From c6801b909efbd44d76078aa8bda4ba250cc938f9 Mon Sep 17 00:00:00 2001 From: "Jan F. Chadima" Date: Thu, 12 Aug 2010 07:41:58 +0200 Subject: [PATCH] - Rebased to openssh5.6p1 - Added -z relro -z now to LDFLAGS --- openssh-5.6p1-authorized-keys-command.patch | 78 +++++++++---------- ...redhat.patch => openssh-5.6p1-redhat.patch | 32 ++++---- openssh.spec | 10 ++- 3 files changed, 62 insertions(+), 58 deletions(-) rename openssh-5.4p1-redhat.patch => openssh-5.6p1-redhat.patch (75%) diff --git a/openssh-5.6p1-authorized-keys-command.patch b/openssh-5.6p1-authorized-keys-command.patch index 4c9b5b1..3075f34 100644 --- a/openssh-5.6p1-authorized-keys-command.patch +++ b/openssh-5.6p1-authorized-keys-command.patch @@ -1,6 +1,6 @@ diff -up openssh-5.6p1/auth2-pubkey.c.akc openssh-5.6p1/auth2-pubkey.c ---- openssh-5.6p1/auth2-pubkey.c.akc 2010-08-23 12:15:42.000000000 +0200 -+++ openssh-5.6p1/auth2-pubkey.c 2010-08-23 12:15:42.000000000 +0200 +--- openssh-5.6p1/auth2-pubkey.c.akc 2010-09-03 15:24:51.000000000 +0200 ++++ openssh-5.6p1/auth2-pubkey.c 2010-09-03 15:24:51.000000000 +0200 @@ -27,6 +27,7 @@ #include @@ -241,8 +241,8 @@ diff -up openssh-5.6p1/auth2-pubkey.c.akc openssh-5.6p1/auth2-pubkey.c return 0; if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key)) diff -up openssh-5.6p1/configure.ac.akc openssh-5.6p1/configure.ac ---- openssh-5.6p1/configure.ac.akc 2010-08-23 12:15:42.000000000 +0200 -+++ openssh-5.6p1/configure.ac 2010-08-23 12:15:42.000000000 +0200 +--- openssh-5.6p1/configure.ac.akc 2010-09-03 15:24:51.000000000 +0200 ++++ openssh-5.6p1/configure.ac 2010-09-03 15:24:51.000000000 +0200 @@ -1346,6 +1346,18 @@ AC_ARG_WITH(audit, esac ] ) 
@@ -271,8 +271,8 @@ diff -up openssh-5.6p1/configure.ac.akc openssh-5.6p1/configure.ac echo " libedit support: $LIBEDIT_MSG" echo " Solaris process contract support: $SPC_MSG" diff -up openssh-5.6p1/servconf.c.akc openssh-5.6p1/servconf.c ---- openssh-5.6p1/servconf.c.akc 2010-08-23 12:15:41.000000000 +0200 -+++ openssh-5.6p1/servconf.c 2010-08-23 12:22:22.000000000 +0200 +--- openssh-5.6p1/servconf.c.akc 2010-09-03 15:24:50.000000000 +0200 ++++ openssh-5.6p1/servconf.c 2010-09-03 15:24:51.000000000 +0200 @@ -129,6 +129,8 @@ initialize_server_options(ServerOptions options->num_permitted_opens = -1; options->adm_forced_command = NULL; @@ -344,8 +344,8 @@ diff -up openssh-5.6p1/servconf.c.akc openssh-5.6p1/servconf.c /* string arguments requiring a lookup */ dump_cfg_string(sLogLevel, log_level_name(o->log_level)); diff -up openssh-5.6p1/servconf.h.akc openssh-5.6p1/servconf.h ---- openssh-5.6p1/servconf.h.akc 2010-08-23 12:15:41.000000000 +0200 -+++ openssh-5.6p1/servconf.h 2010-08-23 12:17:58.000000000 +0200 +--- openssh-5.6p1/servconf.h.akc 2010-09-03 15:24:50.000000000 +0200 ++++ openssh-5.6p1/servconf.h 2010-09-03 15:24:51.000000000 +0200 @@ -158,6 +158,8 @@ typedef struct { char *revoked_keys_file; char *trusted_user_ca_keys; 
@@ -356,9 +356,33 @@ diff -up openssh-5.6p1/servconf.h.akc openssh-5.6p1/servconf.h void initialize_server_options(ServerOptions *); diff -up openssh-5.6p1/sshd_config.0.akc openssh-5.6p1/sshd_config.0 ---- openssh-5.6p1/sshd_config.0.akc 2010-08-23 12:15:41.000000000 +0200 -+++ openssh-5.6p1/sshd_config.0 2010-08-23 12:25:18.000000000 +0200 -@@ -374,7 +374,8 @@ DESCRIPTION +--- openssh-5.6p1/sshd_config.0.akc 2010-09-03 15:24:50.000000000 +0200 ++++ openssh-5.6p1/sshd_config.0 2010-09-03 15:27:26.000000000 +0200 +@@ -71,6 +71,23 @@ DESCRIPTION + + See PATTERNS in ssh_config(5) for more information on patterns. + ++ AuthorizedKeysCommand ++ ++ Specifies a program to be used for lookup of the user's ++ public keys. The program will be invoked with its first ++ argument the name of the user being authorized, and should produce ++ on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS ++ in sshd(8)). By default (or when set to the empty string) there is no ++ AuthorizedKeysCommand run. If the AuthorizedKeysCommand does not successfully ++ authorize the user, authorization falls through to the ++ AuthorizedKeysFile. Note that this option has an effect ++ only with PubkeyAuthentication turned on. ++ ++ AuthorizedKeysCommandRunAs ++ Specifies the user under whose account the AuthorizedKeysCommand is run. ++ Empty string (the default value) means the user being authorized ++ is used. ++ + AuthorizedKeysFile + Specifies the file that contains the public keys that can be used + for user authentication. The format is described in the +@@ -375,7 +392,8 @@ DESCRIPTION Only a subset of keywords may be used on the lines following a Match keyword. Available keywords are AllowAgentForwarding, 
@@ -368,33 +392,9 @@ diff -up openssh-5.6p1/sshd_config.0.akc openssh-5.6p1/sshd_config.0 Banner, ChrootDirectory, ForceCommand, GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication, -@@ -496,6 +497,23 @@ DESCRIPTION - this file is not readable, then public key authentication will be - refused for all users. - -+ AuthorizedKeysCommand -+ -+ Specifies a program to be used for lookup of the user's -+ public keys. The program will be invoked with its first -+ argument the name of the user being authorized, and should produce -+ on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS -+ in sshd(8)). By default (or when set to the empty string) there is no -+ AuthorizedKeysCommand run. If the AuthorizedKeysCommand does not successfully -+ authorize the user, authorization falls through to the -+ AuthorizedKeysFile. Note that this option has an effect -+ only with PubkeyAuthentication turned on. -+ -+ AuthorizedKeysCommandRunAs -+ Specifies the user under whose account the AuthorizedKeysCommand is run. -+ Empty string (the default value) means the user being authorized -+ is used. -+ - RhostsRSAAuthentication - Specifies whether rhosts or /etc/hosts.equiv authentication to- - gether with successful RSA host authentication is allowed. The diff -up openssh-5.6p1/sshd_config.5.akc openssh-5.6p1/sshd_config.5 ---- openssh-5.6p1/sshd_config.5.akc 2010-08-23 12:15:41.000000000 +0200 -+++ openssh-5.6p1/sshd_config.5 2010-08-23 12:25:46.000000000 +0200 +--- openssh-5.6p1/sshd_config.5.akc 2010-09-03 15:24:50.000000000 +0200 ++++ openssh-5.6p1/sshd_config.5 2010-09-03 15:24:51.000000000 +0200 @@ -654,6 +654,8 @@ Available keywords are .Cm AllowAgentForwarding , .Cm AllowTcpForwarding , 
@@ -434,8 +434,8 @@ diff -up openssh-5.6p1/sshd_config.5.akc openssh-5.6p1/sshd_config.5 Specifies whether rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is allowed. diff -up openssh-5.6p1/sshd_config.akc openssh-5.6p1/sshd_config ---- openssh-5.6p1/sshd_config.akc 2010-08-23 12:15:41.000000000 +0200 -+++ openssh-5.6p1/sshd_config 2010-08-23 12:15:42.000000000 +0200 +--- openssh-5.6p1/sshd_config.akc 2010-09-03 15:24:50.000000000 +0200 ++++ openssh-5.6p1/sshd_config 2010-09-03 15:24:51.000000000 +0200 @@ -45,6 +45,8 @@ SyslogFacility AUTHPRIV #RSAAuthentication yes #PubkeyAuthentication yes diff --git a/openssh-5.4p1-redhat.patch b/openssh-5.6p1-redhat.patch similarity index 75% rename from openssh-5.4p1-redhat.patch rename to openssh-5.6p1-redhat.patch index bd2ad80..f4560a9 100644 --- a/openssh-5.4p1-redhat.patch +++ b/openssh-5.6p1-redhat.patch @@ -1,6 +1,6 @@ -diff -up openssh-5.4p1/ssh_config.redhat openssh-5.4p1/ssh_config ---- openssh-5.4p1/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100 -+++ openssh-5.4p1/ssh_config 2010-03-01 15:15:51.000000000 +0100 +diff -up openssh-5.6p1/ssh_config.redhat openssh-5.6p1/ssh_config +--- openssh-5.6p1/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100 ++++ openssh-5.6p1/ssh_config 2010-09-03 15:21:17.000000000 +0200 @@ -45,3 +45,14 @@ # PermitLocalCommand no # VisualHostKey no 
@@ -16,26 +16,26 @@ diff -up openssh-5.4p1/ssh_config.redhat openssh-5.4p1/ssh_config + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE + SendEnv XMODIFIERS -diff -up openssh-5.4p1/sshd_config.0.redhat openssh-5.4p1/sshd_config.0 ---- openssh-5.4p1/sshd_config.0.redhat 2010-03-01 14:30:04.000000000 +0100 -+++ openssh-5.4p1/sshd_config.0 2010-03-01 15:14:13.000000000 +0100 -@@ -501,9 +501,9 @@ DESCRIPTION +diff -up openssh-5.6p1/sshd_config.0.redhat openssh-5.6p1/sshd_config.0 +--- openssh-5.6p1/sshd_config.0.redhat 2010-08-23 05:24:16.000000000 +0200 ++++ openssh-5.6p1/sshd_config.0 2010-09-03 15:23:20.000000000 +0200 +@@ -537,9 +537,9 @@ DESCRIPTION SyslogFacility Gives the facility code that is used when logging messages from - sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, -- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de- -- fault is AUTH. +- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The +- default is AUTH. + sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV, + LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. + The default is AUTH. TCPKeepAlive Specifies whether the system should send TCP keepalive messages -diff -up openssh-5.4p1/sshd_config.5.redhat openssh-5.4p1/sshd_config.5 ---- openssh-5.4p1/sshd_config.5.redhat 2010-02-26 21:55:06.000000000 +0100 -+++ openssh-5.4p1/sshd_config.5 2010-03-01 15:14:14.000000000 +0100 -@@ -865,7 +865,7 @@ Note that this option applies to protoco +diff -up openssh-5.6p1/sshd_config.5.redhat openssh-5.6p1/sshd_config.5 +--- openssh-5.6p1/sshd_config.5.redhat 2010-07-02 05:37:17.000000000 +0200 ++++ openssh-5.6p1/sshd_config.5 2010-09-03 15:21:17.000000000 +0200 +@@ -919,7 +919,7 @@ Note that this option applies to protoco .It Cm SyslogFacility Gives the facility code that is used when logging messages from .Xr sshd 8 . 
@@ -44,9 +44,9 @@ diff -up openssh-5.4p1/sshd_config.5.redhat openssh-5.4p1/sshd_config.5 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH. .It Cm TCPKeepAlive -diff -up openssh-5.4p1/sshd_config.redhat openssh-5.4p1/sshd_config ---- openssh-5.4p1/sshd_config.redhat 2009-10-11 12:51:09.000000000 +0200 -+++ openssh-5.4p1/sshd_config 2010-03-01 15:14:14.000000000 +0100 +diff -up openssh-5.6p1/sshd_config.redhat openssh-5.6p1/sshd_config +--- openssh-5.6p1/sshd_config.redhat 2009-10-11 12:51:09.000000000 +0200 ++++ openssh-5.6p1/sshd_config 2010-09-03 15:21:17.000000000 +0200 @@ -31,6 +31,7 @@ # Logging # obsoletes QuietMode and FascistLogging diff --git a/openssh.spec b/openssh.spec index 92d712b..68f38aa 100644 --- a/openssh.spec +++ b/openssh.spec @@ -71,7 +71,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %define openssh_ver 5.6p1 -%define openssh_rel 1 +%define openssh_rel 2 %define pam_ssh_agent_ver 0.9.2 %define pam_ssh_agent_rel 27 @@ -93,7 +93,7 @@ Source3: sshd.init Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.bz2 Source5: pam_ssh_agent-rmheaders -Patch0: openssh-5.4p1-redhat.patch +Patch0: openssh-5.6p1-redhat.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 Patch4: openssh-5.2p1-vendor.patch Patch10: pam_ssh_agent_auth-0.9-build.patch @@ -317,7 +317,7 @@ CFLAGS="$CFLAGS -fpic" %endif export CFLAGS SAVE_LDFLAGS="$LDFLAGS" -LDFLAGS="$LDFLAGS -pie"; export LDFLAGS +LDFLAGS="$LDFLAGS -pie -z relro -z now"; export LDFLAGS %endif %if %{kerberos5} if test -r /etc/profile.d/krb5-devel.sh ; then @@ -579,6 +579,10 @@ fi %endif %changelog +* Fri Sep 3 2010 Jan F. Chadima - 5.6p1-1 + 0.9.2-27 +- Rebased to openssh5.6p1 +- Added -z relro -z now to LDFLAGS + * Wed Jul 7 2010 Jan F. Chadima - 5.5p1-18 + 0.9.2-26 - merged with newer bugzilla's version of authorized keys command patch
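Review bot: The `-z relro -z now` flags on the new `LDFLAGS` line in openssh.spec sit directly before an `%endif`, so full RELRO appears to be applied only when the enclosing conditional is enabled; its `%if` is outside this hunk and is presumably the PIE switch. RELRO and immediate binding do not depend on PIE, so consider exporting them unconditionally ahead of the conditional, e.g. `LDFLAGS="$LDFLAGS -z relro -z now"; export LDFLAGS`, and keeping only `-pie` inside it. `SAVE_LDFLAGS` is captured before the flags are appended, so anything linked later with the restored value (not visible here) would miss the hardening, which is worth confirming. A post-build check that runs `readelf -lW` and `readelf -dW` on the built `sshd` and asserts `GNU_RELRO` and `BIND_NOW` would keep the flags from silently regressing on a later rebase.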