

18 Commits
master ... f16

Petr Lautrbach
08380efdf8 5.8p2-26 + 0.9.2-31 2013-02-08 16:56:41 +01:00
Petr Lautrbach
b8bb5d9a09 change default value of MaxStartups - CVE-2010-5107 (#908707) 2013-02-08 16:55:36 +01:00
Petr Lautrbach
ee0729e302 fix the man moduli page (#841065) 2012-11-06 10:19:35 +01:00
Petr Lautrbach
e9057845ed 5.8p2-25 + 0.9.2-31 2012-02-22 08:56:44 +01:00
Petr Lautrbach
b875abeb4b Look for x11 forward sockets with AI_ADDRCONFIG flag getaddrinfo (#735889) 2012-02-14 17:58:42 +01:00
Petr Lautrbach
1a6ae8b918 5.8p2-24 + 0.9.2-31 2012-02-06 22:30:18 +01:00
Petr Lautrbach
f7459a97a6 backport sftp+chroot+SELinux changes from Rawhide (#782078) 2012-02-02 14:07:09 +01:00
Petr Lautrbach
78630ed29a remove openssh-5.8p1-sftpcontext.patch
sshd_sftpd_t type doesn't exist in F16 anymore
2012-02-02 14:04:32 +01:00
Petr Lautrbach
b572a41569 5.8p2-23 + 0.9.2-31 2011-12-06 17:59:14 +01:00
Petr Lautrbach
c905a284c1 warn about unsupported option UsePAM=no (#757545) 2011-12-06 17:58:49 +01:00
Petr Lautrbach
ff8c66b9a4 update openssh source file (#755531)
5.8p2-22 + 0.9.2-31
2011-11-23 18:09:10 +01:00
Tomas Mraz
fd9ff22aaf add the restorecon call to ssh-copy-id - it might be needed on older distributions (#739989) 2011-11-23 17:41:22 +01:00
Tomas Mraz
d06a7f2dbe Load also the /etc/sysconfig/sshd before the sshd-keygen script. 2011-11-18 10:04:59 +01:00
Tomas Mraz
c3b5d2ecc7 Fix permissions of sshd private keys created by sshd-keygen script (#754779) 2011-11-18 10:04:43 +01:00
Tomas Mraz
c33ad09d93 still support /etc/sysconfig/sshd loading in sshd service (#754732)
Conflicts:

	openssh.spec
2011-11-18 10:04:11 +01:00
Jan F. Chadima
144c5153db save ssh-askpass's debuginfo 2011-11-18 09:59:52 +01:00
Tomas Mraz
083417c440 compile ssh-askpass with corect CFLAGS
Conflicts:

	openssh.spec
2011-11-18 09:57:39 +01:00
Jan F. Chadima
25b191d985 repair broken man pages 2011-11-18 09:52:49 +01:00
17 changed files with 285 additions and 42 deletions


@ -89,10 +89,12 @@ diff -up openssh-5.8p2/openbsd-compat/port-linux-prng.c.entropy openssh-5.8p2/op
diff -up openssh-5.8p2/ssh.1.entropy openssh-5.8p2/ssh.1 diff -up openssh-5.8p2/ssh.1.entropy openssh-5.8p2/ssh.1
--- openssh-5.8p2/ssh.1.entropy 2010-11-20 05:21:03.000000000 +0100 --- openssh-5.8p2/ssh.1.entropy 2010-11-20 05:21:03.000000000 +0100
+++ openssh-5.8p2/ssh.1 2011-05-28 21:15:27.375920967 +0200 +++ openssh-5.8p2/ssh.1 2011-05-28 21:15:27.375920967 +0200
@@ -1250,6 +1250,20 @@ For more information, see the @@ -1250,6 +1250,23 @@ For more information, see the
.Cm PermitUserEnvironment .Cm PermitUserEnvironment
option in option in
.Xr sshd_config 5 . .Xr sshd_config 5 .
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.It Ev SSH_USE_STRONG_RNG +.It Ev SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from +The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom . +.Cm /dev/urandom .
@ -107,6 +109,7 @@ diff -up openssh-5.8p2/ssh.1.entropy openssh-5.8p2/ssh.1
+This setting is not recommended on the computers without the hardware +This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to +random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available. +be blocked until enough entropy is available.
+.El
.Sh FILES .Sh FILES
.Bl -tag -width Ds -compact .Bl -tag -width Ds -compact
.It Pa ~/.rhosts .It Pa ~/.rhosts
@ -137,7 +140,7 @@ diff -up openssh-5.8p2/ssh-add.1.entropy openssh-5.8p2/ssh-add.1
diff -up openssh-5.8p2/ssh-agent.1.entropy openssh-5.8p2/ssh-agent.1 diff -up openssh-5.8p2/ssh-agent.1.entropy openssh-5.8p2/ssh-agent.1
--- openssh-5.8p2/ssh-agent.1.entropy 2010-12-01 01:50:35.000000000 +0100 --- openssh-5.8p2/ssh-agent.1.entropy 2010-12-01 01:50:35.000000000 +0100
+++ openssh-5.8p2/ssh-agent.1 2011-05-28 21:13:10.086864993 +0200 +++ openssh-5.8p2/ssh-agent.1 2011-05-28 21:13:10.086864993 +0200
@@ -198,6 +198,23 @@ sockets used to contain the connection t @@ -198,6 +198,24 @@ sockets used to contain the connection t
These sockets should only be readable by the owner. These sockets should only be readable by the owner.
The sockets should get automatically removed when the agent exits. The sockets should get automatically removed when the agent exits.
.El .El
@ -158,13 +161,14 @@ diff -up openssh-5.8p2/ssh-agent.1.entropy openssh-5.8p2/ssh-agent.1
+This setting is not recommended on the computers without the hardware +This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to +random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available. +be blocked until enough entropy is available.
+.El
.Sh SEE ALSO .Sh SEE ALSO
.Xr ssh 1 , .Xr ssh 1 ,
.Xr ssh-add 1 , .Xr ssh-add 1 ,
diff -up openssh-5.8p2/sshd.8.entropy openssh-5.8p2/sshd.8 diff -up openssh-5.8p2/sshd.8.entropy openssh-5.8p2/sshd.8
--- openssh-5.8p2/sshd.8.entropy 2010-11-05 00:20:14.000000000 +0100 --- openssh-5.8p2/sshd.8.entropy 2010-11-05 00:20:14.000000000 +0100
+++ openssh-5.8p2/sshd.8 2011-05-28 21:13:10.241861760 +0200 +++ openssh-5.8p2/sshd.8 2011-05-28 21:13:10.241861760 +0200
@@ -937,6 +937,23 @@ concurrently for different ports, this c @@ -937,6 +937,24 @@ concurrently for different ports, this c
started last). started last).
The content of this file is not sensitive; it can be world-readable. The content of this file is not sensitive; it can be world-readable.
.El .El
@ -185,13 +189,14 @@ diff -up openssh-5.8p2/sshd.8.entropy openssh-5.8p2/sshd.8
+This setting is not recommended on the computers without the hardware +This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to +random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available. +be blocked until enough entropy is available.
+.El
.Sh SEE ALSO .Sh SEE ALSO
.Xr scp 1 , .Xr scp 1 ,
.Xr sftp 1 , .Xr sftp 1 ,
diff -up openssh-5.8p2/ssh-keygen.1.entropy openssh-5.8p2/ssh-keygen.1 diff -up openssh-5.8p2/ssh-keygen.1.entropy openssh-5.8p2/ssh-keygen.1
--- openssh-5.8p2/ssh-keygen.1.entropy 2010-11-05 00:20:14.000000000 +0100 --- openssh-5.8p2/ssh-keygen.1.entropy 2010-11-05 00:20:14.000000000 +0100
+++ openssh-5.8p2/ssh-keygen.1 2011-05-28 21:13:10.389856432 +0200 +++ openssh-5.8p2/ssh-keygen.1 2011-05-28 21:13:10.389856432 +0200
@@ -655,6 +655,23 @@ Contains Diffie-Hellman groups used for @@ -655,6 +655,24 @@ Contains Diffie-Hellman groups used for
The file format is described in The file format is described in
.Xr moduli 5 . .Xr moduli 5 .
.El .El
@ -212,13 +217,14 @@ diff -up openssh-5.8p2/ssh-keygen.1.entropy openssh-5.8p2/ssh-keygen.1
+This setting is not recommended on the computers without the hardware +This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to +random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available. +be blocked until enough entropy is available.
+.El
.Sh SEE ALSO .Sh SEE ALSO
.Xr ssh 1 , .Xr ssh 1 ,
.Xr ssh-add 1 , .Xr ssh-add 1 ,
diff -up openssh-5.8p2/ssh-keysign.8.entropy openssh-5.8p2/ssh-keysign.8 diff -up openssh-5.8p2/ssh-keysign.8.entropy openssh-5.8p2/ssh-keysign.8
--- openssh-5.8p2/ssh-keysign.8.entropy 2010-08-31 14:41:14.000000000 +0200 --- openssh-5.8p2/ssh-keysign.8.entropy 2010-08-31 14:41:14.000000000 +0200
+++ openssh-5.8p2/ssh-keysign.8 2011-05-28 21:17:32.399856797 +0200 +++ openssh-5.8p2/ssh-keysign.8 2011-05-28 21:17:32.399856797 +0200
@@ -78,6 +78,23 @@ must be set-uid root if host-based authe @@ -78,6 +78,24 @@ must be set-uid root if host-based authe
If these files exist they are assumed to contain public certificate If these files exist they are assumed to contain public certificate
information corresponding with the private keys above. information corresponding with the private keys above.
.El .El
@ -239,6 +245,7 @@ diff -up openssh-5.8p2/ssh-keysign.8.entropy openssh-5.8p2/ssh-keysign.8
+This setting is not recommended on the computers without the hardware +This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to +random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available. +be blocked until enough entropy is available.
+.El
.Sh SEE ALSO .Sh SEE ALSO
.Xr ssh 1 , .Xr ssh 1 ,
.Xr ssh-keygen 1 , .Xr ssh-keygen 1 ,


@ -1,7 +1,20 @@
diff -up openssh-5.8p1/sshconnect.c.getaddrinfo openssh-5.8p1/sshconnect.c diff -up openssh-5.6p1/channels.c.getaddrinfo openssh-5.6p1/channels.c
--- openssh-5.8p1/sshconnect.c.getaddrinfo 2011-04-27 09:51:44.521384633 +0200 --- openssh-5.6p1/channels.c.getaddrinfo 2012-02-14 16:12:54.427852524 +0100
+++ openssh-5.8p1/sshconnect.c 2011-04-27 09:53:21.224443308 +0200 +++ openssh-5.6p1/channels.c 2012-02-14 16:13:22.818928690 +0100
@@ -355,6 +355,7 @@ ssh_connect(const char *host, struct soc @@ -3275,6 +3275,9 @@ x11_create_display_inet(int x11_display_
memset(&hints, 0, sizeof(hints));
hints.ai_family = IPv4or6;
hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
+#ifdef AI_ADDRCONFIG
+ hints.ai_flags |= AI_ADDRCONFIG;
+#endif
hints.ai_socktype = SOCK_STREAM;
snprintf(strport, sizeof strport, "%d", port);
if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
diff -up openssh-5.6p1/sshconnect.c.getaddrinfo openssh-5.6p1/sshconnect.c
--- openssh-5.6p1/sshconnect.c.getaddrinfo 2012-02-14 16:09:25.057964291 +0100
+++ openssh-5.6p1/sshconnect.c 2012-02-14 16:09:25.106047007 +0100
@@ -343,6 +343,7 @@ ssh_connect(const char *host, struct soc
memset(&hints, 0, sizeof(hints)); memset(&hints, 0, sizeof(hints));
hints.ai_family = family; hints.ai_family = family;
hints.ai_socktype = SOCK_STREAM; hints.ai_socktype = SOCK_STREAM;
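Review bot: OR-ing `AI_ADDRCONFIG` into the hints right after `hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;` changes which address families x11_create_display_inet() listens on, and glibc's man page states that the loopback address does not count as a configured address for that flag, so a host whose only IPv6 address is `::1` will no longer get a `::1` X11 listener even with X11UseLocalhost set. If that is what #735889 asks for, say so at the new lines, e.g. `/* only listen on families with a non-loopback address configured (#735889) */`; if not, add the flag only when `!x11_use_localhost`. The per-family `socket()` failure in the loop below this hunk presumably already logs and continues, so please confirm the original symptom was the error noise rather than a hard failure. The patch file headers were also retargeted from `openssh-5.8p1/` to `openssh-5.6p1/` paths while the spec applies it to a 5.8p2 tree — harmless with `-p1`, but misleading. x11_create_display_inet() and ssh_connect() both start and end outside their hunks.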


@ -1,14 +0,0 @@
diff -up openssh-5.8p1/session.c.sftpcontext openssh-5.8p1/session.c
--- openssh-5.8p1/session.c.sftpcontext 2011-04-05 19:46:53.674654050 +0200
+++ openssh-5.8p1/session.c 2011-04-05 19:48:32.942658237 +0200
@@ -1520,6 +1520,10 @@ do_setusercontext(struct passwd *pw)
free(chroot_path);
}
+#ifdef WITH_SELINUX
+ ssh_selinux_change_context("sshd_sftpd_t");
+#endif
+
#ifdef HAVE_LOGIN_CAP
if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) {
perror("unable to set user context (setuser)");


@ -0,0 +1,18 @@
diff -up openssh-5.8p2/contrib/Makefile.askpass-ld openssh-5.8p2/contrib/Makefile
--- openssh-5.8p2/contrib/Makefile.askpass-ld 2011-08-08 22:54:06.050546199 +0200
+++ openssh-5.8p2/contrib/Makefile 2011-08-08 22:54:43.364420118 +0200
@@ -2,12 +2,12 @@ all:
@echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
gnome-ssh-askpass1: gnome-ssh-askpass1.c
- $(CC) `gnome-config --cflags gnome gnomeui` \
+ $(CC) ${CFLAGS} `gnome-config --cflags gnome gnomeui` \
gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \
`gnome-config --libs gnome gnomeui`
gnome-ssh-askpass2: gnome-ssh-askpass2.c
- $(CC) `pkg-config --cflags gtk+-2.0` \
+ $(CC) ${CFLAGS} `pkg-config --cflags gtk+-2.0` \
gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
`pkg-config --libs gtk+-2.0 x11`
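Review bot: both rules compile and link in a single `$(CC)` invocation (`-o gnome-ssh-askpass1` together with the `--libs` output), so adding only `${CFLAGS}` still drops whatever `LDFLAGS` the distribution build exports; any link-time hardening in those flags (not visible here) never reaches these two binaries. Suggest `$(CC) $(CFLAGS) $(LDFLAGS) \` as the first line of each rule, leaving the rest unchanged; `$(CFLAGS)` also matches the `$(CC)` spelling already on the line rather than the shell-style `${CFLAGS}`. The patch is named `askpass-ld` but touches only CFLAGS, so a one-line comment above `gnome-ssh-askpass1:` stating the intent (distribution flags / debuginfo, per the changelog) would help the next reader.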


@ -0,0 +1,42 @@
diff -up openssh-5.8p2/servconf.c.max-startups openssh-5.8p2/servconf.c
--- openssh-5.8p2/servconf.c.max-startups 2013-02-08 16:54:23.003052391 +0100
+++ openssh-5.8p2/servconf.c 2013-02-08 16:54:23.021052316 +0100
@@ -262,11 +262,11 @@ fill_default_server_options(ServerOption
if (options->gateway_ports == -1)
options->gateway_ports = 0;
if (options->max_startups == -1)
- options->max_startups = 10;
+ options->max_startups = 100;
if (options->max_startups_rate == -1)
- options->max_startups_rate = 100; /* 100% */
+ options->max_startups_rate = 30; /* 30% */
if (options->max_startups_begin == -1)
- options->max_startups_begin = options->max_startups;
+ options->max_startups_begin = 10;
if (options->max_authtries == -1)
options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
if (options->max_sessions == -1)
diff -up openssh-5.8p2/sshd_config.5.max-startups openssh-5.8p2/sshd_config.5
--- openssh-5.8p2/sshd_config.5.max-startups 2013-02-08 16:54:23.004052387 +0100
+++ openssh-5.8p2/sshd_config.5 2013-02-08 16:54:23.021052316 +0100
@@ -778,7 +778,7 @@ SSH daemon.
Additional connections will be dropped until authentication succeeds or the
.Cm LoginGraceTime
expires for a connection.
-The default is 10.
+The default is 10:30:100.
.Pp
Alternatively, random early drop can be enabled by specifying
the three colon separated values
diff -up openssh-5.8p2/sshd_config.max-startups openssh-5.8p2/sshd_config
--- openssh-5.8p2/sshd_config.max-startups 2013-02-08 16:54:23.017052333 +0100
+++ openssh-5.8p2/sshd_config 2013-02-08 16:54:23.021052316 +0100
@@ -122,7 +122,7 @@ X11Forwarding yes
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
-#MaxStartups 10
+#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
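Review bot: the sshd_config.5 hunk changes only `The default is 10:30:100.` while the next sentence, `Alternatively, random early drop can be enabled by specifying the three colon separated values`, still presents random early drop as opt-in, which is no longer true for the default; suggest `The default is 10:30:100, which enables random early drop (see below).` and `Random early drop is configured by specifying the three colon separated values`. In servconf.c the three new defaults live in three independent `== -1` branches, which works because a user-supplied `MaxStartups` sets all three fields together (the parser is outside this hunk — confirm), but a comment tying them to each other, e.g. `/* 10:30:100: drop 30% of new connections at 10 unauthenticated ones, 100% at 100 (CVE-2010-5107, #908707) */`, would stop someone from changing one value without the others. fill_default_server_options() starts and ends outside the hunk.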


@ -0,0 +1,12 @@
diff -up openssh-5.9p1/contrib/ssh-copy-id.restorecon openssh-5.9p1/contrib/ssh-copy-id
--- openssh-5.9p1/contrib/ssh-copy-id.restorecon 2011-08-17 04:05:49.000000000 +0200
+++ openssh-5.9p1/contrib/ssh-copy-id 2011-11-21 08:40:56.000000000 +0100
@@ -41,7 +41,7 @@ fi
# strip any trailing colon
host=`echo $1 | sed 's/:$//'`
-{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys" || exit 1
+{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys && (test -x /sbin/restorecon && /sbin/restorecon ~/.ssh ~/.ssh/authorized_keys >/dev/null 2>&1 || true)" || exit 1
cat <<EOF
Now try logging into the machine, with "ssh '$host'", and check in:
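Review bot: the added remote fragment hardcodes `/sbin/restorecon` and ends in `|| true`, so on a target where the binary lives elsewhere (`/usr/sbin` on later releases) the relabel is skipped silently and the script still reports success; `command -v restorecon >/dev/null 2>&1 && restorecon ~/.ssh ~/.ssh/authorized_keys >/dev/null 2>&1 || true` keeps the best-effort semantics without the path assumption. Nothing in the script explains why a key-copy tool calls into SELinux, so add a comment above the line, e.g. `# best-effort SELinux relabel of ~/.ssh on the remote host; needed on some older releases (#739989)`. `$host` is still unquoted in `ssh $host`, which predates this change.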


@ -14,9 +14,9 @@ diff -up openssh-5.8p2/sshd.8.ipv6man openssh-5.8p2/sshd.8
--- openssh-5.8p2/sshd.8.ipv6man 2011-06-21 10:40:04.623457378 +0200 --- openssh-5.8p2/sshd.8.ipv6man 2011-06-21 10:40:04.623457378 +0200
+++ openssh-5.8p2/sshd.8 2011-06-21 10:40:05.289467631 +0200 +++ openssh-5.8p2/sshd.8 2011-06-21 10:40:05.289467631 +0200
@@ -961,6 +961,8 @@ Minimum is 6 bytes. @@ -961,6 +961,8 @@ Minimum is 6 bytes.
This setting is not recommended on the computers without the hardware
random generator because insufficient entropy causes the connection to random generator because insufficient entropy causes the connection to
be blocked until enough entropy is available. be blocked until enough entropy is available.
.El
+.Sh IPV6 +.Sh IPV6
+IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell. +IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
.Sh SEE ALSO .Sh SEE ALSO


@ -0,0 +1,28 @@
diff --git a/sshd.c b/sshd.c
index 8dcfdf2..95b63ad 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1592,6 +1592,10 @@ main(int ac, char **av)
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
&cfg, NULL, NULL, NULL);
+ /* 'UsePAM no' is not supported in Fedora */
+ if (! options.use_pam)
+ logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.");
+
seed_rng();
/* Fill in default values for those options not explicitly set. */
diff --git a/sshd_config b/sshd_config
index 8c16754..9f28b04 100644
--- a/sshd_config
+++ b/sshd_config
@@ -92,6 +92,8 @@ GSSAPICleanupCredentials yes
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
+# problems.
#UsePAM no
UsePAM yes
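Review bot: the check `if (! options.use_pam)` runs directly after `parse_server_config()` and before the `/* Fill in default values ... */` step, so it fires only for an explicit `UsePAM no`; when the option is absent, `options.use_pam` presumably still holds the unset sentinel (`-1` in upstream's initialize_server_options(), outside this hunk — confirm), the warning is skipped, and the option is then defaulted to `no` anyway. Moving the test below `fill_default_server_options(&options)` (or testing `options.use_pam == 0` there) covers the admin who simply deletes the shipped `UsePAM yes` line. The message `may cause several problems` could also name what breaks, e.g. `'UsePAM no' is not supported in Fedora: account/session handling depends on PAM.`, as far as that holds for this build. main() starts and ends outside the hunk.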


@ -0,0 +1,24 @@
diff -up openssh-5.8p2/moduli.0.man-moduli openssh-5.8p2/moduli.0
--- openssh-5.8p2/moduli.0.man-moduli 2011-05-05 03:58:10.000000000 +0200
+++ openssh-5.8p2/moduli.0 2012-11-06 10:18:11.301710631 +0100
@@ -25,7 +25,7 @@ DESCRIPTION
0 Unknown, not tested
2 "Safe" prime; (p-1)/2 is also prime.
- 4 Sophie Germain; (p+1)*2 is also prime.
+ 4 Sophie Germain; (p*2)+1 is also prime.
Moduli candidates initially produced by ssh-keygen(1)
are Sophie Germain primes (type 4). Futher primality
diff -up openssh-5.8p2/moduli.5.man-moduli openssh-5.8p2/moduli.5
--- openssh-5.8p2/moduli.5.man-moduli 2008-06-26 07:59:32.000000000 +0200
+++ openssh-5.8p2/moduli.5 2012-11-06 10:16:40.320224142 +0100
@@ -62,7 +62,7 @@ Unknown, not tested
.It 2
"Safe" prime; (p-1)/2 is also prime.
.It 4
-Sophie Germain; (p+1)*2 is also prime.
+Sophie Germain; (p*2)+1 is also prime.
.El
.Pp
Moduli candidates initially produced by


@ -0,0 +1,63 @@
diff -up openssh-5.9p0/openbsd-compat/port-linux.c.sftp-chroot openssh-5.9p0/openbsd-compat/port-linux.c
--- openssh-5.9p0/openbsd-compat/port-linux.c.sftp-chroot 2011-09-01 04:12:22.743024608 +0200
+++ openssh-5.9p0/openbsd-compat/port-linux.c 2011-09-01 04:12:23.069088065 +0200
@@ -503,6 +503,23 @@ ssh_selinux_change_context(const char *n
xfree(newctx);
}
+void
+ssh_selinux_copy_context(void)
+{
+ char *ctx;
+
+ if (!ssh_selinux_enabled())
+ return;
+
+ if (getexeccon((security_context_t *)&ctx) < 0) {
+ logit("%s: getcon failed with %s", __func__, strerror (errno));
+ return;
+ }
+ if (setcon(ctx) < 0)
+ logit("%s: setcon failed with %s", __func__, strerror (errno));
+ xfree(ctx);
+}
+
#endif /* WITH_SELINUX */
#ifdef LINUX_OOM_ADJUST
diff -up openssh-5.9p0/openbsd-compat/port-linux.h.sftp-chroot openssh-5.9p0/openbsd-compat/port-linux.h
--- openssh-5.9p0/openbsd-compat/port-linux.h.sftp-chroot 2011-01-25 02:16:18.000000000 +0100
+++ openssh-5.9p0/openbsd-compat/port-linux.h 2011-09-01 04:12:23.163088777 +0200
@@ -24,6 +24,7 @@ int ssh_selinux_enabled(void);
void ssh_selinux_setup_pty(char *, const char *);
void ssh_selinux_setup_exec_context(char *);
void ssh_selinux_change_context(const char *);
+void ssh_selinux_chopy_context(void);
void ssh_selinux_setfscreatecon(const char *);
#endif
diff -up openssh-5.9p0/session.c.sftp-chroot openssh-5.9p0/session.c
--- openssh-5.9p0/session.c.sftp-chroot 2011-09-01 04:12:19.698049195 +0200
+++ openssh-5.9p0/session.c 2011-09-01 04:40:03.598148719 +0200
@@ -1519,6 +1519,9 @@ do_setusercontext(struct passwd *pw)
pw->pw_uid);
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
"u", pw->pw_name, (char *)NULL);
+#ifdef WITH_SELINUX
+ ssh_selinux_change_context("chroot_user_t");
+#endif
safely_chroot(chroot_path, pw->pw_uid);
free(tmp);
free(chroot_path);
@@ -1788,7 +1791,10 @@ do_child(Session *s, const char *command
optind = optreset = 1;
__progname = argv[0];
#ifdef WITH_SELINUX
- ssh_selinux_change_context("sftpd_t");
+ if (options.chroot_directory == NULL ||
+ strcasecmp(options.chroot_directory, "none") == 0) {
+ ssh_selinux_copy_context();
+ }
#endif
exit(sftp_server_main(i, argv, s->pw));
}


@ -79,7 +79,7 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%define openssh_ver 5.8p2 %define openssh_ver 5.8p2
%define openssh_rel 16 %define openssh_rel 26
%define pam_ssh_agent_ver 0.9.2 %define pam_ssh_agent_ver 0.9.2
%define pam_ssh_agent_rel 31 %define pam_ssh_agent_rel 31
@ -116,6 +116,7 @@ Patch100: openssh-5.8p1-fingerprint.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1879 #https://bugzilla.mindrot.org/show_bug.cgi?id=1879
Patch200: openssh-5.8p1-exit.patch Patch200: openssh-5.8p1-exit.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1894 #https://bugzilla.mindrot.org/show_bug.cgi?id=1894
#https://bugzilla.redhat.com/show_bug.cgi?id=735889
Patch300: openssh-5.8p1-getaddrinfo.patch Patch300: openssh-5.8p1-getaddrinfo.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402 #https://bugzilla.mindrot.org/show_bug.cgi?id=1402
Patch8: openssh-5.8p1-audit0.patch Patch8: openssh-5.8p1-audit0.patch
@ -145,9 +146,8 @@ Patch23: openssh-5.8p1-selinux-role.patch
Patch24: openssh-5.8p1-mls.patch Patch24: openssh-5.8p1-mls.patch
# #https://bugzilla.mindrot.org/show_bug.cgi?id=1614 # #https://bugzilla.mindrot.org/show_bug.cgi?id=1614
# Patch25: openssh-5.6p1-selabel.patch # Patch25: openssh-5.6p1-selabel.patch
#was https://bugzilla.mindrot.org/show_bug.cgi?id=1637 #https://bugzilla.redhat.com/show_bug.cgi?id=782078
#? Patch26: openssh-5.8p2-sftp-chroot.patch
Patch26: openssh-5.8p1-sftpcontext.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1668 #https://bugzilla.mindrot.org/show_bug.cgi?id=1668
Patch30: openssh-5.6p1-keygen.patch Patch30: openssh-5.6p1-keygen.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1644 #https://bugzilla.mindrot.org/show_bug.cgi?id=1644
@ -190,10 +190,21 @@ Patch63: openssh-5.8p2-force_krb.patch
Patch64: openssh-5.8p2-kuserok.patch Patch64: openssh-5.8p2-kuserok.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1329 (WONTFIX) #https://bugzilla.mindrot.org/show_bug.cgi?id=1329 (WONTFIX)
Patch65: openssh-5.8p2-remove-stale-control-socket.patch Patch65: openssh-5.8p2-remove-stale-control-socket.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1919
Patch66: openssh-5.8p2-ipv6man.patch
#? #?
Patch66: openssh-5.8p2-ipv6man.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1919
Patch67: openssh-5.8p2-unconfined.patch Patch67: openssh-5.8p2-unconfined.patch
#?
Patch69: openssh-5.8p2-askpass-ld.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=739989
Patch70: openssh-5.8p2-copy-id-restorecon.patch
# warn users for unsupported UsePAM=no
Patch71: openssh-5.8p2-log-usepam-no.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=841065
Patch72: openssh-5.8p2-man-moduli.patch
# change default value of MaxStartups - CVE-2010-5107 - #908707
Patch73: openssh-5.8p2-change-max-startups.patch
#--- #---
#https://bugzilla.mindrot.org/show_bug.cgi?id=1604 #https://bugzilla.mindrot.org/show_bug.cgi?id=1604
# sctp # sctp
@ -406,7 +417,7 @@ popd
# %patch22 -p1 -b .selinux # %patch22 -p1 -b .selinux
%patch23 -p1 -b .role %patch23 -p1 -b .role
%patch24 -p1 -b .mls %patch24 -p1 -b .mls
%patch26 -p1 -b .sftpcontext %patch26 -p1 -b .sftp-chroot
%endif %endif
%patch30 -p1 -b .keygen %patch30 -p1 -b .keygen
%patch31 -p1 -b .ip-opts %patch31 -p1 -b .ip-opts
@ -431,6 +442,11 @@ popd
%patch65 -p1 -b .remove_stale %patch65 -p1 -b .remove_stale
%patch66 -p1 -b .ipv6man %patch66 -p1 -b .ipv6man
%patch67 -p1 -b .unconfined %patch67 -p1 -b .unconfined
%patch69 -p1 -b .askpass-ld
%patch70 -p1 -b .restorecon
%patch71 -p1 -b .log-usepam-no
%patch72 -p1 -b .man-moduli
%patch73 -p1 -b .max-startups
autoreconf autoreconf
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@ -581,7 +597,7 @@ install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/ install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
%if ! %{no_gnome_askpass} %if ! %{no_gnome_askpass}
install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
%endif %endif
%if ! %{scard} %if ! %{scard}
@ -768,8 +784,38 @@ fi
%endif %endif
%changelog %changelog
* Fri Feb 08 2013 Petr Lautrbach <plautrba@redhat.com> 5.8p2-26 + 0.9.2-31
- change default value of MaxStartups - CVE-2010-5107 (#908707)
* Wed Feb 22 2012 Petr Lautrbach <plautrba@redhat.com> 5.8p2-25 + 0.9.2-31
- Look for x11 forward sockets with AI_ADDRCONFIG flag getaddrinfo (#735889)
* Tue Jan 31 2012 Petr Lautrbach <plautrba@redhat.com> 5.8p2-24 + 0.9.2-31
- backport sftp+chroot+SELinux changes from Rawhide (#782078)
* Tue Dec 06 2011 Petr Lautrbach <plautrba@redhat.com> 5.8p2-23 + 0.9.2-31
- warn about unsupported option UsePAM=no (#757545)
* Wed Nov 23 2011 Petr Lautrbach <plautrba@redhat.com> 5.8p2-22 + 0.9.2-31
- add the restorecon call to ssh-copy-id - it might be needed on older
distribution (#739989)
- update openssh source file (#755531)
* Fri Nov 18 2011 Tomas Mraz <tmraz@redhat.com> - 5.8p2-21 + 0.9.2-31
- still support /etc/sysconfig/sshd loading in sshd service (#754732)
- fix incorrect key permissions generated by sshd-keygen script (#754779)
* Tue Aug 9 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-20 + 0.9.2-31
- save ssh-askpass's debuginfo
* Mon Aug 8 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-19 + 0.9.2-31
- compile ssh-askpass with corect CFLAGS
* Mon Aug 8 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-17 + 0.9.2-31
- repair broken man pages
* Mon Jul 25 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-16 + 0.9.2-31 * Mon Jul 25 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-16 + 0.9.2-31
- rebuild - rebuild due to broken rpmbiild
* Thu Jul 21 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-15 + 0.9.2-31 * Thu Jul 21 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-15 + 0.9.2-31
- Do not change context when run under unconfined_t - Do not change context when run under unconfined_t
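Review bot: `Patch69: openssh-5.8p2-askpass-ld.patch` is introduced under a bare `#?` comment, unlike the other new patches in this hunk that carry a bugzilla URL or a reason (`# warn users for unsupported UsePAM=no`, `# change default value of MaxStartups - CVE-2010-5107 - #908707`); because the patch name says `-ld` while its content only adds `${CFLAGS}`, a reason line such as `# build gnome-ssh-askpass with the distribution CFLAGS (debuginfo, see 5.8p2-19/-20)` is worth adding now. The `install -s contrib/gnome-ssh-askpass` → `install contrib/gnome-ssh-askpass` change is what actually stops stripping the binary and deserves the same note next to it. `%patch26 -p1 -b .sftp-chroot` sits inside a conditional whose `%if` starts before this hunk (presumably the SELinux build switch), which matches the `#ifdef WITH_SELINUX` guards in that patch.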


@ -1,2 +1,2 @@
123003edd779504e12e1c8b58e7ce5dc openssh-5.8p2-noacss.tar.bz2 5549d0b7b6bfadfd28eb90e63dd6f5f1 openssh-5.8p2-noacss.tar.bz2
b68f1c385d7885fbe2c3626bf77aa3d6 pam_ssh_agent_auth-0.9.2.tar.bz2 b68f1c385d7885fbe2c3626bf77aa3d6 pam_ssh_agent_auth-0.9.2.tar.bz2
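Review bot: the md5 of `openssh-5.8p2-noacss.tar.bz2` changes (`123003ed…` → `5549d0b7…`) while the file name and version stay the same, so the lookaside cache now serves different bytes under an identical name and the only record of why is the changelog line `update openssh source file (#755531)`; please state in the changelog or next to the spec's Source line what was regenerated in the noacss tarball and how, so the artifact can be reproduced and audited. MD5 is also the only integrity check on this file; if the branch tooling allows it, recording a SHA-256 as well would make the pin meaningful against deliberate substitution rather than only accidental corruption.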


@ -23,7 +23,7 @@ do_rsa1_keygen() {
rm -f $RSA1_KEY rm -f $RSA1_KEY
if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
chgrp ssh_keys $RSA1_KEY chgrp ssh_keys $RSA1_KEY
chmod 640 $RSA1_KEY chmod 600 $RSA1_KEY
chmod 644 $RSA1_KEY.pub chmod 644 $RSA1_KEY.pub
if [ -x /sbin/restorecon ]; then if [ -x /sbin/restorecon ]; then
/sbin/restorecon $RSA1_KEY.pub /sbin/restorecon $RSA1_KEY.pub
@ -44,7 +44,7 @@ do_rsa_keygen() {
rm -f $RSA_KEY rm -f $RSA_KEY
if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
chgrp ssh_keys $RSA_KEY chgrp ssh_keys $RSA_KEY
chmod 640 $RSA_KEY chmod 600 $RSA_KEY
chmod 644 $RSA_KEY.pub chmod 644 $RSA_KEY.pub
if [ -x /sbin/restorecon ]; then if [ -x /sbin/restorecon ]; then
/sbin/restorecon $RSA_KEY.pub /sbin/restorecon $RSA_KEY.pub
@ -65,7 +65,7 @@ do_dsa_keygen() {
rm -f $DSA_KEY rm -f $DSA_KEY
if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
chgrp ssh_keys $DSA_KEY chgrp ssh_keys $DSA_KEY
chmod 640 $DSA_KEY chmod 600 $DSA_KEY
chmod 644 $DSA_KEY.pub chmod 644 $DSA_KEY.pub
if [ -x /sbin/restorecon ]; then if [ -x /sbin/restorecon ]; then
/sbin/restorecon $DSA_KEY.pub /sbin/restorecon $DSA_KEY.pub
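Review bot: each hunk tightens the private key to `chmod 600` but keeps the `chgrp ssh_keys $RSA_KEY` (and RSA1/DSA equivalents) immediately above it, so the group assignment is now dead — no member of `ssh_keys` can read the file. If this branch installs ssh-keysign set-gid `ssh_keys` so that HostbasedAuthentication can read the host keys (not visible here — check the spec), `600` breaks that and the fix for #754779 probably wants `640` with the correct group instead; if ssh-keysign is set-uid root here, drop the three `chgrp ssh_keys` lines so the script does not advertise a group-read model it no longer implements. A one-line comment above the chmod pairs saying which model is intended would prevent the next flip. do_rsa1_keygen(), do_rsa_keygen() and do_dsa_keygen() each start and end outside their hunk.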


@ -5,6 +5,7 @@ Before=sshd.service
[Service] [Service]
Type=oneshot Type=oneshot
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd-keygen ExecStart=/usr/sbin/sshd-keygen
RemainAfterExit=yes RemainAfterExit=yes


@ -1,9 +1,10 @@
[Unit] [Unit]
Description=OpenSSH server daemon. Description=OpenSSH server daemon
After=syslog.target network.target auditd.service After=syslog.target network.target auditd.service
[Service] [Service]
ExecStart=/usr/sbin/sshd -D EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID ExecReload=/bin/kill -HUP $MAINPID
[Install] [Install]
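Review bot: `EnvironmentFile=/etc/sysconfig/sshd` without a leading `-` makes systemd fail the unit when the file is absent, so the "still support /etc/sysconfig/sshd" intent becomes a hard requirement and sshd would not start on a host where the file was deleted; `EnvironmentFile=-/etc/sysconfig/sshd` gives the optional semantics the commit message describes (the same applies to sshd-keygen.service and sshd@.service in this set). `$OPTIONS` is expanded with word splitting, which is what you want for a flag list, but the same variable is now passed to `sshd -D` here and to `sshd -i` in the per-connection unit, so a comment in /etc/sysconfig/sshd stating that OPTIONS must be valid for both modes would avoid a value that works for one and breaks the other. `After=syslog.target` is pre-existing and unrelated to this change.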


@ -1,4 +1,5 @@
[Unit] [Unit]
Description=OpenSSH Server Socket
Conflicts=sshd.service Conflicts=sshd.service
[Socket] [Socket]


@ -1,7 +1,8 @@
[Unit] [Unit]
Description=OpenSSH per-connection server daemon. Description=OpenSSH per-connection server daemon
After=syslog.target After=syslog.target auditd.service
[Service] [Service]
ExecStart=-/usr/sbin/sshd -i EnvironmentFile=/etc/sysconfig/sshd
ExecStart=-/usr/sbin/sshd -i $OPTIONS
StandardInput=socket StandardInput=socket
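Review bot: the per-connection instance now runs `/usr/sbin/sshd -i $OPTIONS` with its exit status ignored by the leading `-` on `ExecStart`, so a value in /etc/sysconfig/sshd that is valid for the daemon in sshd.service but not for inetd mode (anything that binds a port, or `-D` itself) would fail every socket-activated session without any unit failure being recorded; consider `# OPTIONS is shared with sshd.service; keep it valid for both -D and -i` in the unit, or a separate variable for this mode. The added `After=auditd.service` matches sshd.service, but `After=` only orders and does not pull auditd in, which is presumably intended.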