From 1499a28f3778df684688dc357e3dd993f1056452 Mon Sep 17 00:00:00 2001 From: Jan F Date: Tue, 1 Mar 2011 07:44:22 +0100 Subject: [PATCH] improove ssk-keycat --- openssh-5.8p1-audit1.patch | 28 +++---- openssh-5.8p1-audit1a.patch | 21 ----- openssh-5.8p1-audit4.patch | 69 ++++++++-------- openssh-5.8p1-audit4a.patch | 13 --- openssh-5.8p1-audit5.patch | 88 ++++++++++++-------- openssh-5.8p1-audit5a.patch | 21 ----- openssh-5.8p1-keycat2.patch | 132 ++++++++++++++++++++++++++++++ openssh-5.8p1-ldap.patch | 156 +++++++++++++++++++++--------------- openssh-5.8p1-ldap2.patch | 57 ------------- openssh.spec | 7 +- 10 files changed, 332 insertions(+), 260 deletions(-) create mode 100644 openssh-5.8p1-keycat2.patch diff --git a/openssh-5.8p1-audit1.patch b/openssh-5.8p1-audit1.patch index ea7def7..08674a9 100644 --- a/openssh-5.8p1-audit1.patch +++ b/openssh-5.8p1-audit1.patch @@ -1,6 +1,6 @@ diff -up openssh-5.8p1/audit-bsm.c.audit1 openssh-5.8p1/audit-bsm.c --- openssh-5.8p1/audit-bsm.c.audit1 2011-01-17 11:15:29.000000000 +0100 -+++ openssh-5.8p1/audit-bsm.c 2011-02-24 13:49:49.000000000 +0100 ++++ openssh-5.8p1/audit-bsm.c 2011-02-28 22:39:02.000000000 +0100 @@ -305,6 +305,12 @@ audit_run_command(const char *command) } @@ -16,7 +16,7 @@ diff -up openssh-5.8p1/audit-bsm.c.audit1 openssh-5.8p1/audit-bsm.c /* not implemented */ diff -up openssh-5.8p1/audit.c.audit1 openssh-5.8p1/audit.c --- openssh-5.8p1/audit.c.audit1 2011-01-17 11:15:30.000000000 +0100 -+++ openssh-5.8p1/audit.c 2011-02-24 13:49:49.000000000 +0100 ++++ openssh-5.8p1/audit.c 2011-02-28 22:39:02.000000000 +0100 @@ -182,5 +182,18 @@ audit_run_command(const char *command) debug("audit run command euid %d user %s command '%.200s'", geteuid(), audit_username(), command); 
@@ -38,7 +38,7 @@ diff -up openssh-5.8p1/audit.c.audit1 openssh-5.8p1/audit.c #endif /* SSH_AUDIT_EVENTS */ diff -up openssh-5.8p1/audit.h.audit1 openssh-5.8p1/audit.h --- openssh-5.8p1/audit.h.audit1 2011-01-17 11:15:30.000000000 +0100 -+++ openssh-5.8p1/audit.h 2011-02-24 13:49:49.000000000 +0100 ++++ openssh-5.8p1/audit.h 2011-02-28 22:39:02.000000000 +0100 @@ -52,6 +52,7 @@ void audit_event(ssh_audit_event_t); void audit_session_open(struct logininfo *); void audit_session_close(struct logininfo *); @@ -49,7 +49,7 @@ diff -up openssh-5.8p1/audit.h.audit1 openssh-5.8p1/audit.h #endif /* _SSH_AUDIT_H */ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c --- openssh-5.8p1/audit-linux.c.audit1 2011-01-17 11:15:30.000000000 +0100 -+++ openssh-5.8p1/audit-linux.c 2011-02-24 13:49:49.000000000 +0100 ++++ openssh-5.8p1/audit-linux.c 2011-02-28 22:39:02.000000000 +0100 @@ -35,13 +35,20 @@ #include "log.h" @@ -179,7 +179,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c +{ + linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns), + NULL, "ssh", 1, AUDIT_USER_END); -+ if (!--user_login_count) ++ if (user_login_count && !--user_login_count) + linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns), + NULL, "ssh", 1, AUDIT_USER_LOGOUT); } @@ -203,7 +203,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c - /* not implemented */ + linux_audit_user_logxxx(li->uid, NULL, li->hostname, + NULL, li->line, 1, AUDIT_USER_END); -+ if (!--user_login_count) ++ if (user_login_count && !--user_login_count) + linux_audit_user_logxxx(li->uid, NULL, li->hostname, + NULL, li->line, 1, AUDIT_USER_LOGOUT); } 
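Review bot: The new guard `if (user_login_count && !--user_login_count)` in audit_end_command keeps the counter from wrapping below zero, but an end arriving with the counter already at zero is now absorbed silently: AUDIT_USER_END is still written unconditionally on the line above, the AUDIT_USER_LOGOUT is never written, and nothing records that begin/end accounting got out of step. An auditor would rather see that imbalance than lose the logout record quietly; add `else if (user_login_count == 0) debug("%s: end without a matching start", __func__);` after the guarded call, or at least a one-line comment saying an unmatched end is deliberately not counted. The same construct is repeated for audit_session_close in the next hunk, so apply the same treatment there. The signature of audit_end_command sits above the hunk's first line.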
@@ -259,7 +259,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c default: diff -up openssh-5.8p1/monitor.c.audit1 openssh-5.8p1/monitor.c --- openssh-5.8p1/monitor.c.audit1 2010-09-10 03:23:34.000000000 +0200 -+++ openssh-5.8p1/monitor.c 2011-02-24 13:49:49.000000000 +0100 ++++ openssh-5.8p1/monitor.c 2011-02-28 22:39:02.000000000 +0100 @@ -177,6 +177,7 @@ int mm_answer_gss_checkmic(int, Buffer * #ifdef SSH_AUDIT_EVENTS int mm_answer_audit_event(int, Buffer *); @@ -307,7 +307,7 @@ diff -up openssh-5.8p1/monitor.c.audit1 openssh-5.8p1/monitor.c void diff -up openssh-5.8p1/monitor.h.audit1 openssh-5.8p1/monitor.h --- openssh-5.8p1/monitor.h.audit1 2008-11-05 06:20:46.000000000 +0100 -+++ openssh-5.8p1/monitor.h 2011-02-24 13:49:49.000000000 +0100 ++++ openssh-5.8p1/monitor.h 2011-02-28 22:39:02.000000000 +0100 @@ -60,6 +60,7 @@ enum monitor_reqtype { MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND, MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX, @@ -318,7 +318,7 @@ diff -up openssh-5.8p1/monitor.h.audit1 openssh-5.8p1/monitor.h MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA, diff -up openssh-5.8p1/monitor_wrap.c.audit1 openssh-5.8p1/monitor_wrap.c --- openssh-5.8p1/monitor_wrap.c.audit1 2010-08-31 14:41:14.000000000 +0200 -+++ openssh-5.8p1/monitor_wrap.c 2011-02-24 13:49:49.000000000 +0100 ++++ openssh-5.8p1/monitor_wrap.c 2011-02-28 22:39:02.000000000 +0100 @@ -1163,6 +1163,20 @@ mm_audit_run_command(const char *command mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m); buffer_free(&m); @@ -342,7 +342,7 @@ diff -up openssh-5.8p1/monitor_wrap.c.audit1 openssh-5.8p1/monitor_wrap.c #ifdef GSSAPI diff -up openssh-5.8p1/monitor_wrap.h.audit1 openssh-5.8p1/monitor_wrap.h --- openssh-5.8p1/monitor_wrap.h.audit1 2009-03-05 14:58:22.000000000 +0100 -+++ openssh-5.8p1/monitor_wrap.h 2011-02-24 13:49:49.000000000 +0100 ++++ openssh-5.8p1/monitor_wrap.h 2011-02-28 22:39:02.000000000 +0100 
@@ -74,6 +74,7 @@ void mm_sshpam_free_ctx(void *); #include "audit.h" void mm_audit_event(ssh_audit_event_t); @@ -353,7 +353,7 @@ diff -up openssh-5.8p1/monitor_wrap.h.audit1 openssh-5.8p1/monitor_wrap.h struct Session; diff -up openssh-5.8p1/session.c.audit1 openssh-5.8p1/session.c --- openssh-5.8p1/session.c.audit1 2010-12-01 02:02:59.000000000 +0100 -+++ openssh-5.8p1/session.c 2011-02-24 13:49:49.000000000 +0100 ++++ openssh-5.8p1/session.c 2011-02-28 22:39:02.000000000 +0100 @@ -809,14 +809,16 @@ do_exec(Session *s, const char *command) } @@ -388,7 +388,7 @@ diff -up openssh-5.8p1/session.c.audit1 openssh-5.8p1/session.c if (s->display) diff -up openssh-5.8p1/session.h.audit1 openssh-5.8p1/session.h --- openssh-5.8p1/session.h.audit1 2008-05-19 07:34:50.000000000 +0200 -+++ openssh-5.8p1/session.h 2011-02-24 13:49:49.000000000 +0100 ++++ openssh-5.8p1/session.h 2011-02-28 22:39:02.000000000 +0100 @@ -60,6 +60,11 @@ struct Session { char *name; char *val; @@ -402,8 +402,8 @@ diff -up openssh-5.8p1/session.h.audit1 openssh-5.8p1/session.h void do_authenticated(Authctxt *); diff -up openssh-5.8p1/sshd.c.audit1 openssh-5.8p1/sshd.c ---- openssh-5.8p1/sshd.c.audit1 2011-02-24 13:50:29.000000000 +0100 -+++ openssh-5.8p1/sshd.c 2011-02-24 13:50:47.000000000 +0100 +--- openssh-5.8p1/sshd.c.audit1 2011-01-11 07:20:31.000000000 +0100 ++++ openssh-5.8p1/sshd.c 2011-02-28 22:39:02.000000000 +0100 @@ -2342,7 +2342,8 @@ cleanup_exit(int i) do_cleanup(the_authctxt); #ifdef SSH_AUDIT_EVENTS diff --git a/openssh-5.8p1-audit1a.patch b/openssh-5.8p1-audit1a.patch index dce297a..e69de29 100644 --- a/openssh-5.8p1-audit1a.patch +++ b/openssh-5.8p1-audit1a.patch 
@@ -1,21 +0,0 @@ -diff -up openssh-5.8p1/audit-linux.c.audit1a openssh-5.8p1/audit-linux.c ---- openssh-5.8p1/audit-linux.c.audit1a 2011-02-28 14:45:40.000000000 +0100 -+++ openssh-5.8p1/audit-linux.c 2011-02-28 14:46:50.000000000 +0100 -@@ -155,7 +155,7 @@ audit_end_command(const char *command) - { - linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns), - NULL, "ssh", 1, AUDIT_USER_END); -- if (!--user_login_count) -+ if (user_login_count && !--user_login_count) - linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns), - NULL, "ssh", 1, AUDIT_USER_LOGOUT); - } -@@ -175,7 +175,7 @@ audit_session_close(struct logininfo *li - { - linux_audit_user_logxxx(li->uid, NULL, li->hostname, - NULL, li->line, 1, AUDIT_USER_END); -- if (!--user_login_count) -+ if (user_login_count && !--user_login_count) - linux_audit_user_logxxx(li->uid, NULL, li->hostname, - NULL, li->line, 1, AUDIT_USER_LOGOUT); - } diff --git a/openssh-5.8p1-audit4.patch b/openssh-5.8p1-audit4.patch index 94f129e..28fe5b8 100644 --- a/openssh-5.8p1-audit4.patch +++ b/openssh-5.8p1-audit4.patch @@ -1,6 +1,6 @@ diff -up openssh-5.8p1/audit-bsm.c.audit4 openssh-5.8p1/audit-bsm.c ---- openssh-5.8p1/audit-bsm.c.audit4 2011-02-24 13:54:02.000000000 +0100 -+++ openssh-5.8p1/audit-bsm.c 2011-02-24 13:54:02.000000000 +0100 +--- openssh-5.8p1/audit-bsm.c.audit4 2011-02-28 23:07:12.000000000 +0100 ++++ openssh-5.8p1/audit-bsm.c 2011-02-28 23:07:12.000000000 +0100 @@ -401,4 +401,10 @@ audit_kex_body(int ctos, char *enc, char { /* not implemented */ 
@@ -13,8 +13,8 @@ diff -up openssh-5.8p1/audit-bsm.c.audit4 openssh-5.8p1/audit-bsm.c +} #endif /* BSM */ diff -up openssh-5.8p1/audit.c.audit4 openssh-5.8p1/audit.c ---- openssh-5.8p1/audit.c.audit4 2011-02-24 13:54:02.000000000 +0100 -+++ openssh-5.8p1/audit.c 2011-02-24 13:54:02.000000000 +0100 +--- openssh-5.8p1/audit.c.audit4 2011-02-28 23:07:12.000000000 +0100 ++++ openssh-5.8p1/audit.c 2011-02-28 23:07:12.000000000 +0100 @@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid())); } @@ -45,8 +45,8 @@ diff -up openssh-5.8p1/audit.c.audit4 openssh-5.8p1/audit.c # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ diff -up openssh-5.8p1/audit.h.audit4 openssh-5.8p1/audit.h ---- openssh-5.8p1/audit.h.audit4 2011-02-24 13:54:02.000000000 +0100 -+++ openssh-5.8p1/audit.h 2011-02-24 13:54:02.000000000 +0100 +--- openssh-5.8p1/audit.h.audit4 2011-02-28 23:07:12.000000000 +0100 ++++ openssh-5.8p1/audit.h 2011-02-28 23:07:12.000000000 +0100 @@ -61,5 +61,7 @@ void audit_unsupported(int); void audit_kex(int, char *, char *, char *); void audit_unsupported_body(int); @@ -56,8 +56,8 @@ diff -up openssh-5.8p1/audit.h.audit4 openssh-5.8p1/audit.h #endif /* _SSH_AUDIT_H */ diff -up openssh-5.8p1/audit-linux.c.audit4 openssh-5.8p1/audit-linux.c ---- openssh-5.8p1/audit-linux.c.audit4 2011-02-24 13:54:02.000000000 +0100 -+++ openssh-5.8p1/audit-linux.c 2011-02-24 13:54:02.000000000 +0100 +--- openssh-5.8p1/audit-linux.c.audit4 2011-02-28 23:07:12.000000000 +0100 ++++ openssh-5.8p1/audit-linux.c 2011-02-28 23:07:12.000000000 +0100 @@ -285,6 +285,8 @@ audit_unsupported_body(int what) #endif } 
@@ -107,8 +107,8 @@ diff -up openssh-5.8p1/audit-linux.c.audit4 openssh-5.8p1/audit-linux.c + #endif /* USE_LINUX_AUDIT */ diff -up openssh-5.8p1/auditstub.c.audit4 openssh-5.8p1/auditstub.c ---- openssh-5.8p1/auditstub.c.audit4 2011-02-24 13:54:02.000000000 +0100 -+++ openssh-5.8p1/auditstub.c 2011-02-24 13:54:02.000000000 +0100 +--- openssh-5.8p1/auditstub.c.audit4 2011-02-28 23:07:12.000000000 +0100 ++++ openssh-5.8p1/auditstub.c 2011-02-28 23:07:12.000000000 +0100 @@ -27,6 +27,8 @@ * Red Hat author: Jan F. Chadima */ @@ -132,8 +132,8 @@ diff -up openssh-5.8p1/auditstub.c.audit4 openssh-5.8p1/auditstub.c +{ +} diff -up openssh-5.8p1/kex.c.audit4 openssh-5.8p1/kex.c ---- openssh-5.8p1/kex.c.audit4 2011-02-24 13:54:02.000000000 +0100 -+++ openssh-5.8p1/kex.c 2011-02-24 13:54:02.000000000 +0100 +--- openssh-5.8p1/kex.c.audit4 2011-02-28 23:07:12.000000000 +0100 ++++ openssh-5.8p1/kex.c 2011-02-28 23:07:12.000000000 +0100 @@ -624,3 +624,34 @@ dump_digest(char *msg, u_char *digest, i fprintf(stderr, "\n"); } @@ -171,7 +171,7 @@ diff -up openssh-5.8p1/kex.c.audit4 openssh-5.8p1/kex.c + diff -up openssh-5.8p1/kex.h.audit4 openssh-5.8p1/kex.h --- openssh-5.8p1/kex.h.audit4 2010-09-24 14:11:14.000000000 +0200 -+++ openssh-5.8p1/kex.h 2011-02-24 13:54:02.000000000 +0100 ++++ openssh-5.8p1/kex.h 2011-02-28 23:07:12.000000000 +0100 @@ -156,6 +156,8 @@ void kexgex_server(Kex *); void kexecdh_client(Kex *); void kexecdh_server(Kex *); @@ -183,7 +183,7 @@ diff -up openssh-5.8p1/kex.h.audit4 openssh-5.8p1/kex.h BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); diff -up openssh-5.8p1/mac.c.audit4 openssh-5.8p1/mac.c --- openssh-5.8p1/mac.c.audit4 2008-06-13 02:58:50.000000000 +0200 -+++ openssh-5.8p1/mac.c 2011-02-24 13:54:02.000000000 +0100 ++++ openssh-5.8p1/mac.c 2011-02-28 23:07:12.000000000 +0100 @@ -162,6 +162,20 @@ mac_clear(Mac *mac) mac->umac_ctx = NULL; } 
@@ -207,15 +207,15 @@ diff -up openssh-5.8p1/mac.c.audit4 openssh-5.8p1/mac.c int diff -up openssh-5.8p1/mac.h.audit4 openssh-5.8p1/mac.h --- openssh-5.8p1/mac.h.audit4 2007-06-11 06:01:42.000000000 +0200 -+++ openssh-5.8p1/mac.h 2011-02-24 13:54:02.000000000 +0100 ++++ openssh-5.8p1/mac.h 2011-02-28 23:07:13.000000000 +0100 @@ -28,3 +28,4 @@ int mac_setup(Mac *, char *); int mac_init(Mac *); u_char *mac_compute(Mac *, u_int32_t, u_char *, int); void mac_clear(Mac *); +void mac_destroy(Mac *); diff -up openssh-5.8p1/monitor.c.audit4 openssh-5.8p1/monitor.c ---- openssh-5.8p1/monitor.c.audit4 2011-02-24 13:54:02.000000000 +0100 -+++ openssh-5.8p1/monitor.c 2011-02-24 13:54:02.000000000 +0100 +--- openssh-5.8p1/monitor.c.audit4 2011-02-28 23:07:12.000000000 +0100 ++++ openssh-5.8p1/monitor.c 2011-02-28 23:07:13.000000000 +0100 @@ -181,6 +181,7 @@ int mm_answer_audit_command(int, Buffer int mm_answer_audit_end_command(int, Buffer *); int mm_answer_audit_unsupported_body(int, Buffer *); @@ -311,8 +311,8 @@ diff -up openssh-5.8p1/monitor.c.audit4 openssh-5.8p1/monitor.c +} #endif /* SSH_AUDIT_EVENTS */ diff -up openssh-5.8p1/monitor.h.audit4 openssh-5.8p1/monitor.h ---- openssh-5.8p1/monitor.h.audit4 2011-02-24 13:54:02.000000000 +0100 -+++ openssh-5.8p1/monitor.h 2011-02-24 13:54:02.000000000 +0100 +--- openssh-5.8p1/monitor.h.audit4 2011-02-28 23:07:12.000000000 +0100 ++++ openssh-5.8p1/monitor.h 2011-02-28 23:07:13.000000000 +0100 @@ -69,6 +69,7 @@ enum monitor_reqtype { MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM, MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED, 
@@ -322,8 +322,8 @@ diff -up openssh-5.8p1/monitor.h.audit4 openssh-5.8p1/monitor.h struct mm_master; diff -up openssh-5.8p1/monitor_wrap.c.audit4 openssh-5.8p1/monitor_wrap.c ---- openssh-5.8p1/monitor_wrap.c.audit4 2011-02-24 13:54:02.000000000 +0100 -+++ openssh-5.8p1/monitor_wrap.c 2011-02-24 13:54:02.000000000 +0100 +--- openssh-5.8p1/monitor_wrap.c.audit4 2011-02-28 23:07:12.000000000 +0100 ++++ openssh-5.8p1/monitor_wrap.c 2011-02-28 23:07:13.000000000 +0100 @@ -601,12 +601,14 @@ mm_send_keystate(struct monitor *monitor fatal("%s: conversion of newkeys failed", __func__); @@ -360,8 +360,8 @@ diff -up openssh-5.8p1/monitor_wrap.c.audit4 openssh-5.8p1/monitor_wrap.c +} #endif /* SSH_AUDIT_EVENTS */ diff -up openssh-5.8p1/monitor_wrap.h.audit4 openssh-5.8p1/monitor_wrap.h ---- openssh-5.8p1/monitor_wrap.h.audit4 2011-02-24 13:54:02.000000000 +0100 -+++ openssh-5.8p1/monitor_wrap.h 2011-02-24 13:54:02.000000000 +0100 +--- openssh-5.8p1/monitor_wrap.h.audit4 2011-02-28 23:07:12.000000000 +0100 ++++ openssh-5.8p1/monitor_wrap.h 2011-02-28 23:07:13.000000000 +0100 @@ -77,6 +77,7 @@ void mm_audit_run_command(const char *); void mm_audit_end_command(const char *); void mm_audit_unsupported_body(int); @@ -372,7 +372,7 @@ diff -up openssh-5.8p1/monitor_wrap.h.audit4 openssh-5.8p1/monitor_wrap.h struct Session; diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c --- openssh-5.8p1/packet.c.audit4 2010-11-24 00:46:37.000000000 +0100 -+++ openssh-5.8p1/packet.c 2011-02-24 13:54:02.000000000 +0100 ++++ openssh-5.8p1/packet.c 2011-02-28 23:07:13.000000000 +0100 @@ -60,6 +60,7 @@ #include @@ -532,7 +532,7 @@ diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c + diff -up openssh-5.8p1/packet.h.audit4 openssh-5.8p1/packet.h --- openssh-5.8p1/packet.h.audit4 2010-11-20 05:19:38.000000000 +0100 -+++ openssh-5.8p1/packet.h 2011-02-24 13:54:02.000000000 +0100 ++++ openssh-5.8p1/packet.h 2011-02-28 23:07:13.000000000 +0100 
@@ -125,4 +125,5 @@ void packet_restore_state(void); void *packet_get_input(void); void *packet_get_output(void); @@ -540,8 +540,8 @@ diff -up openssh-5.8p1/packet.h.audit4 openssh-5.8p1/packet.h +void packet_destroy_all(int, int); #endif /* PACKET_H */ diff -up openssh-5.8p1/session.c.audit4 openssh-5.8p1/session.c ---- openssh-5.8p1/session.c.audit4 2011-02-24 13:54:01.000000000 +0100 -+++ openssh-5.8p1/session.c 2011-02-24 13:54:02.000000000 +0100 +--- openssh-5.8p1/session.c.audit4 2011-02-28 23:07:11.000000000 +0100 ++++ openssh-5.8p1/session.c 2011-02-28 23:07:13.000000000 +0100 @@ -1617,6 +1617,9 @@ do_child(Session *s, const char *command /* remove hostkey from the child's memory */ @@ -553,8 +553,8 @@ diff -up openssh-5.8p1/session.c.audit4 openssh-5.8p1/session.c /* Force a password change */ if (s->authctxt->force_pwchange) { diff -up openssh-5.8p1/sshd.c.audit4 openssh-5.8p1/sshd.c ---- openssh-5.8p1/sshd.c.audit4 2011-02-24 13:54:02.000000000 +0100 -+++ openssh-5.8p1/sshd.c 2011-02-24 13:55:09.000000000 +0100 +--- openssh-5.8p1/sshd.c.audit4 2011-02-28 23:07:12.000000000 +0100 ++++ openssh-5.8p1/sshd.c 2011-02-28 23:07:13.000000000 +0100 @@ -663,6 +663,8 @@ privsep_preauth(Authctxt *authctxt) return (0); } @@ -564,17 +564,18 @@ diff -up openssh-5.8p1/sshd.c.audit4 openssh-5.8p1/sshd.c static void privsep_postauth(Authctxt *authctxt) { -@@ -688,6 +690,9 @@ privsep_postauth(Authctxt *authctxt) +@@ -688,6 +690,10 @@ privsep_postauth(Authctxt *authctxt) verbose("User child is on pid %ld", (long)pmonitor->m_pid); close(pmonitor->m_recvfd); buffer_clear(&loginmsg); + newkeys_destroy(current_keys[MODE_OUT]); + newkeys_destroy(current_keys[MODE_IN]); -+ packet_destroy_all(1, 0); ++ audit_session_key_free_body(2, getpid(), getuid()); ++ packet_destroy_all(0, 0); monitor_child_postauth(pmonitor); /* NEVERREACHED */ -@@ -1974,6 +1979,7 @@ main(int ac, char **av) +@@ -1974,6 +1980,7 @@ main(int ac, char **av) */ if (use_privsep) { mm_send_keystate(pmonitor); 
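Review bot: The direction argument `2` in the new `audit_session_key_free_body(2, getpid(), getuid());` is a magic value — every other use of that first parameter in these patches is the 0/1 ctos flag — and the first argument of `packet_destroy_all` is switched from 1 to 0 on the next line with nothing saying why. Presumably 2 stands for "both directions" and the 0 stops packet_destroy_all from emitting a second key-free record now that this call has done so, but that is inferred rather than visible, and the next maintainer will have to reverse-engineer it. A comment above the call such as `/* keys for both directions were freed above: audit once (ctos == 2) and have packet_destroy_all skip its own audit */` would settle it, and a named constant for the both-directions value would be better still. privsep_postauth's signature is in the hunk's context but most of its body lies outside.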
@@ -582,7 +583,7 @@ diff -up openssh-5.8p1/sshd.c.audit4 openssh-5.8p1/sshd.c exit(0); } -@@ -2026,6 +2032,8 @@ main(int ac, char **av) +@@ -2026,6 +2033,8 @@ main(int ac, char **av) do_authenticated(authctxt); /* The connection has been terminated. */ @@ -591,7 +592,7 @@ diff -up openssh-5.8p1/sshd.c.audit4 openssh-5.8p1/sshd.c packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes); packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes); verbose("Transferred: sent %llu, received %llu bytes", -@@ -2345,6 +2353,7 @@ cleanup_exit(int i) +@@ -2345,6 +2354,7 @@ cleanup_exit(int i) { if (the_authctxt) do_cleanup(the_authctxt); diff --git a/openssh-5.8p1-audit4a.patch b/openssh-5.8p1-audit4a.patch index a4a3d66..e69de29 100644 --- a/openssh-5.8p1-audit4a.patch +++ b/openssh-5.8p1-audit4a.patch @@ -1,13 +0,0 @@ -diff -ur openssh/sshd.c openssh-5.8p1/sshd.c ---- openssh/sshd.c 2011-02-23 16:23:05.720096223 +0100 -+++ openssh-5.8p1/sshd.c 2011-02-23 17:04:24.206612620 +0100 -@@ -748,7 +748,8 @@ - buffer_clear(&loginmsg); - newkeys_destroy(current_keys[MODE_OUT]); - newkeys_destroy(current_keys[MODE_IN]); -- packet_destroy_all(1, 0); -+ audit_session_key_free_body(2, getpid(), getuid()); -+ packet_destroy_all(0, 0); - monitor_child_postauth(pmonitor); - - /* NEVERREACHED */ diff --git a/openssh-5.8p1-audit5.patch b/openssh-5.8p1-audit5.patch index 9923f0b..e18f275 100644 --- a/openssh-5.8p1-audit5.patch +++ b/openssh-5.8p1-audit5.patch @@ -1,6 +1,6 @@ diff -up openssh-5.8p1/audit-bsm.c.audit5 openssh-5.8p1/audit-bsm.c ---- openssh-5.8p1/audit-bsm.c.audit5 2011-02-24 13:39:32.000000000 +0100 -+++ openssh-5.8p1/audit-bsm.c 2011-02-24 13:39:32.000000000 +0100 +--- openssh-5.8p1/audit-bsm.c.audit5 2011-02-28 23:17:12.000000000 +0100 ++++ openssh-5.8p1/audit-bsm.c 2011-02-28 23:17:13.000000000 +0100 @@ -407,4 +407,22 @@ audit_session_key_free_body(int ctos, pi { /* not implemented */ 
@@ -25,8 +25,8 @@ diff -up openssh-5.8p1/audit-bsm.c.audit5 openssh-5.8p1/audit-bsm.c +} #endif /* BSM */ diff -up openssh-5.8p1/audit.c.audit5 openssh-5.8p1/audit.c ---- openssh-5.8p1/audit.c.audit5 2011-02-24 13:39:32.000000000 +0100 -+++ openssh-5.8p1/audit.c 2011-02-24 13:39:32.000000000 +0100 +--- openssh-5.8p1/audit.c.audit5 2011-02-28 23:17:12.000000000 +0100 ++++ openssh-5.8p1/audit.c 2011-02-28 23:17:13.000000000 +0100 @@ -276,5 +276,24 @@ audit_session_key_free_body(int ctos, pi debug("audit session key discard euid %u direction %d from pid %ld uid %u", (unsigned)geteuid(), ctos, (long)pid, (unsigned)uid); @@ -53,8 +53,8 @@ diff -up openssh-5.8p1/audit.c.audit5 openssh-5.8p1/audit.c # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ diff -up openssh-5.8p1/audit.h.audit5 openssh-5.8p1/audit.h ---- openssh-5.8p1/audit.h.audit5 2011-02-24 13:39:32.000000000 +0100 -+++ openssh-5.8p1/audit.h 2011-02-24 13:39:32.000000000 +0100 +--- openssh-5.8p1/audit.h.audit5 2011-02-28 23:17:12.000000000 +0100 ++++ openssh-5.8p1/audit.h 2011-02-28 23:17:13.000000000 +0100 @@ -48,6 +48,8 @@ enum ssh_audit_event_type { }; typedef enum ssh_audit_event_type ssh_audit_event_t; @@ -73,8 +73,8 @@ diff -up openssh-5.8p1/audit.h.audit5 openssh-5.8p1/audit.h #endif /* _SSH_AUDIT_H */ diff -up openssh-5.8p1/audit-linux.c.audit5 openssh-5.8p1/audit-linux.c ---- openssh-5.8p1/audit-linux.c.audit5 2011-02-24 13:39:32.000000000 +0100 -+++ openssh-5.8p1/audit-linux.c 2011-02-24 13:39:32.000000000 +0100 +--- openssh-5.8p1/audit-linux.c.audit5 2011-02-28 23:17:12.000000000 +0100 ++++ openssh-5.8p1/audit-linux.c 2011-02-28 23:17:13.000000000 +0100 @@ -343,4 +343,50 @@ audit_session_key_free_body(int ctos, pi error("cannot write into audit"); } 
@@ -127,9 +127,9 @@ diff -up openssh-5.8p1/audit-linux.c.audit5 openssh-5.8p1/audit-linux.c +} #endif /* USE_LINUX_AUDIT */ diff -up openssh-5.8p1/key.c.audit5 openssh-5.8p1/key.c ---- openssh-5.8p1/key.c.audit5 2011-02-24 13:39:31.000000000 +0100 -+++ openssh-5.8p1/key.c 2011-02-24 13:39:32.000000000 +0100 -@@ -1795,6 +1795,30 @@ key_demote(const Key *k) +--- openssh-5.8p1/key.c.audit5 2011-02-28 23:17:10.000000000 +0100 ++++ openssh-5.8p1/key.c 2011-02-28 23:17:13.000000000 +0100 +@@ -1797,6 +1797,30 @@ key_demote(const Key *k) } int @@ -161,8 +161,8 @@ diff -up openssh-5.8p1/key.c.audit5 openssh-5.8p1/key.c { if (k == NULL) diff -up openssh-5.8p1/key.h.audit5 openssh-5.8p1/key.h ---- openssh-5.8p1/key.h.audit5 2011-02-24 13:39:31.000000000 +0100 -+++ openssh-5.8p1/key.h 2011-02-24 13:39:32.000000000 +0100 +--- openssh-5.8p1/key.h.audit5 2011-02-28 23:17:10.000000000 +0100 ++++ openssh-5.8p1/key.h 2011-02-28 23:17:13.000000000 +0100 @@ -109,6 +109,7 @@ Key *key_generate(int, u_int); Key *key_from_private(const Key *); int key_type_from_name(char *); 
@@ -172,9 +172,18 @@ diff -up openssh-5.8p1/key.h.audit5 openssh-5.8p1/key.h int key_to_certified(Key *, int); int key_drop_cert(Key *); diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c ---- openssh-5.8p1/monitor.c.audit5 2011-02-24 13:39:32.000000000 +0100 -+++ openssh-5.8p1/monitor.c 2011-02-24 13:39:32.000000000 +0100 -@@ -182,6 +182,7 @@ int mm_answer_audit_end_command(int, Buf +--- openssh-5.8p1/monitor.c.audit5 2011-02-28 23:17:13.000000000 +0100 ++++ openssh-5.8p1/monitor.c 2011-02-28 23:17:14.000000000 +0100 +@@ -106,6 +106,8 @@ extern Buffer auth_debug; + extern int auth_debug_init; + extern Buffer loginmsg; + ++extern void destroy_sensitive_data(int); ++ + /* State exported from the child */ + + struct { +@@ -182,6 +184,7 @@ int mm_answer_audit_end_command(int, Buf int mm_answer_audit_unsupported_body(int, Buffer *); int mm_answer_audit_kex_body(int, Buffer *); int mm_answer_audit_session_key_free_body(int, Buffer *); @@ -182,7 +191,7 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c #endif static Authctxt *authctxt; -@@ -233,6 +234,7 @@ struct mon_table mon_dispatch_proto20[] +@@ -233,6 +236,7 @@ struct mon_table mon_dispatch_proto20[] {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body}, {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body}, {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body}, @@ -190,7 +199,7 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c #endif #ifdef BSD_AUTH {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, -@@ -273,6 +275,7 @@ struct mon_table mon_dispatch_postauth20 +@@ -273,6 +277,7 @@ struct mon_table mon_dispatch_postauth20 {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body}, {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body}, {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body}, 
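Review bot: The `extern void destroy_sensitive_data(int);` added to monitor.c is a prototype hidden in a .c file for a function defined in sshd.c (its sshd.c changes are in this patch set but not in this hunk), so the compiler never checks it against the definition: if the int parameter or the return type changes in sshd.c, monitor.c keeps compiling with a mismatched call. Declare it once in a header both sshd.c and monitor.c already include and drop the file-local extern; that header is also the natural place for a comment stating what the int argument selects, which nothing in view explains. The enclosing run of extern declarations continues outside the hunk.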
@@ -198,7 +207,7 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c #endif {0, 0, NULL} }; -@@ -307,6 +310,7 @@ struct mon_table mon_dispatch_proto15[] +@@ -307,6 +312,7 @@ struct mon_table mon_dispatch_proto15[] {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body}, {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body}, {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body}, @@ -206,7 +215,7 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c #endif {0, 0, NULL} }; -@@ -322,6 +326,7 @@ struct mon_table mon_dispatch_postauth15 +@@ -322,6 +328,7 @@ struct mon_table mon_dispatch_postauth15 {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body}, {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body}, {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body}, @@ -214,7 +223,16 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c #endif {0, 0, NULL} }; -@@ -2309,4 +2314,24 @@ mm_answer_audit_session_key_free_body(in +@@ -1597,6 +1604,8 @@ mm_answer_term(int sock, Buffer *req) + sshpam_cleanup(); + #endif + ++ destroy_sensitive_data(0); ++ + while (waitpid(pmonitor->m_pid, &status, 0) == -1) + if (errno != EINTR) + exit(1); +@@ -2309,4 +2318,24 @@ mm_answer_audit_session_key_free_body(in mm_request_send(sock, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, m); return 0; } @@ -240,8 +258,8 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c +} #endif /* SSH_AUDIT_EVENTS */ diff -up openssh-5.8p1/monitor.h.audit5 openssh-5.8p1/monitor.h ---- openssh-5.8p1/monitor.h.audit5 2011-02-24 13:39:32.000000000 +0100 -+++ openssh-5.8p1/monitor.h 2011-02-24 13:39:32.000000000 +0100 +--- openssh-5.8p1/monitor.h.audit5 2011-02-28 23:17:13.000000000 +0100 ++++ openssh-5.8p1/monitor.h 2011-02-28 23:17:14.000000000 +0100 
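Review bot: The new `destroy_sensitive_data(0);` in mm_answer_term makes the monitor wipe key material on the MONITOR_REQ_TERM path, but the same patch set also touches cleanup_exit in sshd.c (not visible here), so the monitor may now call destroy_sensitive_data twice on one exit — whether that is safe depends on the function nulling what it frees, and its body is not in view. Either confirm it is idempotent and say so, or guard the second call; and the literal `0` should be named or explained, since its meaning is fixed in sshd.c outside this hunk. A comment above the call along the lines of `/* wipe host and session keys before blocking in waitpid(); must be safe to repeat from cleanup_exit() */` would capture both points. mm_answer_term begins before the hunk and its body continues after it.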
@@ -70,6 +70,7 @@ enum monitor_reqtype { MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED, MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX, @@ -251,8 +269,8 @@ diff -up openssh-5.8p1/monitor.h.audit5 openssh-5.8p1/monitor.h struct mm_master; diff -up openssh-5.8p1/monitor_wrap.c.audit5 openssh-5.8p1/monitor_wrap.c ---- openssh-5.8p1/monitor_wrap.c.audit5 2011-02-24 13:39:32.000000000 +0100 -+++ openssh-5.8p1/monitor_wrap.c 2011-02-24 13:39:32.000000000 +0100 +--- openssh-5.8p1/monitor_wrap.c.audit5 2011-02-28 23:17:13.000000000 +0100 ++++ openssh-5.8p1/monitor_wrap.c 2011-02-28 23:17:14.000000000 +0100 @@ -1480,4 +1480,20 @@ mm_audit_session_key_free_body(int ctos, &m); buffer_free(&m); @@ -275,8 +293,8 @@ diff -up openssh-5.8p1/monitor_wrap.c.audit5 openssh-5.8p1/monitor_wrap.c +} #endif /* SSH_AUDIT_EVENTS */ diff -up openssh-5.8p1/monitor_wrap.h.audit5 openssh-5.8p1/monitor_wrap.h ---- openssh-5.8p1/monitor_wrap.h.audit5 2011-02-24 13:39:32.000000000 +0100 -+++ openssh-5.8p1/monitor_wrap.h 2011-02-24 13:39:32.000000000 +0100 +--- openssh-5.8p1/monitor_wrap.h.audit5 2011-02-28 23:17:13.000000000 +0100 ++++ openssh-5.8p1/monitor_wrap.h 2011-02-28 23:17:14.000000000 +0100 @@ -78,6 +78,7 @@ void mm_audit_end_command(const char *); void mm_audit_unsupported_body(int); void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t); @@ -286,8 +304,8 @@ diff -up openssh-5.8p1/monitor_wrap.h.audit5 openssh-5.8p1/monitor_wrap.h struct Session; diff -up openssh-5.8p1/session.c.audit5 openssh-5.8p1/session.c ---- openssh-5.8p1/session.c.audit5 2011-02-24 13:39:32.000000000 +0100 -+++ openssh-5.8p1/session.c 2011-02-24 13:43:35.000000000 +0100 +--- openssh-5.8p1/session.c.audit5 2011-02-28 23:17:13.000000000 +0100 ++++ openssh-5.8p1/session.c 2011-02-28 23:17:14.000000000 +0100 @@ -132,7 +132,7 @@ extern int log_stderr; extern int debug_flag; extern u_int utmp_len; 
@@ -307,8 +325,8 @@ diff -up openssh-5.8p1/session.c.audit5 openssh-5.8p1/session.c monitor over a single socket, with no synchronization. */ packet_destroy_all(0, 1); diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c ---- openssh-5.8p1/sshd.c.audit5 2011-02-24 13:39:32.000000000 +0100 -+++ openssh-5.8p1/sshd.c 2011-02-24 13:43:08.000000000 +0100 +--- openssh-5.8p1/sshd.c.audit5 2011-02-28 23:17:13.000000000 +0100 ++++ openssh-5.8p1/sshd.c 2011-02-28 23:17:14.000000000 +0100 @@ -253,7 +253,7 @@ Buffer loginmsg; struct passwd *privsep_pw = NULL; @@ -422,7 +440,7 @@ diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c } /* Certs do not need demotion */ } -@@ -1119,6 +1169,7 @@ server_accept_loop(int *sock_in, int *so +@@ -1120,6 +1170,7 @@ server_accept_loop(int *sock_in, int *so if (received_sigterm) { logit("Received signal %d; terminating.", (int) received_sigterm); @@ -430,7 +448,7 @@ diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c close_listen_socks(); unlink(options.pid_file); exit(255); -@@ -2022,7 +2073,7 @@ main(int ac, char **av) +@@ -2023,7 +2074,7 @@ main(int ac, char **av) privsep_postauth(authctxt); /* the monitor process [priv] will not return */ if (!compat20) @@ -439,7 +457,7 @@ diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c } packet_set_timeout(options.client_alive_interval, -@@ -2261,7 +2312,7 @@ do_ssh1_kex(void) +@@ -2262,7 +2313,7 @@ do_ssh1_kex(void) session_id[i] = session_key[i] ^ session_key[i + 16]; } /* Destroy the private and public keys. No longer. */ @@ -448,7 +466,7 @@ diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c if (use_privsep) mm_ssh1_session_id(session_id); -@@ -2351,8 +2402,22 @@ do_ssh2_kex(void) +@@ -2352,8 +2403,22 @@ do_ssh2_kex(void) void cleanup_exit(int i) { diff --git a/openssh-5.8p1-audit5a.patch b/openssh-5.8p1-audit5a.patch index e70cf9e..e69de29 100644 --- a/openssh-5.8p1-audit5a.patch +++ b/openssh-5.8p1-audit5a.patch 
@@ -1,21 +0,0 @@ -diff -ur openssh/monitor.c openssh-5.8p1/monitor.c ---- openssh/monitor.c 2011-02-23 14:22:42.007937852 +0100 -+++ openssh-5.8p1/monitor.c 2011-02-23 19:26:01.491710679 +0100 -@@ -106,6 +106,8 @@ - extern int auth_debug_init; - extern Buffer loginmsg; - -+extern void destroy_sensitive_data(int); -+ - /* State exported from the child */ - - struct { -@@ -1651,6 +1653,8 @@ - sshpam_cleanup(); - #endif - -+ destroy_sensitive_data(0); -+ - while (waitpid(pmonitor->m_pid, &status, 0) == -1) - if (errno != EINTR) - exit(1); diff --git a/openssh-5.8p1-keycat2.patch b/openssh-5.8p1-keycat2.patch new file mode 100644 index 0000000..9a88c9a --- /dev/null +++ b/openssh-5.8p1-keycat2.patch 
@@ -0,0 +1,132 @@ +diff -up openssh-5.8p1/auth2-pubkey.c.keycat2 openssh-5.8p1/auth2-pubkey.c +--- openssh-5.8p1/auth2-pubkey.c.keycat2 2011-03-01 06:57:03.000000000 +0100 ++++ openssh-5.8p1/auth2-pubkey.c 2011-03-01 07:25:04.000000000 +0100 +@@ -579,6 +579,14 @@ user_key_via_command_allowed2(struct pas + close(i); + } + ++#ifdef WITH_SELINUX ++ if (ssh_selinux_setup_env_variables() < 0) { ++ error ("failed to copy environment: %s", ++ strerror(errno)); ++ _exit(127); ++ } ++#endif ++ + execl(options.authorized_keys_command, options.authorized_keys_command, pw->pw_name, NULL); + + /* if we got here, it didn't work */ +diff -up openssh-5.8p1/openbsd-compat/port-linux.c.keycat2 openssh-5.8p1/openbsd-compat/port-linux.c +--- openssh-5.8p1/openbsd-compat/port-linux.c.keycat2 2011-03-01 07:00:32.000000000 +0100 ++++ openssh-5.8p1/openbsd-compat/port-linux.c 2011-03-01 07:23:13.000000000 +0100 +@@ -309,7 +309,7 @@ ssh_selinux_getctxbyname(char *pwname, + + /* Setup environment variables for pam_selinux */ + static int +-ssh_selinux_setup_pam_variables(void) ++ssh_selinux_setup_variables(int(*set_it)(const char *, const char *)) + { + const char *reqlvl; + char *role; +@@ -320,16 +320,16 @@ ssh_selinux_setup_pam_variables(void) + + ssh_selinux_get_role_level(&role, &reqlvl); + +- rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : ""); ++ rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : ""); + + if (inetd_flag && !rexeced_flag) { + use_current = "1"; + } else { + use_current = ""; +- rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: ""); ++ rv = rv || set_it("SELINUX_LEVEL_REQUESTED", reqlvl ? 
reqlvl: ""); + } + +- rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current); ++ rv = rv || set_it("SELINUX_USE_CURRENT_RANGE", use_current); + + if (role != NULL) + xfree(role); +@@ -337,6 +337,24 @@ ssh_selinux_setup_pam_variables(void) + return rv; + } + ++static int ++ssh_selinux_setup_pam_variables(void) ++{ ++ return ssh_selinux_setup_variables(do_pam_putenv); ++} ++ ++static int ++do_setenv(char *name, char *value) ++{ ++ return setenv(name, value, 1); ++} ++ ++int ++ssh_selinux_setup_env_variables(void) ++{ ++ return ssh_selinux_setup_variables(do_setenv); ++} ++ + /* Set the execution context to the default for the specified user */ + void + ssh_selinux_setup_exec_context(char *pwname) +diff -up openssh-5.8p1/ssh-keycat.c.keycat2 openssh-5.8p1/ssh-keycat.c +--- openssh-5.8p1/ssh-keycat.c.keycat2 2011-03-01 06:56:02.000000000 +0100 ++++ openssh-5.8p1/ssh-keycat.c 2011-03-01 06:56:02.000000000 +0100 +@@ -65,6 +65,7 @@ + #define ERR_FDOPEN 10 + #define ERR_STAT 11 + #define ERR_WRITE 12 ++#define ERR_PAM_PUTENV 13 + #define BUFLEN 4096 + + /* Just ignore the messages in the conversation function */ +@@ -166,6 +167,34 @@ fail: + return rv; + } + ++static const char *env_names[] = { "SELINUX_ROLE_REQUESTED", ++ "SELINUX_LEVEL_REQUESTED", ++ "SELINUX_USE_CURRENT_RANGE" ++}; ++ ++extern char **environ; ++ ++int ++set_pam_environment(pam_handle_t *pamh) ++{ ++ int i; ++ size_t j; ++ ++ for (j = 0; j < sizeof(env_names)/sizeof(env_names[0]); ++j) { ++ int len = strlen(env_names[j]); ++ ++ for (i = 0; environ[i] != NULL; ++i) { ++ if (strncmp(env_names[j], environ[i], len) == 0 && ++ environ[i][len] == '=') { ++ if (pam_putenv(pamh, environ[i]) != PAM_SUCCESS) ++ return ERR_PAM_PUTENV; ++ } ++ } ++ } ++ ++ return 0; ++} ++ + int + main(int argc, char *argv[]) + { +@@ -183,6 +212,10 @@ main(int argc, char *argv[]) + return ERR_PAM_START; + } + ++ ev = set_pam_environment(pamh); ++ if (ev != 0) ++ goto finish; ++ + retval = pam_open_session(pamh, 
PAM_SILENT); + if (retval != PAM_SUCCESS) { + ev = ERR_OPEN_SESSION; diff --git a/openssh-5.8p1-ldap.patch b/openssh-5.8p1-ldap.patch index ca7183b..0498021 100644 --- a/openssh-5.8p1-ldap.patch +++ b/openssh-5.8p1-ldap.patch @@ -1,7 +1,7 @@ -diff -up openssh-5.6p1/configure.ac.ldap openssh-5.6p1/configure.ac ---- openssh-5.6p1/configure.ac.ldap 2010-10-20 09:21:04.000000000 +0200 -+++ openssh-5.6p1/configure.ac 2010-10-20 09:21:04.000000000 +0200 -@@ -1366,6 +1366,106 @@ AC_ARG_WITH(authorized-keys-command, +diff -up openssh-5.8p1/configure.ac.ldap openssh-5.8p1/configure.ac +--- openssh-5.8p1/configure.ac.ldap 2011-02-28 23:21:05.000000000 +0100 ++++ openssh-5.8p1/configure.ac 2011-02-28 23:21:06.000000000 +0100 +@@ -1434,6 +1434,106 @@ AC_ARG_WITH(authorized-keys-command, ] ) @@ -108,9 +108,27 @@ diff -up openssh-5.6p1/configure.ac.ldap openssh-5.6p1/configure.ac dnl Checks for library functions. Please keep in alphabetical order AC_CHECK_FUNCS( \ arc4random \ -diff -up openssh-5.6p1/ldapbody.c.ldap openssh-5.6p1/ldapbody.c ---- openssh-5.6p1/ldapbody.c.ldap 2010-10-20 09:21:04.000000000 +0200 -+++ openssh-5.6p1/ldapbody.c 2010-10-20 09:21:04.000000000 +0200 +diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap openssh-5.8p1/HOWTO.ldap-keys +--- openssh-5.8p1/HOWTO.ldap-keys.ldap 2011-02-28 23:21:06.000000000 +0100 ++++ openssh-5.8p1/HOWTO.ldap-keys 2011-02-28 23:21:06.000000000 +0100 +@@ -0,0 +1,14 @@ ++ ++1) configure LDAP server ++2) add appropriate schema ++3) insert users into LDAP ++4) on the ssh side set in sshd_config ++AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper ++AuthorizedKeysCommandRunAs ++5) do not forget to set ++PubkeyAuthentication yes ++ ++ ++To debug the ssh-ldap-helper is possible to set ++the necessary flags in the ssh-ldap-wrapper. ++ +diff -up openssh-5.8p1/ldapbody.c.ldap openssh-5.8p1/ldapbody.c +--- openssh-5.8p1/ldapbody.c.ldap 2011-02-28 23:21:06.000000000 +0100 ++++ openssh-5.8p1/ldapbody.c 2011-02-28 23:21:06.000000000 +0100 
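Review bot: `do_setenv(char *name, char *value)` in port-linux.c is handed to `ssh_selinux_setup_variables` whose parameter is `int (*)(const char *, const char *)`, an incompatible function-pointer conversion that compilers diagnose and that is undefined behaviour when called through the mismatched type; declare it `static int do_setenv(const char *name, const char *value)`. If `do_pam_putenv` is likewise declared with `char *` parameters (its prototype is not in this patch) it has the same mismatch and needs a const-correct wrapper of its own. The new `ssh_selinux_setup_env_variables()` is called from auth2-pubkey.c, but no prototype is added to port-linux.h in this patch, so unless one already exists the call is an implicit declaration that the `#ifdef WITH_SELINUX` block does not protect against. In ssh-keycat.c, `set_pam_environment` forwards whatever `SELINUX_*` entries are in the process environment into the PAM handle without further validation, which deserves a comment stating that contract, e.g. `/* forward the SELINUX_* variables sshd exported before exec into PAM */`, and `int len = strlen(env_names[j]);` should be `size_t len` to match strlen and strncmp.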
@@ -0,0 +1,494 @@ +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -606,9 +624,9 @@ diff -up openssh-5.6p1/ldapbody.c.ldap openssh-5.6p1/ldapbody.c + return; +} + -diff -up openssh-5.6p1/ldapbody.h.ldap openssh-5.6p1/ldapbody.h ---- openssh-5.6p1/ldapbody.h.ldap 2010-10-20 09:21:04.000000000 +0200 -+++ openssh-5.6p1/ldapbody.h 2010-10-20 09:21:04.000000000 +0200 +diff -up openssh-5.8p1/ldapbody.h.ldap openssh-5.8p1/ldapbody.h +--- openssh-5.8p1/ldapbody.h.ldap 2011-02-28 23:21:06.000000000 +0100 ++++ openssh-5.8p1/ldapbody.h 2011-02-28 23:21:06.000000000 +0100 @@ -0,0 +1,37 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -647,9 +665,9 @@ diff -up openssh-5.6p1/ldapbody.h.ldap openssh-5.6p1/ldapbody.h + +#endif /* LDAPBODY_H */ + -diff -up openssh-5.6p1/ldapconf.c.ldap openssh-5.6p1/ldapconf.c ---- openssh-5.6p1/ldapconf.c.ldap 2010-10-20 09:21:04.000000000 +0200 -+++ openssh-5.6p1/ldapconf.c 2010-10-20 09:21:04.000000000 +0200 +diff -up openssh-5.8p1/ldapconf.c.ldap openssh-5.8p1/ldapconf.c +--- openssh-5.8p1/ldapconf.c.ldap 2011-02-28 23:21:06.000000000 +0100 ++++ openssh-5.8p1/ldapconf.c 2011-02-28 23:21:06.000000000 +0100 @@ -0,0 +1,682 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1333,9 +1351,9 @@ diff -up openssh-5.6p1/ldapconf.c.ldap openssh-5.6p1/ldapconf.c + dump_cfg_string(lSSH_Filter, options.ssh_filter); +} + -diff -up openssh-5.6p1/ldapconf.h.ldap openssh-5.6p1/ldapconf.h ---- openssh-5.6p1/ldapconf.h.ldap 2010-10-20 09:21:04.000000000 +0200 -+++ openssh-5.6p1/ldapconf.h 2010-10-20 09:21:04.000000000 +0200 +diff -up openssh-5.8p1/ldapconf.h.ldap openssh-5.8p1/ldapconf.h +--- openssh-5.8p1/ldapconf.h.ldap 2011-02-28 23:21:06.000000000 +0100 ++++ openssh-5.8p1/ldapconf.h 2011-02-28 23:21:06.000000000 +0100 @@ -0,0 +1,71 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* 
@@ -1408,9 +1426,9 @@ diff -up openssh-5.6p1/ldapconf.h.ldap openssh-5.6p1/ldapconf.h +void dump_config(void); + +#endif /* LDAPCONF_H */ -diff -up openssh-5.6p1/ldap.conf.ldap openssh-5.6p1/ldap.conf ---- openssh-5.6p1/ldap.conf.ldap 2010-10-20 09:21:04.000000000 +0200 -+++ openssh-5.6p1/ldap.conf 2010-10-20 09:21:04.000000000 +0200 +diff -up openssh-5.8p1/ldap.conf.ldap openssh-5.8p1/ldap.conf +--- openssh-5.8p1/ldap.conf.ldap 2011-02-28 23:21:06.000000000 +0100 ++++ openssh-5.8p1/ldap.conf 2011-02-28 23:21:06.000000000 +0100 @@ -0,0 +1,88 @@ +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $ +# @@ -1500,9 +1518,9 @@ diff -up openssh-5.6p1/ldap.conf.ldap openssh-5.6p1/ldap.conf +#tls_cert +#tls_key + -diff -up openssh-5.6p1/ldap-helper.c.ldap openssh-5.6p1/ldap-helper.c ---- openssh-5.6p1/ldap-helper.c.ldap 2010-10-20 09:21:04.000000000 +0200 -+++ openssh-5.6p1/ldap-helper.c 2010-10-20 09:21:04.000000000 +0200 +diff -up openssh-5.8p1/ldap-helper.c.ldap openssh-5.8p1/ldap-helper.c +--- openssh-5.8p1/ldap-helper.c.ldap 2011-02-28 23:21:06.000000000 +0100 ++++ openssh-5.8p1/ldap-helper.c 2011-02-28 23:21:06.000000000 +0100 @@ -0,0 +1,154 @@ +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1557,7 +1575,7 @@ diff -up openssh-5.6p1/ldap-helper.c.ldap openssh-5.6p1/ldap-helper.c + fprintf(stderr, " -f file Use alternate config file (default is /etc/ssh/ldap.conf).\n"); + fprintf(stderr, " -s user Do not demonize, send the user's key to stdout.\n"); + fprintf(stderr, " -v Increase verbosity of the debug output (implies -d).\n"); -+ fprintf(stderr, " -w Warn on unknown commands int the config file.\n"); ++ fprintf(stderr, " -w Warn on unknown commands in the config file.\n"); + exit(1); +} + 
@@ -1658,9 +1676,9 @@ diff -up openssh-5.6p1/ldap-helper.c.ldap openssh-5.6p1/ldap-helper.c +void *buffer_get_string(Buffer *b, u_int *l) {} +void buffer_put_string(Buffer *b, const void *f, u_int l) {} + -diff -up openssh-5.6p1/ldap-helper.h.ldap openssh-5.6p1/ldap-helper.h ---- openssh-5.6p1/ldap-helper.h.ldap 2010-10-20 09:21:04.000000000 +0200 -+++ openssh-5.6p1/ldap-helper.h 2010-10-20 09:21:04.000000000 +0200 +diff -up openssh-5.8p1/ldap-helper.h.ldap openssh-5.8p1/ldap-helper.h +--- openssh-5.8p1/ldap-helper.h.ldap 2011-02-28 23:21:06.000000000 +0100 ++++ openssh-5.8p1/ldap-helper.h 2011-02-28 23:21:06.000000000 +0100 @@ -0,0 +1,32 @@ +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1694,9 +1712,9 @@ diff -up openssh-5.6p1/ldap-helper.h.ldap openssh-5.6p1/ldap-helper.h +extern int config_warning_config_file; + +#endif /* LDAP_HELPER_H */ -diff -up openssh-5.6p1/ldapincludes.h.ldap openssh-5.6p1/ldapincludes.h ---- openssh-5.6p1/ldapincludes.h.ldap 2010-10-20 09:21:04.000000000 +0200 -+++ openssh-5.6p1/ldapincludes.h 2010-10-20 09:21:04.000000000 +0200 +diff -up openssh-5.8p1/ldapincludes.h.ldap openssh-5.8p1/ldapincludes.h +--- openssh-5.8p1/ldapincludes.h.ldap 2011-02-28 23:21:06.000000000 +0100 ++++ openssh-5.8p1/ldapincludes.h 2011-02-28 23:21:06.000000000 +0100 @@ -0,0 +1,41 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1739,9 +1757,9 @@ diff -up openssh-5.6p1/ldapincludes.h.ldap openssh-5.6p1/ldapincludes.h +#endif + +#endif /* LDAPINCLUDES_H */ -diff -up openssh-5.6p1/ldapmisc.c.ldap openssh-5.6p1/ldapmisc.c ---- openssh-5.6p1/ldapmisc.c.ldap 2010-10-20 09:21:04.000000000 +0200 -+++ openssh-5.6p1/ldapmisc.c 2010-10-20 09:21:04.000000000 +0200 +diff -up openssh-5.8p1/ldapmisc.c.ldap openssh-5.8p1/ldapmisc.c +--- openssh-5.8p1/ldapmisc.c.ldap 2011-02-28 23:21:06.000000000 +0100 ++++ openssh-5.8p1/ldapmisc.c 2011-02-28 23:21:06.000000000 +0100 @@ -0,0 +1,79 @@ + +#include "ldapincludes.h" 
@@ -1822,9 +1840,9 @@ diff -up openssh-5.6p1/ldapmisc.c.ldap openssh-5.6p1/ldapmisc.c +} +#endif + -diff -up openssh-5.6p1/ldapmisc.h.ldap openssh-5.6p1/ldapmisc.h ---- openssh-5.6p1/ldapmisc.h.ldap 2010-10-20 09:21:04.000000000 +0200 -+++ openssh-5.6p1/ldapmisc.h 2010-10-20 09:21:04.000000000 +0200 +diff -up openssh-5.8p1/ldapmisc.h.ldap openssh-5.8p1/ldapmisc.h +--- openssh-5.8p1/ldapmisc.h.ldap 2011-02-28 23:21:06.000000000 +0100 ++++ openssh-5.8p1/ldapmisc.h 2011-02-28 23:21:06.000000000 +0100 @@ -0,0 +1,35 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1861,9 +1879,9 @@ diff -up openssh-5.6p1/ldapmisc.h.ldap openssh-5.6p1/ldapmisc.h + +#endif /* LDAPMISC_H */ + -diff -up openssh-5.6p1/lpk-user-example.txt.ldap openssh-5.6p1/lpk-user-example.txt ---- openssh-5.6p1/lpk-user-example.txt.ldap 2010-10-20 09:21:04.000000000 +0200 -+++ openssh-5.6p1/lpk-user-example.txt 2010-10-20 09:21:04.000000000 +0200 +diff -up openssh-5.8p1/lpk-user-example.txt.ldap openssh-5.8p1/lpk-user-example.txt +--- openssh-5.8p1/lpk-user-example.txt.ldap 2011-02-28 23:21:06.000000000 +0100 ++++ openssh-5.8p1/lpk-user-example.txt 2011-02-28 23:21:06.000000000 +0100 @@ -0,0 +1,117 @@ + +Post to ML -> User Made Quick Install Doc. 
@@ -1982,18 +2000,19 @@ diff -up openssh-5.6p1/lpk-user-example.txt.ldap openssh-5.6p1/lpk-user-example. +puTTY). Login should succeed. + +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -diff -up openssh-5.6p1/Makefile.in.ldap openssh-5.6p1/Makefile.in ---- openssh-5.6p1/Makefile.in.ldap 2010-10-20 09:21:03.000000000 +0200 -+++ openssh-5.6p1/Makefile.in 2010-10-20 10:36:39.000000000 +0200 -@@ -26,6 +26,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas +diff -up openssh-5.8p1/Makefile.in.ldap openssh-5.8p1/Makefile.in +--- openssh-5.8p1/Makefile.in.ldap 2011-02-28 23:21:03.000000000 +0100 ++++ openssh-5.8p1/Makefile.in 2011-02-28 23:21:06.000000000 +0100 +@@ -26,6 +26,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper +SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper ++SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper RAND_HELPER=$(libexecdir)/ssh-rand-helper PRIVSEP_PATH=@PRIVSEP_PATH@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ -@@ -61,8 +62,9 @@ EXEEXT=@EXEEXT@ +@@ -63,8 +65,9 @@ MANFMT=@MANFMT@ INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@ @@ -2004,7 +2023,7 @@ diff -up openssh-5.6p1/Makefile.in.ldap openssh-5.6p1/Makefile.in LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ -@@ -94,8 +96,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw +@@ -96,8 +99,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw sftp-server.o sftp-common.o \ roaming_common.o roaming_serv.o 
@@ -2015,7 +2034,7 @@ diff -up openssh-5.6p1/Makefile.in.ldap openssh-5.6p1/Makefile.in MANTYPE = @MANTYPE@ CONFIGFILES=sshd_config.out ssh_config.out moduli.out -@@ -163,6 +165,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss +@@ -166,6 +169,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) @@ -2025,17 +2044,18 @@ diff -up openssh-5.6p1/Makefile.in.ldap openssh-5.6p1/Makefile.in ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -@@ -267,6 +272,9 @@ install-files: +@@ -270,6 +276,10 @@ install-files: fi $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) + if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \ + $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ ++ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ + fi $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -@@ -286,6 +294,10 @@ install-files: +@@ -289,6 +299,10 @@ install-files: $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 
@@ -2046,7 +2066,7 @@ diff -up openssh-5.6p1/Makefile.in.ldap openssh-5.6p1/Makefile.in -rm -f $(DESTDIR)$(bindir)/slogin ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 -@@ -322,6 +334,13 @@ install-sysconf: +@@ -325,6 +339,13 @@ install-sysconf: else \ echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \ fi @@ -2060,7 +2080,7 @@ diff -up openssh-5.6p1/Makefile.in.ldap openssh-5.6p1/Makefile.in host-key: ssh-keygen$(EXEEXT) @if [ -z "$(DESTDIR)" ] ; then \ -@@ -385,6 +404,7 @@ uninstall: +@@ -396,6 +417,7 @@ uninstall: -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 @@ -2068,9 +2088,9 @@ diff -up openssh-5.6p1/Makefile.in.ldap openssh-5.6p1/Makefile.in -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 tests interop-tests: $(TARGETS) -diff -up openssh-5.6p1/openssh-lpk-openldap.schema.ldap openssh-5.6p1/openssh-lpk-openldap.schema ---- openssh-5.6p1/openssh-lpk-openldap.schema.ldap 2010-10-20 09:21:04.000000000 +0200 -+++ openssh-5.6p1/openssh-lpk-openldap.schema 2010-10-20 09:21:04.000000000 +0200 +diff -up openssh-5.8p1/openssh-lpk-openldap.schema.ldap openssh-5.8p1/openssh-lpk-openldap.schema +--- openssh-5.8p1/openssh-lpk-openldap.schema.ldap 2011-02-28 23:21:06.000000000 +0100 ++++ openssh-5.8p1/openssh-lpk-openldap.schema 2011-02-28 23:21:06.000000000 +0100 @@ -0,0 +1,21 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey 
@@ -2093,9 +2113,9 @@ diff -up openssh-5.6p1/openssh-lpk-openldap.schema.ldap openssh-5.6p1/openssh-lp + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -diff -up openssh-5.6p1/openssh-lpk-sun.schema.ldap openssh-5.6p1/openssh-lpk-sun.schema ---- openssh-5.6p1/openssh-lpk-sun.schema.ldap 2010-10-20 09:21:04.000000000 +0200 -+++ openssh-5.6p1/openssh-lpk-sun.schema 2010-10-20 09:21:04.000000000 +0200 +diff -up openssh-5.8p1/openssh-lpk-sun.schema.ldap openssh-5.8p1/openssh-lpk-sun.schema +--- openssh-5.8p1/openssh-lpk-sun.schema.ldap 2011-02-28 23:21:06.000000000 +0100 ++++ openssh-5.8p1/openssh-lpk-sun.schema 2011-02-28 23:21:06.000000000 +0100 @@ -0,0 +1,23 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey @@ -2120,9 +2140,9 @@ diff -up openssh-5.6p1/openssh-lpk-sun.schema.ldap openssh-5.6p1/openssh-lpk-sun + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -diff -up openssh-5.6p1/README.lpk.ldap openssh-5.6p1/README.lpk ---- openssh-5.6p1/README.lpk.ldap 2010-10-20 09:21:04.000000000 +0200 -+++ openssh-5.6p1/README.lpk 2010-10-20 09:21:04.000000000 +0200 +diff -up openssh-5.8p1/README.lpk.ldap openssh-5.8p1/README.lpk +--- openssh-5.8p1/README.lpk.ldap 2011-02-28 23:21:06.000000000 +0100 ++++ openssh-5.8p1/README.lpk 2011-02-28 23:21:06.000000000 +0100 @@ -0,0 +1,274 @@ +OpenSSH LDAP PUBLIC KEY PATCH +Copyright (c) 2003 Eric AUGE (eau@phear.org) 
@@ -2398,9 +2418,9 @@ diff -up openssh-5.6p1/README.lpk.ldap openssh-5.6p1/README.lpk +- CONTACT : + Jan F. Chadima + -diff -up openssh-5.6p1/ssh-ldap.conf.5.ldap openssh-5.6p1/ssh-ldap.conf.5 ---- openssh-5.6p1/ssh-ldap.conf.5.ldap 2010-10-20 09:21:04.000000000 +0200 -+++ openssh-5.6p1/ssh-ldap.conf.5 2010-10-20 09:21:04.000000000 +0200 +diff -up openssh-5.8p1/ssh-ldap.conf.5.ldap openssh-5.8p1/ssh-ldap.conf.5 +--- openssh-5.8p1/ssh-ldap.conf.5.ldap 2011-02-28 23:21:06.000000000 +0100 ++++ openssh-5.8p1/ssh-ldap.conf.5 2011-02-28 23:21:06.000000000 +0100 @@ -0,0 +1,373 @@ +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" @@ -2775,9 +2795,9 @@ diff -up openssh-5.6p1/ssh-ldap.conf.5.ldap openssh-5.6p1/ssh-ldap.conf.5 +OpenSSH 5.5 + PKA-LDAP . +.Sh AUTHORS +.An Jan F. Chadima Aq jchadima@redhat.com -diff -up openssh-5.6p1/ssh-ldap-helper.8.ldap openssh-5.6p1/ssh-ldap-helper.8 ---- openssh-5.6p1/ssh-ldap-helper.8.ldap 2010-10-20 09:21:04.000000000 +0200 -+++ openssh-5.6p1/ssh-ldap-helper.8 2010-10-20 09:21:04.000000000 +0200 +diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap openssh-5.8p1/ssh-ldap-helper.8 +--- openssh-5.8p1/ssh-ldap-helper.8.ldap 2011-02-28 23:21:06.000000000 +0100 ++++ openssh-5.8p1/ssh-ldap-helper.8 2011-02-28 23:21:06.000000000 +0100 @@ -0,0 +1,78 @@ +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" @@ -2857,3 +2877,11 @@ diff -up openssh-5.6p1/ssh-ldap-helper.8.ldap openssh-5.6p1/ssh-ldap-helper.8 +OpenSSH 5.5 + PKA-LDAP . +.Sh AUTHORS +.An Jan F. Chadima Aq jchadima@redhat.com +diff -up openssh-5.8p1/ssh-ldap-wrapper.ldap openssh-5.8p1/ssh-ldap-wrapper +--- openssh-5.8p1/ssh-ldap-wrapper.ldap 2011-02-28 23:21:07.000000000 +0100 ++++ openssh-5.8p1/ssh-ldap-wrapper 2011-02-28 23:21:07.000000000 +0100 +@@ -0,0 +1,4 @@ ++#!/bin/sh ++ ++exec /usr/libexec/openssh/ssh-ldap-helper -s "$1" ++ diff --git a/openssh-5.8p1-ldap2.patch b/openssh-5.8p1-ldap2.patch index 416c93e..e69de29 100644 
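Review bot: The wrapper hardcodes `/usr/libexec/openssh/ssh-ldap-helper`, while the Makefile.in hunk installs the helper at `$(DESTDIR)$(SSH_LDAP_HELPER)` derived from `$(libexecdir)`, so a non-default libexecdir leaves the installed wrapper pointing at a missing binary. Generating the path at install time, or at least a comment such as `# must match SSH_LDAP_HELPER in Makefile.in`, would keep the two in step. The HOWTO hunk names the same fixed path for `AuthorizedKeysCommand`, so any change should be made in all three places.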
--- a/openssh-5.8p1-ldap2.patch
+++ b/openssh-5.8p1-ldap2.patch
@@ -1,57 +0,0 @@ -diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap2 openssh-5.8p1/HOWTO.ldap-keys ---- openssh-5.8p1/HOWTO.ldap-keys.ldap2 2011-02-25 11:48:59.000000000 +0100 -+++ openssh-5.8p1/HOWTO.ldap-keys 2011-02-25 11:48:59.000000000 +0100 -@@ -0,0 +1,14 @@ -+ -+1) configure LDAP server -+2) add appropriate schema -+3) insert users into LDAP -+4) on the ssh side set in sshd_config -+AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper -+AuthorizedKeysCommandRunAs -+5) do not forget to set -+PubkeyAuthentication yes -+ -+ -+To debug the ssh-ldap-helper is possible to set -+the necessary flags in the ssh-ldap-wrapper. -+ -diff -up openssh-5.8p1/ldap-helper.c.ldap2 openssh-5.8p1/ldap-helper.c ---- openssh-5.8p1/ldap-helper.c.ldap2 2011-02-25 11:48:59.000000000 +0100 -+++ openssh-5.8p1/ldap-helper.c 2011-02-25 11:48:59.000000000 +0100 -@@ -51,7 +51,7 @@ usage(void) - fprintf(stderr, " -f file Use alternate config file (default is /etc/ssh/ldap.conf).\n"); - fprintf(stderr, " -s user Do not demonize, send the user's key to stdout.\n"); - fprintf(stderr, " -v Increase verbosity of the debug output (implies -d).\n"); -- fprintf(stderr, " -w Warn on unknown commands int the config file.\n"); -+ fprintf(stderr, " -w Warn on unknown commands in the config file.\n"); - exit(1); - } - -diff -up openssh-5.8p1/Makefile.in.ldap2 openssh-5.8p1/Makefile.in ---- openssh-5.8p1/Makefile.in.ldap2 2011-02-25 11:48:59.000000000 +0100 -+++ openssh-5.8p1/Makefile.in 2011-02-25 11:55:59.000000000 +0100 -@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server - SSH_KEYSIGN=$(libexecdir)/ssh-keysign - SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper - SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper -+SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper - RAND_HELPER=$(libexecdir)/ssh-rand-helper - PRIVSEP_PATH=@PRIVSEP_PATH@ - SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ -@@ -277,6 +278,7 @@ install-files: - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) 
$(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) - if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \ - $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ -+ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ - fi - $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) -diff -up openssh-5.8p1/ssh-ldap-wrapper.ldap2 openssh-5.8p1/ssh-ldap-wrapper ---- openssh-5.8p1/ssh-ldap-wrapper.ldap2 2011-02-25 11:48:59.000000000 +0100 -+++ openssh-5.8p1/ssh-ldap-wrapper 2011-02-25 11:48:59.000000000 +0100 -@@ -0,0 +1,4 @@ -+#!/bin/sh -+ -+exec /usr/libexec/openssh/ssh-ldap-helper -s "$1" -+ diff --git a/openssh.spec b/openssh.spec index 03c5f8f..a328322 100644 --- a/openssh.spec +++ b/openssh.spec @@ -71,7 +71,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %define openssh_ver 5.8p1 -%define openssh_rel 11 +%define openssh_rel 12 %define pam_ssh_agent_ver 0.9.2 %define pam_ssh_agent_rel 30 @@ -152,6 +152,7 @@ Patch56: openssh-5.2p1-edns.patch Patch57: openssh-5.1p1-scp-manpage.patch #? Patch58: openssh-5.8p1-keycat.patch +Patch158: openssh-5.8p1-keycat2.patch #http://www.sxw.org.uk/computing/patches/openssh.html Patch60: openssh-5.8p1-gsskex.patch #? @@ -347,6 +348,7 @@ popd %patch56 -p1 -b .edns %patch57 -p1 -b .manpage %patch58 -p1 -b .keycat +%patch158 -p1 -b .keycat2 %patch60 -p1 -b .gsskex %patch61 -p1 -b .canohost @@ -641,6 +643,9 @@ fi %endif %changelog +* Tue Mar 1 2011 Jan F. Chadima - 5.8p1-12 + 0.9.2-30 +- improove ssk-keycat + * Mon Feb 28 2011 Jan F. Chadima - 5.8p1-11 + 0.9.2-30 - add ssk-keycat