From a7cb7d2954be824d67284591d685aae794fb5dcc Mon Sep 17 00:00:00 2001 From: "Jan F. Chadima" Date: Thu, 28 Oct 2010 13:04:45 +0200 Subject: [PATCH] - reenable run sshd as non root user - renable rekeying --- openssh-5.6p1-audit1a.patch | 13 ++++++ openssh-5.6p1-audit2.patch | 39 ++++++++-------- openssh-5.6p1-audit3.patch | 93 ++++++++++++++++++++++--------------- openssh.spec | 16 +++++-- 4 files changed, 99 insertions(+), 62 deletions(-) create mode 100644 openssh-5.6p1-audit1a.patch diff --git a/openssh-5.6p1-audit1a.patch b/openssh-5.6p1-audit1a.patch new file mode 100644 index 0000000..bbb1ed2 --- /dev/null +++ b/openssh-5.6p1-audit1a.patch @@ -0,0 +1,13 @@ +diff -up openssh-5.6p1/audit-linux.c.audit1a openssh-5.6p1/audit-linux.c +--- openssh-5.6p1/audit-linux.c.audit1a 2010-12-10 21:47:03.000000000 +0100 ++++ openssh-5.6p1/audit-linux.c 2010-12-10 21:50:31.000000000 +0100 +@@ -59,7 +59,8 @@ linux_audit_record_event(int uid, const + saved_errno = errno; + close(audit_fd); + errno = saved_errno; +- return (rc >= 0); ++ /* do not report error if the error is EPERM and sshd is run as non root user */ ++ return (rc >= 0) || ((rc == -EPERM) && (getuid() != 0)); + } + + /* Below is the sshd audit API code */ diff --git a/openssh-5.6p1-audit2.patch b/openssh-5.6p1-audit2.patch index 8b683cc..65f5a2b 100644 --- a/openssh-5.6p1-audit2.patch +++ b/openssh-5.6p1-audit2.patch @@ -1,6 +1,6 @@ diff -up openssh-5.6p1/audit-bsm.c.audit2 openssh-5.6p1/audit-bsm.c ---- openssh-5.6p1/audit-bsm.c.audit2 2010-11-05 15:41:17.000000000 +0100 -+++ openssh-5.6p1/audit-bsm.c 2010-11-05 15:45:28.000000000 +0100 +--- openssh-5.6p1/audit-bsm.c.audit2 2010-12-10 21:55:40.000000000 +0100 ++++ openssh-5.6p1/audit-bsm.c 2010-12-10 21:55:41.000000000 +0100 @@ -316,6 +316,12 @@ audit_session_close(struct logininfo *li /* not implemented */ } 
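Review bot: The new `return (rc >= 0) || ((rc == -EPERM) && (getuid() != 0));` in linux_audit_record_event reports success to the caller without leaving any trace that the audit record was dropped, so a non-root sshd loses audit events silently; a `debug("%s: audit record not written (EPERM, uid %u)", __func__, (unsigned)getuid());` placed before the return would keep the loss visible, and audit-linux.c already includes log.h (visible in the audit3.patch hunk for the same file). The same silent-tolerance pattern recurs in the audit_keyusage return path in openssh-5.6p1-audit2.patch and in the audit_kex_body check in openssh-5.6p1-audit3.patch, so a log line belongs in each. The `-EPERM` comparison presumes libaudit hands back a negative errno value from audit_log_acct_message, which is consistent with how rc is treated on this page but not something the hunk itself shows. linux_audit_record_event begins outside the hunk.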
@@ -15,8 +15,8 @@ diff -up openssh-5.6p1/audit-bsm.c.audit2 openssh-5.6p1/audit-bsm.c audit_event(ssh_audit_event_t event) { diff -up openssh-5.6p1/audit.c.audit2 openssh-5.6p1/audit.c ---- openssh-5.6p1/audit.c.audit2 2010-11-05 15:41:17.000000000 +0100 -+++ openssh-5.6p1/audit.c 2010-11-05 15:51:37.000000000 +0100 +--- openssh-5.6p1/audit.c.audit2 2010-12-10 21:55:40.000000000 +0100 ++++ openssh-5.6p1/audit.c 2010-12-10 21:55:41.000000000 +0100 @@ -111,6 +111,33 @@ audit_event_lookup(ssh_audit_event_t ev) return(event_lookup[i].name); } @@ -70,8 +70,8 @@ diff -up openssh-5.6p1/audit.c.audit2 openssh-5.6p1/audit.c # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ diff -up openssh-5.6p1/audit.h.audit2 openssh-5.6p1/audit.h ---- openssh-5.6p1/audit.h.audit2 2010-11-05 15:41:17.000000000 +0100 -+++ openssh-5.6p1/audit.h 2010-11-05 15:41:18.000000000 +0100 +--- openssh-5.6p1/audit.h.audit2 2010-12-10 21:55:40.000000000 +0100 ++++ openssh-5.6p1/audit.h 2010-12-10 21:55:41.000000000 +0100 @@ -28,6 +28,7 @@ # define _SSH_AUDIT_H @@ -89,8 +89,8 @@ diff -up openssh-5.6p1/audit.h.audit2 openssh-5.6p1/audit.h #endif /* _SSH_AUDIT_H */ diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c ---- openssh-5.6p1/audit-linux.c.audit2 2010-11-05 15:41:17.000000000 +0100 -+++ openssh-5.6p1/audit-linux.c 2010-11-05 15:41:18.000000000 +0100 +--- openssh-5.6p1/audit-linux.c.audit2 2010-12-10 21:55:41.000000000 +0100 ++++ openssh-5.6p1/audit-linux.c 2010-12-10 22:16:42.000000000 +0100 @@ -37,6 +37,8 @@ #include "audit.h" #include "canohost.h" @@ -100,8 +100,8 @@ diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c const char* audit_username(void); int -@@ -62,6 +64,36 @@ linux_audit_record_event(int uid, const - return (rc >= 0); +@@ -63,6 +65,37 @@ linux_audit_record_event(int uid, const + return (rc >= 0) || ((rc == -EPERM) && (getuid() != 0)); } +int 
@@ -121,7 +121,7 @@ diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c + snprintf(buf, sizeof(buf), "%s_auth rport=%d", host_user ? "hostbased" : "pubkey", get_remote_port()); + rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL, + buf, audit_username(), -1, NULL, get_remote_ipaddr(), NULL, rv); -+ if (rc < 0) ++ if ((rc < 0) && ((rc != -1) || (getuid() == 0))) + goto out; + snprintf(buf, sizeof(buf), "key algo=%s size=%d fp=%s rport=%d", + type, 8 * len, fp, get_remote_port()); @@ -131,7 +131,8 @@ diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c + saved_errno = errno; + audit_close(audit_fd); + errno = saved_errno; -+ return (rc >= 0); ++ /* do not report error if the error is EPERM and sshd is run as non root user */ ++ return (rc >= 0) || ((rc == -EPERM) && (getuid() != 0)); +} + /* Below is the sshd audit API code */ @@ -139,7 +140,7 @@ diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c void diff -up openssh-5.6p1/auth2-hostbased.c.audit2 openssh-5.6p1/auth2-hostbased.c --- openssh-5.6p1/auth2-hostbased.c.audit2 2010-08-05 05:04:50.000000000 +0200 -+++ openssh-5.6p1/auth2-hostbased.c 2010-11-05 15:41:18.000000000 +0100 ++++ openssh-5.6p1/auth2-hostbased.c 2010-12-10 21:55:41.000000000 +0100 @@ -136,6 +136,18 @@ done: return authenticated; } @@ -161,7 +162,7 @@ diff -up openssh-5.6p1/auth2-hostbased.c.audit2 openssh-5.6p1/auth2-hostbased.c hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, diff -up openssh-5.6p1/auth2-pubkey.c.audit2 openssh-5.6p1/auth2-pubkey.c --- openssh-5.6p1/auth2-pubkey.c.audit2 2010-07-02 05:35:19.000000000 +0200 -+++ openssh-5.6p1/auth2-pubkey.c 2010-11-05 15:41:18.000000000 +0100 ++++ openssh-5.6p1/auth2-pubkey.c 2010-12-10 21:55:41.000000000 +0100 @@ -177,6 +177,18 @@ done: return authenticated; } 
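Review bot: In the audit_keyusage change `if ((rc < 0) && ((rc != -1) || (getuid() == 0)))` the tolerated error is spelled as the magic value `-1`, while the function's own return path in the next hunk spells the same condition `rc == -EPERM`; the two only agree because EPERM happens to be 1 on Linux, and `-1` would also match a plain failure return that is not a permission problem, if one can occur. Writing it as `if ((rc < 0) && ((rc != -EPERM) || (getuid() == 0)))` keeps the two checks in one function consistent and makes the intent readable without knowing the errno table. The same `!= -1` spelling appears in the audit_kex_body check in openssh-5.6p1-audit3.patch. audit_keyusage starts and ends outside this hunk.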
@@ -183,7 +184,7 @@ diff -up openssh-5.6p1/auth2-pubkey.c.audit2 openssh-5.6p1/auth2-pubkey.c { diff -up openssh-5.6p1/auth.h.audit2 openssh-5.6p1/auth.h --- openssh-5.6p1/auth.h.audit2 2010-05-10 03:58:03.000000000 +0200 -+++ openssh-5.6p1/auth.h 2010-11-05 15:41:18.000000000 +0100 ++++ openssh-5.6p1/auth.h 2010-12-10 21:55:41.000000000 +0100 @@ -170,6 +170,7 @@ void abandon_challenge_response(Authctxt char *authorized_keys_file(struct passwd *); char *authorized_keys_file2(struct passwd *); @@ -202,7 +203,7 @@ diff -up openssh-5.6p1/auth.h.audit2 openssh-5.6p1/auth.h void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2))); diff -up openssh-5.6p1/auth-rsa.c.audit2 openssh-5.6p1/auth-rsa.c --- openssh-5.6p1/auth-rsa.c.audit2 2010-07-16 05:58:37.000000000 +0200 -+++ openssh-5.6p1/auth-rsa.c 2010-11-05 15:41:18.000000000 +0100 ++++ openssh-5.6p1/auth-rsa.c 2010-12-10 21:55:41.000000000 +0100 @@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU { u_char buf[32], mdbuf[16]; @@ -241,8 +242,8 @@ diff -up openssh-5.6p1/auth-rsa.c.audit2 openssh-5.6p1/auth-rsa.c /* diff -up openssh-5.6p1/monitor.c.audit2 openssh-5.6p1/monitor.c --- openssh-5.6p1/monitor.c.audit2 2010-08-03 07:50:16.000000000 +0200 -+++ openssh-5.6p1/monitor.c 2010-11-05 15:41:18.000000000 +0100 -@@ -1235,7 +1235,19 @@ mm_answer_keyverify(int sock, Buffer *m) ++++ openssh-5.6p1/monitor.c 2010-12-10 21:55:41.000000000 +0100 +@@ -1235,7 +1235,17 @@ mm_answer_keyverify(int sock, Buffer *m) if (!valid_data) fatal("%s: bad signature data blob", __func__); @@ -253,8 +254,6 @@ diff -up openssh-5.6p1/monitor.c.audit2 openssh-5.6p1/monitor.c + break; + case MM_HOSTKEY: + verified = hostkey_key_verify(key, signature, signaturelen, data, datalen); -+ valid_data = monitor_valid_hostbasedblob(data, datalen, -+ hostbased_cuser, hostbased_chost); + break; + default: + verified = 0; diff --git a/openssh-5.6p1-audit3.patch b/openssh-5.6p1-audit3.patch index 61b5efb..a851ba6 100644 
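Review bot: With the `monitor_valid_hostbasedblob()` call gone from the `MM_HOSTKEY` case of mm_answer_keyverify, nothing in that branch asserts what the signed data blob is, so the `fatal("%s: bad signature data blob", __func__)` guard shown above the switch is the only check and it depends on `valid_data` having been set for `MM_HOSTKEY` by code outside this hunk. It is worth confirming that the earlier type switch has an `MM_HOSTKEY` case; if it does not, `valid_data` keeps whatever it was initialised to and the host-key path is either always rejected or never checked. A one-line comment on the case, such as `/* data blob for MM_HOSTKEY is validated before the switch */`, would make that reliance explicit to the next reader. mm_answer_keyverify starts and ends outside the hunk.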
--- a/openssh-5.6p1-audit3.patch +++ b/openssh-5.6p1-audit3.patch @@ -1,6 +1,6 @@ diff -up openssh-5.6p1/audit-bsm.c.audit3 openssh-5.6p1/audit-bsm.c ---- openssh-5.6p1/audit-bsm.c.audit3 2010-11-05 15:54:35.000000000 +0100 -+++ openssh-5.6p1/audit-bsm.c 2010-11-05 15:54:35.000000000 +0100 +--- openssh-5.6p1/audit-bsm.c.audit3 2010-12-10 22:17:31.000000000 +0100 ++++ openssh-5.6p1/audit-bsm.c 2010-12-10 22:17:31.000000000 +0100 @@ -383,4 +383,16 @@ audit_event(ssh_audit_event_t event) debug("%s: unhandled event %d", __func__, event); } @@ -19,8 +19,8 @@ diff -up openssh-5.6p1/audit-bsm.c.audit3 openssh-5.6p1/audit-bsm.c +} #endif /* BSM */ diff -up openssh-5.6p1/audit.c.audit3 openssh-5.6p1/audit.c ---- openssh-5.6p1/audit.c.audit3 2010-11-05 15:54:35.000000000 +0100 -+++ openssh-5.6p1/audit.c 2010-11-05 15:56:19.000000000 +0100 +--- openssh-5.6p1/audit.c.audit3 2010-12-10 22:17:31.000000000 +0100 ++++ openssh-5.6p1/audit.c 2010-12-10 22:17:31.000000000 +0100 @@ -36,6 +36,8 @@ #include "key.h" #include "hostfile.h" @@ -75,8 +75,8 @@ diff -up openssh-5.6p1/audit.c.audit3 openssh-5.6p1/audit.c # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ diff -up openssh-5.6p1/audit.h.audit3 openssh-5.6p1/audit.h ---- openssh-5.6p1/audit.h.audit3 2010-11-05 15:54:35.000000000 +0100 -+++ openssh-5.6p1/audit.h 2010-11-05 15:54:35.000000000 +0100 +--- openssh-5.6p1/audit.h.audit3 2010-12-10 22:17:31.000000000 +0100 ++++ openssh-5.6p1/audit.h 2010-12-10 22:17:31.000000000 +0100 @@ -56,5 +56,9 @@ void audit_run_command(const char *); ssh_audit_event_t audit_classify_auth(const char *); int audit_keyusage(int, const char *, unsigned, char *, int); 
@@ -88,8 +88,8 @@ diff -up openssh-5.6p1/audit.h.audit3 openssh-5.6p1/audit.h #endif /* _SSH_AUDIT_H */ diff -up openssh-5.6p1/audit-linux.c.audit3 openssh-5.6p1/audit-linux.c ---- openssh-5.6p1/audit-linux.c.audit3 2010-11-05 15:54:35.000000000 +0100 -+++ openssh-5.6p1/audit-linux.c 2010-11-05 15:54:35.000000000 +0100 +--- openssh-5.6p1/audit-linux.c.audit3 2010-12-10 22:17:31.000000000 +0100 ++++ openssh-5.6p1/audit-linux.c 2010-12-10 22:20:00.000000000 +0100 @@ -36,6 +36,8 @@ #include "log.h" #include "audit.h" @@ -99,7 +99,7 @@ diff -up openssh-5.6p1/audit-linux.c.audit3 openssh-5.6p1/audit-linux.c #define AUDIT_LOG_SIZE 128 -@@ -149,4 +151,53 @@ audit_event(ssh_audit_event_t event) +@@ -151,4 +153,54 @@ audit_event(ssh_audit_event_t event) } } @@ -147,15 +147,16 @@ diff -up openssh-5.6p1/audit-linux.c.audit3 openssh-5.6p1/audit-linux.c + audit_ok = audit_log_acct_message(audit_fd, AUDIT_CRYPTO_SESSION, NULL, + buf, NULL, -1, NULL, get_remote_ipaddr(), NULL, 1); + audit_close(audit_fd); -+ if (audit_ok < 0) ++ /* do not abort if the error is EPERM and sshd is run as non root user */ ++ if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0))) + fatal("cannot write into audit"); /* Must prevent login */ +#endif +} + #endif /* USE_LINUX_AUDIT */ diff -up openssh-5.6p1/auditstub.c.audit3 openssh-5.6p1/auditstub.c ---- openssh-5.6p1/auditstub.c.audit3 2010-11-05 15:54:35.000000000 +0100 -+++ openssh-5.6p1/auditstub.c 2010-11-05 15:54:35.000000000 +0100 +--- openssh-5.6p1/auditstub.c.audit3 2010-12-10 22:17:32.000000000 +0100 ++++ openssh-5.6p1/auditstub.c 2010-12-10 22:17:32.000000000 +0100 @@ -0,0 +1,39 @@ +/* $Id: auditstub.c,v 1.1 jfch Exp $ */ + 
@@ -198,7 +199,7 @@ diff -up openssh-5.6p1/auditstub.c.audit3 openssh-5.6p1/auditstub.c + diff -up openssh-5.6p1/cipher.c.audit3 openssh-5.6p1/cipher.c --- openssh-5.6p1/cipher.c.audit3 2010-09-03 14:54:23.000000000 +0200 -+++ openssh-5.6p1/cipher.c 2010-11-05 15:54:35.000000000 +0100 ++++ openssh-5.6p1/cipher.c 2010-12-10 22:17:32.000000000 +0100 @@ -59,15 +59,7 @@ extern void ssh1_3des_iv(EVP_CIPHER_CTX extern const EVP_CIPHER *evp_aes_128_ctr(void); extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); @@ -218,7 +219,7 @@ diff -up openssh-5.6p1/cipher.c.audit3 openssh-5.6p1/cipher.c { "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des }, diff -up openssh-5.6p1/cipher.h.audit3 openssh-5.6p1/cipher.h --- openssh-5.6p1/cipher.h.audit3 2009-01-28 06:38:41.000000000 +0100 -+++ openssh-5.6p1/cipher.h 2010-11-05 15:54:35.000000000 +0100 ++++ openssh-5.6p1/cipher.h 2010-12-10 22:17:32.000000000 +0100 @@ -61,7 +61,16 @@ typedef struct Cipher Cipher; typedef struct CipherContext CipherContext; @@ -239,7 +240,7 @@ diff -up openssh-5.6p1/cipher.h.audit3 openssh-5.6p1/cipher.h EVP_CIPHER_CTX evp; diff -up openssh-5.6p1/kex.c.audit3 openssh-5.6p1/kex.c --- openssh-5.6p1/kex.c.audit3 2010-01-08 06:50:41.000000000 +0100 -+++ openssh-5.6p1/kex.c 2010-11-05 15:54:35.000000000 +0100 ++++ openssh-5.6p1/kex.c 2010-12-10 22:17:32.000000000 +0100 @@ -49,6 +49,7 @@ #include "dispatch.h" #include "monitor.h" @@ -303,8 +304,8 @@ diff -up openssh-5.6p1/kex.c.audit3 openssh-5.6p1/kex.c choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]); choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], diff -up openssh-5.6p1/Makefile.in.audit3 openssh-5.6p1/Makefile.in ---- openssh-5.6p1/Makefile.in.audit3 2010-11-05 15:54:35.000000000 +0100 -+++ openssh-5.6p1/Makefile.in 2010-11-05 15:54:35.000000000 +0100 +--- openssh-5.6p1/Makefile.in.audit3 2010-12-10 22:17:31.000000000 +0100 ++++ openssh-5.6p1/Makefile.in 2010-12-10 22:17:32.000000000 +0100 
@@ -74,7 +74,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \ @@ -315,8 +316,8 @@ diff -up openssh-5.6p1/Makefile.in.audit3 openssh-5.6p1/Makefile.in SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o \ diff -up openssh-5.6p1/monitor.c.audit3 openssh-5.6p1/monitor.c ---- openssh-5.6p1/monitor.c.audit3 2010-11-05 15:54:35.000000000 +0100 -+++ openssh-5.6p1/monitor.c 2010-11-05 15:54:35.000000000 +0100 +--- openssh-5.6p1/monitor.c.audit3 2010-12-10 22:17:31.000000000 +0100 ++++ openssh-5.6p1/monitor.c 2010-12-10 22:17:32.000000000 +0100 @@ -89,6 +89,7 @@ #include "ssh2.h" #include "jpake.h" 
@@ -334,25 +335,43 @@ diff -up openssh-5.6p1/monitor.c.audit3 openssh-5.6p1/monitor.c #endif static Authctxt *authctxt; -@@ -209,6 +212,8 @@ struct mon_table { - #define MON_PERMIT 0x1000 /* Request is permitted */ - - struct mon_table mon_dispatch_proto20[] = { +@@ -225,6 +228,8 @@ struct mon_table mon_dispatch_proto20[] + #endif + #ifdef SSH_AUDIT_EVENTS + {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, + {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body}, + {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body}, - {MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli}, - {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, - {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, -@@ -266,6 +271,8 @@ struct mon_table mon_dispatch_postauth20 + #endif + #ifdef BSD_AUTH + {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, +@@ -261,6 +266,8 @@ struct mon_table mon_dispatch_postauth20 + #ifdef SSH_AUDIT_EVENTS + {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, + {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, ++ {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body}, ++ {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body}, + #endif + {0, 0, NULL} }; - - struct mon_table mon_dispatch_proto15[] = { +@@ -292,6 +299,8 @@ struct mon_table mon_dispatch_proto15[] + #endif + #ifdef SSH_AUDIT_EVENTS + {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, + {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body}, + {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body}, - {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, - {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey}, - {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid}, -@@ -2207,3 +2214,40 @@ mm_answer_jpake_check_confirm(int sock, + #endif + {0, 0, NULL} + }; +@@ -303,6 +312,8 @@ struct mon_table mon_dispatch_postauth15 + #ifdef SSH_AUDIT_EVENTS + {MONITOR_REQ_AUDIT_EVENT, 
MON_PERMIT, mm_answer_audit_event}, + {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, ++ {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body}, ++ {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body}, + #endif + {0, 0, NULL} + }; +@@ -2205,3 +2216,40 @@ mm_answer_jpake_check_confirm(int sock, } #endif /* JPAKE */ @@ -395,7 +414,7 @@ diff -up openssh-5.6p1/monitor.c.audit3 openssh-5.6p1/monitor.c +#endif /* SSH_AUDIT_EVENTS */ diff -up openssh-5.6p1/monitor.h.audit3 openssh-5.6p1/monitor.h --- openssh-5.6p1/monitor.h.audit3 2008-11-05 06:20:46.000000000 +0100 -+++ openssh-5.6p1/monitor.h 2010-11-05 15:54:35.000000000 +0100 ++++ openssh-5.6p1/monitor.h 2010-12-10 22:17:32.000000000 +0100 @@ -66,6 +66,8 @@ enum monitor_reqtype { MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2, MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM, @@ -407,7 +426,7 @@ diff -up openssh-5.6p1/monitor.h.audit3 openssh-5.6p1/monitor.h struct mm_master; diff -up openssh-5.6p1/monitor_wrap.c.audit3 openssh-5.6p1/monitor_wrap.c --- openssh-5.6p1/monitor_wrap.c.audit3 2010-03-07 13:05:17.000000000 +0100 -+++ openssh-5.6p1/monitor_wrap.c 2010-11-05 15:54:35.000000000 +0100 ++++ openssh-5.6p1/monitor_wrap.c 2010-12-10 22:17:32.000000000 +0100 @@ -1411,3 +1411,38 @@ mm_jpake_check_confirm(const BIGNUM *k, return success; } @@ -449,7 +468,7 @@ diff -up openssh-5.6p1/monitor_wrap.c.audit3 openssh-5.6p1/monitor_wrap.c +#endif /* SSH_AUDIT_EVENTS */ diff -up openssh-5.6p1/monitor_wrap.h.audit3 openssh-5.6p1/monitor_wrap.h --- openssh-5.6p1/monitor_wrap.h.audit3 2009-03-05 14:58:22.000000000 +0100 -+++ openssh-5.6p1/monitor_wrap.h 2010-11-05 15:54:35.000000000 +0100 ++++ openssh-5.6p1/monitor_wrap.h 2010-12-10 22:17:32.000000000 +0100 @@ -74,6 +74,8 @@ void mm_sshpam_free_ctx(void *); #include "audit.h" void mm_audit_event(ssh_audit_event_t); 
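Review bot: The `MONITOR_REQ_AUDIT_KEX` and `MONITOR_REQ_AUDIT_UNSUPPORTED` entries added to `mon_dispatch_postauth20` and `mon_dispatch_postauth15` are `MON_PERMIT` without `MON_ONCE`, which is what rekeying needs but also means the privileged monitor will answer these requests from the unprivileged child any number of times after authentication, unlike the neighbouring `MONITOR_REQ_AUDIT_COMMAND` entry marked `MON_PERMIT|MON_ONCE`. The handlers `mm_answer_audit_kex_body` and `mm_answer_audit_unsupported_body` are outside this hunk; if they pass cipher or MAC names received from the child into the audit record, those names should be validated against the server's own cipher and MAC tables before they are written, since the audit log is the defender's record of what was negotiated. A short comment on the new table entries, such as `/* no MON_ONCE: rekeying may audit several KEX rounds per session */`, would document why these differ from the once-only entries around them.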
@@ -461,7 +480,7 @@ diff -up openssh-5.6p1/monitor_wrap.h.audit3 openssh-5.6p1/monitor_wrap.h struct Session; diff -up openssh-5.6p1/sshd.c.audit3 openssh-5.6p1/sshd.c --- openssh-5.6p1/sshd.c.audit3 2010-04-16 07:56:22.000000000 +0200 -+++ openssh-5.6p1/sshd.c 2010-11-05 15:54:35.000000000 +0100 ++++ openssh-5.6p1/sshd.c 2010-12-10 22:17:32.000000000 +0100 @@ -118,6 +118,7 @@ #endif #include "monitor_wrap.h" diff --git a/openssh.spec b/openssh.spec index 467bac8..e37f2f3 100644 --- a/openssh.spec +++ b/openssh.spec @@ -71,7 +71,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %define openssh_ver 5.6p1 -%define openssh_rel 20 +%define openssh_rel 21 %define pam_ssh_agent_ver 0.9.2 %define pam_ssh_agent_rel 29 @@ -96,8 +96,9 @@ Source5: pam_ssh_agent-rmheaders Patch0: openssh-5.6p1-redhat.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1402 Patch1: openssh-5.6p1-audit.patch -Patch2: openssh-5.6p1-audit2.patch -Patch3: openssh-5.6p1-audit3.patch +Patch2: openssh-5.6p1-audit1a.patch +Patch3: openssh-5.6p1-audit2.patch +Patch4: openssh-5.6p1-audit3.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 Patch5: openssh-5.2p1-vendor.patch Patch10: pam_ssh_agent_auth-0.9-build.patch @@ -273,8 +274,9 @@ The module is most useful for su and sudo service stacks. %setup -q -a 4 %patch0 -p1 -b .redhat %patch1 -p1 -b .audit -%patch2 -p1 -b .audit2 -%patch3 -p1 -b .audit3 +%patch2 -p1 -b .audit1a +%patch3 -p1 -b .audit2 +%patch4 -p1 -b .audit3 %patch5 -p1 -b .vendor %if %{pam_ssh_agent} @@ -594,6 +596,10 @@ fi %endif %changelog +* Fri Dec 10 2010 Jan F. Chadima - 5.6p1-21 + 0.9.2-29 +- reenable run sshd as non root user +- renable rekeying + * Wed Nov 24 2010 Jan F. Chadima - 5.6p1-20 + 0.9.2-29 - reapair clientloop crash (#627332) - properly restore euid in case connect to the ssh-agent socket fails