5.9p1-30 + 0.9.3-1

make sftp's libedit interface marginally multibyte aware (#841771 )
5.9p1-29 + 0.9.3-1
2013-06-20 11:02:48 +02:00 · 2013-06-20 10:47:09 +02:00 · 2013-02-08 16:02:30 +01:00 · 2013-02-08 16:01:23 +01:00 · 2012-11-26 16:51:43 +01:00 · 2012-11-26 16:18:50 +01:00
9 changed files with 420 additions and 250 deletions
--- a/openssh-5.8p1-gssapi-canohost.patch
+++ b/openssh-5.8p1-gssapi-canohost.patch
@ -1,24 +0,0 @@
-diff -up openssh-5.8p1/sshconnect2.c.canohost openssh-5.8p1/sshconnect2.c
--- openssh-5.8p1/sshconnect2.c.canohost	2011-02-14 15:15:15.000000000 +0100
-+++ openssh-5.8p1/sshconnect2.c	2011-02-14 15:21:45.000000000 +0100
-@@ -697,14 +697,17 @@ userauth_gssapi(Authctxt *authctxt)
- 	static u_int mech = 0;
- 	OM_uint32 min;
- 	int ok = 0;
-	const char *gss_host;
-+	const char *gss_host = NULL;
- 
- 	if (options.gss_server_identity)
- 		gss_host = options.gss_server_identity;
- 	else if (options.gss_trust_dns)
- 		gss_host = get_canonical_hostname(1);
-	else
-		gss_host = authctxt->host;
-+	else {
-+		gss_host = get_canonical_hostname(1);
-+		if ( strcmp( gss_host, "UNKNOWN" )  == 0 )
-+			gss_host = authctxt->host;
-+	}
- 
- 	/* Try one GSSAPI method at a time, rather than sending them all at
- 	 * once. */
--- a/openssh-5.9p1-change-max-startups.patch
+++ b/openssh-5.9p1-change-max-startups.patch
@ -0,0 +1,42 @@
+diff -up openssh-5.9p1/servconf.c.max-startups openssh-5.9p1/servconf.c
+--- openssh-5.9p1/servconf.c.max-startups	2013-02-08 15:59:09.785709477 +0100
+++ openssh-5.9p1/servconf.c	2013-02-08 15:59:09.792709448 +0100
+@@ -265,11 +265,11 @@ fill_default_server_options(ServerOption
+ 	if (options->gateway_ports == -1)
+ 		options->gateway_ports = 0;
+ 	if (options->max_startups == -1)
+-		options->max_startups = 10;
+		options->max_startups = 100;
+ 	if (options->max_startups_rate == -1)
+-		options->max_startups_rate = 100;		/* 100% */
+		options->max_startups_rate = 30;		/* 30% */
+ 	if (options->max_startups_begin == -1)
+-		options->max_startups_begin = options->max_startups;
+		options->max_startups_begin = 10;
+ 	if (options->max_authtries == -1)
+ 		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
+ 	if (options->max_sessions == -1)
+diff -up openssh-5.9p1/sshd_config.5.max-startups openssh-5.9p1/sshd_config.5
+--- openssh-5.9p1/sshd_config.5.max-startups	2013-02-08 15:59:09.786709473 +0100
+++ openssh-5.9p1/sshd_config.5	2013-02-08 15:59:09.793709444 +0100
+@@ -796,7 +796,7 @@ SSH daemon.
+ Additional connections will be dropped until authentication succeeds or the
+ .Cm LoginGraceTime
+ expires for a connection.
+-The default is 10.
+The default is 10:30:100.
+ .Pp
+ Alternatively, random early drop can be enabled by specifying
+ the three colon separated values
+diff -up openssh-5.9p1/sshd_config.max-startups openssh-5.9p1/sshd_config
+--- openssh-5.9p1/sshd_config.max-startups	2013-02-08 15:59:09.000000000 +0100
+++ openssh-5.9p1/sshd_config	2013-02-08 16:00:03.784485797 +0100
+@@ -120,7 +120,7 @@ X11Forwarding yes
+ #ShowPatchLevel no
+ #UseDNS yes
+ #PidFile /var/run/sshd.pid
+-#MaxStartups 10
+#MaxStartups 10:30:100
+ #PermitTunnel no
+ #ChrootDirectory none
+ 
--- a/openssh-5.9p1-gssapi-canohost.patch
+++ b/openssh-5.9p1-gssapi-canohost.patch
@ -0,0 +1,21 @@
+diff -up openssh-5.9p1/sshconnect2.c.canohost openssh-5.9p1/sshconnect2.c
+--- openssh-5.9p1/sshconnect2.c.canohost	2012-10-31 16:42:37.598288999 +0100
+++ openssh-5.9p1/sshconnect2.c	2012-10-31 16:47:40.963288964 +0100
+@@ -699,12 +699,15 @@ userauth_gssapi(Authctxt *authctxt)
+ 	static u_int mech = 0;
+ 	OM_uint32 min;
+ 	int ok = 0;
+-	const char *gss_host;
+	const char *gss_host = NULL;
+ 
+ 	if (options.gss_server_identity)
+ 		gss_host = options.gss_server_identity;
+-	else if (options.gss_trust_dns)
+	else if (options.gss_trust_dns) {
+ 		gss_host = get_canonical_hostname(1);
+		if ( strcmp( gss_host, "UNKNOWN" )  == 0 )
+			gss_host = authctxt->host;
+	}
+ 	else
+ 		gss_host = authctxt->host;
+ 
--- a/openssh-5.9p1-ipqos.patch
+++ b/openssh-5.9p1-ipqos.patch
@ -0,0 +1,12 @@
+diff -up openssh-5.9p1/packet.c.ipqos openssh-5.9p1/packet.c
+--- openssh-5.9p1/packet.c.ipqos	2012-11-26 16:15:50.664604385 +0100
+++ openssh-5.9p1/packet.c	2012-11-26 16:15:50.793603960 +0100
+@@ -435,8 +435,6 @@ packet_connection_af(void)
+ 	if (getsockname(active_state->connection_out, (struct sockaddr *)&to,
+ 	    &tolen) < 0)
+ 		return 0;
+-	if (to.ss_family == AF_INET)
+-		return 1;
+ #ifdef IPV4_IN_IPV6
+ 	if (to.ss_family == AF_INET6 &&
+ 	    IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)&to)->sin6_addr))
--- a/openssh-5.9p1-man-moduli.patch
+++ b/openssh-5.9p1-man-moduli.patch
@ -0,0 +1,24 @@
+diff -up openssh-6.1p1/moduli.0.man-moduli openssh-6.1p1/moduli.0
+--- openssh-6.1p1/moduli.0.man-moduli	2012-11-06 09:42:13.677062887 +0100
+++ openssh-6.1p1/moduli.0	2012-11-06 09:42:58.693543381 +0100
+@@ -25,7 +25,7 @@ DESCRIPTION
+ 
+                         0     Unknown, not tested.
+                         2     "Safe" prime; (p-1)/2 is also prime.
+-                        4     Sophie Germain; (p+1)*2 is also prime.
+                        4     Sophie Germain; (p*2)+1 is also prime.
+ 
+                         Moduli candidates initially produced by ssh-keygen(1)
+                         are Sophie Germain primes (type 4).  Further primality
+diff -up openssh-6.1p1/moduli.5.man-moduli openssh-6.1p1/moduli.5
+--- openssh-6.1p1/moduli.5.man-moduli	2012-11-06 09:42:17.730035388 +0100
+++ openssh-6.1p1/moduli.5	2012-11-06 09:43:31.403180375 +0100
+@@ -61,7 +61,7 @@ Unknown, not tested.
+ .It 2
+ "Safe" prime; (p-1)/2 is also prime.
+ .It 4
+-Sophie Germain; (p+1)*2 is also prime.
+Sophie Germain; (p*2)+1 is also prime.
+ .El
+ .Pp
+ Moduli candidates initially produced by
--- a/openssh-5.9p1-required-authentications.patch
+++ b/openssh-5.9p1-required-authentications.patch
@ -1,128 +1,6 @@
-diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
--- openssh-5.9p1/auth.c.required-authentication	2012-07-27 12:21:41.181601972 +0200
-+++ openssh-5.9p1/auth.c	2012-07-27 12:21:41.203602020 +0200
-@@ -251,7 +251,8 @@ allowed_user(struct passwd * pw)
- }
- 
- void
-auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
-+auth_log(Authctxt *authctxt, int authenticated, const char *method,
-+    const char *submethod, const char *info)
- {
- 	void (*authlog) (const char *fmt,...) = verbose;
- 	char *authmsg;
-@@ -271,9 +272,10 @@ auth_log(Authctxt *authctxt, int authent
- 	else
- 		authmsg = authenticated ? "Accepted" : "Failed";
- 
-	authlog("%s %s for %s%.100s from %.200s port %d%s",
-+	authlog("%s %s%s%s for %s%.100s from %.200s port %d%s",
- 	    authmsg,
- 	    method,
-+	    submethod == NULL ? "" : "/", submethod == NULL ? "" : submethod,
- 	    authctxt->valid ? "" : "invalid user ",
- 	    authctxt->user,
- 	    get_remote_ipaddr(),
-@@ -303,7 +305,7 @@ auth_log(Authctxt *authctxt, int authent
-  * Check whether root logins are disallowed.
-  */
- int
-auth_root_allowed(char *method)
-+auth_root_allowed(const char *method)
- {
- 	switch (options.permit_root_login) {
- 	case PERMIT_YES:
-@@ -694,3 +696,57 @@ fakepw(void)
- 
- 	return (&fake);
- }
-+
-+int
-+auth_method_in_list(const char *list, const char *method)
-+{
-+	char *cp;
-+
-+	cp = match_list(method, list, NULL);
-+	if (cp != NULL) {
-+		xfree(cp);
-+		return 1;
-+	}
-+
-+	return 0;
-+}
-+
-+#define	DELIM	","
-+int
-+auth_remove_from_list(char **list, const char *method)
-+{
-+	char *oldlist, *cp, *newlist = NULL;
-+	u_int len = 0, ret = 0;
-+
-+	if (list == NULL || *list == NULL)
-+		return (0);
-+
-+	oldlist = *list;
-+	len = strlen(oldlist) + 1;
-+	newlist = xmalloc(len);
-+	memset(newlist, '\0', len);
-+
-+	/* Remove method from list, if present */
-+	for (;;) {
-+		if ((cp = strsep(&oldlist, DELIM)) == NULL)
-+			break;
-+		if (*cp == '\0')
-+			continue;
-+		if (strcmp(cp, method) != 0) {
-+			if (*newlist != '\0')
-+				strlcat(newlist, DELIM, len);
-+			strlcat(newlist, cp, len);
-+		} else
-+			ret++;
-+	}
-+
-+	/* Return NULL instead of empty list */
-+	if (*newlist == '\0') {
-+		xfree(newlist);
-+		newlist = NULL;
-+	}
-+	xfree(*list);
-+	*list = newlist;
-+	
-+	return (ret);
-+}
-diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
--- openssh-5.9p1/auth.h.required-authentication	2011-05-29 13:39:38.000000000 +0200
-+++ openssh-5.9p1/auth.h	2012-07-27 12:21:41.204602022 +0200
-@@ -142,10 +142,11 @@ void disable_forwarding(void);
- void	do_authentication(Authctxt *);
- void	do_authentication2(Authctxt *);
- 
-void	auth_log(Authctxt *, int, char *, char *);
-void	userauth_finish(Authctxt *, int, char *);
-+void	auth_log(Authctxt *, int, const char *, const char *, const char *);
-+void	userauth_finish(Authctxt *, int, const char *, const char *);
-+int	auth_root_allowed(const char *);
-+
- void	userauth_send_banner(const char *);
-int	auth_root_allowed(char *);
- 
- char	*auth2_read_banner(void);
- 
-@@ -192,6 +193,11 @@ void	 auth_debug_send(void);
- void	 auth_debug_reset(void);
- 
- struct passwd *fakepw(void);
-+int	 auth_method_in_list(const char *, const char *);
-+int	 auth_remove_from_list(char **, const char *);
-+
-+int	 auth1_check_required(const char *);
-+int	 auth2_check_required(const char *);
- 
- int	 sys_auth_passwd(Authctxt *, const char *);
- 
 diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
 --- openssh-5.9p1/auth1.c.required-authentication	2010-08-31 14:36:39.000000000 +0200
-+++ openssh-5.9p1/auth1.c	2012-07-27 12:50:50.708706675 +0200
+++ openssh-5.9p1/auth1.c	2012-11-26 15:36:02.138986418 +0100
@@ -98,6 +98,55 @@ static const struct AuthMethod1
 	return (NULL);
 }
@ -281,9 +159,22 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
 
 		packet_start(SSH_SMSG_FAILURE);
 		packet_send();
+diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2-chall.c
+--- openssh-5.9p1/auth2-chall.c.required-authentication	2009-01-28 06:13:39.000000000 +0100
+++ openssh-5.9p1/auth2-chall.c	2012-11-26 15:36:02.138986418 +0100
+@@ -341,7 +341,8 @@ input_userauth_info_response(int type, u
+ 			auth2_challenge_start(authctxt);
+ 		}
+ 	}
+-	userauth_finish(authctxt, authenticated, method);
+	userauth_finish(authctxt, authenticated, "keyboard-interactive",
+	    authctxt->kbdintctxt?kbdintctxt->device->name:NULL);
+ 	xfree(method);
+ }
+ 
 diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
 --- openssh-5.9p1/auth2.c.required-authentication	2011-05-05 06:04:11.000000000 +0200
-+++ openssh-5.9p1/auth2.c	2012-07-27 12:51:59.048241612 +0200
+++ openssh-5.9p1/auth2.c	2012-11-26 15:36:02.138986418 +0100
@@ -215,7 +215,7 @@ input_userauth_request(int type, u_int32
 {
 	Authctxt *authctxt = ctxt;
@ -454,7 +345,7 @@ diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
 +
 diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-gss.c
 --- openssh-5.9p1/auth2-gss.c.required-authentication	2011-05-05 06:04:11.000000000 +0200
-+++ openssh-5.9p1/auth2-gss.c	2012-07-27 12:21:41.206602026 +0200
+++ openssh-5.9p1/auth2-gss.c	2012-11-26 15:36:02.138986418 +0100
@@ -163,7 +163,7 @@ input_gssapi_token(int type, u_int32_t p
 		}
 		authctxt->postponed = 0;
@ -482,22 +373,9 @@ diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-g
 }
 
 Authmethod method_gssapi = {
-diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2-chall.c
--- openssh-5.9p1/auth2-chall.c.required-authentication	2009-01-28 06:13:39.000000000 +0100
-+++ openssh-5.9p1/auth2-chall.c	2012-07-27 12:21:41.206602026 +0200
-@@ -341,7 +341,8 @@ input_userauth_info_response(int type, u
- 			auth2_challenge_start(authctxt);
- 		}
- 	}
-	userauth_finish(authctxt, authenticated, method);
-+	userauth_finish(authctxt, authenticated, "keyboard-interactive",
-+	    authctxt->kbdintctxt?kbdintctxt->device->name:NULL);
- 	xfree(method);
- }
- 
 diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-none.c
 --- openssh-5.9p1/auth2-none.c.required-authentication	2010-06-26 02:01:33.000000000 +0200
-+++ openssh-5.9p1/auth2-none.c	2012-07-27 12:21:41.207602028 +0200
+++ openssh-5.9p1/auth2-none.c	2012-11-26 15:36:02.139986402 +0100
@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
 {
 	none_enabled = 0;
@ -507,9 +385,131 @@ diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-
 		return (PRIVSEP(auth_password(authctxt, "")));
 	return (0);
 }
+diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
+--- openssh-5.9p1/auth.c.required-authentication	2012-11-26 15:27:28.134216999 +0100
+++ openssh-5.9p1/auth.c	2012-11-26 15:36:02.137986437 +0100
+@@ -251,7 +251,8 @@ allowed_user(struct passwd * pw)
+ }
+ 
+ void
+-auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
+auth_log(Authctxt *authctxt, int authenticated, const char *method,
+    const char *submethod, const char *info)
+ {
+ 	void (*authlog) (const char *fmt,...) = verbose;
+ 	char *authmsg;
+@@ -271,9 +272,10 @@ auth_log(Authctxt *authctxt, int authent
+ 	else
+ 		authmsg = authenticated ? "Accepted" : "Failed";
+ 
+-	authlog("%s %s for %s%.100s from %.200s port %d%s",
+	authlog("%s %s%s%s for %s%.100s from %.200s port %d%s",
+ 	    authmsg,
+ 	    method,
+	    submethod == NULL ? "" : "/", submethod == NULL ? "" : submethod,
+ 	    authctxt->valid ? "" : "invalid user ",
+ 	    authctxt->user,
+ 	    get_remote_ipaddr(),
+@@ -303,7 +305,7 @@ auth_log(Authctxt *authctxt, int authent
+  * Check whether root logins are disallowed.
+  */
+ int
+-auth_root_allowed(char *method)
+auth_root_allowed(const char *method)
+ {
+ 	switch (options.permit_root_login) {
+ 	case PERMIT_YES:
+@@ -694,3 +696,57 @@ fakepw(void)
+ 
+ 	return (&fake);
+ }
+
+int
+auth_method_in_list(const char *list, const char *method)
+{
+	char *cp;
+
+	cp = match_list(method, list, NULL);
+	if (cp != NULL) {
+		xfree(cp);
+		return 1;
+	}
+
+	return 0;
+}
+
+#define	DELIM	","
+int
+auth_remove_from_list(char **list, const char *method)
+{
+	char *oldlist, *cp, *newlist = NULL;
+	u_int len = 0, ret = 0;
+
+	if (list == NULL || *list == NULL)
+		return (0);
+
+	oldlist = *list;
+	len = strlen(oldlist) + 1;
+	newlist = xmalloc(len);
+	memset(newlist, '\0', len);
+
+	/* Remove method from list, if present */
+	for (;;) {
+		if ((cp = strsep(&oldlist, DELIM)) == NULL)
+			break;
+		if (*cp == '\0')
+			continue;
+		if (strcmp(cp, method) != 0) {
+			if (*newlist != '\0')
+				strlcat(newlist, DELIM, len);
+			strlcat(newlist, cp, len);
+		} else
+			ret++;
+	}
+
+	/* Return NULL instead of empty list */
+	if (*newlist == '\0') {
+		xfree(newlist);
+		newlist = NULL;
+	}
+	xfree(*list);
+	*list = newlist;
+	
+	return (ret);
+}
+diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
+--- openssh-5.9p1/auth.h.required-authentication	2011-05-29 13:39:38.000000000 +0200
+++ openssh-5.9p1/auth.h	2012-11-26 15:36:02.138986418 +0100
+@@ -142,10 +142,11 @@ void disable_forwarding(void);
+ void	do_authentication(Authctxt *);
+ void	do_authentication2(Authctxt *);
+ 
+-void	auth_log(Authctxt *, int, char *, char *);
+-void	userauth_finish(Authctxt *, int, char *);
+void	auth_log(Authctxt *, int, const char *, const char *, const char *);
+void	userauth_finish(Authctxt *, int, const char *, const char *);
+int	auth_root_allowed(const char *);
+
+ void	userauth_send_banner(const char *);
+-int	auth_root_allowed(char *);
+ 
+ char	*auth2_read_banner(void);
+ 
+@@ -192,6 +193,11 @@ void	 auth_debug_send(void);
+ void	 auth_debug_reset(void);
+ 
+ struct passwd *fakepw(void);
+int	 auth_method_in_list(const char *, const char *);
+int	 auth_remove_from_list(char **, const char *);
+
+int	 auth1_check_required(const char *);
+int	 auth2_check_required(const char *);
+ 
+ int	 sys_auth_passwd(Authctxt *, const char *);
+ 
 diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
--- openssh-5.9p1/monitor.c.required-authentication	2012-07-27 12:21:41.161601930 +0200
-+++ openssh-5.9p1/monitor.c	2012-07-27 12:51:18.884927066 +0200
+--- openssh-5.9p1/monitor.c.required-authentication	2012-11-26 15:27:28.128217022 +0100
+++ openssh-5.9p1/monitor.c	2012-11-26 15:36:02.140986390 +0100
@@ -199,6 +199,7 @@ static int key_blobtype = MM_NOKEY;
 static char *hostbased_cuser = NULL;
 static char *hostbased_chost = NULL;
@ -708,8 +708,8 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 }
 
 diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf.c
--- openssh-5.9p1/servconf.c.required-authentication	2012-07-27 12:21:41.167601942 +0200
-+++ openssh-5.9p1/servconf.c	2012-07-27 12:21:41.209602032 +0200
+--- openssh-5.9p1/servconf.c.required-authentication	2012-11-26 15:27:28.129217018 +0100
+++ openssh-5.9p1/servconf.c	2012-11-26 15:36:02.140986390 +0100
@@ -42,6 +42,8 @@
 #include "key.h"
 #include "kex.h"
@ -745,56 +745,77 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
 	{ "ipqos", sIPQoS, SSHCFG_ALL },
 	{ NULL, sBadOption, 0 }
 };
-@@ -1220,6 +1227,33 @@ process_server_config_line(ServerOptions
+@@ -1220,6 +1227,37 @@ process_server_config_line(ServerOptions
 			options->max_startups = options->max_startups_begin;
 		break;
 
 +
 +	case sRequiredAuthentications1:
-+		charptr = &options->required_auth1;
-+		arg = strdelim(&cp);
-+		if (!arg || *arg == '\0')
-+			fatal("%.200s line %d: Missing argument.",
-+			    filename, linenum);
-+		if (auth1_check_required(arg) != 0)
-+			fatal("%.200s line %d: Invalid required authentication "
-+			    "list", filename, linenum);
-+		if (*charptr == NULL)
-+			*charptr = xstrdup(arg);
-+		break;
+		if (*activep && options->required_auth1 == NULL) {
+			charptr = &options->required_auth1;
+			arg = strdelim(&cp);
+			if (!arg || *arg == '\0')
+				fatal("%.200s line %d: Missing argument.",
+				    filename, linenum);
+			if (auth1_check_required(arg) != 0)
+				fatal("%.200s line %d: Invalid required authentication "
+				    "list", filename, linenum);
+			if (*charptr == NULL)
+				*charptr = xstrdup(arg);
+		}
+		return 0;
 +
 +	case sRequiredAuthentications2:
-+		charptr = &options->required_auth2;
-+		arg = strdelim(&cp);
-+		if (!arg || *arg == '\0')
-+			fatal("%.200s line %d: Missing argument.",
-+			    filename, linenum);
-+		if (auth2_check_required(arg) != 0)
-+			fatal("%.200s line %d: Invalid required authentication "
-+			    "list", filename, linenum);
-+		if (*charptr == NULL)
-+			*charptr = xstrdup(arg);
-+		break;
+		if (*activep && options->required_auth2 == NULL) {
+			charptr = &options->required_auth2;
+			arg = strdelim(&cp);
+			if (!arg || *arg == '\0')
+				fatal("%.200s line %d: Missing argument.",
+				    filename, linenum);
+			if (auth2_check_required(arg) != 0)
+				fatal("%.200s line %d: Invalid required authentication "
+				    "list", filename, linenum);
+			if (*charptr == NULL)
+				*charptr = xstrdup(arg);
+		}
+		return 0;
 +
 	case sMaxAuthTries:
 		intptr = &options->max_authtries;
 		goto parse_int;
+@@ -1776,6 +1814,7 @@ dump_config(ServerOptions *o)
+ 	dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
+ 	dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
+ 	dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
+	dump_cfg_string(sRequiredAuthentications2, o->required_auth2);
+ 
+ 	/* other arguments */
+ 	for (i = 0; i < o->num_subsystems; i++)
 diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf.h
 --- openssh-5.9p1/servconf.h.required-authentication	2011-06-23 00:30:03.000000000 +0200
-+++ openssh-5.9p1/servconf.h	2012-07-27 12:21:41.210602035 +0200
+++ openssh-5.9p1/servconf.h	2012-11-26 15:40:11.694443938 +0100
@@ -154,6 +154,9 @@ typedef struct {
 	u_int num_authkeys_files;	/* Files containing public keys */
 	char   *authorized_keys_files[MAX_AUTHKEYS_FILES];
 
-+	char   *required_auth1; /* Required, but not sufficient */
+	char   *required_auth1;
 +	char   *required_auth2;
 +
 	char   *adm_forced_command;
 
 	int	use_pam;		/* Enable auth via PAM */
+@@ -180,6 +183,8 @@ typedef struct {
+ 		M_CP_STROPT(revoked_keys_file); \
+ 		M_CP_STROPT(authorized_principals_file); \
+ 		M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
+		M_CP_STROPT(required_auth1); \
+		M_CP_STROPT(required_auth2); \
+ 	} while (0)
+ 
+ void	 initialize_server_options(ServerOptions *);
 diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_config.5
 --- openssh-5.9p1/sshd_config.5.required-authentication	2011-08-05 22:17:33.000000000 +0200
-+++ openssh-5.9p1/sshd_config.5	2012-07-27 12:38:47.607222070 +0200
+++ openssh-5.9p1/sshd_config.5	2012-11-26 15:36:02.141986377 +0100
@@ -723,6 +723,8 @@ Available keywords are
 .Cm PermitOpen ,
 .Cm PermitRootLogin ,
@ -804,25 +825,36 @@ diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_
 .Cm PubkeyAuthentication ,
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
-@@ -920,6 +922,21 @@ Specifies a list of revoked public keys.
+@@ -920,6 +922,32 @@ Specifies a list of revoked public keys.
 Keys listed in this file will be refused for public key authentication.
 Note that if this file is not readable, then public key authentication will
 be refused for all users.
 +.It Cm RequiredAuthentications[12]
-+ Specifies required methods of authentications that has to succeed before authorizing the connection.
-+ (RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)
-+
-+ RequiredAuthentications1 method[,method...] 
-+ RequiredAuthentications2 method[,method...]
-+
+Specifies required methods of authentications that has to succeed before 
+authorizing the connection. (RequiredAuthentication1 for Protocol version 1, 
+and RequiredAuthentication2 for v2)
+.Pp
+.Bl -item -offset indent -compact
+.It
+RequiredAuthentications1 method[,method...] 
+.It
+RequiredAuthentications2 method[,method...]
+.El
 +.Pp
 +Example 1:
-+
-+ RequiredAuthentications2 password,hostbased
-+
+.Bl -item -offset indent -compact
+RequiredAuthentications2 password,hostbased
+.El
 +Example 2:
-+ RequiredAuthentications2 publickey,password
-+
+.Bl -item -offset indent -compact
+RequiredAuthentications2 publickey,password
+.El
+.Pp
+Available methods:
+.Bl -item -offset indent -compact
+.It
+password, keyboard-interactive, publickey, hostbased, gssapi-keyex, gssapi-with-mic
+.El
 .It Cm RhostsRSAAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful RSA host authentication is allowed.
--- a/openssh-5.9p1-sftp-chroot.patch
+++ b/openssh-5.9p1-sftp-chroot.patch
@ -1,14 +1,14 @@
-diff -up openssh-5.9p0/openbsd-compat/port-linux.c.sftp-chroot openssh-5.9p0/openbsd-compat/port-linux.c
--- openssh-5.9p0/openbsd-compat/port-linux.c.sftp-chroot	2011-09-01 04:12:22.743024608 +0200
-+++ openssh-5.9p0/openbsd-compat/port-linux.c	2011-09-01 04:12:23.069088065 +0200
-@@ -503,6 +503,23 @@ ssh_selinux_change_context(const char *n
+diff -up openssh-5.9p1/openbsd-compat/port-linux.c.sftp-chroot openssh-5.9p1/openbsd-compat/port-linux.c
+--- openssh-5.9p1/openbsd-compat/port-linux.c.sftp-chroot	2012-11-05 16:32:23.932502573 +0100
+++ openssh-5.9p1/openbsd-compat/port-linux.c	2012-11-05 16:34:28.383235006 +0100
+@@ -503,6 +503,25 @@ ssh_selinux_change_context(const char *n
 	xfree(newctx);
 }
 
 +void
 +ssh_selinux_copy_context(void)
 +{
-+	char *ctx;
+	security_context_t *ctx;
 +
 +	if (!ssh_selinux_enabled())
 +		return;
@ -17,17 +17,19 @@ diff -up openssh-5.9p0/openbsd-compat/port-linux.c.sftp-chroot openssh-5.9p0/ope
 +		logit("%s: getcon failed with %s", __func__, strerror (errno));
 +		return;
 +	}
-+	if (setcon(ctx) < 0)
-+		logit("%s: setcon failed with %s", __func__, strerror (errno));
-+	xfree(ctx);
+	if (ctx != NULL) {
+		if (setcon(ctx) < 0)
+			logit("%s: setcon failed with %s", __func__, strerror (errno));
+		freecon(ctx);
+	}
 +}
 +
 #endif /* WITH_SELINUX */
 
 #ifdef LINUX_OOM_ADJUST
-diff -up openssh-5.9p0/openbsd-compat/port-linux.h.sftp-chroot openssh-5.9p0/openbsd-compat/port-linux.h
--- openssh-5.9p0/openbsd-compat/port-linux.h.sftp-chroot	2011-01-25 02:16:18.000000000 +0100
-+++ openssh-5.9p0/openbsd-compat/port-linux.h	2011-09-01 04:12:23.163088777 +0200
+diff -up openssh-5.9p1/openbsd-compat/port-linux.h.sftp-chroot openssh-5.9p1/openbsd-compat/port-linux.h
+--- openssh-5.9p1/openbsd-compat/port-linux.h.sftp-chroot	2011-01-25 02:16:18.000000000 +0100
+++ openssh-5.9p1/openbsd-compat/port-linux.h	2012-11-05 16:32:23.935502591 +0100
@@ -24,6 +24,7 @@ int ssh_selinux_enabled(void);
 void ssh_selinux_setup_pty(char *, const char *);
 void ssh_selinux_setup_exec_context(char *);
@ -36,9 +38,9 @@ diff -up openssh-5.9p0/openbsd-compat/port-linux.h.sftp-chroot openssh-5.9p0/ope
 void ssh_selinux_setfscreatecon(const char *);
 #endif
 
-diff -up openssh-5.9p0/session.c.sftp-chroot openssh-5.9p0/session.c
--- openssh-5.9p0/session.c.sftp-chroot	2011-09-01 04:12:19.698049195 +0200
-+++ openssh-5.9p0/session.c	2011-09-01 04:40:03.598148719 +0200
+diff -up openssh-5.9p1/session.c.sftp-chroot openssh-5.9p1/session.c
+--- openssh-5.9p1/session.c.sftp-chroot	2012-11-05 16:32:23.913502453 +0100
+++ openssh-5.9p1/session.c	2012-11-05 16:32:23.935502591 +0100
@@ -1519,6 +1519,9 @@ do_setusercontext(struct passwd *pw)
 			    pw->pw_uid);
 			chroot_path = percent_expand(tmp, "h", pw->pw_dir,
--- a/openssh-5.9p1-sftp-multibyte.patch
+++ b/openssh-5.9p1-sftp-multibyte.patch
@ -0,0 +1,59 @@
+diff -U0 openssh-5.9p1/ChangeLog.sftp-multibyte openssh-5.9p1/ChangeLog
+--- openssh-5.9p1/ChangeLog.sftp-multibyte	2011-09-07 01:13:15.000000000 +0200
+++ openssh-5.9p1/ChangeLog	2013-06-20 10:46:26.236734807 +0200
+@@ -0,0 +1,8 @@
+20130605
+   - dtucker@cvs.openbsd.org 2013/06/04 20:42:36
+     [sftp.c]
+     Make sftp's libedit interface marginally multibyte aware by building up
+     the quoted string by character instead of by byte.  Prevents failures
+     when linked against a libedit built with wide character support (bz#1990).
+     "looks ok" djm
+
+diff -up openssh-5.9p1/sftp.c.sftp-multibyte openssh-5.9p1/sftp.c
+--- openssh-5.9p1/sftp.c.sftp-multibyte	2013-06-20 10:46:26.050735604 +0200
+++ openssh-5.9p1/sftp.c	2013-06-20 10:46:26.237734803 +0200
+@@ -38,6 +38,7 @@
+ #ifdef HAVE_LIBGEN_H
+ #include <libgen.h>
+ #endif
+#include <locale.h>
+ #ifdef USE_LIBEDIT
+ #include <histedit.h>
+ #else
+@@ -1692,8 +1693,9 @@ complete_match(EditLine *el, struct sftp
+     char *file, int remote, int lastarg, char quote, int terminated)
+ {
+ 	glob_t g;
+-	char *tmp, *tmp2, ins[3];
+	char *tmp, *tmp2, ins[8];
+ 	u_int i, hadglob, pwdlen, len, tmplen, filelen;
+	int clen;
+ 	const LineInfo *lf;
+ 	
+ 	/* Glob from "file" location */
+@@ -1749,10 +1751,13 @@ complete_match(EditLine *el, struct sftp
+ 		tmp2 = tmp + filelen;
+ 		len = strlen(tmp2); 
+ 		/* quote argument on way out */
+-		for (i = 0; i < len; i++) {
+		for (i = 0; i < len; i += clen) {
+			if ((clen = mblen(tmp2 + i, len - i)) < 0 ||
+			    (size_t)clen > sizeof(ins) - 2)
+				fatal("invalid multibyte character");
+ 			ins[0] = '\\';
+-			ins[1] = tmp2[i];
+-			ins[2] = '\0';
+			memcpy(ins + 1, tmp2 + i, clen);
+			ins[clen + 1] = '\0';
+ 			switch (tmp2[i]) {
+ 			case '\'':
+ 			case '"':
+@@ -2099,6 +2104,7 @@ main(int argc, char **argv)
+ 
+ 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ 	sanitise_stdfd();
+	setlocale(LC_CTYPE, "");
+ 
+ 	__progname = ssh_get_progname(argv[0]);
+ 	memset(&args, '\0', sizeof(args));
--- a/openssh.spec
+++ b/openssh.spec
@ -15,10 +15,6 @@
 # Do we want to link against a static libcrypto? (1=yes 0=no)
 %define static_libcrypto 0

-# Do we want smartcard support (1=yes 0=no)
-#Smartcard support is broken from 5.4p1
-%define scard 0
-
 # Use GTK2 instead of GNOME in gnome-ssh-askpass
 %define gtk2 1

@ -57,10 +53,6 @@
 # rpm -ba|--rebuild --define "static_openssl 1"
 %{?static_openssl:%global static_libcrypto 1}

-# Options for Smartcard support: (needs libsectok and openssl-engine)
-# rpm -ba|--rebuild --define "smartcard 1"
-%{?smartcard:%global scard 1}
-
 # Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
 %define rescue 0
 %{?build_rescue:%global rescue 1}
@ -75,7 +67,7 @@

 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 5.9p1
-%define openssh_rel 26
+%define openssh_rel 30
 %define pam_ssh_agent_ver 0.9.3
 %define pam_ssh_agent_rel 1

@ -217,14 +209,18 @@ Patch800: openssh-5.9p1-gsskex.patch
 #http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
 Patch801: openssh-5.8p2-force_krb.patch

-#?
-Patch900: openssh-5.8p1-gssapi-canohost.patch
+Patch900: openssh-5.9p1-gssapi-canohost.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1780
 Patch901: openssh-5.9p1-kuserok.patch
-#---
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1604
-# sctp
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1873 => https://bugzilla.redhat.com/show_bug.cgi?id=668993
+#https://bugzilla.redhat.com/show_bug.cgi?id=841065
+Patch902: openssh-5.9p1-man-moduli.patch
+#https://bugzilla.redhat.com/show_bug.cgi?id=861818
+Patch903: openssh-5.9p1-ipqos.patch
+# change default value of MaxStartups - CVE-2010-5107 - #908707
+Patch904: openssh-5.9p1-change-max-startups.patch
+# make sftp's libedit interface marginally multibyte aware (#841771)
+Patch908: openssh-5.9p1-sftp-multibyte.patch
+

 License: BSD
 Group: Applications/Internet
@ -242,9 +238,6 @@ BuildRequires: gnome-libs-devel
 %endif
 %endif

-%if %{scard}
-BuildRequires: sharutils
-%endif
 %if %{ldap}
 BuildRequires: openldap-devel
 %endif
@ -469,6 +462,10 @@ popd

 %patch900 -p1 -b .canohost
 %patch901 -p1 -b .kuserok
+%patch902 -p1 -b .man-moduli
+%patch903 -p1 -b .ipqos
+%patch904 -p1 -b .max-startups
+%patch908 -p1 -b .sftp-multibyte

 %if 0
 # Nothing here yet
@ -520,8 +517,8 @@ fi
 	--libexecdir=%{_libexecdir}/openssh \
 	--datadir=%{_datadir}/openssh \
 	--with-tcp-wrappers \
-	--with-default-path=/usr/local/bin:/bin:/usr/bin \
-	--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
+	--with-default-path=/usr/local/bin:/usr/bin \
+	--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
 	--with-privsep-path=%{_var}/empty/sshd \
 	--enable-vendor-patchlevel="FC-%{version}-%{release}" \
 	--disable-strip \
@ -529,9 +526,6 @@ fi
 	--with-ssl-engine \
 	--with-authorized-keys-command \
 	--with-ipaddr-display \
-%if %{scard}
-	--with-smartcard \
-%endif
 %if %{ldap}
 	--with-ldap \
 %endif
@ -631,10 +625,6 @@ install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
 install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
 %endif

-%if ! %{scard}
-	rm -f $RPM_BUILD_ROOT%{_datadir}/openssh/Ssh.bin
-%endif
-
 %if ! %{no_gnome_askpass}
 ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
 install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
@ -716,10 +706,6 @@ fi
 %attr(0755,root,root) %{_libexecdir}/openssh/ctr-cavstest
 %attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
 %endif
-%if %{scard}
-%attr(0755,root,root) %dir %{_datadir}/openssh
-%attr(0644,root,root) %{_datadir}/openssh/Ssh.bin
-%endif

 %files clients
 %defattr(-,root,root)
@ -807,6 +793,22 @@ fi
 %endif

 %changelog
+* Thu Jun 20 2013 Petr Lautrbach <plautrba@redhat.com> 5.9p1-30 + 0.9.3-1
+- make sftp's libedit interface marginally multibyte aware (#841771)
+
+* Fri Feb 08 2013 Petr Lautrbach <plautrba@redhat.com> 5.9p1-29 + 0.9.3-1
+- change default value of MaxStartups - CVE-2010-5107 (#908707)
+
+* Mon Nov 26 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-28 + 0.9.3-1
+- avoid xfree(NULL) in ssh_selinux_copy_context() (#789502)
+- fix the man moduli page (#841065)
+- fix the required authentications patch (#872608)
+- fix IPQoS not being set on non-mapped v4-in-v6 addressed connections (#861818)
+
+* Wed Oct 31 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-27 + 0.9.3-1
+- don't use /bin and /sbin paths (#856590)
+- fix gssapi canohost patch (#863350)
+
 * Mon Aug 06 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-26 + 0.9.3-1
 - change SELinux context also for root user (#827109)
Author	SHA1	Message	Date
Petr Lautrbach	1385c62c25	5.9p1-30 + 0.9.3-1	2013-06-20 11:02:48 +02:00
Petr Lautrbach	adc15bb688	make sftp's libedit interface marginally multibyte aware (#841771 )	2013-06-20 10:47:09 +02:00
Petr Lautrbach	33f98c4937	5.9p1-29 + 0.9.3-1	2013-02-08 16:02:30 +01:00
Petr Lautrbach	43a679b047	change default value of MaxStartups - CVE-2010-5107 - #908707	2013-02-08 16:01:23 +01:00
Petr Lautrbach	86d8dd4628	5.9p1-28 + 0.9.3-1	2012-11-26 16:51:43 +01:00
Petr Lautrbach	a09799e377	Fix IPQoS not being set on non-mapped v4-in-v6 addressed connections (#861818 )	2012-11-26 16:18:50 +01:00
Petr Lautrbach	460af950e1	fix the required authentications patch (#872608 )	2012-11-26 15:44:45 +01:00
Petr Lautrbach	5442ee7f31	fix the man moduli page (#841065 )	2012-11-06 10:07:54 +01:00
Petr Lautrbach	9c823ca43b	avoid xfree(NULL) in ssh_selinux_copy_context() (#789502 )	2012-11-05 16:37:05 +01:00
Petr Lautrbach	466615c721	5.9p1-27 + 0.9.3-1	2012-10-31 16:59:51 +01:00
Petr Lautrbach	5c5980005f	fix gssapi canohost patch (#863350 )	2012-10-31 16:48:51 +01:00
Petr Lautrbach	20d52ca62c	smartcard support is replaced with PKCS#11 support already in 5.4p1 https://bugzilla.mindrot.org/show_bug.cgi?id=1371	2012-10-31 16:39:43 +01:00
Petr Lautrbach	ffc52de0e8	don't use /bin and /sbin paths (#856590 )	2012-10-31 16:38:43 +01:00