12 Commits
master ... f14

Author SHA1 Message Date
Peter Robinson
8cf949316e Fix compiling on ARM due to lack of relro and now support in gcc 4.5 for ARM 2011-06-16 10:10:31 +01:00
Jan F
62f437b225 - reapair clientloop crash (#627332) 2010-11-24 08:41:53 +01:00
Jan F. Chadima
e2350fc2db - update x11 patch (#648896) 2010-09-23 08:51:01 +02:00
Jan F
a172249c36 - update gsskex patch (#645389) 2010-10-22 16:12:33 +02:00
Jesse Keating
3fc381d95e Work around odd koji scenario by bumping release again 2010-10-05 20:22:50 -07:00
Jesse Keating
56d869f9b5 Fix the subpackage release 2010-10-05 17:58:50 -07:00
Jesse Keating
1f4b17f654 - Rebuilt for gcc bug 634757 2010-10-05 15:32:58 -07:00
Jan F
71a006277a - Add the GSSAPI kuserok switch to the kuserok patch 2010-09-15 20:04:07 +02:00
Jan F
a3a0ece415 - Tweaking selabel patch to work properly without selinux rules loaded. (#632914)
- enabling authorized keys command patch
2010-09-13 14:38:09 +02:00
Jan F
693899d1e8 - Tweaking selabel patch to work properly without selinux rules loaded. (#632914)
- enabling authorized keys command patch
2010-09-13 14:18:41 +02:00
Jan F
16464c8a37 - Tweaking selabel patch to work properly without selinux rules loaded. (#632914) 2010-09-13 13:42:47 +02:00
Jan F. Chadima
8b2dfaf7b9 - Added -z relro -z now to LDFLAGS 2010-08-12 08:21:22 +02:00
6 changed files with 166 additions and 72 deletions


@ -33,7 +33,7 @@ diff -up openssh-5.3p1/ssh.c.selabel openssh-5.3p1/ssh.c
#include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h"
@@ -792,10 +793,15 @@ main(int ac, char **av)
@@ -792,10 +793,17 @@ main(int ac, char **av)
*/
r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir,
strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
@ -41,8 +41,10 @@ diff -up openssh-5.3p1/ssh.c.selabel openssh-5.3p1/ssh.c
+ if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0) {
+ char *scon;
+
+ matchpathcon(buf, 0700, &scon);
+ if (matchpathcon(buf, 0700, &scon) != -1) {
+ setfscreatecon(scon);
+ matchpathcon_fini();
+ }
if (mkdir(buf, 0700) < 0)
error("Could not create directory '%.200s'.", buf);
-
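Review bot: The result of `setfscreatecon(scon)` is ignored inside the new `if (matchpathcon(buf, 0700, &scon) != -1)` branch, so when setting the creation context fails the `mkdir(buf, 0700)` below still creates the directory with whatever default label applies and nothing is logged. I would check it, e.g. `if (setfscreatecon(scon) < 0) error("setfscreatecon '%.200s': %.100s", buf, strerror(errno));`. Within the visible lines `scon` is also never released with `freecon(scon)` and the creation context is not reset with `setfscreatecon(NULL)` after `mkdir`; the block continues past the end of the hunk, so confirm both happen there.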


@ -0,0 +1,12 @@
diff -up openssh-5.6p1/clientloop.c.clientloop openssh-5.6p1/clientloop.c
--- openssh-5.6p1/clientloop.c.clientloop 2010-11-24 08:18:10.000000000 +0100
+++ openssh-5.6p1/clientloop.c 2010-11-24 08:18:11.000000000 +0100
@@ -1944,7 +1944,7 @@ client_input_channel_req(int type, u_int
}
packet_check_eom();
}
- if (reply) {
+ if (reply && c != NULL) {
packet_start(success ?
SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE);
packet_put_int(c->remote_id);
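Review bot: The new `c != NULL` guard carries no comment saying when `c` can be NULL or that the requested reply is then dropped on purpose. Since `packet_put_int(c->remote_id)` needs the channel to address the reply, a short comment above the test would help, e.g. `/* c == NULL: presumably an unknown channel id, so there is no remote_id to reply to */`. The lookup that sets `c` is above the hunk, so confirm that path already logs the offending channel id; otherwise a peer sending such requests leaves no trace in the client log. client_input_channel_req starts and ends outside the hunk.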


@ -1,6 +1,6 @@
diff -up openssh-5.5p1/auth2.c.gsskex openssh-5.5p1/auth2.c
--- openssh-5.5p1/auth2.c.gsskex 2010-05-13 15:59:50.000000000 +0200
+++ openssh-5.5p1/auth2.c 2010-05-13 15:59:58.000000000 +0200
--- openssh-5.5p1/auth2.c.gsskex 2010-10-22 15:58:56.000000000 +0200
+++ openssh-5.5p1/auth2.c 2010-10-22 15:58:58.000000000 +0200
@@ -69,6 +69,7 @@ extern Authmethod method_passwd;
extern Authmethod method_kbdint;
extern Authmethod method_hostbased;
@ -36,8 +36,8 @@ diff -up openssh-5.5p1/auth2.c.gsskex openssh-5.5p1/auth2.c
if (authctxt->failures >= options.max_authtries) {
#ifdef SSH_AUDIT_EVENTS
diff -up openssh-5.5p1/auth2-gss.c.gsskex openssh-5.5p1/auth2-gss.c
--- openssh-5.5p1/auth2-gss.c.gsskex 2010-05-13 15:59:50.000000000 +0200
+++ openssh-5.5p1/auth2-gss.c 2010-05-13 15:59:58.000000000 +0200
--- openssh-5.5p1/auth2-gss.c.gsskex 2010-10-22 15:58:56.000000000 +0200
+++ openssh-5.5p1/auth2-gss.c 2010-10-22 15:58:58.000000000 +0200
@@ -1,7 +1,7 @@
/* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */
@ -138,8 +138,8 @@ diff -up openssh-5.5p1/auth2-gss.c.gsskex openssh-5.5p1/auth2-gss.c
"gssapi-with-mic",
userauth_gssapi,
diff -up openssh-5.5p1/auth.h.gsskex openssh-5.5p1/auth.h
--- openssh-5.5p1/auth.h.gsskex 2010-05-13 15:59:50.000000000 +0200
+++ openssh-5.5p1/auth.h 2010-05-13 15:59:58.000000000 +0200
--- openssh-5.5p1/auth.h.gsskex 2010-10-22 15:58:56.000000000 +0200
+++ openssh-5.5p1/auth.h 2010-10-22 15:58:58.000000000 +0200
@@ -53,6 +53,7 @@ struct Authctxt {
int valid; /* user exists and is allowed to login */
int attempt;
@ -150,7 +150,7 @@ diff -up openssh-5.5p1/auth.h.gsskex openssh-5.5p1/auth.h
char *service;
diff -up openssh-5.5p1/auth-krb5.c.gsskex openssh-5.5p1/auth-krb5.c
--- openssh-5.5p1/auth-krb5.c.gsskex 2009-12-21 00:49:22.000000000 +0100
+++ openssh-5.5p1/auth-krb5.c 2010-05-13 15:59:58.000000000 +0200
+++ openssh-5.5p1/auth-krb5.c 2010-10-22 15:58:58.000000000 +0200
@@ -170,8 +170,13 @@ auth_krb5_password(Authctxt *authctxt, c
len = strlen(authctxt->krb5_ticket_file) + 6;
@ -199,8 +199,8 @@ diff -up openssh-5.5p1/auth-krb5.c.gsskex openssh-5.5p1/auth-krb5.c
return (krb5_cc_resolve(ctx, ccname, ccache));
}
diff -up openssh-5.5p1/ChangeLog.gssapi.gsskex openssh-5.5p1/ChangeLog.gssapi
--- openssh-5.5p1/ChangeLog.gssapi.gsskex 2010-05-13 15:59:58.000000000 +0200
+++ openssh-5.5p1/ChangeLog.gssapi 2010-05-13 15:59:58.000000000 +0200
--- openssh-5.5p1/ChangeLog.gssapi.gsskex 2010-10-22 15:58:58.000000000 +0200
+++ openssh-5.5p1/ChangeLog.gssapi 2010-10-22 15:58:58.000000000 +0200
@@ -0,0 +1,95 @@
+20090615
+ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
@ -299,7 +299,7 @@ diff -up openssh-5.5p1/ChangeLog.gssapi.gsskex openssh-5.5p1/ChangeLog.gssapi
+ <gssapi-with-mic support is Bugzilla #1008>
diff -up openssh-5.5p1/clientloop.c.gsskex openssh-5.5p1/clientloop.c
--- openssh-5.5p1/clientloop.c.gsskex 2010-03-21 19:54:02.000000000 +0100
+++ openssh-5.5p1/clientloop.c 2010-05-13 15:59:58.000000000 +0200
+++ openssh-5.5p1/clientloop.c 2010-10-22 15:58:58.000000000 +0200
@@ -111,6 +111,10 @@
#include "msg.h"
#include "roaming.h"
@ -326,8 +326,8 @@ diff -up openssh-5.5p1/clientloop.c.gsskex openssh-5.5p1/clientloop.c
debug("need rekeying");
xxx_kex->done = 0;
diff -up openssh-5.5p1/configure.ac.gsskex openssh-5.5p1/configure.ac
--- openssh-5.5p1/configure.ac.gsskex 2010-05-13 15:59:52.000000000 +0200
+++ openssh-5.5p1/configure.ac 2010-05-13 15:59:58.000000000 +0200
--- openssh-5.5p1/configure.ac.gsskex 2010-10-22 15:58:57.000000000 +0200
+++ openssh-5.5p1/configure.ac 2010-10-22 15:58:59.000000000 +0200
@@ -477,6 +477,30 @@ main() { if (NSVersionOfRunTimeLibrary("
[Use tunnel device compatibility to OpenBSD])
AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
@ -361,7 +361,7 @@ diff -up openssh-5.5p1/configure.ac.gsskex openssh-5.5p1/configure.ac
AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records])
diff -up openssh-5.5p1/gss-genr.c.gsskex openssh-5.5p1/gss-genr.c
--- openssh-5.5p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200
+++ openssh-5.5p1/gss-genr.c 2010-05-13 15:59:58.000000000 +0200
+++ openssh-5.5p1/gss-genr.c 2010-10-22 15:58:59.000000000 +0200
@@ -39,12 +39,167 @@
#include "buffer.h"
#include "log.h"
@ -702,7 +702,7 @@ diff -up openssh-5.5p1/gss-genr.c.gsskex openssh-5.5p1/gss-genr.c
#endif /* GSSAPI */
diff -up openssh-5.5p1/gss-serv.c.gsskex openssh-5.5p1/gss-serv.c
--- openssh-5.5p1/gss-serv.c.gsskex 2008-05-19 07:05:07.000000000 +0200
+++ openssh-5.5p1/gss-serv.c 2010-05-13 15:59:58.000000000 +0200
+++ openssh-5.5p1/gss-serv.c 2010-10-22 15:58:59.000000000 +0200
@@ -1,7 +1,7 @@
/* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */
@ -1018,7 +1018,7 @@ diff -up openssh-5.5p1/gss-serv.c.gsskex openssh-5.5p1/gss-serv.c
#endif
diff -up openssh-5.5p1/gss-serv-krb5.c.gsskex openssh-5.5p1/gss-serv-krb5.c
--- openssh-5.5p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200
+++ openssh-5.5p1/gss-serv-krb5.c 2010-05-13 15:59:59.000000000 +0200
+++ openssh-5.5p1/gss-serv-krb5.c 2010-10-22 15:58:59.000000000 +0200
@@ -1,7 +1,7 @@
/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
@ -1141,7 +1141,7 @@ diff -up openssh-5.5p1/gss-serv-krb5.c.gsskex openssh-5.5p1/gss-serv-krb5.c
#endif /* KRB5 */
diff -up openssh-5.5p1/kex.c.gsskex openssh-5.5p1/kex.c
--- openssh-5.5p1/kex.c.gsskex 2010-01-08 06:50:41.000000000 +0100
+++ openssh-5.5p1/kex.c 2010-05-13 15:59:59.000000000 +0200
+++ openssh-5.5p1/kex.c 2010-10-22 15:58:59.000000000 +0200
@@ -50,6 +50,10 @@
#include "monitor.h"
#include "roaming.h"
@ -1175,8 +1175,8 @@ diff -up openssh-5.5p1/kex.c.gsskex openssh-5.5p1/kex.c
fatal("bad kex alg %s", k->name);
}
diff -up openssh-5.5p1/kexgssc.c.gsskex openssh-5.5p1/kexgssc.c
--- openssh-5.5p1/kexgssc.c.gsskex 2010-05-13 15:59:59.000000000 +0200
+++ openssh-5.5p1/kexgssc.c 2010-05-13 15:59:59.000000000 +0200
--- openssh-5.5p1/kexgssc.c.gsskex 2010-10-22 15:58:59.000000000 +0200
+++ openssh-5.5p1/kexgssc.c 2010-10-22 15:58:59.000000000 +0200
@@ -0,0 +1,334 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1513,8 +1513,8 @@ diff -up openssh-5.5p1/kexgssc.c.gsskex openssh-5.5p1/kexgssc.c
+
+#endif /* GSSAPI */
diff -up openssh-5.5p1/kexgsss.c.gsskex openssh-5.5p1/kexgsss.c
--- openssh-5.5p1/kexgsss.c.gsskex 2010-05-13 15:59:59.000000000 +0200
+++ openssh-5.5p1/kexgsss.c 2010-05-13 15:59:59.000000000 +0200
--- openssh-5.5p1/kexgsss.c.gsskex 2010-10-22 15:58:59.000000000 +0200
+++ openssh-5.5p1/kexgsss.c 2010-10-22 15:58:59.000000000 +0200
@@ -0,0 +1,288 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1806,7 +1806,7 @@ diff -up openssh-5.5p1/kexgsss.c.gsskex openssh-5.5p1/kexgsss.c
+#endif /* GSSAPI */
diff -up openssh-5.5p1/kex.h.gsskex openssh-5.5p1/kex.h
--- openssh-5.5p1/kex.h.gsskex 2010-02-26 21:55:05.000000000 +0100
+++ openssh-5.5p1/kex.h 2010-05-13 15:59:59.000000000 +0200
+++ openssh-5.5p1/kex.h 2010-10-22 15:58:59.000000000 +0200
@@ -67,6 +67,9 @@ enum kex_exchange {
KEX_DH_GRP14_SHA1,
KEX_DH_GEX_SHA1,
@ -1844,7 +1844,7 @@ diff -up openssh-5.5p1/kex.h.gsskex openssh-5.5p1/kex.h
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
diff -up openssh-5.5p1/key.c.gsskex openssh-5.5p1/key.c
--- openssh-5.5p1/key.c.gsskex 2010-03-21 19:58:24.000000000 +0100
+++ openssh-5.5p1/key.c 2010-05-13 15:59:59.000000000 +0200
+++ openssh-5.5p1/key.c 2010-10-22 15:58:59.000000000 +0200
@@ -982,6 +982,8 @@ key_type_from_name(char *name)
return KEY_RSA_CERT;
} else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) {
@ -1856,7 +1856,7 @@ diff -up openssh-5.5p1/key.c.gsskex openssh-5.5p1/key.c
return KEY_UNSPEC;
diff -up openssh-5.5p1/key.h.gsskex openssh-5.5p1/key.h
--- openssh-5.5p1/key.h.gsskex 2010-03-21 19:58:24.000000000 +0100
+++ openssh-5.5p1/key.h 2010-05-13 15:59:59.000000000 +0200
+++ openssh-5.5p1/key.h 2010-10-22 15:58:59.000000000 +0200
@@ -37,6 +37,7 @@ enum types {
KEY_DSA,
KEY_RSA_CERT,
@ -1866,8 +1866,8 @@ diff -up openssh-5.5p1/key.h.gsskex openssh-5.5p1/key.h
};
enum fp_type {
diff -up openssh-5.5p1/Makefile.in.gsskex openssh-5.5p1/Makefile.in
--- openssh-5.5p1/Makefile.in.gsskex 2010-05-13 15:59:57.000000000 +0200
+++ openssh-5.5p1/Makefile.in 2010-05-13 16:01:34.000000000 +0200
--- openssh-5.5p1/Makefile.in.gsskex 2010-10-22 15:58:58.000000000 +0200
+++ openssh-5.5p1/Makefile.in 2010-10-22 15:58:59.000000000 +0200
@@ -76,11 +76,11 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \
@ -1892,8 +1892,8 @@ diff -up openssh-5.5p1/Makefile.in.gsskex openssh-5.5p1/Makefile.in
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5
diff -up openssh-5.5p1/monitor.c.gsskex openssh-5.5p1/monitor.c
--- openssh-5.5p1/monitor.c.gsskex 2010-05-13 15:59:50.000000000 +0200
+++ openssh-5.5p1/monitor.c 2010-05-13 15:59:59.000000000 +0200
--- openssh-5.5p1/monitor.c.gsskex 2010-10-22 15:58:57.000000000 +0200
+++ openssh-5.5p1/monitor.c 2010-10-22 15:58:59.000000000 +0200
@@ -175,6 +175,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *);
@ -2087,8 +2087,8 @@ diff -up openssh-5.5p1/monitor.c.gsskex openssh-5.5p1/monitor.c
#ifdef JPAKE
diff -up openssh-5.5p1/monitor.h.gsskex openssh-5.5p1/monitor.h
--- openssh-5.5p1/monitor.h.gsskex 2010-05-13 15:59:50.000000000 +0200
+++ openssh-5.5p1/monitor.h 2010-05-13 15:59:59.000000000 +0200
--- openssh-5.5p1/monitor.h.gsskex 2010-10-22 15:58:57.000000000 +0200
+++ openssh-5.5p1/monitor.h 2010-10-22 15:58:59.000000000 +0200
@@ -56,6 +56,8 @@ enum monitor_reqtype {
MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
@ -2099,8 +2099,8 @@ diff -up openssh-5.5p1/monitor.h.gsskex openssh-5.5p1/monitor.h
MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,
MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
diff -up openssh-5.5p1/monitor_wrap.c.gsskex openssh-5.5p1/monitor_wrap.c
--- openssh-5.5p1/monitor_wrap.c.gsskex 2010-05-13 15:59:51.000000000 +0200
+++ openssh-5.5p1/monitor_wrap.c 2010-05-13 15:59:59.000000000 +0200
--- openssh-5.5p1/monitor_wrap.c.gsskex 2010-10-22 15:58:57.000000000 +0200
+++ openssh-5.5p1/monitor_wrap.c 2010-10-22 15:58:59.000000000 +0200
@@ -1250,7 +1250,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
}
@ -2163,8 +2163,8 @@ diff -up openssh-5.5p1/monitor_wrap.c.gsskex openssh-5.5p1/monitor_wrap.c
#ifdef JPAKE
diff -up openssh-5.5p1/monitor_wrap.h.gsskex openssh-5.5p1/monitor_wrap.h
--- openssh-5.5p1/monitor_wrap.h.gsskex 2010-05-13 15:59:51.000000000 +0200
+++ openssh-5.5p1/monitor_wrap.h 2010-05-13 15:59:59.000000000 +0200
--- openssh-5.5p1/monitor_wrap.h.gsskex 2010-10-22 15:58:57.000000000 +0200
+++ openssh-5.5p1/monitor_wrap.h 2010-10-22 15:58:59.000000000 +0200
@@ -60,8 +60,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
@ -2179,7 +2179,7 @@ diff -up openssh-5.5p1/monitor_wrap.h.gsskex openssh-5.5p1/monitor_wrap.h
#ifdef USE_PAM
diff -up openssh-5.5p1/readconf.c.gsskex openssh-5.5p1/readconf.c
--- openssh-5.5p1/readconf.c.gsskex 2010-02-11 23:21:03.000000000 +0100
+++ openssh-5.5p1/readconf.c 2010-05-13 15:59:59.000000000 +0200
+++ openssh-5.5p1/readconf.c 2010-10-22 15:58:59.000000000 +0200
@@ -127,6 +127,7 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
@ -2263,7 +2263,7 @@ diff -up openssh-5.5p1/readconf.c.gsskex openssh-5.5p1/readconf.c
if (options->kbd_interactive_authentication == -1)
diff -up openssh-5.5p1/readconf.h.gsskex openssh-5.5p1/readconf.h
--- openssh-5.5p1/readconf.h.gsskex 2010-02-11 23:21:03.000000000 +0100
+++ openssh-5.5p1/readconf.h 2010-05-13 16:00:00.000000000 +0200
+++ openssh-5.5p1/readconf.h 2010-10-22 15:58:59.000000000 +0200
@@ -44,7 +44,11 @@ typedef struct {
int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */
@ -2277,8 +2277,8 @@ diff -up openssh-5.5p1/readconf.h.gsskex openssh-5.5p1/readconf.h
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff -up openssh-5.5p1/servconf.c.gsskex openssh-5.5p1/servconf.c
--- openssh-5.5p1/servconf.c.gsskex 2010-05-13 15:59:54.000000000 +0200
+++ openssh-5.5p1/servconf.c 2010-05-13 16:00:00.000000000 +0200
--- openssh-5.5p1/servconf.c.gsskex 2010-10-22 15:58:57.000000000 +0200
+++ openssh-5.5p1/servconf.c 2010-10-22 15:58:59.000000000 +0200
@@ -93,7 +93,10 @@ initialize_server_options(ServerOptions
options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1;
@ -2356,8 +2356,8 @@ diff -up openssh-5.5p1/servconf.c.gsskex openssh-5.5p1/servconf.c
intptr = &options->password_authentication;
goto parse_flag;
diff -up openssh-5.5p1/servconf.h.gsskex openssh-5.5p1/servconf.h
--- openssh-5.5p1/servconf.h.gsskex 2010-05-13 15:59:54.000000000 +0200
+++ openssh-5.5p1/servconf.h 2010-05-13 16:00:00.000000000 +0200
--- openssh-5.5p1/servconf.h.gsskex 2010-10-22 15:58:57.000000000 +0200
+++ openssh-5.5p1/servconf.h 2010-10-22 15:58:59.000000000 +0200
@@ -94,7 +94,10 @@ typedef struct {
int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
@ -2371,7 +2371,7 @@ diff -up openssh-5.5p1/servconf.h.gsskex openssh-5.5p1/servconf.h
int kbd_interactive_authentication; /* If true, permit */
diff -up openssh-5.5p1/ssh_config.5.gsskex openssh-5.5p1/ssh_config.5
--- openssh-5.5p1/ssh_config.5.gsskex 2010-03-26 02:09:13.000000000 +0100
+++ openssh-5.5p1/ssh_config.5 2010-05-13 16:00:00.000000000 +0200
+++ openssh-5.5p1/ssh_config.5 2010-10-22 15:58:59.000000000 +0200
@@ -478,11 +478,38 @@ Specifies whether user authentication ba
The default is
.Dq no .
@ -2413,8 +2413,8 @@ diff -up openssh-5.5p1/ssh_config.5.gsskex openssh-5.5p1/ssh_config.5
Indicates that
.Xr ssh 1
diff -up openssh-5.5p1/ssh_config.gsskex openssh-5.5p1/ssh_config
--- openssh-5.5p1/ssh_config.gsskex 2010-05-13 15:59:48.000000000 +0200
+++ openssh-5.5p1/ssh_config 2010-05-13 16:00:00.000000000 +0200
--- openssh-5.5p1/ssh_config.gsskex 2010-10-22 15:58:56.000000000 +0200
+++ openssh-5.5p1/ssh_config 2010-10-22 15:58:59.000000000 +0200
@@ -26,6 +26,8 @@
# HostbasedAuthentication no
# GSSAPIAuthentication no
@ -2425,8 +2425,8 @@ diff -up openssh-5.5p1/ssh_config.gsskex openssh-5.5p1/ssh_config
# CheckHostIP yes
# AddressFamily any
diff -up openssh-5.5p1/sshconnect2.c.gsskex openssh-5.5p1/sshconnect2.c
--- openssh-5.5p1/sshconnect2.c.gsskex 2010-05-13 15:59:57.000000000 +0200
+++ openssh-5.5p1/sshconnect2.c 2010-05-13 16:00:00.000000000 +0200
--- openssh-5.5p1/sshconnect2.c.gsskex 2010-10-22 15:58:58.000000000 +0200
+++ openssh-5.5p1/sshconnect2.c 2010-10-22 16:01:19.000000000 +0200
@@ -108,9 +108,34 @@ ssh_kex2(char *host, struct sockaddr *ho
{
Kex *kex;
@ -2515,18 +2515,19 @@ diff -up openssh-5.5p1/sshconnect2.c.gsskex openssh-5.5p1/sshconnect2.c
#endif
void userauth(Authctxt *, char *);
@@ -268,6 +321,10 @@ static char *authmethods_get(void);
@@ -268,6 +321,11 @@ static char *authmethods_get(void);
Authmethod authmethods[] = {
#ifdef GSSAPI
+ {"gssapi-keyex",
+ userauth_gsskeyex,
+ NULL,
+ &options.gss_authentication,
+ NULL},
{"gssapi-with-mic",
userauth_gssapi,
NULL,
@@ -576,23 +633,35 @@ userauth_gssapi(Authctxt *authctxt)
@@ -576,23 +634,35 @@ userauth_gssapi(Authctxt *authctxt)
int ok = 0;
char* remotehost = NULL;
const char* canonicalhost = get_canonical_hostname(1);
@ -2564,7 +2565,7 @@ diff -up openssh-5.5p1/sshconnect2.c.gsskex openssh-5.5p1/sshconnect2.c
ok = 1; /* Mechanism works */
} else {
mech++;
@@ -689,8 +758,8 @@ input_gssapi_response(int type, u_int32_
@@ -689,8 +759,8 @@ input_gssapi_response(int type, u_int32_
{
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
@ -2575,7 +2576,7 @@ diff -up openssh-5.5p1/sshconnect2.c.gsskex openssh-5.5p1/sshconnect2.c
if (authctxt == NULL)
fatal("input_gssapi_response: no authentication context");
@@ -800,6 +869,48 @@ input_gssapi_error(int type, u_int32_t p
@@ -800,6 +870,48 @@ input_gssapi_error(int type, u_int32_t p
xfree(msg);
xfree(lang);
}
@ -2625,8 +2626,8 @@ diff -up openssh-5.5p1/sshconnect2.c.gsskex openssh-5.5p1/sshconnect2.c
int
diff -up openssh-5.5p1/sshd.c.gsskex openssh-5.5p1/sshd.c
--- openssh-5.5p1/sshd.c.gsskex 2010-05-13 15:59:57.000000000 +0200
+++ openssh-5.5p1/sshd.c 2010-05-13 16:00:00.000000000 +0200
--- openssh-5.5p1/sshd.c.gsskex 2010-10-22 15:58:58.000000000 +0200
+++ openssh-5.5p1/sshd.c 2010-10-22 15:58:59.000000000 +0200
@@ -129,6 +129,10 @@ int allow_severity;
int deny_severity;
#endif /* LIBWRAP */
@ -2776,8 +2777,8 @@ diff -up openssh-5.5p1/sshd.c.gsskex openssh-5.5p1/sshd.c
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
diff -up openssh-5.5p1/sshd_config.5.gsskex openssh-5.5p1/sshd_config.5
--- openssh-5.5p1/sshd_config.5.gsskex 2010-05-13 15:59:54.000000000 +0200
+++ openssh-5.5p1/sshd_config.5 2010-05-13 16:00:00.000000000 +0200
--- openssh-5.5p1/sshd_config.5.gsskex 2010-10-22 15:58:57.000000000 +0200
+++ openssh-5.5p1/sshd_config.5 2010-10-22 15:58:59.000000000 +0200
@@ -379,12 +379,40 @@ Specifies whether user authentication ba
The default is
.Dq no .
@ -2820,8 +2821,8 @@ diff -up openssh-5.5p1/sshd_config.5.gsskex openssh-5.5p1/sshd_config.5
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful public key client host authentication is allowed
diff -up openssh-5.5p1/sshd_config.gsskex openssh-5.5p1/sshd_config
--- openssh-5.5p1/sshd_config.gsskex 2010-05-13 15:59:54.000000000 +0200
+++ openssh-5.5p1/sshd_config 2010-05-13 16:00:00.000000000 +0200
--- openssh-5.5p1/sshd_config.gsskex 2010-10-22 15:58:57.000000000 +0200
+++ openssh-5.5p1/sshd_config 2010-10-22 15:58:59.000000000 +0200
@@ -78,6 +78,8 @@ ChallengeResponseAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
@ -2833,7 +2834,7 @@ diff -up openssh-5.5p1/sshd_config.gsskex openssh-5.5p1/sshd_config
# and session processing. If this is enabled, PAM authentication will
diff -up openssh-5.5p1/ssh-gss.h.gsskex openssh-5.5p1/ssh-gss.h
--- openssh-5.5p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200
+++ openssh-5.5p1/ssh-gss.h 2010-05-13 16:00:00.000000000 +0200
+++ openssh-5.5p1/ssh-gss.h 2010-10-22 15:58:59.000000000 +0200
@@ -1,6 +1,6 @@
/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
/*
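Review bot: The `gssapi-keyex` entry added to `authmethods[]` in the sshconnect2.c hunk is initialised purely by position (`userauth_gsskeyex, NULL, &options.gss_authentication, NULL`), so one missing or extra member silently moves the enable flag into a different slot. The `Authmethod` definition is not visible here, but a trailing comment per member, e.g. `NULL, /* cleanup */` and `&options.gss_authentication, /* enabled */`, would make the layout checkable in review; confirm the member names against the struct before adding them. The same applies to the `gssapi-with-mic` entry that follows.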


@ -130,3 +130,39 @@ diff -up openssh-5.5p1/sshd_config.kuserok openssh-5.5p1/sshd_config
# GSSAPI options
#GSSAPIAuthentication no
diff -up openssh-5.6p1/gss-serv-krb5.c.kuserok openssh-5.6p1/gss-serv-krb5.c
--- openssh-5.6p1/gss-serv-krb5.c.kuserok 2010-09-15 15:39:48.000000000 +0200
+++ openssh-5.6p1/gss-serv-krb5.c 2010-09-15 15:49:43.000000000 +0200
@@ -97,13 +97,25 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
krb5_get_err_text(krb_context, retval));
return 0;
}
- if (krb5_kuserok(krb_context, princ, name)) {
- retval = 1;
- logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
- name, (char *)client->displayname.value);
- } else
- retval = 0;
-
+ if (options.use_kuserok) {
+ if (krb5_kuserok(krb_context, princ, name)) {
+ retval = 1;
+ logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
+ name, (char *)client->displayname.value);
+ } else
+ retval = 0;
+ } else {
+ char kuser[65];
+ if (krb5_aname_to_localname(krb_context, princ, sizeof(kuser), kuser))
+ retval = 0;
+ else if (strcmp(kuser, client))
+ retval = 0;
+ else {
+ retval = 1;
+ logit("Authorized to %s, krb5 principal %s (krb5)",
+ name, (char *)client->displayname.value);
+ }
+ }
krb5_free_principal(krb_context, princ);
return retval;
}
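Review bot: In the new `else` branch, `strcmp(kuser, client)` compares the mapped local name with `client`, which the `client->displayname.value` accesses in the same hunk show to be a struct pointer, not a string. The account being authorised is `name` (it is what `krb5_kuserok()` and both `logit()` calls use), so the test should read `else if (strcmp(kuser, name))`; as written the authorisation decision depends on the bytes of the struct rather than on the requested user. `char kuser[65]` would also be clearer with a named size constant. ssh_gssapi_krb5_userok starts above the hunk.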


@ -1,7 +1,7 @@
diff -up openssh-5.5p1/channels.c.x11 openssh-5.5p1/channels.c
--- openssh-5.5p1/channels.c.x11 2010-06-30 15:22:45.000000000 +0200
+++ openssh-5.5p1/channels.c 2010-06-30 15:27:42.000000000 +0200
@@ -3332,7 +3332,7 @@ x11_create_display_inet(int x11_display_
diff -up openssh-5.3p1/channels.c.bz595935 openssh-5.3p1/channels.c
--- openssh-5.3p1/channels.c.bz595935 2010-08-12 14:19:28.000000000 +0200
+++ openssh-5.3p1/channels.c 2010-08-12 14:33:51.000000000 +0200
@@ -3185,7 +3185,7 @@ x11_create_display_inet(int x11_display_
}
static int
@ -10,20 +10,25 @@ diff -up openssh-5.5p1/channels.c.x11 openssh-5.5p1/channels.c
{
int sock;
struct sockaddr_un addr;
@@ -3342,7 +3342,11 @@ connect_local_xsocket_path(const char *p
@@ -3195,11 +3195,14 @@ connect_local_xsocket_path(const char *p
error("socket: %.100s", strerror(errno));
memset(&addr, 0, sizeof(addr));
addr.sun_family = AF_UNIX;
- strlcpy(addr.sun_path, pathname, sizeof addr.sun_path);
- if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0)
+ if (len <= 0)
+ return -1;
+ if (len > sizeof addr.sun_path)
+ len = sizeof addr.sun_path;
+ memcpy(addr.sun_path, pathname , len);
if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0)
+ memcpy(addr.sun_path, pathname, len);
+ if (connect(sock, (struct sockaddr *)&addr, sizeof addr - (sizeof addr.sun_path - len) ) == 0)
return sock;
close(sock);
@@ -3354,8 +3358,18 @@ static int
- error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
return -1;
}
@@ -3207,8 +3210,21 @@ static int
connect_local_xsocket(u_int dnr)
{
char buf[1024];
@ -40,7 +45,10 @@ diff -up openssh-5.5p1/channels.c.x11 openssh-5.5p1/channels.c
+ if ((ret = connect_local_xsocket_path(buf, len + 1)) >= 0)
+ return ret;
+#endif
+ return connect_local_xsocket_path(buf + 1, len);
+ if ((ret = connect_local_xsocket_path(buf + 1, len)) >= 0)
+ return ret;
+ error("connect %.100s: %.100s", buf + 1, strerror(errno));
+ return -1;
}
int
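Review bot: In connect_local_xsocket_path the `if (len <= 0) return -1;` check sits after the socket has been created (the `error("socket: ...")` context line is just above it; the `socket()` call itself is outside the hunk), so that early return leaks the descriptor. Either move the length check ahead of `socket()` or close first: `if (len <= 0) { close(sock); return -1; }`. Separately, connect_local_xsocket now reports `strerror(errno)` after the callee has already run `close(sock)`, which may overwrite the `connect()` error; saving errno before `close()` would keep the message accurate. Clamping `len` to `sizeof addr.sun_path` also truncates an over-long path silently and connects to a different name, so returning -1 in that case would be safer.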


@ -70,7 +70,7 @@
%endif
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%define openssh_rel 18
%define openssh_rel 25
%define openssh_ver 5.5p1
%define pam_ssh_agent_rel 26
%define pam_ssh_agent_ver 0.9.2
@ -78,7 +78,7 @@
Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh
Version: %{openssh_ver}
Release: %{openssh_rel}%{?dist}%{?rescue_rel}
Release: %{openssh_rel}%{?dist}%{?rescue_rel}.2
URL: http://www.openssh.com/portable.html
#URL1: http://pamsshagentauth.sourceforge.net
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@ -131,8 +131,11 @@ Patch74: openssh-5.3p1-randclean.patch
Patch76: openssh-5.5p1-staterr.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1750
Patch77: openssh-5.5p1-stderr.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
Patch78: openssh-5.5p1-kuserok.patch
Patch79: openssh-5.5p1-x11.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1842
Patch81: openssh-5.5p1-clientloop.patch
License: BSD
Group: Applications/Internet
@ -218,7 +221,7 @@ Provides: openssh-askpass-gnome
Summary: PAM module for authentication with ssh-agent
Group: System Environment/Base
Version: %{pam_ssh_agent_ver}
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}.2
License: BSD
%description
@ -307,6 +310,7 @@ popd
%patch77 -p1 -b .stderr
%patch78 -p1 -b .kuserok
%patch79 -p1 -b .x11
%patch81 -p1 -b .clientloop
autoreconf
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@ -326,7 +330,13 @@ CFLAGS="$CFLAGS -fpic"
%endif
export CFLAGS
SAVE_LDFLAGS="$LDFLAGS"
LDFLAGS="$LDFLAGS -pie"; export LDFLAGS
%ifarch %{arm}
# This is needed to compile ARM woth gcc 4.5 as ARM doesn't support relro and now.
# Looks to be resolved in 4.6 thanks to Linaro work
LDFLAGS="$LDFLAGS -pie -Wl,-z,relro"; export LDFLAGS
%else
LDFLAGS="$LDFLAGS -pie -z relro -z now"; export LDFLAGS
%endif
%endif
%if %{kerberos5}
if test -r /etc/profile.d/krb5-devel.sh ; then
@ -356,7 +366,7 @@ fi
--disable-strip \
--without-zlib-version-check \
--with-ssl-engine \
--with-pka \
--with-authorized-keys-command \
%if %{nss}
--with-nss \
%endif
@ -588,6 +598,31 @@ fi
%endif
%changelog
* Thu Jun 16 2011 Peter Robinson <pbrobinson@gmail.com> - 5.5p1-25 + 0.9.2-26
- Fix compiling on ARM due to lack of relro and now support in gcc 4.5 for ARM
* Wed Nov 24 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-24 + 0.9.2-26
- reapair clientloop crash (#627332)
* Fri Nov 5 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-23 + 0.9.2-26
- update x11 patch (#648896)
* Fri Oct 20 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-22 + 0.9.2-26
- update gsskex patch (#645389)
* Tue Oct 05 2010 jkeating - 5.5p1-21.2
- Rebuilt for gcc bug 634757
* Wed Sep 15 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-21 + 0.9.2-26
- Add the GSSAPI kuserok switch to the kuserok patch
* Mon Sep 13 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-20 + 0.9.2-26
- Tweaking selabel patch to work properly without selinux rules loaded. (#632914)
- enabling authorized keys command patch
* Fri Sep 3 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-19 + 0.9.2-26
- Added -z relro -z now to LDFLAGS
* Wed Jul 7 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-18 + 0.9.2-26
- merged with newer bugzilla's version of authorized keys command patch
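Review bot: The new `%ifarch %{arm}` branch links with `-pie -Wl,-z,relro` only, so ARM builds lose `-z now` and end up with partial RELRO, which leaves the GOT writable after startup. The comment says gcc 4.6 resolves the toolchain problem, but nothing in the conditional brings the full flags back; I would add a marker such as `# TODO: drop this branch once the ARM builders use gcc >= 4.6` so the hardening downgrade does not become permanent. The comment also has a typo (`woth` for `with`), and the two branches spell the linker options differently (`-Wl,-z,relro` vs `-z relro -z now`); using the `-Wl,` form in both would be consistent.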