diff --git a/.cvsignore b/.cvsignore
index f169a74..4d44afa 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-openssh-5.0p1-noacss.tar.bz2
+openssh-5.1p1-noacss.tar.bz2
diff --git a/openssh-4.5p1-controlcleanup.patch b/openssh-4.5p1-controlcleanup.patch
deleted file mode 100644
index 23822c5..0000000
--- a/openssh-4.5p1-controlcleanup.patch
+++ /dev/null
@@ -1,15 +0,0 @@
---- openssh-4.5p1/ssh.c~ 2007-03-24 16:25:18.000000000 +0000
-+++ openssh-4.5p1/ssh.c 2007-03-24 16:31:06.000000000 +0000
-@@ -1347,7 +1347,11 @@
- }
- if (errno == ENOENT)
- debug("Control socket \"%.100s\" does not exist", path);
-- else {
-+ else if (errno == ECONNREFUSED) {
-+ debug("Control socket connect(%.100s): %s", path,
-+ strerror(errno));
-+ unlink(path);
-+ } else {
- error("Control socket connect(%.100s): %s", path,
- strerror(errno));
- }
diff --git a/openssh-4.7p1-master-race.patch b/openssh-4.7p1-master-race.patch
deleted file mode 100644
index 8662c43..0000000
--- a/openssh-4.7p1-master-race.patch
+++ /dev/null
@@ -1,85 +0,0 @@
---- openssh-4.7p1/ssh.c.masterrace 2008-03-06 13:55:11.000000000 +0000
-+++ openssh-4.7p1/ssh.c 2008-03-06 13:55:19.000000000 +0000
-@@ -1065,7 +1065,7 @@ client_global_request_reply_fwd(int type
- }
- }
- 
--static void
-+static int
- ssh_control_listener(void)
- {
- struct sockaddr_un addr;
-@@ -1073,10 +1073,11 @@ ssh_control_listener(void)
- int addr_len;
- 
- if (options.control_path == NULL ||
-- options.control_master == SSHCTL_MASTER_NO)
-- return;
-+ options.control_master == SSHCTL_MASTER_NO ||
-+ control_fd != -1)
-+ return 1;
- 
-- debug("setting up multiplex master socket");
-+ debug("trying to set up multiplex master socket");
- 
- memset(&addr, '\0', sizeof(addr));
- addr.sun_family = AF_UNIX;
-@@ -1093,11 +1094,9 @@ ssh_control_listener(void)
- old_umask = umask(0177);
- if (bind(control_fd, (struct sockaddr *)&addr, addr_len) == -1) {
- control_fd = -1;
-- if (errno == EINVAL || errno == EADDRINUSE)
-- fatal("ControlSocket %s already exists",
-- options.control_path);
-- else
-+ if (errno != EINVAL && errno != EADDRINUSE)
- fatal("%s bind(): %s", __func__, strerror(errno));
-+ return 0;
- }
- umask(old_umask);
- 
-@@ -1105,6 +1104,9 @@ ssh_control_listener(void)
- fatal("%s listen(): %s", __func__, strerror(errno));
- 
- set_nonblock(control_fd);
-+
-+ debug("control master listening on %s", options.control_path);
-+ return 1;
- }
- 
- /* request pty/x11/agent/tcpfwd/shell for channel */
-@@ -1196,7 +1198,9 @@ ssh_session2(void)
- ssh_init_forwarding();
- 
- /* Start listening for multiplex clients */
-- ssh_control_listener();
-+ if (!ssh_control_listener())
-+ fatal("control master socket %s already exists",
-+ options.control_path);
- 
- /*
- * If we are the control master, and if control_persist is set,
-@@ -1375,7 +1379,13 @@ control_client(const char *path)
- switch (options.control_master) {
- case SSHCTL_MASTER_AUTO:
- case SSHCTL_MASTER_AUTO_ASK:
-- debug("auto-mux: Trying existing master");
-+ /* see if we can create a control master socket
-+ to avoid a race between two auto clients */
-+ if (mux_command == SSHMUX_COMMAND_OPEN &&
-+ ssh_control_listener())
-+ return;
-+ debug("trying to connect to control master socket %s",
-+ options.control_path);
- /* FALLTHROUGH */
- case SSHCTL_MASTER_NO:
- break;
-@@ -1522,6 +1532,8 @@ control_client(const char *path)
- signal(SIGTERM, control_client_sighandler);
- signal(SIGWINCH, control_client_sigrelay);
- 
-+ debug("connected to control master; waiting for exit");
-+
- if (tty_flag)
- enter_raw_mode();
- 
diff --git a/openssh-5.0p1-unbreakalive.patch b/openssh-5.0p1-unbreakalive.patch
deleted file mode 100644
index b1dafa5..0000000
--- a/openssh-5.0p1-unbreakalive.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Index: packet.c
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/packet.c,v
-retrieving revision 1.152
-diff -u -p packet.c
---- packet.c 8 May 2008 06:59:01 -0000
-+++ packet.c 19 May 2008 04:00:34 -0000
-@@ -1185,9 +1185,10 @@ packet_read_poll_seqnr(u_int32_t *seqnr_
- for (;;) {
- if (compat20) {
- type = packet_read_poll2(seqnr_p);
-- keep_alive_timeouts = 0;
-- if (type)
-+ if (type) {
-+ keep_alive_timeouts = 0;
- DBG(debug("received packet type %d", type));
-+ }
- switch (type) {
- case SSH2_MSG_IGNORE:
- debug3("Received SSH2_MSG_IGNORE");
diff --git a/openssh-4.2p1-askpass-progress.patch b/openssh-5.1p1-askpass-progress.patch
similarity index 81%
rename from openssh-4.2p1-askpass-progress.patch
rename to openssh-5.1p1-askpass-progress.patch
index c4a50b2..ec93b87 100644
--- a/openssh-4.2p1-askpass-progress.patch
+++ b/openssh-5.1p1-askpass-progress.patch
@@ -1,5 +1,6 @@ ---- openssh-4.2p1/contrib/gnome-ssh-askpass2.c.progress 2005-11-28 11:11:24.000000000 +0100 -+++ openssh-4.2p1/contrib/gnome-ssh-askpass2.c 2005-12-20 15:22:42.000000000 +0100 +diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contrib/gnome-ssh-askpass2.c +--- openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress 2008-07-23 19:05:26.000000000 +0200 ++++ openssh-5.1p1/contrib/gnome-ssh-askpass2.c 2008-07-23 19:05:26.000000000 +0200 @@ -53,6 +53,7 @@ #include #include @@ -8,7 +9,7 @@ #include #include -@@ -83,13 +84,24 @@ +@@ -83,13 +84,24 @@ ok_dialog(GtkWidget *entry, gpointer dia gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK); } @@ -34,7 +35,7 @@ GdkGrabStatus status; grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL); -@@ -102,13 +114,31 @@ +@@ -102,13 +114,31 @@ passphrase_dialog(char *message) "%s", message); @@ -66,8 +67,8 @@ + gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH"); gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER); - gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(dialog))->label), -@@ -118,6 +148,8 @@ + gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE); +@@ -119,6 +149,8 @@ passphrase_dialog(char *message) gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK); g_signal_connect(G_OBJECT(entry), "activate", G_CALLBACK(ok_dialog), dialog); diff --git a/openssh-4.7p1-cloexec.patch b/openssh-5.1p1-cloexec.patch similarity index 57% rename from openssh-4.7p1-cloexec.patch rename to openssh-5.1p1-cloexec.patch index b1442bf..5dbff42 100644 --- a/openssh-4.7p1-cloexec.patch +++ b/openssh-5.1p1-cloexec.patch 
@@ -1,15 +1,15 @@ -diff -up openssh-4.7p1/sshconnect2.c.cloexec openssh-4.7p1/sshconnect2.c ---- openssh-4.7p1/sshconnect2.c.cloexec 2008-03-06 15:58:03.000000000 +0100 -+++ openssh-4.7p1/sshconnect2.c 2008-05-21 09:27:06.000000000 +0200 +diff -up openssh-5.1p1/sshconnect2.c.cloexec openssh-5.1p1/sshconnect2.c +--- openssh-5.1p1/sshconnect2.c.cloexec 2008-07-23 15:21:23.000000000 +0200 ++++ openssh-5.1p1/sshconnect2.c 2008-07-23 15:23:19.000000000 +0200 @@ -38,6 +38,7 @@ #include #include #include +#include - - #include "openbsd-compat/sys-queue.h" - -@@ -1257,6 +1258,7 @@ ssh_keysign(Key *key, u_char **sigp, u_i + #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) + #include + #endif +@@ -1267,6 +1268,7 @@ ssh_keysign(Key *key, u_char **sigp, u_i return -1; } if (pid == 0) { @@ -17,9 +17,9 @@ diff -up openssh-4.7p1/sshconnect2.c.cloexec openssh-4.7p1/sshconnect2.c permanently_drop_suid(getuid()); close(from[0]); if (dup2(from[1], STDOUT_FILENO) < 0) -diff -up openssh-4.7p1/sshconnect.c.cloexec openssh-4.7p1/sshconnect.c ---- openssh-4.7p1/sshconnect.c.cloexec 2006-10-23 19:02:24.000000000 +0200 -+++ openssh-4.7p1/sshconnect.c 2008-03-06 15:58:03.000000000 +0100 +diff -up openssh-5.1p1/sshconnect.c.cloexec openssh-5.1p1/sshconnect.c +--- openssh-5.1p1/sshconnect.c.cloexec 2008-07-02 14:34:30.000000000 +0200 ++++ openssh-5.1p1/sshconnect.c 2008-07-23 15:21:23.000000000 +0200 @@ -38,6 +38,7 @@ #include #include @@ -28,7 +28,7 @@ diff -up openssh-4.7p1/sshconnect.c.cloexec openssh-4.7p1/sshconnect.c #include "xmalloc.h" #include "key.h" -@@ -189,8 +190,11 @@ ssh_create_socket(int privileged, struct +@@ -194,8 +195,11 @@ ssh_create_socket(int privileged, struct return sock; } sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); diff --git a/openssh-4.7p1-gssapi-role.patch b/openssh-5.1p1-gssapi-role.patch similarity index 63% rename from openssh-4.7p1-gssapi-role.patch rename to openssh-5.1p1-gssapi-role.patch index baecc6f..cb18897 100644 
--- a/openssh-4.7p1-gssapi-role.patch +++ b/openssh-5.1p1-gssapi-role.patch @@ -1,8 +1,9 @@ Written-by: Nalin Dahyabhai Reviewed-by: Tomas Mraz ---- auth2-gss.c 2008-01-02 16:34:03.000000000 -0500 -+++ auth2-gss.c 2008-01-02 16:33:19.000000000 -0500 -@@ -258,6 +258,7 @@ +diff -up openssh-5.1p1/auth2-gss.c.gssapi-role openssh-5.1p1/auth2-gss.c +--- openssh-5.1p1/auth2-gss.c.gssapi-role 2007-12-02 12:59:45.000000000 +0100 ++++ openssh-5.1p1/auth2-gss.c 2008-07-23 19:18:15.000000000 +0200 +@@ -258,6 +258,7 @@ input_gssapi_mic(int type, u_int32_t ple Authctxt *authctxt = ctxt; Gssctxt *gssctxt; int authenticated = 0; @@ -10,7 +11,7 @@ Reviewed-by: Tomas Mraz Buffer b; gss_buffer_desc mic, gssbuf; u_int len; -@@ -270,7 +271,11 @@ +@@ -270,7 +271,11 @@ input_gssapi_mic(int type, u_int32_t ple mic.value = packet_get_string(&len); mic.length = len; @@ -23,8 +24,8 @@ Reviewed-by: Tomas Mraz "gssapi-with-mic"); gssbuf.value = buffer_ptr(&b); -@@ -285,6 +290,8 @@ - } +@@ -282,6 +287,8 @@ input_gssapi_mic(int type, u_int32_t ple + logit("GSSAPI MIC check failed"); buffer_free(&b); + if (micuser != authctxt->user) diff --git a/openssh-4.7p1-log-in-chroot.patch b/openssh-5.1p1-log-in-chroot.patch similarity index 57% rename from openssh-4.7p1-log-in-chroot.patch rename to openssh-5.1p1-log-in-chroot.patch index e510f58..be1ed35 100644 --- a/openssh-4.7p1-log-in-chroot.patch +++ b/openssh-5.1p1-log-in-chroot.patch 
@@ -1,7 +1,7 @@ -diff -up openssh-4.7p1/sshd.c.log-chroot openssh-4.7p1/sshd.c ---- openssh-4.7p1/sshd.c.log-chroot 2007-09-06 17:24:13.000000000 +0200 -+++ openssh-4.7p1/sshd.c 2007-09-06 17:24:13.000000000 +0200 -@@ -596,6 +596,10 @@ privsep_preauth_child(void) +diff -up openssh-5.1p1/sshd.c.log-chroot openssh-5.1p1/sshd.c +--- openssh-5.1p1/sshd.c.log-chroot 2008-07-23 15:18:52.000000000 +0200 ++++ openssh-5.1p1/sshd.c 2008-07-23 15:18:52.000000000 +0200 +@@ -591,6 +591,10 @@ privsep_preauth_child(void) /* Demote the private keys to public keys. */ demote_sensitive_data(); @@ -12,9 +12,9 @@ diff -up openssh-4.7p1/sshd.c.log-chroot openssh-4.7p1/sshd.c /* Change our root directory */ if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, -diff -up openssh-4.7p1/log.c.log-chroot openssh-4.7p1/log.c ---- openssh-4.7p1/log.c.log-chroot 2007-05-20 07:08:16.000000000 +0200 -+++ openssh-4.7p1/log.c 2007-09-06 17:29:34.000000000 +0200 +diff -up openssh-5.1p1/log.c.log-chroot openssh-5.1p1/log.c +--- openssh-5.1p1/log.c.log-chroot 2008-06-10 15:01:51.000000000 +0200 ++++ openssh-5.1p1/log.c 2008-07-23 15:18:52.000000000 +0200 @@ -56,6 +56,7 @@ static LogLevel log_level = SYSLOG_LEVEL static int log_on_stderr = 1; static int log_facility = LOG_AUTH; @@ -23,7 +23,7 @@ diff -up openssh-4.7p1/log.c.log-chroot openssh-4.7p1/log.c extern char *__progname; -@@ -370,10 +371,21 @@ do_log(LogLevel level, const char *fmt, +@@ -392,10 +393,21 @@ do_log(LogLevel level, const char *fmt, syslog_r(pri, &sdata, "%.500s", fmtbuf); closelog_r(&sdata); #else 
@@ -45,13 +45,13 @@ diff -up openssh-4.7p1/log.c.log-chroot openssh-4.7p1/log.c + openlog(argv0 ? argv0 : __progname, LOG_PID|LOG_NDELAY, log_facility); + log_fd_keep = 1; +} -diff -up openssh-4.7p1/log.h.log-chroot openssh-4.7p1/log.h ---- openssh-4.7p1/log.h.log-chroot 2006-08-18 16:32:21.000000000 +0200 -+++ openssh-4.7p1/log.h 2007-09-06 17:24:13.000000000 +0200 -@@ -62,4 +62,6 @@ void debug3(const char *, ...) __att +diff -up openssh-5.1p1/log.h.log-chroot openssh-5.1p1/log.h +--- openssh-5.1p1/log.h.log-chroot 2008-06-13 02:22:54.000000000 +0200 ++++ openssh-5.1p1/log.h 2008-07-23 15:20:11.000000000 +0200 +@@ -66,4 +66,6 @@ void debug3(const char *, ...) __att void do_log(LogLevel, const char *, va_list); - void cleanup_exit(int) __dead; + void cleanup_exit(int) __attribute__((noreturn)); + +void open_log(void); #endif diff --git a/openssh-4.7p1-mls.patch b/openssh-5.1p1-mls.patch similarity index 89% rename from openssh-4.7p1-mls.patch rename to openssh-5.1p1-mls.patch index 48eba4c..baf34ad 100644 --- a/openssh-4.7p1-mls.patch +++ b/openssh-5.1p1-mls.patch @@ -1,7 +1,7 @@ -diff -up openssh-4.7p1/misc.c.mls openssh-4.7p1/misc.c ---- openssh-4.7p1/misc.c.mls 2007-01-05 06:24:48.000000000 +0100 -+++ openssh-4.7p1/misc.c 2007-09-06 17:39:28.000000000 +0200 -@@ -418,6 +418,7 @@ char * +diff -up openssh-5.1p1/misc.c.mls openssh-5.1p1/misc.c +--- openssh-5.1p1/misc.c.mls 2008-06-13 06:48:59.000000000 +0200 ++++ openssh-5.1p1/misc.c 2008-07-23 18:53:37.000000000 +0200 +@@ -427,6 +427,7 @@ char * colon(char *cp) { int flag = 0; @@ -9,7 +9,7 @@ diff -up openssh-4.7p1/misc.c.mls openssh-4.7p1/misc.c if (*cp == ':') /* Leading colon is part of file name. */ return (0); -@@ -431,8 +432,13 @@ colon(char *cp) +@@ -440,8 +441,13 @@ colon(char *cp) return (cp+1); if (*cp == ':' && !flag) return (cp); 
@@ -25,10 +25,10 @@ diff -up openssh-4.7p1/misc.c.mls openssh-4.7p1/misc.c } return (0); } -diff -up openssh-4.7p1/session.c.mls openssh-4.7p1/session.c ---- openssh-4.7p1/session.c.mls 2007-09-06 17:39:28.000000000 +0200 -+++ openssh-4.7p1/session.c 2007-09-06 17:39:28.000000000 +0200 -@@ -1347,10 +1347,6 @@ do_setusercontext(struct passwd *pw) +diff -up openssh-5.1p1/session.c.mls openssh-5.1p1/session.c +--- openssh-5.1p1/session.c.mls 2008-06-16 15:29:18.000000000 +0200 ++++ openssh-5.1p1/session.c 2008-07-23 18:53:37.000000000 +0200 +@@ -1550,10 +1550,6 @@ do_setusercontext(struct passwd *pw) #endif if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); @@ -39,9 +39,9 @@ diff -up openssh-4.7p1/session.c.mls openssh-4.7p1/session.c } static void -diff -up openssh-4.7p1/openbsd-compat/port-linux.c.mls openssh-4.7p1/openbsd-compat/port-linux.c ---- openssh-4.7p1/openbsd-compat/port-linux.c.mls 2007-09-06 17:39:28.000000000 +0200 -+++ openssh-4.7p1/openbsd-compat/port-linux.c 2007-08-07 17:38:18.000000000 +0200 +diff -up openssh-5.1p1/openbsd-compat/port-linux.c.mls openssh-5.1p1/openbsd-compat/port-linux.c +--- openssh-5.1p1/openbsd-compat/port-linux.c.mls 2008-07-23 18:53:37.000000000 +0200 ++++ openssh-5.1p1/openbsd-compat/port-linux.c 2008-07-23 18:53:37.000000000 +0200 @@ -33,12 +33,23 @@ #include "key.h" #include "hostfile.h" @@ -65,7 +65,7 @@ diff -up openssh-4.7p1/openbsd-compat/port-linux.c.mls openssh-4.7p1/openbsd-com +extern int rexeced_flag; /* Wrapper around is_selinux_enabled() to log its return value once only */ - static int + int @@ -54,17 +65,173 @@ ssh_selinux_enabled(void) return (enabled); } 
@@ -246,7 +246,7 @@ diff -up openssh-4.7p1/openbsd-compat/port-linux.c.mls openssh-4.7p1/openbsd-com #ifdef HAVE_GETSEUSERBYNAME if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) { sename = NULL; -@@ -72,37 +239,62 @@ ssh_selinux_getctxbyname(char *pwname) +@@ -72,38 +239,63 @@ ssh_selinux_getctxbyname(char *pwname) } #else sename = pwname; @@ -300,7 +300,7 @@ diff -up openssh-4.7p1/openbsd-compat/port-linux.c.mls openssh-4.7p1/openbsd-com + reqlvl = ""; + + debug("%s: current connection level '%s'", __func__, reqlvl); - } ++ } + + if ((reqlvl != NULL && reqlvl[0]) || (role != NULL && role[0])) { + r = get_user_context(sename, role, reqlvl, user_sc); @@ -323,14 +323,15 @@ diff -up openssh-4.7p1/openbsd-compat/port-linux.c.mls openssh-4.7p1/openbsd-com + } + } else { + *user_sc = *default_sc; -+ } -+ } + } + } + if (r != 0) { + error("%s: Failed to get default SELinux security " + "context for %s", __func__, pwname); - } ++ } #ifdef HAVE_GETSEUSERBYNAME + if (sename != NULL) @@ -111,14 +303,20 @@ ssh_selinux_getctxbyname(char *pwname) if (lvl != NULL) xfree(lvl); @@ -418,10 +419,10 @@ diff -up openssh-4.7p1/openbsd-compat/port-linux.c.mls openssh-4.7p1/openbsd-com /* XXX: should these calls fatal() upon failure in enforcing mode? */ -diff -up openssh-4.7p1/configure.ac.mls openssh-4.7p1/configure.ac ---- openssh-4.7p1/configure.ac.mls 2007-10-17 19:05:10.000000000 +0200 -+++ openssh-4.7p1/configure.ac 2007-10-17 19:05:38.000000000 +0200 -@@ -3213,6 +3213,7 @@ AC_ARG_WITH(selinux, +diff -up openssh-5.1p1/configure.ac.mls openssh-5.1p1/configure.ac +--- openssh-5.1p1/configure.ac.mls 2008-07-23 18:53:37.000000000 +0200 ++++ openssh-5.1p1/configure.ac 2008-07-23 18:53:37.000000000 +0200 +@@ -3311,6 +3311,7 @@ AC_ARG_WITH(selinux, SSHDLIBS="$SSHDLIBS $LIBSELINUX" LIBS="$LIBS $LIBSELINUX" AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) 
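Review bot: The refreshed port-linux.c hunks of the mls patch change what the patch emits, not only where it applies: the closing brace after the `debug("%s: current connection level '%s'", __func__, reqlvl);` line and the one after the `error("%s: Failed to get default SELinux security " "context for %s", __func__, pwname);` block become lines the patch adds (`++ }`), while the two braces after `*user_sc = *default_sc;` are no longer added by the patch and are presumably expected from the 5.1p1 source. The inner hunk header also grows from `@@ -72,37 +239,62 @@` to `@@ -72,38 +239,63 @@`, which the visible brace moves alone do not account for, so part of the change is outside this view. Since ssh_selinux_getctxbyname selects the SELinux context the session will run under, a mismatched brace here would not just fail to compile but could silently change which branch falls into the `if (r != 0)` error path; a build of the patched file against 5.1p1, and a quick read of the resulting function with `patch -F0` applied, would confirm the nesting is as intended. The enclosing function extends beyond this hunk on both sides.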
@@ -429,10 +430,10 @@ diff -up openssh-4.7p1/configure.ac.mls openssh-4.7p1/configure.ac LIBS="$save_LIBS" fi ] ) -diff -up openssh-4.7p1/sshd.c.mls openssh-4.7p1/sshd.c ---- openssh-4.7p1/sshd.c.mls 2007-09-06 17:39:28.000000000 +0200 -+++ openssh-4.7p1/sshd.c 2007-09-06 17:39:28.000000000 +0200 -@@ -1838,6 +1838,9 @@ main(int ac, char **av) +diff -up openssh-5.1p1/sshd.c.mls openssh-5.1p1/sshd.c +--- openssh-5.1p1/sshd.c.mls 2008-07-23 18:53:37.000000000 +0200 ++++ openssh-5.1p1/sshd.c 2008-07-23 18:53:37.000000000 +0200 +@@ -1896,6 +1896,9 @@ main(int ac, char **av) restore_uid(); } #endif diff --git a/openssh-4.7p1-nss-keys.patch b/openssh-5.1p1-nss-keys.patch similarity index 87% rename from openssh-4.7p1-nss-keys.patch rename to openssh-5.1p1-nss-keys.patch index 7d6573c..8805f3e 100644 --- a/openssh-4.7p1-nss-keys.patch +++ b/openssh-5.1p1-nss-keys.patch @@ -1,7 +1,7 @@ -diff -up openssh-4.7p1/key.c.nss-keys openssh-4.7p1/key.c ---- openssh-4.7p1/key.c.nss-keys 2007-08-08 06:28:26.000000000 +0200 -+++ openssh-4.7p1/key.c 2007-11-20 14:40:17.000000000 +0100 -@@ -93,6 +93,54 @@ key_new(int type) +diff -up openssh-5.1p1/key.c.nss-keys openssh-5.1p1/key.c +--- openssh-5.1p1/key.c.nss-keys 2008-07-11 09:35:09.000000000 +0200 ++++ openssh-5.1p1/key.c 2008-07-23 19:16:00.000000000 +0200 +@@ -96,6 +96,54 @@ key_new(int type) return k; } @@ -56,7 +56,7 @@ diff -up openssh-4.7p1/key.c.nss-keys openssh-4.7p1/key.c Key * key_new_private(int type) { -@@ -148,6 +196,19 @@ key_free(Key *k) +@@ -151,6 +199,19 @@ key_free(Key *k) fatal("key_free: bad key type %d", k->type); break; } 
@@ -76,9 +76,9 @@ diff -up openssh-4.7p1/key.c.nss-keys openssh-4.7p1/key.c xfree(k); } -diff -up openssh-4.7p1/ssh-dss.c.nss-keys openssh-4.7p1/ssh-dss.c ---- openssh-4.7p1/ssh-dss.c.nss-keys 2006-11-07 13:14:42.000000000 +0100 -+++ openssh-4.7p1/ssh-dss.c 2007-11-20 14:26:43.000000000 +0100 +diff -up openssh-5.1p1/ssh-dss.c.nss-keys openssh-5.1p1/ssh-dss.c +--- openssh-5.1p1/ssh-dss.c.nss-keys 2006-11-07 13:14:42.000000000 +0100 ++++ openssh-5.1p1/ssh-dss.c 2008-07-23 19:16:00.000000000 +0200 @@ -39,6 +39,10 @@ #include "log.h" #include "key.h" @@ -136,10 +136,10 @@ diff -up openssh-4.7p1/ssh-dss.c.nss-keys openssh-4.7p1/ssh-dss.c if (datafellows & SSH_BUG_SIGBLOB) { if (lenp != NULL) *lenp = SIGBLOB_LEN; -diff -up openssh-4.7p1/ssh-agent.c.nss-keys openssh-4.7p1/ssh-agent.c ---- openssh-4.7p1/ssh-agent.c.nss-keys 2007-03-21 10:45:07.000000000 +0100 -+++ openssh-4.7p1/ssh-agent.c 2007-11-20 14:26:43.000000000 +0100 -@@ -79,6 +79,10 @@ +diff -up openssh-5.1p1/ssh-agent.c.nss-keys openssh-5.1p1/ssh-agent.c +--- openssh-5.1p1/ssh-agent.c.nss-keys 2008-07-04 15:10:49.000000000 +0200 ++++ openssh-5.1p1/ssh-agent.c 2008-07-23 19:16:00.000000000 +0200 +@@ -80,6 +80,10 @@ #include "scard.h" #endif @@ -150,7 +150,7 @@ diff -up openssh-4.7p1/ssh-agent.c.nss-keys openssh-4.7p1/ssh-agent.c #if defined(HAVE_SYS_PRCTL_H) #include /* For prctl() and PR_SET_DUMPABLE */ #endif -@@ -701,6 +705,114 @@ send: +@@ -714,6 +718,114 @@ send: } #endif /* SMARTCARD */ @@ -265,7 +265,7 @@ diff -up openssh-4.7p1/ssh-agent.c.nss-keys openssh-4.7p1/ssh-agent.c /* dispatch incoming messages */ static void -@@ -793,6 +905,15 @@ process_message(SocketEntry *e) +@@ -806,6 +918,15 @@ process_message(SocketEntry *e) process_remove_smartcard_key(e); break; #endif /* SMARTCARD */ 
@@ -281,9 +281,9 @@ diff -up openssh-4.7p1/ssh-agent.c.nss-keys openssh-4.7p1/ssh-agent.c default: /* Unknown message. Respond with failure. */ error("Unknown message %d", type); -diff -up openssh-4.7p1/authfd.h.nss-keys openssh-4.7p1/authfd.h ---- openssh-4.7p1/authfd.h.nss-keys 2006-08-05 04:39:39.000000000 +0200 -+++ openssh-4.7p1/authfd.h 2007-11-20 14:26:43.000000000 +0100 +diff -up openssh-5.1p1/authfd.h.nss-keys openssh-5.1p1/authfd.h +--- openssh-5.1p1/authfd.h.nss-keys 2006-08-05 04:39:39.000000000 +0200 ++++ openssh-5.1p1/authfd.h 2008-07-23 19:16:00.000000000 +0200 @@ -49,6 +49,12 @@ #define SSH2_AGENTC_ADD_ID_CONSTRAINED 25 #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26 @@ -306,10 +306,10 @@ diff -up openssh-4.7p1/authfd.h.nss-keys openssh-4.7p1/authfd.h int ssh_decrypt_challenge(AuthenticationConnection *, Key *, BIGNUM *, u_char[16], -diff -up openssh-4.7p1/configure.ac.nss-keys openssh-4.7p1/configure.ac ---- openssh-4.7p1/configure.ac.nss-keys 2007-11-20 14:26:43.000000000 +0100 -+++ openssh-4.7p1/configure.ac 2007-11-20 14:26:43.000000000 +0100 -@@ -3230,6 +3230,20 @@ AC_ARG_WITH(linux-audit, +diff -up openssh-5.1p1/configure.ac.nss-keys openssh-5.1p1/configure.ac +--- openssh-5.1p1/configure.ac.nss-keys 2008-07-23 19:16:00.000000000 +0200 ++++ openssh-5.1p1/configure.ac 2008-07-23 19:16:00.000000000 +0200 +@@ -3328,6 +3328,20 @@ AC_ARG_WITH(linux-audit, fi ] ) @@ -330,7 +330,7 @@ diff -up openssh-4.7p1/configure.ac.nss-keys openssh-4.7p1/configure.ac # Check whether user wants Kerberos 5 support KRB5_MSG="no" AC_ARG_WITH(kerberos5, -@@ -4052,6 +4066,7 @@ echo " OSF SIA support +@@ -4157,6 +4171,7 @@ echo " OSF SIA support echo " KerberosV support: $KRB5_MSG" echo " SELinux support: $SELINUX_MSG" echo " Linux audit support: $LINUX_AUDIT_MSG" 
@@ -338,9 +338,9 @@ diff -up openssh-4.7p1/configure.ac.nss-keys openssh-4.7p1/configure.ac echo " Smartcard support: $SCARD_MSG" echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" -diff -up /dev/null openssh-4.7p1/README.nss ---- /dev/null 2007-11-05 08:22:09.502001637 +0100 -+++ openssh-4.7p1/README.nss 2007-11-20 14:26:43.000000000 +0100 +diff -up /dev/null openssh-5.1p1/README.nss +--- /dev/null 2008-07-15 11:15:04.125063641 +0200 ++++ openssh-5.1p1/README.nss 2008-07-23 19:16:00.000000000 +0200 @@ -0,0 +1,36 @@ +How to use NSS tokens with OpenSSH? + @@ -378,9 +378,9 @@ diff -up /dev/null openssh-4.7p1/README.nss + if you want to use a specific token and/or key: + + $ ssh-keygen -n -D 'My PKCS11 Token' 'My Key ID' -diff -up openssh-4.7p1/authfd.c.nss-keys openssh-4.7p1/authfd.c ---- openssh-4.7p1/authfd.c.nss-keys 2006-09-01 07:38:36.000000000 +0200 -+++ openssh-4.7p1/authfd.c 2007-11-20 14:26:43.000000000 +0100 +diff -up openssh-5.1p1/authfd.c.nss-keys openssh-5.1p1/authfd.c +--- openssh-5.1p1/authfd.c.nss-keys 2006-09-01 07:38:36.000000000 +0200 ++++ openssh-5.1p1/authfd.c 2008-07-23 19:16:00.000000000 +0200 @@ -626,6 +626,45 @@ ssh_update_card(AuthenticationConnection return decode_reply(type); } @@ -427,9 +427,9 @@ diff -up openssh-4.7p1/authfd.c.nss-keys openssh-4.7p1/authfd.c /* * Removes all identities from the agent. This call is not meant to be used * by normal applications. -diff -up openssh-4.7p1/readconf.h.nss-keys openssh-4.7p1/readconf.h ---- openssh-4.7p1/readconf.h.nss-keys 2006-08-05 04:39:40.000000000 +0200 -+++ openssh-4.7p1/readconf.h 2007-11-20 14:26:43.000000000 +0100 +diff -up openssh-5.1p1/readconf.h.nss-keys openssh-5.1p1/readconf.h +--- openssh-5.1p1/readconf.h.nss-keys 2008-06-29 16:04:03.000000000 +0200 ++++ openssh-5.1p1/readconf.h 2008-07-23 19:16:00.000000000 +0200 @@ -84,6 +84,8 @@ typedef struct { char *preferred_authentications; char *bind_address; /* local socket address for connection to sshd */ 
@@ -439,9 +439,9 @@ diff -up openssh-4.7p1/readconf.h.nss-keys openssh-4.7p1/readconf.h int verify_host_key_dns; /* Verify host key using DNS */ int num_identity_files; /* Number of files for RSA/DSA identities. */ -diff -up /dev/null openssh-4.7p1/nsskeys.c ---- /dev/null 2007-11-05 08:22:09.502001637 +0100 -+++ openssh-4.7p1/nsskeys.c 2007-11-20 14:26:43.000000000 +0100 +diff -up /dev/null openssh-5.1p1/nsskeys.c +--- /dev/null 2008-07-15 11:15:04.125063641 +0200 ++++ openssh-5.1p1/nsskeys.c 2008-07-23 19:16:00.000000000 +0200 @@ -0,0 +1,327 @@ +/* + * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -770,9 +770,9 @@ diff -up /dev/null openssh-4.7p1/nsskeys.c +} + +#endif /* HAVE_LIBNSS */ -diff -up openssh-4.7p1/ssh.c.nss-keys openssh-4.7p1/ssh.c ---- openssh-4.7p1/ssh.c.nss-keys 2007-08-08 06:32:41.000000000 +0200 -+++ openssh-4.7p1/ssh.c 2007-11-20 14:26:43.000000000 +0100 +diff -up openssh-5.1p1/ssh.c.nss-keys openssh-5.1p1/ssh.c +--- openssh-5.1p1/ssh.c.nss-keys 2008-07-04 04:53:50.000000000 +0200 ++++ openssh-5.1p1/ssh.c 2008-07-23 19:16:00.000000000 +0200 @@ -104,6 +104,9 @@ #ifdef SMARTCARD #include "scard.h" @@ -783,7 +783,7 @@ diff -up openssh-4.7p1/ssh.c.nss-keys openssh-4.7p1/ssh.c extern char *__progname; -@@ -1217,9 +1220,11 @@ load_public_identity_files(void) +@@ -1235,9 +1238,11 @@ load_public_identity_files(void) int i = 0; Key *public; struct passwd *pw; @@ -796,7 +796,7 @@ diff -up openssh-4.7p1/ssh.c.nss-keys openssh-4.7p1/ssh.c if (options.smartcard_device != NULL && options.num_identity_files < SSH_MAX_IDENTITY_FILES && (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL) { -@@ -1240,6 +1245,27 @@ load_public_identity_files(void) +@@ -1260,6 +1265,27 @@ load_public_identity_files(void) xfree(keys); } #endif /* SMARTCARD */ 
@@ -823,10 +823,10 @@ diff -up openssh-4.7p1/ssh.c.nss-keys openssh-4.7p1/ssh.c + if ((pw = getpwuid(original_real_uid)) == NULL) fatal("load_public_identity_files: getpwuid failed"); - if (gethostname(thishost, sizeof(thishost)) == -1) -diff -up /dev/null openssh-4.7p1/nsskeys.h ---- /dev/null 2007-11-05 08:22:09.502001637 +0100 -+++ openssh-4.7p1/nsskeys.h 2007-11-20 14:26:43.000000000 +0100 + pwname = xstrdup(pw->pw_name); +diff -up /dev/null openssh-5.1p1/nsskeys.h +--- /dev/null 2008-07-15 11:15:04.125063641 +0200 ++++ openssh-5.1p1/nsskeys.h 2008-07-23 19:16:00.000000000 +0200 @@ -0,0 +1,39 @@ +/* + * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -867,9 +867,9 @@ diff -up /dev/null openssh-4.7p1/nsskeys.h + +#endif +#endif -diff -up openssh-4.7p1/Makefile.in.nss-keys openssh-4.7p1/Makefile.in ---- openssh-4.7p1/Makefile.in.nss-keys 2007-06-11 06:01:42.000000000 +0200 -+++ openssh-4.7p1/Makefile.in 2007-11-20 14:26:43.000000000 +0100 +diff -up openssh-5.1p1/Makefile.in.nss-keys openssh-5.1p1/Makefile.in +--- openssh-5.1p1/Makefile.in.nss-keys 2008-07-08 16:21:12.000000000 +0200 ++++ openssh-5.1p1/Makefile.in 2008-07-23 19:16:00.000000000 +0200 @@ -71,7 +71,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ 
@@ -878,10 +878,10 @@ diff -up openssh-4.7p1/Makefile.in.nss-keys openssh-4.7p1/Makefile.in + entropy.o scard-opensc.o gss-genr.o umac.o nsskeys.o SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ - sshconnect.o sshconnect1.o sshconnect2.o -diff -up openssh-4.7p1/key.h.nss-keys openssh-4.7p1/key.h ---- openssh-4.7p1/key.h.nss-keys 2006-08-05 04:39:40.000000000 +0200 -+++ openssh-4.7p1/key.h 2007-11-20 14:26:43.000000000 +0100 + sshconnect.o sshconnect1.o sshconnect2.o mux.o +diff -up openssh-5.1p1/key.h.nss-keys openssh-5.1p1/key.h +--- openssh-5.1p1/key.h.nss-keys 2008-06-12 20:40:35.000000000 +0200 ++++ openssh-5.1p1/key.h 2008-07-23 19:16:00.000000000 +0200 @@ -29,11 +29,17 @@ #include #include @@ -900,7 +900,7 @@ diff -up openssh-4.7p1/key.h.nss-keys openssh-4.7p1/key.h KEY_UNSPEC }; enum fp_type { -@@ -47,16 +53,30 @@ enum fp_rep { +@@ -48,16 +54,30 @@ enum fp_rep { /* key is stored in external hardware */ #define KEY_FLAG_EXT 0x0001 @@ -931,12 +931,12 @@ diff -up openssh-4.7p1/key.h.nss-keys openssh-4.7p1/key.h void key_free(Key *); Key *key_demote(const Key *); int key_equal(const Key *, const Key *); -diff -up openssh-4.7p1/ssh-add.c.nss-keys openssh-4.7p1/ssh-add.c ---- openssh-4.7p1/ssh-add.c.nss-keys 2006-09-01 07:38:37.000000000 +0200 -+++ openssh-4.7p1/ssh-add.c 2007-11-20 14:26:43.000000000 +0100 -@@ -43,6 +43,14 @@ - +diff -up openssh-5.1p1/ssh-add.c.nss-keys openssh-5.1p1/ssh-add.c +--- openssh-5.1p1/ssh-add.c.nss-keys 2008-02-28 09:13:52.000000000 +0100 ++++ openssh-5.1p1/ssh-add.c 2008-07-23 19:16:00.000000000 +0200 +@@ -44,6 +44,14 @@ #include + #include "openbsd-compat/openssl-compat.h" +#ifdef HAVE_LIBNSS +#include @@ -949,7 +949,7 @@ diff -up openssh-4.7p1/ssh-add.c.nss-keys openssh-4.7p1/ssh-add.c #include #include #include -@@ -56,6 +64,7 @@ +@@ -57,6 +65,7 @@ #include "rsa.h" #include "log.h" #include "key.h" 
@@ -957,7 +957,7 @@ diff -up openssh-4.7p1/ssh-add.c.nss-keys openssh-4.7p1/ssh-add.c #include "buffer.h" #include "authfd.h" #include "authfile.h" -@@ -306,6 +315,117 @@ do_file(AuthenticationConnection *ac, in +@@ -307,6 +316,117 @@ do_file(AuthenticationConnection *ac, in return 0; } @@ -1075,7 +1075,7 @@ diff -up openssh-4.7p1/ssh-add.c.nss-keys openssh-4.7p1/ssh-add.c static void usage(void) { -@@ -333,6 +453,10 @@ main(int argc, char **argv) +@@ -334,6 +454,10 @@ main(int argc, char **argv) AuthenticationConnection *ac = NULL; char *sc_reader_id = NULL; int i, ch, deleting = 0, ret = 0; @@ -1086,7 +1086,7 @@ diff -up openssh-4.7p1/ssh-add.c.nss-keys openssh-4.7p1/ssh-add.c /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); -@@ -350,7 +474,7 @@ main(int argc, char **argv) +@@ -351,7 +475,7 @@ main(int argc, char **argv) "Could not open a connection to your authentication agent.\n"); exit(2); } @@ -1095,7 +1095,7 @@ diff -up openssh-4.7p1/ssh-add.c.nss-keys openssh-4.7p1/ssh-add.c switch (ch) { case 'l': case 'L': -@@ -372,6 +496,11 @@ main(int argc, char **argv) +@@ -373,6 +497,11 @@ main(int argc, char **argv) if (delete_all(ac) == -1) ret = 1; goto done; @@ -1107,7 +1107,7 @@ diff -up openssh-4.7p1/ssh-add.c.nss-keys openssh-4.7p1/ssh-add.c case 's': sc_reader_id = optarg; break; -@@ -386,6 +515,11 @@ main(int argc, char **argv) +@@ -387,6 +516,11 @@ main(int argc, char **argv) goto done; } break; @@ -1119,7 +1119,7 @@ diff -up openssh-4.7p1/ssh-add.c.nss-keys openssh-4.7p1/ssh-add.c default: usage(); ret = 1; -@@ -399,6 +533,40 @@ main(int argc, char **argv) +@@ -400,6 +534,40 @@ main(int argc, char **argv) ret = 1; goto done; } 
@@ -1160,9 +1160,9 @@ diff -up openssh-4.7p1/ssh-add.c.nss-keys openssh-4.7p1/ssh-add.c if (argc == 0) { char buf[MAXPATHLEN]; struct passwd *pw; -diff -up openssh-4.7p1/ssh-rsa.c.nss-keys openssh-4.7p1/ssh-rsa.c ---- openssh-4.7p1/ssh-rsa.c.nss-keys 2006-09-01 07:38:37.000000000 +0200 -+++ openssh-4.7p1/ssh-rsa.c 2007-11-20 14:26:43.000000000 +0100 +diff -up openssh-5.1p1/ssh-rsa.c.nss-keys openssh-5.1p1/ssh-rsa.c +--- openssh-5.1p1/ssh-rsa.c.nss-keys 2006-09-01 07:38:37.000000000 +0200 ++++ openssh-5.1p1/ssh-rsa.c 2008-07-23 19:16:00.000000000 +0200 @@ -32,6 +32,10 @@ #include "compat.h" #include "ssh.h" @@ -1233,10 +1233,10 @@ diff -up openssh-4.7p1/ssh-rsa.c.nss-keys openssh-4.7p1/ssh-rsa.c /* encode signature */ buffer_init(&b); buffer_put_cstring(&b, "ssh-rsa"); -diff -up openssh-4.7p1/ssh-keygen.c.nss-keys openssh-4.7p1/ssh-keygen.c ---- openssh-4.7p1/ssh-keygen.c.nss-keys 2007-02-19 12:10:25.000000000 +0100 -+++ openssh-4.7p1/ssh-keygen.c 2007-11-20 14:26:43.000000000 +0100 -@@ -52,6 +52,11 @@ +diff -up openssh-5.1p1/ssh-keygen.c.nss-keys openssh-5.1p1/ssh-keygen.c +--- openssh-5.1p1/ssh-keygen.c.nss-keys 2008-07-14 03:28:29.000000000 +0200 ++++ openssh-5.1p1/ssh-keygen.c 2008-07-23 19:16:00.000000000 +0200 +@@ -53,6 +53,11 @@ #include "scard.h" #endif @@ -1248,7 +1248,7 @@ diff -up openssh-4.7p1/ssh-keygen.c.nss-keys openssh-4.7p1/ssh-keygen.c /* Number of bits in the RSA/DSA key. This value can be set on the command line. */ #define DEFAULT_BITS 2048 #define DEFAULT_BITS_DSA 1024 -@@ -499,6 +504,26 @@ do_download(struct passwd *pw, const cha +@@ -501,6 +506,26 @@ do_download(struct passwd *pw, const cha } #endif /* SMARTCARD */ @@ -1275,7 +1275,7 @@ diff -up openssh-4.7p1/ssh-keygen.c.nss-keys openssh-4.7p1/ssh-keygen.c static void do_fingerprint(struct passwd *pw) { -@@ -1056,7 +1081,8 @@ main(int argc, char **argv) +@@ -1083,7 +1108,8 @@ main(int argc, char **argv) Key *private, *public; struct passwd *pw; struct stat st; 
@@ -1284,8 +1284,8 @@ diff -up openssh-4.7p1/ssh-keygen.c.nss-keys openssh-4.7p1/ssh-keygen.c + int use_nss = 0; u_int32_t memory = 0, generator_wanted = 0, trials = 100; int do_gen_candidates = 0, do_screen_candidates = 0; - int log_level = SYSLOG_LEVEL_INFO; -@@ -1090,7 +1116,7 @@ main(int argc, char **argv) + BIGNUM *start = NULL; +@@ -1116,7 +1142,7 @@ main(int argc, char **argv) } while ((opt = getopt(argc, argv, @@ -1294,7 +1294,7 @@ diff -up openssh-4.7p1/ssh-keygen.c.nss-keys openssh-4.7p1/ssh-keygen.c switch (opt) { case 'b': bits = (u_int32_t)strtonum(optarg, 768, 32768, &errstr); -@@ -1130,6 +1156,10 @@ main(int argc, char **argv) +@@ -1156,6 +1182,10 @@ main(int argc, char **argv) case 'g': print_generic = 1; break; @@ -1305,7 +1305,7 @@ diff -up openssh-4.7p1/ssh-keygen.c.nss-keys openssh-4.7p1/ssh-keygen.c case 'P': identity_passphrase = optarg; break; -@@ -1161,10 +1191,10 @@ main(int argc, char **argv) +@@ -1187,10 +1217,10 @@ main(int argc, char **argv) case 't': key_type_name = optarg; break; @@ -1319,7 +1319,7 @@ diff -up openssh-4.7p1/ssh-keygen.c.nss-keys openssh-4.7p1/ssh-keygen.c reader_id = optarg; break; case 'v': -@@ -1269,6 +1299,17 @@ main(int argc, char **argv) +@@ -1299,6 +1329,17 @@ main(int argc, char **argv) exit(0); } } @@ -1337,9 +1337,9 @@ diff -up openssh-4.7p1/ssh-keygen.c.nss-keys openssh-4.7p1/ssh-keygen.c if (reader_id != NULL) { #ifdef SMARTCARD if (download) -diff -up openssh-4.7p1/readconf.c.nss-keys openssh-4.7p1/readconf.c ---- openssh-4.7p1/readconf.c.nss-keys 2007-03-21 10:46:03.000000000 +0100 -+++ openssh-4.7p1/readconf.c 2007-11-20 14:26:43.000000000 +0100 +diff -up openssh-5.1p1/readconf.c.nss-keys openssh-5.1p1/readconf.c +--- openssh-5.1p1/readconf.c.nss-keys 2008-06-29 16:04:03.000000000 +0200 ++++ openssh-5.1p1/readconf.c 2008-07-23 19:16:00.000000000 +0200 
@@ -124,6 +124,7 @@ typedef enum { oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, @@ -1348,7 +1348,7 @@ diff -up openssh-4.7p1/readconf.c.nss-keys openssh-4.7p1/readconf.c oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssDelegateCreds, -@@ -209,6 +210,13 @@ static struct { +@@ -210,6 +211,13 @@ static struct { #else { "smartcarddevice", oUnsupported }, #endif @@ -1362,7 +1362,7 @@ diff -up openssh-4.7p1/readconf.c.nss-keys openssh-4.7p1/readconf.c { "clearallforwardings", oClearAllForwardings }, { "enablesshkeysign", oEnableSSHKeysign }, { "verifyhostkeydns", oVerifyHostKeyDNS }, -@@ -601,6 +609,14 @@ parse_string: +@@ -603,6 +611,14 @@ parse_string: charptr = &options->smartcard_device; goto parse_string; @@ -1377,7 +1377,7 @@ diff -up openssh-4.7p1/readconf.c.nss-keys openssh-4.7p1/readconf.c case oProxyCommand: charptr = &options->proxy_command; parse_command: -@@ -1049,6 +1065,8 @@ initialize_options(Options * options) +@@ -1055,6 +1071,8 @@ initialize_options(Options * options) options->preferred_authentications = NULL; options->bind_address = NULL; options->smartcard_device = NULL; @@ -1386,7 +1386,7 @@ diff -up openssh-4.7p1/readconf.c.nss-keys openssh-4.7p1/readconf.c options->enable_ssh_keysign = - 1; options->no_host_authentication_for_localhost = - 1; options->identities_only = - 1; -@@ -1177,6 +1195,8 @@ fill_default_options(Options * options) +@@ -1184,6 +1202,8 @@ fill_default_options(Options * options) options->no_host_authentication_for_localhost = 0; if (options->identities_only == -1) options->identities_only = 0; diff --git a/openssh-4.7p1-redhat.patch b/openssh-5.1p1-redhat.patch similarity index 71% rename from openssh-4.7p1-redhat.patch rename to openssh-5.1p1-redhat.patch index 1618a71..d1479cb 100644 --- a/openssh-4.7p1-redhat.patch 
+++ b/openssh-5.1p1-redhat.patch @@ -1,6 +1,6 @@ -diff -up openssh-4.7p1/sshd_config.redhat openssh-4.7p1/sshd_config ---- openssh-4.7p1/sshd_config.redhat 2007-03-21 10:42:25.000000000 +0100 -+++ openssh-4.7p1/sshd_config 2007-09-06 16:23:58.000000000 +0200 +diff -up openssh-5.1p1/sshd_config.redhat openssh-5.1p1/sshd_config +--- openssh-5.1p1/sshd_config.redhat 2008-07-02 14:35:43.000000000 +0200 ++++ openssh-5.1p1/sshd_config 2008-07-23 14:11:12.000000000 +0200 @@ -33,6 +33,7 @@ Protocol 2 # Logging # obsoletes QuietMode and FascistLogging @@ -9,7 +9,7 @@ diff -up openssh-4.7p1/sshd_config.redhat openssh-4.7p1/sshd_config #LogLevel INFO # Authentication: -@@ -59,9 +60,11 @@ Protocol 2 +@@ -60,9 +61,11 @@ Protocol 2 # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no @@ -21,7 +21,7 @@ diff -up openssh-4.7p1/sshd_config.redhat openssh-4.7p1/sshd_config # Kerberos options #KerberosAuthentication no -@@ -71,7 +74,9 @@ Protocol 2 +@@ -72,7 +75,9 @@ Protocol 2 # GSSAPI options #GSSAPIAuthentication no 
@@ -31,16 +31,18 @@ diff -up openssh-4.7p1/sshd_config.redhat openssh-4.7p1/sshd_config # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will -@@ -83,10 +88,16 @@ Protocol 2 +@@ -84,11 +89,18 @@ Protocol 2 # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. #UsePAM no +UsePAM yes ++ ++# Accept locale-related environment variables ++AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES ++AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT ++AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE -+# Accept locale-related environment variables -+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT -+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE + #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no @@ -48,9 +50,9 @@ diff -up openssh-4.7p1/sshd_config.redhat openssh-4.7p1/sshd_config #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes -diff -up openssh-4.7p1/ssh_config.redhat openssh-4.7p1/ssh_config ---- openssh-4.7p1/ssh_config.redhat 2007-06-11 06:04:42.000000000 +0200 -+++ openssh-4.7p1/ssh_config 2007-09-06 16:21:49.000000000 +0200 +diff -up openssh-5.1p1/ssh_config.redhat openssh-5.1p1/ssh_config +--- openssh-5.1p1/ssh_config.redhat 2007-06-11 06:04:42.000000000 +0200 ++++ openssh-5.1p1/ssh_config 2008-07-23 14:07:29.000000000 +0200 @@ -43,3 +43,13 @@ # Tunnel no # TunnelDevice any:any 
@@ -65,10 +67,10 @@ diff -up openssh-4.7p1/ssh_config.redhat openssh-4.7p1/ssh_config + SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE -diff -up openssh-4.7p1/sshd_config.0.redhat openssh-4.7p1/sshd_config.0 ---- openssh-4.7p1/sshd_config.0.redhat 2007-09-04 08:50:11.000000000 +0200 -+++ openssh-4.7p1/sshd_config.0 2007-09-06 16:21:49.000000000 +0200 -@@ -435,9 +435,9 @@ DESCRIPTION +diff -up openssh-5.1p1/sshd_config.0.redhat openssh-5.1p1/sshd_config.0 +--- openssh-5.1p1/sshd_config.0.redhat 2008-07-21 10:30:51.000000000 +0200 ++++ openssh-5.1p1/sshd_config.0 2008-07-23 14:07:29.000000000 +0200 +@@ -490,9 +490,9 @@ DESCRIPTION SyslogFacility Gives the facility code that is used when logging messages from @@ -81,10 +83,10 @@ diff -up openssh-4.7p1/sshd_config.0.redhat openssh-4.7p1/sshd_config.0 TCPKeepAlive Specifies whether the system should send TCP keepalive messages -diff -up openssh-4.7p1/sshd_config.5.redhat openssh-4.7p1/sshd_config.5 ---- openssh-4.7p1/sshd_config.5.redhat 2007-06-11 06:07:13.000000000 +0200 -+++ openssh-4.7p1/sshd_config.5 2007-09-06 16:21:49.000000000 +0200 -@@ -748,7 +748,7 @@ Note that this option applies to protoco +diff -up openssh-5.1p1/sshd_config.5.redhat openssh-5.1p1/sshd_config.5 +--- openssh-5.1p1/sshd_config.5.redhat 2008-07-02 14:35:43.000000000 +0200 ++++ openssh-5.1p1/sshd_config.5 2008-07-23 14:07:29.000000000 +0200 +@@ -846,7 +846,7 @@ Note that this option applies to protoco .It Cm SyslogFacility Gives the facility code that is used when logging messages from .Xr sshd 8 . diff --git a/openssh-3.9p1-scp-manpage.patch b/openssh-5.1p1-scp-manpage.patch similarity index 57% rename from openssh-3.9p1-scp-manpage.patch rename to openssh-5.1p1-scp-manpage.patch index 325f9a2..e314a05 100644 --- a/openssh-3.9p1-scp-manpage.patch +++ b/openssh-5.1p1-scp-manpage.patch 
@@ -1,8 +1,9 @@ ---- scp.orig 2007-12-22 20:37:27.000000000 +0100 -+++ scp.1 2007-12-22 20:36:42.000000000 +0100 -@@ -60,6 +60,14 @@ - that the file is to be copied to/from that host. - Copies between two remote hosts are permitted. +diff -up openssh-5.1p1/scp.1.manpage openssh-5.1p1/scp.1 +--- openssh-5.1p1/scp.1.manpage 2008-07-12 09:12:49.000000000 +0200 ++++ openssh-5.1p1/scp.1 2008-07-23 19:18:15.000000000 +0200 +@@ -66,6 +66,14 @@ treating file names containing + as host specifiers. + Copies between two remote hosts are also permitted. .Pp +When copying a source file to a target file which already exists, +.Nm diff --git a/openssh-4.7p1-selinux.patch b/openssh-5.1p1-selinux.patch similarity index 54% rename from openssh-4.7p1-selinux.patch rename to openssh-5.1p1-selinux.patch index 4346660..8cd618a 100644 --- a/openssh-4.7p1-selinux.patch +++ b/openssh-5.1p1-selinux.patch @@ -1,7 +1,7 @@ -diff -up openssh-4.7p1/configure.ac.selinux openssh-4.7p1/configure.ac ---- openssh-4.7p1/configure.ac.selinux 2007-09-06 19:46:32.000000000 +0200 -+++ openssh-4.7p1/configure.ac 2007-09-06 19:52:23.000000000 +0200 -@@ -3211,6 +3211,7 @@ AC_ARG_WITH(selinux, +diff -up openssh-5.1p1/configure.ac.selinux openssh-5.1p1/configure.ac +--- openssh-5.1p1/configure.ac.selinux 2008-07-23 16:32:13.000000000 +0200 ++++ openssh-5.1p1/configure.ac 2008-07-23 16:32:13.000000000 +0200 +@@ -3309,6 +3309,7 @@ AC_ARG_WITH(selinux, AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ], AC_MSG_ERROR(SELinux support requires libselinux library)) SSHDLIBS="$SSHDLIBS $LIBSELINUX" 
@@ -9,10 +9,10 @@ diff -up openssh-4.7p1/configure.ac.selinux openssh-4.7p1/configure.ac AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) LIBS="$save_LIBS" fi ] -diff -up openssh-4.7p1/auth1.c.selinux openssh-4.7p1/auth1.c ---- openssh-4.7p1/auth1.c.selinux 2007-09-06 19:46:32.000000000 +0200 -+++ openssh-4.7p1/auth1.c 2007-09-06 19:46:32.000000000 +0200 -@@ -388,7 +388,7 @@ void +diff -up openssh-5.1p1/auth1.c.selinux openssh-5.1p1/auth1.c +--- openssh-5.1p1/auth1.c.selinux 2008-07-23 16:32:13.000000000 +0200 ++++ openssh-5.1p1/auth1.c 2008-07-23 16:32:13.000000000 +0200 +@@ -391,7 +391,7 @@ void do_authentication(Authctxt *authctxt) { u_int ulen; @@ -21,7 +21,7 @@ diff -up openssh-4.7p1/auth1.c.selinux openssh-4.7p1/auth1.c /* Get the name of the user that we wish to log in as. */ packet_read_expect(SSH_CMSG_USER); -@@ -397,11 +397,19 @@ do_authentication(Authctxt *authctxt) +@@ -400,11 +400,19 @@ do_authentication(Authctxt *authctxt) user = packet_get_string(&ulen); packet_check_eom(); 
@@ -41,9 +41,28 @@ diff -up openssh-4.7p1/auth1.c.selinux openssh-4.7p1/auth1.c
 /* Verify that the user is a valid user. */
 if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
-diff -up openssh-4.7p1/monitor_wrap.h.selinux openssh-4.7p1/monitor_wrap.h
---- openssh-4.7p1/monitor_wrap.h.selinux 2006-08-05 04:39:40.000000000 +0200
-+++ openssh-4.7p1/monitor_wrap.h 2007-09-06 19:46:32.000000000 +0200
+diff -up openssh-5.1p1/auth2-pubkey.c.selinux openssh-5.1p1/auth2-pubkey.c
+--- openssh-5.1p1/auth2-pubkey.c.selinux 2008-07-04 04:54:25.000000000 +0200
++++ openssh-5.1p1/auth2-pubkey.c 2008-07-23 16:32:13.000000000 +0200
+@@ -117,7 +117,14 @@ userauth_pubkey(Authctxt *authctxt)
+ }
+ /* reconstruct packet */
+ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
+- buffer_put_cstring(&b, authctxt->user);
++ if (authctxt->role) {
++ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
++ buffer_append(&b, authctxt->user, strlen(authctxt->user));
++ buffer_put_char(&b, '/');
++ buffer_append(&b, authctxt->role, strlen(authctxt->role));
++ } else {
++ buffer_put_cstring(&b, authctxt->user);
++ }
+ buffer_put_cstring(&b,
+ datafellows & SSH_BUG_PKSERVICE ?
+ "ssh-userauth" :
+diff -up openssh-5.1p1/monitor_wrap.h.selinux openssh-5.1p1/monitor_wrap.h
+--- openssh-5.1p1/monitor_wrap.h.selinux 2006-08-05 04:39:40.000000000 +0200
++++ openssh-5.1p1/monitor_wrap.h 2008-07-23 16:32:13.000000000 +0200
 @@ -41,6 +41,7 @@ int mm_is_monitor(void);
 DH *mm_choose_dh(int, int, int);
 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
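Review bot: The seven-line `user/role` reconstruction introduced at `++ if (authctxt->role) {` is repeated verbatim in the auth2-hostbased.c hunk of the same patch (`userauth_hostbased`), and the monitor's `monitor_valid_userblob`/`monitor_valid_hostbasedblob` must strip exactly that `/` separator again, so one wire-format decision now lives in four places and can drift silently. A small helper in the patch, e.g. `buffer_put_user_with_role(Buffer *b, const Authctxt *authctxt)` (name is a suggestion), called from both userauth functions would keep the signed-name layout in one spot. The arithmetic itself is right — `strlen(user)+strlen(role)+1` is exactly the three pieces appended — but a comment such as `/* name field must byte-match what the client signed (user/role); the monitor re-parses it */` would make the contract explicit for the next rebase. The enclosing `userauth_pubkey` body begins and ends outside the hunk.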
@@ -52,9 +71,9 @@ diff -up openssh-4.7p1/monitor_wrap.h.selinux openssh-4.7p1/monitor_wrap.h struct passwd *mm_getpwnamallow(const char *); char *mm_auth2_read_banner(void); int mm_auth_password(struct Authctxt *, char *); -diff -up openssh-4.7p1/monitor.h.selinux openssh-4.7p1/monitor.h ---- openssh-4.7p1/monitor.h.selinux 2006-03-26 05:30:02.000000000 +0200 -+++ openssh-4.7p1/monitor.h 2007-09-06 19:46:32.000000000 +0200 +diff -up openssh-5.1p1/monitor.h.selinux openssh-5.1p1/monitor.h +--- openssh-5.1p1/monitor.h.selinux 2006-03-26 05:30:02.000000000 +0200 ++++ openssh-5.1p1/monitor.h 2008-07-23 16:32:13.000000000 +0200 @@ -30,7 +30,7 @@ enum monitor_reqtype { 
@@ -64,10 +83,29 @@ diff -up openssh-4.7p1/monitor.h.selinux openssh-4.7p1/monitor.h
 MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
 MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
 MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
-diff -up openssh-4.7p1/monitor_wrap.c.selinux openssh-4.7p1/monitor_wrap.c
---- openssh-4.7p1/monitor_wrap.c.selinux 2007-06-11 06:01:42.000000000 +0200
-+++ openssh-4.7p1/monitor_wrap.c 2007-09-06 19:46:32.000000000 +0200
-@@ -294,6 +294,23 @@ mm_inform_authserv(char *service, char *
+diff -up openssh-5.1p1/auth2-hostbased.c.selinux openssh-5.1p1/auth2-hostbased.c
+--- openssh-5.1p1/auth2-hostbased.c.selinux 2008-07-17 10:57:19.000000000 +0200
++++ openssh-5.1p1/auth2-hostbased.c 2008-07-23 16:32:13.000000000 +0200
+@@ -106,7 +106,14 @@ userauth_hostbased(Authctxt *authctxt)
+ buffer_put_string(&b, session_id2, session_id2_len);
+ /* reconstruct packet */
+ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
+- buffer_put_cstring(&b, authctxt->user);
++ if (authctxt->role) {
++ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
++ buffer_append(&b, authctxt->user, strlen(authctxt->user));
++ buffer_put_char(&b, '/');
++ buffer_append(&b, authctxt->role, strlen(authctxt->role));
++ } else {
++ buffer_put_cstring(&b, authctxt->user);
++ }
+ buffer_put_cstring(&b, service);
+ buffer_put_cstring(&b, "hostbased");
+ buffer_put_string(&b, pkalg, alen);
+diff -up openssh-5.1p1/monitor_wrap.c.selinux openssh-5.1p1/monitor_wrap.c
+--- openssh-5.1p1/monitor_wrap.c.selinux 2008-07-11 09:36:48.000000000 +0200
++++ openssh-5.1p1/monitor_wrap.c 2008-07-23 16:32:13.000000000 +0200
+@@ -296,6 +296,23 @@ mm_inform_authserv(char *service, char *
 buffer_free(&m);
 }
@@ -91,9 +129,9 @@ diff -up openssh-4.7p1/monitor_wrap.c.selinux openssh-4.7p1/monitor_wrap.c /* Do the password authentication */ int mm_auth_password(Authctxt *authctxt, char *password) -diff -up openssh-4.7p1/openbsd-compat/port-linux.c.selinux openssh-4.7p1/openbsd-compat/port-linux.c ---- openssh-4.7p1/openbsd-compat/port-linux.c.selinux 2007-06-28 00:48:03.000000000 +0200 -+++ openssh-4.7p1/openbsd-compat/port-linux.c 2007-09-06 19:46:32.000000000 +0200 +diff -up openssh-5.1p1/openbsd-compat/port-linux.c.selinux openssh-5.1p1/openbsd-compat/port-linux.c +--- openssh-5.1p1/openbsd-compat/port-linux.c.selinux 2008-03-26 21:27:21.000000000 +0100 ++++ openssh-5.1p1/openbsd-compat/port-linux.c 2008-07-23 16:32:13.000000000 +0200 @@ -30,11 +30,16 @@ #ifdef WITH_SELINUX #include "log.h" @@ -109,7 +147,7 @@ diff -up openssh-4.7p1/openbsd-compat/port-linux.c.selinux openssh-4.7p1/openbsd +extern Authctxt *the_authctxt; + /* Wrapper around is_selinux_enabled() to log its return value once only */ - static int + int ssh_selinux_enabled(void) @@ -53,23 +58,36 @@ ssh_selinux_enabled(void) static security_context_t @@ -155,9 +193,9 @@ diff -up openssh-4.7p1/openbsd-compat/port-linux.c.selinux openssh-4.7p1/openbsd if (r != 0) { switch (security_getenforce()) { -diff -up openssh-4.7p1/auth.h.selinux openssh-4.7p1/auth.h ---- openssh-4.7p1/auth.h.selinux 2006-08-18 16:32:46.000000000 +0200 -+++ openssh-4.7p1/auth.h 2007-09-06 19:46:32.000000000 +0200 +diff -up openssh-5.1p1/auth.h.selinux openssh-5.1p1/auth.h +--- openssh-5.1p1/auth.h.selinux 2008-07-02 14:37:30.000000000 +0200 ++++ openssh-5.1p1/auth.h 2008-07-23 16:32:13.000000000 +0200 @@ -58,6 +58,7 @@ struct Authctxt { char *service; struct passwd *pw; /* set if 'valid' */ 
@@ -166,10 +204,10 @@ diff -up openssh-4.7p1/auth.h.selinux openssh-4.7p1/auth.h void *kbdintctxt; #ifdef BSD_AUTH auth_session_t *as; -diff -up openssh-4.7p1/auth2.c.selinux openssh-4.7p1/auth2.c ---- openssh-4.7p1/auth2.c.selinux 2007-05-20 06:58:41.000000000 +0200 -+++ openssh-4.7p1/auth2.c 2007-09-06 19:46:32.000000000 +0200 -@@ -141,7 +141,7 @@ input_userauth_request(int type, u_int32 +diff -up openssh-5.1p1/auth2.c.selinux openssh-5.1p1/auth2.c +--- openssh-5.1p1/auth2.c.selinux 2008-07-05 01:44:53.000000000 +0200 ++++ openssh-5.1p1/auth2.c 2008-07-23 16:32:13.000000000 +0200 +@@ -209,7 +209,7 @@ input_userauth_request(int type, u_int32 { Authctxt *authctxt = ctxt; Authmethod *m = NULL; @@ -178,7 +216,7 @@ diff -up openssh-4.7p1/auth2.c.selinux openssh-4.7p1/auth2.c int authenticated = 0; if (authctxt == NULL) -@@ -153,6 +153,9 @@ input_userauth_request(int type, u_int32 +@@ -221,6 +221,9 @@ input_userauth_request(int type, u_int32 debug("userauth-request for user %s service %s method %s", user, service, method); debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); @@ -188,7 +226,7 @@ diff -up openssh-4.7p1/auth2.c.selinux openssh-4.7p1/auth2.c if ((style = strchr(user, ':')) != NULL) *style++ = 0; -@@ -178,8 +181,11 @@ input_userauth_request(int type, u_int32 +@@ -246,8 +249,11 @@ input_userauth_request(int type, u_int32 use_privsep ? " [net]" : ""); authctxt->service = xstrdup(service); authctxt->style = style ? xstrdup(style) : NULL; 
@@ -198,13 +236,13 @@ diff -up openssh-4.7p1/auth2.c.selinux openssh-4.7p1/auth2.c mm_inform_authserv(service, style); + mm_inform_authrole(role); + } + userauth_banner(); } else if (strcmp(user, authctxt->user) != 0 || strcmp(service, authctxt->service) != 0) { - packet_disconnect("Change of username or service not allowed: " -diff -up openssh-4.7p1/monitor.c.selinux openssh-4.7p1/monitor.c ---- openssh-4.7p1/monitor.c.selinux 2007-05-20 07:10:16.000000000 +0200 -+++ openssh-4.7p1/monitor.c 2007-09-06 19:46:32.000000000 +0200 -@@ -133,6 +133,7 @@ int mm_answer_sign(int, Buffer *); +diff -up openssh-5.1p1/monitor.c.selinux openssh-5.1p1/monitor.c +--- openssh-5.1p1/monitor.c.selinux 2008-07-11 09:36:48.000000000 +0200 ++++ openssh-5.1p1/monitor.c 2008-07-23 16:36:10.000000000 +0200 +@@ -134,6 +134,7 @@ int mm_answer_sign(int, Buffer *); int mm_answer_pwnamallow(int, Buffer *); int mm_answer_auth2_read_banner(int, Buffer *); int mm_answer_authserv(int, Buffer *); @@ -212,7 +250,7 @@ diff -up openssh-4.7p1/monitor.c.selinux openssh-4.7p1/monitor.c int mm_answer_authpassword(int, Buffer *); int mm_answer_bsdauthquery(int, Buffer *); int mm_answer_bsdauthrespond(int, Buffer *); -@@ -204,6 +205,7 @@ struct mon_table mon_dispatch_proto20[] +@@ -205,6 +206,7 @@ struct mon_table mon_dispatch_proto20[] {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, @@ -220,7 +258,7 @@ diff -up openssh-4.7p1/monitor.c.selinux openssh-4.7p1/monitor.c {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, #ifdef USE_PAM -@@ -657,6 +659,7 @@ mm_answer_pwnamallow(int sock, Buffer *m +@@ -658,6 +660,7 @@ mm_answer_pwnamallow(int sock, Buffer *m else { /* Allow service/style information on the auth context */ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 
@@ -228,7 +266,7 @@ diff -up openssh-4.7p1/monitor.c.selinux openssh-4.7p1/monitor.c
 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 }
-@@ -702,6 +705,23 @@ mm_answer_authserv(int sock, Buffer *m)
+@@ -703,6 +706,23 @@ mm_answer_authserv(int sock, Buffer *m)
 }
 int
@@ -252,3 +290,39 @@ diff -up openssh-4.7p1/monitor.c.selinux openssh-4.7p1/monitor.c
 mm_answer_authpassword(int sock, Buffer *m)
 {
 static int call_count;
+@@ -1080,7 +1100,7 @@ static int
+ monitor_valid_userblob(u_char *data, u_int datalen)
+ {
+ Buffer b;
+- char *p;
++ char *p, *r;
+ u_int len;
+ int fail = 0;
+
+@@ -1106,6 +1126,8 @@ monitor_valid_userblob(u_char *data, u_i
+ if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
+ fail++;
+ p = buffer_get_string(&b, NULL);
++ if ((r = strchr(p, '/')) != NULL)
++ *r = '\0';
+ if (strcmp(authctxt->user, p) != 0) {
+ logit("wrong user name passed to monitor: expected %s != %.100s",
+ authctxt->user, p);
+@@ -1137,7 +1159,7 @@ monitor_valid_hostbasedblob(u_char *data
+ char *chost)
+ {
+ Buffer b;
+- char *p;
++ char *p, *r;
+ u_int len;
+ int fail = 0;
+
+@@ -1154,6 +1176,8 @@ monitor_valid_hostbasedblob(u_char *data
+ if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
+ fail++;
+ p = buffer_get_string(&b, NULL);
++ if ((r = strchr(p, '/')) != NULL)
++ *r = '\0';
+ if (strcmp(authctxt->user, p) != 0) {
+ logit("wrong user name passed to monitor: expected %s != %.100s",
+ authctxt->user, p);
diff --git a/openssh-3.8.1p1-skip-initial.patch b/openssh-5.1p1-skip-initial.patch
similarity index 57%
rename from openssh-3.8.1p1-skip-initial.patch
rename to openssh-5.1p1-skip-initial.patch
index 77be56e..be3204e 100644
--- a/openssh-3.8.1p1-skip-initial.patch
+++ b/openssh-5.1p1-skip-initial.patch
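Review bot: In `monitor_valid_userblob` the added `if ((r = strchr(p, '/')) != NULL) *r = '\0';` throws the role part of the signed name away before `strcmp(authctxt->user, p)`, so the monitor only confirms the user name and never confirms that the role the client signed for is the one the unprivileged child reported through `mm_inform_authrole()`; the privilege-separated child is exactly the component this check is meant to distrust, and the same gap is in `monitor_valid_hostbasedblob` later in this hunk. Assuming the monitor-side handler for that request stores the value on the monitor's `authctxt` (its body is outside this hunk), the text after the separator should be compared with `authctxt->role` and a mismatch — or a role present on only one side — should bump `fail` just like a wrong user name does. A sketch for the userblob case follows; the existing user-name `if` block continues past the hunk, so the new comparison goes after it.
```c
	p = buffer_get_string(&b, NULL);
	if ((r = strchr(p, '/')) != NULL)
		*r++ = '\0';	/* r now points at the role part, or is NULL */
	/* … unchanged: user-name comparison and its logit() … */
	if ((r == NULL) != (authctxt->role == NULL) ||
	    (r != NULL && strcmp(authctxt->role, r) != 0)) {
		logit("wrong role passed to monitor: expected %.100s != %.100s",
		    authctxt->role ? authctxt->role : "(none)", r ? r : "(none)");
		fail++;
	}
```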
@@ -2,10 +2,11 @@ Skip the initial empty-password check if permit_empty_passwd is disabled. This doesn't change the timing profiles of the host because the additional condition check which can short-circuit the call to pam_authenticate() has no dependency on the identity of the user who is being authenticated. ---- openssh-3.8p1/auth1.c 2004-02-26 21:05:25.000000000 -0500 -+++ openssh-3.8p1/auth1.c 2004-02-26 21:05:20.000000000 -0500 -@@ -76,7 +76,7 @@ - authctxt->valid ? "" : "illegal user ", authctxt->user); +diff -up openssh-5.1p1/auth1.c.skip-initial openssh-5.1p1/auth1.c +--- openssh-5.1p1/auth1.c.skip-initial 2008-07-09 12:54:05.000000000 +0200 ++++ openssh-5.1p1/auth1.c 2008-07-23 18:26:01.000000000 +0200 +@@ -244,7 +244,7 @@ do_authloop(Authctxt *authctxt) + authctxt->valid ? "" : "invalid user ", authctxt->user); /* If the user has no password, accept authentication immediately. */ - if (options.password_authentication && @@ -13,11 +14,12 @@ on the identity of the user who is being authenticated. #ifdef KRB5 (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif ---- openssh-3.8p1/auth2-none.c 2004-02-26 21:07:34.000000000 -0500 -+++ openssh-3.8p1/auth2-none.c 2004-02-26 21:07:28.000000000 -0500 -@@ -100,7 +100,7 @@ +diff -up openssh-5.1p1/auth2-none.c.skip-initial openssh-5.1p1/auth2-none.c +--- openssh-5.1p1/auth2-none.c.skip-initial 2008-07-02 14:56:09.000000000 +0200 ++++ openssh-5.1p1/auth2-none.c 2008-07-23 18:26:01.000000000 +0200 +@@ -65,7 +65,7 @@ userauth_none(Authctxt *authctxt) if (check_nt_auth(1, authctxt->pw) == 0) - return(0); + return (0); #endif - if (options.password_authentication) + if (options.permit_empty_passwd && options.password_authentication) diff --git a/openssh-4.7p1-vendor.patch b/openssh-5.1p1-vendor.patch similarity index 51% rename from openssh-4.7p1-vendor.patch rename to openssh-5.1p1-vendor.patch index eff213a..826a1df 100644 --- a/openssh-4.7p1-vendor.patch +++ b/openssh-5.1p1-vendor.patch 
@@ -1,7 +1,7 @@ -diff -up openssh-4.7p1/configure.ac.vendor openssh-4.7p1/configure.ac ---- openssh-4.7p1/configure.ac.vendor 2007-09-06 16:27:47.000000000 +0200 -+++ openssh-4.7p1/configure.ac 2007-09-06 16:27:47.000000000 +0200 -@@ -3792,6 +3792,12 @@ AC_ARG_WITH(lastlog, +diff -up openssh-5.1p1/configure.ac.vendor openssh-5.1p1/configure.ac +--- openssh-5.1p1/configure.ac.vendor 2008-07-23 14:13:22.000000000 +0200 ++++ openssh-5.1p1/configure.ac 2008-07-23 14:13:22.000000000 +0200 +@@ -3890,6 +3890,12 @@ AC_ARG_WITH(lastlog, fi ] ) @@ -14,7 +14,7 @@ diff -up openssh-4.7p1/configure.ac.vendor openssh-4.7p1/configure.ac dnl lastlog, [uw]tmpx? detection dnl NOTE: set the paths in the platform section to avoid the -@@ -4041,6 +4047,7 @@ echo " IP address in \$DISPLAY hac +@@ -4146,6 +4152,7 @@ echo " IP address in \$DISPLAY hac echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" echo " BSD Auth support: $BSD_AUTH_MSG" echo " Random number source: $RAND_MSG" 
@@ -22,47 +22,47 @@ diff -up openssh-4.7p1/configure.ac.vendor openssh-4.7p1/configure.ac if test ! -z "$USE_RAND_HELPER" ; then echo " ssh-rand-helper collects from: $RAND_HELPER_MSG" fi -diff -up openssh-4.7p1/sshd_config.5.vendor openssh-4.7p1/sshd_config.5 ---- openssh-4.7p1/sshd_config.5.vendor 2007-09-06 16:27:47.000000000 +0200 -+++ openssh-4.7p1/sshd_config.5 2007-09-06 16:27:47.000000000 +0200 -@@ -725,6 +725,14 @@ This option applies to protocol version +diff -up openssh-5.1p1/sshd_config.5.vendor openssh-5.1p1/sshd_config.5 +--- openssh-5.1p1/sshd_config.5.vendor 2008-07-23 14:13:22.000000000 +0200 ++++ openssh-5.1p1/sshd_config.5 2008-07-23 14:19:23.000000000 +0200 +@@ -812,6 +812,14 @@ This option applies to protocol version .It Cm ServerKeyBits Defines the number of bits in the ephemeral protocol version 1 server key. - The minimum value is 512, and the default is 768. -+.It Cm ShowPatchLevel -+Specifies whether -+.Nm sshd -+will display the patch level of the binary in the identification string. -+The patch level is set at compile-time. -+The default is -+.Dq no . -+This option applies to protocol version 1 only. + The minimum value is 512, and the default is 1024. ++.It Cm ShowPatchLevel ++Specifies whether ++.Nm sshd ++will display the patch level of the binary in the identification string. ++The patch level is set at compile-time. ++The default is ++.Dq no . ++This option applies to protocol version 1 only. 
.It Cm StrictModes Specifies whether .Xr sshd 8 -diff -up openssh-4.7p1/servconf.h.vendor openssh-4.7p1/servconf.h ---- openssh-4.7p1/servconf.h.vendor 2007-02-19 12:25:38.000000000 +0100 -+++ openssh-4.7p1/servconf.h 2007-09-06 16:27:47.000000000 +0200 -@@ -120,6 +120,7 @@ typedef struct { - int max_startups; +diff -up openssh-5.1p1/servconf.h.vendor openssh-5.1p1/servconf.h +--- openssh-5.1p1/servconf.h.vendor 2008-06-10 15:01:51.000000000 +0200 ++++ openssh-5.1p1/servconf.h 2008-07-23 14:13:22.000000000 +0200 +@@ -126,6 +126,7 @@ typedef struct { int max_authtries; + int max_sessions; char *banner; /* SSH-2 banner message */ + int show_patchlevel; /* Show vendor patch level to clients */ int use_dns; int client_alive_interval; /* * poke the client this often to -diff -up openssh-4.7p1/servconf.c.vendor openssh-4.7p1/servconf.c ---- openssh-4.7p1/servconf.c.vendor 2007-05-20 07:03:16.000000000 +0200 -+++ openssh-4.7p1/servconf.c 2007-09-06 16:29:11.000000000 +0200 -@@ -113,6 +113,7 @@ initialize_server_options(ServerOptions - options->max_startups = -1; +diff -up openssh-5.1p1/servconf.c.vendor openssh-5.1p1/servconf.c +--- openssh-5.1p1/servconf.c.vendor 2008-07-04 05:51:12.000000000 +0200 ++++ openssh-5.1p1/servconf.c 2008-07-23 14:32:27.000000000 +0200 +@@ -117,6 +117,7 @@ initialize_server_options(ServerOptions options->max_authtries = -1; + options->max_sessions = -1; options->banner = NULL; + options->show_patchlevel = -1; options->use_dns = -1; options->client_alive_interval = -1; options->client_alive_count_max = -1; -@@ -250,6 +251,9 @@ fill_default_server_options(ServerOption +@@ -259,6 +260,9 @@ fill_default_server_options(ServerOption if (options->permit_tun == -1) options->permit_tun = SSH_TUNMODE_NO; 
@@ -72,23 +72,24 @@ diff -up openssh-4.7p1/servconf.c.vendor openssh-4.7p1/servconf.c /* Turn privilege separation on by default */ if (use_privsep == -1) use_privsep = 1; -@@ -293,6 +297,7 @@ typedef enum { +@@ -296,7 +300,7 @@ typedef enum { + sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, + sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, + sMaxStartups, sMaxAuthTries, sMaxSessions, +- sBanner, sUseDNS, sHostbasedAuthentication, ++ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication, + sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, + sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, - sMatch, sPermitOpen, sForceCommand, - sUsePrivilegeSeparation, -+ sShowPatchLevel, - sDeprecated, sUnsupported - } ServerOpCodes; - -@@ -390,6 +395,7 @@ static struct { - { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, - { "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL }, +@@ -401,6 +405,7 @@ static struct { + { "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, + { "maxsessions", sMaxSessions, SSHCFG_ALL }, { "banner", sBanner, SSHCFG_ALL }, + { "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL }, { "usedns", sUseDNS, SSHCFG_GLOBAL }, { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, -@@ -1005,6 +1011,10 @@ parse_flag: +@@ -1020,6 +1025,10 @@ process_server_config_line(ServerOptions intptr = &use_privsep; goto parse_flag; 
@@ -99,12 +100,20 @@ diff -up openssh-4.7p1/servconf.c.vendor openssh-4.7p1/servconf.c case sAllowUsers: while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_allow_users >= MAX_ALLOW_USERS) -diff -up openssh-4.7p1/sshd_config.0.vendor openssh-4.7p1/sshd_config.0 ---- openssh-4.7p1/sshd_config.0.vendor 2007-09-06 16:27:47.000000000 +0200 -+++ openssh-4.7p1/sshd_config.0 2007-09-06 16:27:47.000000000 +0200 -@@ -418,6 +418,11 @@ DESCRIPTION +@@ -1584,6 +1593,7 @@ dump_config(ServerOptions *o) + dump_cfg_fmtint(sUseLogin, o->use_login); + dump_cfg_fmtint(sCompression, o->compression); + dump_cfg_fmtint(sGatewayPorts, o->gateway_ports); ++ dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel); + dump_cfg_fmtint(sUseDNS, o->use_dns); + dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); + dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); +diff -up openssh-5.1p1/sshd_config.0.vendor openssh-5.1p1/sshd_config.0 +--- openssh-5.1p1/sshd_config.0.vendor 2008-07-23 14:13:22.000000000 +0200 ++++ openssh-5.1p1/sshd_config.0 2008-07-23 14:13:22.000000000 +0200 +@@ -466,6 +466,11 @@ DESCRIPTION Defines the number of bits in the ephemeral protocol version 1 - server key. The minimum value is 512, and the default is 768. + server key. The minimum value is 512, and the default is 1024. + ShowPatchLevel + Specifies whether sshd will display the specific patch level of 
@@ -114,10 +123,10 @@ diff -up openssh-4.7p1/sshd_config.0.vendor openssh-4.7p1/sshd_config.0 StrictModes Specifies whether sshd(8) should check file modes and ownership of the user's files and home directory before accepting login. -diff -up openssh-4.7p1/sshd_config.vendor openssh-4.7p1/sshd_config ---- openssh-4.7p1/sshd_config.vendor 2007-09-06 16:27:47.000000000 +0200 -+++ openssh-4.7p1/sshd_config 2007-09-06 16:27:47.000000000 +0200 -@@ -109,6 +109,7 @@ X11Forwarding yes +diff -up openssh-5.1p1/sshd_config.vendor openssh-5.1p1/sshd_config +--- openssh-5.1p1/sshd_config.vendor 2008-07-23 14:13:22.000000000 +0200 ++++ openssh-5.1p1/sshd_config 2008-07-23 14:13:22.000000000 +0200 +@@ -112,6 +112,7 @@ X11Forwarding yes #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 
@@ -125,20 +134,19 @@ diff -up openssh-4.7p1/sshd_config.vendor openssh-4.7p1/sshd_config #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 -diff -up openssh-4.7p1/sshd.c.vendor openssh-4.7p1/sshd.c ---- openssh-4.7p1/sshd.c.vendor 2007-06-05 10:22:32.000000000 +0200 -+++ openssh-4.7p1/sshd.c 2007-09-06 16:27:47.000000000 +0200 -@@ -419,7 +419,8 @@ sshd_exchange_identification(int sock_in - major = PROTOCOL_MAJOR_1; +diff -up openssh-5.1p1/sshd.c.vendor openssh-5.1p1/sshd.c +--- openssh-5.1p1/sshd.c.vendor 2008-07-11 09:36:49.000000000 +0200 ++++ openssh-5.1p1/sshd.c 2008-07-23 14:35:43.000000000 +0200 +@@ -416,7 +416,7 @@ sshd_exchange_identification(int sock_in minor = PROTOCOL_MINOR_1; } -- snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION); -+ snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, -+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION); + snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor, +- SSH_VERSION, newline); ++ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline); server_version_string = xstrdup(buf); /* Send our protocol version identification. */ -@@ -1434,7 +1435,8 @@ main(int ac, char **av) +@@ -1484,7 +1484,8 @@ main(int ac, char **av) exit(1); } diff --git a/openssh.spec b/openssh.spec index 2849676..f2f7b0c 100644 --- a/openssh.spec +++ b/openssh.spec @@ -62,8 +62,8 @@ Summary: The OpenSSH implementation of SSH protocol versions 1 and 2 Name: openssh -Version: 5.0p1 -Release: 3%{?dist}%{?rescue_rel} +Version: 5.1p1 +Release: 1%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc 
@@ -74,31 +74,28 @@ Source0: openssh-%{version}-noacss.tar.bz2
 Source1: openssh-nukeacss.sh
 Source2: sshd.pam
 Source3: sshd.init
-Patch0: openssh-4.7p1-redhat.patch
-Patch2: openssh-3.8.1p1-skip-initial.patch
+Patch0: openssh-5.1p1-redhat.patch
+Patch2: openssh-5.1p1-skip-initial.patch
 Patch3: openssh-3.8.1p1-krb5-config.patch
-Patch4: openssh-4.7p1-vendor.patch
-Patch12: openssh-4.7p1-selinux.patch
-Patch13: openssh-4.7p1-mls.patch
+Patch4: openssh-5.1p1-vendor.patch
+Patch12: openssh-5.1p1-selinux.patch
+Patch13: openssh-5.1p1-mls.patch
 Patch16: openssh-4.7p1-audit.patch
 Patch17: openssh-4.3p2-cve-2007-3102.patch
+Patch18: openssh-5.0p1-pam_selinux.patch
 Patch22: openssh-3.9p1-askpass-keep-above.patch
 Patch24: openssh-4.3p1-fromto-remote.patch
-Patch27: openssh-4.7p1-log-in-chroot.patch
+Patch27: openssh-5.1p1-log-in-chroot.patch
 Patch30: openssh-4.0p1-exit-deadlock.patch
-Patch35: openssh-4.2p1-askpass-progress.patch
+Patch35: openssh-5.1p1-askpass-progress.patch
 Patch38: openssh-4.3p2-askpass-grab-info.patch
 Patch39: openssh-4.3p2-no-v6only.patch
 Patch44: openssh-4.3p2-allow-ip-opts.patch
 Patch49: openssh-4.3p2-gssapi-canohost.patch
-Patch51: openssh-4.7p1-nss-keys.patch
-Patch54: openssh-4.7p1-gssapi-role.patch
-Patch55: openssh-4.7p1-cloexec.patch
-Patch58: openssh-4.5p1-controlcleanup.patch
-Patch59: openssh-4.7p1-master-race.patch
-Patch60: openssh-5.0p1-pam_selinux.patch
-Patch61: openssh-5.0p1-unbreakalive.patch
-Patch62: openssh-3.9p1-scp-manpage.patch
+Patch51: openssh-5.1p1-nss-keys.patch
+Patch54: openssh-5.1p1-gssapi-role.patch
+Patch55: openssh-5.1p1-cloexec.patch
+Patch62: openssh-5.1p1-scp-manpage.patch
 License: BSD
 Group: Applications/Internet
@@ -202,7 +199,6 @@ into and executing commands on a remote machine. This package contains
 an X11 passphrase dialog for OpenSSH.
 %prep
-
 %setup -q
 %patch0 -p1 -b .redhat
 %patch2 -p1 -b .skip-initial
@@ -215,6 +211,7 @@ an X11 passphrase dialog for OpenSSH.
 %patch13 -p1 -b .mls
 %patch16 -p1 -b .audit
 %patch17 -p1 -b .inject-fix
+%patch18 -p1 -b .pam_selinux
 %endif
 %patch22 -p1 -b .keep-above
@@ -227,13 +224,9 @@ an X11 passphrase dialog for OpenSSH.
 %patch44 -p1 -b .ip-opts
 %patch49 -p1 -b .canohost
 %patch51 -p1 -b .nss-keys
-%patch54 -p0 -b .gssapi-role
+%patch54 -p1 -b .gssapi-role
 %patch55 -p1 -b .cloexec
-%patch58 -p1 -b .controlcleanup
-%patch59 -p1 -b .master-race
-%patch60 -p1 -b .pam_selinux
-%patch61 -p0 -b .unbreakalive
-%patch62 -p0 -b .manpage
+%patch62 -p1 -b .manpage
 autoreconf
@@ -423,7 +416,7 @@ fi
 %files
 %defattr(-,root,root)
-%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* RFC* TODO WARNING*
+%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW PROTOCOL* README* TODO WARNING*
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh
 %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
 %if ! %{rescue}
@@ -468,6 +461,7 @@ fi
 %attr(0755,root,root) %{_sbindir}/sshd
 %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
 %attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
+%attr(0644,root,root) %{_mandir}/man5/moduli.5*
 %attr(0644,root,root) %{_mandir}/man8/sshd.8*
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
@@ -484,6 +478,11 @@ fi
 %endif
 %changelog
+* Wed Jul 23 2008 Tomas Mraz - 5.1p1-1
+- upgrade to new upstream release
+- fixed a problem with public key authentication and explicitely
+ specified SELinux role
+
 * Wed May 21 2008 Tomas Mraz - 5.0p1-3
 - pass the connection socket to ssh-keysign (#447680)
diff --git a/sources b/sources
index dcc3173..eda40d2 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-e39c15a5fb9036bd64256c78a6fbf394 openssh-5.0p1-noacss.tar.bz2
+5273579190b10f53baaf87f3c6eb0d73 openssh-5.1p1-noacss.tar.bz2
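Review bot: The pam_selinux patch goes from an unconditional to a conditional build step without the changelog saying so: the new `%patch18 -p1 -b .pam_selinux` is inserted directly before `%endif`, so it is applied only when the enclosing `%if` (which opens outside this hunk) holds, whereas the removed `%patch60 -p1 -b .pam_selinux` in the following hunk ran after that `%endif` on every build. If the narrowing is intended, the 5.1p1-1 changelog entry in the last hunk should record it, and a build with the condition false should be checked to confirm it really no longer needs the patch. The same entry could also note that Patch58, Patch59 and Patch61 (controlcleanup, master-race, unbreakalive) were dropped, presumably because 5.1p1 carries those fixes upstream — e.g. `- pam_selinux patch is now applied only inside the conditional block` and `- dropped controlcleanup, master-race and unbreakalive patches (merged upstream)`.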
