diff --git a/openssh-4.3p2-no-v6only.patch b/openssh-4.3p2-no-v6only.patch
deleted file mode 100644
index a789812..0000000
--- a/openssh-4.3p2-no-v6only.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- openssh-4.3p2/channels.c.no-v6only 2006-07-17 15:39:31.000000000 +0200
-+++ openssh-4.3p2/channels.c 2006-08-08 12:44:51.000000000 +0200
-@@ -2794,7 +2794,7 @@
- }
- }
- #ifdef IPV6_V6ONLY
-- if (ai->ai_family == AF_INET6) {
-+ if (x11_use_localhost && ai->ai_family == AF_INET6) {
- int on = 1;
- if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0)
- error("setsockopt IPV6_V6ONLY: %.100s", strerror(errno));
diff --git a/openssh-5.2p1-engine.patch b/openssh-5.2p1-engine.patch
deleted file mode 100644
index 132653d..0000000
--- a/openssh-5.2p1-engine.patch
+++ /dev/null
@@ -1,9 +0,0 @@
---- openssh-5.2p1/openbsd-compat/openssl-compat.c~ 2010-01-27 17:36:29.000000000 -0500
-+++ openssh-5.2p1/openbsd-compat/openssl-compat.c 2010-01-28 10:52:53.000000000 -0500
-@@ -58,5 +58,6 @@
- /* Enable use of crypto hardware */
- ENGINE_load_builtin_engines();
- ENGINE_register_all_complete();
-+ OPENSSL_config(NULL);
- }
- #endif
diff --git a/openssh-5.2p1-sesftp.patch b/openssh-5.2p1-sesftp.patch
deleted file mode 100644
index 3470e8f..0000000
--- a/openssh-5.2p1-sesftp.patch
+++ /dev/null
@@ -1,64 +0,0 @@ -diff -up openssh-5.2p1/openbsd-compat/port-linux.c.sesftp openssh-5.2p1/openbsd-compat/port-linux.c ---- openssh-5.2p1/openbsd-compat/port-linux.c.sesftp 2009-08-12 00:29:37.712368892 +0200 -+++ openssh-5.2p1/openbsd-compat/port-linux.c 2009-08-12 00:29:37.732544890 +0200 -@@ -469,4 +469,36 @@ ssh_selinux_setup_pty(char *pwname, cons - freecon(user_ctx); - debug3("%s: done", __func__); - } -+ -+void -+ssh_selinux_change_context(const char *newname) -+{ -+ int len, newlen; -+ char *oldctx, *newctx, *cx; -+ -+ if (!ssh_selinux_enabled()) -+ return; -+ -+ if (getcon((security_context_t *)&oldctx) < 0) { -+ logit("%s: getcon failed with %s", __func__, strerror (errno)); -+ return; -+ } -+ if ((cx = index(oldctx, ':')) == NULL || (cx = index(cx + 1, ':')) == NULL) { -+ logit ("%s: unparseable context %s", __func__, oldctx); -+ return; -+ } -+ -+ newlen = strlen(oldctx) + strlen(newname) + 1; -+ newctx = xmalloc(newlen); -+ len = cx - oldctx + 1; -+ memcpy(newctx, oldctx, len); -+ strlcpy(newctx + len, newname, newlen - len); -+ if ((cx = index(cx + 1, ':'))) -+ strlcat(newctx, cx, newlen); -+ debug3("%s: setting context from '%s' to '%s'", __func__, oldctx, newctx); -+ if (setcon(newctx) < 0) -+ logit("%s: setcon failed with %s", __func__, strerror (errno)); -+ xfree(oldctx); -+ xfree(newctx); -+} - #endif /* WITH_SELINUX */ -diff -up openssh-5.2p1/openbsd-compat/port-linux.h.sesftp openssh-5.2p1/openbsd-compat/port-linux.h ---- openssh-5.2p1/openbsd-compat/port-linux.h.sesftp 2008-03-26 21:27:21.000000000 +0100 -+++ openssh-5.2p1/openbsd-compat/port-linux.h 2009-08-12 00:29:37.733388083 +0200 -@@ -23,6 +23,7 @@ - int ssh_selinux_enabled(void); - void ssh_selinux_setup_pty(char *, const char *); - void ssh_selinux_setup_exec_context(char *); -+void ssh_selinux_change_context(const char *); - #endif - - #endif /* ! 
_PORT_LINUX_H */
-diff -up openssh-5.2p1/session.c.sesftp openssh-5.2p1/session.c
---- openssh-5.2p1/session.c.sesftp 2009-08-12 00:29:37.659250161 +0200
-+++ openssh-5.2p1/session.c 2009-08-12 00:29:37.729578695 +0200
-@@ -1798,6 +1798,9 @@ do_child(Session *s, const char *command
- argv[i] = NULL;
- optind = optreset = 1;
- __progname = argv[0];
-+#ifdef WITH_SELINUX
-+ ssh_selinux_change_context("sftpd_t");
-+#endif
- exit(sftp_server_main(i, argv, s->pw));
- }
- 
diff --git a/openssh-5.3p1-nss-keys.patch b/openssh-5.3p1-nss-keys.patch
deleted file mode 100644
index 50a6441..0000000
--- a/openssh-5.3p1-nss-keys.patch
+++ /dev/null
@@ -1,1522 +0,0 @@ -diff -up openssh-5.3p1/authfd.c.nss-keys openssh-5.3p1/authfd.c ---- openssh-5.3p1/authfd.c.nss-keys 2006-09-01 07:38:36.000000000 +0200 -+++ openssh-5.3p1/authfd.c 2009-11-27 13:43:00.000000000 +0100 -@@ -626,6 +626,45 @@ ssh_update_card(AuthenticationConnection - return decode_reply(type); - } - -+int -+ssh_update_nss_key(AuthenticationConnection *auth, int add, -+ const char *tokenname, const char *keyname, -+ const char *pass, u_int life, u_int confirm) -+{ -+ Buffer msg; -+ int type, constrained = (life || confirm); -+ -+ if (add) { -+ type = constrained ? -+ SSH_AGENTC_ADD_NSS_KEY_CONSTRAINED : -+ SSH_AGENTC_ADD_NSS_KEY; -+ } else -+ type = SSH_AGENTC_REMOVE_NSS_KEY; -+ -+ buffer_init(&msg); -+ buffer_put_char(&msg, type); -+ buffer_put_cstring(&msg, tokenname); -+ buffer_put_cstring(&msg, keyname); -+ buffer_put_cstring(&msg, pass); -+ -+ if (constrained) { -+ if (life != 0) { -+ buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME); -+ buffer_put_int(&msg, life); -+ } -+ if (confirm != 0) -+ buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_CONFIRM); -+ } -+ -+ if (ssh_request_reply(auth, &msg, &msg) == 0) { -+ buffer_free(&msg); -+ return 0; -+ } -+ type = buffer_get_char(&msg); -+ buffer_free(&msg); -+ return decode_reply(type); -+} -+ - /* - * Removes all identities from the agent. This call is not meant to be used - * by normal applications. 
-diff -up openssh-5.3p1/authfd.h.nss-keys openssh-5.3p1/authfd.h ---- openssh-5.3p1/authfd.h.nss-keys 2006-08-05 04:39:39.000000000 +0200 -+++ openssh-5.3p1/authfd.h 2009-11-27 13:43:01.000000000 +0100 -@@ -49,6 +49,12 @@ - #define SSH2_AGENTC_ADD_ID_CONSTRAINED 25 - #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26 - -+/* nss */ -+#define SSH_AGENTC_ADD_NSS_KEY 30 -+#define SSH_AGENTC_REMOVE_NSS_KEY 31 -+#define SSH_AGENTC_ADD_NSS_KEY_CONSTRAINED 32 -+ -+ - #define SSH_AGENT_CONSTRAIN_LIFETIME 1 - #define SSH_AGENT_CONSTRAIN_CONFIRM 2 - -@@ -83,6 +89,8 @@ int ssh_remove_all_identities(Authentic - int ssh_lock_agent(AuthenticationConnection *, int, const char *); - int ssh_update_card(AuthenticationConnection *, int, const char *, - const char *, u_int, u_int); -+int ssh_update_nss_key(AuthenticationConnection *, int, const char *, -+ const char *, const char *, u_int, u_int); - - int - ssh_decrypt_challenge(AuthenticationConnection *, Key *, BIGNUM *, u_char[16], -diff -up openssh-5.3p1/configure.ac.nss-keys openssh-5.3p1/configure.ac ---- openssh-5.3p1/configure.ac.nss-keys 2009-11-27 13:42:57.000000000 +0100 -+++ openssh-5.3p1/configure.ac 2009-11-27 13:48:44.000000000 +0100 -@@ -3526,6 +3526,21 @@ AC_ARG_WITH(kerberos5, - ] - ) - -+# Check whether user wants NSS support -+LIBNSS_MSG="no" -+AC_ARG_WITH(nss, -+ [ --with-nss Enable NSS support], -+ [ if test "x$withval" != "xno" ; then -+ AC_DEFINE(HAVE_LIBNSS,1,[Define if you want NSS support.]) -+ LIBNSS_MSG="yes" -+ CPPFLAGS="$CPPFLAGS -I/usr/include/nss3 -I/usr/include/nspr4" -+ AC_CHECK_HEADERS(pk11pub.h) -+ LIBS="$LIBS -lnss3 -lplc4" -+ AC_CHECK_DECLS([SEC_ERROR_LOCKED_PASSWORD], [], [], [#include ]) -+ fi -+ ]) -+AC_SUBST(LIBNSS) -+ - # Looking for programs, paths and files - - PRIVSEP_PATH=/var/empty -@@ -4253,6 +4269,7 @@ echo " TCP Wrappers support - echo " MD5 password support: $MD5_MSG" - echo " libedit support: $LIBEDIT_MSG" - echo " Solaris process contract support: $SPC_MSG" -+echo " NSS support: 
$LIBNSS_MSG" - echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" - echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" - echo " BSD Auth support: $BSD_AUTH_MSG" -diff -up openssh-5.3p1/key.c.nss-keys openssh-5.3p1/key.c ---- openssh-5.3p1/key.c.nss-keys 2008-11-03 09:24:17.000000000 +0100 -+++ openssh-5.3p1/key.c 2009-11-27 13:43:01.000000000 +0100 -@@ -96,6 +96,54 @@ key_new(int type) - return k; - } - -+#ifdef HAVE_LIBNSS -+Key * -+key_new_nss(int type) -+{ -+ Key *k = key_new(type); -+ -+ k->nss = xcalloc(1, sizeof(*k->nss)); -+ k->flags = KEY_FLAG_EXT | KEY_FLAG_NSS; -+ -+ return k; -+} -+ -+Key * -+key_new_nss_copy(int type, const Key *c) -+{ -+ Key *k = key_new_nss(type); -+ -+ switch (k->type) { -+ case KEY_RSA: -+ if ((BN_copy(k->rsa->n, c->rsa->n) == NULL) || -+ (BN_copy(k->rsa->e, c->rsa->e) == NULL)) -+ fatal("key_new_nss_copy: BN_copy failed"); -+ break; -+ case KEY_DSA: -+ if ((BN_copy(k->dsa->p, c->rsa->p) == NULL) || -+ (BN_copy(k->dsa->q, c->dsa->q) == NULL) || -+ (BN_copy(k->dsa->g, c->dsa->g) == NULL) || -+ (BN_copy(k->dsa->pub_key, c->dsa->pub_key) == NULL)) -+ fatal("key_new_nss_copy: BN_copy failed"); -+ break; -+ } -+ -+ k->nss->privk = SECKEY_CopyPrivateKey(c->nss->privk); -+ if (k->nss->privk == NULL) -+ fatal("key_new_nss_copy: SECKEY_CopyPrivateKey failed"); -+ -+ k->nss->pubk = SECKEY_CopyPublicKey(c->nss->pubk); -+ if (k->nss->pubk == NULL) -+ fatal("key_new_nss_copy: SECKEY_CopyPublicKey failed"); -+ -+ if (c->nss->privk->wincx) -+ k->nss->privk->wincx = xstrdup(c->nss->privk->wincx); -+ -+ return k; -+} -+#endif -+ -+ - Key * - key_new_private(int type) - { -@@ -151,6 +199,19 @@ key_free(Key *k) - fatal("key_free: bad key type %d", k->type); - break; - } -+#ifdef HAVE_LIBNSS -+ if (k->flags & KEY_FLAG_NSS) { -+ if (k->nss->privk != NULL && k->nss->privk->wincx != NULL) { -+ memset(k->nss->privk->wincx, 0, -+ strlen(k->nss->privk->wincx)); -+ xfree(k->nss->privk->wincx); -+ k->nss->privk->wincx = NULL; -+ } -+ 
SECKEY_DestroyPrivateKey(k->nss->privk); -+ SECKEY_DestroyPublicKey(k->nss->pubk); -+ xfree(k->nss); -+ } -+#endif - xfree(k); - } - -diff -up openssh-5.3p1/key.h.nss-keys openssh-5.3p1/key.h ---- openssh-5.3p1/key.h.nss-keys 2008-06-12 20:40:35.000000000 +0200 -+++ openssh-5.3p1/key.h 2009-11-27 13:43:01.000000000 +0100 -@@ -29,11 +29,17 @@ - #include - #include - -+#ifdef HAVE_LIBNSS -+#include -+#include -+#endif -+ - typedef struct Key Key; - enum types { - KEY_RSA1, - KEY_RSA, - KEY_DSA, -+ KEY_NSS, - KEY_UNSPEC - }; - enum fp_type { -@@ -48,16 +54,30 @@ enum fp_rep { - - /* key is stored in external hardware */ - #define KEY_FLAG_EXT 0x0001 -+#define KEY_FLAG_NSS 0x0002 -+ -+#ifdef HAVE_LIBNSS -+typedef struct NSSKey NSSKey; -+struct NSSKey { -+ SECKEYPrivateKey *privk; -+ SECKEYPublicKey *pubk; -+}; -+#endif - - struct Key { - int type; - int flags; - RSA *rsa; - DSA *dsa; -+#ifdef HAVE_LIBNSS -+ NSSKey *nss; -+#endif - }; - - Key *key_new(int); - Key *key_new_private(int); -+Key *key_new_nss(int); -+Key *key_new_nss_copy(int, const Key *); - void key_free(Key *); - Key *key_demote(const Key *); - int key_equal(const Key *, const Key *); -diff -up openssh-5.3p1/Makefile.in.nss-keys openssh-5.3p1/Makefile.in ---- openssh-5.3p1/Makefile.in.nss-keys 2009-08-28 02:47:38.000000000 +0200 -+++ openssh-5.3p1/Makefile.in 2009-11-27 13:43:01.000000000 +0100 -@@ -71,7 +71,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b - atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ - monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ - kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \ -- entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o -+ entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o nsskeys.o - - SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ - sshconnect.o sshconnect1.o sshconnect2.o mux.o \ -diff -up /dev/null openssh-5.3p1/nsskeys.c ---- /dev/null 2009-11-27 11:08:21.619709673 +0100 -+++ 
openssh-5.3p1/nsskeys.c 2009-11-27 13:45:42.000000000 +0100 -@@ -0,0 +1,443 @@ -+/* -+ * Copyright (c) 2001 Markus Friedl. All rights reserved. -+ * Copyright (c) 2007 Red Hat, Inc. All rights reserved. -+ * Copyright (c) 2009 Pierre Ossman for Cendio AB -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-+ */ -+ -+#include "includes.h" -+#ifdef HAVE_LIBNSS -+ -+#include -+ -+#include -+#include -+#include -+ -+#include -+ -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "xmalloc.h" -+#include "key.h" -+#include "log.h" -+#include "misc.h" -+#include "nsskeys.h" -+#include "pathnames.h" -+ -+static char * -+password_cb(PK11SlotInfo *slot, PRBool retry, void *arg) -+{ -+ char *password = arg; -+ if (retry || password == NULL) -+ return NULL; -+ -+ return PL_strdup(password); -+} -+ -+int -+nss_init(PK11PasswordFunc pwfn) -+{ -+ char *dbpath; -+ char buf[MAXPATHLEN]; -+ -+ if (NSS_IsInitialized()) -+ return 0; -+ -+ if ((dbpath=getenv("NSS_DB_PATH")) == NULL) { -+ struct passwd *pw; -+ if ((pw = getpwuid(getuid())) == NULL || -+ pw->pw_dir == NULL) { -+ return -1; -+ } -+ snprintf(buf, sizeof(buf), "%s/%s", pw->pw_dir, -+ _PATH_SSH_USER_DIR); -+ dbpath = buf; -+ } -+ -+ if (NSS_Init(dbpath) != SECSuccess) { -+ debug("Failed to initialize NSS library. Attempting without DB..."); -+ if (NSS_NoDB_Init(NULL) != SECSuccess) -+ return -1; -+ } -+ -+ if (pwfn == NULL) { -+ pwfn = password_cb; -+ } -+ -+ PK11_SetPasswordFunc(pwfn); -+ -+ return 0; -+} -+ -+int -+nss_load_module(const char *modpath) -+{ -+ char spec[MAXPATHLEN + 40]; -+ SECMODModule *module; -+ -+ debug("loading PKCS#11 module '%s'", modpath); -+ -+ snprintf(spec, sizeof(spec), "library=\"%s\" name=\"Foobar\"", modpath); -+ module = SECMOD_LoadUserModule(spec, NULL, PR_FALSE); -+ if (!module || !module->loaded) { -+ if (module) -+ SECMOD_DestroyModule(module); -+ return -1; -+ } -+ -+ return 0; -+} -+ -+static Key * -+make_key_from_privkey(SECKEYPrivateKey *privk, char *password) -+{ -+ Key *k; -+ switch (SECKEY_GetPrivateKeyType(privk)) { -+ case rsaKey: -+ k = key_new_nss(KEY_RSA); -+ break; -+ case dsaKey: -+ k = key_new_nss(KEY_DSA); -+ break; -+ default: -+ return NULL; -+ } -+ k->nss->pubk = SECKEY_ConvertToPublicKey(privk); -+ if (k->nss->pubk != NULL) { -+ k->nss->privk 
= SECKEY_CopyPrivateKey(privk); -+ } -+ if (k->nss->privk != NULL) { -+ if (password != NULL) { -+ k->nss->privk->wincx = xstrdup(password); -+ } -+ return k; -+ } -+ key_free(k); -+ return NULL; -+} -+ -+static Key ** -+add_key_to_list(Key *k, Key **keys, size_t *i, size_t *allocated) -+{ -+ if (*allocated < *i + 2) { -+ *allocated += 16; -+ keys = xrealloc(keys, *allocated, sizeof(k)); -+ } -+ keys[*i] = k; -+ (*i)++; -+ keys[*i] = NULL; -+ return keys; -+} -+ -+static int -+nss_convert_pubkey(Key *k) -+{ -+ u_char *n; -+ unsigned int len; -+ char *p; -+ -+ switch (k->type) { -+ case KEY_RSA: -+ n = k->nss->pubk->u.rsa.modulus.data; -+ len = k->nss->pubk->u.rsa.modulus.len; -+ -+ if (BN_bin2bn(n, len, k->rsa->n) == NULL) { -+ fatal("nss_convert_pubkey: BN_bin2bn failed"); -+ } -+ -+ n = k->nss->pubk->u.rsa.publicExponent.data; -+ len = k->nss->pubk->u.rsa.publicExponent.len; -+ -+ if (BN_bin2bn(n, len, k->rsa->e) == NULL) { -+ fatal("nss_convert_pubkey: BN_bin2bn failed"); -+ } -+ break; -+ case KEY_DSA: -+ n = k->nss->pubk->u.dsa.params.prime.data; -+ len = k->nss->pubk->u.dsa.params.prime.len; -+ -+ if (BN_bin2bn(n, len, k->dsa->p) == NULL) { -+ fatal("nss_convert_pubkey: BN_bin2bn failed"); -+ } -+ -+ n = k->nss->pubk->u.dsa.params.subPrime.data; -+ len = k->nss->pubk->u.dsa.params.subPrime.len; -+ -+ if (BN_bin2bn(n, len, k->dsa->q) == NULL) { -+ fatal("nss_convert_pubkey: BN_bin2bn failed"); -+ } -+ -+ n = k->nss->pubk->u.dsa.params.base.data; -+ len = k->nss->pubk->u.dsa.params.base.len; -+ -+ if (BN_bin2bn(n, len, k->dsa->g) == NULL) { -+ fatal("nss_convert_pubkey: BN_bin2bn failed"); -+ } -+ -+ n = k->nss->pubk->u.dsa.publicValue.data; -+ len = k->nss->pubk->u.dsa.publicValue.len; -+ -+ if (BN_bin2bn(n, len, k->dsa->pub_key) == NULL) { -+ fatal("nss_convert_pubkey: BN_bin2bn failed"); -+ } -+ break; -+ } -+ -+ p = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX); -+ debug("fingerprint %u %s", key_size(k), p); -+ xfree(p); -+ -+ return 0; -+} -+ -+static int 
-+nss_authenticate(PK11SlotInfo *slot, char *password, int pwprompts, char **output) -+{ -+ int i, quit; -+ -+ *output = NULL; -+ -+ if (!PK11_NeedLogin(slot)) -+ return 0; -+ -+ for (i = 0; i < pwprompts; i++) { -+ SECStatus rv; -+ CK_TOKEN_INFO info; -+ -+ rv = PK11_GetTokenInfo(slot, &info); -+ if (rv != SECSuccess) { -+ error("Failed to get information for token %s", -+ PK11_GetTokenName(slot)); -+ return -1; -+ } -+ -+ if (info.flags & CKF_USER_PIN_LOCKED) { -+ error("Passphrase for token %s is locked", -+ PK11_GetTokenName(slot)); -+ return -1; -+ } -+ -+ if (info.flags & CKF_USER_PIN_FINAL_TRY) -+ debug2("Final passphrase attempt for token %s", -+ PK11_GetTokenName(slot)); -+ else if (info.flags & CKF_USER_PIN_COUNT_LOW) -+ debug2("Previous failed passphrase attempt for token %s", -+ PK11_GetTokenName(slot)); -+ -+ if (password != NULL) -+ *output = xstrdup(password); -+ else { -+ char *prompt; -+ if (asprintf(&prompt, "Enter passphrase for token %s: ", -+ PK11_GetTokenName(slot)) < 0) -+ fatal("password_cb: asprintf failed"); -+ *output = read_passphrase(prompt, RP_ALLOW_STDIN); -+ } -+ -+ if (strcmp(*output, "") == 0) { -+ debug2("no passphrase given, ignoring slot"); -+ quit = 1; -+ goto cleanup; -+ } -+ -+ quit = 0; -+ -+ rv = PK11_Authenticate(slot, PR_TRUE, *output); -+ if (rv == SECSuccess) -+ return 0; -+ -+ switch (PORT_GetError()) { -+ case SEC_ERROR_BAD_PASSWORD: -+ debug2("Incorrect passphrase, try again..."); -+ break; -+ case SEC_ERROR_INVALID_ARGS: -+ case SEC_ERROR_BAD_DATA: -+ debug2("Invalid passphrase, try again..."); -+ break; -+#if HAVE_SEC_ERROR_LOCKED_PASSWORD -+ case SEC_ERROR_LOCKED_PASSWORD: -+ error("Unable to authenticate, token passphrase is locked"); -+ quit = 1; -+ break; -+#endif -+ default: -+ error("Failure while authenticating against token"); -+ quit = 1; -+ } -+ -+cleanup: -+ memset(*output, 0, strlen(*output)); -+ xfree(*output); -+ *output = NULL; -+ -+ /* No point in retrying the same password */ -+ if (password != 
NULL) -+ break; -+ -+ if (quit) -+ break; -+ } -+ -+ return -1; -+} -+ -+static Key ** -+nss_find_privkeys(const char *tokenname, const char *keyname, -+ char *password, int pwprompts) -+{ -+ Key *k = NULL; -+ Key **keys = NULL; -+ PK11SlotList *slots; -+ PK11SlotListElement *sle; -+ size_t allocated = 0; -+ size_t i = 0; -+ -+ if ((slots=PK11_FindSlotsByNames(NULL, NULL, tokenname, PR_TRUE)) == NULL) { -+ if (tokenname == NULL) { -+ debug("No NSS token found"); -+ } else { -+ debug("NSS token not found: %s", tokenname); -+ } -+ return NULL; -+ } -+ -+ for (sle = slots->head; sle; sle = sle->next) { -+ SECKEYPrivateKeyList *list; -+ SECKEYPrivateKeyListNode *node; -+ char *tmppass; -+ -+ if (nss_authenticate(sle->slot, password, pwprompts, &tmppass) == -1) -+ break; -+ -+ debug("Looking for: %s:%s", tokenname, keyname); -+ list = PK11_ListPrivKeysInSlot(sle->slot, (char *)keyname, -+ tmppass); -+ if (list == NULL && keyname != NULL) { -+ char *fooname; -+ /* NSS bug workaround */ -+ if (asprintf(&fooname, "%s~", keyname) < 0) { -+ error("nss_find_privkey: asprintf failed"); -+ PK11_FreeSlotList(slots); -+ return NULL; -+ } -+ list = PK11_ListPrivKeysInSlot(sle->slot, fooname, -+ tmppass); -+ free(fooname); -+ } -+ if (list == NULL && keyname != NULL) { -+ CERTCertificate *cert; -+ SECKEYPrivateKey *privk; -+ cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), -+ (char *)keyname); -+ if (cert == NULL) -+ goto cleanup; -+ privk = PK11_FindPrivateKeyFromCert(sle->slot, cert, tmppass); -+ CERT_DestroyCertificate(cert); -+ if (privk == NULL) -+ goto cleanup; -+ if ((k=make_key_from_privkey(privk, tmppass)) != NULL) { -+ nss_convert_pubkey(k); -+ keys = add_key_to_list(k, keys, &i, &allocated); -+ } -+ SECKEY_DestroyPrivateKey(privk); -+ } else { -+ if (list == NULL) -+ goto cleanup; -+ for (node=PRIVKEY_LIST_HEAD(list); !PRIVKEY_LIST_END(node, list); -+ node=PRIVKEY_LIST_NEXT(node)) -+ if ((k=make_key_from_privkey(node->key, tmppass)) != NULL) { -+ 
nss_convert_pubkey(k); -+ keys = add_key_to_list(k, keys, &i, &allocated); -+ } -+ SECKEY_DestroyPrivateKeyList(list); -+ } -+cleanup: -+ if (tmppass != NULL) { -+ memset(tmppass, 0, strlen(tmppass)); -+ xfree(tmppass); -+ } -+ } -+ PK11_FreeSlotList(slots); -+ -+ return keys; -+} -+ -+Key ** -+nss_get_keys(const char *tokenname, const char *keyname, -+ char *password, int pwprompts, int num_modules, const char **modules) -+{ -+ int i; -+ Key **keys; -+ -+ if (nss_init(NULL) == -1) { -+ error("Failed to initialize NSS library"); -+ return NULL; -+ } -+ -+ for (i = 0;i < num_modules;i++) { -+ if (nss_load_module(modules[i]) == -1) { -+ error("Failed to load PKCS#11 module '%s'", modules[i]); -+ return NULL; -+ } -+ } -+ -+ keys = nss_find_privkeys(tokenname, keyname, password, pwprompts); -+ if (keys == NULL && keyname != NULL) { -+ error("Cannot find key in nss, token removed"); -+ return NULL; -+ } -+#if 0 -+ keys = xcalloc(3, sizeof(Key *)); -+ -+ if (k->type == KEY_RSA) { -+ n = key_new_nss_copy(KEY_RSA1, k); -+ -+ keys[0] = n; -+ keys[1] = k; -+ keys[2] = NULL; -+ } else { -+ keys[0] = k; -+ keys[1] = NULL; -+ } -+#endif -+ return keys; -+} -+ -+char * -+nss_get_key_label(Key *key) -+{ -+ char *label, *nickname; -+ -+ nickname = PK11_GetPrivateKeyNickname(key->nss->privk); -+ label = xstrdup(nickname); -+ PORT_Free(nickname); -+ -+ return label; -+} -+ -+#endif /* HAVE_LIBNSS */ -diff -up /dev/null openssh-5.3p1/nsskeys.h ---- /dev/null 2009-11-27 11:08:21.619709673 +0100 -+++ openssh-5.3p1/nsskeys.h 2009-11-27 13:43:01.000000000 +0100 -@@ -0,0 +1,39 @@ -+/* -+ * Copyright (c) 2001 Markus Friedl. All rights reserved. -+ * Copyright (c) 2007 Red Hat, Inc. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. 
Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-+ */ -+ -+#ifndef NSSKEYS_H -+#define NSSKEYS_H -+#ifdef HAVE_LIBNSS -+#include -+#include -+ -+int nss_init(PK11PasswordFunc); -+Key **nss_get_keys(const char *, const char *, char *, int , int , const char **); -+char *nss_get_key_label(Key *); -+/*void sc_close(void);*/ -+/*int sc_put_key(Key *, const char *);*/ -+ -+#endif -+#endif -diff -up openssh-5.3p1/readconf.c.nss-keys openssh-5.3p1/readconf.c ---- openssh-5.3p1/readconf.c.nss-keys 2009-07-05 23:12:27.000000000 +0200 -+++ openssh-5.3p1/readconf.c 2009-11-27 13:43:01.000000000 +0100 -@@ -124,6 +124,7 @@ typedef enum { - oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, - oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, - oHostKeyAlgorithms, oBindAddress, oSmartcardDevice, -+ oUseNSS, oNSSToken, oNSSModule, - oClearAllForwardings, oNoHostAuthenticationForLocalhost, - oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, - oAddressFamily, oGssAuthentication, oGssDelegateCreds, -@@ -210,6 +211,15 @@ static struct { - #else - { "smartcarddevice", oUnsupported }, - #endif -+#ifdef HAVE_LIBNSS -+ { "usenss", oUseNSS }, -+ { "nsstoken", oNSSToken }, -+ { "nssmodule", oNSSModule }, -+#else -+ { "usenss", oUnsupported }, -+ { "nsstoken", oNSSToken }, -+ { "nssmodule", oUnsupported }, -+#endif - { "clearallforwardings", oClearAllForwardings }, - { "enablesshkeysign", oEnableSSHKeysign }, - { "verifyhostkeydns", oVerifyHostKeyDNS }, -@@ -613,6 +623,28 @@ parse_string: - charptr = &options->smartcard_device; - goto parse_string; - -+ case oUseNSS: -+ intptr = &options->use_nss; -+ goto parse_flag; -+ -+ case oNSSToken: -+ charptr = &options->nss_token; -+ goto parse_command; -+ -+ case oNSSModule: -+ arg = strdelim(&s); -+ if (!arg || *arg == '\0') -+ fatal("%.200s line %d: Missing argument.", filename, linenum); -+ if (*activep) { -+ intptr = &options->num_nss_modules; -+ if (*intptr >= SSH_MAX_NSS_MODULES) -+ fatal("%.200s line %d: Too many PKCS#11 modules 
specified (max %d).", -+ filename, linenum, SSH_MAX_NSS_MODULES); -+ charptr = &options->nss_modules[*intptr]; -+ *charptr = xstrdup(arg); -+ *intptr = *intptr + 1; -+ } -+ break; - case oProxyCommand: - charptr = &options->proxy_command; - parse_command: -@@ -1052,6 +1084,9 @@ initialize_options(Options * options) - options->preferred_authentications = NULL; - options->bind_address = NULL; - options->smartcard_device = NULL; -+ options->use_nss = -1; -+ options->nss_token = NULL; -+ options->num_nss_modules = 0; - options->enable_ssh_keysign = - 1; - options->no_host_authentication_for_localhost = - 1; - options->identities_only = - 1; -@@ -1183,6 +1218,8 @@ fill_default_options(Options * options) - options->no_host_authentication_for_localhost = 0; - if (options->identities_only == -1) - options->identities_only = 0; -+ if (options->use_nss == -1) -+ options->use_nss = 0; - if (options->enable_ssh_keysign == -1) - options->enable_ssh_keysign = 0; - if (options->rekey_limit == -1) -diff -up openssh-5.3p1/readconf.h.nss-keys openssh-5.3p1/readconf.h ---- openssh-5.3p1/readconf.h.nss-keys 2009-07-05 23:12:27.000000000 +0200 -+++ openssh-5.3p1/readconf.h 2009-11-27 13:43:01.000000000 +0100 -@@ -85,6 +85,10 @@ typedef struct { - char *preferred_authentications; - char *bind_address; /* local socket address for connection to sshd */ - char *smartcard_device; /* Smartcard reader device */ -+ int use_nss; /* Use NSS library for keys */ -+ char *nss_token; /* Look for NSS keys on token */ -+ int num_nss_modules; /* Number of PCKS#11 modules. */ -+ char *nss_modules[SSH_MAX_NSS_MODULES]; - int verify_host_key_dns; /* Verify host key using DNS */ - - int num_identity_files; /* Number of files for RSA/DSA identities. 
*/ -diff -up openssh-5.3p1/ssh-add.c.nss-keys openssh-5.3p1/ssh-add.c ---- openssh-5.3p1/ssh-add.c.nss-keys 2008-02-28 09:13:52.000000000 +0100 -+++ openssh-5.3p1/ssh-add.c 2009-11-27 13:43:01.000000000 +0100 -@@ -44,6 +44,14 @@ - #include - #include "openbsd-compat/openssl-compat.h" - -+#ifdef HAVE_LIBNSS -+#include -+#include -+#include -+#include -+#include -+#endif -+ - #include - #include - #include -@@ -57,6 +65,7 @@ - #include "rsa.h" - #include "log.h" - #include "key.h" -+#include "nsskeys.h" - #include "buffer.h" - #include "authfd.h" - #include "authfile.h" -@@ -307,6 +316,128 @@ do_file(AuthenticationConnection *ac, in - return 0; - } - -+#ifdef HAVE_LIBNSS -+static char * -+password_cb(PK11SlotInfo *slot, PRBool retry, void *arg) -+{ -+ char **passcache = arg; -+ char *password, *p2 = NULL; -+ char *prompt; -+ -+ if (retry) -+ return NULL; -+ -+ if (asprintf(&prompt, "Enter passphrase for token %s: ", -+ PK11_GetTokenName(slot)) < 0) -+ fatal("password_cb: asprintf failed"); -+ -+ password = read_passphrase(prompt, RP_ALLOW_STDIN); -+ -+ if (password != NULL && (p2=PL_strdup(password)) == NULL) { -+ memset(password, 0, strlen(password)); -+ fatal("password_cb: PL_strdup failed"); -+ } -+ -+ if (passcache != NULL) { -+ if (*passcache != NULL) { -+ memset(*passcache, 0, strlen(*passcache)); -+ xfree(*passcache); -+ } -+ *passcache = password; -+ } else { -+ memset(password, 0, strlen(password)); -+ xfree(password); -+ } -+ -+ return p2; -+} -+ -+static int -+add_slot_keys(AuthenticationConnection *ac, PK11SlotInfo *slot, int add) -+{ -+ SECKEYPrivateKeyList *list; -+ SECKEYPrivateKeyListNode *node; -+ char *passcache = NULL; -+ char *tokenname; -+ char **xkeyname = NULL; -+ -+ int count = 0; -+ int i; -+ -+ if (PK11_NeedLogin(slot)) -+ PK11_Authenticate(slot, PR_TRUE, &passcache); -+ -+ if ((list=PK11_ListPrivKeysInSlot(slot, NULL, NULL)) == NULL) { -+ return 0; -+ } -+ -+ tokenname = PK11_GetTokenName(slot); -+ -+ for (node=PRIVKEY_LIST_HEAD(list); 
!PRIVKEY_LIST_END(node, list); -+ node=PRIVKEY_LIST_NEXT(node)) { -+ char *keyname; -+ SECKEYPublicKey *pub; -+ -+ keyname = PK11_GetPrivateKeyNickname(node->key); -+ if (keyname == NULL || *keyname == '\0') { -+ /* no nickname to refer to */ -+ CERTCertificate *cert; -+ char *kn; -+ cert = PK11_GetCertFromPrivateKey(node->key); -+ if (cert == NULL) -+ continue; -+ kn = strchr(cert->nickname, ':'); -+ if (kn == NULL) -+ kn = cert->nickname; -+ else -+ kn++; -+ keyname = PORT_Strdup(kn); -+ CERT_DestroyCertificate(cert); -+ if (keyname == NULL) -+ continue; -+ } -+ pub = SECKEY_ConvertToPublicKey(node->key); -+ if (pub == NULL) { -+ fprintf(stderr, "No public key for: %s:%s\n", -+ tokenname, keyname); -+ continue; /* not possible to obtain public key */ -+ } -+ SECKEY_DestroyPublicKey(pub); -+ -+ if ((count % 10) == 0) -+ xkeyname = xrealloc (xkeyname, count + 10, sizeof (char *)); -+ -+ xkeyname[count++] = keyname; -+ } -+ -+ PK11_Logout(slot); -+ -+ for (i = 0; i < count; i++) { -+ if (ssh_update_nss_key(ac, add, tokenname, xkeyname[i], -+ passcache?passcache:"", lifetime, confirm)) { -+ fprintf(stderr, "Key %s: %s:%s\n", -+ add?"added":"removed", tokenname, xkeyname[i]); -+ } else { -+ fprintf(stderr, "Could not %s key: %s:%s\n", -+ add?"add":"remove", tokenname, xkeyname[i]); -+ } -+ PORT_Free(xkeyname[i]); -+ } -+ -+ if (xkeyname != NULL) -+ free (xkeyname); -+ -+ if (passcache != NULL) { -+ memset(passcache, 0, strlen(passcache)); -+ xfree(passcache); -+ } -+ -+ SECKEY_DestroyPrivateKeyList(list); -+ -+ return count; -+} -+#endif -+ - static void - usage(void) - { -@@ -334,6 +465,10 @@ main(int argc, char **argv) - AuthenticationConnection *ac = NULL; - char *sc_reader_id = NULL; - int i, ch, deleting = 0, ret = 0; -+#ifdef HAVE_LIBNSS -+ char *token_id = NULL; -+ int use_nss = 0; -+#endif - - /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ - sanitise_stdfd(); -@@ -351,7 +486,7 @@ main(int argc, char **argv) - "Could not open a connection to 
your authentication agent.\n"); - exit(2); - } -- while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:")) != -1) { -+ while ((ch = getopt(argc, argv, "lLcdDnxXe:s:t:T:")) != -1) { - switch (ch) { - case 'l': - case 'L': -@@ -373,6 +508,11 @@ main(int argc, char **argv) - if (delete_all(ac) == -1) - ret = 1; - goto done; -+#ifdef HAVE_LIBNSS -+ case 'n': -+ use_nss = 1; -+ break; -+#endif - case 's': - sc_reader_id = optarg; - break; -@@ -387,6 +527,11 @@ main(int argc, char **argv) - goto done; - } - break; -+#ifdef HAVE_LIBNSS -+ case 'T': -+ token_id = optarg; -+ break; -+#endif - default: - usage(); - ret = 1; -@@ -400,6 +545,40 @@ main(int argc, char **argv) - ret = 1; - goto done; - } -+#ifdef HAVE_LIBNSS -+ if (use_nss) { -+ PK11SlotList *slots; -+ PK11SlotListElement *sle; -+ int count = 0; -+ if (nss_init(password_cb) == -1) { -+ fprintf(stderr, "Failed to initialize NSS library\n"); -+ ret = 1; -+ goto done; -+ } -+ -+ if ((slots=PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE, -+ NULL)) == NULL) { -+ fprintf(stderr, "No tokens found\n"); -+ ret = 1; -+ goto nss_done; -+ } -+ -+ for (sle = slots->head; sle; sle = sle->next) { -+ int rv; -+ if ((rv=add_slot_keys(ac, sle->slot, !deleting)) == -1) { -+ ret = 1; -+ } -+ count += rv; -+ } -+ if (count == 0) { -+ ret = 1; -+ } -+nss_done: -+ NSS_Shutdown(); -+ clear_pass(); -+ goto done; -+ } -+#endif - if (argc == 0) { - char buf[MAXPATHLEN]; - struct passwd *pw; -diff -up openssh-5.3p1/ssh-agent.c.nss-keys openssh-5.3p1/ssh-agent.c ---- openssh-5.3p1/ssh-agent.c.nss-keys 2009-06-21 09:50:15.000000000 +0200 -+++ openssh-5.3p1/ssh-agent.c 2009-11-27 13:43:01.000000000 +0100 -@@ -80,6 +80,10 @@ - #include "scard.h" - #endif - -+#ifdef HAVE_LIBNSS -+#include "nsskeys.h" -+#endif -+ - #if defined(HAVE_SYS_PRCTL_H) - #include /* For prctl() and PR_SET_DUMPABLE */ - #endif -@@ -714,6 +718,114 @@ send: - } - #endif /* SMARTCARD */ - -+#ifdef HAVE_LIBNSS -+static void -+process_add_nss_key (SocketEntry *e) -+{ -+ 
char *tokenname = NULL, *keyname = NULL, *password = NULL; -+ int i, version, success = 0, death = 0, confirm = 0; -+ Key **keys, *k; -+ Identity *id; -+ Idtab *tab; -+ -+ tokenname = buffer_get_string(&e->request, NULL); -+ keyname = buffer_get_string(&e->request, NULL); -+ password = buffer_get_string(&e->request, NULL); -+ -+ while (buffer_len(&e->request)) { -+ switch (buffer_get_char(&e->request)) { -+ case SSH_AGENT_CONSTRAIN_LIFETIME: -+ death = time(NULL) + buffer_get_int(&e->request); -+ break; -+ case SSH_AGENT_CONSTRAIN_CONFIRM: -+ confirm = 1; -+ break; -+ default: -+ break; -+ } -+ } -+ if (lifetime && !death) -+ death = time(NULL) + lifetime; -+ -+ keys = nss_get_keys(tokenname, keyname, password, 1, 0, NULL); -+ /* password is owned by keys[0] now */ -+ xfree(tokenname); -+ xfree(keyname); -+ -+ if (keys == NULL) { -+ memset(password, 0, strlen(password)); -+ xfree(password); -+ error("nss_get_keys failed"); -+ goto send; -+ } -+ for (i = 0; keys[i] != NULL; i++) { -+ k = keys[i]; -+ version = k->type == KEY_RSA1 ? 1 : 2; -+ tab = idtab_lookup(version); -+ if (lookup_identity(k, version) == NULL) { -+ id = xmalloc(sizeof(Identity)); -+ id->key = k; -+ id->comment = nss_get_key_label(k); -+ id->death = death; -+ id->confirm = confirm; -+ TAILQ_INSERT_TAIL(&tab->idlist, id, next); -+ tab->nentries++; -+ success = 1; -+ } else { -+ key_free(k); -+ } -+ keys[i] = NULL; -+ } -+ xfree(keys); -+send: -+ buffer_put_int(&e->output, 1); -+ buffer_put_char(&e->output, -+ success ? 
SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE); -+} -+ -+static void -+process_remove_nss_key(SocketEntry *e) -+{ -+ char *tokenname = NULL, *keyname = NULL, *password = NULL; -+ int i, version, success = 0; -+ Key **keys, *k = NULL; -+ Identity *id; -+ Idtab *tab; -+ -+ tokenname = buffer_get_string(&e->request, NULL); -+ keyname = buffer_get_string(&e->request, NULL); -+ password = buffer_get_string(&e->request, NULL); -+ -+ keys = nss_get_keys(tokenname, keyname, password, 1, 0, NULL); -+ xfree(tokenname); -+ xfree(keyname); -+ xfree(password); -+ -+ if (keys == NULL || keys[0] == NULL) { -+ error("nss_get_keys failed"); -+ goto send; -+ } -+ for (i = 0; keys[i] != NULL; i++) { -+ k = keys[i]; -+ version = k->type == KEY_RSA1 ? 1 : 2; -+ if ((id = lookup_identity(k, version)) != NULL) { -+ tab = idtab_lookup(version); -+ TAILQ_REMOVE(&tab->idlist, id, next); -+ tab->nentries--; -+ free_identity(id); -+ success = 1; -+ } -+ key_free(k); -+ keys[i] = NULL; -+ } -+ xfree(keys); -+send: -+ buffer_put_int(&e->output, 1); -+ buffer_put_char(&e->output, -+ success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE); -+} -+#endif /* HAVE_LIBNSS */ -+ - /* dispatch incoming messages */ - - static void -@@ -806,6 +918,15 @@ process_message(SocketEntry *e) - process_remove_smartcard_key(e); - break; - #endif /* SMARTCARD */ -+#ifdef HAVE_LIBNSS -+ case SSH_AGENTC_ADD_NSS_KEY: -+ case SSH_AGENTC_ADD_NSS_KEY_CONSTRAINED: -+ process_add_nss_key(e); -+ break; -+ case SSH_AGENTC_REMOVE_NSS_KEY: -+ process_remove_nss_key(e); -+ break; -+#endif /* SMARTCARD */ - default: - /* Unknown message. Respond with failure. 
*/ - error("Unknown message %d", type); -diff -up openssh-5.3p1/ssh.c.nss-keys openssh-5.3p1/ssh.c ---- openssh-5.3p1/ssh.c.nss-keys 2009-07-05 23:16:56.000000000 +0200 -+++ openssh-5.3p1/ssh.c 2009-11-27 13:43:01.000000000 +0100 -@@ -105,6 +105,9 @@ - #ifdef SMARTCARD - #include "scard.h" - #endif -+#ifdef HAVE_LIBNSS -+#include "nsskeys.h" -+#endif - - extern char *__progname; - -@@ -1234,9 +1237,11 @@ load_public_identity_files(void) - int i = 0; - Key *public; - struct passwd *pw; --#ifdef SMARTCARD -+#if defined(SMARTCARD) || defined(HAVE_LIBNSS) - Key **keys; -+#endif - -+#ifdef SMARTCARD - if (options.smartcard_device != NULL && - options.num_identity_files < SSH_MAX_IDENTITY_FILES && - (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL) { -@@ -1259,6 +1264,29 @@ load_public_identity_files(void) - xfree(keys); - } - #endif /* SMARTCARD */ -+#ifdef HAVE_LIBNSS -+ if (options.use_nss && -+ options.num_identity_files < SSH_MAX_IDENTITY_FILES && -+ (keys = nss_get_keys(options.nss_token, NULL, NULL, -+ options.number_of_password_prompts, options.num_nss_modules, -+ options.nss_modules)) != NULL) { -+ int count; -+ for (count = 0; keys[count] != NULL; count++) { -+ memmove(&options.identity_files[1], &options.identity_files[0], -+ sizeof(char *) * (SSH_MAX_IDENTITY_FILES - 1)); -+ memmove(&options.identity_keys[1], &options.identity_keys[0], -+ sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1)); -+ options.num_identity_files++; -+ options.identity_keys[0] = keys[count]; -+ options.identity_files[0] = nss_get_key_label(keys[count]); -+ } -+ if (options.num_identity_files > SSH_MAX_IDENTITY_FILES) -+ options.num_identity_files = SSH_MAX_IDENTITY_FILES; -+ i += count; -+ xfree(keys); -+ } -+#endif /* HAVE_LIBNSS */ -+ - if ((pw = getpwuid(original_real_uid)) == NULL) - fatal("load_public_identity_files: getpwuid failed"); - pwname = xstrdup(pw->pw_name); -diff -up openssh-5.3p1/ssh-dss.c.nss-keys openssh-5.3p1/ssh-dss.c ---- openssh-5.3p1/ssh-dss.c.nss-keys 
2006-11-07 13:14:42.000000000 +0100 -+++ openssh-5.3p1/ssh-dss.c 2009-11-27 13:43:01.000000000 +0100 -@@ -39,6 +39,10 @@ - #include "log.h" - #include "key.h" - -+#ifdef HAVE_LIBNSS -+#include -+#endif -+ - #define INTBLOB_LEN 20 - #define SIGBLOB_LEN (2*INTBLOB_LEN) - -@@ -57,6 +61,34 @@ ssh_dss_sign(const Key *key, u_char **si - error("ssh_dss_sign: no DSA key"); - return -1; - } -+#ifdef HAVE_LIBNSS -+ if (key->flags & KEY_FLAG_NSS) { -+ SECItem sigitem; -+ SECItem *rawsig; -+ -+ memset(&sigitem, 0, sizeof(sigitem)); -+ if (SEC_SignData(&sigitem, (u_char *)data, datalen, key->nss->privk, -+ SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) != SECSuccess) { -+ error("ssh_dss_sign: sign failed"); -+ return -1; -+ } -+ -+ if ((rawsig=DSAU_DecodeDerSig(&sigitem)) == NULL) { -+ error("ssh_dss_sign: der decode failed"); -+ SECITEM_ZfreeItem(&sigitem, PR_FALSE); -+ return -1; -+ } -+ SECITEM_ZfreeItem(&sigitem, PR_FALSE); -+ if (rawsig->len != SIGBLOB_LEN) { -+ error("ssh_dss_sign: unsupported signature length %d", -+ rawsig->len); -+ SECITEM_ZfreeItem(rawsig, PR_TRUE); -+ return -1; -+ } -+ memcpy(sigblob, rawsig->data, SIGBLOB_LEN); -+ SECITEM_ZfreeItem(rawsig, PR_TRUE); -+ } else { -+#endif - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, data, datalen); - EVP_DigestFinal(&md, digest, &dlen); -@@ -80,7 +112,9 @@ ssh_dss_sign(const Key *key, u_char **si - BN_bn2bin(sig->r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen); - BN_bn2bin(sig->s, sigblob+ SIGBLOB_LEN - slen); - DSA_SIG_free(sig); -- -+#ifdef HAVE_LIBNSS -+ } -+#endif - if (datafellows & SSH_BUG_SIGBLOB) { - if (lenp != NULL) - *lenp = SIGBLOB_LEN; -diff -up openssh-5.3p1/ssh.h.nss-keys openssh-5.3p1/ssh.h ---- openssh-5.3p1/ssh.h.nss-keys 2006-08-05 04:39:41.000000000 +0200 -+++ openssh-5.3p1/ssh.h 2009-11-27 13:43:01.000000000 +0100 -@@ -28,6 +28,12 @@ - #define SSH_MAX_IDENTITY_FILES 100 - - /* -+ * Maximum number of PKCS#11 modules that can be specified in configuration -+ * files or on the command line. 
-+ */ -+#define SSH_MAX_NSS_MODULES 10 -+ -+/* - * Maximum length of lines in authorized_keys file. - * Current value permits 16kbit RSA and RSA1 keys and 8kbit DSA keys, with - * some room for options and comments. -diff -up openssh-5.3p1/ssh-keygen.c.nss-keys openssh-5.3p1/ssh-keygen.c ---- openssh-5.3p1/ssh-keygen.c.nss-keys 2009-06-22 08:11:07.000000000 +0200 -+++ openssh-5.3p1/ssh-keygen.c 2009-11-27 13:43:01.000000000 +0100 -@@ -53,6 +53,11 @@ - #include "scard.h" - #endif - -+#ifdef HAVE_LIBNSS -+#include -+#include "nsskeys.h" -+#endif -+ - /* Number of bits in the RSA/DSA key. This value can be set on the command line. */ - #define DEFAULT_BITS 2048 - #define DEFAULT_BITS_DSA 1024 -@@ -501,6 +506,26 @@ do_download(struct passwd *pw, const cha - } - #endif /* SMARTCARD */ - -+#ifdef HAVE_LIBNSS -+static void -+do_nss_download(struct passwd *pw, const char *tokenname, const char *keyname) -+{ -+ Key **keys = NULL; -+ int i; -+ -+ keys = nss_get_keys(tokenname, keyname, NULL, 1, 0, NULL); -+ if (keys == NULL) -+ fatal("cannot find public key in NSS"); -+ for (i = 0; keys[i]; i++) { -+ key_write(keys[i], stdout); -+ key_free(keys[i]); -+ fprintf(stdout, "\n"); -+ } -+ xfree(keys); -+ exit(0); -+} -+#endif /* HAVE_LIBNSS */ -+ - static void - do_fingerprint(struct passwd *pw) - { -@@ -1083,7 +1108,8 @@ main(int argc, char **argv) - Key *private, *public; - struct passwd *pw; - struct stat st; -- int opt, type, fd, download = 0; -+ int opt, type, fd, download = 1; -+ int use_nss = 0; - u_int32_t memory = 0, generator_wanted = 0, trials = 100; - int do_gen_candidates = 0, do_screen_candidates = 0; - BIGNUM *start = NULL; -@@ -1116,7 +1142,7 @@ main(int argc, char **argv) - } - - while ((opt = getopt(argc, argv, -- "degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) { -+ "degiqpclnBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) { - switch (opt) { - case 'b': - bits = (u_int32_t)strtonum(optarg, 768, 32768, &errstr); -@@ -1156,6 +1182,10 @@ main(int 
argc, char **argv) - case 'g': - print_generic = 1; - break; -+ case 'n': -+ use_nss = 1; -+ download = 1; -+ break; - case 'P': - identity_passphrase = optarg; - break; -@@ -1187,10 +1217,10 @@ main(int argc, char **argv) - case 't': - key_type_name = optarg; - break; -- case 'D': -- download = 1; -- /*FALLTHROUGH*/ - case 'U': -+ download = 0; -+ /*FALLTHROUGH*/ -+ case 'D': - reader_id = optarg; - break; - case 'v': -@@ -1299,6 +1329,17 @@ main(int argc, char **argv) - exit(0); - } - } -+ -+ if (use_nss) { -+#ifdef HAVE_LIBNSS -+ if (download) -+ do_nss_download(pw, reader_id, identity_file); -+ else -+ fatal("no support for NSS key upload."); -+#else -+ fatal("no support for NSS keys."); -+#endif -+ } - if (reader_id != NULL) { - #ifdef SMARTCARD - if (download) -diff -up openssh-5.3p1/ssh-rsa.c.nss-keys openssh-5.3p1/ssh-rsa.c ---- openssh-5.3p1/ssh-rsa.c.nss-keys 2006-09-01 07:38:37.000000000 +0200 -+++ openssh-5.3p1/ssh-rsa.c 2009-11-27 13:43:01.000000000 +0100 -@@ -32,6 +32,10 @@ - #include "compat.h" - #include "ssh.h" - -+#ifdef HAVE_LIBNSS -+#include -+#endif -+ - static int openssh_RSA_verify(int, u_char *, u_int, u_char *, u_int, RSA *); - - /* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */ -@@ -50,6 +54,38 @@ ssh_rsa_sign(const Key *key, u_char **si - error("ssh_rsa_sign: no RSA key"); - return -1; - } -+ -+ slen = RSA_size(key->rsa); -+ sig = xmalloc(slen); -+ -+#ifdef HAVE_LIBNSS -+ if (key->flags & KEY_FLAG_NSS) { -+ SECItem sigitem; -+ SECOidTag alg; -+ -+ memset(&sigitem, 0, sizeof(sigitem)); -+ alg = (datafellows & SSH_BUG_RSASIGMD5) ? 
-+ SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION : -+ SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION; -+ -+ if (SEC_SignData(&sigitem, (u_char *)data, datalen, key->nss->privk, -+ alg) != SECSuccess) { -+ error("ssh_rsa_sign: sign failed"); -+ return -1; -+ } -+ if (sigitem.len > slen) { -+ error("ssh_rsa_sign: slen %u slen2 %u", slen, sigitem.len); -+ xfree(sig); -+ SECITEM_ZfreeItem(&sigitem, PR_FALSE); -+ return -1; -+ } -+ if (sigitem.len < slen) { -+ memset(sig, 0, slen - sigitem.len); -+ } -+ memcpy(sig+slen-sigitem.len, sigitem.data, sigitem.len); -+ SECITEM_ZfreeItem(&sigitem, PR_FALSE); -+ } else { -+#endif - nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1; - if ((evp_md = EVP_get_digestbynid(nid)) == NULL) { - error("ssh_rsa_sign: EVP_get_digestbynid %d failed", nid); -@@ -59,9 +95,6 @@ ssh_rsa_sign(const Key *key, u_char **si - EVP_DigestUpdate(&md, data, datalen); - EVP_DigestFinal(&md, digest, &dlen); - -- slen = RSA_size(key->rsa); -- sig = xmalloc(slen); -- - ok = RSA_sign(nid, digest, dlen, sig, &len, key->rsa); - memset(digest, 'd', sizeof(digest)); - -@@ -83,6 +116,9 @@ ssh_rsa_sign(const Key *key, u_char **si - xfree(sig); - return -1; - } -+#ifdef HAVE_LIBNSS -+ } -+#endif - /* encode signature */ - buffer_init(&b); - buffer_put_cstring(&b, "ssh-rsa"); diff --git a/openssh-5.3p1-fips.patch b/openssh-5.4p1-fips.patch similarity index 78% rename from openssh-5.3p1-fips.patch rename to openssh-5.4p1-fips.patch index 01a715c..943ab0f 100644 --- a/openssh-5.3p1-fips.patch +++ b/openssh-5.4p1-fips.patch 
@@ -1,15 +1,15 @@ -diff -up openssh-5.3p1/auth2-pubkey.c.fips openssh-5.3p1/auth2-pubkey.c ---- openssh-5.3p1/auth2-pubkey.c.fips 2009-10-02 14:12:00.000000000 +0200 -+++ openssh-5.3p1/auth2-pubkey.c 2009-10-02 14:12:00.000000000 +0200 -@@ -33,6 +33,7 @@ - #include - #include +diff -up openssh-5.4p1/auth2-pubkey.c.fips openssh-5.4p1/auth2-pubkey.c +--- openssh-5.4p1/auth2-pubkey.c.fips 2010-03-01 17:55:26.000000000 +0100 ++++ openssh-5.4p1/auth2-pubkey.c 2010-03-01 17:57:56.000000000 +0100 +@@ -35,6 +35,7 @@ + #include + #include #include +#include #include "xmalloc.h" #include "ssh.h" -@@ -240,7 +241,7 @@ user_key_allowed2(struct passwd *pw, Key +@@ -269,7 +270,7 @@ user_key_allowed2(struct passwd *pw, Key found_key = 1; debug("matching key found: file %s, line %lu", file, linenum); @@ -18,10 +18,10 @@ diff -up openssh-5.3p1/auth2-pubkey.c.fips openssh-5.3p1/auth2-pubkey.c verbose("Found matching %s key: %s", key_type(found), fp); xfree(fp); -diff -up openssh-5.3p1/authfile.c.fips openssh-5.3p1/authfile.c ---- openssh-5.3p1/authfile.c.fips 2006-09-01 07:38:36.000000000 +0200 -+++ openssh-5.3p1/authfile.c 2009-10-02 14:12:00.000000000 +0200 -@@ -143,8 +143,14 @@ key_save_private_rsa1(Key *key, const ch +diff -up openssh-5.4p1/authfile.c.fips openssh-5.4p1/authfile.c +--- openssh-5.4p1/authfile.c.fips 2010-01-12 09:42:29.000000000 +0100 ++++ openssh-5.4p1/authfile.c 2010-03-01 17:55:28.000000000 +0100 +@@ -146,8 +146,14 @@ key_save_private_rsa1(Key *key, const ch /* Allocate space for the private part of the key in the buffer. */ cp = buffer_append_space(&encrypted, buffer_len(&buffer)); 
@@ -38,7 +38,7 @@ diff -up openssh-5.3p1/authfile.c.fips openssh-5.3p1/authfile.c cipher_crypt(&ciphercontext, cp, buffer_ptr(&buffer), buffer_len(&buffer)); cipher_cleanup(&ciphercontext); -@@ -414,8 +420,14 @@ key_load_private_rsa1(int fd, const char +@@ -421,8 +427,14 @@ key_load_private_rsa1(int fd, const char cp = buffer_append_space(&decrypted, buffer_len(&buffer)); /* Rest of the buffer is encrypted. Decrypt it using the passphrase. */ @@ -55,9 +55,9 @@ diff -up openssh-5.3p1/authfile.c.fips openssh-5.3p1/authfile.c cipher_crypt(&ciphercontext, cp, buffer_ptr(&buffer), buffer_len(&buffer)); cipher_cleanup(&ciphercontext); -diff -up openssh-5.3p1/cipher.c.fips openssh-5.3p1/cipher.c ---- openssh-5.3p1/cipher.c.fips 2009-10-02 13:44:03.000000000 +0200 -+++ openssh-5.3p1/cipher.c 2009-10-02 14:12:00.000000000 +0200 +diff -up openssh-5.4p1/cipher.c.fips openssh-5.4p1/cipher.c +--- openssh-5.4p1/cipher.c.fips 2010-03-01 15:09:22.000000000 +0100 ++++ openssh-5.4p1/cipher.c 2010-03-01 17:55:28.000000000 +0100 @@ -40,6 +40,7 @@ #include @@ -142,9 +142,9 @@ diff -up openssh-5.3p1/cipher.c.fips openssh-5.3p1/cipher.c } /* -diff -up openssh-5.3p1/cipher-ctr.c.fips openssh-5.3p1/cipher-ctr.c ---- openssh-5.3p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200 -+++ openssh-5.3p1/cipher-ctr.c 2009-10-02 14:12:00.000000000 +0200 +diff -up openssh-5.4p1/cipher-ctr.c.fips openssh-5.4p1/cipher-ctr.c +--- openssh-5.4p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200 ++++ openssh-5.4p1/cipher-ctr.c 2010-03-01 17:55:28.000000000 +0100 @@ -140,7 +140,8 @@ evp_aes_128_ctr(void) aes_ctr.do_cipher = ssh_aes_ctr; #ifndef SSH_OLD_EVP 
@@ -155,9 +155,9 @@ diff -up openssh-5.3p1/cipher-ctr.c.fips openssh-5.3p1/cipher-ctr.c #endif return (&aes_ctr); } -diff -up openssh-5.3p1/cipher.h.fips openssh-5.3p1/cipher.h ---- openssh-5.3p1/cipher.h.fips 2009-01-28 06:38:41.000000000 +0100 -+++ openssh-5.3p1/cipher.h 2009-10-02 14:12:00.000000000 +0200 +diff -up openssh-5.4p1/cipher.h.fips openssh-5.4p1/cipher.h +--- openssh-5.4p1/cipher.h.fips 2009-01-28 06:38:41.000000000 +0100 ++++ openssh-5.4p1/cipher.h 2010-03-01 17:55:28.000000000 +0100 @@ -78,7 +78,7 @@ void cipher_init(CipherContext *, Ciphe const u_char *, u_int, int); void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int); @@ -167,9 +167,9 @@ diff -up openssh-5.3p1/cipher.h.fips openssh-5.3p1/cipher.h u_int cipher_blocksize(const Cipher *); u_int cipher_keylen(const Cipher *); u_int cipher_is_cbc(const Cipher *); -diff -up openssh-5.3p1/mac.c.fips openssh-5.3p1/mac.c ---- openssh-5.3p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200 -+++ openssh-5.3p1/mac.c 2009-10-02 14:12:00.000000000 +0200 +diff -up openssh-5.4p1/mac.c.fips openssh-5.4p1/mac.c +--- openssh-5.4p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200 ++++ openssh-5.4p1/mac.c 2010-03-01 17:55:28.000000000 +0100 @@ -28,6 +28,7 @@ #include @@ -219,10 +219,10 @@ diff -up openssh-5.3p1/mac.c.fips openssh-5.3p1/mac.c for (i = 0; macs[i].name; i++) { if (strcmp(name, macs[i].name) == 0) { -diff -up openssh-5.3p1/Makefile.in.fips openssh-5.3p1/Makefile.in ---- openssh-5.3p1/Makefile.in.fips 2009-10-02 14:12:00.000000000 +0200 -+++ openssh-5.3p1/Makefile.in 2009-10-02 14:20:18.000000000 +0200 -@@ -136,28 +136,28 @@ libssh.a: $(LIBSSH_OBJS) +diff -up openssh-5.4p1/Makefile.in.fips openssh-5.4p1/Makefile.in +--- openssh-5.4p1/Makefile.in.fips 2010-02-24 08:18:51.000000000 +0100 ++++ openssh-5.4p1/Makefile.in 2010-03-01 17:55:28.000000000 +0100 +@@ -139,31 +139,31 @@ libssh.a: $(LIBSSH_OBJS) $(RANLIB) $@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) 
@@ -240,28 +240,31 @@ diff -up openssh-5.3p1/Makefile.in.fips openssh-5.3p1/Makefile.in - $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o -- $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o +- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o - $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o + ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o - $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o + $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o - $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) + $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -diff -up openssh-5.3p1/myproposal.h.fips openssh-5.3p1/myproposal.h ---- openssh-5.3p1/myproposal.h.fips 2009-01-28 06:33:31.000000000 +0100 -+++ openssh-5.3p1/myproposal.h 
2009-10-02 14:12:00.000000000 +0200 -@@ -53,7 +53,12 @@ +diff -up openssh-5.4p1/myproposal.h.fips openssh-5.4p1/myproposal.h +--- openssh-5.4p1/myproposal.h.fips 2010-02-26 21:55:05.000000000 +0100 ++++ openssh-5.4p1/myproposal.h 2010-03-01 17:55:28.000000000 +0100 +@@ -55,7 +55,12 @@ "hmac-sha1-96,hmac-md5-96" #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" #define KEX_DEFAULT_LANG "" @@ -275,23 +278,9 @@ diff -up openssh-5.3p1/myproposal.h.fips openssh-5.3p1/myproposal.h static char *myproposal[PROPOSAL_MAX] = { KEX_DEFAULT_KEX, -diff -up openssh-5.3p1/nsskeys.c.fips openssh-5.3p1/nsskeys.c ---- openssh-5.3p1/nsskeys.c.fips 2009-10-02 14:12:00.000000000 +0200 -+++ openssh-5.3p1/nsskeys.c 2009-10-02 14:12:00.000000000 +0200 -@@ -183,8 +183,8 @@ nss_convert_pubkey(Key *k) - break; - } - -- p = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX); -- debug("fingerprint %u %s", key_size(k), p); -+ p = key_fingerprint(k, SSH_FP_SHA1, SSH_FP_HEX); -+ debug("SHA1 fingerprint %u %s", key_size(k), p); - xfree(p); - - return 0; -diff -up openssh-5.3p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.3p1/openbsd-compat/bsd-arc4random.c ---- openssh-5.3p1/openbsd-compat/bsd-arc4random.c.fips 2008-06-04 02:54:00.000000000 +0200 -+++ openssh-5.3p1/openbsd-compat/bsd-arc4random.c 2009-10-02 14:12:00.000000000 +0200 +diff -up openssh-5.4p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.4p1/openbsd-compat/bsd-arc4random.c +--- openssh-5.4p1/openbsd-compat/bsd-arc4random.c.fips 2008-06-04 02:54:00.000000000 +0200 ++++ openssh-5.4p1/openbsd-compat/bsd-arc4random.c 2010-03-01 17:55:28.000000000 +0100 @@ -39,6 +39,7 @@ static int rc4_ready = 0; static RC4_KEY rc4; 
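Review bot: The rebased ssh-agent rule in the Makefile.in hunk drops ssh-pkcs11-client.o from the link command: the new patch now removes upstream's `$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)`, but the replacement it keeps adding is still the 5.3p1 line `$(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)`, even though the target's prerequisite list (also updated in this hunk) names ssh-pkcs11-client.o. Unless that object reaches the link some other way, ssh-agent will presumably fail to link with unresolved PKCS#11 client symbols once the patch is applied to 5.4p1. The added line should read `$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)`. The same hunk shows the new ssh-pkcs11-helper target linked without -lfipscheck while every other ssh binary gets it; if that is deliberate (as it appears to be for sftp-server), a short comment in the patch header saying which binaries are intentionally excluded from the FIPS self-check would save the next rebase from guessing.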
@@ -333,9 +322,9 @@ diff -up openssh-5.3p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.3p1/openbs #endif /* !HAVE_ARC4RANDOM */ #ifndef ARC4RANDOM_BUF -diff -up openssh-5.3p1/ssh-add.c.fips openssh-5.3p1/ssh-add.c ---- openssh-5.3p1/ssh-add.c.fips 2009-10-02 14:12:00.000000000 +0200 -+++ openssh-5.3p1/ssh-add.c 2009-10-02 14:12:00.000000000 +0200 +diff -up openssh-5.4p1/ssh-add.c.fips openssh-5.4p1/ssh-add.c +--- openssh-5.4p1/ssh-add.c.fips 2010-02-26 21:55:06.000000000 +0100 ++++ openssh-5.4p1/ssh-add.c 2010-03-01 17:55:28.000000000 +0100 @@ -42,6 +42,7 @@ #include @@ -343,8 +332,8 @@ diff -up openssh-5.3p1/ssh-add.c.fips openssh-5.3p1/ssh-add.c +#include #include "openbsd-compat/openssl-compat.h" - #ifdef HAVE_LIBNSS -@@ -254,7 +255,7 @@ list_identities(AuthenticationConnection + #include +@@ -270,7 +271,7 @@ list_identities(AuthenticationConnection key = ssh_get_next_identity(ac, &comment, version)) { had_identities = 1; if (do_fp) { @@ -353,9 +342,9 @@ diff -up openssh-5.3p1/ssh-add.c.fips openssh-5.3p1/ssh-add.c SSH_FP_HEX); printf("%d %s %s (%s)\n", key_size(key), fp, comment, key_type(key)); -diff -up openssh-5.3p1/ssh-agent.c.fips openssh-5.3p1/ssh-agent.c ---- openssh-5.3p1/ssh-agent.c.fips 2009-10-02 14:12:00.000000000 +0200 -+++ openssh-5.3p1/ssh-agent.c 2009-10-02 14:12:00.000000000 +0200 +diff -up openssh-5.4p1/ssh-agent.c.fips openssh-5.4p1/ssh-agent.c +--- openssh-5.4p1/ssh-agent.c.fips 2010-02-26 21:55:06.000000000 +0100 ++++ openssh-5.4p1/ssh-agent.c 2010-03-01 17:55:28.000000000 +0100 @@ -51,6 +51,7 @@ #include @@ -364,7 +353,7 @@ diff -up openssh-5.3p1/ssh-agent.c.fips openssh-5.3p1/ssh-agent.c #include "openbsd-compat/openssl-compat.h" #include -@@ -200,9 +201,9 @@ confirm_key(Identity *id) +@@ -199,9 +200,9 @@ confirm_key(Identity *id) char *p; int ret = -1; 
@@ -377,9 +366,9 @@ diff -up openssh-5.3p1/ssh-agent.c.fips openssh-5.3p1/ssh-agent.c ret = 0; xfree(p); -diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c ---- openssh-5.3p1/ssh.c.fips 2009-10-02 14:12:00.000000000 +0200 -+++ openssh-5.3p1/ssh.c 2009-10-02 14:12:00.000000000 +0200 +diff -up openssh-5.4p1/ssh.c.fips openssh-5.4p1/ssh.c +--- openssh-5.4p1/ssh.c.fips 2010-02-26 21:55:06.000000000 +0100 ++++ openssh-5.4p1/ssh.c 2010-03-01 17:55:28.000000000 +0100 @@ -72,6 +72,8 @@ #include @@ -389,7 +378,7 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c #include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/sys-queue.h" -@@ -221,6 +223,10 @@ main(int ac, char **av) +@@ -225,6 +227,10 @@ main(int ac, char **av) sanitise_stdfd(); __progname = ssh_get_progname(av[0]); @@ -400,8 +389,8 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c init_rng(); /* -@@ -281,6 +287,9 @@ main(int ac, char **av) - "ACD:F:I:KL:MNO:PR:S:TVw:XYy")) != -1) { +@@ -285,6 +291,9 @@ main(int ac, char **av) + "ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) { switch (opt) { case '1': + if (FIPS_mode()) { @@ -410,7 +399,7 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c options.protocol = SSH_PROTO_1; break; case '2': -@@ -552,7 +561,6 @@ main(int ac, char **av) +@@ -581,7 +590,6 @@ main(int ac, char **av) if (!host) usage(); @@ -418,7 +407,7 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c ERR_load_crypto_strings(); /* Initialize the command to execute on remote host. */ -@@ -638,6 +646,10 @@ main(int ac, char **av) +@@ -667,6 +675,10 @@ main(int ac, char **av) seed_rng(); @@ -429,7 +418,7 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c if (options.user == NULL) options.user = xstrdup(pw->pw_name); -@@ -704,6 +716,12 @@ main(int ac, char **av) +@@ -733,6 +745,12 @@ main(int ac, char **av) timeout_ms = options.connection_timeout * 1000; 
@@ -442,9 +431,9 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c /* Open a connection to the remote host. */ if (ssh_connect(host, &hostaddr, options.port, options.address_family, options.connection_attempts, &timeout_ms, -diff -up openssh-5.3p1/sshconnect2.c.fips openssh-5.3p1/sshconnect2.c ---- openssh-5.3p1/sshconnect2.c.fips 2009-10-02 14:12:00.000000000 +0200 -+++ openssh-5.3p1/sshconnect2.c 2009-10-02 14:12:00.000000000 +0200 +diff -up openssh-5.4p1/sshconnect2.c.fips openssh-5.4p1/sshconnect2.c +--- openssh-5.4p1/sshconnect2.c.fips 2010-03-01 17:55:28.000000000 +0100 ++++ openssh-5.4p1/sshconnect2.c 2010-03-01 17:55:29.000000000 +0100 @@ -44,6 +44,8 @@ #include #endif @@ -477,7 +466,7 @@ diff -up openssh-5.3p1/sshconnect2.c.fips openssh-5.3p1/sshconnect2.c if (options.hostkeyalgorithms != NULL) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = options.hostkeyalgorithms; -@@ -508,8 +518,8 @@ input_userauth_pk_ok(int type, u_int32_t +@@ -529,8 +539,8 @@ input_userauth_pk_ok(int type, u_int32_t key->type, pktype); goto done; } @@ -488,19 +477,19 @@ diff -up openssh-5.3p1/sshconnect2.c.fips openssh-5.3p1/sshconnect2.c xfree(fp); /* -diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c ---- openssh-5.3p1/sshconnect.c.fips 2009-10-02 14:12:00.000000000 +0200 -+++ openssh-5.3p1/sshconnect.c 2009-10-02 14:12:00.000000000 +0200 +diff -up openssh-5.4p1/sshconnect.c.fips openssh-5.4p1/sshconnect.c +--- openssh-5.4p1/sshconnect.c.fips 2010-02-26 21:55:06.000000000 +0100 ++++ openssh-5.4p1/sshconnect.c 2010-03-01 17:55:29.000000000 +0100 @@ -40,6 +40,8 @@ + #include #include - #include +#include + #include "xmalloc.h" #include "key.h" #include "hostfile.h" -@@ -763,6 +765,7 @@ check_host_key(char *hostname, struct so +@@ -789,6 +791,7 @@ check_host_key(char *hostname, struct so goto fail; } else if (options.strict_host_key_checking == 2) { char msg1[1024], msg2[1024]; 
@@ -508,7 +497,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c if (show_other_keys(host, host_key)) snprintf(msg1, sizeof(msg1), -@@ -771,8 +774,8 @@ check_host_key(char *hostname, struct so +@@ -797,8 +800,8 @@ check_host_key(char *hostname, struct so else snprintf(msg1, sizeof(msg1), "."); /* The default */ @@ -519,7 +508,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c SSH_FP_RANDOMART); msg2[0] = '\0'; if (options.verify_host_key_dns) { -@@ -788,10 +791,10 @@ check_host_key(char *hostname, struct so +@@ -814,10 +817,10 @@ check_host_key(char *hostname, struct so snprintf(msg, sizeof(msg), "The authenticity of host '%.200s (%s)' can't be " "established%s\n" @@ -532,7 +521,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c options.visual_host_key ? "\n" : "", options.visual_host_key ? ra : "", msg2); -@@ -1079,17 +1082,18 @@ show_key_from_file(const char *file, con +@@ -1131,17 +1134,18 @@ show_key_from_file(const char *file, con Key *found; char *fp, *ra; int line, ret; @@ -555,7 +544,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c xfree(ra); xfree(fp); } -@@ -1135,8 +1139,9 @@ warn_changed_key(Key *host_key) +@@ -1187,8 +1191,9 @@ warn_changed_key(Key *host_key) { char *fp; const char *type = key_type(host_key); @@ -566,7 +555,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @"); -@@ -1144,8 +1149,8 @@ warn_changed_key(Key *host_key) +@@ -1196,8 +1201,8 @@ warn_changed_key(Key *host_key) error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!"); error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); error("It is also possible that the %s host key has just been changed.", type); 
@@ -577,9 +566,9 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c error("Please contact your system administrator."); xfree(fp); -diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c ---- openssh-5.3p1/sshd.c.fips 2009-10-02 14:12:00.000000000 +0200 -+++ openssh-5.3p1/sshd.c 2009-10-02 14:12:00.000000000 +0200 +diff -up openssh-5.4p1/sshd.c.fips openssh-5.4p1/sshd.c +--- openssh-5.4p1/sshd.c.fips 2010-03-01 17:55:27.000000000 +0100 ++++ openssh-5.4p1/sshd.c 2010-03-01 17:55:29.000000000 +0100 @@ -76,6 +76,8 @@ #include #include @@ -589,7 +578,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c #include "openbsd-compat/openssl-compat.h" #ifdef HAVE_SECUREWARE -@@ -1261,6 +1263,12 @@ main(int ac, char **av) +@@ -1298,6 +1300,12 @@ main(int ac, char **av) (void)set_auth_parameters(ac, av); #endif __progname = ssh_get_progname(av[0]); @@ -602,7 +591,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c init_rng(); /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ -@@ -1413,8 +1421,6 @@ main(int ac, char **av) +@@ -1459,8 +1467,6 @@ main(int ac, char **av) else closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); @@ -611,7 +600,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c /* * Force logging to stderr until we have loaded the private host * key (unless started from inetd) -@@ -1532,6 +1538,10 @@ main(int ac, char **av) +@@ -1578,6 +1584,10 @@ main(int ac, char **av) debug("private host key: #%d type %d %s", i, key->type, key_type(key)); } @@ -622,7 +611,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { logit("Disabling protocol version 1. Could not load host key"); options.protocol &= ~SSH_PROTO_1; -@@ -1656,6 +1666,10 @@ main(int ac, char **av) +@@ -1742,6 +1752,10 @@ main(int ac, char **av) /* Initialize the random number generator. */ arc4random_stir(); 
@@ -633,7 +622,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c /* Chdir to the root directory so that the current disk can be unmounted if desired. */ chdir("/"); -@@ -2183,6 +2197,9 @@ do_ssh2_kex(void) +@@ -2274,6 +2288,9 @@ do_ssh2_kex(void) if (options.ciphers != NULL) { myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; @@ -643,7 +632,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c } myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); -@@ -2192,6 +2209,9 @@ do_ssh2_kex(void) +@@ -2283,6 +2300,9 @@ do_ssh2_kex(void) if (options.macs != NULL) { myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; @@ -653,9 +642,9 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c } if (options.compression == COMP_NONE) { myproposal[PROPOSAL_COMP_ALGS_CTOS] = -diff -up openssh-5.3p1/ssh-keygen.c.fips openssh-5.3p1/ssh-keygen.c ---- openssh-5.3p1/ssh-keygen.c.fips 2009-10-02 14:12:00.000000000 +0200 -+++ openssh-5.3p1/ssh-keygen.c 2009-10-02 14:12:00.000000000 +0200 +diff -up openssh-5.4p1/ssh-keygen.c.fips openssh-5.4p1/ssh-keygen.c +--- openssh-5.4p1/ssh-keygen.c.fips 2010-02-26 21:55:06.000000000 +0100 ++++ openssh-5.4p1/ssh-keygen.c 2010-03-01 17:55:29.000000000 +0100 @@ -21,6 +21,7 @@ #include @@ -664,7 +653,7 @@ diff -up openssh-5.3p1/ssh-keygen.c.fips openssh-5.3p1/ssh-keygen.c #include "openbsd-compat/openssl-compat.h" #include -@@ -537,7 +538,7 @@ do_fingerprint(struct passwd *pw) +@@ -524,7 +525,7 @@ do_fingerprint(struct passwd *pw) enum fp_type fptype; struct stat st; @@ -673,7 +662,7 @@ diff -up openssh-5.3p1/ssh-keygen.c.fips openssh-5.3p1/ssh-keygen.c rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; if (!have_identity) -@@ -1506,14 +1507,15 @@ passphrase_again: +@@ -1808,14 +1809,15 @@ passphrase_again: fclose(f); if (!quiet) { 
diff --git a/openssh-5.3p1-gsskex.patch b/openssh-5.4p1-gsskex.patch similarity index 90% rename from openssh-5.3p1-gsskex.patch rename to openssh-5.4p1-gsskex.patch index 0ff0d54..8a626a4 100644 --- a/openssh-5.3p1-gsskex.patch +++ b/openssh-5.4p1-gsskex.patch @@ -1,6 +1,6 @@ -diff -up openssh-5.3p1/auth2.c.gsskex openssh-5.3p1/auth2.c ---- openssh-5.3p1/auth2.c.gsskex 2009-11-20 14:38:55.000000000 +0100 -+++ openssh-5.3p1/auth2.c 2009-11-20 14:39:04.000000000 +0100 +diff -up openssh-5.4p1/auth2.c.gsskex openssh-5.4p1/auth2.c +--- openssh-5.4p1/auth2.c.gsskex 2010-03-01 18:14:24.000000000 +0100 ++++ openssh-5.4p1/auth2.c 2010-03-01 18:14:28.000000000 +0100 @@ -69,6 +69,7 @@ extern Authmethod method_passwd; extern Authmethod method_kbdint; extern Authmethod method_hostbased; @@ -35,9 +35,9 @@ diff -up openssh-5.3p1/auth2.c.gsskex openssh-5.3p1/auth2.c authctxt->failures++; if (authctxt->failures >= options.max_authtries) { #ifdef SSH_AUDIT_EVENTS -diff -up openssh-5.3p1/auth2-gss.c.gsskex openssh-5.3p1/auth2-gss.c ---- openssh-5.3p1/auth2-gss.c.gsskex 2009-11-20 14:38:55.000000000 +0100 -+++ openssh-5.3p1/auth2-gss.c 2009-11-20 14:39:04.000000000 +0100 +diff -up openssh-5.4p1/auth2-gss.c.gsskex openssh-5.4p1/auth2-gss.c +--- openssh-5.4p1/auth2-gss.c.gsskex 2010-03-01 18:14:24.000000000 +0100 ++++ openssh-5.4p1/auth2-gss.c 2010-03-01 18:14:28.000000000 +0100 @@ -1,7 +1,7 @@ /* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */ @@ -137,9 +137,9 @@ diff -up openssh-5.3p1/auth2-gss.c.gsskex openssh-5.3p1/auth2-gss.c Authmethod method_gssapi = { "gssapi-with-mic", userauth_gssapi, -diff -up openssh-5.3p1/auth.h.gsskex openssh-5.3p1/auth.h ---- openssh-5.3p1/auth.h.gsskex 2009-11-20 14:38:55.000000000 +0100 -+++ openssh-5.3p1/auth.h 2009-11-20 14:39:04.000000000 +0100 +diff -up openssh-5.4p1/auth.h.gsskex openssh-5.4p1/auth.h +--- openssh-5.4p1/auth.h.gsskex 2010-03-01 18:14:25.000000000 +0100 ++++ openssh-5.4p1/auth.h 2010-03-01 18:14:28.000000000 +0100 
@@ -53,6 +53,7 @@ struct Authctxt { int valid; /* user exists and is allowed to login */ int attempt; @@ -148,10 +148,10 @@ diff -up openssh-5.3p1/auth.h.gsskex openssh-5.3p1/auth.h int force_pwchange; char *user; /* username sent by the client */ char *service; -diff -up openssh-5.3p1/auth-krb5.c.gsskex openssh-5.3p1/auth-krb5.c ---- openssh-5.3p1/auth-krb5.c.gsskex 2006-08-05 04:39:39.000000000 +0200 -+++ openssh-5.3p1/auth-krb5.c 2009-11-20 14:39:04.000000000 +0100 -@@ -166,8 +166,13 @@ auth_krb5_password(Authctxt *authctxt, c +diff -up openssh-5.4p1/auth-krb5.c.gsskex openssh-5.4p1/auth-krb5.c +--- openssh-5.4p1/auth-krb5.c.gsskex 2009-12-21 00:49:22.000000000 +0100 ++++ openssh-5.4p1/auth-krb5.c 2010-03-01 18:14:28.000000000 +0100 +@@ -170,8 +170,13 @@ auth_krb5_password(Authctxt *authctxt, c len = strlen(authctxt->krb5_ticket_file) + 6; authctxt->krb5_ccname = xmalloc(len); @@ -165,7 +165,7 @@ diff -up openssh-5.3p1/auth-krb5.c.gsskex openssh-5.3p1/auth-krb5.c #ifdef USE_PAM if (options.use_pam) -@@ -219,15 +224,22 @@ krb5_cleanup_proc(Authctxt *authctxt) +@@ -226,15 +231,22 @@ krb5_cleanup_proc(Authctxt *authctxt) #ifndef HEIMDAL krb5_error_code ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { @@ -190,7 +190,7 @@ diff -up openssh-5.3p1/auth-krb5.c.gsskex openssh-5.3p1/auth-krb5.c old_umask = umask(0177); tmpfd = mkstemp(ccname + strlen("FILE:")); umask(old_umask); -@@ -242,6 +254,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_c +@@ -249,6 +261,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_c return errno; } close(tmpfd); 
@@ -198,9 +198,9 @@ diff -up openssh-5.3p1/auth-krb5.c.gsskex openssh-5.3p1/auth-krb5.c return (krb5_cc_resolve(ctx, ccname, ccache)); } -diff -up /dev/null openssh-5.3p1/ChangeLog.gssapi ---- /dev/null 2009-11-13 11:29:57.672908570 +0100 -+++ openssh-5.3p1/ChangeLog.gssapi 2009-11-20 14:39:04.000000000 +0100 +diff -up openssh-5.4p1/ChangeLog.gssapi.gsskex openssh-5.4p1/ChangeLog.gssapi +--- openssh-5.4p1/ChangeLog.gssapi.gsskex 2010-03-01 18:14:28.000000000 +0100 ++++ openssh-5.4p1/ChangeLog.gssapi 2010-03-01 18:14:28.000000000 +0100 @@ -0,0 +1,95 @@ +20090615 + - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c @@ -297,9 +297,9 @@ diff -up /dev/null openssh-5.3p1/ChangeLog.gssapi + add support for GssapiTrustDns option for gssapi-with-mic + (from jbasney AT ncsa.uiuc.edu) + -diff -up openssh-5.3p1/clientloop.c.gsskex openssh-5.3p1/clientloop.c ---- openssh-5.3p1/clientloop.c.gsskex 2009-08-28 03:21:07.000000000 +0200 -+++ openssh-5.3p1/clientloop.c 2009-11-20 14:48:53.000000000 +0100 +diff -up openssh-5.4p1/clientloop.c.gsskex openssh-5.4p1/clientloop.c +--- openssh-5.4p1/clientloop.c.gsskex 2010-01-30 07:28:35.000000000 +0100 ++++ openssh-5.4p1/clientloop.c 2010-03-01 18:14:28.000000000 +0100 @@ -111,6 +111,10 @@ #include "msg.h" #include "roaming.h" @@ -311,7 +311,7 @@ diff -up openssh-5.3p1/clientloop.c.gsskex openssh-5.3p1/clientloop.c /* import options */ extern Options options; -@@ -1430,6 +1434,13 @@ client_loop(int have_pty, int escape_cha +@@ -1431,6 +1435,13 @@ client_loop(int have_pty, int escape_cha /* Do channel operations unless rekeying in progress. */ if (!rekeying) { channel_after_select(readset, writeset); 
@@ -325,9 +325,9 @@ diff -up openssh-5.3p1/clientloop.c.gsskex openssh-5.3p1/clientloop.c if (need_rekeying || packet_need_rekeying()) { debug("need rekeying"); xxx_kex->done = 0; -diff -up openssh-5.3p1/configure.ac.gsskex openssh-5.3p1/configure.ac ---- openssh-5.3p1/configure.ac.gsskex 2009-11-20 14:39:02.000000000 +0100 -+++ openssh-5.3p1/configure.ac 2009-11-20 14:39:04.000000000 +0100 +diff -up openssh-5.4p1/configure.ac.gsskex openssh-5.4p1/configure.ac +--- openssh-5.4p1/configure.ac.gsskex 2010-03-01 18:14:27.000000000 +0100 ++++ openssh-5.4p1/configure.ac 2010-03-01 18:14:28.000000000 +0100 @@ -477,6 +477,30 @@ main() { if (NSVersionOfRunTimeLibrary(" [Use tunnel device compatibility to OpenBSD]) AC_DEFINE(SSH_TUN_PREPEND_AF, 1, @@ -359,9 +359,9 @@ diff -up openssh-5.3p1/configure.ac.gsskex openssh-5.3p1/configure.ac m4_pattern_allow(AU_IPv) AC_CHECK_DECL(AU_IPv4, [], AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records]) -diff -up openssh-5.3p1/gss-genr.c.gsskex openssh-5.3p1/gss-genr.c ---- openssh-5.3p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200 -+++ openssh-5.3p1/gss-genr.c 2009-11-20 14:39:04.000000000 +0100 +diff -up openssh-5.4p1/gss-genr.c.gsskex openssh-5.4p1/gss-genr.c +--- openssh-5.4p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200 ++++ openssh-5.4p1/gss-genr.c 2010-03-01 18:14:28.000000000 +0100 @@ -39,12 +39,167 @@ #include "buffer.h" #include "log.h" @@ -700,9 +700,9 @@ diff -up openssh-5.3p1/gss-genr.c.gsskex openssh-5.3p1/gss-genr.c +} + #endif /* GSSAPI */ -diff -up openssh-5.3p1/gss-serv.c.gsskex openssh-5.3p1/gss-serv.c ---- openssh-5.3p1/gss-serv.c.gsskex 2008-05-19 07:05:07.000000000 +0200 -+++ openssh-5.3p1/gss-serv.c 2009-11-20 14:39:05.000000000 +0100 +diff -up openssh-5.4p1/gss-serv.c.gsskex openssh-5.4p1/gss-serv.c +--- openssh-5.4p1/gss-serv.c.gsskex 2008-05-19 07:05:07.000000000 +0200 ++++ openssh-5.4p1/gss-serv.c 2010-03-01 18:14:28.000000000 +0100 
@@ -1,7 +1,7 @@ /* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */ @@ -1016,9 +1016,9 @@ diff -up openssh-5.3p1/gss-serv.c.gsskex openssh-5.3p1/gss-serv.c } #endif -diff -up openssh-5.3p1/gss-serv-krb5.c.gsskex openssh-5.3p1/gss-serv-krb5.c ---- openssh-5.3p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200 -+++ openssh-5.3p1/gss-serv-krb5.c 2009-11-20 14:39:04.000000000 +0100 +diff -up openssh-5.4p1/gss-serv-krb5.c.gsskex openssh-5.4p1/gss-serv-krb5.c +--- openssh-5.4p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200 ++++ openssh-5.4p1/gss-serv-krb5.c 2010-03-01 18:14:28.000000000 +0100 @@ -1,7 +1,7 @@ /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ @@ -1139,12 +1139,12 @@ diff -up openssh-5.3p1/gss-serv-krb5.c.gsskex openssh-5.3p1/gss-serv-krb5.c }; #endif /* KRB5 */ -diff -up openssh-5.3p1/kex.c.gsskex openssh-5.3p1/kex.c ---- openssh-5.3p1/kex.c.gsskex 2009-06-21 10:15:25.000000000 +0200 -+++ openssh-5.3p1/kex.c 2009-11-20 14:50:11.000000000 +0100 -@@ -49,6 +49,10 @@ - #include "dispatch.h" +diff -up openssh-5.4p1/kex.c.gsskex openssh-5.4p1/kex.c +--- openssh-5.4p1/kex.c.gsskex 2010-01-08 06:50:41.000000000 +0100 ++++ openssh-5.4p1/kex.c 2010-03-01 18:18:42.000000000 +0100 +@@ -50,6 +50,10 @@ #include "monitor.h" + #include "roaming.h" +#ifdef GSSAPI +#include "ssh-gss.h" @@ -1153,7 +1153,7 @@ diff -up openssh-5.3p1/kex.c.gsskex openssh-5.3p1/kex.c #if OPENSSL_VERSION_NUMBER >= 0x00907000L # if defined(HAVE_EVP_SHA256) # define evp_ssh_sha256 EVP_sha256 -@@ -325,6 +329,20 @@ choose_kex(Kex *k, char *client, char *s +@@ -326,6 +330,20 @@ choose_kex(Kex *k, char *client, char *s k->kex_type = KEX_DH_GEX_SHA256; k->evp_md = evp_ssh_sha256(); #endif 
@@ -1174,9 +1174,9 @@ diff -up openssh-5.3p1/kex.c.gsskex openssh-5.3p1/kex.c } else fatal("bad kex alg %s", k->name); } -diff -up /dev/null openssh-5.3p1/kexgssc.c ---- /dev/null 2009-11-13 11:29:57.672908570 +0100 -+++ openssh-5.3p1/kexgssc.c 2009-11-20 14:39:05.000000000 +0100 +diff -up openssh-5.4p1/kexgssc.c.gsskex openssh-5.4p1/kexgssc.c +--- openssh-5.4p1/kexgssc.c.gsskex 2010-03-01 18:14:28.000000000 +0100 ++++ openssh-5.4p1/kexgssc.c 2010-03-01 18:14:28.000000000 +0100 @@ -0,0 +1,334 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -1512,9 +1512,9 @@ diff -up /dev/null openssh-5.3p1/kexgssc.c +} + +#endif /* GSSAPI */ -diff -up /dev/null openssh-5.3p1/kexgsss.c ---- /dev/null 2009-11-13 11:29:57.672908570 +0100 -+++ openssh-5.3p1/kexgsss.c 2009-11-20 14:39:05.000000000 +0100 +diff -up openssh-5.4p1/kexgsss.c.gsskex openssh-5.4p1/kexgsss.c +--- openssh-5.4p1/kexgsss.c.gsskex 2010-03-01 18:14:28.000000000 +0100 ++++ openssh-5.4p1/kexgsss.c 2010-03-01 18:14:28.000000000 +0100 @@ -0,0 +1,288 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -1804,10 +1804,10 @@ diff -up /dev/null openssh-5.3p1/kexgsss.c + ssh_gssapi_rekey_creds(); +} +#endif /* GSSAPI */ -diff -up openssh-5.3p1/kex.h.gsskex openssh-5.3p1/kex.h ---- openssh-5.3p1/kex.h.gsskex 2009-06-21 10:15:25.000000000 +0200 -+++ openssh-5.3p1/kex.h 2009-11-20 14:39:05.000000000 +0100 -@@ -66,6 +66,9 @@ enum kex_exchange { +diff -up openssh-5.4p1/kex.h.gsskex openssh-5.4p1/kex.h +--- openssh-5.4p1/kex.h.gsskex 2010-02-26 21:55:05.000000000 +0100 ++++ openssh-5.4p1/kex.h 2010-03-01 18:14:28.000000000 +0100 +@@ -67,6 +67,9 @@ enum kex_exchange { KEX_DH_GRP14_SHA1, KEX_DH_GEX_SHA1, KEX_DH_GEX_SHA256, @@ -1817,7 +1817,7 @@ diff -up openssh-5.3p1/kex.h.gsskex openssh-5.3p1/kex.h KEX_MAX }; -@@ -121,6 +124,12 @@ struct Kex { +@@ -123,6 +126,12 @@ struct Kex { sig_atomic_t done; int flags; const EVP_MD *evp_md; 
@@ -1830,7 +1830,7 @@ diff -up openssh-5.3p1/kex.h.gsskex openssh-5.3p1/kex.h char *client_version_string; char *server_version_string; int (*verify_host_key)(Key *); -@@ -143,6 +152,11 @@ void kexdh_server(Kex *); +@@ -146,6 +155,11 @@ void kexdh_server(Kex *); void kexgex_client(Kex *); void kexgex_server(Kex *); 
@@ -1842,54 +1842,58 @@ diff -up openssh-5.3p1/kex.h.gsskex openssh-5.3p1/kex.h void kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); -diff -up openssh-5.3p1/key.c.gsskex openssh-5.3p1/key.c ---- openssh-5.3p1/key.c.gsskex 2009-11-20 14:38:59.000000000 +0100 -+++ openssh-5.3p1/key.c 2009-11-20 14:39:05.000000000 +0100 -@@ -825,6 +825,8 @@ key_type_from_name(char *name) - return KEY_RSA; - } else if (strcmp(name, "ssh-dss") == 0) { - return KEY_DSA; +diff -up openssh-5.4p1/key.c.gsskex openssh-5.4p1/key.c +--- openssh-5.4p1/key.c.gsskex 2010-02-26 21:55:05.000000000 +0100 ++++ openssh-5.4p1/key.c 2010-03-01 18:20:43.000000000 +0100 +@@ -969,6 +969,8 @@ key_type_from_name(char *name) + return KEY_RSA_CERT; + } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) { + return KEY_DSA_CERT; + } else if (strcmp(name, "null") == 0) { + return KEY_NULL; } debug2("key_type_from_name: unknown key type '%s'", name); return KEY_UNSPEC; -diff -up openssh-5.3p1/key.h.gsskex openssh-5.3p1/key.h ---- openssh-5.3p1/key.h.gsskex 2009-11-20 14:38:59.000000000 +0100 -+++ openssh-5.3p1/key.h 2009-11-20 14:50:59.000000000 +0100 -@@ -40,6 +40,7 @@ enum types { - KEY_RSA, +diff -up openssh-5.4p1/key.h.gsskex openssh-5.4p1/key.h +--- openssh-5.4p1/key.h.gsskex 2010-02-26 21:55:05.000000000 +0100 ++++ openssh-5.4p1/key.h 2010-03-01 18:21:22.000000000 +0100 +@@ -37,6 +37,7 @@ enum types { KEY_DSA, - KEY_NSS, + KEY_RSA_CERT, + KEY_DSA_CERT, + KEY_NULL, KEY_UNSPEC }; enum fp_type { -diff -up openssh-5.3p1/Makefile.in.gsskex openssh-5.3p1/Makefile.in ---- openssh-5.3p1/Makefile.in.gsskex 2009-11-20 14:39:02.000000000 +0100 -+++ openssh-5.3p1/Makefile.in 2009-11-20 15:06:44.000000000 +0100 -@@ -71,7 +71,8 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b - atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ +diff -up openssh-5.4p1/Makefile.in.gsskex openssh-5.4p1/Makefile.in +--- 
openssh-5.4p1/Makefile.in.gsskex 2010-03-01 18:14:27.000000000 +0100 ++++ openssh-5.4p1/Makefile.in 2010-03-01 18:23:31.000000000 +0100 +@@ -74,11 +74,11 @@ monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ - kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \ -- entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o nsskeys.o -+ entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o nsskeys.o \ -+ kexgssc.o + kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \ + entropy.o gss-genr.o umac.o jpake.o schnorr.o \ +- ssh-pkcs11.o ++ ssh-pkcs11.o kexgssc.o SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o \ -@@ -85,7 +86,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw - auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ - monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \ - auth-krb5.o \ -- auth2-gss.o gss-serv.o gss-serv-krb5.o \ -+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\ +- roaming_common.o roaming_client.o ++ roaming_common.o roaming_client.o kexgssc.o + + SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ + sshpty.o sshlogin.o servconf.o serverloop.o \ +@@ -91,7 +91,7 @@ + auth2-gss.o gss-serv.o gss-serv-krb5.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ - roaming_common.o -diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c ---- openssh-5.3p1/monitor.c.gsskex 2009-11-20 14:38:55.000000000 +0100 -+++ openssh-5.3p1/monitor.c 2009-11-20 14:39:05.000000000 +0100 +- roaming_common.o roaming_serv.o ++ roaming_common.o roaming_serv.o kexgsss.o + + MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out + MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 
ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 +diff -up openssh-5.4p1/monitor.c.gsskex openssh-5.4p1/monitor.c +--- openssh-5.4p1/monitor.c.gsskex 2010-03-01 18:14:25.000000000 +0100 ++++ openssh-5.4p1/monitor.c 2010-03-01 18:14:29.000000000 +0100 @@ -175,6 +175,8 @@ int mm_answer_gss_setup_ctx(int, Buffer int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_userok(int, Buffer *); @@ -1956,7 +1960,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c kex->server = 1; kex->hostkey_type = buffer_get_int(m); kex->kex_type = buffer_get_int(m); -@@ -1943,6 +1967,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer +@@ -1944,6 +1968,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer OM_uint32 major; u_int len; @@ -1966,7 +1970,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c goid.elements = buffer_get_string(m, &len); goid.length = len; -@@ -1970,6 +1997,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe +@@ -1971,6 +1998,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe OM_uint32 flags = 0; /* GSI needs this */ u_int len; @@ -1976,7 +1980,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c in.value = buffer_get_string(m, &len); in.length = len; major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); -@@ -1987,6 +2017,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe +@@ -1988,6 +2018,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); @@ -1984,7 +1988,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c } return (0); } -@@ -1998,6 +2029,9 @@ mm_answer_gss_checkmic(int sock, Buffer +@@ -1999,6 +2030,9 @@ mm_answer_gss_checkmic(int sock, Buffer OM_uint32 ret; u_int len; 
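Review bot: The rebased Makefile.in hunk now lists `kexgssc.o` twice on the new side — once in LIBSSH_OBJS (`++ ssh-pkcs11.o kexgssc.o`) and again in SSHOBJS (`++ roaming_common.o roaming_client.o kexgssc.o`) — whereas the 5.3p1 version of the patch added it only to LIBSSH_OBJS, and `kexgsss.o` is added to SSHDOBJS alone. If the ssh link rule still pulls in libssh.a as the surrounding object lists suggest (the rule itself is outside this hunk), one of the two entries is redundant and the object is both archived and linked directly; dropping the SSHOBJS addition and keeping `++ ssh-pkcs11.o kexgssc.o` would restore the previous arrangement. If the duplicate is intentional, a one-line remark in the patch description saying so would keep the next rebase from silently removing it.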
@@ -1994,7 +1998,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c gssbuf.value = buffer_get_string(m, &len); gssbuf.length = len; mic.value = buffer_get_string(m, &len); -@@ -2024,7 +2058,11 @@ mm_answer_gss_userok(int sock, Buffer *m +@@ -2025,7 +2059,11 @@ mm_answer_gss_userok(int sock, Buffer *m { int authenticated; @@ -2007,7 +2011,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c buffer_clear(m); buffer_put_int(m, authenticated); -@@ -2037,6 +2075,74 @@ mm_answer_gss_userok(int sock, Buffer *m +@@ -2038,6 +2076,74 @@ mm_answer_gss_userok(int sock, Buffer *m /* Monitor loop will terminate if authenticated */ return (authenticated); } @@ -2082,9 +2086,9 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c #endif /* GSSAPI */ #ifdef JPAKE -diff -up openssh-5.3p1/monitor.h.gsskex openssh-5.3p1/monitor.h ---- openssh-5.3p1/monitor.h.gsskex 2009-11-20 14:38:55.000000000 +0100 -+++ openssh-5.3p1/monitor.h 2009-11-20 14:39:05.000000000 +0100 +diff -up openssh-5.4p1/monitor.h.gsskex openssh-5.4p1/monitor.h +--- openssh-5.4p1/monitor.h.gsskex 2010-03-01 18:14:25.000000000 +0100 ++++ openssh-5.4p1/monitor.h 2010-03-01 18:14:29.000000000 +0100 @@ -56,6 +56,8 @@ enum monitor_reqtype { MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP, MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK, @@ -2094,9 +2098,9 @@ diff -up openssh-5.3p1/monitor.h.gsskex openssh-5.3p1/monitor.h MONITOR_REQ_PAM_START, MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, -diff -up openssh-5.3p1/monitor_wrap.c.gsskex openssh-5.3p1/monitor_wrap.c ---- openssh-5.3p1/monitor_wrap.c.gsskex 2009-11-20 14:38:55.000000000 +0100 -+++ openssh-5.3p1/monitor_wrap.c 2009-11-20 14:39:05.000000000 +0100 +diff -up openssh-5.4p1/monitor_wrap.c.gsskex openssh-5.4p1/monitor_wrap.c +--- openssh-5.4p1/monitor_wrap.c.gsskex 2010-03-01 18:14:25.000000000 +0100 ++++ openssh-5.4p1/monitor_wrap.c 2010-03-01 18:14:29.000000000 +0100 
@@ -1267,7 +1267,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss } @@ -2158,9 +2162,9 @@ diff -up openssh-5.3p1/monitor_wrap.c.gsskex openssh-5.3p1/monitor_wrap.c #endif /* GSSAPI */ #ifdef JPAKE -diff -up openssh-5.3p1/monitor_wrap.h.gsskex openssh-5.3p1/monitor_wrap.h ---- openssh-5.3p1/monitor_wrap.h.gsskex 2009-11-20 14:38:55.000000000 +0100 -+++ openssh-5.3p1/monitor_wrap.h 2009-11-20 14:39:05.000000000 +0100 +diff -up openssh-5.4p1/monitor_wrap.h.gsskex openssh-5.4p1/monitor_wrap.h +--- openssh-5.4p1/monitor_wrap.h.gsskex 2010-03-01 18:14:25.000000000 +0100 ++++ openssh-5.4p1/monitor_wrap.h 2010-03-01 18:14:29.000000000 +0100 @@ -60,8 +60,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, @@ -2173,10 +2177,10 @@ diff -up openssh-5.3p1/monitor_wrap.h.gsskex openssh-5.3p1/monitor_wrap.h #endif #ifdef USE_PAM -diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c ---- openssh-5.3p1/readconf.c.gsskex 2009-11-20 14:38:59.000000000 +0100 -+++ openssh-5.3p1/readconf.c 2009-11-20 14:39:06.000000000 +0100 -@@ -128,6 +128,7 @@ typedef enum { +diff -up openssh-5.4p1/readconf.c.gsskex openssh-5.4p1/readconf.c +--- openssh-5.4p1/readconf.c.gsskex 2010-02-11 23:21:03.000000000 +0100 ++++ openssh-5.4p1/readconf.c 2010-03-01 18:14:29.000000000 +0100 +@@ -127,6 +127,7 @@ typedef enum { oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssDelegateCreds, 
@@ -2184,7 +2188,7 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, -@@ -165,10 +166,18 @@ static struct { +@@ -164,10 +165,18 @@ static struct { { "afstokenpassing", oUnsupported }, #if defined(GSSAPI) { "gssapiauthentication", oGssAuthentication }, @@ -2203,7 +2207,7 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c #endif { "fallbacktorsh", oDeprecated }, { "usersh", oDeprecated }, -@@ -462,10 +471,26 @@ parse_flag: +@@ -456,10 +465,26 @@ parse_flag: intptr = &options->gss_authentication; goto parse_flag; @@ -2230,7 +2234,7 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c case oBatchMode: intptr = &options->batch_mode; goto parse_flag; -@@ -1029,7 +1054,11 @@ initialize_options(Options * options) +@@ -1015,7 +1040,11 @@ initialize_options(Options * options) options->pubkey_authentication = -1; options->challenge_response_authentication = -1; options->gss_authentication = -1; @@ -2242,7 +2246,7 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; -@@ -1123,8 +1152,14 @@ fill_default_options(Options * options) +@@ -1107,8 +1136,14 @@ fill_default_options(Options * options) options->challenge_response_authentication = 1; if (options->gss_authentication == -1) options->gss_authentication = 0; 
@@ -2257,9 +2261,9 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -diff -up openssh-5.3p1/readconf.h.gsskex openssh-5.3p1/readconf.h ---- openssh-5.3p1/readconf.h.gsskex 2009-11-20 14:38:59.000000000 +0100 -+++ openssh-5.3p1/readconf.h 2009-11-20 14:39:06.000000000 +0100 +diff -up openssh-5.4p1/readconf.h.gsskex openssh-5.4p1/readconf.h +--- openssh-5.4p1/readconf.h.gsskex 2010-02-11 23:21:03.000000000 +0100 ++++ openssh-5.4p1/readconf.h 2010-03-01 18:14:29.000000000 +0100 @@ -44,7 +44,11 @@ typedef struct { int challenge_response_authentication; /* Try S/Key or TIS, authentication. */ @@ -2272,10 +2276,10 @@ diff -up openssh-5.3p1/readconf.h.gsskex openssh-5.3p1/readconf.h int password_authentication; /* Try password * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ -diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c ---- openssh-5.3p1/servconf.c.gsskex 2009-11-20 14:39:03.000000000 +0100 -+++ openssh-5.3p1/servconf.c 2009-11-20 14:52:27.000000000 +0100 -@@ -92,7 +92,10 @@ initialize_server_options(ServerOptions +diff -up openssh-5.4p1/servconf.c.gsskex openssh-5.4p1/servconf.c +--- openssh-5.4p1/servconf.c.gsskex 2010-03-01 18:14:28.000000000 +0100 ++++ openssh-5.4p1/servconf.c 2010-03-01 18:25:32.000000000 +0100 +@@ -93,7 +93,10 @@ initialize_server_options(ServerOptions options->kerberos_ticket_cleanup = -1; options->kerberos_get_afs_token = -1; options->gss_authentication=-1; 
@@ -2286,7 +2290,7 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; -@@ -213,8 +216,14 @@ fill_default_server_options(ServerOption +@@ -215,8 +218,14 @@ fill_default_server_options(ServerOption options->kerberos_get_afs_token = 0; if (options->gss_authentication == -1) options->gss_authentication = 0; @@ -2301,7 +2305,7 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -308,7 +317,9 @@ typedef enum { +@@ -310,7 +319,9 @@ typedef enum { sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, @@ -2311,8 +2315,8 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c + sAcceptEnv, sPermitTunnel, sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, - sZeroKnowledgePasswordAuthentication, -@@ -371,9 +382,15 @@ static struct { + sZeroKnowledgePasswordAuthentication, sHostCertificate, +@@ -373,9 +384,15 @@ static struct { #ifdef GSSAPI { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, @@ -2328,7 +2332,7 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c #endif { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, -@@ -906,10 +923,22 @@ process_server_config_line(ServerOptions +@@ -935,10 +952,22 @@ process_server_config_line(ServerOptions intptr = &options->gss_authentication; goto parse_flag; 
@@ -2351,10 +2355,10 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c case sPasswordAuthentication: intptr = &options->password_authentication; goto parse_flag; -diff -up openssh-5.3p1/servconf.h.gsskex openssh-5.3p1/servconf.h ---- openssh-5.3p1/servconf.h.gsskex 2009-11-20 14:39:03.000000000 +0100 -+++ openssh-5.3p1/servconf.h 2009-11-20 14:39:06.000000000 +0100 -@@ -91,7 +91,10 @@ typedef struct { +diff -up openssh-5.4p1/servconf.h.gsskex openssh-5.4p1/servconf.h +--- openssh-5.4p1/servconf.h.gsskex 2010-03-01 18:14:28.000000000 +0100 ++++ openssh-5.4p1/servconf.h 2010-03-01 18:14:29.000000000 +0100 +@@ -94,7 +94,10 @@ typedef struct { int kerberos_get_afs_token; /* If true, try to get AFS token if * authenticated with Kerberos. */ int gss_authentication; /* If true, permit GSSAPI authentication */ @@ -2365,9 +2369,9 @@ diff -up openssh-5.3p1/servconf.h.gsskex openssh-5.3p1/servconf.h int password_authentication; /* If true, permit password * authentication. */ int kbd_interactive_authentication; /* If true, permit */ -diff -up openssh-5.3p1/ssh_config.5.gsskex openssh-5.3p1/ssh_config.5 ---- openssh-5.3p1/ssh_config.5.gsskex 2009-02-23 00:53:58.000000000 +0100 -+++ openssh-5.3p1/ssh_config.5 2009-11-20 14:39:06.000000000 +0100 +diff -up openssh-5.4p1/ssh_config.5.gsskex openssh-5.4p1/ssh_config.5 +--- openssh-5.4p1/ssh_config.5.gsskex 2010-02-11 23:26:02.000000000 +0100 ++++ openssh-5.4p1/ssh_config.5 2010-03-01 18:14:29.000000000 +0100 @@ -478,11 +478,38 @@ Specifies whether user authentication ba The default is .Dq no . 
@@ -2408,9 +2412,9 @@ diff -up openssh-5.3p1/ssh_config.5.gsskex openssh-5.3p1/ssh_config.5 .It Cm HashKnownHosts Indicates that .Xr ssh 1 -diff -up openssh-5.3p1/ssh_config.gsskex openssh-5.3p1/ssh_config ---- openssh-5.3p1/ssh_config.gsskex 2009-11-20 14:38:53.000000000 +0100 -+++ openssh-5.3p1/ssh_config 2009-11-20 14:39:06.000000000 +0100 +diff -up openssh-5.4p1/ssh_config.gsskex openssh-5.4p1/ssh_config +--- openssh-5.4p1/ssh_config.gsskex 2010-03-01 18:14:24.000000000 +0100 ++++ openssh-5.4p1/ssh_config 2010-03-01 18:14:29.000000000 +0100 @@ -26,6 +26,8 @@ # HostbasedAuthentication no # GSSAPIAuthentication no @@ -2420,9 +2424,9 @@ diff -up openssh-5.3p1/ssh_config.gsskex openssh-5.3p1/ssh_config # BatchMode no # CheckHostIP yes # AddressFamily any -diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c ---- openssh-5.3p1/sshconnect2.c.gsskex 2009-11-20 14:39:01.000000000 +0100 -+++ openssh-5.3p1/sshconnect2.c 2009-11-20 15:05:03.000000000 +0100 +diff -up openssh-5.4p1/sshconnect2.c.gsskex openssh-5.4p1/sshconnect2.c +--- openssh-5.4p1/sshconnect2.c.gsskex 2010-03-01 18:14:27.000000000 +0100 ++++ openssh-5.4p1/sshconnect2.c 2010-03-01 18:14:29.000000000 +0100 @@ -108,9 +108,34 @@ ssh_kex2(char *host, struct sockaddr *ho { Kex *kex; @@ -2503,7 +2507,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c xxx_kex = kex; dispatch_run(DISPATCH_BLOCK, &kex->done, kex); -@@ -247,6 +299,7 @@ void input_gssapi_token(int type, u_int3 +@@ -253,6 +305,7 @@ void input_gssapi_token(int type, u_int3 void input_gssapi_hash(int type, u_int32_t, void *); void input_gssapi_error(int, u_int32_t, void *); void input_gssapi_errtok(int, u_int32_t, void *); 
@@ -2511,7 +2515,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c #endif void userauth(Authctxt *, char *); -@@ -262,6 +315,10 @@ static char *authmethods_get(void); +@@ -268,6 +321,10 @@ static char *authmethods_get(void); Authmethod authmethods[] = { #ifdef GSSAPI @@ -2522,7 +2526,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c {"gssapi-with-mic", userauth_gssapi, NULL, -@@ -555,23 +612,35 @@ userauth_gssapi(Authctxt *authctxt) +@@ -576,23 +633,35 @@ userauth_gssapi(Authctxt *authctxt) int ok = 0; char* remotehost = NULL; const char* canonicalhost = get_canonical_hostname(1); @@ -2560,7 +2564,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c ok = 1; /* Mechanism works */ } else { mech++; -@@ -668,8 +737,8 @@ input_gssapi_response(int type, u_int32_ +@@ -689,8 +758,8 @@ input_gssapi_response(int type, u_int32_ { Authctxt *authctxt = ctxt; Gssctxt *gssctxt; @@ -2571,7 +2575,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c if (authctxt == NULL) fatal("input_gssapi_response: no authentication context"); -@@ -779,6 +848,48 @@ input_gssapi_error(int type, u_int32_t p +@@ -800,6 +869,48 @@ input_gssapi_error(int type, u_int32_t p xfree(msg); xfree(lang); } @@ -2620,9 +2624,9 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c #endif /* GSSAPI */ int -diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c ---- openssh-5.3p1/sshd.c.gsskex 2009-11-20 14:39:01.000000000 +0100 -+++ openssh-5.3p1/sshd.c 2009-11-20 14:53:31.000000000 +0100 +diff -up openssh-5.4p1/sshd.c.gsskex openssh-5.4p1/sshd.c +--- openssh-5.4p1/sshd.c.gsskex 2010-03-01 18:14:27.000000000 +0100 ++++ openssh-5.4p1/sshd.c 2010-03-01 18:14:29.000000000 +0100 @@ -129,6 +129,10 @@ int allow_severity; int deny_severity; #endif /* LIBWRAP */ 
@@ -2634,7 +2638,7 @@ diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c #ifndef O_NOCTTY #define O_NOCTTY 0 #endif -@@ -1546,10 +1550,13 @@ main(int ac, char **av) +@@ -1592,10 +1596,13 @@ main(int ac, char **av) logit("Disabling protocol version 1. Could not load host key"); options.protocol &= ~SSH_PROTO_1; } @@ -2648,7 +2652,7 @@ diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { logit("sshd: no hostkeys available -- exiting."); exit(1); -@@ -1837,6 +1844,60 @@ main(int ac, char **av) +@@ -1928,6 +1935,60 @@ main(int ac, char **av) /* Log the connection. */ verbose("Connection from %.500s port %d", remote_ip, remote_port); @@ -2709,7 +2713,7 @@ diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c /* * We don't want to listen forever unless the other side * successfully authenticates itself. So we set up an alarm which is -@@ -2223,12 +2284,61 @@ do_ssh2_kex(void) +@@ -2314,12 +2375,61 @@ do_ssh2_kex(void) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); @@ -2771,9 +2775,9 @@ diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c kex->server = 1; kex->client_version_string=client_version_string; kex->server_version_string=server_version_string; -diff -up openssh-5.3p1/sshd_config.5.gsskex openssh-5.3p1/sshd_config.5 ---- openssh-5.3p1/sshd_config.5.gsskex 2009-11-20 14:39:03.000000000 +0100 -+++ openssh-5.3p1/sshd_config.5 2009-11-20 14:39:06.000000000 +0100 +diff -up openssh-5.4p1/sshd_config.5.gsskex openssh-5.4p1/sshd_config.5 +--- openssh-5.4p1/sshd_config.5.gsskex 2010-03-01 18:14:28.000000000 +0100 ++++ openssh-5.4p1/sshd_config.5 2010-03-01 18:14:29.000000000 +0100 @@ -379,12 +379,40 @@ Specifies whether user authentication ba The default is .Dq no . 
@@ -2815,10 +2819,10 @@ diff -up openssh-5.3p1/sshd_config.5.gsskex openssh-5.3p1/sshd_config.5 .It Cm HostbasedAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed -diff -up openssh-5.3p1/sshd_config.gsskex openssh-5.3p1/sshd_config ---- openssh-5.3p1/sshd_config.gsskex 2009-11-20 14:39:04.000000000 +0100 -+++ openssh-5.3p1/sshd_config 2009-11-20 14:54:30.000000000 +0100 -@@ -80,6 +80,8 @@ ChallengeResponseAuthentication no +diff -up openssh-5.4p1/sshd_config.gsskex openssh-5.4p1/sshd_config +--- openssh-5.4p1/sshd_config.gsskex 2010-03-01 18:14:28.000000000 +0100 ++++ openssh-5.4p1/sshd_config 2010-03-01 18:14:29.000000000 +0100 +@@ -78,6 +78,8 @@ ChallengeResponseAuthentication no GSSAPIAuthentication yes #GSSAPICleanupCredentials yes GSSAPICleanupCredentials yes @@ -2827,9 +2831,9 @@ diff -up openssh-5.3p1/sshd_config.gsskex openssh-5.3p1/sshd_config # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will -diff -up openssh-5.3p1/ssh-gss.h.gsskex openssh-5.3p1/ssh-gss.h ---- openssh-5.3p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200 -+++ openssh-5.3p1/ssh-gss.h 2009-11-20 14:39:06.000000000 +0100 +diff -up openssh-5.4p1/ssh-gss.h.gsskex openssh-5.4p1/ssh-gss.h +--- openssh-5.4p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200 ++++ openssh-5.4p1/ssh-gss.h 2010-03-01 18:14:30.000000000 +0100 @@ -1,6 +1,6 @@ /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */ /* diff --git a/openssh-5.3p1-mls.patch b/openssh-5.4p1-mls.patch similarity index 88% rename from openssh-5.3p1-mls.patch rename to openssh-5.4p1-mls.patch index 451b7e8..2fb3ee5 100644 --- a/openssh-5.3p1-mls.patch +++ b/openssh-5.4p1-mls.patch 
@@ -1,7 +1,7 @@ -diff -up openssh-5.3p1/configure.ac.mls openssh-5.3p1/configure.ac ---- openssh-5.3p1/configure.ac.mls 2009-10-02 14:04:31.000000000 +0200 -+++ openssh-5.3p1/configure.ac 2009-10-02 14:04:31.000000000 +0200 -@@ -3404,6 +3404,7 @@ AC_ARG_WITH(selinux, +diff -up openssh-5.4p1/configure.ac.mls openssh-5.4p1/configure.ac +--- openssh-5.4p1/configure.ac.mls 2010-03-01 15:24:27.000000000 +0100 ++++ openssh-5.4p1/configure.ac 2010-03-01 15:24:28.000000000 +0100 +@@ -3360,6 +3360,7 @@ AC_ARG_WITH(selinux, SSHDLIBS="$SSHDLIBS $LIBSELINUX" LIBS="$LIBS $LIBSELINUX" AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) @@ -9,9 +9,9 @@ diff -up openssh-5.3p1/configure.ac.mls openssh-5.3p1/configure.ac LIBS="$save_LIBS" fi ] ) -diff -up openssh-5.3p1/misc.c.mls openssh-5.3p1/misc.c ---- openssh-5.3p1/misc.c.mls 2009-02-21 22:47:02.000000000 +0100 -+++ openssh-5.3p1/misc.c 2009-10-02 14:04:31.000000000 +0200 +diff -up openssh-5.4p1/misc.c.mls openssh-5.4p1/misc.c +--- openssh-5.4p1/misc.c.mls 2010-01-10 00:31:12.000000000 +0100 ++++ openssh-5.4p1/misc.c 2010-03-01 15:24:28.000000000 +0100 @@ -423,6 +423,7 @@ char * colon(char *cp) { @@ -36,15 +36,16 @@ diff -up openssh-5.3p1/misc.c.mls openssh-5.3p1/misc.c } return (0); } -diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-compat/port-linux.c ---- openssh-5.3p1/openbsd-compat/port-linux.c.mls 2009-10-02 14:04:31.000000000 +0200 -+++ openssh-5.3p1/openbsd-compat/port-linux.c 2009-10-02 14:04:31.000000000 +0200 -@@ -33,12 +33,23 @@ +diff -up openssh-5.4p1/openbsd-compat/port-linux.c.mls openssh-5.4p1/openbsd-compat/port-linux.c +--- openssh-5.4p1/openbsd-compat/port-linux.c.mls 2010-03-01 15:24:27.000000000 +0100 ++++ openssh-5.4p1/openbsd-compat/port-linux.c 2010-03-01 15:25:50.000000000 +0100 +@@ -35,13 +35,24 @@ #include "key.h" #include "hostfile.h" #include "auth.h" +#include "xmalloc.h" + #ifdef WITH_SELINUX #include #include +#include 
@@ -63,7 +64,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com /* Wrapper around is_selinux_enabled() to log its return value once only */ int -@@ -54,17 +65,173 @@ ssh_selinux_enabled(void) +@@ -57,17 +68,173 @@ ssh_selinux_enabled(void) return (enabled); } @@ -243,7 +244,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com #ifdef HAVE_GETSEUSERBYNAME if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) { sename = NULL; -@@ -72,38 +239,63 @@ ssh_selinux_getctxbyname(char *pwname) +@@ -75,38 +242,63 @@ ssh_selinux_getctxbyname(char *pwname) } #else sename = pwname; @@ -329,7 +330,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com #ifdef HAVE_GETSEUSERBYNAME if (sename != NULL) -@@ -111,14 +303,20 @@ ssh_selinux_getctxbyname(char *pwname) +@@ -114,14 +306,20 @@ ssh_selinux_getctxbyname(char *pwname) if (lvl != NULL) xfree(lvl); #endif @@ -351,7 +352,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com security_context_t user_ctx = NULL; if (!ssh_selinux_enabled()) -@@ -126,22 +324,45 @@ ssh_selinux_setup_exec_context(char *pwn +@@ -129,22 +327,45 @@ ssh_selinux_setup_exec_context(char *pwn debug3("%s: setting execution context", __func__); @@ -404,7 +405,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com debug3("%s: done", __func__); } -@@ -159,7 +380,10 @@ ssh_selinux_setup_pty(char *pwname, cons +@@ -162,7 +383,10 @@ ssh_selinux_setup_pty(char *pwname, cons debug3("%s: setting TTY context on %s", __func__, tty); 
@@ -416,10 +417,10 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com /* XXX: should these calls fatal() upon failure in enforcing mode? */ -diff -up openssh-5.3p1/session.c.mls openssh-5.3p1/session.c ---- openssh-5.3p1/session.c.mls 2009-08-20 08:20:50.000000000 +0200 -+++ openssh-5.3p1/session.c 2009-10-02 14:06:12.000000000 +0200 -@@ -1550,10 +1550,6 @@ do_setusercontext(struct passwd *pw) +diff -up openssh-5.4p1/session.c.mls openssh-5.4p1/session.c +--- openssh-5.4p1/session.c.mls 2010-01-12 09:51:48.000000000 +0100 ++++ openssh-5.4p1/session.c 2010-03-01 15:24:28.000000000 +0100 +@@ -1559,10 +1559,6 @@ do_setusercontext(struct passwd *pw) if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); @@ -430,10 +431,10 @@ diff -up openssh-5.3p1/session.c.mls openssh-5.3p1/session.c } static void -diff -up openssh-5.3p1/sshd.c.mls openssh-5.3p1/sshd.c ---- openssh-5.3p1/sshd.c.mls 2009-10-02 14:04:31.000000000 +0200 -+++ openssh-5.3p1/sshd.c 2009-10-02 14:04:31.000000000 +0200 -@@ -1896,6 +1896,9 @@ main(int ac, char **av) +diff -up openssh-5.4p1/sshd.c.mls openssh-5.4p1/sshd.c +--- openssh-5.4p1/sshd.c.mls 2010-03-01 15:24:27.000000000 +0100 ++++ openssh-5.4p1/sshd.c 2010-03-01 15:24:28.000000000 +0100 +@@ -1987,6 +1987,9 @@ main(int ac, char **av) restore_uid(); } #endif diff --git a/openssh-5.4p1-pam_selinux.patch b/openssh-5.4p1-pam_selinux.patch new file mode 100644 index 0000000..6b601da --- /dev/null +++ b/openssh-5.4p1-pam_selinux.patch 
@@ -0,0 +1,156 @@ +diff -up openssh-5.4p1/auth-pam.c.pam_selinux openssh-5.4p1/auth-pam.c +--- openssh-5.4p1/auth-pam.c.pam_selinux 2009-07-12 14:07:21.000000000 +0200 ++++ openssh-5.4p1/auth-pam.c 2010-03-01 15:27:23.000000000 +0100 +@@ -1069,7 +1069,7 @@ is_pam_session_open(void) + * during the ssh authentication process. + */ + int +-do_pam_putenv(char *name, char *value) ++do_pam_putenv(char *name, const char *value) + { + int ret = 1; + #ifdef HAVE_PAM_PUTENV +diff -up openssh-5.4p1/auth-pam.h.pam_selinux openssh-5.4p1/auth-pam.h +--- openssh-5.4p1/auth-pam.h.pam_selinux 2004-09-11 14:17:26.000000000 +0200 ++++ openssh-5.4p1/auth-pam.h 2010-03-01 15:27:23.000000000 +0100 +@@ -38,7 +38,7 @@ void do_pam_session(void); + void do_pam_set_tty(const char *); + void do_pam_setcred(int ); + void do_pam_chauthtok(void); +-int do_pam_putenv(char *, char *); ++int do_pam_putenv(char *, const char *); + char ** fetch_pam_environment(void); + char ** fetch_pam_child_environment(void); + void free_pam_environment(char **); +diff -up openssh-5.4p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.4p1/openbsd-compat/port-linux.c +--- openssh-5.4p1/openbsd-compat/port-linux.c.pam_selinux 2010-03-01 15:27:22.000000000 +0100 ++++ openssh-5.4p1/openbsd-compat/port-linux.c 2010-03-01 15:27:53.000000000 +0100 +@@ -36,6 +36,7 @@ + #include "hostfile.h" + #include "auth.h" + #include "xmalloc.h" ++#include "servconf.h" + + #ifdef WITH_SELINUX + #include +@@ -50,6 +51,7 @@ + #include + #endif + ++extern ServerOptions options; + extern Authctxt *the_authctxt; + extern int inetd_flag; + extern int rexeced_flag; +@@ -211,29 +213,38 @@ get_user_context(const char *sename, con + return -1; + } + ++static void ++ssh_selinux_get_role_level(char **role, const char **level) ++{ ++ *role = NULL; ++ *level = NULL; ++ if (the_authctxt) { ++ if (the_authctxt->role != NULL) { ++ char *slash; ++ *role = xstrdup(the_authctxt->role); ++ if ((slash = strchr(*role, '/')) != NULL) { ++ *slash = '\0'; ++ 
*level = slash + 1; ++ } ++ } ++ } ++} ++ + /* Return the default security context for the given username */ + static int + ssh_selinux_getctxbyname(char *pwname, + security_context_t *default_sc, security_context_t *user_sc) + { + char *sename, *lvl; +- const char *reqlvl = NULL; +- char *role = NULL; ++ const char *reqlvl; ++ char *role; + int r = -1; + context_t con = NULL; + + *default_sc = NULL; + *user_sc = NULL; +- if (the_authctxt) { +- if (the_authctxt->role != NULL) { +- char *slash; +- role = xstrdup(the_authctxt->role); +- if ((slash = strchr(role, '/')) != NULL) { +- *slash = '\0'; +- reqlvl = slash + 1; +- } +- } +- } ++ ++ ssh_selinux_get_role_level(&role, &reqlvl); + + #ifdef HAVE_GETSEUSERBYNAME + if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) { +@@ -314,6 +325,36 @@ ssh_selinux_getctxbyname(char *pwname, + return (r); + } + ++/* Setup environment variables for pam_selinux */ ++static int ++ssh_selinux_setup_pam_variables(void) ++{ ++ const char *reqlvl; ++ char *role; ++ char *use_current; ++ int rv; ++ ++ debug3("%s: setting execution context", __func__); ++ ++ ssh_selinux_get_role_level(&role, &reqlvl); ++ ++ rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : ""); ++ ++ if (inetd_flag && !rexeced_flag) { ++ use_current = "1"; ++ } else { ++ use_current = ""; ++ rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? 
reqlvl: ""); ++ } ++ ++ rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current); ++ ++ if (role != NULL) ++ xfree(role); ++ ++ return rv; ++} ++ + /* Set the execution context to the default for the specified user */ + void + ssh_selinux_setup_exec_context(char *pwname) +@@ -325,6 +366,24 @@ ssh_selinux_setup_exec_context(char *pwn + if (!ssh_selinux_enabled()) + return; + ++ if (options.use_pam) { ++ /* do not compute context, just setup environment for pam_selinux */ ++ if (ssh_selinux_setup_pam_variables()) { ++ switch (security_getenforce()) { ++ case -1: ++ fatal("%s: security_getenforce() failed", __func__); ++ case 0: ++ error("%s: SELinux PAM variable setup failure. Continuing in permissive mode.", ++ __func__); ++ break; ++ default: ++ fatal("%s: SELinux PAM variable setup failure. Aborting connection.", ++ __func__); ++ } ++ } ++ return; ++ } ++ + debug3("%s: setting execution context", __func__); + + r = ssh_selinux_getctxbyname(pwname, &default_ctx, &user_ctx); diff --git a/openssh-5.3p1-pka.patch b/openssh-5.4p1-pka.patch similarity index 58% rename from openssh-5.3p1-pka.patch rename to openssh-5.4p1-pka.patch index 0733527..ee18f7e 100644 --- a/openssh-5.3p1-pka.patch +++ b/openssh-5.4p1-pka.patch @@ -1,7 +1,7 @@ -diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c ---- openssh-5.3p1/auth2-pubkey.c.pka 2009-03-08 01:40:28.000000000 +0100 -+++ openssh-5.3p1/auth2-pubkey.c 2010-01-04 16:07:53.000000000 +0100 -@@ -175,26 +175,14 @@ done: +diff -up openssh-5.4p1/auth2-pubkey.c.pka openssh-5.4p1/auth2-pubkey.c +--- openssh-5.4p1/auth2-pubkey.c.pka 2010-03-09 08:01:05.000000000 +0100 ++++ openssh-5.4p1/auth2-pubkey.c 2010-03-09 08:07:15.000000000 +0100 +@@ -187,27 +187,15 @@ done: /* return 1 if user allows given key */ static int 
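Review bot: `ssh_selinux_get_role_level` leaves the ownership of its two outputs undocumented: `*role` is an `xstrdup` copy the caller must `xfree`, and `*level`, when set, points into that same buffer just past the `/` it overwrote, so it dangles as soon as `*role` is freed. A comment above the function such as `/* Split the requested role/level out of the_authctxt->role. *role is xstrdup'd and must be xfree'd by the caller; *level aliases it and is valid only until then (both NULL when no role was requested). */` would make the free-after-use ordering in both callers explicit. In `ssh_selinux_setup_pam_variables` the opening `debug3("%s: setting execution context", __func__)` is copied from `ssh_selinux_setup_exec_context` and misdescribes this path; `debug3("%s: setting pam_selinux environment variables", __func__)` would be accurate. The role and level handed to PAM presumably originate in the client-supplied username, so the `SELINUX_ROLE_REQUESTED`/`SELINUX_LEVEL_REQUESTED` values are untrusted and rely on pam_selinux validating them against policy; stating that in the `/* Setup environment variables for pam_selinux */` comment would keep a future reader from treating them as already authorized. `do_pam_putenv` is shown here initialising `ret = 1` before its `HAVE_PAM_PUTENV` block, so on builds without pam_putenv this setup appears to fail unconditionally and, in enforcing mode, would `fatal()` every connection when UsePAM is on — worth confirming.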
@@ -9,6 +9,7 @@ diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c +user_search_key_in_file(FILE *f, char *file, Key* key, struct passwd *pw) { char line[SSH_MAX_PUBKEY_BYTES]; + const char *reason; int found_key = 0; - FILE *f; u_long linenum = 0; @@ -27,9 +28,9 @@ diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c - } - found_key = 0; - found = key_new(key->type); + found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); -@@ -239,21 +227,160 @@ user_key_allowed2(struct passwd *pw, Key +@@ -278,8 +266,6 @@ user_key_allowed2(struct passwd *pw, Key break; } } @@ -38,11 +39,11 @@ diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c key_free(found); if (!found_key) debug2("key not found"); - return found_key; +@@ -327,13 +313,153 @@ user_cert_trusted_ca(struct passwd *pw, + return ret; } -/* check whether given key is in .ssh/authorized_keys* */ -+ +/* return 1 if user allows given key */ +static int +user_key_allowed2(struct passwd *pw, Key *key, char *file) 
@@ -190,66 +191,13 @@ diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c + return success; +#endif + - file = authorized_keys_file(pw); - success = user_key_allowed2(pw, key, file); - xfree(file); -diff -up openssh-5.3p1/configure.pka openssh-5.3p1/configure ---- openssh-5.3p1/configure.pka 2009-10-13 19:27:51.000000000 +0200 -+++ openssh-5.3p1/configure 2009-10-15 06:26:33.000000000 +0200 -@@ -769,6 +769,7 @@ with_skey - with_tcp_wrappers - with_libedit - with_audit -+with_pka - with_ssl_dir - with_openssl_header_check - with_ssl_engine -@@ -1473,6 +1474,7 @@ Optional Packages: - --with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH) - --with-libedit[=PATH] Enable libedit support for sftp - --with-audit=module Enable EXPERIMENTAL audit support (modules=debug,bsm) -+ --with-pka Enable pubkey agent support - --with-ssl-dir=PATH Specify path to OpenSSL installation - --without-openssl-header-check Disable OpenSSL version consistency check - --with-ssl-engine Enable OpenSSL (hardware) ENGINE support -@@ -13443,6 +13445,25 @@ $as_echo "$as_me: error: Unknown audit m - fi - - -+# Check whether user wants pubkey agent support -+PKA_MSG="no" -+ -+# Check whether --with-pka was given. 
-+if test "${with_pka+set}" = set; then -+ withval=$with_pka; -+ if test "x$withval" != "xno" ; then -+ -+cat >>confdefs.h <<\_ACEOF -+#define WITH_PUBKEY_AGENT 1 -+_ACEOF -+ -+ PKA_MSG="yes" -+ fi -+ -+ -+fi -+ -+ - - - -@@ -32772,6 +32793,7 @@ echo " Linux audit support - echo " Smartcard support: $SCARD_MSG" - echo " S/KEY support: $SKEY_MSG" - echo " TCP Wrappers support: $TCPW_MSG" -+echo " PKA support: $PKA_MSG" - echo " MD5 password support: $MD5_MSG" - echo " libedit support: $LIBEDIT_MSG" - echo " Solaris process contract support: $SPC_MSG" -diff -up openssh-5.3p1/configure.ac.pka openssh-5.3p1/configure.ac ---- openssh-5.3p1/configure.ac.pka 2009-09-11 06:56:08.000000000 +0200 -+++ openssh-5.3p1/configure.ac 2010-01-04 16:07:53.000000000 +0100 -@@ -1319,6 +1319,18 @@ AC_ARG_WITH(audit, + if (auth_key_is_revoked(key)) + return 0; + if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key)) +diff -up openssh-5.4p1/configure.ac.pka openssh-5.4p1/configure.ac +--- openssh-5.4p1/configure.ac.pka 2010-03-09 08:01:04.000000000 +0100 ++++ openssh-5.4p1/configure.ac 2010-03-09 08:01:05.000000000 +0100 +@@ -1323,6 +1323,18 @@ AC_ARG_WITH(audit, esac ] ) @@ -268,7 +216,7 @@ diff -up openssh-5.3p1/configure.ac.pka openssh-5.3p1/configure.ac dnl Checks for library functions. Please keep in alphabetical order AC_CHECK_FUNCS( \ arc4random \ -@@ -4229,6 +4241,7 @@ echo " SELinux support +@@ -4206,6 +4218,7 @@ echo " Linux audit support echo " Smartcard support: $SCARD_MSG" echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" 
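Review bot: On the new side of this hunk the `#ifdef WITH_PUBKEY_AGENT … return success; #endif` block in `user_key_allowed` now sits immediately ahead of the `auth_key_is_revoked(key)` and certificate-CA revocation checks that 5.4p1 added and that appear here as context, so the agent path's verdict is returned before RevokedKeys is consulted. Unless the part of the block above this hunk repeats those checks, a key listed in RevokedKeys would still be accepted whenever the agent answers for it, which quietly weakens the new revocation feature for PubkeyAgent deployments. The safer placement is to keep the two `if (auth_key_is_revoked(...)) return 0;` statements as the first lines of `user_key_allowed` and open the `#ifdef WITH_PUBKEY_AGENT` block after them; the start of that block and the function header are outside this hunk.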
@@ -276,30 +224,30 @@ diff -up openssh-5.3p1/configure.ac.pka openssh-5.3p1/configure.ac echo " MD5 password support: $MD5_MSG" echo " libedit support: $LIBEDIT_MSG" echo " Solaris process contract support: $SPC_MSG" -diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c ---- openssh-5.3p1/servconf.c.pka 2009-06-21 12:26:17.000000000 +0200 -+++ openssh-5.3p1/servconf.c 2010-01-04 16:07:53.000000000 +0100 -@@ -127,6 +127,8 @@ initialize_server_options(ServerOptions +diff -up openssh-5.4p1/servconf.c.pka openssh-5.4p1/servconf.c +--- openssh-5.4p1/servconf.c.pka 2010-03-09 08:01:04.000000000 +0100 ++++ openssh-5.4p1/servconf.c 2010-03-09 09:04:57.000000000 +0100 +@@ -129,6 +129,8 @@ initialize_server_options(ServerOptions options->num_permitted_opens = -1; options->adm_forced_command = NULL; options->chroot_directory = NULL; + options->pubkey_agent = NULL; + options->pubkey_agent_runas = NULL; options->zero_knowledge_password_authentication = -1; - } - -@@ -306,6 +308,7 @@ typedef enum { - sMatch, sPermitOpen, sForceCommand, sChrootDirectory, + options->revoked_keys_file = NULL; + options->trusted_user_ca_keys = NULL; +@@ -315,6 +317,7 @@ typedef enum { sUsePrivilegeSeparation, sAllowAgentForwarding, - sZeroKnowledgePasswordAuthentication, + sZeroKnowledgePasswordAuthentication, sHostCertificate, + sRevokedKeys, sTrustedUserCAKeys, + sPubkeyAgent, sPubkeyAgentRunAs, sDeprecated, sUnsupported } ServerOpCodes; -@@ -424,6 +427,13 @@ static struct { - { "permitopen", sPermitOpen, SSHCFG_ALL }, - { "forcecommand", sForceCommand, SSHCFG_ALL }, - { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, +@@ -437,6 +440,13 @@ static struct { + { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, + { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, + { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, +#ifdef WITH_PUBKEY_AGENT + { "pubkeyagent", sPubkeyAgent, SSHCFG_ALL }, + { "pubkeyagentrunas", sPubkeyAgentRunAs, SSHCFG_ALL }, 
@@ -310,9 +258,9 @@ diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c { NULL, sBadOption, 0 } }; -@@ -1294,6 +1304,20 @@ process_server_config_line(ServerOptions - *charptr = xstrdup(arg); - break; +@@ -1345,6 +1355,20 @@ process_server_config_line(ServerOptions + charptr = &options->revoked_keys_file; + goto parse_filename; + case sPubkeyAgent: + len = strspn(cp, WHITESPACE); @@ -331,7 +279,7 @@ diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); -@@ -1387,6 +1411,8 @@ copy_set_server_options(ServerOptions *d +@@ -1438,6 +1462,8 @@ copy_set_server_options(ServerOptions *d M_CP_INTOPT(gss_authentication); M_CP_INTOPT(rsa_authentication); M_CP_INTOPT(pubkey_authentication); 
@@ -340,51 +288,43 @@ diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c M_CP_INTOPT(kerberos_authentication); M_CP_INTOPT(hostbased_authentication); M_CP_INTOPT(kbd_interactive_authentication); -@@ -1626,6 +1652,10 @@ dump_config(ServerOptions *o) - dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file); - dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2); - dump_cfg_string(sForceCommand, o->adm_forced_command); -+#ifdef WITH_PUBKEY_AGENT +@@ -1683,6 +1709,8 @@ dump_config(ServerOptions *o) + dump_cfg_string(sChrootDirectory, o->chroot_directory); + dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys); + dump_cfg_string(sRevokedKeys, o->revoked_keys_file); + dump_cfg_string(sPubkeyAgent, o->pubkey_agent); + dump_cfg_string(sPubkeyAgentRunAs, o->pubkey_agent_runas); -+#endif /* string arguments requiring a lookup */ dump_cfg_string(sLogLevel, log_level_name(o->log_level)); -diff -up openssh-5.3p1/servconf.h.pka openssh-5.3p1/servconf.h ---- openssh-5.3p1/servconf.h.pka 2009-01-28 06:31:23.000000000 +0100 -+++ openssh-5.3p1/servconf.h 2010-01-04 16:07:53.000000000 +0100 -@@ -151,6 +151,8 @@ typedef struct { - int num_permitted_opens; - +diff -up openssh-5.4p1/servconf.h.pka openssh-5.4p1/servconf.h +--- openssh-5.4p1/servconf.h.pka 2010-03-09 08:01:04.000000000 +0100 ++++ openssh-5.4p1/servconf.h 2010-03-09 09:05:29.000000000 +0100 +@@ -157,6 +157,8 @@ typedef struct { char *chroot_directory; + char *revoked_keys_file; + char *trusted_user_ca_keys; + char *pubkey_agent; + char *pubkey_agent_runas; } ServerOptions; void initialize_server_options(ServerOptions *); -diff -up openssh-5.3p1/sshd_config.0.pka openssh-5.3p1/sshd_config.0 ---- openssh-5.3p1/sshd_config.0.pka 2009-09-26 08:31:16.000000000 +0200 -+++ openssh-5.3p1/sshd_config.0 2010-01-04 16:07:53.000000000 +0100 -@@ -344,10 +344,11 @@ DESCRIPTION - AllowTcpForwarding, Banner, ChrootDirectory, ForceCommand, - GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication, 
+diff -up openssh-5.4p1/sshd_config.0.pka openssh-5.4p1/sshd_config.0 +--- openssh-5.4p1/sshd_config.0.pka 2010-03-09 08:01:04.000000000 +0100 ++++ openssh-5.4p1/sshd_config.0 2010-03-09 09:07:35.000000000 +0100 +@@ -352,7 +352,8 @@ DESCRIPTION KbdInteractiveAuthentication, KerberosAuthentication, -- MaxAuthTries, MaxSessions, PasswordAuthentication, -- PermitEmptyPasswords, PermitOpen, PermitRootLogin, -- RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, -- X11Forwarding and X11UseLocalHost. -+ MaxAuthTries, MaxSessions, PubkeyAuthentication, PubkeyAgent, -+ PubkeyAgentRunAs, PasswordAuthentication, PermitEmptyPasswords, -+ PermitOpen, PermitRootLogin, RhostsRSAAuthentication, -+ RSAAuthentication, X11DisplayOffset, X11Forwarding and -+ X11UseLocalHost. + MaxAuthTries, MaxSessions, PasswordAuthentication, + PermitEmptyPasswords, PermitOpen, PermitRootLogin, +- PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication, ++ PubkeyAuthentication, PubkeyAgent, PubkeyAgentRunAs, ++ RhostsRSAAuthentication, RSAAuthentication, + X11DisplayOffset, X11Forwarding and X11UseLocalHost. MaxAuthTries - Specifies the maximum number of authentication attempts permitted -@@ -455,6 +456,17 @@ DESCRIPTION - fault is ``yes''. Note that this option applies to protocol ver- - sion 2 only. +@@ -467,6 +468,17 @@ DESCRIPTION + this file is not readable, then public key authentication will be + refused for all users. + PubkeyAgent + Specifies which agent is used for lookup of the user's public 
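Review bot: The new `dump_cfg_string(sPubkeyAgent, …)` and `dump_cfg_string(sPubkeyAgentRunAs, …)` lines drop the `#ifdef WITH_PUBKEY_AGENT` guard the old side of this hunk had, while the keyword-table entries for `pubkeyagent`/`pubkeyagentrunas` in the earlier servconf.c hunk are still wrapped in that guard. Keeping `#ifdef WITH_PUBKEY_AGENT` / `#endif` around the two dump lines, as before, keeps the dump_config output and the accepted-keyword table consistent; if the guard was dropped deliberately because the struct fields and enum values are now unconditional, a one-line comment saying so would avoid the question on the next rebase.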
@@ -400,22 +340,10 @@ diff -up openssh-5.3p1/sshd_config.0.pka openssh-5.3p1/sshd_config.0 RhostsRSAAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication to- gether with successful RSA host authentication is allowed. The -diff -up openssh-5.3p1/sshd_config.pka openssh-5.3p1/sshd_config ---- openssh-5.3p1/sshd_config.pka 2008-07-02 14:35:43.000000000 +0200 -+++ openssh-5.3p1/sshd_config 2010-01-04 16:07:53.000000000 +0100 -@@ -46,6 +46,8 @@ Protocol 2 - #RSAAuthentication yes - #PubkeyAuthentication yes - #AuthorizedKeysFile .ssh/authorized_keys -+#PubkeyAgent none -+#PubkeyAgentRunAs nobody - - # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts - #RhostsRSAAuthentication no -diff -up openssh-5.3p1/sshd_config.5.pka openssh-5.3p1/sshd_config.5 ---- openssh-5.3p1/sshd_config.5.pka 2009-08-28 02:27:08.000000000 +0200 -+++ openssh-5.3p1/sshd_config.5 2010-01-04 16:07:53.000000000 +0100 -@@ -610,6 +610,9 @@ Available keywords are +diff -up openssh-5.4p1/sshd_config.5.pka openssh-5.4p1/sshd_config.5 +--- openssh-5.4p1/sshd_config.5.pka 2010-03-09 08:01:04.000000000 +0100 ++++ openssh-5.4p1/sshd_config.5 2010-03-09 09:06:40.000000000 +0100 +@@ -618,6 +618,9 @@ Available keywords are .Cm KerberosAuthentication , .Cm MaxAuthTries , .Cm MaxSessions , 
@@ -425,20 +353,32 @@ diff -up openssh-5.3p1/sshd_config.5.pka openssh-5.3p1/sshd_config.5 .Cm PasswordAuthentication , .Cm PermitEmptyPasswords , .Cm PermitOpen , -@@ -805,6 +808,16 @@ Specifies whether public key authenticat - The default is - .Dq yes . - Note that this option applies to protocol version 2 only. -+.It Cm PubkeyAgent -+Specifies which agent is used for lookup of the user's public -+keys. Empty string means to use the authorized_keys file. -+By default there is no PubkeyAgent set. -+Note that this option has an effect only with PubkeyAuthentication -+switched on. -+.It Cm PubkeyAgentRunAs -+Specifies the user under whose account the PubkeyAgent is run. Empty -+string (the default value) means the user being authorized is used. -+.Dq +@@ -819,6 +822,16 @@ Specifies a list of revoked public keys. + Keys listed in this file will be refused for public key authentication. + Note that if this file is not readable, then public key authentication will + be refused for all users. +++.It Cm PubkeyAgent +++Specifies which agent is used for lookup of the user's public +++keys. Empty string means to use the authorized_keys file. +++By default there is no PubkeyAgent set. +++Note that this option has an effect only with PubkeyAuthentication +++switched on. +++.It Cm PubkeyAgentRunAs +++Specifies the user under whose account the PubkeyAgent is run. Empty +++string (the default value) means the user being authorized is used. +++.Dq .It Cm RhostsRSAAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is allowed. 
+diff -up openssh-5.4p1/sshd_config.pka openssh-5.4p1/sshd_config +--- openssh-5.4p1/sshd_config.pka 2010-03-09 08:01:04.000000000 +0100 ++++ openssh-5.4p1/sshd_config 2010-03-09 08:01:06.000000000 +0100 +@@ -45,6 +45,8 @@ SyslogFacility AUTHPRIV + #RSAAuthentication yes + #PubkeyAuthentication yes + #AuthorizedKeysFile .ssh/authorized_keys ++#PubkeyAgent none ++#PubkeyAgentRunAs nobody + + # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts + #RhostsRSAAuthentication no diff --git a/openssh-5.2p1-redhat.patch b/openssh-5.4p1-redhat.patch similarity index 73% rename from openssh-5.2p1-redhat.patch rename to openssh-5.4p1-redhat.patch index 4304065..bd2ad80 100644 --- a/openssh-5.2p1-redhat.patch +++ b/openssh-5.4p1-redhat.patch @@ -1,10 +1,10 @@ -diff -up openssh-5.2p1/ssh_config.redhat openssh-5.2p1/ssh_config ---- openssh-5.2p1/ssh_config.redhat 2009-02-21 02:45:02.000000000 +0100 -+++ openssh-5.2p1/ssh_config 2009-08-09 08:45:11.302092427 +0200 -@@ -44,3 +44,14 @@ - # TunnelDevice any:any +diff -up openssh-5.4p1/ssh_config.redhat openssh-5.4p1/ssh_config +--- openssh-5.4p1/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100 ++++ openssh-5.4p1/ssh_config 2010-03-01 15:15:51.000000000 +0100 +@@ -45,3 +45,14 @@ # PermitLocalCommand no # VisualHostKey no + # ProxyCommand ssh -q -W %h:%p gateway.example.com +Host * + GSSAPIAuthentication yes +# If this option is set to yes then remote X11 clients will have full access 
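Review bot: The ten new man-page lines in the `sshd_config.5` hunk (`.It Cm PubkeyAgent` through `.Dq`) carry three leading `+` characters on the new side, whereas every other added line in this file carries two (compare `++#PubkeyAgent none` in the `sshd_config` hunk that follows); as rendered, the rebased patch therefore adds lines beginning with a literal `+` to sshd_config.5, which mdoc would print as text instead of treating `.It Cm PubkeyAgent` as a list item. Unless the extra marker is an artifact of this page, each of those lines should begin with a single inner marker, `+.It Cm PubkeyAgent`, `+Specifies which agent is used …`, inside the patch file. The trailing `.Dq` with no argument, present on both sides of this hunk, looks like a leftover and could be dropped at the same time.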
@@ -16,10 +16,10 @@ diff -up openssh-5.2p1/ssh_config.redhat openssh-5.2p1/ssh_config + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE + SendEnv XMODIFIERS -diff -up openssh-5.2p1/sshd_config.0.redhat openssh-5.2p1/sshd_config.0 ---- openssh-5.2p1/sshd_config.0.redhat 2009-02-23 01:18:15.000000000 +0100 -+++ openssh-5.2p1/sshd_config.0 2009-08-09 08:45:11.276555108 +0200 -@@ -491,9 +491,9 @@ DESCRIPTION +diff -up openssh-5.4p1/sshd_config.0.redhat openssh-5.4p1/sshd_config.0 +--- openssh-5.4p1/sshd_config.0.redhat 2010-03-01 14:30:04.000000000 +0100 ++++ openssh-5.4p1/sshd_config.0 2010-03-01 15:14:13.000000000 +0100 +@@ -501,9 +501,9 @@ DESCRIPTION SyslogFacility Gives the facility code that is used when logging messages from @@ -32,10 +32,10 @@ diff -up openssh-5.2p1/sshd_config.0.redhat openssh-5.2p1/sshd_config.0 TCPKeepAlive Specifies whether the system should send TCP keepalive messages -diff -up openssh-5.2p1/sshd_config.5.redhat openssh-5.2p1/sshd_config.5 ---- openssh-5.2p1/sshd_config.5.redhat 2009-02-23 01:00:24.000000000 +0100 -+++ openssh-5.2p1/sshd_config.5 2009-08-09 08:45:11.278927203 +0200 -@@ -848,7 +848,7 @@ Note that this option applies to protoco +diff -up openssh-5.4p1/sshd_config.5.redhat openssh-5.4p1/sshd_config.5 +--- openssh-5.4p1/sshd_config.5.redhat 2010-02-26 21:55:06.000000000 +0100 ++++ openssh-5.4p1/sshd_config.5 2010-03-01 15:14:14.000000000 +0100 +@@ -865,7 +865,7 @@ Note that this option applies to protoco .It Cm SyslogFacility Gives the facility code that is used when logging messages from .Xr sshd 8 . 
@@ -44,10 +44,10 @@ diff -up openssh-5.2p1/sshd_config.5.redhat openssh-5.2p1/sshd_config.5 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH. .It Cm TCPKeepAlive -diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config ---- openssh-5.2p1/sshd_config.redhat 2008-07-02 14:35:43.000000000 +0200 -+++ openssh-5.2p1/sshd_config 2009-08-09 08:47:40.850857227 +0200 -@@ -33,6 +33,7 @@ Protocol 2 +diff -up openssh-5.4p1/sshd_config.redhat openssh-5.4p1/sshd_config +--- openssh-5.4p1/sshd_config.redhat 2009-10-11 12:51:09.000000000 +0200 ++++ openssh-5.4p1/sshd_config 2010-03-01 15:14:14.000000000 +0100 +@@ -31,6 +31,7 @@ # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH @@ -55,7 +55,7 @@ diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config #LogLevel INFO # Authentication: -@@ -60,9 +61,11 @@ Protocol 2 +@@ -58,9 +59,11 @@ # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no @@ -67,7 +67,7 @@ diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config # Kerberos options #KerberosAuthentication no -@@ -72,7 +75,9 @@ Protocol 2 +@@ -70,7 +73,9 @@ # GSSAPI options #GSSAPIAuthentication no @@ -77,7 +77,7 @@ diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will -@@ -84,11 +89,19 @@ Protocol 2 +@@ -82,11 +87,19 @@ # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. #UsePAM no diff --git a/openssh-5.2p1-selinux.patch b/openssh-5.4p1-selinux.patch similarity index 74% rename from openssh-5.2p1-selinux.patch rename to openssh-5.4p1-selinux.patch index 19cea68..465811f 100644 --- a/openssh-5.2p1-selinux.patch +++ b/openssh-5.4p1-selinux.patch 
@@ -1,7 +1,7 @@ -diff -up openssh-5.2p1/auth1.c.selinux openssh-5.2p1/auth1.c ---- openssh-5.2p1/auth1.c.selinux 2008-07-09 12:54:05.000000000 +0200 -+++ openssh-5.2p1/auth1.c 2009-08-11 22:43:07.918183730 +0200 -@@ -392,6 +392,9 @@ do_authentication(Authctxt *authctxt) +diff -up openssh-5.4p1/auth1.c.selinux openssh-5.4p1/auth1.c +--- openssh-5.4p1/auth1.c.selinux 2010-03-01 15:19:56.000000000 +0100 ++++ openssh-5.4p1/auth1.c 2010-03-01 15:19:57.000000000 +0100 +@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt) { u_int ulen; char *user, *style = NULL; @@ -11,7 +11,7 @@ diff -up openssh-5.2p1/auth1.c.selinux openssh-5.2p1/auth1.c /* Get the name of the user that we wish to log in as. */ packet_read_expect(SSH_CMSG_USER); -@@ -400,11 +403,25 @@ do_authentication(Authctxt *authctxt) +@@ -392,11 +395,25 @@ do_authentication(Authctxt *authctxt) user = packet_get_string(&ulen); packet_check_eom(); @@ -37,9 +37,9 @@ diff -up openssh-5.2p1/auth1.c.selinux openssh-5.2p1/auth1.c /* Verify that the user is a valid user. */ if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) -diff -up openssh-5.2p1/auth2.c.selinux openssh-5.2p1/auth2.c ---- openssh-5.2p1/auth2.c.selinux 2008-11-05 06:20:46.000000000 +0100 -+++ openssh-5.2p1/auth2.c 2009-08-11 22:43:07.919756192 +0200 +diff -up openssh-5.4p1/auth2.c.selinux openssh-5.4p1/auth2.c +--- openssh-5.4p1/auth2.c.selinux 2009-06-22 08:11:07.000000000 +0200 ++++ openssh-5.4p1/auth2.c 2010-03-01 15:19:57.000000000 +0100 @@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32 Authctxt *authctxt = ctxt; Authmethod *m = NULL; 
@@ -79,9 +79,9 @@ diff -up openssh-5.2p1/auth2.c.selinux openssh-5.2p1/auth2.c userauth_banner(); } else if (strcmp(user, authctxt->user) != 0 || strcmp(service, authctxt->service) != 0) { -diff -up openssh-5.2p1/auth2-gss.c.selinux openssh-5.2p1/auth2-gss.c ---- openssh-5.2p1/auth2-gss.c.selinux 2007-12-02 12:59:45.000000000 +0100 -+++ openssh-5.2p1/auth2-gss.c 2009-08-11 22:43:07.921723295 +0200 +diff -up openssh-5.4p1/auth2-gss.c.selinux openssh-5.4p1/auth2-gss.c +--- openssh-5.4p1/auth2-gss.c.selinux 2007-12-02 12:59:45.000000000 +0100 ++++ openssh-5.4p1/auth2-gss.c 2010-03-01 15:19:57.000000000 +0100 @@ -258,6 +258,7 @@ input_gssapi_mic(int type, u_int32_t ple Authctxt *authctxt = ctxt; Gssctxt *gssctxt; @@ -114,9 +114,9 @@ diff -up openssh-5.2p1/auth2-gss.c.selinux openssh-5.2p1/auth2-gss.c xfree(mic.value); authctxt->postponed = 0; -diff -up openssh-5.2p1/auth2-hostbased.c.selinux openssh-5.2p1/auth2-hostbased.c ---- openssh-5.2p1/auth2-hostbased.c.selinux 2008-07-17 10:57:19.000000000 +0200 -+++ openssh-5.2p1/auth2-hostbased.c 2009-08-11 22:43:07.923721059 +0200 +diff -up openssh-5.4p1/auth2-hostbased.c.selinux openssh-5.4p1/auth2-hostbased.c +--- openssh-5.4p1/auth2-hostbased.c.selinux 2008-07-17 10:57:19.000000000 +0200 ++++ openssh-5.4p1/auth2-hostbased.c 2010-03-01 15:19:57.000000000 +0100 @@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt) buffer_put_string(&b, session_id2, session_id2_len); /* reconstruct packet */ 
@@ -134,10 +134,10 @@ diff -up openssh-5.2p1/auth2-hostbased.c.selinux openssh-5.2p1/auth2-hostbased.c buffer_put_cstring(&b, service); buffer_put_cstring(&b, "hostbased"); buffer_put_string(&b, pkalg, alen); -diff -up openssh-5.2p1/auth2-pubkey.c.selinux openssh-5.2p1/auth2-pubkey.c ---- openssh-5.2p1/auth2-pubkey.c.selinux 2008-07-04 04:54:25.000000000 +0200 -+++ openssh-5.2p1/auth2-pubkey.c 2009-08-11 22:43:07.925704588 +0200 -@@ -117,7 +117,15 @@ userauth_pubkey(Authctxt *authctxt) +diff -up openssh-5.4p1/auth2-pubkey.c.selinux openssh-5.4p1/auth2-pubkey.c +--- openssh-5.4p1/auth2-pubkey.c.selinux 2010-02-26 21:55:05.000000000 +0100 ++++ openssh-5.4p1/auth2-pubkey.c 2010-03-01 15:19:57.000000000 +0100 +@@ -119,7 +119,15 @@ userauth_pubkey(Authctxt *authctxt) } /* reconstruct packet */ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); @@ -154,9 +154,9 @@ diff -up openssh-5.2p1/auth2-pubkey.c.selinux openssh-5.2p1/auth2-pubkey.c buffer_put_cstring(&b, datafellows & SSH_BUG_PKSERVICE ? "ssh-userauth" : -diff -up openssh-5.2p1/auth.h.selinux openssh-5.2p1/auth.h ---- openssh-5.2p1/auth.h.selinux 2008-11-05 06:20:46.000000000 +0100 -+++ openssh-5.2p1/auth.h 2009-08-11 22:43:07.927199901 +0200 +diff -up openssh-5.4p1/auth.h.selinux openssh-5.4p1/auth.h +--- openssh-5.4p1/auth.h.selinux 2010-02-26 21:55:05.000000000 +0100 ++++ openssh-5.4p1/auth.h 2010-03-01 15:19:57.000000000 +0100 @@ -58,6 +58,9 @@ struct Authctxt { char *service; struct passwd *pw; /* set if 'valid' */ 
@@ -167,21 +167,21 @@ diff -up openssh-5.2p1/auth.h.selinux openssh-5.2p1/auth.h void *kbdintctxt; void *jpake_ctx; #ifdef BSD_AUTH -diff -up openssh-5.2p1/configure.ac.selinux openssh-5.2p1/configure.ac ---- openssh-5.2p1/configure.ac.selinux 2009-02-16 05:37:03.000000000 +0100 -+++ openssh-5.2p1/configure.ac 2009-08-11 22:43:07.930259052 +0200 -@@ -3335,6 +3335,7 @@ AC_ARG_WITH(selinux, - AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ], - AC_MSG_ERROR(SELinux support requires libselinux library)) +diff -up openssh-5.4p1/configure.ac.selinux openssh-5.4p1/configure.ac +--- openssh-5.4p1/configure.ac.selinux 2010-03-01 15:19:57.000000000 +0100 ++++ openssh-5.4p1/configure.ac 2010-03-01 15:21:12.000000000 +0100 +@@ -3358,6 +3358,7 @@ AC_ARG_WITH(selinux, + ], + AC_MSG_ERROR(SELinux support requires libselinux library)) SSHDLIBS="$SSHDLIBS $LIBSELINUX" + LIBS="$LIBS $LIBSELINUX" AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) LIBS="$save_LIBS" fi ] -diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c ---- openssh-5.2p1/monitor.c.selinux 2009-02-14 06:33:31.000000000 +0100 -+++ openssh-5.2p1/monitor.c 2009-08-11 22:43:07.933623092 +0200 -@@ -135,6 +135,9 @@ int mm_answer_sign(int, Buffer *); +diff -up openssh-5.4p1/monitor.c.selinux openssh-5.4p1/monitor.c +--- openssh-5.4p1/monitor.c.selinux 2010-02-26 21:55:05.000000000 +0100 ++++ openssh-5.4p1/monitor.c 2010-03-01 15:19:57.000000000 +0100 +@@ -137,6 +137,9 @@ int mm_answer_sign(int, Buffer *); int mm_answer_pwnamallow(int, Buffer *); int mm_answer_auth2_read_banner(int, Buffer *); int mm_answer_authserv(int, Buffer *); 
@@ -191,7 +191,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c int mm_answer_authpassword(int, Buffer *); int mm_answer_bsdauthquery(int, Buffer *); int mm_answer_bsdauthrespond(int, Buffer *); -@@ -211,6 +214,9 @@ struct mon_table mon_dispatch_proto20[] +@@ -213,6 +216,9 @@ struct mon_table mon_dispatch_proto20[] {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, @@ -201,7 +201,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, #ifdef USE_PAM -@@ -680,6 +686,9 @@ mm_answer_pwnamallow(int sock, Buffer *m +@@ -682,6 +688,9 @@ mm_answer_pwnamallow(int sock, Buffer *m else { /* Allow service/style information on the auth context */ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); @@ -211,7 +211,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); } -@@ -724,6 +733,25 @@ mm_answer_authserv(int sock, Buffer *m) +@@ -726,6 +735,25 @@ mm_answer_authserv(int sock, Buffer *m) return (0); } @@ -237,7 +237,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c int mm_answer_authpassword(int sock, Buffer *m) { -@@ -1102,7 +1130,7 @@ static int +@@ -1104,7 +1132,7 @@ static int monitor_valid_userblob(u_char *data, u_int datalen) { Buffer b; @@ -246,7 +246,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c u_int len; int fail = 0; -@@ -1128,6 +1156,8 @@ monitor_valid_userblob(u_char *data, u_i +@@ -1130,6 +1158,8 @@ monitor_valid_userblob(u_char *data, u_i if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; p = buffer_get_string(&b, NULL); 
@@ -255,7 +255,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c if (strcmp(authctxt->user, p) != 0) { logit("wrong user name passed to monitor: expected %s != %.100s", authctxt->user, p); -@@ -1159,7 +1189,7 @@ monitor_valid_hostbasedblob(u_char *data +@@ -1161,7 +1191,7 @@ monitor_valid_hostbasedblob(u_char *data char *chost) { Buffer b; @@ -264,7 +264,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c u_int len; int fail = 0; -@@ -1176,6 +1206,8 @@ monitor_valid_hostbasedblob(u_char *data +@@ -1178,6 +1208,8 @@ monitor_valid_hostbasedblob(u_char *data if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; p = buffer_get_string(&b, NULL); @@ -273,9 +273,9 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c if (strcmp(authctxt->user, p) != 0) { logit("wrong user name passed to monitor: expected %s != %.100s", authctxt->user, p); -diff -up openssh-5.2p1/monitor.h.selinux openssh-5.2p1/monitor.h ---- openssh-5.2p1/monitor.h.selinux 2008-11-05 06:20:46.000000000 +0100 -+++ openssh-5.2p1/monitor.h 2009-08-11 22:43:07.935612930 +0200 +diff -up openssh-5.4p1/monitor.h.selinux openssh-5.4p1/monitor.h +--- openssh-5.4p1/monitor.h.selinux 2008-11-05 06:20:46.000000000 +0100 ++++ openssh-5.4p1/monitor.h 2010-03-01 15:19:57.000000000 +0100 @@ -31,6 +31,9 @@ enum monitor_reqtype { MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, 
@@ -286,9 +286,9 @@ diff -up openssh-5.2p1/monitor.h.selinux openssh-5.2p1/monitor.h MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, -diff -up openssh-5.2p1/monitor_wrap.c.selinux openssh-5.2p1/monitor_wrap.c ---- openssh-5.2p1/monitor_wrap.c.selinux 2008-11-05 06:20:47.000000000 +0100 -+++ openssh-5.2p1/monitor_wrap.c 2009-08-11 22:43:07.937212340 +0200 +diff -up openssh-5.4p1/monitor_wrap.c.selinux openssh-5.4p1/monitor_wrap.c +--- openssh-5.4p1/monitor_wrap.c.selinux 2009-06-22 08:11:07.000000000 +0200 ++++ openssh-5.4p1/monitor_wrap.c 2010-03-01 15:19:57.000000000 +0100 @@ -297,6 +297,25 @@ mm_inform_authserv(char *service, char * buffer_free(&m); } @@ -315,9 +315,9 @@ diff -up openssh-5.2p1/monitor_wrap.c.selinux openssh-5.2p1/monitor_wrap.c /* Do the password authentication */ int mm_auth_password(Authctxt *authctxt, char *password) -diff -up openssh-5.2p1/monitor_wrap.h.selinux openssh-5.2p1/monitor_wrap.h ---- openssh-5.2p1/monitor_wrap.h.selinux 2008-11-05 06:20:47.000000000 +0100 -+++ openssh-5.2p1/monitor_wrap.h 2009-08-11 22:43:07.938268752 +0200 +diff -up openssh-5.4p1/monitor_wrap.h.selinux openssh-5.4p1/monitor_wrap.h +--- openssh-5.4p1/monitor_wrap.h.selinux 2009-03-05 14:58:22.000000000 +0100 ++++ openssh-5.4p1/monitor_wrap.h 2010-03-01 15:19:57.000000000 +0100 @@ -41,6 +41,9 @@ int mm_is_monitor(void); DH *mm_choose_dh(int, int, int); int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); 
@@ -328,17 +328,18 @@ diff -up openssh-5.2p1/monitor_wrap.h.selinux openssh-5.2p1/monitor_wrap.h struct passwd *mm_getpwnamallow(const char *); char *mm_auth2_read_banner(void); int mm_auth_password(struct Authctxt *, char *); -diff -up openssh-5.2p1/openbsd-compat/port-linux.c.selinux openssh-5.2p1/openbsd-compat/port-linux.c ---- openssh-5.2p1/openbsd-compat/port-linux.c.selinux 2008-03-26 21:27:21.000000000 +0100 -+++ openssh-5.2p1/openbsd-compat/port-linux.c 2009-08-11 22:44:14.529196220 +0200 -@@ -30,11 +30,16 @@ - #ifdef WITH_SELINUX +diff -up openssh-5.4p1/openbsd-compat/port-linux.c.selinux openssh-5.4p1/openbsd-compat/port-linux.c +--- openssh-5.4p1/openbsd-compat/port-linux.c.selinux 2010-03-01 05:52:50.000000000 +0100 ++++ openssh-5.4p1/openbsd-compat/port-linux.c 2010-03-01 15:22:19.000000000 +0100 +@@ -32,12 +32,17 @@ #include "log.h" + #include "xmalloc.h" #include "port-linux.h" +#include "key.h" +#include "hostfile.h" +#include "auth.h" + #ifdef WITH_SELINUX #include #include #include @@ -348,7 +349,7 @@ diff -up openssh-5.2p1/openbsd-compat/port-linux.c.selinux openssh-5.2p1/openbsd /* Wrapper around is_selinux_enabled() to log its return value once only */ int ssh_selinux_enabled(void) -@@ -53,23 +58,36 @@ ssh_selinux_enabled(void) +@@ -56,23 +61,36 @@ ssh_selinux_enabled(void) static security_context_t ssh_selinux_getctxbyname(char *pwname) { diff --git a/openssh.spec b/openssh.spec index 9bc57dc..dbbe016 100644 --- a/openssh.spec +++ b/openssh.spec @@ -185,7 +185,7 @@ Provides: openssh-askpass-gnome Summary: PAM module for authentication with ssh-agent Group: System Environment/Base Version: %{pam_ssh_agent_ver} -Release: %{pam_ssh_agent_rel}.%{openssh-rel}{?dist}%{?rescue_rel} +Release: %{pam_ssh_agent_rel}.%{openssh_rel}{?dist}%{?rescue_rel} License: BSD %description