From 93a47445394476a930ca7946af0ac015626b110f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?= Date: Wed, 23 Jul 2008 14:50:23 +0000 Subject: [PATCH] - upgrade to new upstream release - fixed a problem with public key authentication and explicitely specified SELinux role --- .cvsignore | 2 +- openssh-4.5p1-controlcleanup.patch | 15 -- openssh-4.7p1-master-race.patch | 85 ---------- openssh-5.0p1-unbreakalive.patch | 20 --- ...oexec.patch => openssh-5.1p1-cloexec.patch | 22 +-- ...patch => openssh-5.1p1-log-in-chroot.patch | 26 +-- ...redhat.patch => openssh-5.1p1-redhat.patch | 44 ++--- ...linux.patch => openssh-5.1p1-selinux.patch | 154 +++++++++++++----- ...vendor.patch => openssh-5.1p1-vendor.patch | 124 +++++++------- openssh.spec | 28 ++-- sources | 2 +- 11 files changed, 243 insertions(+), 279 deletions(-) delete mode 100644 openssh-4.5p1-controlcleanup.patch delete mode 100644 openssh-4.7p1-master-race.patch delete mode 100644 openssh-5.0p1-unbreakalive.patch rename openssh-4.7p1-cloexec.patch => openssh-5.1p1-cloexec.patch (57%) rename openssh-4.7p1-log-in-chroot.patch => openssh-5.1p1-log-in-chroot.patch (57%) rename openssh-4.7p1-redhat.patch => openssh-5.1p1-redhat.patch (71%) rename openssh-4.7p1-selinux.patch => openssh-5.1p1-selinux.patch (54%) rename openssh-4.7p1-vendor.patch => openssh-5.1p1-vendor.patch (51%)
diff --git a/.cvsignore b/.cvsignore
index f169a74..4d44afa 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-openssh-5.0p1-noacss.tar.bz2
+openssh-5.1p1-noacss.tar.bz2
diff --git a/openssh-4.5p1-controlcleanup.patch b/openssh-4.5p1-controlcleanup.patch
deleted file mode 100644
index 23822c5..0000000
--- a/openssh-4.5p1-controlcleanup.patch
+++ /dev/null
@@ -1,15 +0,0 @@
---- openssh-4.5p1/ssh.c~ 2007-03-24 16:25:18.000000000 +0000
-+++ openssh-4.5p1/ssh.c 2007-03-24 16:31:06.000000000 +0000
-@@ -1347,7 +1347,11 @@
- }
- if (errno == ENOENT)
- debug("Control socket \"%.100s\" does not exist", path);
-- else {
-+ else if (errno == ECONNREFUSED) {
-+ debug("Control socket connect(%.100s): %s", path,
-+ strerror(errno));
-+ unlink(path);
-+ } else {
- error("Control socket connect(%.100s): %s", path,
- strerror(errno));
- }
diff --git a/openssh-4.7p1-master-race.patch b/openssh-4.7p1-master-race.patch
deleted file mode 100644
index 8662c43..0000000
--- a/openssh-4.7p1-master-race.patch
+++ /dev/null
@@ -1,85 +0,0 @@ ---- openssh-4.7p1/ssh.c.masterrace 2008-03-06 13:55:11.000000000 +0000 -+++ openssh-4.7p1/ssh.c 2008-03-06 13:55:19.000000000 +0000 -@@ -1065,7 +1065,7 @@ client_global_request_reply_fwd(int type - } - } - --static void -+static int - ssh_control_listener(void) - { - struct sockaddr_un addr; -@@ -1073,10 +1073,11 @@ ssh_control_listener(void) - int addr_len; - - if (options.control_path == NULL || -- options.control_master == SSHCTL_MASTER_NO) -- return; -+ options.control_master == SSHCTL_MASTER_NO || -+ control_fd != -1) -+ return 1; - -- debug("setting up multiplex master socket"); -+ debug("trying to set up multiplex master socket"); - - memset(&addr, '\0', sizeof(addr)); - addr.sun_family = AF_UNIX; -@@ -1093,11 +1094,9 @@ ssh_control_listener(void) - old_umask = umask(0177); - if (bind(control_fd, (struct sockaddr *)&addr, addr_len) == -1) { - control_fd = -1; -- if (errno == EINVAL || errno == EADDRINUSE) -- fatal("ControlSocket %s already exists", -- options.control_path); -- else -+ if (errno != EINVAL && errno != EADDRINUSE) - fatal("%s bind(): %s", __func__, strerror(errno)); -+ return 0; - } - umask(old_umask); - -@@ -1105,6 +1104,9 @@ ssh_control_listener(void) - fatal("%s listen(): %s", __func__, strerror(errno)); - - set_nonblock(control_fd); -+ -+ debug("control master listening on %s", options.control_path); -+ return 1; - } - - /* request pty/x11/agent/tcpfwd/shell for channel */ -@@ -1196,7 +1198,9 @@ ssh_session2(void) - ssh_init_forwarding(); - - /* Start listening for multiplex clients */ -- ssh_control_listener(); -+ if (!ssh_control_listener()) -+ fatal("control master socket %s already exists", -+ options.control_path); - - /* - * If we are the control master, and if control_persist is set, -@@ -1375,7 +1379,13 @@ control_client(const char *path) - switch (options.control_master) { - case SSHCTL_MASTER_AUTO: - case SSHCTL_MASTER_AUTO_ASK: -- debug("auto-mux: Trying existing master"); -+ /* see if we can create a control 
master socket -+ to avoid a race between two auto clients */ -+ if (mux_command == SSHMUX_COMMAND_OPEN && -+ ssh_control_listener()) -+ return; -+ debug("trying to connect to control master socket %s", -+ options.control_path); - /* FALLTHROUGH */ - case SSHCTL_MASTER_NO: - break; -@@ -1522,6 +1532,8 @@ control_client(const char *path) - signal(SIGTERM, control_client_sighandler); - signal(SIGWINCH, control_client_sigrelay); - -+ debug("connected to control master; waiting for exit"); -+ - if (tty_flag) - enter_raw_mode(); - diff --git a/openssh-5.0p1-unbreakalive.patch b/openssh-5.0p1-unbreakalive.patch deleted file mode 100644 index b1dafa5..0000000 --- a/openssh-5.0p1-unbreakalive.patch +++ /dev/null @@ -1,20 +0,0 @@ -Index: packet.c -=================================================================== -RCS file: /cvs/src/usr.bin/ssh/packet.c,v -retrieving revision 1.152 -diff -u -p packet.c ---- packet.c 8 May 2008 06:59:01 -0000 -+++ packet.c 19 May 2008 04:00:34 -0000 -@@ -1185,9 +1185,10 @@ packet_read_poll_seqnr(u_int32_t *seqnr_ - for (;;) { - if (compat20) { - type = packet_read_poll2(seqnr_p); -- keep_alive_timeouts = 0; -- if (type) -+ if (type) { -+ keep_alive_timeouts = 0; - DBG(debug("received packet type %d", type)); -+ } - switch (type) { - case SSH2_MSG_IGNORE: - debug3("Received SSH2_MSG_IGNORE"); diff --git a/openssh-4.7p1-cloexec.patch b/openssh-5.1p1-cloexec.patch similarity index 57% rename from openssh-4.7p1-cloexec.patch rename to openssh-5.1p1-cloexec.patch index b1442bf..5dbff42 100644 --- a/openssh-4.7p1-cloexec.patch +++ b/openssh-5.1p1-cloexec.patch 
@@ -1,15 +1,15 @@ -diff -up openssh-4.7p1/sshconnect2.c.cloexec openssh-4.7p1/sshconnect2.c ---- openssh-4.7p1/sshconnect2.c.cloexec 2008-03-06 15:58:03.000000000 +0100 -+++ openssh-4.7p1/sshconnect2.c 2008-05-21 09:27:06.000000000 +0200 +diff -up openssh-5.1p1/sshconnect2.c.cloexec openssh-5.1p1/sshconnect2.c +--- openssh-5.1p1/sshconnect2.c.cloexec 2008-07-23 15:21:23.000000000 +0200 ++++ openssh-5.1p1/sshconnect2.c 2008-07-23 15:23:19.000000000 +0200 @@ -38,6 +38,7 @@ #include #include #include +#include - - #include "openbsd-compat/sys-queue.h" - -@@ -1257,6 +1258,7 @@ ssh_keysign(Key *key, u_char **sigp, u_i + #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) + #include + #endif +@@ -1267,6 +1268,7 @@ ssh_keysign(Key *key, u_char **sigp, u_i return -1; } if (pid == 0) { @@ -17,9 +17,9 @@ diff -up openssh-4.7p1/sshconnect2.c.cloexec openssh-4.7p1/sshconnect2.c permanently_drop_suid(getuid()); close(from[0]); if (dup2(from[1], STDOUT_FILENO) < 0) -diff -up openssh-4.7p1/sshconnect.c.cloexec openssh-4.7p1/sshconnect.c ---- openssh-4.7p1/sshconnect.c.cloexec 2006-10-23 19:02:24.000000000 +0200 -+++ openssh-4.7p1/sshconnect.c 2008-03-06 15:58:03.000000000 +0100 +diff -up openssh-5.1p1/sshconnect.c.cloexec openssh-5.1p1/sshconnect.c +--- openssh-5.1p1/sshconnect.c.cloexec 2008-07-02 14:34:30.000000000 +0200 ++++ openssh-5.1p1/sshconnect.c 2008-07-23 15:21:23.000000000 +0200 @@ -38,6 +38,7 @@ #include #include @@ -28,7 +28,7 @@ diff -up openssh-4.7p1/sshconnect.c.cloexec openssh-4.7p1/sshconnect.c #include "xmalloc.h" #include "key.h" -@@ -189,8 +190,11 @@ ssh_create_socket(int privileged, struct +@@ -194,8 +195,11 @@ ssh_create_socket(int privileged, struct return sock; } sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); diff --git a/openssh-4.7p1-log-in-chroot.patch b/openssh-5.1p1-log-in-chroot.patch similarity index 57% rename from openssh-4.7p1-log-in-chroot.patch rename to openssh-5.1p1-log-in-chroot.patch index e510f58..be1ed35 100644 
--- a/openssh-4.7p1-log-in-chroot.patch +++ b/openssh-5.1p1-log-in-chroot.patch @@ -1,7 +1,7 @@ -diff -up openssh-4.7p1/sshd.c.log-chroot openssh-4.7p1/sshd.c ---- openssh-4.7p1/sshd.c.log-chroot 2007-09-06 17:24:13.000000000 +0200 -+++ openssh-4.7p1/sshd.c 2007-09-06 17:24:13.000000000 +0200 -@@ -596,6 +596,10 @@ privsep_preauth_child(void) +diff -up openssh-5.1p1/sshd.c.log-chroot openssh-5.1p1/sshd.c +--- openssh-5.1p1/sshd.c.log-chroot 2008-07-23 15:18:52.000000000 +0200 ++++ openssh-5.1p1/sshd.c 2008-07-23 15:18:52.000000000 +0200 +@@ -591,6 +591,10 @@ privsep_preauth_child(void) /* Demote the private keys to public keys. */ demote_sensitive_data(); @@ -12,9 +12,9 @@ diff -up openssh-4.7p1/sshd.c.log-chroot openssh-4.7p1/sshd.c /* Change our root directory */ if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, -diff -up openssh-4.7p1/log.c.log-chroot openssh-4.7p1/log.c ---- openssh-4.7p1/log.c.log-chroot 2007-05-20 07:08:16.000000000 +0200 -+++ openssh-4.7p1/log.c 2007-09-06 17:29:34.000000000 +0200 +diff -up openssh-5.1p1/log.c.log-chroot openssh-5.1p1/log.c +--- openssh-5.1p1/log.c.log-chroot 2008-06-10 15:01:51.000000000 +0200 ++++ openssh-5.1p1/log.c 2008-07-23 15:18:52.000000000 +0200 @@ -56,6 +56,7 @@ static LogLevel log_level = SYSLOG_LEVEL static int log_on_stderr = 1; static int log_facility = LOG_AUTH; @@ -23,7 +23,7 @@ diff -up openssh-4.7p1/log.c.log-chroot openssh-4.7p1/log.c extern char *__progname; -@@ -370,10 +371,21 @@ do_log(LogLevel level, const char *fmt, +@@ -392,10 +393,21 @@ do_log(LogLevel level, const char *fmt, syslog_r(pri, &sdata, "%.500s", fmtbuf); closelog_r(&sdata); #else 
@@ -45,13 +45,13 @@ diff -up openssh-4.7p1/log.c.log-chroot openssh-4.7p1/log.c + openlog(argv0 ? argv0 : __progname, LOG_PID|LOG_NDELAY, log_facility); + log_fd_keep = 1; +} -diff -up openssh-4.7p1/log.h.log-chroot openssh-4.7p1/log.h ---- openssh-4.7p1/log.h.log-chroot 2006-08-18 16:32:21.000000000 +0200 -+++ openssh-4.7p1/log.h 2007-09-06 17:24:13.000000000 +0200 -@@ -62,4 +62,6 @@ void debug3(const char *, ...) __att +diff -up openssh-5.1p1/log.h.log-chroot openssh-5.1p1/log.h +--- openssh-5.1p1/log.h.log-chroot 2008-06-13 02:22:54.000000000 +0200 ++++ openssh-5.1p1/log.h 2008-07-23 15:20:11.000000000 +0200 +@@ -66,4 +66,6 @@ void debug3(const char *, ...) __att void do_log(LogLevel, const char *, va_list); - void cleanup_exit(int) __dead; + void cleanup_exit(int) __attribute__((noreturn)); + +void open_log(void); #endif diff --git a/openssh-4.7p1-redhat.patch b/openssh-5.1p1-redhat.patch similarity index 71% rename from openssh-4.7p1-redhat.patch rename to openssh-5.1p1-redhat.patch index 1618a71..d1479cb 100644 --- a/openssh-4.7p1-redhat.patch +++ b/openssh-5.1p1-redhat.patch @@ -1,6 +1,6 @@ -diff -up openssh-4.7p1/sshd_config.redhat openssh-4.7p1/sshd_config ---- openssh-4.7p1/sshd_config.redhat 2007-03-21 10:42:25.000000000 +0100 -+++ openssh-4.7p1/sshd_config 2007-09-06 16:23:58.000000000 +0200 +diff -up openssh-5.1p1/sshd_config.redhat openssh-5.1p1/sshd_config +--- openssh-5.1p1/sshd_config.redhat 2008-07-02 14:35:43.000000000 +0200 ++++ openssh-5.1p1/sshd_config 2008-07-23 14:11:12.000000000 +0200 @@ -33,6 +33,7 @@ Protocol 2 # Logging # obsoletes QuietMode and FascistLogging @@ -9,7 +9,7 @@ diff -up openssh-4.7p1/sshd_config.redhat openssh-4.7p1/sshd_config #LogLevel INFO # Authentication: -@@ -59,9 +60,11 @@ Protocol 2 +@@ -60,9 +61,11 @@ Protocol 2 # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no 
@@ -21,7 +21,7 @@ diff -up openssh-4.7p1/sshd_config.redhat openssh-4.7p1/sshd_config # Kerberos options #KerberosAuthentication no -@@ -71,7 +74,9 @@ Protocol 2 +@@ -72,7 +75,9 @@ Protocol 2 # GSSAPI options #GSSAPIAuthentication no @@ -31,16 +31,18 @@ diff -up openssh-4.7p1/sshd_config.redhat openssh-4.7p1/sshd_config # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will -@@ -83,10 +88,16 @@ Protocol 2 +@@ -84,11 +89,18 @@ Protocol 2 # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. #UsePAM no +UsePAM yes ++ ++# Accept locale-related environment variables ++AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES ++AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT ++AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE -+# Accept locale-related environment variables -+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT -+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE + #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no @@ -48,9 +50,9 @@ diff -up openssh-4.7p1/sshd_config.redhat openssh-4.7p1/sshd_config #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes -diff -up openssh-4.7p1/ssh_config.redhat openssh-4.7p1/ssh_config ---- openssh-4.7p1/ssh_config.redhat 2007-06-11 06:04:42.000000000 +0200 -+++ openssh-4.7p1/ssh_config 2007-09-06 16:21:49.000000000 +0200 +diff -up openssh-5.1p1/ssh_config.redhat openssh-5.1p1/ssh_config +--- openssh-5.1p1/ssh_config.redhat 2007-06-11 06:04:42.000000000 +0200 ++++ openssh-5.1p1/ssh_config 2008-07-23 14:07:29.000000000 +0200 @@ -43,3 +43,13 @@ # Tunnel no # TunnelDevice any:any 
@@ -65,10 +67,10 @@ diff -up openssh-4.7p1/ssh_config.redhat openssh-4.7p1/ssh_config + SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE -diff -up openssh-4.7p1/sshd_config.0.redhat openssh-4.7p1/sshd_config.0 ---- openssh-4.7p1/sshd_config.0.redhat 2007-09-04 08:50:11.000000000 +0200 -+++ openssh-4.7p1/sshd_config.0 2007-09-06 16:21:49.000000000 +0200 -@@ -435,9 +435,9 @@ DESCRIPTION +diff -up openssh-5.1p1/sshd_config.0.redhat openssh-5.1p1/sshd_config.0 +--- openssh-5.1p1/sshd_config.0.redhat 2008-07-21 10:30:51.000000000 +0200 ++++ openssh-5.1p1/sshd_config.0 2008-07-23 14:07:29.000000000 +0200 +@@ -490,9 +490,9 @@ DESCRIPTION SyslogFacility Gives the facility code that is used when logging messages from @@ -81,10 +83,10 @@ diff -up openssh-4.7p1/sshd_config.0.redhat openssh-4.7p1/sshd_config.0 TCPKeepAlive Specifies whether the system should send TCP keepalive messages -diff -up openssh-4.7p1/sshd_config.5.redhat openssh-4.7p1/sshd_config.5 ---- openssh-4.7p1/sshd_config.5.redhat 2007-06-11 06:07:13.000000000 +0200 -+++ openssh-4.7p1/sshd_config.5 2007-09-06 16:21:49.000000000 +0200 -@@ -748,7 +748,7 @@ Note that this option applies to protoco +diff -up openssh-5.1p1/sshd_config.5.redhat openssh-5.1p1/sshd_config.5 +--- openssh-5.1p1/sshd_config.5.redhat 2008-07-02 14:35:43.000000000 +0200 ++++ openssh-5.1p1/sshd_config.5 2008-07-23 14:07:29.000000000 +0200 +@@ -846,7 +846,7 @@ Note that this option applies to protoco .It Cm SyslogFacility Gives the facility code that is used when logging messages from .Xr sshd 8 . diff --git a/openssh-4.7p1-selinux.patch b/openssh-5.1p1-selinux.patch similarity index 54% rename from openssh-4.7p1-selinux.patch rename to openssh-5.1p1-selinux.patch index 4346660..8cd618a 100644 --- a/openssh-4.7p1-selinux.patch +++ b/openssh-5.1p1-selinux.patch 
@@ -1,7 +1,7 @@ -diff -up openssh-4.7p1/configure.ac.selinux openssh-4.7p1/configure.ac ---- openssh-4.7p1/configure.ac.selinux 2007-09-06 19:46:32.000000000 +0200 -+++ openssh-4.7p1/configure.ac 2007-09-06 19:52:23.000000000 +0200 -@@ -3211,6 +3211,7 @@ AC_ARG_WITH(selinux, +diff -up openssh-5.1p1/configure.ac.selinux openssh-5.1p1/configure.ac +--- openssh-5.1p1/configure.ac.selinux 2008-07-23 16:32:13.000000000 +0200 ++++ openssh-5.1p1/configure.ac 2008-07-23 16:32:13.000000000 +0200 +@@ -3309,6 +3309,7 @@ AC_ARG_WITH(selinux, AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ], AC_MSG_ERROR(SELinux support requires libselinux library)) SSHDLIBS="$SSHDLIBS $LIBSELINUX" @@ -9,10 +9,10 @@ diff -up openssh-4.7p1/configure.ac.selinux openssh-4.7p1/configure.ac AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) LIBS="$save_LIBS" fi ] -diff -up openssh-4.7p1/auth1.c.selinux openssh-4.7p1/auth1.c ---- openssh-4.7p1/auth1.c.selinux 2007-09-06 19:46:32.000000000 +0200 -+++ openssh-4.7p1/auth1.c 2007-09-06 19:46:32.000000000 +0200 -@@ -388,7 +388,7 @@ void +diff -up openssh-5.1p1/auth1.c.selinux openssh-5.1p1/auth1.c +--- openssh-5.1p1/auth1.c.selinux 2008-07-23 16:32:13.000000000 +0200 ++++ openssh-5.1p1/auth1.c 2008-07-23 16:32:13.000000000 +0200 +@@ -391,7 +391,7 @@ void do_authentication(Authctxt *authctxt) { u_int ulen; @@ -21,7 +21,7 @@ diff -up openssh-4.7p1/auth1.c.selinux openssh-4.7p1/auth1.c /* Get the name of the user that we wish to log in as. */ packet_read_expect(SSH_CMSG_USER); -@@ -397,11 +397,19 @@ do_authentication(Authctxt *authctxt) +@@ -400,11 +400,19 @@ do_authentication(Authctxt *authctxt) user = packet_get_string(&ulen); packet_check_eom(); 
@@ -41,9 +41,28 @@ diff -up openssh-4.7p1/auth1.c.selinux openssh-4.7p1/auth1.c /* Verify that the user is a valid user. */ if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) -diff -up openssh-4.7p1/monitor_wrap.h.selinux openssh-4.7p1/monitor_wrap.h ---- openssh-4.7p1/monitor_wrap.h.selinux 2006-08-05 04:39:40.000000000 +0200 -+++ openssh-4.7p1/monitor_wrap.h 2007-09-06 19:46:32.000000000 +0200 +diff -up openssh-5.1p1/auth2-pubkey.c.selinux openssh-5.1p1/auth2-pubkey.c +--- openssh-5.1p1/auth2-pubkey.c.selinux 2008-07-04 04:54:25.000000000 +0200 ++++ openssh-5.1p1/auth2-pubkey.c 2008-07-23 16:32:13.000000000 +0200 +@@ -117,7 +117,14 @@ userauth_pubkey(Authctxt *authctxt) + } + /* reconstruct packet */ + buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); +- buffer_put_cstring(&b, authctxt->user); ++ if (authctxt->role) { ++ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1); ++ buffer_append(&b, authctxt->user, strlen(authctxt->user)); ++ buffer_put_char(&b, '/'); ++ buffer_append(&b, authctxt->role, strlen(authctxt->role)); ++ } else { ++ buffer_put_cstring(&b, authctxt->user); ++ } + buffer_put_cstring(&b, + datafellows & SSH_BUG_PKSERVICE ? + "ssh-userauth" : +diff -up openssh-5.1p1/monitor_wrap.h.selinux openssh-5.1p1/monitor_wrap.h +--- openssh-5.1p1/monitor_wrap.h.selinux 2006-08-05 04:39:40.000000000 +0200 ++++ openssh-5.1p1/monitor_wrap.h 2008-07-23 16:32:13.000000000 +0200 @@ -41,6 +41,7 @@ int mm_is_monitor(void); DH *mm_choose_dh(int, int, int); int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); 
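Review bot: The branch added to `userauth_pubkey` rebuilds the user field by hand as length, user, `/`, role, with no comment saying why, and the same eight lines are repeated in `userauth_hostbased` (the `auth2-hostbased.c` part of the selinux patch further down). A reader has to work out that the signature presumably covers the name as the client sent it, before the role was split off in `auth2.c`. I would put a comment such as `/* the signature covers the user name as sent, i.e. "user/role" */` above `if (authctxt->role)` and move the block into one shared helper, so the two call sites cannot drift apart from each other or from the monitor-side blob check. `userauth_pubkey` starts and ends outside this hunk.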
@@ -52,9 +71,9 @@ diff -up openssh-4.7p1/monitor_wrap.h.selinux openssh-4.7p1/monitor_wrap.h struct passwd *mm_getpwnamallow(const char *); char *mm_auth2_read_banner(void); int mm_auth_password(struct Authctxt *, char *); -diff -up openssh-4.7p1/monitor.h.selinux openssh-4.7p1/monitor.h ---- openssh-4.7p1/monitor.h.selinux 2006-03-26 05:30:02.000000000 +0200 -+++ openssh-4.7p1/monitor.h 2007-09-06 19:46:32.000000000 +0200 +diff -up openssh-5.1p1/monitor.h.selinux openssh-5.1p1/monitor.h +--- openssh-5.1p1/monitor.h.selinux 2006-03-26 05:30:02.000000000 +0200 ++++ openssh-5.1p1/monitor.h 2008-07-23 16:32:13.000000000 +0200 @@ -30,7 +30,7 @@ enum monitor_reqtype { 
@@ -64,10 +83,29 @@ diff -up openssh-4.7p1/monitor.h.selinux openssh-4.7p1/monitor.h MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, -diff -up openssh-4.7p1/monitor_wrap.c.selinux openssh-4.7p1/monitor_wrap.c ---- openssh-4.7p1/monitor_wrap.c.selinux 2007-06-11 06:01:42.000000000 +0200 -+++ openssh-4.7p1/monitor_wrap.c 2007-09-06 19:46:32.000000000 +0200 -@@ -294,6 +294,23 @@ mm_inform_authserv(char *service, char * +diff -up openssh-5.1p1/auth2-hostbased.c.selinux openssh-5.1p1/auth2-hostbased.c +--- openssh-5.1p1/auth2-hostbased.c.selinux 2008-07-17 10:57:19.000000000 +0200 ++++ openssh-5.1p1/auth2-hostbased.c 2008-07-23 16:32:13.000000000 +0200 +@@ -106,7 +106,14 @@ userauth_hostbased(Authctxt *authctxt) + buffer_put_string(&b, session_id2, session_id2_len); + /* reconstruct packet */ + buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); +- buffer_put_cstring(&b, authctxt->user); ++ if (authctxt->role) { ++ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1); ++ buffer_append(&b, authctxt->user, strlen(authctxt->user)); ++ buffer_put_char(&b, '/'); ++ buffer_append(&b, authctxt->role, strlen(authctxt->role)); ++ } else { ++ buffer_put_cstring(&b, authctxt->user); ++ } + buffer_put_cstring(&b, service); + buffer_put_cstring(&b, "hostbased"); + buffer_put_string(&b, pkalg, alen); +diff -up openssh-5.1p1/monitor_wrap.c.selinux openssh-5.1p1/monitor_wrap.c +--- openssh-5.1p1/monitor_wrap.c.selinux 2008-07-11 09:36:48.000000000 +0200 ++++ openssh-5.1p1/monitor_wrap.c 2008-07-23 16:32:13.000000000 +0200 +@@ -296,6 +296,23 @@ mm_inform_authserv(char *service, char * buffer_free(&m); } 
@@ -91,9 +129,9 @@ diff -up openssh-4.7p1/monitor_wrap.c.selinux openssh-4.7p1/monitor_wrap.c /* Do the password authentication */ int mm_auth_password(Authctxt *authctxt, char *password) -diff -up openssh-4.7p1/openbsd-compat/port-linux.c.selinux openssh-4.7p1/openbsd-compat/port-linux.c ---- openssh-4.7p1/openbsd-compat/port-linux.c.selinux 2007-06-28 00:48:03.000000000 +0200 -+++ openssh-4.7p1/openbsd-compat/port-linux.c 2007-09-06 19:46:32.000000000 +0200 +diff -up openssh-5.1p1/openbsd-compat/port-linux.c.selinux openssh-5.1p1/openbsd-compat/port-linux.c +--- openssh-5.1p1/openbsd-compat/port-linux.c.selinux 2008-03-26 21:27:21.000000000 +0100 ++++ openssh-5.1p1/openbsd-compat/port-linux.c 2008-07-23 16:32:13.000000000 +0200 @@ -30,11 +30,16 @@ #ifdef WITH_SELINUX #include "log.h" @@ -109,7 +147,7 @@ diff -up openssh-4.7p1/openbsd-compat/port-linux.c.selinux openssh-4.7p1/openbsd +extern Authctxt *the_authctxt; + /* Wrapper around is_selinux_enabled() to log its return value once only */ - static int + int ssh_selinux_enabled(void) @@ -53,23 +58,36 @@ ssh_selinux_enabled(void) static security_context_t @@ -155,9 +193,9 @@ diff -up openssh-4.7p1/openbsd-compat/port-linux.c.selinux openssh-4.7p1/openbsd if (r != 0) { switch (security_getenforce()) { -diff -up openssh-4.7p1/auth.h.selinux openssh-4.7p1/auth.h ---- openssh-4.7p1/auth.h.selinux 2006-08-18 16:32:46.000000000 +0200 -+++ openssh-4.7p1/auth.h 2007-09-06 19:46:32.000000000 +0200 +diff -up openssh-5.1p1/auth.h.selinux openssh-5.1p1/auth.h +--- openssh-5.1p1/auth.h.selinux 2008-07-02 14:37:30.000000000 +0200 ++++ openssh-5.1p1/auth.h 2008-07-23 16:32:13.000000000 +0200 @@ -58,6 +58,7 @@ struct Authctxt { char *service; struct passwd *pw; /* set if 'valid' */ 
@@ -166,10 +204,10 @@ diff -up openssh-4.7p1/auth.h.selinux openssh-4.7p1/auth.h void *kbdintctxt; #ifdef BSD_AUTH auth_session_t *as; -diff -up openssh-4.7p1/auth2.c.selinux openssh-4.7p1/auth2.c ---- openssh-4.7p1/auth2.c.selinux 2007-05-20 06:58:41.000000000 +0200 -+++ openssh-4.7p1/auth2.c 2007-09-06 19:46:32.000000000 +0200 -@@ -141,7 +141,7 @@ input_userauth_request(int type, u_int32 +diff -up openssh-5.1p1/auth2.c.selinux openssh-5.1p1/auth2.c +--- openssh-5.1p1/auth2.c.selinux 2008-07-05 01:44:53.000000000 +0200 ++++ openssh-5.1p1/auth2.c 2008-07-23 16:32:13.000000000 +0200 +@@ -209,7 +209,7 @@ input_userauth_request(int type, u_int32 { Authctxt *authctxt = ctxt; Authmethod *m = NULL; @@ -178,7 +216,7 @@ diff -up openssh-4.7p1/auth2.c.selinux openssh-4.7p1/auth2.c int authenticated = 0; if (authctxt == NULL) -@@ -153,6 +153,9 @@ input_userauth_request(int type, u_int32 +@@ -221,6 +221,9 @@ input_userauth_request(int type, u_int32 debug("userauth-request for user %s service %s method %s", user, service, method); debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); @@ -188,7 +226,7 @@ diff -up openssh-4.7p1/auth2.c.selinux openssh-4.7p1/auth2.c if ((style = strchr(user, ':')) != NULL) *style++ = 0; -@@ -178,8 +181,11 @@ input_userauth_request(int type, u_int32 +@@ -246,8 +249,11 @@ input_userauth_request(int type, u_int32 use_privsep ? " [net]" : ""); authctxt->service = xstrdup(service); authctxt->style = style ? xstrdup(style) : NULL; 
@@ -198,13 +236,13 @@ diff -up openssh-4.7p1/auth2.c.selinux openssh-4.7p1/auth2.c mm_inform_authserv(service, style); + mm_inform_authrole(role); + } + userauth_banner(); } else if (strcmp(user, authctxt->user) != 0 || strcmp(service, authctxt->service) != 0) { - packet_disconnect("Change of username or service not allowed: " -diff -up openssh-4.7p1/monitor.c.selinux openssh-4.7p1/monitor.c ---- openssh-4.7p1/monitor.c.selinux 2007-05-20 07:10:16.000000000 +0200 -+++ openssh-4.7p1/monitor.c 2007-09-06 19:46:32.000000000 +0200 -@@ -133,6 +133,7 @@ int mm_answer_sign(int, Buffer *); +diff -up openssh-5.1p1/monitor.c.selinux openssh-5.1p1/monitor.c +--- openssh-5.1p1/monitor.c.selinux 2008-07-11 09:36:48.000000000 +0200 ++++ openssh-5.1p1/monitor.c 2008-07-23 16:36:10.000000000 +0200 +@@ -134,6 +134,7 @@ int mm_answer_sign(int, Buffer *); int mm_answer_pwnamallow(int, Buffer *); int mm_answer_auth2_read_banner(int, Buffer *); int mm_answer_authserv(int, Buffer *); @@ -212,7 +250,7 @@ diff -up openssh-4.7p1/monitor.c.selinux openssh-4.7p1/monitor.c int mm_answer_authpassword(int, Buffer *); int mm_answer_bsdauthquery(int, Buffer *); int mm_answer_bsdauthrespond(int, Buffer *); -@@ -204,6 +205,7 @@ struct mon_table mon_dispatch_proto20[] +@@ -205,6 +206,7 @@ struct mon_table mon_dispatch_proto20[] {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, @@ -220,7 +258,7 @@ diff -up openssh-4.7p1/monitor.c.selinux openssh-4.7p1/monitor.c {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, #ifdef USE_PAM -@@ -657,6 +659,7 @@ mm_answer_pwnamallow(int sock, Buffer *m +@@ -658,6 +660,7 @@ mm_answer_pwnamallow(int sock, Buffer *m else { /* Allow service/style information on the auth context */ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 
@@ -228,7 +266,7 @@ diff -up openssh-4.7p1/monitor.c.selinux openssh-4.7p1/monitor.c monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); } -@@ -702,6 +705,23 @@ mm_answer_authserv(int sock, Buffer *m) +@@ -703,6 +706,23 @@ mm_answer_authserv(int sock, Buffer *m) } int @@ -252,3 +290,39 @@ diff -up openssh-4.7p1/monitor.c.selinux openssh-4.7p1/monitor.c mm_answer_authpassword(int sock, Buffer *m) { static int call_count; +@@ -1080,7 +1100,7 @@ static int + monitor_valid_userblob(u_char *data, u_int datalen) + { + Buffer b; +- char *p; ++ char *p, *r; + u_int len; + int fail = 0; + +@@ -1106,6 +1126,8 @@ monitor_valid_userblob(u_char *data, u_i + if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) + fail++; + p = buffer_get_string(&b, NULL); ++ if ((r = strchr(p, '/')) != NULL) ++ *r = '\0'; + if (strcmp(authctxt->user, p) != 0) { + logit("wrong user name passed to monitor: expected %s != %.100s", + authctxt->user, p); +@@ -1137,7 +1159,7 @@ monitor_valid_hostbasedblob(u_char *data + char *chost) + { + Buffer b; +- char *p; ++ char *p, *r; + u_int len; + int fail = 0; + +@@ -1154,6 +1176,8 @@ monitor_valid_hostbasedblob(u_char *data + if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) + fail++; + p = buffer_get_string(&b, NULL); ++ if ((r = strchr(p, '/')) != NULL) ++ *r = '\0'; + if (strcmp(authctxt->user, p) != 0) { + logit("wrong user name passed to monitor: expected %s != %.100s", + authctxt->user, p); diff --git a/openssh-4.7p1-vendor.patch b/openssh-5.1p1-vendor.patch similarity index 51% rename from openssh-4.7p1-vendor.patch rename to openssh-5.1p1-vendor.patch index eff213a..826a1df 100644 --- a/openssh-4.7p1-vendor.patch +++ b/openssh-5.1p1-vendor.patch 
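Review bot: In the lines added to `monitor_valid_userblob` and `monitor_valid_hostbasedblob`, everything after `/` is cut off with `*r = '\0'` and never compared with anything, so the monitor accepts a signed blob whatever role it names as long as the user part equals `authctxt->user`. The blob is supplied by the unprivileged child and the role reaches the monitor separately through `MONITOR_REQ_AUTHROLE`, so nothing visible here ties the role the client signed to the role that is later applied to the session. Consider checking the suffix as well, for example `if (r != NULL && (authctxt->role == NULL || strcmp(authctxt->role, r + 1) != 0)) fail++;`, and counting a missing suffix as a failure when `authctxt->role` is set. Both functions start and end outside the quoted hunks, so whether a later check already covers this cannot be confirmed from this page.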
@@ -1,7 +1,7 @@ -diff -up openssh-4.7p1/configure.ac.vendor openssh-4.7p1/configure.ac ---- openssh-4.7p1/configure.ac.vendor 2007-09-06 16:27:47.000000000 +0200 -+++ openssh-4.7p1/configure.ac 2007-09-06 16:27:47.000000000 +0200 -@@ -3792,6 +3792,12 @@ AC_ARG_WITH(lastlog, +diff -up openssh-5.1p1/configure.ac.vendor openssh-5.1p1/configure.ac +--- openssh-5.1p1/configure.ac.vendor 2008-07-23 14:13:22.000000000 +0200 ++++ openssh-5.1p1/configure.ac 2008-07-23 14:13:22.000000000 +0200 +@@ -3890,6 +3890,12 @@ AC_ARG_WITH(lastlog, fi ] ) @@ -14,7 +14,7 @@ diff -up openssh-4.7p1/configure.ac.vendor openssh-4.7p1/configure.ac dnl lastlog, [uw]tmpx? detection dnl NOTE: set the paths in the platform section to avoid the -@@ -4041,6 +4047,7 @@ echo " IP address in \$DISPLAY hac +@@ -4146,6 +4152,7 @@ echo " IP address in \$DISPLAY hac echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" echo " BSD Auth support: $BSD_AUTH_MSG" echo " Random number source: $RAND_MSG" 
@@ -22,47 +22,47 @@ diff -up openssh-4.7p1/configure.ac.vendor openssh-4.7p1/configure.ac if test ! -z "$USE_RAND_HELPER" ; then echo " ssh-rand-helper collects from: $RAND_HELPER_MSG" fi -diff -up openssh-4.7p1/sshd_config.5.vendor openssh-4.7p1/sshd_config.5 ---- openssh-4.7p1/sshd_config.5.vendor 2007-09-06 16:27:47.000000000 +0200 -+++ openssh-4.7p1/sshd_config.5 2007-09-06 16:27:47.000000000 +0200 -@@ -725,6 +725,14 @@ This option applies to protocol version +diff -up openssh-5.1p1/sshd_config.5.vendor openssh-5.1p1/sshd_config.5 +--- openssh-5.1p1/sshd_config.5.vendor 2008-07-23 14:13:22.000000000 +0200 ++++ openssh-5.1p1/sshd_config.5 2008-07-23 14:19:23.000000000 +0200 +@@ -812,6 +812,14 @@ This option applies to protocol version .It Cm ServerKeyBits Defines the number of bits in the ephemeral protocol version 1 server key. - The minimum value is 512, and the default is 768. -+.It Cm ShowPatchLevel -+Specifies whether -+.Nm sshd -+will display the patch level of the binary in the identification string. -+The patch level is set at compile-time. -+The default is -+.Dq no . -+This option applies to protocol version 1 only. + The minimum value is 512, and the default is 1024. ++.It Cm ShowPatchLevel ++Specifies whether ++.Nm sshd ++will display the patch level of the binary in the identification string. ++The patch level is set at compile-time. ++The default is ++.Dq no . ++This option applies to protocol version 1 only. 
.It Cm StrictModes Specifies whether .Xr sshd 8 -diff -up openssh-4.7p1/servconf.h.vendor openssh-4.7p1/servconf.h ---- openssh-4.7p1/servconf.h.vendor 2007-02-19 12:25:38.000000000 +0100 -+++ openssh-4.7p1/servconf.h 2007-09-06 16:27:47.000000000 +0200 -@@ -120,6 +120,7 @@ typedef struct { - int max_startups; +diff -up openssh-5.1p1/servconf.h.vendor openssh-5.1p1/servconf.h +--- openssh-5.1p1/servconf.h.vendor 2008-06-10 15:01:51.000000000 +0200 ++++ openssh-5.1p1/servconf.h 2008-07-23 14:13:22.000000000 +0200 +@@ -126,6 +126,7 @@ typedef struct { int max_authtries; + int max_sessions; char *banner; /* SSH-2 banner message */ + int show_patchlevel; /* Show vendor patch level to clients */ int use_dns; int client_alive_interval; /* * poke the client this often to -diff -up openssh-4.7p1/servconf.c.vendor openssh-4.7p1/servconf.c ---- openssh-4.7p1/servconf.c.vendor 2007-05-20 07:03:16.000000000 +0200 -+++ openssh-4.7p1/servconf.c 2007-09-06 16:29:11.000000000 +0200 -@@ -113,6 +113,7 @@ initialize_server_options(ServerOptions - options->max_startups = -1; +diff -up openssh-5.1p1/servconf.c.vendor openssh-5.1p1/servconf.c +--- openssh-5.1p1/servconf.c.vendor 2008-07-04 05:51:12.000000000 +0200 ++++ openssh-5.1p1/servconf.c 2008-07-23 14:32:27.000000000 +0200 +@@ -117,6 +117,7 @@ initialize_server_options(ServerOptions options->max_authtries = -1; + options->max_sessions = -1; options->banner = NULL; + options->show_patchlevel = -1; options->use_dns = -1; options->client_alive_interval = -1; options->client_alive_count_max = -1; -@@ -250,6 +251,9 @@ fill_default_server_options(ServerOption +@@ -259,6 +260,9 @@ fill_default_server_options(ServerOption if (options->permit_tun == -1) options->permit_tun = SSH_TUNMODE_NO; 
@@ -72,23 +72,24 @@ diff -up openssh-4.7p1/servconf.c.vendor openssh-4.7p1/servconf.c /* Turn privilege separation on by default */ if (use_privsep == -1) use_privsep = 1; -@@ -293,6 +297,7 @@ typedef enum { +@@ -296,7 +300,7 @@ typedef enum { + sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, + sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, + sMaxStartups, sMaxAuthTries, sMaxSessions, +- sBanner, sUseDNS, sHostbasedAuthentication, ++ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication, + sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, + sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, - sMatch, sPermitOpen, sForceCommand, - sUsePrivilegeSeparation, -+ sShowPatchLevel, - sDeprecated, sUnsupported - } ServerOpCodes; - -@@ -390,6 +395,7 @@ static struct { - { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, - { "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL }, +@@ -401,6 +405,7 @@ static struct { + { "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, + { "maxsessions", sMaxSessions, SSHCFG_ALL }, { "banner", sBanner, SSHCFG_ALL }, + { "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL }, { "usedns", sUseDNS, SSHCFG_GLOBAL }, { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, -@@ -1005,6 +1011,10 @@ parse_flag: +@@ -1020,6 +1025,10 @@ process_server_config_line(ServerOptions intptr = &use_privsep; goto parse_flag; 
@@ -99,12 +100,20 @@ diff -up openssh-4.7p1/servconf.c.vendor openssh-4.7p1/servconf.c case sAllowUsers: while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_allow_users >= MAX_ALLOW_USERS) -diff -up openssh-4.7p1/sshd_config.0.vendor openssh-4.7p1/sshd_config.0 ---- openssh-4.7p1/sshd_config.0.vendor 2007-09-06 16:27:47.000000000 +0200 -+++ openssh-4.7p1/sshd_config.0 2007-09-06 16:27:47.000000000 +0200 -@@ -418,6 +418,11 @@ DESCRIPTION +@@ -1584,6 +1593,7 @@ dump_config(ServerOptions *o) + dump_cfg_fmtint(sUseLogin, o->use_login); + dump_cfg_fmtint(sCompression, o->compression); + dump_cfg_fmtint(sGatewayPorts, o->gateway_ports); ++ dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel); + dump_cfg_fmtint(sUseDNS, o->use_dns); + dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); + dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); +diff -up openssh-5.1p1/sshd_config.0.vendor openssh-5.1p1/sshd_config.0 +--- openssh-5.1p1/sshd_config.0.vendor 2008-07-23 14:13:22.000000000 +0200 ++++ openssh-5.1p1/sshd_config.0 2008-07-23 14:13:22.000000000 +0200 +@@ -466,6 +466,11 @@ DESCRIPTION Defines the number of bits in the ephemeral protocol version 1 - server key. The minimum value is 512, and the default is 768. + server key. The minimum value is 512, and the default is 1024. + ShowPatchLevel + Specifies whether sshd will display the specific patch level of 
@@ -114,10 +123,10 @@ diff -up openssh-4.7p1/sshd_config.0.vendor openssh-4.7p1/sshd_config.0 StrictModes Specifies whether sshd(8) should check file modes and ownership of the user's files and home directory before accepting login. -diff -up openssh-4.7p1/sshd_config.vendor openssh-4.7p1/sshd_config ---- openssh-4.7p1/sshd_config.vendor 2007-09-06 16:27:47.000000000 +0200 -+++ openssh-4.7p1/sshd_config 2007-09-06 16:27:47.000000000 +0200 -@@ -109,6 +109,7 @@ X11Forwarding yes +diff -up openssh-5.1p1/sshd_config.vendor openssh-5.1p1/sshd_config +--- openssh-5.1p1/sshd_config.vendor 2008-07-23 14:13:22.000000000 +0200 ++++ openssh-5.1p1/sshd_config 2008-07-23 14:13:22.000000000 +0200 +@@ -112,6 +112,7 @@ X11Forwarding yes #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 
@@ -125,20 +134,19 @@ diff -up openssh-4.7p1/sshd_config.vendor openssh-4.7p1/sshd_config #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 -diff -up openssh-4.7p1/sshd.c.vendor openssh-4.7p1/sshd.c ---- openssh-4.7p1/sshd.c.vendor 2007-06-05 10:22:32.000000000 +0200 -+++ openssh-4.7p1/sshd.c 2007-09-06 16:27:47.000000000 +0200 -@@ -419,7 +419,8 @@ sshd_exchange_identification(int sock_in - major = PROTOCOL_MAJOR_1; +diff -up openssh-5.1p1/sshd.c.vendor openssh-5.1p1/sshd.c +--- openssh-5.1p1/sshd.c.vendor 2008-07-11 09:36:49.000000000 +0200 ++++ openssh-5.1p1/sshd.c 2008-07-23 14:35:43.000000000 +0200 +@@ -416,7 +416,7 @@ sshd_exchange_identification(int sock_in minor = PROTOCOL_MINOR_1; } -- snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION); -+ snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, -+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION); + snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor, +- SSH_VERSION, newline); ++ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline); server_version_string = xstrdup(buf); /* Send our protocol version identification. */ -@@ -1434,7 +1435,8 @@ main(int ac, char **av) +@@ -1484,7 +1484,8 @@ main(int ac, char **av) exit(1); } diff --git a/openssh.spec b/openssh.spec index 2849676..3555ade 100644 --- a/openssh.spec +++ b/openssh.spec @@ -62,8 +62,8 @@ Summary: The OpenSSH implementation of SSH protocol versions 1 and 2 Name: openssh -Version: 5.0p1 -Release: 3%{?dist}%{?rescue_rel} +Version: 5.1p1 +Release: 1%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc 
@@ -74,17 +74,17 @@ Source0: openssh-%{version}-noacss.tar.bz2 Source1: openssh-nukeacss.sh Source2: sshd.pam Source3: sshd.init -Patch0: openssh-4.7p1-redhat.patch +Patch0: openssh-5.1p1-redhat.patch Patch2: openssh-3.8.1p1-skip-initial.patch Patch3: openssh-3.8.1p1-krb5-config.patch -Patch4: openssh-4.7p1-vendor.patch -Patch12: openssh-4.7p1-selinux.patch +Patch4: openssh-5.1p1-vendor.patch +Patch12: openssh-5.1p1-selinux.patch Patch13: openssh-4.7p1-mls.patch Patch16: openssh-4.7p1-audit.patch Patch17: openssh-4.3p2-cve-2007-3102.patch Patch22: openssh-3.9p1-askpass-keep-above.patch Patch24: openssh-4.3p1-fromto-remote.patch -Patch27: openssh-4.7p1-log-in-chroot.patch +Patch27: openssh-5.1p1-log-in-chroot.patch Patch30: openssh-4.0p1-exit-deadlock.patch Patch35: openssh-4.2p1-askpass-progress.patch Patch38: openssh-4.3p2-askpass-grab-info.patch @@ -93,11 +93,8 @@ Patch44: openssh-4.3p2-allow-ip-opts.patch Patch49: openssh-4.3p2-gssapi-canohost.patch Patch51: openssh-4.7p1-nss-keys.patch Patch54: openssh-4.7p1-gssapi-role.patch -Patch55: openssh-4.7p1-cloexec.patch -Patch58: openssh-4.5p1-controlcleanup.patch -Patch59: openssh-4.7p1-master-race.patch +Patch55: openssh-5.1p1-cloexec.patch Patch60: openssh-5.0p1-pam_selinux.patch -Patch61: openssh-5.0p1-unbreakalive.patch Patch62: openssh-3.9p1-scp-manpage.patch License: BSD @@ -229,10 +226,7 @@ an X11 passphrase dialog for OpenSSH. %patch51 -p1 -b .nss-keys %patch54 -p0 -b .gssapi-role %patch55 -p1 -b .cloexec -%patch58 -p1 -b .controlcleanup -%patch59 -p1 -b .master-race %patch60 -p1 -b .pam_selinux -%patch61 -p0 -b .unbreakalive %patch62 -p0 -b .manpage autoreconf @@ -423,7 +417,7 @@ fi %files %defattr(-,root,root) -%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* RFC* TODO WARNING* +%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW PROTOCOL* README* TODO WARNING* %attr(0755,root,root) %dir %{_sysconfdir}/ssh %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli %if ! %{rescue} 
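Review bot: Patch58 (controlcleanup), Patch59 (master-race) and Patch61 (unbreakalive) are removed in the `@@ -93,11 +93,8 @@` hunk, and their `%patch` lines in the `@@ -229,10 +226,7 @@` hunk, but neither the commit message nor the new %changelog entry says why. Presumably 5.1p1 carries equivalent fixes upstream; that should be confirmed against the new tarball before the patches are deleted. Once confirmed, a changelog line such as `- dropped controlcleanup, master-race and unbreakalive patches (merged upstream)` would let a later reader tell a deliberate removal from a lost fix.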
@@ -468,6 +462,7 @@ fi %attr(0755,root,root) %{_sbindir}/sshd %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server %attr(0644,root,root) %{_mandir}/man5/sshd_config.5* +%attr(0644,root,root) %{_mandir}/man5/moduli.5* %attr(0644,root,root) %{_mandir}/man8/sshd.8* %attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config @@ -484,6 +479,11 @@ fi %endif %changelog +* Wed Jul 23 2008 Tomas Mraz - 5.1p1-1 +- upgrade to new upstream release +- fixed a problem with public key authentication and explicitely + specified SELinux role + * Wed May 21 2008 Tomas Mraz - 5.0p1-3 - pass the connection socket to ssh-keysign (#447680) diff --git a/sources b/sources index dcc3173..eda40d2 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -e39c15a5fb9036bd64256c78a6fbf394 openssh-5.0p1-noacss.tar.bz2 +5273579190b10f53baaf87f3c6eb0d73 openssh-5.1p1-noacss.tar.bz2