Author | SHA1 | Date | |
---|---|---|---|
|
4876dc6ab0 | ||
|
0448100670 | ||
|
5954d73faa | ||
|
b37b826145 | ||
|
3ca3052f06 | ||
|
ad6603eba2 | ||
|
127005d32c | ||
|
ec4f6e20cd | ||
|
882868f701 | ||
|
ae736694aa | ||
|
17e5a39640 | ||
|
523b551229 | ||
|
ac82bdc72a | ||
|
5188d21f8c | ||
|
842f17a54e |
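--- /dev/null
+++ b/openssh-5618210618256bbf5f4f71b2887ff186fd451736.patch
@@ -0,0 +1,162 @@
+From 5618210618256bbf5f4f71b2887ff186fd451736 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Sun, 20 Apr 2014 13:44:47 +1000
+Subject: [PATCH] - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c
+version.h] OpenSSH 6.5 and 6.6 sometimes encode a value used in the
+curve25519 key exchange incorrectly, causing connection failures about
+0.2% of the time when this method is used against a peer that implements
+the method properly.
+
+Fix the problem and disable the curve25519 KEX when speaking to
+OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1
+to enable the compatability code.
+---
+ChangeLog | 11 +++++++++++
+bufaux.c | 5 ++++-
+compat.c | 17 ++++++++++++++++-
+compat.h | 2 ++
+sshconnect2.c | 2 ++
+sshd.c | 3 +++
+version.h | 2 +-
+7 files changed, 39 insertions(+), 3 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 9c59cc4..60f181a 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,14 @@
++20140420
++ - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c version.h]
++ OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519
++ key exchange incorrectly, causing connection failures about 0.2% of
++ the time when this method is used against a peer that implements
++ the method properly.
++
++ Fix the problem and disable the curve25519 KEX when speaking to
++ OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1
++ to enable the compatability code.
++
+20140313
+- (djm) Release OpenSSH 6.6
+
+diff --git a/bufaux.c b/bufaux.c
+index e24b5fc..f6a6f2a 100644
+--- a/bufaux.c
++++ b/bufaux.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
++/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
+/*
+* Author: Tatu Ylonen <ylo@cs.hut.fi>
+* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l)
+
+if (l > 8 * 1024)
+fatal("%s: length %u too long", __func__, l);
++ /* Skip leading zero bytes */
++ for (; l > 0 && *s == 0; l--, s++)
++ ;
+p = buf = xmalloc(l + 1);
+/*
+* If most significant bit is set then prepend a zero byte to
+diff --git a/compat.c b/compat.c
+index 9d9fabe..2709dc5 100644
+--- a/compat.c
++++ b/compat.c
+@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
+{ "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
+{ "OpenSSH_4*", 0 },
+{ "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
++ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH},
++ { "OpenSSH_6.5*,"
++ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
+{ "OpenSSH*", SSH_NEW_OPENSSH },
+{ "*MindTerm*", 0 },
+{ "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop)
+return cipher_prop;
+}
+
+-
+char *
+compat_pkalg_proposal(char *pkalg_prop)
+{
+@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop)
+return pkalg_prop;
+}
+
++char *
++compat_kex_proposal(char *kex_prop)
++{
++ if (!(datafellows & SSH_BUG_CURVE25519PAD))
++ return kex_prop;
++ debug2("%s: original KEX proposal: %s", __func__, kex_prop);
++ kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
++ debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
++ if (*kex_prop == '\0')
++ fatal("No supported key exchange algorithms found");
++ return kex_prop;
++}
++
+diff --git a/compat.h b/compat.h
+index b174fa1..a6c3f3d 100644
+--- a/compat.h
++++ b/compat.h
+@@ -59,6 +59,7 @@
+#define SSH_BUG_RFWD_ADDR 0x02000000
+#define SSH_NEW_OPENSSH 0x04000000
+#define SSH_BUG_DYNAMIC_RPORT 0x08000000
++#define SSH_BUG_CURVE25519PAD 0x10000000
+
+void enable_compat13(void);
+void enable_compat20(void);
+@@ -66,6 +67,7 @@ void compat_datafellows(const char *);
+int proto_spec(const char *);
+char *compat_cipher_proposal(char *);
+char *compat_pkalg_proposal(char *);
++char *compat_kex_proposal(char *);
+
+extern int compat13;
+extern int compat20;
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 7f4ff41..ec3ad6a 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -195,6 +195,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+}
+if (options.kex_algorithms != NULL)
+myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++ myproposal[PROPOSAL_KEX_ALGS]);
+
+if (options.rekey_limit || options.rekey_interval)
+packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+diff --git a/sshd.c b/sshd.c
+index 7523de9..e9084b7 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -2462,6 +2462,9 @@ do_ssh2_kex(void)
+if (options.kex_algorithms != NULL)
+myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+
++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++ myproposal[PROPOSAL_KEX_ALGS]);
++
+if (options.rekey_limit || options.rekey_interval)
+packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+(time_t)options.rekey_interval);
+diff --git a/version.h b/version.h
+index a1579ac..a33e77c 100644
+--- a/version.h
++++ b/version.h
+@@ -1,6 +1,6 @@
+/* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
+
+-#define SSH_VERSION "OpenSSH_6.6"
++#define SSH_VERSION "OpenSSH_6.6.1"
+
+#define SSH_PORTABLE "p1"
+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+--
+1.8.3.1
+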
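Review bot: The new `compat_datafellows` rows in the embedded compat.c hunk, `{ "OpenSSH_6.6.1*", SSH_NEW_OPENSSH}` placed before the `"OpenSSH_6.5*," "OpenSSH_6.6*"` row, appear to depend on first-match table order (the lookup loop itself is outside the hunk), and nothing says so; a later reorder would make 6.6.1 fall into the 6.6* row and re-enable the workaround against the fixed version, so I would add `/* must precede the 6.5/6.6 row: first match wins and 6.6.1 carries the fix */` above the 6.6.1 entry. The match is made on the peer's version banner, which is not authenticated, so any peer advertising OpenSSH_6.5 or 6.6 can make `compat_kex_proposal` drop curve25519-sha256@libssh.org from the local proposal; that is inherent to this kind of workaround, but a one-line comment on `compat_kex_proposal` saying the flag is banner-driven would help whoever audits KEX selection later. Separately, the openssh.spec change in this same compare points Source0 at a 20150617 snapshot of 6.9p1, which postdates this April 2014 upstream commit, and no Patch:/%patch line referencing this file is visible on the spec's new side, so as far as the visible lines show the file is added but never applied.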
400
openssh.spec
400
openssh.spec
@ -1,10 +1,3 @@
|
|||||||
# Do we want SELinux & Audit
|
|
||||||
%if 0%{?!noselinux:1}
|
|
||||||
%define WITH_SELINUX 1
|
|
||||||
%else
|
|
||||||
%define WITH_SELINUX 0
|
|
||||||
%endif
|
|
||||||
|
|
||||||
# OpenSSH privilege separation requires a user & group ID
|
# OpenSSH privilege separation requires a user & group ID
|
||||||
%define sshd_uid 74
|
%define sshd_uid 74
|
||||||
%define sshd_gid 74
|
%define sshd_gid 74
|
||||||
@ -12,74 +5,31 @@
|
|||||||
# Do we want to disable building of gnome-askpass? (1=yes 0=no)
|
# Do we want to disable building of gnome-askpass? (1=yes 0=no)
|
||||||
%define no_gnome_askpass 0
|
%define no_gnome_askpass 0
|
||||||
|
|
||||||
# Do we want to link against a static libcrypto? (1=yes 0=no)
|
|
||||||
%define static_libcrypto 0
|
|
||||||
|
|
||||||
# Use GTK2 instead of GNOME in gnome-ssh-askpass
|
# Use GTK2 instead of GNOME in gnome-ssh-askpass
|
||||||
%define gtk2 1
|
%define gtk2 1
|
||||||
|
|
||||||
# Build position-independent executables (requires toolchain support)?
|
|
||||||
%define pie 1
|
|
||||||
|
|
||||||
# Do we want kerberos5 support (1=yes 0=no)
|
|
||||||
%define kerberos5 1
|
|
||||||
|
|
||||||
# Do we want libedit support
|
# Do we want libedit support
|
||||||
%define libedit 1
|
%define libedit 1
|
||||||
|
|
||||||
# Do we want LDAP support
|
|
||||||
%define ldap 1
|
|
||||||
|
|
||||||
# Whether to build pam_ssh_agent_auth
|
|
||||||
%if 0%{?!nopam:1}
|
|
||||||
%define pam_ssh_agent 1
|
|
||||||
%else
|
|
||||||
%define pam_ssh_agent 0
|
|
||||||
%endif
|
|
||||||
|
|
||||||
# Reserve options to override askpass settings with:
|
# Reserve options to override askpass settings with:
|
||||||
# rpm -ba|--rebuild --define 'skip_xxx 1'
|
# rpm -ba|--rebuild --define 'skip_xxx 1'
|
||||||
%{?skip_gnome_askpass:%global no_gnome_askpass 1}
|
%{?skip_gnome_askpass:%global no_gnome_askpass 1}
|
||||||
|
|
||||||
# Add option to build without GTK2 for older platforms with only GTK+.
|
%define openssh_ver 6.9p1
|
||||||
# Red Hat Linux <= 7.2 and Red Hat Advanced Server 2.1 are examples.
|
%define openssh_rel 0
|
||||||
# rpm -ba|--rebuild --define 'no_gtk2 1'
|
%define snap 20150617
|
||||||
%{?no_gtk2:%global gtk2 0}
|
|
||||||
|
|
||||||
# Options for static OpenSSL link:
|
|
||||||
# rpm -ba|--rebuild --define "static_openssl 1"
|
|
||||||
%{?static_openssl:%global static_libcrypto 1}
|
|
||||||
|
|
||||||
# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
|
|
||||||
%define rescue 0
|
|
||||||
%{?build_rescue:%global rescue 1}
|
|
||||||
%{?build_rescue:%global rescue_rel rescue}
|
|
||||||
|
|
||||||
# Turn off some stuff for resuce builds
|
|
||||||
%if %{rescue}
|
|
||||||
%define kerberos5 0
|
|
||||||
%define libedit 0
|
|
||||||
%define pam_ssh_agent 0
|
|
||||||
%endif
|
|
||||||
|
|
||||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
|
||||||
%define openssh_ver 6.4p1
|
|
||||||
%define openssh_rel 3
|
|
||||||
%define pam_ssh_agent_ver 0.9.3
|
|
||||||
%define pam_ssh_agent_rel 1
|
|
||||||
|
|
||||||
Summary: An open source implementation of SSH protocol versions 1 and 2
|
Summary: An open source implementation of SSH protocol versions 1 and 2
|
||||||
Name: openssh
|
Name: openssh
|
||||||
Version: %{openssh_ver}
|
Version: %{openssh_ver}
|
||||||
Release: %{openssh_rel}%{?dist}%{?rescue_rel}
|
Release: %{openssh_rel}.%{snap}%{?dist}
|
||||||
URL: http://www.openssh.com/portable.html
|
URL: http://www.openssh.com/portable.html
|
||||||
#URL1: http://pamsshagentauth.sourceforge.net
|
#URL1: http://pamsshagentauth.sourceforge.net
|
||||||
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||||
|
Source0: http://www.mindrot.org/openssh_snap/openssh-SNAP-%{snap}.tar.gz
|
||||||
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
|
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
|
||||||
Source2: sshd.pam
|
Source2: sshd.pam
|
||||||
Source3: sshd.init
|
Source3: sshd.init
|
||||||
Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.bz2
|
|
||||||
Source5: pam_ssh_agent-rmheaders
|
|
||||||
Source6: ssh-keycat.pam
|
Source6: ssh-keycat.pam
|
||||||
Source7: sshd.sysconfig
|
Source7: sshd.sysconfig
|
||||||
Source9: sshd@.service
|
Source9: sshd@.service
|
||||||
@ -87,112 +37,10 @@ Source10: sshd.socket
|
|||||||
Source11: sshd.service
|
Source11: sshd.service
|
||||||
Source12: sshd-keygen.service
|
Source12: sshd-keygen.service
|
||||||
Source13: sshd-keygen
|
Source13: sshd-keygen
|
||||||
|
Source14: sshd_config
|
||||||
# Internal debug
|
|
||||||
Patch0: openssh-5.9p1-wIm.patch
|
|
||||||
|
|
||||||
#?
|
|
||||||
Patch100: openssh-6.3p1-coverity.patch
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1872
|
|
||||||
Patch101: openssh-6.3p1-fingerprint.patch
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1894
|
|
||||||
#https://bugzilla.redhat.com/show_bug.cgi?id=735889
|
|
||||||
Patch102: openssh-5.8p1-getaddrinfo.patch
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1889
|
|
||||||
Patch103: openssh-5.8p1-packet.patch
|
|
||||||
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
|
|
||||||
Patch200: openssh-6.4p1-audit.patch
|
|
||||||
|
|
||||||
# --- pam_ssh-agent ---
|
|
||||||
# make it build reusing the openssh sources
|
|
||||||
Patch300: pam_ssh_agent_auth-0.9.3-build.patch
|
|
||||||
# check return value of seteuid()
|
|
||||||
Patch301: pam_ssh_agent_auth-0.9.2-seteuid.patch
|
|
||||||
# explicitly make pam callbacks visible
|
|
||||||
Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch
|
|
||||||
# don't use xfree (#1024965)
|
|
||||||
Patch303: pam_ssh_agent_auth-0.9.3-no-xfree.patch
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
|
|
||||||
Patch400: openssh-6.3p1-role-mls.patch
|
|
||||||
#https://bugzilla.redhat.com/show_bug.cgi?id=781634
|
|
||||||
Patch404: openssh-6.3p1-privsep-selinux.patch
|
|
||||||
|
|
||||||
#?-- unwanted child :(
|
|
||||||
Patch501: openssh-6.3p1-ldap.patch
|
|
||||||
#?
|
|
||||||
Patch502: openssh-6.3p1-keycat.patch
|
|
||||||
|
|
||||||
#http6://bugzilla.mindrot.org/show_bug.cgi?id=1644
|
|
||||||
Patch601: openssh-5.2p1-allow-ip-opts.patch
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1701
|
|
||||||
Patch602: openssh-5.9p1-randclean.patch
|
|
||||||
#http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/ssh/Attic/sftp-glob.c.diff?r1=1.13&r2=1.13.12.1&f=h
|
|
||||||
Patch603: openssh-5.8p1-glob.patch
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1893
|
|
||||||
Patch604: openssh-5.8p1-keyperm.patch
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1329 (WONTFIX)
|
|
||||||
Patch605: openssh-5.8p2-remove-stale-control-socket.patch
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1925
|
|
||||||
Patch606: openssh-5.9p1-ipv6man.patch
|
|
||||||
#?
|
|
||||||
Patch607: openssh-5.8p2-sigpipe.patch
|
|
||||||
#?
|
|
||||||
Patch608: openssh-6.1p1-askpass-ld.patch
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1789
|
|
||||||
Patch609: openssh-5.5p1-x11.patch
|
|
||||||
|
|
||||||
#?
|
|
||||||
Patch700: openssh-6.3p1-fips.patch
|
|
||||||
#?
|
|
||||||
Patch701: openssh-5.6p1-exit-deadlock.patch
|
|
||||||
#?
|
|
||||||
Patch702: openssh-5.1p1-askpass-progress.patch
|
|
||||||
#?
|
|
||||||
Patch703: openssh-4.3p2-askpass-grab-info.patch
|
|
||||||
#?
|
|
||||||
Patch704: openssh-5.9p1-edns.patch
|
|
||||||
#?
|
|
||||||
Patch705: openssh-5.1p1-scp-manpage.patch
|
|
||||||
#?
|
|
||||||
Patch706: openssh-5.8p1-localdomain.patch
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
|
|
||||||
Patch707: openssh-6.3p1-redhat.patch
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
|
|
||||||
Patch708: openssh-6.2p1-entropy.patch
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
|
|
||||||
Patch709: openssh-6.2p1-vendor.patch
|
|
||||||
# warn users for unsupported UsePAM=no (#757545)
|
|
||||||
Patch711: openssh-6.1p1-log-usepam-no.patch
|
|
||||||
# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
|
|
||||||
Patch712: openssh-6.3p1-ctr-evp-fast.patch
|
|
||||||
# add cavs test binary for the aes-ctr
|
|
||||||
Patch713: openssh-6.3p1-ctr-cavstest.patch
|
|
||||||
|
|
||||||
|
|
||||||
#http://www.sxw.org.uk/computing/patches/openssh.html
|
|
||||||
#changed cache storage type - #848228
|
|
||||||
Patch800: openssh-6.3p1-gsskex.patch
|
|
||||||
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
|
|
||||||
Patch801: openssh-6.3p1-force_krb.patch
|
|
||||||
Patch900: openssh-6.1p1-gssapi-canohost.patch
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
|
|
||||||
Patch901: openssh-6.3p1-kuserok.patch
|
|
||||||
# use default_ccache_name from /etc/krb5.conf (#991186)
|
|
||||||
Patch902: openssh-6.3p1-krb5-use-default_ccache_name.patch
|
|
||||||
# increase the size of the Diffie-Hellman groups (#1010607)
|
|
||||||
Patch903: openssh-6.3p1-increase-size-of-DF-groups.patch
|
|
||||||
# FIPS mode - adjust the key echange DH groups and ssh-keygen according to SP800-131A (#1001748)
|
|
||||||
Patch904: openssh-6.4p1-FIPS-mode-SP800-131A.patch
|
|
||||||
# Run ssh-copy-id in the legacy mode when SSH_COPY_ID_LEGACY variable is set (#969375
|
|
||||||
Patch905: openssh-6.4p1-legacy-ssh-copy-id.patch
|
|
||||||
# Use tty allocation for a remote scp (#985650)
|
|
||||||
Patch906: openssh-6.4p1-fromto-remote.patch
|
|
||||||
|
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
Group: Applications/Internet
|
Group: Applications/Internet
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
|
||||||
Requires: /sbin/nologin
|
Requires: /sbin/nologin
|
||||||
Obsoletes: openssh-clients-fips, openssh-server-fips
|
Obsoletes: openssh-clients-fips, openssh-server-fips
|
||||||
|
|
||||||
@ -205,32 +53,22 @@ BuildRequires: gnome-libs-devel
|
|||||||
%endif
|
%endif
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{ldap}
|
|
||||||
BuildRequires: openldap-devel
|
|
||||||
%endif
|
|
||||||
BuildRequires: autoconf, automake, perl, zlib-devel
|
BuildRequires: autoconf, automake, perl, zlib-devel
|
||||||
BuildRequires: audit-libs-devel >= 2.0.5
|
BuildRequires: audit-libs-devel >= 2.0.5
|
||||||
BuildRequires: util-linux, groff
|
BuildRequires: util-linux, groff
|
||||||
BuildRequires: pam-devel
|
BuildRequires: pam-devel
|
||||||
BuildRequires: tcp_wrappers-devel
|
BuildRequires: tcp_wrappers-devel
|
||||||
BuildRequires: fipscheck-devel >= 1.3.0
|
|
||||||
BuildRequires: openssl-devel >= 0.9.8j
|
BuildRequires: openssl-devel >= 0.9.8j
|
||||||
BuildRequires: perl-podlators
|
|
||||||
|
|
||||||
%if %{kerberos5}
|
|
||||||
BuildRequires: krb5-devel
|
BuildRequires: krb5-devel
|
||||||
%endif
|
|
||||||
|
|
||||||
%if %{libedit}
|
%if %{libedit}
|
||||||
BuildRequires: libedit-devel ncurses-devel
|
BuildRequires: libedit-devel ncurses-devel
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{WITH_SELINUX}
|
|
||||||
Requires: libselinux >= 1.27.7
|
Requires: libselinux >= 1.27.7
|
||||||
BuildRequires: libselinux-devel >= 1.27.7
|
BuildRequires: libselinux-devel >= 1.27.7
|
||||||
Requires: audit-libs >= 1.0.8
|
Requires: audit-libs >= 1.0.8
|
||||||
BuildRequires: audit-libs >= 1.0.8
|
BuildRequires: audit-libs >= 1.0.8
|
||||||
%endif
|
|
||||||
|
|
||||||
BuildRequires: xauth
|
BuildRequires: xauth
|
||||||
|
|
||||||
@ -238,7 +76,6 @@ BuildRequires: xauth
|
|||||||
Summary: An open source SSH client applications
|
Summary: An open source SSH client applications
|
||||||
Group: Applications/Internet
|
Group: Applications/Internet
|
||||||
Requires: openssh = %{version}-%{release}
|
Requires: openssh = %{version}-%{release}
|
||||||
Requires: fipscheck-lib%{_isa} >= 1.3.0
|
|
||||||
|
|
||||||
%package server
|
%package server
|
||||||
Summary: An open source SSH server daemon
|
Summary: An open source SSH server daemon
|
||||||
@ -246,34 +83,19 @@ Group: System Environment/Daemons
|
|||||||
Requires: openssh = %{version}-%{release}
|
Requires: openssh = %{version}-%{release}
|
||||||
Requires(pre): /usr/sbin/useradd
|
Requires(pre): /usr/sbin/useradd
|
||||||
Requires: pam >= 1.0.1-3
|
Requires: pam >= 1.0.1-3
|
||||||
Requires: fipscheck-lib%{_isa} >= 1.3.0
|
%if 0%{?fedora}
|
||||||
|
%if 0%{?rhel} > 6
|
||||||
Requires(post): systemd-units
|
Requires(post): systemd-units
|
||||||
Requires(preun): systemd-units
|
Requires(preun): systemd-units
|
||||||
Requires(postun): systemd-units
|
Requires(postun): systemd-units
|
||||||
|
%endif
|
||||||
# Not yet ready
|
%endif
|
||||||
# %package server-ondemand
|
|
||||||
# Summary: Systemd unit file to run an ondemand OpenSSH server
|
|
||||||
# Group: System Environment/Daemons
|
|
||||||
# Requires: %{name}-server%{?_isa} = %{version}-%{release}
|
|
||||||
|
|
||||||
%package server-sysvinit
|
%package server-sysvinit
|
||||||
Summary: The SysV initscript to manage the OpenSSH server.
|
Summary: The SysV initscript to manage the OpenSSH server.
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
Requires: %{name}-server%{?_isa} = %{version}-%{release}
|
Requires: %{name}-server%{?_isa} = %{version}-%{release}
|
||||||
|
|
||||||
%if %{ldap}
|
|
||||||
%package ldap
|
|
||||||
Summary: A LDAP support for open source SSH server daemon
|
|
||||||
Requires: openssh = %{version}-%{release}
|
|
||||||
Group: System Environment/Daemons
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%package keycat
|
|
||||||
Summary: A mls keycat backend for openssh
|
|
||||||
Requires: openssh = %{version}-%{release}
|
|
||||||
Group: System Environment/Daemons
|
|
||||||
|
|
||||||
%package askpass
|
%package askpass
|
||||||
Summary: A passphrase dialog for OpenSSH and X
|
Summary: A passphrase dialog for OpenSSH and X
|
||||||
Group: Applications/Internet
|
Group: Applications/Internet
|
||||||
@ -281,13 +103,6 @@ Requires: openssh = %{version}-%{release}
|
|||||||
Obsoletes: openssh-askpass-gnome
|
Obsoletes: openssh-askpass-gnome
|
||||||
Provides: openssh-askpass-gnome
|
Provides: openssh-askpass-gnome
|
||||||
|
|
||||||
%package -n pam_ssh_agent_auth
|
|
||||||
Summary: PAM module for authentication with ssh-agent
|
|
||||||
Group: System Environment/Base
|
|
||||||
Version: %{pam_ssh_agent_ver}
|
|
||||||
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}
|
|
||||||
License: BSD
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
SSH (Secure SHell) is a program for logging into and executing
|
SSH (Secure SHell) is a program for logging into and executing
|
||||||
commands on a remote machine. SSH is intended to replace rlogin and
|
commands on a remote machine. SSH is intended to replace rlogin and
|
||||||
@ -321,116 +136,18 @@ SysV-compatible init system.
|
|||||||
|
|
||||||
It is not required when the init system used is systemd.
|
It is not required when the init system used is systemd.
|
||||||
|
|
||||||
%if %{ldap}
|
|
||||||
%description ldap
|
|
||||||
OpenSSH LDAP backend is a way how to distribute the authorized tokens
|
|
||||||
among the servers in the network.
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%description keycat
|
|
||||||
OpenSSH mls keycat is backend for using the authorized keys in the
|
|
||||||
openssh in the mls mode.
|
|
||||||
|
|
||||||
%description askpass
|
%description askpass
|
||||||
OpenSSH is a free version of SSH (Secure SHell), a program for logging
|
OpenSSH is a free version of SSH (Secure SHell), a program for logging
|
||||||
into and executing commands on a remote machine. This package contains
|
into and executing commands on a remote machine. This package contains
|
||||||
an X11 passphrase dialog for OpenSSH.
|
an X11 passphrase dialog for OpenSSH.
|
||||||
|
|
||||||
%description -n pam_ssh_agent_auth
|
|
||||||
This package contains a PAM module which can be used to authenticate
|
|
||||||
users using ssh keys stored in a ssh-agent. Through the use of the
|
|
||||||
forwarding of ssh-agent connection it also allows to authenticate with
|
|
||||||
remote ssh-agent instance.
|
|
||||||
|
|
||||||
The module is most useful for su and sudo service stacks.
|
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -a 4
|
%setup -q -n openssh
|
||||||
#Do not enable by default
|
|
||||||
%if 0
|
|
||||||
%patch0 -p1 -b .wIm
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%patch100 -p1 -b .coverity
|
|
||||||
%patch101 -p1 -b .fingerprint
|
|
||||||
%patch102 -p1 -b .getaddrinfo
|
|
||||||
%patch103 -p1 -b .packet
|
|
||||||
|
|
||||||
%patch200 -p1 -b .audit
|
|
||||||
|
|
||||||
%if %{pam_ssh_agent}
|
|
||||||
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
|
||||||
%patch300 -p1 -b .psaa-build
|
|
||||||
%patch301 -p1 -b .psaa-seteuid
|
|
||||||
%patch302 -p1 -b .psaa-visibility
|
|
||||||
%patch303 -p1 -b .psaa-xfree
|
|
||||||
# Remove duplicate headers
|
|
||||||
rm -f $(cat %{SOURCE5})
|
|
||||||
popd
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%if %{WITH_SELINUX}
|
|
||||||
%patch400 -p1 -b .role-mls
|
|
||||||
%patch404 -p1 -b .privsep-selinux
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%if %{ldap}
|
|
||||||
%patch501 -p1 -b .ldap
|
|
||||||
%endif
|
|
||||||
%patch502 -p1 -b .keycat
|
|
||||||
|
|
||||||
%patch601 -p1 -b .ip-opts
|
|
||||||
%patch602 -p1 -b .randclean
|
|
||||||
%patch603 -p1 -b .glob
|
|
||||||
%patch604 -p1 -b .keyperm
|
|
||||||
%patch605 -p1 -b .remove_stale
|
|
||||||
%patch606 -p1 -b .ipv6man
|
|
||||||
%patch607 -p1 -b .sigpipe
|
|
||||||
%patch608 -p1 -b .askpass-ld
|
|
||||||
%patch609 -p1 -b .x11
|
|
||||||
|
|
||||||
%patch700 -p1 -b .fips
|
|
||||||
%patch701 -p1 -b .exit-deadlock
|
|
||||||
%patch702 -p1 -b .progress
|
|
||||||
%patch703 -p1 -b .grab-info
|
|
||||||
%patch704 -p1 -b .edns
|
|
||||||
%patch705 -p1 -b .manpage
|
|
||||||
%patch706 -p1 -b .localdomain
|
|
||||||
%patch707 -p1 -b .redhat
|
|
||||||
%patch708 -p1 -b .entropy
|
|
||||||
%patch709 -p1 -b .vendor
|
|
||||||
%patch711 -p1 -b .log-usepam-no
|
|
||||||
%patch712 -p1 -b .evp-ctr
|
|
||||||
%patch713 -p1 -b .ctr-cavs
|
|
||||||
|
|
||||||
%patch800 -p1 -b .gsskex
|
|
||||||
%patch801 -p1 -b .force_krb
|
|
||||||
|
|
||||||
%patch900 -p1 -b .canohost
|
|
||||||
%patch901 -p1 -b .kuserok
|
|
||||||
%patch902 -p1 -b .ccache_name
|
|
||||||
%patch903 -p1 -b .dh
|
|
||||||
%patch904 -p1 -b .SP800-131A
|
|
||||||
%patch905 -p1 -b .legacy-ssh-copy-id
|
|
||||||
%patch906 -p1 -b .fromto-remote
|
|
||||||
|
|
||||||
%if 0
|
|
||||||
# Nothing here yet
|
|
||||||
%endif
|
|
||||||
|
|
||||||
autoreconf
|
|
||||||
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
|
||||||
autoreconf
|
|
||||||
popd
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# the -fvisibility=hidden is needed for clean build of the pam_ssh_agent_auth
|
# the -fvisibility=hidden is needed for clean build of the pam_ssh_agent_auth
|
||||||
# and it makes the ssh build more clean and even optimized better
|
# and it makes the ssh build more clean and even optimized better
|
||||||
CFLAGS="$RPM_OPT_FLAGS -fvisibility=hidden"; export CFLAGS
|
CFLAGS="$RPM_OPT_FLAGS -fvisibility=hidden"; export CFLAGS
|
||||||
%if %{rescue}
|
|
||||||
CFLAGS="$CFLAGS -Os"
|
|
||||||
%endif
|
|
||||||
%if %{pie}
|
|
||||||
%ifarch s390 s390x sparc sparcv9 sparc64
|
%ifarch s390 s390x sparc sparcv9 sparc64
|
||||||
CFLAGS="$CFLAGS -fPIC"
|
CFLAGS="$CFLAGS -fPIC"
|
||||||
%else
|
%else
|
||||||
@ -442,8 +159,6 @@ LDFLAGS="$LDFLAGS -pie -z relro -z now"
|
|||||||
export CFLAGS
|
export CFLAGS
|
||||||
export LDFLAGS
|
export LDFLAGS
|
||||||
|
|
||||||
%endif
|
|
||||||
%if %{kerberos5}
|
|
||||||
if test -r /etc/profile.d/krb5-devel.sh ; then
|
if test -r /etc/profile.d/krb5-devel.sh ; then
|
||||||
source /etc/profile.d/krb5-devel.sh
|
source /etc/profile.d/krb5-devel.sh
|
||||||
fi
|
fi
|
||||||
@ -457,7 +172,6 @@ else
|
|||||||
CPPFLAGS="-I%{_includedir}/gssapi"; export CPPFLAGS
|
CPPFLAGS="-I%{_includedir}/gssapi"; export CPPFLAGS
|
||||||
CFLAGS="$CFLAGS -I%{_includedir}/gssapi"
|
CFLAGS="$CFLAGS -I%{_includedir}/gssapi"
|
||||||
fi
|
fi
|
||||||
%endif
|
|
||||||
|
|
||||||
%configure \
|
%configure \
|
||||||
--sysconfdir=%{_sysconfdir}/ssh \
|
--sysconfdir=%{_sysconfdir}/ssh \
|
||||||
@ -472,15 +186,7 @@ fi
|
|||||||
--without-zlib-version-check \
|
--without-zlib-version-check \
|
||||||
--with-ssl-engine \
|
--with-ssl-engine \
|
||||||
--with-ipaddr-display \
|
--with-ipaddr-display \
|
||||||
%if %{ldap}
|
|
||||||
--with-ldap \
|
|
||||||
%endif
|
|
||||||
%if %{rescue}
|
|
||||||
--without-pam \
|
|
||||||
%else
|
|
||||||
--with-pam \
|
--with-pam \
|
||||||
%endif
|
|
||||||
%if %{WITH_SELINUX}
|
|
||||||
--with-selinux --with-audit=linux \
|
--with-selinux --with-audit=linux \
|
||||||
%if 0
|
%if 0
|
||||||
#seccomp_filter cannot be build right now
|
#seccomp_filter cannot be build right now
|
||||||
@ -488,22 +194,13 @@ fi
|
|||||||
%else
|
%else
|
||||||
--with-sandbox=rlimit \
|
--with-sandbox=rlimit \
|
||||||
%endif
|
%endif
|
||||||
%endif
|
|
||||||
%if %{kerberos5}
|
|
||||||
--with-kerberos5${krb5_prefix:+=${krb5_prefix}} \
|
--with-kerberos5${krb5_prefix:+=${krb5_prefix}} \
|
||||||
%else
|
|
||||||
--without-kerberos5 \
|
|
||||||
%endif
|
|
||||||
%if %{libedit}
|
%if %{libedit}
|
||||||
--with-libedit
|
--with-libedit
|
||||||
%else
|
%else
|
||||||
--without-libedit
|
--without-libedit
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{static_libcrypto}
|
|
||||||
perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
|
|
||||||
%endif
|
|
||||||
|
|
||||||
make
|
make
|
||||||
|
|
||||||
# Define a variable to toggle gnome1/gtk2 building. This is necessary
|
# Define a variable to toggle gnome1/gtk2 building. This is necessary
|
||||||
@ -526,20 +223,11 @@ fi
|
|||||||
popd
|
popd
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{pam_ssh_agent}
|
|
||||||
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
|
||||||
LDFLAGS="$SAVE_LDFLAGS"
|
|
||||||
%configure --with-selinux --libexecdir=/%{_libdir}/security --with-mantype=man
|
|
||||||
make
|
|
||||||
popd
|
|
||||||
%endif
|
|
||||||
|
|
||||||
# Add generation of HMAC checksums of the final stripped binaries
|
# Add generation of HMAC checksums of the final stripped binaries
|
||||||
%define __spec_install_post \
|
%define __spec_install_post \
|
||||||
%{?__debug_package:%{__debug_install_post}} \
|
%{?__debug_package:%{__debug_install_post}} \
|
||||||
%{__arch_install_post} \
|
%{__arch_install_post} \
|
||||||
%{__os_install_post} \
|
%{__os_install_post} \
|
||||||
fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/ssh $RPM_BUILD_ROOT%{_sbindir}/sshd \
|
|
||||||
%{nil}
|
%{nil}
|
||||||
|
|
||||||
%check
|
%check
|
||||||
@ -560,17 +248,18 @@ install -d $RPM_BUILD_ROOT/etc/pam.d/
|
|||||||
install -d $RPM_BUILD_ROOT/etc/sysconfig/
|
install -d $RPM_BUILD_ROOT/etc/sysconfig/
|
||||||
install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
|
install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
|
||||||
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
|
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
|
||||||
install -d $RPM_BUILD_ROOT%{_libdir}/fipscheck
|
|
||||||
install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
|
install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
|
||||||
install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
|
|
||||||
install -m755 %{SOURCE3} $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
|
install -m755 %{SOURCE3} $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
|
||||||
install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
|
install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
|
||||||
|
install -m644 %{SOURCE14} $RPM_BUILD_ROOT/etc/ssh/sshd_config
|
||||||
install -m755 %{SOURCE13} $RPM_BUILD_ROOT/%{_sbindir}/sshd-keygen
|
install -m755 %{SOURCE13} $RPM_BUILD_ROOT/%{_sbindir}/sshd-keygen
|
||||||
|
%if 0%{?fedora} || 0%{?rhel} > 6
|
||||||
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
|
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
|
||||||
install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
|
install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
|
||||||
install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
|
install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
|
||||||
install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
|
install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
|
||||||
install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.service
|
install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.service
|
||||||
|
%endif
|
||||||
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
|
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
|
||||||
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
|
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
|
||||||
|
|
||||||
@ -591,11 +280,6 @@ rm -f $RPM_BUILD_ROOT/etc/profile.d/gnome-ssh-askpass.*
|
|||||||
|
|
||||||
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
|
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
|
||||||
|
|
||||||
%if %{pam_ssh_agent}
|
|
||||||
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
|
||||||
make install DESTDIR=$RPM_BUILD_ROOT
|
|
||||||
popd
|
|
||||||
%endif
|
|
||||||
%clean
|
%clean
|
||||||
rm -rf $RPM_BUILD_ROOT
|
rm -rf $RPM_BUILD_ROOT
|
||||||
|
|
||||||
@ -608,6 +292,7 @@ getent passwd sshd >/dev/null || \
|
|||||||
useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
|
useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
|
||||||
-s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
|
-s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
|
||||||
|
|
||||||
|
%if 0%{?fedora} || 0%{?rhel} > 6
|
||||||
%post server
|
%post server
|
||||||
%systemd_post sshd.service sshd.socket
|
%systemd_post sshd.service sshd.socket
|
||||||
|
|
||||||
@ -628,33 +313,29 @@ getent passwd sshd >/dev/null || \
|
|||||||
|
|
||||||
%triggerpostun -n openssh-server-sysvinit -- openssh-server < 5.8p2-12
|
%triggerpostun -n openssh-server-sysvinit -- openssh-server < 5.8p2-12
|
||||||
/sbin/chkconfig --add sshd >/dev/null 2>&1 || :
|
/sbin/chkconfig --add sshd >/dev/null 2>&1 || :
|
||||||
|
%endif
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns TODO
|
%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns TODO
|
||||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
|
||||||
%if ! %{rescue}
|
|
||||||
%attr(0755,root,root) %{_bindir}/ssh-keygen
|
%attr(0755,root,root) %{_bindir}/ssh-keygen
|
||||||
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
|
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
|
||||||
%attr(0755,root,root) %dir %{_libexecdir}/openssh
|
%attr(0755,root,root) %dir %{_libexecdir}/openssh
|
||||||
%attr(2111,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
|
%attr(2111,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
|
||||||
%attr(0755,root,root) %{_libexecdir}/openssh/ctr-cavstest
|
|
||||||
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
|
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
|
||||||
%endif
|
|
||||||
|
|
||||||
%files clients
|
%files clients
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
%attr(0755,root,root) %{_bindir}/ssh
|
%attr(0755,root,root) %{_bindir}/ssh
|
||||||
%attr(0644,root,root) %{_libdir}/fipscheck/ssh.hmac
|
|
||||||
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
|
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
|
||||||
%attr(0755,root,root) %{_bindir}/scp
|
%attr(0755,root,root) %{_bindir}/scp
|
||||||
%attr(0644,root,root) %{_mandir}/man1/scp.1*
|
%attr(0644,root,root) %{_mandir}/man1/scp.1*
|
||||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
|
||||||
%attr(0755,root,root) %{_bindir}/slogin
|
%attr(-,root,root) %{_bindir}/slogin
|
||||||
%attr(0644,root,root) %{_mandir}/man1/slogin.1*
|
%attr(0644,root,root) %{_mandir}/man1/slogin.1*
|
||||||
%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
|
%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
|
||||||
%if ! %{rescue}
|
|
||||||
%attr(2111,root,nobody) %{_bindir}/ssh-agent
|
%attr(2111,root,nobody) %{_bindir}/ssh-agent
|
||||||
%attr(0755,root,root) %{_bindir}/ssh-add
|
%attr(0755,root,root) %{_bindir}/ssh-add
|
||||||
%attr(0755,root,root) %{_bindir}/ssh-keyscan
|
%attr(0755,root,root) %{_bindir}/ssh-keyscan
|
||||||
@ -667,15 +348,12 @@ getent passwd sshd >/dev/null || \
|
|||||||
%attr(0644,root,root) %{_mandir}/man1/sftp.1*
|
%attr(0644,root,root) %{_mandir}/man1/sftp.1*
|
||||||
%attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1*
|
%attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1*
|
||||||
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
|
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
|
||||||
%endif
|
|
||||||
|
|
||||||
%if ! %{rescue}
|
|
||||||
%files server
|
%files server
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
%dir %attr(0711,root,root) %{_var}/empty/sshd
|
%dir %attr(0711,root,root) %{_var}/empty/sshd
|
||||||
%attr(0755,root,root) %{_sbindir}/sshd
|
%attr(0755,root,root) %{_sbindir}/sshd
|
||||||
%attr(0755,root,root) %{_sbindir}/sshd-keygen
|
%attr(0755,root,root) %{_sbindir}/sshd-keygen
|
||||||
%attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
|
|
||||||
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
|
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
|
||||||
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
|
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
|
||||||
%attr(0644,root,root) %{_mandir}/man5/moduli.5*
|
%attr(0644,root,root) %{_mandir}/man5/moduli.5*
|
||||||
@ -684,31 +362,16 @@ getent passwd sshd >/dev/null || \
|
|||||||
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
|
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
|
||||||
%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
|
%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
|
||||||
%attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd
|
%attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd
|
||||||
|
%if 0%{?fedora} || 0%{?rhel} > 6
|
||||||
%attr(0644,root,root) %{_unitdir}/sshd.service
|
%attr(0644,root,root) %{_unitdir}/sshd.service
|
||||||
%attr(0644,root,root) %{_unitdir}/sshd@.service
|
%attr(0644,root,root) %{_unitdir}/sshd@.service
|
||||||
%attr(0644,root,root) %{_unitdir}/sshd.socket
|
%attr(0644,root,root) %{_unitdir}/sshd.socket
|
||||||
%attr(0644,root,root) %{_unitdir}/sshd-keygen.service
|
%attr(0644,root,root) %{_unitdir}/sshd-keygen.service
|
||||||
|
%endif
|
||||||
|
|
||||||
%files server-sysvinit
|
%files server-sysvinit
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
%attr(0755,root,root) /etc/rc.d/init.d/sshd
|
%attr(0755,root,root) /etc/rc.d/init.d/sshd
|
||||||
%endif
|
|
||||||
|
|
||||||
%if %{ldap}
|
|
||||||
%files ldap
|
|
||||||
%defattr(-,root,root)
|
|
||||||
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema ldap.conf
|
|
||||||
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-helper
|
|
||||||
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-wrapper
|
|
||||||
%attr(0644,root,root) %{_mandir}/man8/ssh-ldap-helper.8*
|
|
||||||
%attr(0644,root,root) %{_mandir}/man5/ssh-ldap.conf.5*
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%files keycat
|
|
||||||
%defattr(-,root,root)
|
|
||||||
%doc HOWTO.ssh-keycat
|
|
||||||
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-keycat
|
|
||||||
%attr(0644,root,root) %config(noreplace) /etc/pam.d/ssh-keycat
|
|
||||||
|
|
||||||
%if ! %{no_gnome_askpass}
|
%if ! %{no_gnome_askpass}
|
||||||
%files askpass
|
%files askpass
|
||||||
@ -718,15 +381,22 @@ getent passwd sshd >/dev/null || \
|
|||||||
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
|
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{pam_ssh_agent}
|
|
||||||
%files -n pam_ssh_agent_auth
|
|
||||||
%defattr(-,root,root)
|
|
||||||
%doc pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE
|
|
||||||
%attr(0755,root,root) %{_libdir}/security/pam_ssh_agent_auth.so
|
|
||||||
%attr(0644,root,root) %{_mandir}/man8/pam_ssh_agent_auth.8*
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jun 16 2015 Jakub Jelen <jjelen@redhat.com> 6.9p1-0.20150617
|
||||||
|
- new SNAP of 6.9 version
|
||||||
|
|
||||||
|
* Tue Feb 24 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-1.20150224
|
||||||
|
- new SNAP of 6.8 version
|
||||||
|
|
||||||
|
* Thu Jan 08 2015 Petr Lautrbach <plautrba@redhat.com> 6.7p1-1
|
||||||
|
- new upstream release
|
||||||
|
|
||||||
|
* Wed May 14 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-1
|
||||||
|
- backport fix of curve25519-sha256@libssh.org issue
|
||||||
|
|
||||||
|
* Tue Apr 08 2014 Petr Lautrbach <plautrba@redhat.com> 6.6p1-1
|
||||||
|
- new upstream release - vanilla version without Fedora patches
|
||||||
|
|
||||||
* Wed Dec 11 2013 Petr Lautrbach <plautrba@redhat.com> 6.4p1-3 + 0.9.3-1
|
* Wed Dec 11 2013 Petr Lautrbach <plautrba@redhat.com> 6.4p1-3 + 0.9.3-1
|
||||||
- sshd-keygen - use correct permissions on ecdsa host key (#1023945)
|
- sshd-keygen - use correct permissions on ecdsa host key (#1023945)
|
||||||
- use only rsa and ecdsa host keys by default
|
- use only rsa and ecdsa host keys by default
|
||||||
|
63
sshd-keygen
63
sshd-keygen
@ -4,7 +4,7 @@
|
|||||||
#
|
#
|
||||||
# The creation is controlled by the $AUTOCREATE_SERVER_KEYS environment
|
# The creation is controlled by the $AUTOCREATE_SERVER_KEYS environment
|
||||||
# variable.
|
# variable.
|
||||||
AUTOCREATE_SERVER_KEYS=NODSA
|
AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"
|
||||||
|
|
||||||
# source function library
|
# source function library
|
||||||
. /etc/rc.d/init.d/functions
|
. /etc/rc.d/init.d/functions
|
||||||
@ -15,6 +15,7 @@ RSA1_KEY=/etc/ssh/ssh_host_key
|
|||||||
RSA_KEY=/etc/ssh/ssh_host_rsa_key
|
RSA_KEY=/etc/ssh/ssh_host_rsa_key
|
||||||
DSA_KEY=/etc/ssh/ssh_host_dsa_key
|
DSA_KEY=/etc/ssh/ssh_host_dsa_key
|
||||||
ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
|
ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
|
||||||
|
ED25519_KEY=/etc/ssh/ssh_host_ed25519_key
|
||||||
|
|
||||||
# pull in sysconfig settings
|
# pull in sysconfig settings
|
||||||
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
|
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
|
||||||
@ -33,10 +34,10 @@ do_rsa1_keygen() {
|
|||||||
rm -f $RSA1_KEY
|
rm -f $RSA1_KEY
|
||||||
if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
|
if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
|
||||||
chgrp ssh_keys $RSA1_KEY
|
chgrp ssh_keys $RSA1_KEY
|
||||||
chmod 640 $RSA1_KEY
|
chmod 600 $RSA1_KEY
|
||||||
chmod 644 $RSA1_KEY.pub
|
chmod 644 $RSA1_KEY.pub
|
||||||
if [ -x /sbin/restorecon ]; then
|
if [ -x /sbin/restorecon ]; then
|
||||||
/sbin/restorecon $RSA1_KEY.pub
|
/sbin/restorecon $RSA1_KEY{,.pub}
|
||||||
fi
|
fi
|
||||||
success $"RSA1 key generation"
|
success $"RSA1 key generation"
|
||||||
echo
|
echo
|
||||||
@ -54,10 +55,10 @@ do_rsa_keygen() {
|
|||||||
rm -f $RSA_KEY
|
rm -f $RSA_KEY
|
||||||
if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
|
if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
|
||||||
chgrp ssh_keys $RSA_KEY
|
chgrp ssh_keys $RSA_KEY
|
||||||
chmod 640 $RSA_KEY
|
chmod 600 $RSA_KEY
|
||||||
chmod 644 $RSA_KEY.pub
|
chmod 644 $RSA_KEY.pub
|
||||||
if [ -x /sbin/restorecon ]; then
|
if [ -x /sbin/restorecon ]; then
|
||||||
/sbin/restorecon $RSA_KEY.pub
|
/sbin/restorecon $RSA_KEY{,.pub}
|
||||||
fi
|
fi
|
||||||
success $"RSA key generation"
|
success $"RSA key generation"
|
||||||
echo
|
echo
|
||||||
@ -75,10 +76,10 @@ do_dsa_keygen() {
|
|||||||
rm -f $DSA_KEY
|
rm -f $DSA_KEY
|
||||||
if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
|
if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
|
||||||
chgrp ssh_keys $DSA_KEY
|
chgrp ssh_keys $DSA_KEY
|
||||||
chmod 640 $DSA_KEY
|
chmod 600 $DSA_KEY
|
||||||
chmod 644 $DSA_KEY.pub
|
chmod 644 $DSA_KEY.pub
|
||||||
if [ -x /sbin/restorecon ]; then
|
if [ -x /sbin/restorecon ]; then
|
||||||
/sbin/restorecon $DSA_KEY.pub
|
/sbin/restorecon $DSA_KEY{,.pub}
|
||||||
fi
|
fi
|
||||||
success $"DSA key generation"
|
success $"DSA key generation"
|
||||||
echo
|
echo
|
||||||
@ -96,10 +97,10 @@ do_ecdsa_keygen() {
|
|||||||
rm -f $ECDSA_KEY
|
rm -f $ECDSA_KEY
|
||||||
if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then
|
if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then
|
||||||
chgrp ssh_keys $ECDSA_KEY
|
chgrp ssh_keys $ECDSA_KEY
|
||||||
chmod 640 $ECDSA_KEY
|
chmod 600 $ECDSA_KEY
|
||||||
chmod 644 $ECDSA_KEY.pub
|
chmod 644 $ECDSA_KEY.pub
|
||||||
if [ -x /sbin/restorecon ]; then
|
if [ -x /sbin/restorecon ]; then
|
||||||
/sbin/restorecon $ECDSA_KEY.pub
|
/sbin/restorecon $ECDSA_KEY{,.pub}
|
||||||
fi
|
fi
|
||||||
success $"ECDSA key generation"
|
success $"ECDSA key generation"
|
||||||
echo
|
echo
|
||||||
@ -111,13 +112,43 @@ do_ecdsa_keygen() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# Create keys if necessary
|
do_ed25519_keygen() {
|
||||||
if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
|
if [ ! -s $ED25519_KEY ]; then
|
||||||
do_rsa_keygen
|
echo -n $"Generating SSH2 ED25519 host key: "
|
||||||
if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then
|
rm -f $ED25519_KEY
|
||||||
do_ecdsa_keygen
|
if test ! -f $ED25519_KEY && $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >&/dev/null; then
|
||||||
if [ "x${AUTOCREATE_SERVER_KEYS}" != xNODSA ]; then
|
chgrp ssh_keys $ED25519_KEY
|
||||||
do_dsa_keygen
|
chmod 600 $ED25519_KEY
|
||||||
|
chmod 644 $ED25519_KEY.pub
|
||||||
|
if [ -x /sbin/restorecon ]; then
|
||||||
|
/sbin/restorecon $ED25519_KEY{,.pub}
|
||||||
|
fi
|
||||||
|
success $"ED25519 key generation"
|
||||||
|
echo
|
||||||
|
else
|
||||||
|
failure $"ED25519 key generation"
|
||||||
|
echo
|
||||||
|
exit 1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
if [ "x${AUTOCREATE_SERVER_KEYS}" == "xNO" ]; then
|
||||||
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# legacy options
|
||||||
|
case $AUTOCREATE_SERVER_KEYS in
|
||||||
|
NODSA) AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519";;
|
||||||
|
RSAONLY) AUTOCREATE_SERVER_KEYS="RSA";;
|
||||||
|
YES) AUTOCREATE_SERVER_KEYS="DSA RSA ECDSA ED25519";;
|
||||||
|
esac
|
||||||
|
|
||||||
|
for KEY in $AUTOCREATE_SERVER_KEYS; do
|
||||||
|
case $KEY in
|
||||||
|
DSA) do_dsa_keygen;;
|
||||||
|
RSA) do_rsa_keygen;;
|
||||||
|
ECDSA) do_ecdsa_keygen;;
|
||||||
|
ED25519) do_ed25519_keygen;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
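Review bot: In do_ed25519_keygen, and in the 640→600 changes in the rsa1/rsa/dsa/ecdsa hunks above it, the private key is first `chgrp ssh_keys $KEY` and then `chmod 600 $KEY`, which leaves the group assignment with no effect; the spec in this same compare still packages ssh-keysign as `%attr(2111,root,ssh_keys)`, so if host-based authentication relies on that setgid group to read the host keys, 0600 presumably breaks it — either keep `chmod 640 $ED25519_KEY` (and the other four) or drop the chgrp and say why in a comment. Separately, the dispatch `case $KEY in` at the end of the script has no default arm, so a misspelled or lowercase entry in AUTOCREATE_SERVER_KEYS (for example `rsa`) is silently skipped and the host may end up without that key; `*) echo "sshd-keygen: unknown key type '$KEY'" >&2;;` would surface it. The functions do_rsa1_keygen through do_ecdsa_keygen start outside their hunks.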
|
@ -2,7 +2,10 @@
|
|||||||
Description=OpenSSH Server Key Generation
|
Description=OpenSSH Server Key Generation
|
||||||
ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
|
ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
|
||||||
ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
|
ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
|
||||||
|
ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
|
||||||
|
PartOf=sshd.service sshd.socket
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ExecStart=/usr/sbin/sshd-keygen
|
ExecStart=/usr/sbin/sshd-keygen
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
|
RemainAfterExit=yes
|
||||||
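Review bot: The `ConditionPathExists=|!` lines in this unit (presumably sshd-keygen.service) only cover the rsa, ecdsa and ed25519 keys, while the new sshd-keygen script generates whatever AUTOCREATE_SERVER_KEYS lists, DSA included; since sshd.service below drops its `ExecStartPre=/usr/sbin/sshd-keygen` in favour of `Wants=sshd-keygen.service`, a configured DSA key that is missing is no longer generated once the other three exist. Either add `ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key` or drop the conditions altogether — the script's own `if [ ! -s $KEY ]` checks already make it a no-op when nothing is missing. A short comment above the conditions stating which key types they cover would help the next packager.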
|
@ -1,10 +1,10 @@
|
|||||||
[Unit]
|
[Unit]
|
||||||
Description=OpenSSH server daemon
|
Description=OpenSSH server daemon
|
||||||
After=syslog.target network.target auditd.service
|
After=network.target sshd-keygen.service
|
||||||
|
Wants=sshd-keygen.service
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
EnvironmentFile=/etc/sysconfig/sshd
|
EnvironmentFile=/etc/sysconfig/sshd
|
||||||
ExecStartPre=/usr/sbin/sshd-keygen
|
|
||||||
ExecStart=/usr/sbin/sshd -D $OPTIONS
|
ExecStart=/usr/sbin/sshd -D $OPTIONS
|
||||||
ExecReload=/bin/kill -HUP $MAINPID
|
ExecReload=/bin/kill -HUP $MAINPID
|
||||||
KillMode=process
|
KillMode=process
|
||||||
|
@ -1,14 +1,12 @@
|
|||||||
# Configuration file for the sshd service.
|
# Configuration file for the sshd service.
|
||||||
|
|
||||||
# The server keys are automatically generated if they omitted
|
# The server keys are automatically generated if they are missing.
|
||||||
# to change the automatic creation uncomment the appropriate
|
# To change the automatic creation uncomment and change the appropriate
|
||||||
# line. The default is NODSA which means rsa and ecdsa keys are
|
# line. Accepted key types are: DSA RSA ECDSA ED25519.
|
||||||
# generated.
|
# The default is "RSA ECDSA ED25519"
|
||||||
|
|
||||||
# AUTOCREATE_SERVER_KEYS=NODSA
|
# AUTOCREATE_SERVER_KEYS=""
|
||||||
# AUTOCREATE_SERVER_KEYS=RSAONLY
|
# AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"
|
||||||
# AUTOCREATE_SERVER_KEYS=NO
|
|
||||||
# AUTOCREATE_SERVER_KEYS=YES
|
|
||||||
|
|
||||||
# Do not change this option unless you have hardware random
|
# Do not change this option unless you have hardware random
|
||||||
# generator and you REALLY know what you are doing
|
# generator and you REALLY know what you are doing
|
||||||
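Review bot: The rewritten comment presents AUTOCREATE_SERVER_KEYS as a list of key types, but the script's legacy-options block still maps `NO`, `NODSA`, `RSAONLY` and `YES`, and the example `# AUTOCREATE_SERVER_KEYS=""` is left unexplained: an empty list makes the for-loop generate nothing, so an installation with no pre-existing keys ends up without any. Consider documenting both behaviours, e.g. `# An empty value disables generation; the old NO/NODSA/RSAONLY/YES values are still accepted.`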
|
@ -1,7 +1,7 @@
|
|||||||
[Unit]
|
[Unit]
|
||||||
Description=OpenSSH per-connection server daemon
|
Description=OpenSSH per-connection server daemon
|
||||||
Wants=sshd-keygen.service
|
Wants=sshd-keygen.service
|
||||||
After=auditd.service sshd-keygen.service
|
After=sshd-keygen.service
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
EnvironmentFile=-/etc/sysconfig/sshd
|
EnvironmentFile=-/etc/sysconfig/sshd
|
||||||
|
156
sshd_config
Normal file
156
sshd_config
Normal file
@ -0,0 +1,156 @@
|
|||||||
|
# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
|
||||||
|
|
||||||
|
# This is the sshd server system-wide configuration file. See
|
||||||
|
# sshd_config(5) for more information.
|
||||||
|
|
||||||
|
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
|
||||||
|
|
||||||
|
# The strategy used for options in the default sshd_config shipped with
|
||||||
|
# OpenSSH is to specify options with their default value where
|
||||||
|
# possible, but leave them commented. Uncommented options override the
|
||||||
|
# default value.
|
||||||
|
|
||||||
|
# If you want to change the port on a SELinux system, you have to tell
|
||||||
|
# SELinux about this change.
|
||||||
|
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
|
||||||
|
#
|
||||||
|
#Port 22
|
||||||
|
#AddressFamily any
|
||||||
|
#ListenAddress 0.0.0.0
|
||||||
|
#ListenAddress ::
|
||||||
|
|
||||||
|
# The default requires explicit activation of protocol 1
|
||||||
|
#Protocol 2
|
||||||
|
|
||||||
|
# HostKey for protocol version 1
|
||||||
|
#HostKey /etc/ssh/ssh_host_key
|
||||||
|
# HostKeys for protocol version 2
|
||||||
|
HostKey /etc/ssh/ssh_host_rsa_key
|
||||||
|
#HostKey /etc/ssh/ssh_host_dsa_key
|
||||||
|
HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||||
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||||
|
|
||||||
|
# Lifetime and size of ephemeral version 1 server key
|
||||||
|
#KeyRegenerationInterval 1h
|
||||||
|
#ServerKeyBits 1024
|
||||||
|
|
||||||
|
# Ciphers and keying
|
||||||
|
#RekeyLimit default none
|
||||||
|
|
||||||
|
# Logging
|
||||||
|
# obsoletes QuietMode and FascistLogging
|
||||||
|
#SyslogFacility AUTH
|
||||||
|
SyslogFacility AUTHPRIV
|
||||||
|
#LogLevel INFO
|
||||||
|
|
||||||
|
# Authentication:
|
||||||
|
|
||||||
|
#LoginGraceTime 2m
|
||||||
|
#PermitRootLogin yes
|
||||||
|
#StrictModes yes
|
||||||
|
#MaxAuthTries 6
|
||||||
|
#MaxSessions 10
|
||||||
|
|
||||||
|
#RSAAuthentication yes
|
||||||
|
#PubkeyAuthentication yes
|
||||||
|
|
||||||
|
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
||||||
|
# but this is overridden so installations will only check .ssh/authorized_keys
|
||||||
|
AuthorizedKeysFile .ssh/authorized_keys
|
||||||
|
|
||||||
|
#AuthorizedPrincipalsFile none
|
||||||
|
|
||||||
|
#AuthorizedKeysCommand none
|
||||||
|
#AuthorizedKeysCommandUser nobody
|
||||||
|
|
||||||
|
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||||
|
#RhostsRSAAuthentication no
|
||||||
|
# similar for protocol version 2
|
||||||
|
#HostbasedAuthentication no
|
||||||
|
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
||||||
|
# RhostsRSAAuthentication and HostbasedAuthentication
|
||||||
|
#IgnoreUserKnownHosts no
|
||||||
|
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||||
|
#IgnoreRhosts yes
|
||||||
|
|
||||||
|
# To disable tunneled clear text passwords, change to no here!
|
||||||
|
#PasswordAuthentication yes
|
||||||
|
#PermitEmptyPasswords no
|
||||||
|
PasswordAuthentication yes
|
||||||
|
|
||||||
|
# Change to no to disable s/key passwords
|
||||||
|
#ChallengeResponseAuthentication yes
|
||||||
|
ChallengeResponseAuthentication no
|
||||||
|
|
||||||
|
# Kerberos options
|
||||||
|
#KerberosAuthentication no
|
||||||
|
#KerberosOrLocalPasswd yes
|
||||||
|
#KerberosTicketCleanup yes
|
||||||
|
#KerberosGetAFSToken no
|
||||||
|
|
||||||
|
# GSSAPI options
|
||||||
|
#GSSAPIAuthentication no
|
||||||
|
GSSAPIAuthentication yes
|
||||||
|
#GSSAPICleanupCredentials yes
|
||||||
|
GSSAPICleanupCredentials no
|
||||||
|
|
||||||
|
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||||
|
# and session processing. If this is enabled, PAM authentication will
|
||||||
|
# be allowed through the ChallengeResponseAuthentication and
|
||||||
|
# PasswordAuthentication. Depending on your PAM configuration,
|
||||||
|
# PAM authentication via ChallengeResponseAuthentication may bypass
|
||||||
|
# the setting of "PermitRootLogin without-password".
|
||||||
|
# If you just want the PAM account and session checks to run without
|
||||||
|
# PAM authentication, then enable this but set PasswordAuthentication
|
||||||
|
# and ChallengeResponseAuthentication to 'no'.
|
||||||
|
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
|
||||||
|
# problems.
|
||||||
|
#UsePAM no
|
||||||
|
UsePAM yes
|
||||||
|
|
||||||
|
#AllowAgentForwarding yes
|
||||||
|
#AllowTcpForwarding yes
|
||||||
|
#GatewayPorts no
|
||||||
|
#X11Forwarding no
|
||||||
|
X11Forwarding yes
|
||||||
|
#X11DisplayOffset 10
|
||||||
|
#X11UseLocalhost yes
|
||||||
|
#PermitTTY yes
|
||||||
|
#PrintMotd yes
|
||||||
|
#PrintLastLog yes
|
||||||
|
#TCPKeepAlive yes
|
||||||
|
#UseLogin no
|
||||||
|
UsePrivilegeSeparation sandbox # Default for new installations.
|
||||||
|
#PermitUserEnvironment no
|
||||||
|
#Compression delayed
|
||||||
|
#ClientAliveInterval 0
|
||||||
|
#ClientAliveCountMax 3
|
||||||
|
#UseDNS yes
|
||||||
|
#PidFile /var/run/sshd.pid
|
||||||
|
#MaxStartups 10:30:100
|
||||||
|
#PermitTunnel no
|
||||||
|
#ChrootDirectory none
|
||||||
|
#VersionAddendum none
|
||||||
|
|
||||||
|
# no default banner path
|
||||||
|
#Banner none
|
||||||
|
|
||||||
|
# Accept locale-related environment variables
|
||||||
|
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||||
|
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||||
|
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||||
|
AcceptEnv XMODIFIERS
|
||||||
|
|
||||||
|
# override default of no subsystems
|
||||||
|
Subsystem sftp /usr/libexec/openssh/sftp-server
|
||||||
|
|
||||||
|
# Uncomment this if you want to use .local domain
|
||||||
|
#Host *.local
|
||||||
|
# CheckHostIP no
|
||||||
|
|
||||||
|
# Example of overriding settings on a per-user basis
|
||||||
|
#Match User anoncvs
|
||||||
|
# X11Forwarding no
|
||||||
|
# AllowTcpForwarding no
|
||||||
|
# PermitTTY no
|
||||||
|
# ForceCommand cvs server
|