Compare commits
18 Commits
Author | SHA1 | Date |
---|---|---|
|
08380efdf8 | |
|
b8bb5d9a09 | |
|
ee0729e302 | |
|
e9057845ed | |
|
b875abeb4b | |
|
1a6ae8b918 | |
|
f7459a97a6 | |
|
78630ed29a | |
|
b572a41569 | |
|
c905a284c1 | |
|
ff8c66b9a4 | |
|
fd9ff22aaf | |
|
d06a7f2dbe | |
|
c3b5d2ecc7 | |
|
c33ad09d93 | |
|
144c5153db | |
|
083417c440 | |
|
25b191d985 |
|
@ -89,10 +89,12 @@ diff -up openssh-5.8p2/openbsd-compat/port-linux-prng.c.entropy openssh-5.8p2/op
|
|||
diff -up openssh-5.8p2/ssh.1.entropy openssh-5.8p2/ssh.1
|
||||
--- openssh-5.8p2/ssh.1.entropy 2010-11-20 05:21:03.000000000 +0100
|
||||
+++ openssh-5.8p2/ssh.1 2011-05-28 21:15:27.375920967 +0200
|
||||
@@ -1250,6 +1250,20 @@ For more information, see the
|
||||
@@ -1250,6 +1250,23 @@ For more information, see the
|
||||
.Cm PermitUserEnvironment
|
||||
option in
|
||||
.Xr sshd_config 5 .
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.It Ev SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
|
@ -107,6 +109,7 @@ diff -up openssh-5.8p2/ssh.1.entropy openssh-5.8p2/ssh.1
|
|||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
+.El
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds -compact
|
||||
.It Pa ~/.rhosts
|
||||
|
@ -137,7 +140,7 @@ diff -up openssh-5.8p2/ssh-add.1.entropy openssh-5.8p2/ssh-add.1
|
|||
diff -up openssh-5.8p2/ssh-agent.1.entropy openssh-5.8p2/ssh-agent.1
|
||||
--- openssh-5.8p2/ssh-agent.1.entropy 2010-12-01 01:50:35.000000000 +0100
|
||||
+++ openssh-5.8p2/ssh-agent.1 2011-05-28 21:13:10.086864993 +0200
|
||||
@@ -198,6 +198,23 @@ sockets used to contain the connection t
|
||||
@@ -198,6 +198,24 @@ sockets used to contain the connection t
|
||||
These sockets should only be readable by the owner.
|
||||
The sockets should get automatically removed when the agent exits.
|
||||
.El
|
||||
|
@ -158,13 +161,14 @@ diff -up openssh-5.8p2/ssh-agent.1.entropy openssh-5.8p2/ssh-agent.1
|
|||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
+.El
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
diff -up openssh-5.8p2/sshd.8.entropy openssh-5.8p2/sshd.8
|
||||
--- openssh-5.8p2/sshd.8.entropy 2010-11-05 00:20:14.000000000 +0100
|
||||
+++ openssh-5.8p2/sshd.8 2011-05-28 21:13:10.241861760 +0200
|
||||
@@ -937,6 +937,23 @@ concurrently for different ports, this c
|
||||
@@ -937,6 +937,24 @@ concurrently for different ports, this c
|
||||
started last).
|
||||
The content of this file is not sensitive; it can be world-readable.
|
||||
.El
|
||||
|
@ -185,13 +189,14 @@ diff -up openssh-5.8p2/sshd.8.entropy openssh-5.8p2/sshd.8
|
|||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
+.El
|
||||
.Sh SEE ALSO
|
||||
.Xr scp 1 ,
|
||||
.Xr sftp 1 ,
|
||||
diff -up openssh-5.8p2/ssh-keygen.1.entropy openssh-5.8p2/ssh-keygen.1
|
||||
--- openssh-5.8p2/ssh-keygen.1.entropy 2010-11-05 00:20:14.000000000 +0100
|
||||
+++ openssh-5.8p2/ssh-keygen.1 2011-05-28 21:13:10.389856432 +0200
|
||||
@@ -655,6 +655,23 @@ Contains Diffie-Hellman groups used for
|
||||
@@ -655,6 +655,24 @@ Contains Diffie-Hellman groups used for
|
||||
The file format is described in
|
||||
.Xr moduli 5 .
|
||||
.El
|
||||
|
@ -212,13 +217,14 @@ diff -up openssh-5.8p2/ssh-keygen.1.entropy openssh-5.8p2/ssh-keygen.1
|
|||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
+.El
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
diff -up openssh-5.8p2/ssh-keysign.8.entropy openssh-5.8p2/ssh-keysign.8
|
||||
--- openssh-5.8p2/ssh-keysign.8.entropy 2010-08-31 14:41:14.000000000 +0200
|
||||
+++ openssh-5.8p2/ssh-keysign.8 2011-05-28 21:17:32.399856797 +0200
|
||||
@@ -78,6 +78,23 @@ must be set-uid root if host-based authe
|
||||
@@ -78,6 +78,24 @@ must be set-uid root if host-based authe
|
||||
If these files exist they are assumed to contain public certificate
|
||||
information corresponding with the private keys above.
|
||||
.El
|
||||
|
@ -239,6 +245,7 @@ diff -up openssh-5.8p2/ssh-keysign.8.entropy openssh-5.8p2/ssh-keysign.8
|
|||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
+.El
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-keygen 1 ,
|
||||
|
|
|
@ -1,7 +1,20 @@
|
|||
diff -up openssh-5.8p1/sshconnect.c.getaddrinfo openssh-5.8p1/sshconnect.c
|
||||
--- openssh-5.8p1/sshconnect.c.getaddrinfo 2011-04-27 09:51:44.521384633 +0200
|
||||
+++ openssh-5.8p1/sshconnect.c 2011-04-27 09:53:21.224443308 +0200
|
||||
@@ -355,6 +355,7 @@ ssh_connect(const char *host, struct soc
|
||||
diff -up openssh-5.6p1/channels.c.getaddrinfo openssh-5.6p1/channels.c
|
||||
--- openssh-5.6p1/channels.c.getaddrinfo 2012-02-14 16:12:54.427852524 +0100
|
||||
+++ openssh-5.6p1/channels.c 2012-02-14 16:13:22.818928690 +0100
|
||||
@@ -3275,6 +3275,9 @@ x11_create_display_inet(int x11_display_
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_family = IPv4or6;
|
||||
hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
|
||||
+#ifdef AI_ADDRCONFIG
|
||||
+ hints.ai_flags |= AI_ADDRCONFIG;
|
||||
+#endif
|
||||
hints.ai_socktype = SOCK_STREAM;
|
||||
snprintf(strport, sizeof strport, "%d", port);
|
||||
if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
|
||||
diff -up openssh-5.6p1/sshconnect.c.getaddrinfo openssh-5.6p1/sshconnect.c
|
||||
--- openssh-5.6p1/sshconnect.c.getaddrinfo 2012-02-14 16:09:25.057964291 +0100
|
||||
+++ openssh-5.6p1/sshconnect.c 2012-02-14 16:09:25.106047007 +0100
|
||||
@@ -343,6 +343,7 @@ ssh_connect(const char *host, struct soc
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_family = family;
|
||||
hints.ai_socktype = SOCK_STREAM;
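Review bot: The `#ifdef AI_ADDRCONFIG` block added to x11_create_display_inet in the channels.c hunk has no comment saying why the listener lookup needs the flag, although it changes which address families the X11 forwarding socket can bind. With `AI_ADDRCONFIG`, some libc implementations ignore loopback when deciding which families are configured, so on a host that has only loopback addresses the lookup may return nothing and X11 forwarding would fail through the `gaierr` branch; that case is worth testing. A comment such as `/* only return families that have a configured address (rhbz#735889) */` above the `#ifdef` would record the intent. The sshconnect.c hunk is cut off before its added line, and both functions continue outside the hunks shown.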
|
||||
|
|
|
@ -1,14 +0,0 @@
|
|||
diff -up openssh-5.8p1/session.c.sftpcontext openssh-5.8p1/session.c
|
||||
--- openssh-5.8p1/session.c.sftpcontext 2011-04-05 19:46:53.674654050 +0200
|
||||
+++ openssh-5.8p1/session.c 2011-04-05 19:48:32.942658237 +0200
|
||||
@@ -1520,6 +1520,10 @@ do_setusercontext(struct passwd *pw)
|
||||
free(chroot_path);
|
||||
}
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ ssh_selinux_change_context("sshd_sftpd_t");
|
||||
+#endif
|
||||
+
|
||||
#ifdef HAVE_LOGIN_CAP
|
||||
if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) {
|
||||
perror("unable to set user context (setuser)");
|
|
@ -0,0 +1,18 @@
|
|||
diff -up openssh-5.8p2/contrib/Makefile.askpass-ld openssh-5.8p2/contrib/Makefile
|
||||
--- openssh-5.8p2/contrib/Makefile.askpass-ld 2011-08-08 22:54:06.050546199 +0200
|
||||
+++ openssh-5.8p2/contrib/Makefile 2011-08-08 22:54:43.364420118 +0200
|
||||
@@ -2,12 +2,12 @@ all:
|
||||
@echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
|
||||
|
||||
gnome-ssh-askpass1: gnome-ssh-askpass1.c
|
||||
- $(CC) `gnome-config --cflags gnome gnomeui` \
|
||||
+ $(CC) ${CFLAGS} `gnome-config --cflags gnome gnomeui` \
|
||||
gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \
|
||||
`gnome-config --libs gnome gnomeui`
|
||||
|
||||
gnome-ssh-askpass2: gnome-ssh-askpass2.c
|
||||
- $(CC) `pkg-config --cflags gtk+-2.0` \
|
||||
+ $(CC) ${CFLAGS} `pkg-config --cflags gtk+-2.0` \
|
||||
gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
|
||||
`pkg-config --libs gtk+-2.0 x11`
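Review bot: Both recipes compile and link in a single `$(CC)` invocation, so adding only `${CFLAGS}` leaves any linker flags the build exports unused for gnome-ssh-askpass1 and gnome-ssh-askpass2. If the distribution's hardening options are split between CFLAGS and LDFLAGS (not visible here), the linker half is still missing from these binaries, which handle passphrases. Starting each recipe with `$(CC) ${CFLAGS} ${LDFLAGS}` would cover both.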
|
||||
|
|
@ -0,0 +1,42 @@
|
|||
diff -up openssh-5.8p2/servconf.c.max-startups openssh-5.8p2/servconf.c
|
||||
--- openssh-5.8p2/servconf.c.max-startups 2013-02-08 16:54:23.003052391 +0100
|
||||
+++ openssh-5.8p2/servconf.c 2013-02-08 16:54:23.021052316 +0100
|
||||
@@ -262,11 +262,11 @@ fill_default_server_options(ServerOption
|
||||
if (options->gateway_ports == -1)
|
||||
options->gateway_ports = 0;
|
||||
if (options->max_startups == -1)
|
||||
- options->max_startups = 10;
|
||||
+ options->max_startups = 100;
|
||||
if (options->max_startups_rate == -1)
|
||||
- options->max_startups_rate = 100; /* 100% */
|
||||
+ options->max_startups_rate = 30; /* 30% */
|
||||
if (options->max_startups_begin == -1)
|
||||
- options->max_startups_begin = options->max_startups;
|
||||
+ options->max_startups_begin = 10;
|
||||
if (options->max_authtries == -1)
|
||||
options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
|
||||
if (options->max_sessions == -1)
|
||||
diff -up openssh-5.8p2/sshd_config.5.max-startups openssh-5.8p2/sshd_config.5
|
||||
--- openssh-5.8p2/sshd_config.5.max-startups 2013-02-08 16:54:23.004052387 +0100
|
||||
+++ openssh-5.8p2/sshd_config.5 2013-02-08 16:54:23.021052316 +0100
|
||||
@@ -778,7 +778,7 @@ SSH daemon.
|
||||
Additional connections will be dropped until authentication succeeds or the
|
||||
.Cm LoginGraceTime
|
||||
expires for a connection.
|
||||
-The default is 10.
|
||||
+The default is 10:30:100.
|
||||
.Pp
|
||||
Alternatively, random early drop can be enabled by specifying
|
||||
the three colon separated values
|
||||
diff -up openssh-5.8p2/sshd_config.max-startups openssh-5.8p2/sshd_config
|
||||
--- openssh-5.8p2/sshd_config.max-startups 2013-02-08 16:54:23.017052333 +0100
|
||||
+++ openssh-5.8p2/sshd_config 2013-02-08 16:54:23.021052316 +0100
|
||||
@@ -122,7 +122,7 @@ X11Forwarding yes
|
||||
#ShowPatchLevel no
|
||||
#UseDNS yes
|
||||
#PidFile /var/run/sshd.pid
|
||||
-#MaxStartups 10
|
||||
+#MaxStartups 10:30:100
|
||||
#PermitTunnel no
|
||||
#ChrootDirectory none
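Review bot: The new default for `max_startups_begin` in fill_default_server_options is the constant 10 instead of `options->max_startups`, so the two values are no longer tied together. If the config parser can set `max_startups` from a single-value `MaxStartups N` while leaving `max_startups_begin` at -1 (the parser is not visible here), an N below 10 would give a begin threshold above the hard limit. A guard after the defaults, `if (options->max_startups_begin > options->max_startups) options->max_startups_begin = options->max_startups;`, keeps them consistent. In the sshd_config.5 hunk, "The default is 10:30:100." now sits before the paragraph that introduces the three-value form, so the sentence should move below that explanation. The function continues outside the hunk.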
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
diff -up openssh-5.9p1/contrib/ssh-copy-id.restorecon openssh-5.9p1/contrib/ssh-copy-id
|
||||
--- openssh-5.9p1/contrib/ssh-copy-id.restorecon 2011-08-17 04:05:49.000000000 +0200
|
||||
+++ openssh-5.9p1/contrib/ssh-copy-id 2011-11-21 08:40:56.000000000 +0100
|
||||
@@ -41,7 +41,7 @@ fi
|
||||
# strip any trailing colon
|
||||
host=`echo $1 | sed 's/:$//'`
|
||||
|
||||
-{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys" || exit 1
|
||||
+{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys && (test -x /sbin/restorecon && /sbin/restorecon ~/.ssh ~/.ssh/authorized_keys >/dev/null 2>&1 || true)" || exit 1
|
||||
|
||||
cat <<EOF
|
||||
Now try logging into the machine, with "ssh '$host'", and check in:
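Review bot: The added `restorecon` call sends its output to `/dev/null` and ends in `|| true`, so a relabel that fails on the remote host is invisible to the user. On an SELinux host that outcome presumably means sshd cannot read `authorized_keys`, and the script would still print the "Now try logging into the machine" message. Keeping the call best-effort is reasonable, but dropping the `2>&1` so the error reaches the terminal, or adding a comment such as `# restorecon is best-effort; a failed relabel can make key login fail under SELinux`, would make that choice explicit. The unquoted `$host` on the same line should also become `"$host"` while the line is being touched.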
|
|
@ -14,9 +14,9 @@ diff -up openssh-5.8p2/sshd.8.ipv6man openssh-5.8p2/sshd.8
|
|||
--- openssh-5.8p2/sshd.8.ipv6man 2011-06-21 10:40:04.623457378 +0200
|
||||
+++ openssh-5.8p2/sshd.8 2011-06-21 10:40:05.289467631 +0200
|
||||
@@ -961,6 +961,8 @@ Minimum is 6 bytes.
|
||||
This setting is not recommended on the computers without the hardware
|
||||
random generator because insufficient entropy causes the connection to
|
||||
be blocked until enough entropy is available.
|
||||
.El
|
||||
+.Sh IPV6
|
||||
+IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
|
||||
.Sh SEE ALSO
|
||||
|
|
|
@ -0,0 +1,28 @@
|
|||
diff --git a/sshd.c b/sshd.c
|
||||
index 8dcfdf2..95b63ad 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -1592,6 +1592,10 @@ main(int ac, char **av)
|
||||
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
|
||||
&cfg, NULL, NULL, NULL);
|
||||
|
||||
+ /* 'UsePAM no' is not supported in Fedora */
|
||||
+ if (! options.use_pam)
|
||||
+ logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.");
|
||||
+
|
||||
seed_rng();
|
||||
|
||||
/* Fill in default values for those options not explicitly set. */
|
||||
diff --git a/sshd_config b/sshd_config
|
||||
index 8c16754..9f28b04 100644
|
||||
--- a/sshd_config
|
||||
+++ b/sshd_config
|
||||
@@ -92,6 +92,8 @@ GSSAPICleanupCredentials yes
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
|
||||
+# problems.
|
||||
#UsePAM no
|
||||
UsePAM yes
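Review bot: The `if (! options.use_pam)` test in main() runs before the defaults are filled in (the "Fill in default values" step follows `seed_rng()` just below), so it fires only when the configuration file explicitly says `UsePAM no`. If `use_pam` still holds its unset value at this point and the built-in default is off (the default is not visible in this hunk), a configuration that simply omits `UsePAM` would run without PAM and without the warning. Moving the check to after the defaults are applied would cover both cases. The same code path is taken when `rexeced_flag` is set, so the message may be logged once per connection rather than once at startup; confirm that is intended. main() continues outside the hunk.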
|
||||
|
|
@ -0,0 +1,24 @@
|
|||
diff -up openssh-5.8p2/moduli.0.man-moduli openssh-5.8p2/moduli.0
|
||||
--- openssh-5.8p2/moduli.0.man-moduli 2011-05-05 03:58:10.000000000 +0200
|
||||
+++ openssh-5.8p2/moduli.0 2012-11-06 10:18:11.301710631 +0100
|
||||
@@ -25,7 +25,7 @@ DESCRIPTION
|
||||
|
||||
0 Unknown, not tested
|
||||
2 "Safe" prime; (p-1)/2 is also prime.
|
||||
- 4 Sophie Germain; (p+1)*2 is also prime.
|
||||
+ 4 Sophie Germain; (p*2)+1 is also prime.
|
||||
|
||||
Moduli candidates initially produced by ssh-keygen(1)
|
||||
are Sophie Germain primes (type 4). Futher primality
|
||||
diff -up openssh-5.8p2/moduli.5.man-moduli openssh-5.8p2/moduli.5
|
||||
--- openssh-5.8p2/moduli.5.man-moduli 2008-06-26 07:59:32.000000000 +0200
|
||||
+++ openssh-5.8p2/moduli.5 2012-11-06 10:16:40.320224142 +0100
|
||||
@@ -62,7 +62,7 @@ Unknown, not tested
|
||||
.It 2
|
||||
"Safe" prime; (p-1)/2 is also prime.
|
||||
.It 4
|
||||
-Sophie Germain; (p+1)*2 is also prime.
|
||||
+Sophie Germain; (p*2)+1 is also prime.
|
||||
.El
|
||||
.Pp
|
||||
Moduli candidates initially produced by
|
|
@ -0,0 +1,63 @@
|
|||
diff -up openssh-5.9p0/openbsd-compat/port-linux.c.sftp-chroot openssh-5.9p0/openbsd-compat/port-linux.c
|
||||
--- openssh-5.9p0/openbsd-compat/port-linux.c.sftp-chroot 2011-09-01 04:12:22.743024608 +0200
|
||||
+++ openssh-5.9p0/openbsd-compat/port-linux.c 2011-09-01 04:12:23.069088065 +0200
|
||||
@@ -503,6 +503,23 @@ ssh_selinux_change_context(const char *n
|
||||
xfree(newctx);
|
||||
}
|
||||
|
||||
+void
|
||||
+ssh_selinux_copy_context(void)
|
||||
+{
|
||||
+ char *ctx;
|
||||
+
|
||||
+ if (!ssh_selinux_enabled())
|
||||
+ return;
|
||||
+
|
||||
+ if (getexeccon((security_context_t *)&ctx) < 0) {
|
||||
+ logit("%s: getcon failed with %s", __func__, strerror (errno));
|
||||
+ return;
|
||||
+ }
|
||||
+ if (setcon(ctx) < 0)
|
||||
+ logit("%s: setcon failed with %s", __func__, strerror (errno));
|
||||
+ xfree(ctx);
|
||||
+}
|
||||
+
|
||||
#endif /* WITH_SELINUX */
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
diff -up openssh-5.9p0/openbsd-compat/port-linux.h.sftp-chroot openssh-5.9p0/openbsd-compat/port-linux.h
|
||||
--- openssh-5.9p0/openbsd-compat/port-linux.h.sftp-chroot 2011-01-25 02:16:18.000000000 +0100
|
||||
+++ openssh-5.9p0/openbsd-compat/port-linux.h 2011-09-01 04:12:23.163088777 +0200
|
||||
@@ -24,6 +24,7 @@ int ssh_selinux_enabled(void);
|
||||
void ssh_selinux_setup_pty(char *, const char *);
|
||||
void ssh_selinux_setup_exec_context(char *);
|
||||
void ssh_selinux_change_context(const char *);
|
||||
+void ssh_selinux_chopy_context(void);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
#endif
|
||||
|
||||
diff -up openssh-5.9p0/session.c.sftp-chroot openssh-5.9p0/session.c
|
||||
--- openssh-5.9p0/session.c.sftp-chroot 2011-09-01 04:12:19.698049195 +0200
|
||||
+++ openssh-5.9p0/session.c 2011-09-01 04:40:03.598148719 +0200
|
||||
@@ -1519,6 +1519,9 @@ do_setusercontext(struct passwd *pw)
|
||||
pw->pw_uid);
|
||||
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
|
||||
"u", pw->pw_name, (char *)NULL);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ ssh_selinux_change_context("chroot_user_t");
|
||||
+#endif
|
||||
safely_chroot(chroot_path, pw->pw_uid);
|
||||
free(tmp);
|
||||
free(chroot_path);
|
||||
@@ -1788,7 +1791,10 @@ do_child(Session *s, const char *command
|
||||
optind = optreset = 1;
|
||||
__progname = argv[0];
|
||||
#ifdef WITH_SELINUX
|
||||
- ssh_selinux_change_context("sftpd_t");
|
||||
+ if (options.chroot_directory == NULL ||
|
||||
+ strcasecmp(options.chroot_directory, "none") == 0) {
|
||||
+ ssh_selinux_copy_context();
|
||||
+ }
|
||||
#endif
|
||||
exit(sftp_server_main(i, argv, s->pw));
|
||||
}
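Review bot: The prototype added to port-linux.h is spelled `ssh_selinux_chopy_context`, but port-linux.c defines and session.c calls `ssh_selinux_copy_context`, so the call in do_child is compiled without a declaration; the header line should read `void ssh_selinux_copy_context(void);`. Inside the new function, a failing `getexeccon()` is logged as "getcon failed" and the result is released with `xfree()` rather than libselinux's `freecon()`. `getexeccon()` can also succeed while leaving the context NULL when no exec context is set, which would hand NULL to `setcon()` and `xfree()`. A version with those three points addressed is sketched below. do_setusercontext and do_child start and end outside their hunks, and whether a failed `ssh_selinux_change_context("chroot_user_t")` should stop the chroot session cannot be judged from here.

```c
void
ssh_selinux_copy_context(void)
{
	security_context_t ctx = NULL;

	if (!ssh_selinux_enabled())
		return;

	if (getexeccon(&ctx) < 0) {
		logit("%s: getexeccon failed with %s", __func__, strerror(errno));
		return;
	}
	/* getexeccon() can succeed with a NULL context when none is set */
	if (ctx != NULL) {
		if (setcon(ctx) < 0)
			logit("%s: setcon failed with %s", __func__, strerror(errno));
		freecon(ctx);
	}
}
```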
|
64
openssh.spec
64
openssh.spec
|
@ -79,7 +79,7 @@
|
|||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%define openssh_ver 5.8p2
|
||||
%define openssh_rel 16
|
||||
%define openssh_rel 26
|
||||
%define pam_ssh_agent_ver 0.9.2
|
||||
%define pam_ssh_agent_rel 31
|
||||
|
||||
|
@ -116,6 +116,7 @@ Patch100: openssh-5.8p1-fingerprint.patch
|
|||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1879
|
||||
Patch200: openssh-5.8p1-exit.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1894
|
||||
#https://bugzilla.redhat.com/show_bug.cgi?id=735889
|
||||
Patch300: openssh-5.8p1-getaddrinfo.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
|
||||
Patch8: openssh-5.8p1-audit0.patch
|
||||
|
@ -145,9 +146,8 @@ Patch23: openssh-5.8p1-selinux-role.patch
|
|||
Patch24: openssh-5.8p1-mls.patch
|
||||
# #https://bugzilla.mindrot.org/show_bug.cgi?id=1614
|
||||
# Patch25: openssh-5.6p1-selabel.patch
|
||||
#was https://bugzilla.mindrot.org/show_bug.cgi?id=1637
|
||||
#?
|
||||
Patch26: openssh-5.8p1-sftpcontext.patch
|
||||
#https://bugzilla.redhat.com/show_bug.cgi?id=782078
|
||||
Patch26: openssh-5.8p2-sftp-chroot.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1668
|
||||
Patch30: openssh-5.6p1-keygen.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1644
|
||||
|
@ -190,10 +190,21 @@ Patch63: openssh-5.8p2-force_krb.patch
|
|||
Patch64: openssh-5.8p2-kuserok.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1329 (WONTFIX)
|
||||
Patch65: openssh-5.8p2-remove-stale-control-socket.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1919
|
||||
Patch66: openssh-5.8p2-ipv6man.patch
|
||||
#?
|
||||
Patch66: openssh-5.8p2-ipv6man.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1919
|
||||
Patch67: openssh-5.8p2-unconfined.patch
|
||||
#?
|
||||
Patch69: openssh-5.8p2-askpass-ld.patch
|
||||
#https://bugzilla.redhat.com/show_bug.cgi?id=739989
|
||||
Patch70: openssh-5.8p2-copy-id-restorecon.patch
|
||||
# warn users for unsupported UsePAM=no
|
||||
Patch71: openssh-5.8p2-log-usepam-no.patch
|
||||
#https://bugzilla.redhat.com/show_bug.cgi?id=841065
|
||||
Patch72: openssh-5.8p2-man-moduli.patch
|
||||
# change default value of MaxStartups - CVE-2010-5107 - #908707
|
||||
Patch73: openssh-5.8p2-change-max-startups.patch
|
||||
|
||||
#---
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1604
|
||||
# sctp
|
||||
|
@ -406,7 +417,7 @@ popd
|
|||
# %patch22 -p1 -b .selinux
|
||||
%patch23 -p1 -b .role
|
||||
%patch24 -p1 -b .mls
|
||||
%patch26 -p1 -b .sftpcontext
|
||||
%patch26 -p1 -b .sftp-chroot
|
||||
%endif
|
||||
%patch30 -p1 -b .keygen
|
||||
%patch31 -p1 -b .ip-opts
|
||||
|
@ -431,6 +442,11 @@ popd
|
|||
%patch65 -p1 -b .remove_stale
|
||||
%patch66 -p1 -b .ipv6man
|
||||
%patch67 -p1 -b .unconfined
|
||||
%patch69 -p1 -b .askpass-ld
|
||||
%patch70 -p1 -b .restorecon
|
||||
%patch71 -p1 -b .log-usepam-no
|
||||
%patch72 -p1 -b .man-moduli
|
||||
%patch73 -p1 -b .max-startups
|
||||
|
||||
autoreconf
|
||||
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||
|
@ -581,7 +597,7 @@ install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
|
|||
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
|
||||
|
||||
%if ! %{no_gnome_askpass}
|
||||
install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
|
||||
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
|
||||
%endif
|
||||
|
||||
%if ! %{scard}
|
||||
|
@ -768,8 +784,38 @@ fi
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Feb 08 2013 Petr Lautrbach <plautrba@redhat.com> 5.8p2-26 + 0.9.2-31
|
||||
- change default value of MaxStartups - CVE-2010-5107 (#908707)
|
||||
|
||||
* Wed Feb 22 2012 Petr Lautrbach <plautrba@redhat.com> 5.8p2-25 + 0.9.2-31
|
||||
- Look for x11 forward sockets with AI_ADDRCONFIG flag getaddrinfo (#735889)
|
||||
|
||||
* Tue Jan 31 2012 Petr Lautrbach <plautrba@redhat.com> 5.8p2-24 + 0.9.2-31
|
||||
- backport sftp+chroot+SELinux changes from Rawhide (#782078)
|
||||
|
||||
* Tue Dec 06 2011 Petr Lautrbach <plautrba@redhat.com> 5.8p2-23 + 0.9.2-31
|
||||
- warn about unsupported option UsePAM=no (#757545)
|
||||
|
||||
* Wed Nov 23 2011 Petr Lautrbach <plautrba@redhat.com> 5.8p2-22 + 0.9.2-31
|
||||
- add the restorecon call to ssh-copy-id - it might be needed on older
|
||||
distribution (#739989)
|
||||
- update openssh source file (#755531)
|
||||
|
||||
* Fri Nov 18 2011 Tomas Mraz <tmraz@redhat.com> - 5.8p2-21 + 0.9.2-31
|
||||
- still support /etc/sysconfig/sshd loading in sshd service (#754732)
|
||||
- fix incorrect key permissions generated by sshd-keygen script (#754779)
|
||||
|
||||
* Tue Aug 9 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-20 + 0.9.2-31
|
||||
- save ssh-askpass's debuginfo
|
||||
|
||||
* Mon Aug 8 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-19 + 0.9.2-31
|
||||
- compile ssh-askpass with corect CFLAGS
|
||||
|
||||
* Mon Aug 8 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-17 + 0.9.2-31
|
||||
- repair broken man pages
|
||||
|
||||
* Mon Jul 25 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-16 + 0.9.2-31
|
||||
- rebuild
|
||||
- rebuild due to broken rpmbiild
|
||||
|
||||
* Thu Jul 21 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-15 + 0.9.2-31
|
||||
- Do not change context when run under unconfined_t
|
||||
|
|
2
sources
2
sources
|
@ -1,2 +1,2 @@
|
|||
123003edd779504e12e1c8b58e7ce5dc openssh-5.8p2-noacss.tar.bz2
|
||||
5549d0b7b6bfadfd28eb90e63dd6f5f1 openssh-5.8p2-noacss.tar.bz2
|
||||
b68f1c385d7885fbe2c3626bf77aa3d6 pam_ssh_agent_auth-0.9.2.tar.bz2
|
||||
|
|
|
@ -23,7 +23,7 @@ do_rsa1_keygen() {
|
|||
rm -f $RSA1_KEY
|
||||
if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
|
||||
chgrp ssh_keys $RSA1_KEY
|
||||
chmod 640 $RSA1_KEY
|
||||
chmod 600 $RSA1_KEY
|
||||
chmod 644 $RSA1_KEY.pub
|
||||
if [ -x /sbin/restorecon ]; then
|
||||
/sbin/restorecon $RSA1_KEY.pub
|
||||
|
@ -44,7 +44,7 @@ do_rsa_keygen() {
|
|||
rm -f $RSA_KEY
|
||||
if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
|
||||
chgrp ssh_keys $RSA_KEY
|
||||
chmod 640 $RSA_KEY
|
||||
chmod 600 $RSA_KEY
|
||||
chmod 644 $RSA_KEY.pub
|
||||
if [ -x /sbin/restorecon ]; then
|
||||
/sbin/restorecon $RSA_KEY.pub
|
||||
|
@ -65,7 +65,7 @@ do_dsa_keygen() {
|
|||
rm -f $DSA_KEY
|
||||
if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
|
||||
chgrp ssh_keys $DSA_KEY
|
||||
chmod 640 $DSA_KEY
|
||||
chmod 600 $DSA_KEY
|
||||
chmod 644 $DSA_KEY.pub
|
||||
if [ -x /sbin/restorecon ]; then
|
||||
/sbin/restorecon $DSA_KEY.pub
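Review bot: The private-key mode in do_rsa1_keygen changes between `chmod 640` and `chmod 600` while `chgrp ssh_keys $RSA1_KEY` stays, and the same pair appears in do_rsa_keygen and do_dsa_keygen. The +/- markers are lost in this rendering, so which mode is the resulting one has to be confirmed against the raw diff. If the result is 640, every member of `ssh_keys` can read the host private keys, and a comment above the `chgrp` should name the program that needs group read access and state that the group must have no login members. If the result is 600, the retained `chgrp` grants the group nothing and is misleading. All three functions continue outside the hunks shown.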
|
||||
|
|
|
@ -5,6 +5,7 @@ Before=sshd.service
|
|||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
EnvironmentFile=/etc/sysconfig/sshd
|
||||
ExecStart=/usr/sbin/sshd-keygen
|
||||
RemainAfterExit=yes
|
||||
|
||||
|
|
|
@ -1,9 +1,10 @@
|
|||
[Unit]
|
||||
Description=OpenSSH server daemon.
|
||||
Description=OpenSSH server daemon
|
||||
After=syslog.target network.target auditd.service
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/sbin/sshd -D
|
||||
EnvironmentFile=/etc/sysconfig/sshd
|
||||
ExecStart=/usr/sbin/sshd -D $OPTIONS
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
|
||||
[Install]
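Review bot: `EnvironmentFile=/etc/sysconfig/sshd` is written without the leading `-`, so systemd will refuse to start the unit when that file is absent; the same line appears in the sshd-keygen unit and the per-connection unit sections. Unless the package guarantees the file exists (not visible here), `EnvironmentFile=-/etc/sysconfig/sshd` keeps sshd starting on hosts where the file was removed. `$OPTIONS` on the `ExecStart` line turns the file's contents into extra sshd arguments, so it is worth documenting that the file must remain writable by root only.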
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
[Unit]
|
||||
Description=OpenSSH Server Socket
|
||||
Conflicts=sshd.service
|
||||
|
||||
[Socket]
|
||||
|
|
|
@ -1,7 +1,8 @@
|
|||
[Unit]
|
||||
Description=OpenSSH per-connection server daemon.
|
||||
After=syslog.target
|
||||
Description=OpenSSH per-connection server daemon
|
||||
After=syslog.target auditd.service
|
||||
|
||||
[Service]
|
||||
ExecStart=-/usr/sbin/sshd -i
|
||||
EnvironmentFile=/etc/sysconfig/sshd
|
||||
ExecStart=-/usr/sbin/sshd -i $OPTIONS
|
||||
StandardInput=socket
|
||||
|
|