ssh");
#endif
+#ifdef HAVE_LINUX_AUDIT
+ linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
+ "sshd", 0);
+#endif
#ifdef SSH_AUDIT_EVENTS
audit_event(SSH_INVALID_USER);
#endif /* SSH_AUDIT_EVENTS */
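Review bot: The two new `auth.c` call sites test the feature macro inconsistently — `#if HAVE_LINUX_AUDIT` in `auth_log` versus `#ifdef HAVE_LINUX_AUDIT` in `getpwnamallow` and in `loginrec.h`; both compile because configure defines the macro to 1, but `#if` on a possibly-undefined name is exactly what `-Wundef` exists to catch, so the `auth_log` guard should read `#ifdef HAVE_LINUX_AUDIT`. At both sites the return value of `linux_audit_record_event` is dropped, so an audit subsystem failure (its error path after `audit_open()` is not in the hunk) leaves nothing in sshd's own log; if that best-effort behaviour is intended, a one-line comment saying so would save the next reader a question. `auth_log` and `getpwnamallow` both start and end outside their hunks.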


@ -0,0 +1,57 @@
diff -up openssh-4.7p1/sshd.c.log-chroot openssh-4.7p1/sshd.c
--- openssh-4.7p1/sshd.c.log-chroot 2007-09-06 17:24:13.000000000 +0200
+++ openssh-4.7p1/sshd.c 2007-09-06 17:24:13.000000000 +0200
@@ -596,6 +596,10 @@ privsep_preauth_child(void)
/* Demote the private keys to public keys. */
demote_sensitive_data();
+ /* Open the syslog permanently so the chrooted process still
+ can write to syslog. */
+ open_log();
+
/* Change our root directory */
if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
diff -up openssh-4.7p1/log.c.log-chroot openssh-4.7p1/log.c
--- openssh-4.7p1/log.c.log-chroot 2007-05-20 07:08:16.000000000 +0200
+++ openssh-4.7p1/log.c 2007-09-06 17:29:34.000000000 +0200
@@ -56,6 +56,7 @@ static LogLevel log_level = SYSLOG_LEVEL
static int log_on_stderr = 1;
static int log_facility = LOG_AUTH;
static char *argv0;
+static int log_fd_keep;
extern char *__progname;
@@ -370,10 +371,21 @@ do_log(LogLevel level, const char *fmt,
syslog_r(pri, &sdata, "%.500s", fmtbuf);
closelog_r(&sdata);
#else
+ if (!log_fd_keep) {
openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
+ }
syslog(pri, "%.500s", fmtbuf);
+ if (!log_fd_keep) {
closelog();
+ }
#endif
}
errno = saved_errno;
}
+
+void
+open_log(void)
+{
+ openlog(argv0 ? argv0 : __progname, LOG_PID|LOG_NDELAY, log_facility);
+ log_fd_keep = 1;
+}
diff -up openssh-4.7p1/log.h.log-chroot openssh-4.7p1/log.h
--- openssh-4.7p1/log.h.log-chroot 2006-08-18 16:32:21.000000000 +0200
+++ openssh-4.7p1/log.h 2007-09-06 17:24:13.000000000 +0200
@@ -62,4 +62,6 @@ void debug3(const char *, ...) __att
void do_log(LogLevel, const char *, va_list);
void cleanup_exit(int) __dead;
+
+void open_log(void);
#endif
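Review bot: The comment added in `privsep_preauth_child` promises more than `open_log` can deliver: `LOG_NDELAY` keeps one connected socket across the `chroot`, but libc's `syslog()` reopens `/dev/log` when a send fails (glibc does so after the syslog daemon restarts), and that path does not exist under `_PATH_PRIVSEP_CHROOT_DIR`, so later messages from the pre-auth child are dropped silently — say so, e.g. `/* Open the syslog socket now so the chrooted process can still log; if syslogd restarts while we are chrooted, later messages are lost. */`. Once `log_fd_keep` is set, `do_log` never calls `openlog` again, so a subsequent `log_init` that changes `log_facility` or `argv0` has no effect in that process; `log_init` is not in the hunk, so either have it clear `log_fd_keep` or document on `open_log` that it must be called after the final `log_init`. `do_log` starts before its hunk.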


@ -1,5 +1,53 @@
--- openssh-4.5p1/openbsd-compat/port-linux.c.mls 2007-01-16 22:13:32.000000000 +0100 diff -up openssh-4.7p1/misc.c.mls openssh-4.7p1/misc.c
+++ openssh-4.5p1/openbsd-compat/port-linux.c 2007-03-20 10:07:39.000000000 +0100 --- openssh-4.7p1/misc.c.mls 2007-01-05 06:24:48.000000000 +0100
+++ openssh-4.7p1/misc.c 2007-09-06 17:39:28.000000000 +0200
@@ -418,6 +418,7 @@ char *
colon(char *cp)
{
int flag = 0;
+ int start = 1;
if (*cp == ':') /* Leading colon is part of file name. */
return (0);
@@ -431,8 +432,13 @@ colon(char *cp)
return (cp+1);
if (*cp == ':' && !flag)
return (cp);
- if (*cp == '/')
- return (0);
+ if (start) {
+ /* Slash on beginning or after dots only denotes file name. */
+ if (*cp == '/')
+ return (0);
+ if (*cp != '.')
+ start = 0;
+ }
}
return (0);
}
diff -up openssh-4.7p1/session.c.mls openssh-4.7p1/session.c
--- openssh-4.7p1/session.c.mls 2007-09-06 17:39:28.000000000 +0200
+++ openssh-4.7p1/session.c 2007-09-06 17:39:28.000000000 +0200
@@ -1347,10 +1347,6 @@ do_setusercontext(struct passwd *pw)
#endif
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
-
-#ifdef WITH_SELINUX
- ssh_selinux_setup_exec_context(pw->pw_name);
-#endif
}
static void
diff -up openssh-4.7p1/openbsd-compat/port-linux.c.mls openssh-4.7p1/openbsd-compat/port-linux.c
--- openssh-4.7p1/openbsd-compat/port-linux.c.mls 2007-09-06 17:39:28.000000000 +0200
+++ openssh-4.7p1/openbsd-compat/port-linux.c 2007-08-07 17:38:18.000000000 +0200
@@ -1,4 +1,4 @@
-/* $Id: port-linux.c,v 1.4 2007/06/27 22:48:03 djm Exp $ */
+/* $Id: port-linux.c,v 1.3 2006/09/01 05:38:41 djm Exp $ */
/*
* Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
@@ -33,12 +33,23 @@ @@ -33,12 +33,23 @@
#include "key.h" #include "key.h"
#include "hostfile.h" #include "hostfile.h"
@ -24,7 +72,7 @@
/* Wrapper around is_selinux_enabled() to log its return value once only */ /* Wrapper around is_selinux_enabled() to log its return value once only */
static int static int
@@ -54,17 +65,173 @@ @@ -54,17 +65,173 @@ ssh_selinux_enabled(void)
return (enabled); return (enabled);
} }
@ -204,7 +252,7 @@
#ifdef HAVE_GETSEUSERBYNAME #ifdef HAVE_GETSEUSERBYNAME
if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) { if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
sename = NULL; sename = NULL;
@@ -72,37 +239,63 @@ @@ -72,37 +239,62 @@ ssh_selinux_getctxbyname(char *pwname)
} }
#else #else
sename = pwname; sename = pwname;
@ -236,6 +284,7 @@
- case 0: - case 0:
- error("%s: Failed to get default SELinux security " - error("%s: Failed to get default SELinux security "
- "context for %s", __func__, pwname); - "context for %s", __func__, pwname);
- break;
- default: - default:
- fatal("%s: Failed to get default SELinux security " - fatal("%s: Failed to get default SELinux security "
- "context for %s (in enforcing mode)", - "context for %s (in enforcing mode)",
@ -257,7 +306,7 @@
+ reqlvl = ""; + reqlvl = "";
+ +
+ debug("%s: current connection level '%s'", __func__, reqlvl); + debug("%s: current connection level '%s'", __func__, reqlvl);
+ } }
+ +
+ if ((reqlvl != NULL && reqlvl[0]) || (role != NULL && role[0])) { + if ((reqlvl != NULL && reqlvl[0]) || (role != NULL && role[0])) {
+ r = get_user_context(sename, role, reqlvl, user_sc); + r = get_user_context(sename, role, reqlvl, user_sc);
@ -280,16 +329,15 @@
+ } + }
+ } else { + } else {
+ *user_sc = *default_sc; + *user_sc = *default_sc;
} + }
} + }
+ if (r != 0) { + if (r != 0) {
+ error("%s: Failed to get default SELinux security " + error("%s: Failed to get default SELinux security "
+ "context for %s", __func__, pwname); + "context for %s", __func__, pwname);
+ } }
#ifdef HAVE_GETSEUSERBYNAME #ifdef HAVE_GETSEUSERBYNAME
if (sename != NULL) @@ -111,14 +303,20 @@ ssh_selinux_getctxbyname(char *pwname)
@@ -110,14 +303,20 @@
if (lvl != NULL) if (lvl != NULL)
xfree(lvl); xfree(lvl);
#endif #endif
@ -311,7 +359,7 @@
security_context_t user_ctx = NULL; security_context_t user_ctx = NULL;
if (!ssh_selinux_enabled()) if (!ssh_selinux_enabled())
@@ -125,21 +324,39 @@ @@ -126,22 +324,39 @@ ssh_selinux_setup_exec_context(char *pwn
debug3("%s: setting execution context", __func__); debug3("%s: setting execution context", __func__);
@ -342,7 +390,7 @@
- "context for %s", __func__, pwname); - "context for %s", __func__, pwname);
+ error("%s: SELinux failure. Continuing in permissive mode.", + error("%s: SELinux failure. Continuing in permissive mode.",
+ __func__); + __func__);
+ break; break;
default: default:
- fatal("%s: Failed to set SELinux execution context " - fatal("%s: Failed to set SELinux execution context "
- "for %s (in enforcing mode)", __func__, pwname); - "for %s (in enforcing mode)", __func__, pwname);
@ -358,7 +406,7 @@
debug3("%s: done", __func__); debug3("%s: done", __func__);
} }
@@ -157,7 +374,10 @@ @@ -159,7 +374,10 @@ ssh_selinux_setup_pty(char *pwname, cons
debug3("%s: setting TTY context on %s", __func__, tty); debug3("%s: setting TTY context on %s", __func__, tty);
@ -370,9 +418,10 @@
/* XXX: should these calls fatal() upon failure in enforcing mode? */ /* XXX: should these calls fatal() upon failure in enforcing mode? */
--- openssh-4.5p1/sshd.c.mls 2007-01-16 22:13:32.000000000 +0100 diff -up openssh-4.7p1/sshd.c.mls openssh-4.7p1/sshd.c
+++ openssh-4.5p1/sshd.c 2007-01-16 22:13:32.000000000 +0100 --- openssh-4.7p1/sshd.c.mls 2007-09-06 17:39:28.000000000 +0200
@@ -1833,6 +1833,9 @@ +++ openssh-4.7p1/sshd.c 2007-09-06 17:39:28.000000000 +0200
@@ -1838,6 +1838,9 @@ main(int ac, char **av)
restore_uid(); restore_uid();
} }
#endif #endif
@ -382,42 +431,3 @@
#ifdef USE_PAM #ifdef USE_PAM
if (options.use_pam) { if (options.use_pam) {
do_pam_setcred(1); do_pam_setcred(1);
--- openssh-4.5p1/misc.c.mls 2006-08-05 04:39:40.000000000 +0200
+++ openssh-4.5p1/misc.c 2007-01-16 22:13:32.000000000 +0100
@@ -418,6 +418,7 @@
colon(char *cp)
{
int flag = 0;
+ int start = 1;
if (*cp == ':') /* Leading colon is part of file name. */
return (0);
@@ -431,8 +432,13 @@
return (cp+1);
if (*cp == ':' && !flag)
return (cp);
- if (*cp == '/')
- return (0);
+ if (start) {
+ /* Slash on beginning or after dots only denotes file name. */
+ if (*cp == '/')
+ return (0);
+ if (*cp != '.')
+ start = 0;
+ }
}
return (0);
}
--- openssh-4.5p1/session.c.mls 2007-01-16 22:13:32.000000000 +0100
+++ openssh-4.5p1/session.c 2007-01-16 22:13:32.000000000 +0100
@@ -1347,10 +1347,6 @@
#endif
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
-
-#ifdef WITH_SELINUX
- ssh_selinux_setup_exec_context(pw->pw_name);
-#endif
}
static void
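Review bot: The `start` logic changes what `colon()` treats as a local path, and the one-line comment does not explain why: previously any `/` before the first `:` made the argument local, now only a leading `/` (optionally preceded by dots) does, so `dir/file:name` — a local file whose name contains a colon — is now parsed as host `dir/file` with remote path `name`. The motivation is presumably to allow an SELinux role in the form `user/role@host:path`, but nothing in the hunk says so; replace the comment with something like `/* Only a leading "/" (after optional dots, as in "./" and "../") marks a local path, so that user/role@host:path can carry an SELinux role; local names containing ":" must be given with a "./" prefix. */`. Note the dot rule is looser than `./` and `../`: any run of leading dots keeps `start` set, so `..../x:y` is local while `.config/x:y` is treated as remote. The `for` header and the rest of `colon()` lie outside the two hunks.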



@ -1,28 +1,80 @@
--- openssh-4.3p2/auth-pam.c.pam-session 2006-11-27 17:39:08.000000000 +0100 diff -up openssh-4.7p1/session.c.pam-session openssh-4.7p1/session.c
+++ openssh-4.3p2/auth-pam.c 2006-11-27 19:31:41.000000000 +0100 --- openssh-4.7p1/session.c.pam-session 2007-08-16 15:28:04.000000000 +0200
@@ -563,15 +563,17 @@ +++ openssh-4.7p1/session.c 2007-09-06 17:37:46.000000000 +0200
void @@ -422,11 +422,6 @@ do_exec_no_pty(Session *s, const char *c
sshpam_cleanup(void)
{ session_proctitle(s);
- debug("PAM: cleanup");
- if (sshpam_handle == NULL) -#if defined(USE_PAM)
+ if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor())) - if (options.use_pam && !use_privsep)
return; - do_pam_setcred(1);
+ debug("PAM: cleanup"); -#endif /* USE_PAM */
pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv); -
if (sshpam_cred_established) { /* Fork the child. */
+ debug("PAM: deleting credentials"); if ((pid = fork()) == 0) {
pam_setcred(sshpam_handle, PAM_DELETE_CRED); is_child = 1;
sshpam_cred_established = 0; @@ -557,14 +552,6 @@ do_exec_pty(Session *s, const char *comm
} ptyfd = s->ptyfd;
if (sshpam_session_open) { ttyfd = s->ttyfd;
+ debug("PAM: closing session");
pam_close_session(sshpam_handle, PAM_SILENT); -#if defined(USE_PAM)
sshpam_session_open = 0; - if (options.use_pam) {
} - do_pam_set_tty(s->tty);
--- openssh-4.3p2/sshd.c.pam-session 2006-11-27 17:29:44.000000000 +0100 - if (!use_privsep)
+++ openssh-4.3p2/sshd.c 2006-11-28 21:21:52.000000000 +0100 - do_pam_setcred(1);
@@ -1745,7 +1745,21 @@ - }
-#endif
-
/* Fork the child. */
if ((pid = fork()) == 0) {
is_child = 1;
@@ -1300,17 +1287,9 @@ do_setusercontext(struct passwd *pw)
# ifdef __bsdi__
setpgid(0, 0);
# endif
-#ifdef GSSAPI
- if (options.gss_authentication) {
- temporarily_use_uid(pw);
- ssh_gssapi_storecreds();
- restore_uid();
- }
-#endif
# ifdef USE_PAM
if (options.use_pam) {
- do_pam_session();
- do_pam_setcred(use_privsep);
+ do_pam_setcred(0);
}
# endif /* USE_PAM */
if (setusercontext(lc, pw, pw->pw_uid,
@@ -1337,13 +1316,6 @@ do_setusercontext(struct passwd *pw)
exit(1);
}
endgrent();
-#ifdef GSSAPI
- if (options.gss_authentication) {
- temporarily_use_uid(pw);
- ssh_gssapi_storecreds();
- restore_uid();
- }
-#endif
# ifdef USE_PAM
/*
* PAM credentials may take the form of supplementary groups.
@@ -1351,8 +1323,7 @@ do_setusercontext(struct passwd *pw)
* Reestablish them here.
*/
if (options.use_pam) {
- do_pam_session();
- do_pam_setcred(use_privsep);
+ do_pam_setcred(0);
}
# endif /* USE_PAM */
# if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY)
diff -up openssh-4.7p1/sshd.c.pam-session openssh-4.7p1/sshd.c
--- openssh-4.7p1/sshd.c.pam-session 2007-09-06 17:37:46.000000000 +0200
+++ openssh-4.7p1/sshd.c 2007-09-06 17:37:46.000000000 +0200
@@ -1831,7 +1831,21 @@ main(int ac, char **av)
audit_event(SSH_AUTH_SUCCESS); audit_event(SSH_AUTH_SUCCESS);
#endif #endif
@ -45,9 +97,10 @@
* In privilege separation, we fork another child and prepare * In privilege separation, we fork another child and prepare
* file descriptor passing. * file descriptor passing.
*/ */
--- openssh-4.3p2/monitor.c.pam-session 2006-11-27 17:29:44.000000000 +0100 diff -up openssh-4.7p1/monitor.c.pam-session openssh-4.7p1/monitor.c
+++ openssh-4.3p2/monitor.c 2006-11-28 14:01:23.000000000 +0100 --- openssh-4.7p1/monitor.c.pam-session 2007-09-06 17:37:46.000000000 +0200
@@ -1539,6 +1539,11 @@ +++ openssh-4.7p1/monitor.c 2007-09-06 17:37:46.000000000 +0200
@@ -1566,6 +1566,11 @@ mm_answer_term(int sock, Buffer *req)
/* The child is terminating */ /* The child is terminating */
session_destroy_all(&mm_session_close); session_destroy_all(&mm_session_close);
@ -59,71 +112,26 @@
while (waitpid(pmonitor->m_pid, &status, 0) == -1) while (waitpid(pmonitor->m_pid, &status, 0) == -1)
if (errno != EINTR) if (errno != EINTR)
exit(1); exit(1);
--- openssh-4.3p2/session.c.pam-session 2006-11-27 17:29:43.000000000 +0100 diff -up openssh-4.7p1/auth-pam.c.pam-session openssh-4.7p1/auth-pam.c
+++ openssh-4.3p2/session.c 2006-11-28 21:17:56.000000000 +0100 --- openssh-4.7p1/auth-pam.c.pam-session 2007-08-10 06:32:34.000000000 +0200
@@ -395,11 +395,6 @@ +++ openssh-4.7p1/auth-pam.c 2007-09-06 17:37:46.000000000 +0200
@@ -598,15 +598,17 @@ static struct pam_conv store_conv = { ss
session_proctitle(s); void
sshpam_cleanup(void)
-#if defined(USE_PAM) {
- if (options.use_pam && !use_privsep) - debug("PAM: cleanup");
- do_pam_setcred(1); - if (sshpam_handle == NULL)
-#endif /* USE_PAM */ + if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
- return;
/* Fork the child. */ + debug("PAM: cleanup");
if ((pid = fork()) == 0) { pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
is_child = 1; if (sshpam_cred_established) {
@@ -530,14 +525,6 @@ + debug("PAM: deleting credentials");
ptyfd = s->ptyfd; pam_setcred(sshpam_handle, PAM_DELETE_CRED);
ttyfd = s->ttyfd; sshpam_cred_established = 0;
}
-#if defined(USE_PAM) if (sshpam_session_open) {
- if (options.use_pam) { + debug("PAM: closing session");
- do_pam_set_tty(s->tty); pam_close_session(sshpam_handle, PAM_SILENT);
- if (!use_privsep) sshpam_session_open = 0;
- do_pam_setcred(1); }
- }
-#endif
-
/* Fork the child. */
if ((pid = fork()) == 0) {
is_child = 1;
@@ -1266,16 +1253,8 @@
# ifdef __bsdi__
setpgid(0, 0);
# endif
-#ifdef GSSAPI
- if (options.gss_authentication) {
- temporarily_use_uid(pw);
- ssh_gssapi_storecreds();
- restore_uid();
- }
-#endif
# ifdef USE_PAM
if (options.use_pam) {
- do_pam_session();
do_pam_setcred(0);
}
# endif /* USE_PAM */
@@ -1303,13 +1282,6 @@
exit(1);
}
endgrent();
-#ifdef GSSAPI
- if (options.gss_authentication) {
- temporarily_use_uid(pw);
- ssh_gssapi_storecreds();
- restore_uid();
- }
-#endif
# ifdef USE_PAM
/*
* PAM credentials may take the form of supplementary groups.
@@ -1317,7 +1289,6 @@
* Reestablish them here.
*/
if (options.use_pam) {
- do_pam_session();
do_pam_setcred(0);
}
# endif /* USE_PAM */
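Review bot: `do_exec_pty` loses `do_pam_set_tty(s->tty)` and nothing visible in this patch sets the tty elsewhere, so when the session is opened PAM modules see only whatever `PAM_TTY` value was set at initialisation rather than the real pty name; presumably `do_pam_session()` moved into the hidden 14-line `sshd.c` hunk after `audit_event(SSH_AUTH_SUCCESS)`, which runs before any pty exists, so modules that key on the tty (pam_selinux, pam_lastlog, tty-based access rules) are affected. If that is accepted, a comment at the old `do_exec_pty` call site such as `/* PAM session is opened in the monitor before pty allocation; PAM_TTY is not updated to the real tty. */` should record it; otherwise the monitor needs to receive the tty name before `pam_open_session`. The new early return in `sshpam_cleanup`, `use_privsep && !mm_is_monitor()`, correctly leaves credential deletion and session closing to the monitor, but that intent is worth one sentence above the condition. `do_exec_pty` and `do_setusercontext` start and end outside their hunks.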


@ -1,29 +1,7 @@
--- openssh-4.5p1/sshd_config.0.redhat 2006-11-07 14:07:28.000000000 +0100 diff -up openssh-4.7p1/sshd_config.redhat openssh-4.7p1/sshd_config
+++ openssh-4.5p1/sshd_config.0 2006-12-20 22:04:16.000000000 +0100 --- openssh-4.7p1/sshd_config.redhat 2007-03-21 10:42:25.000000000 +0100
@@ -430,9 +430,9 @@ +++ openssh-4.7p1/sshd_config 2007-09-06 16:23:58.000000000 +0200
@@ -33,6 +33,7 @@ Protocol 2
SyslogFacility
Gives the facility code that is used when logging messages from
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de-
- fault is AUTH.
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+ The default is AUTH.
TCPKeepAlive
Specifies whether the system should send TCP keepalive messages
--- openssh-4.5p1/sshd_config.redhat 2006-07-24 06:06:47.000000000 +0200
+++ openssh-4.5p1/sshd_config 2006-12-20 21:59:15.000000000 +0100
@@ -12,6 +12,7 @@
#Port 22
#Protocol 2,1
+Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
@@ -29,6 +30,7 @@
# Logging # Logging
# obsoletes QuietMode and FascistLogging # obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH #SyslogFacility AUTH
@ -31,7 +9,7 @@
#LogLevel INFO #LogLevel INFO
# Authentication: # Authentication:
@@ -55,9 +57,11 @@ @@ -59,9 +60,11 @@ Protocol 2
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes #PasswordAuthentication yes
#PermitEmptyPasswords no #PermitEmptyPasswords no
@ -43,7 +21,7 @@
# Kerberos options # Kerberos options
#KerberosAuthentication no #KerberosAuthentication no
@@ -67,7 +71,9 @@ @@ -71,7 +74,9 @@ Protocol 2
# GSSAPI options # GSSAPI options
#GSSAPIAuthentication no #GSSAPIAuthentication no
@ -53,7 +31,7 @@
# Set this to 'yes' to enable PAM authentication, account processing, # Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will # and session processing. If this is enabled, PAM authentication will
@@ -79,10 +85,16 @@ @@ -83,10 +88,16 @@ Protocol 2
# PAM authentication, then enable this but set PasswordAuthentication # PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'. # and ChallengeResponseAuthentication to 'no'.
#UsePAM no #UsePAM no
@ -70,9 +48,10 @@
#X11DisplayOffset 10 #X11DisplayOffset 10
#X11UseLocalhost yes #X11UseLocalhost yes
#PrintMotd yes #PrintMotd yes
--- openssh-4.5p1/ssh_config.redhat 2006-06-13 05:01:10.000000000 +0200 diff -up openssh-4.7p1/ssh_config.redhat openssh-4.7p1/ssh_config
+++ openssh-4.5p1/ssh_config 2006-12-20 21:59:15.000000000 +0100 --- openssh-4.7p1/ssh_config.redhat 2007-06-11 06:04:42.000000000 +0200
@@ -42,3 +42,13 @@ +++ openssh-4.7p1/ssh_config 2007-09-06 16:21:49.000000000 +0200
@@ -43,3 +43,13 @@
# Tunnel no # Tunnel no
# TunnelDevice any:any # TunnelDevice any:any
# PermitLocalCommand no # PermitLocalCommand no
@ -86,9 +65,26 @@
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES + SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL + SendEnv LC_IDENTIFICATION LC_ALL
--- openssh-4.5p1/sshd_config.5.redhat 2006-08-30 03:06:34.000000000 +0200 diff -up openssh-4.7p1/sshd_config.0.redhat openssh-4.7p1/sshd_config.0
+++ openssh-4.5p1/sshd_config.5 2006-12-20 22:05:18.000000000 +0100 --- openssh-4.7p1/sshd_config.0.redhat 2007-09-04 08:50:11.000000000 +0200
@@ -740,7 +740,7 @@ +++ openssh-4.7p1/sshd_config.0 2007-09-06 16:21:49.000000000 +0200
@@ -435,9 +435,9 @@ DESCRIPTION
SyslogFacility
Gives the facility code that is used when logging messages from
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de-
- fault is AUTH.
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+ The default is AUTH.
TCPKeepAlive
Specifies whether the system should send TCP keepalive messages
diff -up openssh-4.7p1/sshd_config.5.redhat openssh-4.7p1/sshd_config.5
--- openssh-4.7p1/sshd_config.5.redhat 2007-06-11 06:07:13.000000000 +0200
+++ openssh-4.7p1/sshd_config.5 2007-09-06 16:21:49.000000000 +0200
@@ -748,7 +748,7 @@ Note that this option applies to protoco
.It Cm SyslogFacility .It Cm SyslogFacility
Gives the facility code that is used when logging messages from Gives the facility code that is used when logging messages from
.Xr sshd 8 . .Xr sshd 8 .


@ -1,16 +1,18 @@
--- openssh-4.5p1/auth.h.selinux 2006-08-18 16:32:46.000000000 +0200 diff -up openssh-4.7p1/configure.ac.selinux openssh-4.7p1/configure.ac
+++ openssh-4.5p1/auth.h 2006-12-20 22:10:48.000000000 +0100 --- openssh-4.7p1/configure.ac.selinux 2007-09-06 19:46:32.000000000 +0200
@@ -58,6 +58,7 @@ +++ openssh-4.7p1/configure.ac 2007-09-06 19:52:23.000000000 +0200
char *service; @@ -3211,6 +3211,7 @@ AC_ARG_WITH(selinux,
struct passwd *pw; /* set if 'valid' */ AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
char *style; AC_MSG_ERROR(SELinux support requires libselinux library))
+ char *role; SSHDLIBS="$SSHDLIBS $LIBSELINUX"
void *kbdintctxt; + LIBS="$LIBS $LIBSELINUX"
#ifdef BSD_AUTH AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
auth_session_t *as; LIBS="$save_LIBS"
--- openssh-4.5p1/auth1.c.selinux 2006-12-20 22:10:35.000000000 +0100 fi ]
+++ openssh-4.5p1/auth1.c 2006-12-20 22:10:48.000000000 +0100 diff -up openssh-4.7p1/auth1.c.selinux openssh-4.7p1/auth1.c
@@ -388,7 +388,7 @@ --- openssh-4.7p1/auth1.c.selinux 2007-09-06 19:46:32.000000000 +0200
+++ openssh-4.7p1/auth1.c 2007-09-06 19:46:32.000000000 +0200
@@ -388,7 +388,7 @@ void
do_authentication(Authctxt *authctxt) do_authentication(Authctxt *authctxt)
{ {
u_int ulen; u_int ulen;
@ -19,7 +21,7 @@
/* Get the name of the user that we wish to log in as. */ /* Get the name of the user that we wish to log in as. */
packet_read_expect(SSH_CMSG_USER); packet_read_expect(SSH_CMSG_USER);
@@ -397,11 +397,19 @@ @@ -397,11 +397,19 @@ do_authentication(Authctxt *authctxt)
user = packet_get_string(&ulen); user = packet_get_string(&ulen);
packet_check_eom(); packet_check_eom();
@ -39,58 +41,59 @@
/* Verify that the user is a valid user. */ /* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
--- openssh-4.5p1/monitor.c.selinux 2006-11-07 13:16:08.000000000 +0100 diff -up openssh-4.7p1/monitor_wrap.h.selinux openssh-4.7p1/monitor_wrap.h
+++ openssh-4.5p1/monitor.c 2006-12-20 22:10:48.000000000 +0100 --- openssh-4.7p1/monitor_wrap.h.selinux 2006-08-05 04:39:40.000000000 +0200
@@ -133,6 +133,7 @@ +++ openssh-4.7p1/monitor_wrap.h 2007-09-06 19:46:32.000000000 +0200
int mm_answer_pwnamallow(int, Buffer *); @@ -41,6 +41,7 @@ int mm_is_monitor(void);
int mm_answer_auth2_read_banner(int, Buffer *); DH *mm_choose_dh(int, int, int);
int mm_answer_authserv(int, Buffer *); int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
+int mm_answer_authrole(int, Buffer *); void mm_inform_authserv(char *, char *);
int mm_answer_authpassword(int, Buffer *); +void mm_inform_authrole(char *);
int mm_answer_bsdauthquery(int, Buffer *); struct passwd *mm_getpwnamallow(const char *);
int mm_answer_bsdauthrespond(int, Buffer *); char *mm_auth2_read_banner(void);
@@ -204,6 +205,7 @@ int mm_auth_password(struct Authctxt *, char *);
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, diff -up openssh-4.7p1/monitor.h.selinux openssh-4.7p1/monitor.h
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, --- openssh-4.7p1/monitor.h.selinux 2006-03-26 05:30:02.000000000 +0200
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, +++ openssh-4.7p1/monitor.h 2007-09-06 19:46:32.000000000 +0200
+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole}, @@ -30,7 +30,7 @@
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
@@ -653,6 +655,7 @@
else {
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
}
@@ -698,6 +701,23 @@ enum monitor_reqtype {
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
- MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+ MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE,
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
diff -up openssh-4.7p1/monitor_wrap.c.selinux openssh-4.7p1/monitor_wrap.c
--- openssh-4.7p1/monitor_wrap.c.selinux 2007-06-11 06:01:42.000000000 +0200
+++ openssh-4.7p1/monitor_wrap.c 2007-09-06 19:46:32.000000000 +0200
@@ -294,6 +294,23 @@ mm_inform_authserv(char *service, char *
buffer_free(&m);
} }
int +/* Inform the privileged process about role */
+mm_answer_authrole(int sock, Buffer *m) +
+void
+mm_inform_authrole(char *role)
+{ +{
+ monitor_permit_authentications(1); + Buffer m;
+ +
+ authctxt->role = buffer_get_string(m, NULL); + debug3("%s entering", __func__);
+ debug3("%s: role=%s",
+ __func__, authctxt->role);
+ +
+ if (strlen(authctxt->role) == 0) { + buffer_init(&m);
+ xfree(authctxt->role); + buffer_put_cstring(&m, role ? role : "");
+ authctxt->role = NULL;
+ }
+ +
+ return (0); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+ buffer_free(&m);
+} +}
+ +
+int /* Do the password authentication */
mm_answer_authpassword(int sock, Buffer *m) int
{ mm_auth_password(Authctxt *authctxt, char *password)
static int call_count; diff -up openssh-4.7p1/openbsd-compat/port-linux.c.selinux openssh-4.7p1/openbsd-compat/port-linux.c
--- openssh-4.5p1/openbsd-compat/port-linux.c.selinux 2006-09-01 07:38:41.000000000 +0200 --- openssh-4.7p1/openbsd-compat/port-linux.c.selinux 2007-06-28 00:48:03.000000000 +0200
+++ openssh-4.5p1/openbsd-compat/port-linux.c 2006-12-21 12:15:59.000000000 +0100 +++ openssh-4.7p1/openbsd-compat/port-linux.c 2007-09-06 19:46:32.000000000 +0200
@@ -30,11 +30,16 @@ @@ -30,11 +30,16 @@
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
#include "log.h" #include "log.h"
@ -108,7 +111,7 @@
/* Wrapper around is_selinux_enabled() to log its return value once only */ /* Wrapper around is_selinux_enabled() to log its return value once only */
static int static int
ssh_selinux_enabled(void) ssh_selinux_enabled(void)
@@ -53,23 +58,36 @@ @@ -53,23 +58,36 @@ ssh_selinux_enabled(void)
static security_context_t static security_context_t
ssh_selinux_getctxbyname(char *pwname) ssh_selinux_getctxbyname(char *pwname)
{ {
@ -152,29 +155,21 @@
if (r != 0) { if (r != 0) {
switch (security_getenforce()) { switch (security_getenforce()) {
--- openssh-4.5p1/configure.ac.selinux 2006-12-20 22:10:35.000000000 +0100 diff -up openssh-4.7p1/auth.h.selinux openssh-4.7p1/auth.h
+++ openssh-4.5p1/configure.ac 2006-12-21 11:18:48.000000000 +0100 --- openssh-4.7p1/auth.h.selinux 2006-08-18 16:32:46.000000000 +0200
@@ -3137,8 +3137,16 @@ +++ openssh-4.7p1/auth.h 2007-09-06 19:46:32.000000000 +0200
SELINUX_MSG="no" @@ -58,6 +58,7 @@ struct Authctxt {
LIBSELINUX="" char *service;
AC_ARG_WITH(selinux, struct passwd *pw; /* set if 'valid' */
- [ --with-selinux Enable SELinux support], char *style;
+ [ --with-selinux[[=LIBSELINUX-PATH]] Enable SELinux support], + char *role;
[ if test "x$withval" != "xno" ; then void *kbdintctxt;
+ if test "x$withval" != "xyes"; then #ifdef BSD_AUTH
+ CPPFLAGS="$CPPFLAGS -I${withval}/include" auth_session_t *as;
+ if test -n "${need_dash_r}"; then diff -up openssh-4.7p1/auth2.c.selinux openssh-4.7p1/auth2.c
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" --- openssh-4.7p1/auth2.c.selinux 2007-05-20 06:58:41.000000000 +0200
+ else +++ openssh-4.7p1/auth2.c 2007-09-06 19:46:32.000000000 +0200
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}" @@ -141,7 +141,7 @@ input_userauth_request(int type, u_int32
+ fi
+ fi
AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
SELINUX_MSG="yes"
AC_CHECK_HEADER([selinux/selinux.h], ,
--- openssh-4.5p1/auth2.c.selinux 2006-08-05 04:39:39.000000000 +0200
+++ openssh-4.5p1/auth2.c 2006-12-20 22:10:48.000000000 +0100
@@ -145,7 +145,7 @@
{ {
Authctxt *authctxt = ctxt; Authctxt *authctxt = ctxt;
Authmethod *m = NULL; Authmethod *m = NULL;
@ -183,7 +178,7 @@
int authenticated = 0; int authenticated = 0;
if (authctxt == NULL) if (authctxt == NULL)
@@ -157,6 +157,9 @@ @@ -153,6 +153,9 @@ input_userauth_request(int type, u_int32
debug("userauth-request for user %s service %s method %s", user, service, method); debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
@ -193,7 +188,7 @@
if ((style = strchr(user, ':')) != NULL) if ((style = strchr(user, ':')) != NULL)
*style++ = 0; *style++ = 0;
@@ -182,8 +185,11 @@ @@ -178,8 +181,11 @@ input_userauth_request(int type, u_int32
use_privsep ? " [net]" : ""); use_privsep ? " [net]" : "");
authctxt->service = xstrdup(service); authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL; authctxt->style = style ? xstrdup(style) : NULL;
@ -206,50 +201,54 @@
} else if (strcmp(user, authctxt->user) != 0 || } else if (strcmp(user, authctxt->user) != 0 ||
strcmp(service, authctxt->service) != 0) { strcmp(service, authctxt->service) != 0) {
packet_disconnect("Change of username or service not allowed: " packet_disconnect("Change of username or service not allowed: "
--- openssh-4.5p1/monitor_wrap.h.selinux 2006-08-05 04:39:40.000000000 +0200 diff -up openssh-4.7p1/monitor.c.selinux openssh-4.7p1/monitor.c
+++ openssh-4.5p1/monitor_wrap.h 2006-12-20 22:10:48.000000000 +0100 --- openssh-4.7p1/monitor.c.selinux 2007-05-20 07:10:16.000000000 +0200
@@ -41,6 +41,7 @@ +++ openssh-4.7p1/monitor.c 2007-09-06 19:46:32.000000000 +0200
DH *mm_choose_dh(int, int, int); @@ -133,6 +133,7 @@ int mm_answer_sign(int, Buffer *);
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); int mm_answer_pwnamallow(int, Buffer *);
void mm_inform_authserv(char *, char *); int mm_answer_auth2_read_banner(int, Buffer *);
+void mm_inform_authrole(char *); int mm_answer_authserv(int, Buffer *);
struct passwd *mm_getpwnamallow(const char *); +int mm_answer_authrole(int, Buffer *);
char *mm_auth2_read_banner(void); int mm_answer_authpassword(int, Buffer *);
int mm_auth_password(struct Authctxt *, char *); int mm_answer_bsdauthquery(int, Buffer *);
--- openssh-4.5p1/monitor_wrap.c.selinux 2006-09-01 07:38:37.000000000 +0200 int mm_answer_bsdauthrespond(int, Buffer *);
+++ openssh-4.5p1/monitor_wrap.c 2006-12-20 22:10:48.000000000 +0100 @@ -204,6 +205,7 @@ struct mon_table mon_dispatch_proto20[]
@@ -282,6 +282,23 @@ {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
buffer_free(&m); {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
@@ -657,6 +659,7 @@ mm_answer_pwnamallow(int sock, Buffer *m
else {
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
}
@@ -702,6 +705,23 @@ mm_answer_authserv(int sock, Buffer *m)
} }
+/* Inform the privileged process about role */ int
+ +mm_answer_authrole(int sock, Buffer *m)
+void
+mm_inform_authrole(char *role)
+{ +{
+ Buffer m; + monitor_permit_authentications(1);
+ +
+ debug3("%s entering", __func__); + authctxt->role = buffer_get_string(m, NULL);
+ debug3("%s: role=%s",
+ __func__, authctxt->role);
+ +
+ buffer_init(&m); + if (strlen(authctxt->role) == 0) {
+ buffer_put_cstring(&m, role ? role : ""); + xfree(authctxt->role);
+ authctxt->role = NULL;
+ }
+ +
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m); + return (0);
+
+ buffer_free(&m);
+} +}
+ +
/* Do the password authentication */ +int
int mm_answer_authpassword(int sock, Buffer *m)
mm_auth_password(Authctxt *authctxt, char *password) {
--- openssh-4.5p1/monitor.h.selinux 2006-03-26 05:30:02.000000000 +0200 static int call_count;
+++ openssh-4.5p1/monitor.h 2006-12-20 22:10:35.000000000 +0100
@@ -30,7 +30,7 @@
enum monitor_reqtype {
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
- MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+ MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE,
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
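Review bot: In the new monitor.c hunk, `mm_answer_authrole` stores the role string received from the unprivileged child verbatim (`authctxt->role = buffer_get_string(m, NULL);`) with only an empty-string normalisation to NULL, so whatever role the client asked for crosses into the privileged monitor unfiltered; presumably the SELinux code in port-linux.c checks it against the roles the user is allowed, but nothing in this hunk records that expectation. A comment on that line, `/* role is client-chosen; the SELinux context code must reject roles the user is not permitted */`, would make the trust boundary explicit for the next maintainer. The request is registered `MON_ONCE` and only permitted after `mm_answer_pwnamallow` succeeds, so the assignment cannot overwrite or leak an earlier role. In the monitor.h hunk, `MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE,` is missing a space after the comma, and inserting the value mid-enum renumbers every later request type, which is safe only because both privsep halves are built from the same binary; a short comment there would save a future reader the question.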


@ -1,6 +1,6 @@
diff -up openssh-4.5p1/sftp-client.c.drain-acks openssh-4.5p1/sftp-client.c diff -up openssh-4.7p1/sftp-client.c.drain-acks openssh-4.7p1/sftp-client.c
--- openssh-4.5p1/sftp-client.c.drain-acks 2006-10-23 19:03:02.000000000 +0200 --- openssh-4.7p1/sftp-client.c.drain-acks 2007-02-19 12:13:39.000000000 +0100
+++ openssh-4.5p1/sftp-client.c 2007-08-07 17:46:16.000000000 +0200 +++ openssh-4.7p1/sftp-client.c 2007-09-06 17:54:41.000000000 +0200
@@ -992,7 +992,8 @@ int @@ -992,7 +992,8 @@ int
do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
int pflag) int pflag)
@ -20,7 +20,7 @@ diff -up openssh-4.5p1/sftp-client.c.drain-acks openssh-4.5p1/sftp-client.c
len = 0; len = 0;
else do else do
len = read(local_fd, data, conn->transfer_buflen); len = read(local_fd, data, conn->transfer_buflen);
@@ -1131,17 +1132,6 @@ do_upload(struct sftp_conn *conn, char * @@ -1131,18 +1132,6 @@ do_upload(struct sftp_conn *conn, char *
fatal("Can't find request for ID %u", r_id); fatal("Can't find request for ID %u", r_id);
TAILQ_REMOVE(&acks, ack, tq); TAILQ_REMOVE(&acks, ack, tq);
@ -33,12 +33,13 @@ diff -up openssh-4.5p1/sftp-client.c.drain-acks openssh-4.5p1/sftp-client.c
- close(local_fd); - close(local_fd);
- xfree(data); - xfree(data);
- xfree(ack); - xfree(ack);
- status = -1;
- goto done; - goto done;
- } - }
debug3("In write loop, ack for %u %u bytes at %llu", debug3("In write loop, ack for %u %u bytes at %llu",
ack->id, ack->len, (unsigned long long)ack->offset); ack->id, ack->len, (unsigned long long)ack->offset);
++ackid; ++ackid;
@@ -1153,21 +1143,25 @@ do_upload(struct sftp_conn *conn, char * @@ -1154,21 +1143,25 @@ do_upload(struct sftp_conn *conn, char *
stop_progress_meter(); stop_progress_meter();
xfree(data); xfree(data);


@ -1,48 +1,7 @@
--- openssh-4.5p1/servconf.h.vendor 2006-08-18 16:23:15.000000000 +0200 diff -up openssh-4.7p1/configure.ac.vendor openssh-4.7p1/configure.ac
+++ openssh-4.5p1/servconf.h 2006-12-20 22:06:27.000000000 +0100 --- openssh-4.7p1/configure.ac.vendor 2007-09-06 16:27:47.000000000 +0200
@@ -120,6 +120,7 @@ +++ openssh-4.7p1/configure.ac 2007-09-06 16:27:47.000000000 +0200
int max_startups; @@ -3792,6 +3792,12 @@ AC_ARG_WITH(lastlog,
int max_authtries;
char *banner; /* SSH-2 banner message */
+ int show_patchlevel; /* Show vendor patch level to clients */
int use_dns;
int client_alive_interval; /*
* poke the client this often to
--- openssh-4.5p1/sshd_config.vendor 2006-12-20 22:06:27.000000000 +0100
+++ openssh-4.5p1/sshd_config 2006-12-20 22:06:27.000000000 +0100
@@ -106,6 +106,7 @@
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
+#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
--- openssh-4.5p1/sshd.c.vendor 2006-11-07 13:14:42.000000000 +0100
+++ openssh-4.5p1/sshd.c 2006-12-20 22:06:27.000000000 +0100
@@ -418,7 +418,8 @@
major = PROTOCOL_MAJOR_1;
minor = PROTOCOL_MINOR_1;
}
- snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);
+ snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor,
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION);
server_version_string = xstrdup(buf);
/* Send our protocol version identification. */
@@ -1429,7 +1430,8 @@
exit(1);
}
- debug("sshd version %.100s", SSH_RELEASE);
+ debug("sshd version %.100s",
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE);
/* Store privilege separation user for later use if required. */
if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
--- openssh-4.5p1/configure.ac.vendor 2006-12-20 22:06:27.000000000 +0100
+++ openssh-4.5p1/configure.ac 2006-12-20 22:06:27.000000000 +0100
@@ -3729,6 +3729,12 @@
fi fi
] ]
) )
@ -55,7 +14,7 @@
dnl lastlog, [uw]tmpx? detection dnl lastlog, [uw]tmpx? detection
dnl NOTE: set the paths in the platform section to avoid the dnl NOTE: set the paths in the platform section to avoid the
@@ -3978,6 +3984,7 @@ @@ -4041,6 +4047,7 @@ echo " IP address in \$DISPLAY hac
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo " BSD Auth support: $BSD_AUTH_MSG" echo " BSD Auth support: $BSD_AUTH_MSG"
echo " Random number source: $RAND_MSG" echo " Random number source: $RAND_MSG"
@ -63,70 +22,10 @@
if test ! -z "$USE_RAND_HELPER" ; then if test ! -z "$USE_RAND_HELPER" ; then
echo " ssh-rand-helper collects from: $RAND_HELPER_MSG" echo " ssh-rand-helper collects from: $RAND_HELPER_MSG"
fi fi
--- openssh-4.5p1/sshd_config.0.vendor 2006-12-20 22:06:27.000000000 +0100 diff -up openssh-4.7p1/sshd_config.5.vendor openssh-4.7p1/sshd_config.5
+++ openssh-4.5p1/sshd_config.0 2006-12-20 22:06:27.000000000 +0100 --- openssh-4.7p1/sshd_config.5.vendor 2007-09-06 16:27:47.000000000 +0200
@@ -413,6 +413,11 @@ +++ openssh-4.7p1/sshd_config.5 2007-09-06 16:27:47.000000000 +0200
Defines the number of bits in the ephemeral protocol version 1 @@ -725,6 +725,14 @@ This option applies to protocol version
server key. The minimum value is 512, and the default is 768.
+ ShowPatchLevel
+ Specifies whether sshd will display the specific patch level of
+ the binary in the server identification string. The patch level
+ is set at compile-time. The default is M-bM-^@M-^\noM-bM-^@M-^].
+
StrictModes
Specifies whether sshd(8) should check file modes and ownership
of the user's files and home directory before accepting login.
--- openssh-4.5p1/servconf.c.vendor 2006-08-18 16:23:15.000000000 +0200
+++ openssh-4.5p1/servconf.c 2006-12-20 22:08:41.000000000 +0100
@@ -113,6 +113,7 @@
options->max_startups = -1;
options->max_authtries = -1;
options->banner = NULL;
+ options->show_patchlevel = -1;
options->use_dns = -1;
options->client_alive_interval = -1;
options->client_alive_count_max = -1;
@@ -250,6 +251,9 @@
if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
+ if (options->show_patchlevel == -1)
+ options->show_patchlevel = 0;
+
/* Turn privilege separation on by default */
if (use_privsep == -1)
use_privsep = 1;
@@ -293,6 +297,7 @@
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand,
sUsePrivilegeSeparation,
+ sShowPatchLevel,
sDeprecated, sUnsupported
} ServerOpCodes;
@@ -390,6 +395,7 @@
{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
{ "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
{ "banner", sBanner, SSHCFG_GLOBAL },
+ { "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL },
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1006,6 +1012,10 @@
intptr = &use_privsep;
goto parse_flag;
+ case sShowPatchLevel:
+ intptr = &options->show_patchlevel;
+ goto parse_flag;
+
case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS)
--- openssh-4.5p1/sshd_config.5.vendor 2006-12-20 22:06:27.000000000 +0100
+++ openssh-4.5p1/sshd_config.5 2006-12-20 22:06:27.000000000 +0100
@@ -717,6 +717,14 @@
.It Cm ServerKeyBits .It Cm ServerKeyBits
Defines the number of bits in the ephemeral protocol version 1 server key. Defines the number of bits in the ephemeral protocol version 1 server key.
The minimum value is 512, and the default is 768. The minimum value is 512, and the default is 768.
@ -141,3 +40,111 @@
.It Cm StrictModes .It Cm StrictModes
Specifies whether Specifies whether
.Xr sshd 8 .Xr sshd 8
diff -up openssh-4.7p1/servconf.h.vendor openssh-4.7p1/servconf.h
--- openssh-4.7p1/servconf.h.vendor 2007-02-19 12:25:38.000000000 +0100
+++ openssh-4.7p1/servconf.h 2007-09-06 16:27:47.000000000 +0200
@@ -120,6 +120,7 @@ typedef struct {
int max_startups;
int max_authtries;
char *banner; /* SSH-2 banner message */
+ int show_patchlevel; /* Show vendor patch level to clients */
int use_dns;
int client_alive_interval; /*
* poke the client this often to
diff -up openssh-4.7p1/servconf.c.vendor openssh-4.7p1/servconf.c
--- openssh-4.7p1/servconf.c.vendor 2007-05-20 07:03:16.000000000 +0200
+++ openssh-4.7p1/servconf.c 2007-09-06 16:29:11.000000000 +0200
@@ -113,6 +113,7 @@ initialize_server_options(ServerOptions
options->max_startups = -1;
options->max_authtries = -1;
options->banner = NULL;
+ options->show_patchlevel = -1;
options->use_dns = -1;
options->client_alive_interval = -1;
options->client_alive_count_max = -1;
@@ -250,6 +251,9 @@ fill_default_server_options(ServerOption
if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
+ if (options->show_patchlevel == -1)
+ options->show_patchlevel = 0;
+
/* Turn privilege separation on by default */
if (use_privsep == -1)
use_privsep = 1;
@@ -293,6 +297,7 @@ typedef enum {
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand,
sUsePrivilegeSeparation,
+ sShowPatchLevel,
sDeprecated, sUnsupported
} ServerOpCodes;
@@ -390,6 +395,7 @@ static struct {
{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
{ "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
{ "banner", sBanner, SSHCFG_ALL },
+ { "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL },
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1005,6 +1011,10 @@ parse_flag:
intptr = &use_privsep;
goto parse_flag;
+ case sShowPatchLevel:
+ intptr = &options->show_patchlevel;
+ goto parse_flag;
+
case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS)
diff -up openssh-4.7p1/sshd_config.0.vendor openssh-4.7p1/sshd_config.0
--- openssh-4.7p1/sshd_config.0.vendor 2007-09-06 16:27:47.000000000 +0200
+++ openssh-4.7p1/sshd_config.0 2007-09-06 16:27:47.000000000 +0200
@@ -418,6 +418,11 @@ DESCRIPTION
Defines the number of bits in the ephemeral protocol version 1
server key. The minimum value is 512, and the default is 768.
+ ShowPatchLevel
+ Specifies whether sshd will display the specific patch level of
+ the binary in the server identification string. The patch level
+ is set at compile-time. The default is M-bM-^@M-^\noM-bM-^@M-^].
+
StrictModes
Specifies whether sshd(8) should check file modes and ownership
of the user's files and home directory before accepting login.
diff -up openssh-4.7p1/sshd_config.vendor openssh-4.7p1/sshd_config
--- openssh-4.7p1/sshd_config.vendor 2007-09-06 16:27:47.000000000 +0200
+++ openssh-4.7p1/sshd_config 2007-09-06 16:27:47.000000000 +0200
@@ -109,6 +109,7 @@ X11Forwarding yes
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
+#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
diff -up openssh-4.7p1/sshd.c.vendor openssh-4.7p1/sshd.c
--- openssh-4.7p1/sshd.c.vendor 2007-06-05 10:22:32.000000000 +0200
+++ openssh-4.7p1/sshd.c 2007-09-06 16:27:47.000000000 +0200
@@ -419,7 +419,8 @@ sshd_exchange_identification(int sock_in
major = PROTOCOL_MAJOR_1;
minor = PROTOCOL_MINOR_1;
}
- snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);
+ snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor,
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION);
server_version_string = xstrdup(buf);
/* Send our protocol version identification. */
@@ -1434,7 +1435,8 @@ main(int ac, char **av)
exit(1);
}
- debug("sshd version %.100s", SSH_RELEASE);
+ debug("sshd version %.100s",
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE);
/* Store privilege separation user for later use if required. */
if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
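Review bot: The ShowPatchLevel text added to sshd_config.0 (and, as far as the hidden lines allow, sshd_config.5) does not say what enabling the option costs: the sshd.c hunk in `sshd_exchange_identification` puts `SSH_VENDOR_PATCHLEVEL` into the identification string that is sent to every peer before authentication, which is the reason the default is no. A sentence after the default, `Enabling it discloses the exact vendor build to unauthenticated clients.`, would make the trade-off explicit where administrators read it. In sshd.c the test `(options.show_patchlevel == 1)` is correct because `parse_flag` stores 0 or 1 and `fill_default_server_options` turns -1 into 0, but testing the flag directly (`options.show_patchlevel ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION`) is the more usual form and does not depend on the exact stored value; the same applies to the `debug()` call in `main`. The `%.100s` precision already bounds the vendor string, so no new overflow risk is introduced.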


@ -1,10 +1,5 @@
# Do we want SELinux & Audit
%define WITH_SELINUX 1 %define WITH_SELINUX 1
%if %{WITH_SELINUX}
# Audit patch applicable only over SELinux patch
%define WITH_AUDIT 1
%else
%define WITH_AUDIT 0
%endif
# OpenSSH privilege separation requires a user & group ID # OpenSSH privilege separation requires a user & group ID
%define sshd_uid 74 %define sshd_uid 74
@ -28,6 +23,9 @@
# Do we want kerberos5 support (1=yes 0=no) # Do we want kerberos5 support (1=yes 0=no)
%define kerberos5 1 %define kerberos5 1
# Do we want libedit support
%define libedit 1
# Do we want NSS tokens support # Do we want NSS tokens support
%define nss 1 %define nss 1
@ -59,42 +57,44 @@
# Turn off some stuff for resuce builds # Turn off some stuff for resuce builds
%if %{rescue} %if %{rescue}
%define kerberos5 0 %define kerberos5 0
%define libedit 0
%endif %endif
Summary: The OpenSSH implementation of SSH protocol versions 1 and 2 Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
Name: openssh Name: openssh
Version: 4.5p1 Version: 4.7p1
Release: 8%{?dist}%{?rescue_rel} Release: 1%{?dist}%{?rescue_rel}
URL: http://www.openssh.com/portable.html URL: http://www.openssh.com/portable.html
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
# This package differs from the upstream OpenSSH tarball in that # This package differs from the upstream OpenSSH tarball in that
# the ACSS cipher is removed by running openssh-nukeacss.sh in # the ACSS cipher is removed by running openssh-nukeacss.sh in
# the unpacked source directory. # the unpacked source directory.
Source0: openssh-%{version}-noacss.tar.bz2 Source0: openssh-%{version}-noacss.tar.bz2
Source1: openssh-nukeacss.sh Source1: openssh-nukeacss.sh
Patch0: openssh-4.5p1-redhat.patch Patch0: openssh-4.7p1-redhat.patch
Patch2: openssh-3.8.1p1-skip-initial.patch Patch2: openssh-3.8.1p1-skip-initial.patch
Patch3: openssh-3.8.1p1-krb5-config.patch Patch3: openssh-3.8.1p1-krb5-config.patch
Patch4: openssh-4.5p1-vendor.patch Patch4: openssh-4.7p1-vendor.patch
Patch5: openssh-4.3p2-initscript.patch Patch5: openssh-4.3p2-initscript.patch
Patch12: openssh-4.5p1-selinux.patch Patch10: openssh-4.7p1-pam-session.patch
Patch16: openssh-4.5p1-audit.patch Patch12: openssh-4.7p1-selinux.patch
Patch13: openssh-4.7p1-mls.patch
Patch16: openssh-4.7p1-audit.patch
Patch17: openssh-4.3p2-cve-2007-3102.patch
Patch22: openssh-3.9p1-askpass-keep-above.patch Patch22: openssh-3.9p1-askpass-keep-above.patch
Patch24: openssh-4.3p1-fromto-remote.patch Patch24: openssh-4.3p1-fromto-remote.patch
Patch26: openssh-4.2p1-pam-no-stack.patch Patch26: openssh-4.2p1-pam-no-stack.patch
Patch27: openssh-3.9p1-log-in-chroot.patch Patch27: openssh-4.7p1-log-in-chroot.patch
Patch30: openssh-4.0p1-exit-deadlock.patch Patch30: openssh-4.0p1-exit-deadlock.patch
Patch31: openssh-3.9p1-skip-used.patch Patch31: openssh-3.9p1-skip-used.patch
Patch35: openssh-4.2p1-askpass-progress.patch Patch35: openssh-4.2p1-askpass-progress.patch
Patch38: openssh-4.3p2-askpass-grab-info.patch Patch38: openssh-4.3p2-askpass-grab-info.patch
Patch39: openssh-4.3p2-no-v6only.patch Patch39: openssh-4.3p2-no-v6only.patch
Patch44: openssh-4.3p2-allow-ip-opts.patch Patch44: openssh-4.3p2-allow-ip-opts.patch
Patch48: openssh-4.3p2-pam-session.patch
Patch49: openssh-4.3p2-gssapi-canohost.patch Patch49: openssh-4.3p2-gssapi-canohost.patch
Patch50: openssh-4.5p1-mls.patch Patch51: openssh-4.7p1-nss-keys.patch
Patch51: openssh-4.5p1-nss-keys.patch Patch52: openssh-4.7p1-sftp-drain-acks.patch
Patch52: openssh-4.5p1-sftp-drain-acks.patch
License: BSD License: BSD
Group: Applications/Internet Group: Applications/Internet
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -126,6 +126,10 @@ BuildRequires: tcp_wrappers-devel
BuildRequires: krb5-devel BuildRequires: krb5-devel
%endif %endif
%if %{libedit}
BuildRequires: libedit-devel
%endif
%if %{nss} %if %{nss}
BuildRequires: nss-devel BuildRequires: nss-devel
%endif %endif
@ -133,9 +137,6 @@ BuildRequires: nss-devel
%if %{WITH_SELINUX} %if %{WITH_SELINUX}
Requires: libselinux >= 1.27.7 Requires: libselinux >= 1.27.7
BuildRequires: libselinux-devel >= 1.27.7 BuildRequires: libselinux-devel >= 1.27.7
%endif
%if %{WITH_AUDIT}
Requires: audit-libs >= 1.0.8 Requires: audit-libs >= 1.0.8
BuildRequires: audit-libs >= 1.0.8 BuildRequires: audit-libs >= 1.0.8
%endif %endif
@ -204,13 +205,14 @@ an X11 passphrase dialog for OpenSSH.
%patch4 -p1 -b .vendor %patch4 -p1 -b .vendor
%patch5 -p1 -b .initscript %patch5 -p1 -b .initscript
%patch10 -p1 -b .pam-session
%if %{WITH_SELINUX} %if %{WITH_SELINUX}
#SELinux #SELinux
%patch12 -p1 -b .selinux %patch12 -p1 -b .selinux
%endif %patch13 -p1 -b .mls
%if %{WITH_AUDIT}
%patch16 -p1 -b .audit %patch16 -p1 -b .audit
%patch17 -p1 -b .inject-fix
%endif %endif
%patch22 -p1 -b .keep-above %patch22 -p1 -b .keep-above
@ -223,9 +225,7 @@ an X11 passphrase dialog for OpenSSH.
%patch38 -p1 -b .grab-info %patch38 -p1 -b .grab-info
%patch39 -p1 -b .no-v6only %patch39 -p1 -b .no-v6only
%patch44 -p1 -b .ip-opts %patch44 -p1 -b .ip-opts
%patch48 -p1 -b .pam-sesssion
%patch49 -p1 -b .canohost %patch49 -p1 -b .canohost
%patch50 -p1 -b .mls
%patch51 -p1 -b .nss-keys %patch51 -p1 -b .nss-keys
%patch52 -p1 -b .drain-acks %patch52 -p1 -b .drain-acks
@ -282,15 +282,17 @@ fi
--with-pam \ --with-pam \
%endif %endif
%if %{WITH_SELINUX} %if %{WITH_SELINUX}
--with-selinux \ --with-selinux --with-linux-audit \
%endif
%if %{WITH_AUDIT}
--with-linux-audit \
%endif %endif
%if %{kerberos5} %if %{kerberos5}
--with-kerberos5${krb5_prefix:+=${krb5_prefix}} --with-kerberos5${krb5_prefix:+=${krb5_prefix}} \
%else %else
--without-kerberos5 --without-kerberos5 \
%endif
%if %{libedit}
--with-libedit
%else
--without-libedit
%endif %endif
%if %{static_libcrypto} %if %{static_libcrypto}
@ -478,6 +480,11 @@ fi
%endif %endif
%changelog %changelog
* Thu Sep 6 2007 Tomas Mraz <tmraz@redhat.com> - 4.7p1-1
- upgrade to latest upstream
- use libedit in sftp (#203009)
- fixed audit log injection problem (CVE-2007-3102)
* Thu Aug 9 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-8 * Thu Aug 9 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-8
- fix sftp client problems on write error (#247802) - fix sftp client problems on write error (#247802)
- allow disabling autocreation of server keys (#235466) - allow disabling autocreation of server keys (#235466)
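Review bot: `%patch17 -p1 -b .inject-fix`, the CVE-2007-3102 fix, is applied only inside the `%if %{WITH_SELINUX}` block, so a build with `WITH_SELINUX` set to 0 silently drops the security fix; that is presumably intended because the affected audit-logging code is itself added by `%patch16` in the same block, but the spec does not record that dependency now that the separate `WITH_AUDIT` switch is gone. A comment above the line, `# CVE-2007-3102 fix patches audit-logging code added by the audit patch above; keep it inside this block`, would stop a later reordering from dropping or misplacing it. The naming is also inconsistent: every other refreshed patch in this commit carries a 4.7p1 prefix while the new fix is `Patch17: openssh-4.3p2-cve-2007-3102.patch`; if it was rebased for 4.7p1, renaming it keeps the Patch list self-describing, and if it applies unchanged a short comment saying so serves the same purpose.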


@ -1 +1 @@
9ef9bf019945105f2ac1760c95c9b339 openssh-4.5p1-noacss.tar.bz2 21634329a8f1cd0e7a7974ade7280bdc openssh-4.7p1-noacss.tar.bz2