Hello community,
here is the log from the commit of package openssh for openSUSE:Factory
checked in at Tue Feb 1 15:14:06 CET 2011.
--------
--- openssh/openssh-askpass-gnome.changes 2011-01-12 13:39:34.000000000 +0100
+++ /mounts/work_src_done/STABLE/openssh/openssh-askpass-gnome.changes 2011-01-25 12:04:54.000000000 +0100
@@ -1,0 +2,5 @@
+Mon Jan 24 11:51:10 UTC 2011 - lchiquitto@novell.com
+
+- Update to 5.7p1
+
+-------------------------------------------------------------------
--- openssh/openssh.changes 2011-01-12 13:39:35.000000000 +0100
+++ /mounts/work_src_done/STABLE/openssh/openssh.changes 2011-01-25 11:29:04.000000000 +0100
@@ -1,0 +2,36 @@
+Mon Jan 24 11:24:59 UTC 2011 - lchiquitto@novell.com
+
+- Update to 5.7p1
+ * Implement Elliptic Curve Cryptography modes for key exchange (ECDH)
+ and host/user keys (ECDSA) as specified by RFC5656.
+ * sftp(1)/sftp-server(8): add a protocol extension to support a hard
+ link operation.
+ * scp(1): Add a new -3 option to scp: Copies between two remote hosts
+ are transferred through the local host.
+ * ssh(1): automatically order the hostkeys requested by the client
+ based on which hostkeys are already recorded in known_hosts.
+ * ssh(1)/sshd(8): add a new IPQoS option to specify arbitrary
+ TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
+ * sftp(1): the sftp client is now significantly faster at performing
+ directory listings, using OpenBSD glob(3) extensions to preserve
+ the results of stat(3) operations performed in the course of its
+ execution rather than performing expensive round trips to fetch
+ them again afterwards.
+ * ssh(1): "atomically" create the listening mux socket by binding it on
+ a temporary name and then linking it into position after listen() has
+ succeeded.
+ * ssh(1)/sshd(8): add a KexAlgorithms knob to the client and server
+ configuration to allow selection of which key exchange methods are
+ used by ssh(1) and sshd(8) and their order of preference.
+ * sftp(1)/scp(1): factor out bandwidth limiting code from scp(1) into
+ a generic bandwidth limiter that can be attached using the atomicio
+ callback mechanism and use it to add a bandwidth limit option to
+ sftp(1).
+ * Support building against openssl-1.0.0a.
+ * Bug fixes.
+- Remove patches that are now upstream:
+ * openssh-5.6p1-tmpdir.diff
+ * openssh-linux-new-oomkill.patch
+- Add upstream patch to fix build with SELinux enabled.
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
Old:
----
openssh-5.6p1-askpass-fix.diff
openssh-5.6p1-audit.patch
openssh-5.6p1-blocksigalrm.diff
openssh-5.6p1-default-protocol.diff
openssh-5.6p1.dif
openssh-5.6p1-eal3.diff
openssh-5.6p1-engines.diff
openssh-5.6p1-gssapimitm.patch
openssh-5.6p1-homechroot.patch
openssh-5.6p1-host_ident.diff
openssh-5.6p1-pam-fix2.diff
openssh-5.6p1-pam-fix3.diff
openssh-5.6p1-pts.diff
openssh-5.6p1-saveargv-fix.diff
openssh-5.6p1-send_locale.diff
openssh-5.6p1-sshconfig-knownhostschanges.diff
openssh-5.6p1.tar.bz2
openssh-5.6p1-tmpdir.diff
openssh-5.6p1-xauth.diff
openssh-5.6p1-xauthlocalhostname.diff
openssh-linux-new-oomkill.patch
New:
----
openssh-5.7p1-askpass-fix.diff
openssh-5.7p1-audit.patch
openssh-5.7p1-blocksigalrm.diff
openssh-5.7p1-default-protocol.diff
openssh-5.7p1.dif
openssh-5.7p1-eal3.diff
openssh-5.7p1-engines.diff
openssh-5.7p1-gssapimitm.patch
openssh-5.7p1-homechroot.patch
openssh-5.7p1-host_ident.diff
openssh-5.7p1-pam-fix2.diff
openssh-5.7p1-pam-fix3.diff
openssh-5.7p1-pts.diff
openssh-5.7p1-saveargv-fix.diff
openssh-5.7p1-selinux.diff
openssh-5.7p1-send_locale.diff
openssh-5.7p1-sshconfig-knownhostschanges.diff
openssh-5.7p1.tar.bz2
openssh-5.7p1-xauth.diff
openssh-5.7p1-xauthlocalhostname.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssh-askpass-gnome.spec ++++++
--- /var/tmp/diff_new_pack.jy15Tc/_old 2011-02-01 15:11:50.000000000 +0100
+++ /var/tmp/diff_new_pack.jy15Tc/_new 2011-02-01 15:11:50.000000000 +0100
@@ -1,5 +1,5 @@
#
-# spec file for package openssh-askpass-gnome (Version 5.6p1)
+# spec file for package openssh-askpass-gnome
#
# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@@ -22,8 +22,8 @@
BuildRequires: gtk2-devel krb5-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files
License: BSD3c(or similar)
Group: Productivity/Networking/SSH
-Version: 5.6p1
-Release: 8
+Version: 5.7p1
+Release: 1
Requires: openssh = %{version} openssh-askpass = %{version}
AutoReqProv: on
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
++++++ openssh.spec ++++++
--- /var/tmp/diff_new_pack.jy15Tc/_old 2011-02-01 15:11:50.000000000 +0100
+++ /var/tmp/diff_new_pack.jy15Tc/_new 2011-02-01 15:11:50.000000000 +0100
@@ -1,5 +1,5 @@
#
-# spec file for package openssh (Version 5.6p1)
+# spec file for package openssh
#
# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@@ -29,8 +29,8 @@
PreReq: pwdutils %insserv_prereq %fillup_prereq coreutils
Conflicts: nonfreessh
AutoReqProv: on
-Version: 5.6p1
-Release: 8
+Version: 5.7p1
+Release: 1
%define xversion 1.2.4.1
Summary: Secure Shell Client and Server (Remote Login Program)
Url: http://www.openssh.com/
@@ -55,7 +55,6 @@
Patch8: %{name}-%{version}-blocksigalrm.diff
Patch9: %{name}-%{version}-send_locale.diff
Patch10: %{name}-%{version}-xauthlocalhostname.diff
-Patch11: %{name}-%{version}-tmpdir.diff
Patch12: %{name}-%{version}-xauth.diff
Patch14: %{name}-%{version}-default-protocol.diff
Patch15: %{name}-%{version}-audit.patch
@@ -63,7 +62,7 @@
Patch17: %{name}-%{version}-homechroot.patch
Patch18: %{name}-%{version}-sshconfig-knownhostschanges.diff
Patch19: %{name}-%{version}-host_ident.diff
-Patch20: openssh-linux-new-oomkill.patch
+Patch20: %{name}-%{version}-selinux.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%package askpass
@@ -101,7 +100,6 @@
%patch8
%patch9
%patch10
-%patch11
%patch12
%patch14
%patch15 -p1
@@ -109,7 +107,7 @@
%patch17
%patch18
%patch19 -p1
-%patch20
+%patch20 -p1
cp -v %{SOURCE4} .
cp -v %{SOURCE6} .
cd ../x11-ssh-askpass-%{xversion}
++++++ openssh-5.6p1-askpass-fix.diff -> openssh-5.7p1-askpass-fix.diff ++++++
--- openssh/openssh-5.6p1-askpass-fix.diff 2010-08-24 15:52:51.000000000 +0200
+++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-askpass-fix.diff 2011-01-25 11:29:00.000000000 +0100
@@ -1,6 +1,8 @@
---- x11-ssh-askpass.c
+Index: x11-ssh-askpass.c
+===================================================================
+--- x11-ssh-askpass.c.orig
+++ x11-ssh-askpass.c
-@@ -1301,7 +1301,7 @@
+@@ -1301,7 +1301,7 @@ void handleKeyPress(AppInfo *app, XEvent
}
}
@@ -9,7 +11,7 @@
{
/* 'gcc -Wall' complains about 'app' being an unused parameter.
* Tough. We might want to use it later, and then we don't have
-@@ -1343,11 +1343,11 @@
+@@ -1343,11 +1343,11 @@ void handleButtonPress(AppInfo *app, XEv
return;
}
if (ButtonPress == event->type) {
@@ -23,7 +25,7 @@
d->pressedButton = CANCEL_BUTTON;
d->cancelButton.pressed = True;
paintButton(app, d->dialogWindow, d->cancelButton);
-@@ -1356,7 +1356,7 @@
+@@ -1356,7 +1356,7 @@ void handleButtonPress(AppInfo *app, XEv
}
} else if (ButtonRelease == event->type) {
if (OK_BUTTON == d->pressedButton) {
@@ -32,7 +34,7 @@
acceptAction(app);
} else {
if (d->okButton.pressed) {
-@@ -1365,7 +1365,7 @@
+@@ -1365,7 +1365,7 @@ void handleButtonPress(AppInfo *app, XEv
}
}
} else if (CANCEL_BUTTON == d->pressedButton) {
@@ -41,7 +43,7 @@
cancelAction(app);
} else {
if (d->cancelButton.pressed) {
-@@ -1385,7 +1385,7 @@
+@@ -1385,7 +1385,7 @@ void handlePointerMotion(AppInfo *app, X
if (NO_BUTTON == d->pressedButton) {
return;
} else if (OK_BUTTON == d->pressedButton) {
@@ -50,7 +52,7 @@
if (!(d->okButton.pressed)) {
d->okButton.pressed = True;
paintButton(app, d->dialogWindow, d->okButton);
-@@ -1397,7 +1397,7 @@
+@@ -1397,7 +1397,7 @@ void handlePointerMotion(AppInfo *app, X
}
}
} else if (CANCEL_BUTTON == d->pressedButton) {
@@ -59,9 +61,11 @@
if (!(d->cancelButton.pressed)) {
d->cancelButton.pressed = True;
paintButton(app, d->dialogWindow, d->cancelButton);
---- x11-ssh-askpass.h
+Index: x11-ssh-askpass.h
+===================================================================
+--- x11-ssh-askpass.h.orig
+++ x11-ssh-askpass.h
-@@ -258,7 +258,7 @@
+@@ -258,7 +258,7 @@ void erasePassphrase(AppInfo *app);
void addToPassphrase(AppInfo *app, char c);
void handleKeyPress(AppInfo *app, XEvent *event);
++++++ openssh-5.6p1-audit.patch -> openssh-5.7p1-audit.patch ++++++
--- openssh/openssh-5.6p1-audit.patch 2010-08-24 15:52:52.000000000 +0200
+++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-audit.patch 2011-01-24 12:48:01.000000000 +0100
@@ -1,9 +1,9 @@
# add support for Linux audit (FATE #120269)
================================================================================
-Index: openssh-5.6p1/Makefile.in
+Index: openssh-5.7p1/Makefile.in
===================================================================
---- openssh-5.6p1.orig/Makefile.in
-+++ openssh-5.6p1/Makefile.in
+--- openssh-5.7p1.orig/Makefile.in
++++ openssh-5.7p1/Makefile.in
@@ -46,6 +46,7 @@ LD=@LD@
CFLAGS=@CFLAGS@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
@@ -12,7 +12,7 @@
SSHDLIBS=@SSHDLIBS@
LIBEDIT=@LIBEDIT@
AR=@AR@
-@@ -142,7 +143,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SS
+@@ -145,7 +146,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SS
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
@@ -21,10 +21,10 @@
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-Index: openssh-5.6p1/auth.c
+Index: openssh-5.7p1/auth.c
===================================================================
---- openssh-5.6p1.orig/auth.c
-+++ openssh-5.6p1/auth.c
+--- openssh-5.7p1.orig/auth.c
++++ openssh-5.7p1/auth.c
@@ -293,6 +293,12 @@ auth_log(Authctxt *authctxt, int authent
get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
# endif
@@ -38,7 +38,7 @@
#ifdef SSH_AUDIT_EVENTS
if (authenticated == 0 && !authctxt->postponed)
audit_event(audit_classify_auth(method));
-@@ -586,6 +592,10 @@ getpwnamallow(const char *user)
+@@ -592,6 +598,10 @@ getpwnamallow(const char *user)
record_failed_login(user,
get_canonical_hostname(options.use_dns), "ssh");
#endif
@@ -49,11 +49,11 @@
#ifdef SSH_AUDIT_EVENTS
audit_event(SSH_INVALID_USER);
#endif /* SSH_AUDIT_EVENTS */
-Index: openssh-5.6p1/config.h.in
+Index: openssh-5.7p1/config.h.in
===================================================================
---- openssh-5.6p1.orig/config.h.in
-+++ openssh-5.6p1/config.h.in
-@@ -1424,6 +1424,9 @@
+--- openssh-5.7p1.orig/config.h.in
++++ openssh-5.7p1/config.h.in
+@@ -1460,6 +1460,9 @@
/* Define if you want SELinux support. */
#undef WITH_SELINUX
@@ -63,11 +63,11 @@
/* Define to 1 if your processor stores words with the most significant byte
first (like Motorola and SPARC, unlike Intel and VAX). */
#undef WORDS_BIGENDIAN
-Index: openssh-5.6p1/configure.ac
+Index: openssh-5.7p1/configure.ac
===================================================================
---- openssh-5.6p1.orig/configure.ac
-+++ openssh-5.6p1/configure.ac
-@@ -3393,6 +3393,20 @@ AC_ARG_WITH(selinux,
+--- openssh-5.7p1.orig/configure.ac
++++ openssh-5.7p1/configure.ac
+@@ -3521,6 +3521,20 @@ AC_ARG_WITH(selinux,
fi ]
)
@@ -88,7 +88,7 @@
# Check whether user wants Kerberos 5 support
KRB5_MSG="no"
AC_ARG_WITH(kerberos5,
-@@ -4185,6 +4199,7 @@ echo " PAM support
+@@ -4315,6 +4329,7 @@ echo " PAM support
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
@@ -96,10 +96,10 @@
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
-Index: openssh-5.6p1/loginrec.c
+Index: openssh-5.7p1/loginrec.c
===================================================================
---- openssh-5.6p1.orig/loginrec.c
-+++ openssh-5.6p1/loginrec.c
+--- openssh-5.7p1.orig/loginrec.c
++++ openssh-5.7p1/loginrec.c
@@ -176,6 +176,10 @@
#include "auth.h"
#include "buffer.h"
@@ -121,7 +121,7 @@
int lastlog_write_entry(struct logininfo *li);
int syslogin_write_entry(struct logininfo *li);
-@@ -441,6 +448,10 @@ login_write(struct logininfo *li)
+@@ -442,6 +449,10 @@ login_write(struct logininfo *li)
/* set the timestamp */
login_set_current_time(li);
@@ -132,7 +132,7 @@
#ifdef USE_LOGIN
syslogin_write_entry(li);
#endif
-@@ -1399,6 +1410,87 @@ wtmpx_get_entry(struct logininfo *li)
+@@ -1406,6 +1417,87 @@ wtmpx_get_entry(struct logininfo *li)
}
#endif /* USE_WTMPX */
@@ -220,10 +220,10 @@
/**
** Low-level libutil login() functions
**/
-Index: openssh-5.6p1/loginrec.h
+Index: openssh-5.7p1/loginrec.h
===================================================================
---- openssh-5.6p1.orig/loginrec.h
-+++ openssh-5.6p1/loginrec.h
+--- openssh-5.7p1.orig/loginrec.h
++++ openssh-5.7p1/loginrec.h
@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
char *line_abbrevname(char *dst, const char *src, int dstsize);
++++++ openssh-5.6p1-blocksigalrm.diff -> openssh-5.7p1-blocksigalrm.diff ++++++
--- openssh/openssh-5.6p1-blocksigalrm.diff 2010-08-24 15:52:52.000000000 +0200
+++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-blocksigalrm.diff 2011-01-24 12:48:02.000000000 +0100
@@ -1,4 +1,6 @@
---- log.c
+Index: log.c
+===================================================================
+--- log.c.orig
+++ log.c
@@ -51,6 +51,7 @@
@@ -8,7 +10,7 @@
static LogLevel log_level = SYSLOG_LEVEL_INFO;
static int log_on_stderr = 1;
-@@ -336,6 +337,7 @@
+@@ -336,6 +337,7 @@ do_log(LogLevel level, const char *fmt,
char fmtbuf[MSGBUFSIZ];
char *txt = NULL;
int pri = LOG_INFO;
@@ -16,22 +18,22 @@
int saved_errno = errno;
if (level > log_level)
-@@ -387,6 +389,14 @@
+@@ -387,6 +389,14 @@ do_log(LogLevel level, const char *fmt,
snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf);
write(STDERR_FILENO, msgbuf, strlen(msgbuf));
} else {
+ /* Prevent a race between the grace_alarm
+ * which writes a log message and terminates
-+ * and main sshd code that leads to deadlock
++ * and main sshd code that leads to deadlock
+ * as syslog is not async safe.
-+ */
++ */
+ sigemptyset(&nset);
+ sigaddset(&nset, SIGALRM);
+ sigprocmask(SIG_BLOCK, &nset, &oset);
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
syslog_r(pri, &sdata, "%.500s", fmtbuf);
-@@ -396,6 +406,7 @@
+@@ -396,6 +406,7 @@ do_log(LogLevel level, const char *fmt,
syslog(pri, "%.500s", fmtbuf);
closelog();
#endif
++++++ openssh-5.6p1-default-protocol.diff -> openssh-5.7p1-default-protocol.diff ++++++
++++++ openssh-5.6p1.dif -> openssh-5.7p1.dif ++++++
--- openssh/openssh-5.6p1.dif 2010-08-24 15:52:58.000000000 +0200
+++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1.dif 2011-01-24 12:48:19.000000000 +0100
@@ -17,7 +17,7 @@
+# remote side (the "spoofed" X-server by the remote sshd) can read your
+# keystrokes as you type, just like any other X11 client could do.
+# Set this to "no" here for global effect or in your own ~/.ssh/config
-+# file if you want to have the remote X11 authentification data to
++# file if you want to have the remote X11 authentification data to
+# expire after two minutes after remote login.
+ForwardX11Trusted yes
+
@@ -28,12 +28,12 @@
===================================================================
--- sshd_config.orig
+++ sshd_config
-@@ -86,7 +86,7 @@
+@@ -87,7 +87,7 @@
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
-#X11Forwarding no
-+X11Forwarding yes
++X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
++++++ openssh-5.6p1-eal3.diff -> openssh-5.7p1-eal3.diff ++++++
--- openssh/openssh-5.6p1-eal3.diff 2010-08-24 15:52:53.000000000 +0200
+++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-eal3.diff 2011-01-24 12:48:04.000000000 +0100
@@ -1,26 +1,26 @@
-Index: openssh-5.6p1/sshd.8
+Index: openssh-5.7p1/sshd.8
===================================================================
---- openssh-5.6p1.orig/sshd.8
-+++ openssh-5.6p1/sshd.8
-@@ -850,7 +850,7 @@ Contains Diffie-Hellman groups used for
+--- openssh-5.7p1.orig/sshd.8
++++ openssh-5.7p1/sshd.8
+@@ -855,7 +855,7 @@ Contains Diffie-Hellman groups used for
The file format is described in
.Xr moduli 5 .
.Pp
--.It /etc/motd
-+.It /etc/lib/motd
+-.It Pa /etc/motd
++.It Pa /etc/lib/motd
See
.Xr motd 5 .
.Pp
-@@ -863,7 +863,7 @@ are displayed to anyone trying to log in
+@@ -868,7 +868,7 @@ are displayed to anyone trying to log in
refused.
The file should be world-readable.
.Pp
--.It /etc/shosts.equiv
-+.It /etc/ssh/shosts.equiv
+-.It Pa /etc/shosts.equiv
++.It Pa /etc/ssh/shosts.equiv
This file is used in exactly the same way as
.Pa hosts.equiv ,
but allows host-based authentication without permitting login with
-@@ -940,8 +940,7 @@ The content of this file is not sensitiv
+@@ -947,8 +947,7 @@ The content of this file is not sensitiv
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
.Xr hosts_access 5 ,
@@ -30,11 +30,11 @@
.Xr sshd_config 5 ,
.Xr inetd 8 ,
.Xr sftp-server 8
-Index: openssh-5.6p1/sshd_config.5
+Index: openssh-5.7p1/sshd_config.5
===================================================================
---- openssh-5.6p1.orig/sshd_config.5
-+++ openssh-5.6p1/sshd_config.5
-@@ -496,7 +496,7 @@ or
+--- openssh-5.7p1.orig/sshd_config.5
++++ openssh-5.7p1/sshd_config.5
+@@ -497,7 +497,7 @@ or
.Pp
.Pa /etc/hosts.equiv
and
++++++ openssh-5.6p1-engines.diff -> openssh-5.7p1-engines.diff ++++++
--- openssh/openssh-5.6p1-engines.diff 2010-08-24 15:52:53.000000000 +0200
+++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-engines.diff 2011-01-24 12:48:05.000000000 +0100
@@ -1,7 +1,7 @@
-Index: openssh-5.6p1/ssh-add.c
+Index: openssh-5.7p1/ssh-add.c
===================================================================
---- openssh-5.6p1.orig/ssh-add.c
-+++ openssh-5.6p1/ssh-add.c
+--- openssh-5.7p1.orig/ssh-add.c
++++ openssh-5.7p1/ssh-add.c
@@ -43,6 +43,7 @@
#include
@@ -10,9 +10,9 @@
#include
#include
-@@ -374,6 +375,10 @@ main(int argc, char **argv)
+@@ -377,6 +378,10 @@ main(int argc, char **argv)
- SSLeay_add_all_algorithms();
+ OpenSSL_add_all_algorithms();
+ /* Init available hardware crypto engines. */
+ ENGINE_load_builtin_engines();
@@ -21,10 +21,10 @@
/* At first, get a connection to the authentication agent. */
ac = ssh_get_authentication_connection();
if (ac == NULL) {
-Index: openssh-5.6p1/ssh-agent.c
+Index: openssh-5.7p1/ssh-agent.c
===================================================================
---- openssh-5.6p1.orig/ssh-agent.c
-+++ openssh-5.6p1/ssh-agent.c
+--- openssh-5.7p1.orig/ssh-agent.c
++++ openssh-5.7p1/ssh-agent.c
@@ -52,6 +52,7 @@
#include
#include
@@ -33,9 +33,9 @@
#include
#include
-@@ -1094,6 +1095,10 @@ main(int ac, char **av)
+@@ -1153,6 +1154,10 @@ main(int ac, char **av)
- SSLeay_add_all_algorithms();
+ OpenSSL_add_all_algorithms();
+ /* Init available hardware crypto engines. */
+ ENGINE_load_builtin_engines();
@@ -44,10 +44,10 @@
__progname = ssh_get_progname(av[0]);
init_rng();
seed_rng();
-Index: openssh-5.6p1/ssh-keygen.c
+Index: openssh-5.7p1/ssh-keygen.c
===================================================================
---- openssh-5.6p1.orig/ssh-keygen.c
-+++ openssh-5.6p1/ssh-keygen.c
+--- openssh-5.7p1.orig/ssh-keygen.c
++++ openssh-5.7p1/ssh-keygen.c
@@ -22,6 +22,7 @@
#include
#include
@@ -56,10 +56,10 @@
#include
#include
-@@ -1782,6 +1783,11 @@ main(int argc, char **argv)
+@@ -1815,6 +1816,11 @@ main(int argc, char **argv)
__progname = ssh_get_progname(argv[0]);
- SSLeay_add_all_algorithms();
+ OpenSSL_add_all_algorithms();
+
+ /* Init available hardware crypto engines. */
+ ENGINE_load_builtin_engines();
@@ -68,10 +68,10 @@
log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
init_rng();
-Index: openssh-5.6p1/ssh-keysign.c
+Index: openssh-5.7p1/ssh-keysign.c
===================================================================
---- openssh-5.6p1.orig/ssh-keysign.c
-+++ openssh-5.6p1/ssh-keysign.c
+--- openssh-5.7p1.orig/ssh-keysign.c
++++ openssh-5.7p1/ssh-keysign.c
@@ -38,6 +38,7 @@
#include
#include
@@ -83,7 +83,7 @@
@@ -195,6 +196,11 @@ main(int argc, char **argv)
fatal("could not open any host key");
- SSLeay_add_all_algorithms();
+ OpenSSL_add_all_algorithms();
+
+ /* Init available hardware crypto engines. */
+ ENGINE_load_builtin_engines();
@@ -92,11 +92,11 @@
for (i = 0; i < 256; i++)
rnd[i] = arc4random();
RAND_seed(rnd, sizeof(rnd));
-Index: openssh-5.6p1/ssh.c
+Index: openssh-5.7p1/ssh.c
===================================================================
---- openssh-5.6p1.orig/ssh.c
-+++ openssh-5.6p1/ssh.c
-@@ -74,6 +74,7 @@
+--- openssh-5.7p1.orig/ssh.c
++++ openssh-5.7p1/ssh.c
+@@ -75,6 +75,7 @@
#include
#include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h"
@@ -104,8 +104,8 @@
#include "xmalloc.h"
#include "ssh.h"
-@@ -602,6 +603,10 @@ main(int ac, char **av)
- SSLeay_add_all_algorithms();
+@@ -601,6 +602,10 @@ main(int ac, char **av)
+ OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
+ /* Init available hardware crypto engines. */
@@ -115,10 +115,10 @@
/* Initialize the command to execute on remote host. */
buffer_init(&command);
-Index: openssh-5.6p1/sshd.c
+Index: openssh-5.7p1/sshd.c
===================================================================
---- openssh-5.6p1.orig/sshd.c
-+++ openssh-5.6p1/sshd.c
+--- openssh-5.7p1.orig/sshd.c
++++ openssh-5.7p1/sshd.c
@@ -77,6 +77,7 @@
#include
#include
@@ -127,9 +127,9 @@
#ifdef HAVE_SECUREWARE
#include
-@@ -1471,6 +1472,10 @@ main(int ac, char **av)
+@@ -1474,6 +1475,10 @@ main(int ac, char **av)
- SSLeay_add_all_algorithms();
+ OpenSSL_add_all_algorithms();
+ /* Init available hardware crypto engines. */
+ ENGINE_load_builtin_engines();
++++++ openssh-5.6p1-gssapimitm.patch -> openssh-5.7p1-gssapimitm.patch ++++++
--- openssh/openssh-5.6p1-gssapimitm.patch 2010-08-24 15:52:53.000000000 +0200
+++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-gssapimitm.patch 2011-01-24 12:48:07.000000000 +0100
@@ -22,9 +22,9 @@
SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
&input_gssapi_exchange_complete);
+
-+ /*
-+ * Old style 'gssapi' didn't have the GSSAPI_MIC
-+ * and went straight to sending exchange_complete
++ /*
++ * Old style 'gssapi' didn't have the GSSAPI_MIC
++ * and went straight to sending exchange_complete
+ */
+ if (options.gss_enable_mitm)
+ dispatch_set(
@@ -68,7 +68,7 @@
===================================================================
--- readconf.c.orig
+++ readconf.c
-@@ -126,7 +126,7 @@ typedef enum {
+@@ -128,7 +128,7 @@ typedef enum {
oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
@@ -77,7 +77,7 @@
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
-@@ -167,9 +167,11 @@ static struct {
+@@ -170,9 +170,11 @@ static struct {
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
@@ -89,18 +89,18 @@
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
-@@ -477,6 +479,10 @@ parse_flag:
- case oGssDelegateCreds:
+@@ -483,6 +485,10 @@ parse_flag:
intptr = &options->gss_deleg_creds;
goto parse_flag;
-+
+
+ case oGssEnableMITM:
+ intptr = &options->gss_enable_mitm;
+ goto parse_flag;
-
++
case oBatchMode:
intptr = &options->batch_mode;
-@@ -1059,6 +1065,7 @@ initialize_options(Options * options)
+ goto parse_flag;
+@@ -1093,6 +1099,7 @@ initialize_options(Options * options)
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
options->gss_deleg_creds = -1;
@@ -108,7 +108,7 @@
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
-@@ -1158,6 +1165,8 @@ fill_default_options(Options * options)
+@@ -1195,6 +1202,8 @@ fill_default_options(Options * options)
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
@@ -133,7 +133,7 @@
===================================================================
--- servconf.c.orig
+++ servconf.c
-@@ -94,6 +94,7 @@ initialize_server_options(ServerOptions
+@@ -98,6 +98,7 @@ initialize_server_options(ServerOptions
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
options->gss_cleanup_creds = -1;
@@ -141,7 +141,7 @@
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
-@@ -217,6 +218,8 @@ fill_default_server_options(ServerOption
+@@ -228,6 +229,8 @@ fill_default_server_options(ServerOption
options->gss_authentication = 0;
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
@@ -150,7 +150,7 @@
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
-@@ -307,7 +310,7 @@ typedef enum {
+@@ -322,7 +325,7 @@ typedef enum {
sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@@ -159,7 +159,7 @@
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -370,9 +373,11 @@ static struct {
+@@ -386,9 +389,11 @@ static struct {
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -171,22 +171,22 @@
#endif
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-@@ -929,6 +934,10 @@ process_server_config_line(ServerOptions
- case sGssCleanupCreds:
+@@ -948,6 +953,10 @@ process_server_config_line(ServerOptions
intptr = &options->gss_cleanup_creds;
goto parse_flag;
-+
+
+ case sGssEnableMITM:
+ intptr = &options->gss_enable_mitm;
+ goto parse_flag;
-
++
case sPasswordAuthentication:
intptr = &options->password_authentication;
+ goto parse_flag;
Index: servconf.h
===================================================================
--- servconf.h.orig
+++ servconf.h
-@@ -95,6 +95,7 @@ typedef struct {
+@@ -98,6 +98,7 @@ typedef struct {
* authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
@@ -203,11 +203,11 @@
# TunnelDevice any:any
# PermitLocalCommand no
+# GSSAPIAuthentication no
-+# GSSAPIDelegateCredentials no
++# GSSAPIDelegateCredentials no
+
+# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
+# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
-+# in this release. The use of 'gssapi' is deprecated due to the presence of
++# in this release. The use of 'gssapi' is deprecated due to the presence of
+# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
+# GSSAPIEnableMITMAttack no
+
@@ -218,7 +218,7 @@
===================================================================
--- sshconnect2.c.orig
+++ sshconnect2.c
-@@ -263,6 +263,10 @@ Authmethod authmethods[] = {
+@@ -324,6 +324,10 @@ Authmethod authmethods[] = {
NULL,
&options.gss_authentication,
NULL},
@@ -229,12 +229,12 @@
#endif
{"hostbased",
userauth_hostbased,
-@@ -640,7 +644,9 @@ process_gssapi_token(void *ctxt, gss_buf
+@@ -701,7 +705,9 @@ process_gssapi_token(void *ctxt, gss_buf
if (status == GSS_S_COMPLETE) {
/* send either complete or MIC, depending on mechanism */
- if (!(flags & GSS_C_INTEG_FLAG)) {
-+
++
+ if (strcmp(authctxt->method->name,"gssapi")==0 ||
+ (!(flags & GSS_C_INTEG_FLAG))) {
packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
@@ -244,16 +244,15 @@
===================================================================
--- sshd_config.orig
+++ sshd_config
-@@ -72,6 +72,13 @@ PasswordAuthentication no
+@@ -73,6 +73,12 @@ PasswordAuthentication no
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
+# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
+# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
-+# in this release. The use of 'gssapi' is deprecated due to the presence of
++# in this release. The use of 'gssapi' is deprecated due to the presence of
+# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
+#GSSAPIEnableMITMAttack no
-+
+
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
++++++ openssh-5.6p1-homechroot.patch -> openssh-5.7p1-homechroot.patch ++++++
--- openssh/openssh-5.6p1-homechroot.patch 2010-08-24 15:52:54.000000000 +0200
+++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-homechroot.patch 2011-01-24 12:48:08.000000000 +0100
@@ -48,7 +48,7 @@
static void do_authenticated1(Authctxt *);
static void do_authenticated2(Authctxt *);
-@@ -806,6 +808,11 @@ do_exec(Session *s, const char *command)
+@@ -808,6 +810,11 @@ do_exec(Session *s, const char *command)
debug("Forced command (key option) '%.900s'", command);
}
@@ -60,7 +60,7 @@
#ifdef SSH_AUDIT_EVENTS
if (command != NULL)
PRIVSEP(audit_run_command(command));
-@@ -1419,6 +1426,63 @@ do_nologin(struct passwd *pw)
+@@ -1421,6 +1428,63 @@ do_nologin(struct passwd *pw)
}
/*
@@ -117,14 +117,14 @@
+ }
+ }
+ fatal ("chroot into directory without nodev or nosuid");
-+ }
++ }
+}
+
+/*
* Chroot into a directory after checking it for safety: all path components
* must be root-owned directories with strict permissions.
*/
-@@ -1428,6 +1492,7 @@ safely_chroot(const char *path, uid_t ui
+@@ -1430,6 +1494,7 @@ safely_chroot(const char *path, uid_t ui
const char *cp;
char component[MAXPATHLEN];
struct stat st;
@@ -132,7 +132,7 @@
if (*path != '/')
fatal("chroot path does not begin at root");
-@@ -1439,7 +1504,7 @@ safely_chroot(const char *path, uid_t ui
+@@ -1441,7 +1506,7 @@ safely_chroot(const char *path, uid_t ui
* root-owned directory with strict permissions.
*/
for (cp = path; cp != NULL;) {
@@ -141,7 +141,7 @@
strlcpy(component, path, sizeof(component));
else {
cp++;
-@@ -1452,14 +1517,20 @@ safely_chroot(const char *path, uid_t ui
+@@ -1454,14 +1519,20 @@ safely_chroot(const char *path, uid_t ui
if (stat(component, &st) != 0)
fatal("%s: stat(\"%s\"): %s", __func__,
component, strerror(errno));
@@ -163,7 +163,7 @@
}
if (chdir(path) == -1)
-@@ -1470,6 +1541,10 @@ safely_chroot(const char *path, uid_t ui
+@@ -1472,6 +1543,10 @@ safely_chroot(const char *path, uid_t ui
if (chdir("/") == -1)
fatal("%s: chdir(/) after chroot: %s",
__func__, strerror(errno));
@@ -257,7 +257,7 @@
===================================================================
--- sshd_config.5.orig
+++ sshd_config.5
-@@ -269,6 +269,17 @@ inside the chroot directory (see
+@@ -268,6 +268,17 @@ inside the chroot directory (see
.Xr sftp-server 8
for details).
.Pp
@@ -267,7 +267,7 @@
+%h or
+.Cm ChrootDirectory
+/some/path/%u. The file system containing this directory must be
-+mounted with options nodev and either nosuid or noexec. The owner of the
++mounted with options nodev and either nosuid or noexec. The owner of the
+directory should be the user. The ownership of the other components of the path
+must fulfill the usual conditions. No aditional files are required to be present
+in the directory.
++++++ openssh-5.6p1-host_ident.diff -> openssh-5.7p1-host_ident.diff ++++++
--- openssh/openssh-5.6p1-host_ident.diff 2010-08-24 15:52:54.000000000 +0200
+++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-host_ident.diff 2011-01-24 12:48:10.000000000 +0100
@@ -1,14 +1,14 @@
-Index: openssh-5.5p1/sshconnect.c
+Index: openssh-5.7p1/sshconnect.c
===================================================================
---- openssh-5.5p1.orig/sshconnect.c
-+++ openssh-5.5p1/sshconnect.c
-@@ -916,6 +916,11 @@ check_host_key(char *hostname, struct so
- error("Add correct host key in %.100s to get rid of this message.",
+--- openssh-5.7p1.orig/sshconnect.c
++++ openssh-5.7p1/sshconnect.c
+@@ -958,6 +958,11 @@ check_host_key(char *hostname, struct so
user_hostfile);
- error("Offending key in %s:%d", host_file, host_line);
+ error("Offending %s key in %s:%lu", key_type(host_found->key),
+ host_found->file, host_found->line);
+ error("You can use following command to remove all keys for this IP:");
-+ if (ip_file)
-+ error("ssh-keygen -R %s -f %s", hostname, ip_file);
++ if (host_found->file)
++ error("ssh-keygen -R %s -f %s", hostname, host_found->file);
+ else
+ error("ssh-keygen -R %s", hostname);
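Review bot: The added `if (host_found->file)` test comes too late to protect anything, because the preceding `error("Offending %s key in %s:%lu", ...)` call has already passed `host_found->file` to `%s`; either drop the `else` branch or make the check cover both calls. The new text also says "for this IP" while the argument is `hostname`, so I would reword it to `error("You can use the following command to remove the stale entry for this host:");`. The context lines suggest this is the changed-host-key warning path, so the message should tell the user to verify the new key's fingerprint out of band before running the command, rather than offering the removal as the first step. The new `%s` conversions are unbounded where the surrounding code uses forms like `%.100s`. check_host_key's body starts and ends outside the hunk.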
++++++ openssh-5.6p1-pam-fix2.diff -> openssh-5.7p1-pam-fix2.diff ++++++
--- openssh/openssh-5.6p1-pam-fix2.diff 2010-08-24 15:52:54.000000000 +0200
+++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-pam-fix2.diff 2011-01-24 12:48:11.000000000 +0100
@@ -2,7 +2,7 @@
===================================================================
--- sshd_config.orig
+++ sshd_config
-@@ -56,7 +56,7 @@
+@@ -57,7 +57,7 @@
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
@@ -11,7 +11,7 @@
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
-@@ -81,7 +81,7 @@
+@@ -82,7 +82,7 @@
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
++++++ openssh-5.6p1-pam-fix2.diff -> openssh-5.7p1-pam-fix3.diff ++++++
--- openssh/openssh-5.6p1-pam-fix2.diff 2010-08-24 15:52:54.000000000 +0200
+++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-pam-fix3.diff 2011-01-24 12:48:12.000000000 +0100
@@ -1,22 +1,15 @@
-Index: sshd_config
+Index: auth-pam.c
===================================================================
---- sshd_config.orig
-+++ sshd_config
-@@ -56,7 +56,7 @@
- #IgnoreRhosts yes
-
- # To disable tunneled clear text passwords, change to no here!
--#PasswordAuthentication yes
-+PasswordAuthentication no
- #PermitEmptyPasswords no
-
- # Change to no to disable s/key passwords
-@@ -81,7 +81,7 @@
- # If you just want the PAM account and session checks to run without
- # PAM authentication, then enable this but set PasswordAuthentication
- # and ChallengeResponseAuthentication to 'no'.
--#UsePAM no
-+UsePAM yes
-
- #AllowAgentForwarding yes
- #AllowTcpForwarding yes
+--- auth-pam.c.orig
++++ auth-pam.c
+@@ -786,7 +786,9 @@ sshpam_query(void *ctx, char **name, cha
+ fatal("Internal error: PAM auth "
+ "succeeded when it should have "
+ "failed");
+- import_environments(&buffer);
++#ifndef USE_POSIX_THREADS
++ import_environments(&buffer);
++#endif
+ *num = 0;
+ **echo_on = 0;
+ ctxt->pam_done = 1;
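Review bot: The new `#ifndef USE_POSIX_THREADS` guard around `import_environments(&buffer)` has no comment saying why the import is skipped in threaded builds, and nothing in the hunk shows where `USE_POSIX_THREADS` is defined. If the reason is that the PAM thread shares the process environment, I would say so with `/* PAM ran in a thread of this process; its environment changes are already visible */`. Confirm that the macro name matches the one auth-pam.c actually keys its thread support on, since otherwise the guard silently never applies. It is also worth checking that skipping the call leaves nothing unread in `buffer` that later code on this success path expects to have been consumed. sshpam_query's body starts and ends outside the hunk.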
++++++ openssh-5.6p1-pts.diff -> openssh-5.7p1-pts.diff ++++++
--- openssh/openssh-5.6p1-pts.diff 2010-08-24 15:52:55.000000000 +0200
+++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-pts.diff 2011-01-24 12:48:13.000000000 +0100
@@ -2,7 +2,7 @@
===================================================================
--- loginrec.c.orig
+++ loginrec.c
-@@ -554,7 +554,7 @@ getlast_entry(struct logininfo *li)
+@@ -555,7 +555,7 @@ getlast_entry(struct logininfo *li)
* 1. The full filename (including '/dev')
* 2. The stripped name (excluding '/dev')
* 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00
@@ -11,7 +11,7 @@
*
* Form 3 is used on some systems to identify a .tmp.? entry when
* attempting to remove it. Typically both addition and removal is
-@@ -615,6 +615,10 @@ line_abbrevname(char *dst, const char *s
+@@ -616,6 +616,10 @@ line_abbrevname(char *dst, const char *s
if (strncmp(src, "tty", 3) == 0)
src += 3;
#endif
++++++ openssh-5.6p1-saveargv-fix.diff -> openssh-5.7p1-saveargv-fix.diff ++++++
--- openssh/openssh-5.6p1-saveargv-fix.diff 2010-08-24 15:52:56.000000000 +0200
+++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-saveargv-fix.diff 2011-01-24 12:48:14.000000000 +0100
@@ -10,7 +10,7 @@
logit("Received SIGHUP; restarting.");
close_listen_socks();
close_startup_pipes();
-@@ -1316,7 +1317,11 @@ main(int ac, char **av)
+@@ -1319,7 +1320,11 @@ main(int ac, char **av)
#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
compat_init_setproctitle(ac, av);
++++++ openssh-5.7p1-selinux.diff ++++++
Index: openssh-5.7p1/ChangeLog
===================================================================
--- openssh-5.7p1.orig/ChangeLog
+++ openssh-5.7p1/ChangeLog
@@ -1,3 +1,10 @@
+20110125
+ - (djm) [configure.ac Makefile.in ssh.c openbsd-compat/port-linux.c
+ openbsd-compat/port-linux.h] Move SELinux-specific code from ssh.c to
+ port-linux.c to avoid compilation errors. Add -lselinux to ssh when
+ building with SELinux support to avoid linking failure; report from
+ amk AT spamfence.net; ok dtucker
+
20110122
- (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] Add
RSA_get_default_method() for the benefit of openssl versions that don't
Index: openssh-5.7p1/configure.ac
===================================================================
--- openssh-5.7p1.orig/configure.ac
+++ openssh-5.7p1/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.469 2011/01/21 22:37:05 dtucker Exp $
+# $Id: configure.ac,v 1.470 2011/01/25 01:16:17 djm Exp $
#
# Copyright (c) 1999-2004 Damien Miller
#
@@ -15,7 +15,7 @@
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
-AC_REVISION($Revision: 1.469 $)
+AC_REVISION($Revision: 1.470 $)
AC_CONFIG_SRCDIR([ssh.c])
# local macros
@@ -737,7 +737,6 @@ mips-sony-bsd|mips-sony-newsos4)
[ AC_DEFINE(USE_SOLARIS_PROCESS_CONTRACTS, 1,
[Define if you have Solaris process contracts])
SSHDLIBS="$SSHDLIBS -lcontract"
- AC_SUBST(SSHDLIBS)
SPC_MSG="yes" ], )
],
)
@@ -748,7 +747,6 @@ mips-sony-bsd|mips-sony-newsos4)
[ AC_DEFINE(USE_SOLARIS_PROJECTS, 1,
[Define if you have Solaris projects])
SSHDLIBS="$SSHDLIBS -lproject"
- AC_SUBST(SSHDLIBS)
SP_MSG="yes" ], )
],
)
@@ -3515,11 +3513,14 @@ AC_ARG_WITH(selinux,
LIBS="$LIBS -lselinux"
],
AC_MSG_ERROR(SELinux support requires libselinux library))
+ SSHLIBS="$SSHLIBS $LIBSELINUX"
SSHDLIBS="$SSHDLIBS $LIBSELINUX"
AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
LIBS="$save_LIBS"
fi ]
)
+AC_SUBST(SSHLIBS)
+AC_SUBST(SSHDLIBS)
# Check whether user wants Linux audit support
LINUX_AUDIT_MSG="no"
@@ -4356,6 +4357,9 @@ echo " Libraries: ${LIBS}"
if test ! -z "${SSHDLIBS}"; then
echo " +for sshd: ${SSHDLIBS}"
fi
+if test ! -z "${SSHLIBS}"; then
+echo " +for ssh: ${SSHLIBS}"
+fi
echo ""
Index: openssh-5.7p1/Makefile.in
===================================================================
--- openssh-5.7p1.orig/Makefile.in
+++ openssh-5.7p1/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.320 2011/01/17 10:15:29 dtucker Exp $
+# $Id: Makefile.in,v 1.321 2011/01/25 01:16:16 djm Exp $
# uncomment if you run a non bourne compatable shell. Ie. csh
#SHELL = @SH@
@@ -47,6 +47,7 @@ CFLAGS=@CFLAGS@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
LIBS=@LIBS@
LIBAUDIT=@LIBAUDIT@
+SSHLIBS=@SSHLIBS@
SSHDLIBS=@SSHDLIBS@
LIBEDIT=@LIBEDIT@
AR=@AR@
@@ -143,7 +144,7 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(LIBAUDIT)
Index: openssh-5.7p1/openbsd-compat/port-linux.c
===================================================================
--- openssh-5.7p1.orig/openbsd-compat/port-linux.c
+++ openssh-5.7p1/openbsd-compat/port-linux.c
@@ -1,4 +1,4 @@
-/* $Id: port-linux.c,v 1.11 2011/01/17 07:50:24 dtucker Exp $ */
+/* $Id: port-linux.c,v 1.12 2011/01/25 01:16:18 djm Exp $ */
/*
* Copyright (c) 2005 Daniel Walsh
@@ -205,6 +205,20 @@ ssh_selinux_change_context(const char *n
xfree(oldctx);
xfree(newctx);
}
+
+void
+ssh_selinux_setfscreatecon(const char *path)
+{
+ security_context_t context;
+
+ if (path == NULL) {
+ setfscreatecon(NULL);
+ return;
+ }
+ matchpathcon(path, 0700, &context);
+ setfscreatecon(context);
+}
+
#endif /* WITH_SELINUX */
#ifdef LINUX_OOM_ADJUST
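Review bot: `ssh_selinux_setfscreatecon()` ignores the return value of `matchpathcon()`, so on failure `context` is uninitialised when it is handed to `setfscreatecon()`, and on success the context is never released with `freecon()`. The function also runs when SELinux is compiled in but not enabled; `ssh_selinux_enabled()` is declared alongside it in port-linux.h and could serve as an early return. The ssh.c hunk at the end of this patch calls the helper right before `mkdir(buf, 0700)`, so the directory could be created under an unintended label if the lookup fails. A one-line header comment stating that a NULL path resets the file-creation context to the default would document the second call site.

```c
void
ssh_selinux_setfscreatecon(const char *path)
{
	security_context_t context;

	if (!ssh_selinux_enabled())
		return;
	/* … unchanged: path == NULL resets the context and returns … */
	/* Only apply a context that matchpathcon() actually produced. */
	if (matchpathcon(path, 0700, &context) == 0) {
		setfscreatecon(context);
		freecon(context);
	}
}
```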
Index: openssh-5.7p1/openbsd-compat/port-linux.h
===================================================================
--- openssh-5.7p1.orig/openbsd-compat/port-linux.h
+++ openssh-5.7p1/openbsd-compat/port-linux.h
@@ -1,4 +1,4 @@
-/* $Id: port-linux.h,v 1.4 2009/12/08 02:39:48 dtucker Exp $ */
+/* $Id: port-linux.h,v 1.5 2011/01/25 01:16:18 djm Exp $ */
/*
* Copyright (c) 2006 Damien Miller
@@ -24,6 +24,7 @@ int ssh_selinux_enabled(void);
void ssh_selinux_setup_pty(char *, const char *);
void ssh_selinux_setup_exec_context(char *);
void ssh_selinux_change_context(const char *);
+void ssh_selinux_setfscreatecon(const char *);
#endif
#ifdef LINUX_OOM_ADJUST
Index: openssh-5.7p1/ssh.c
===================================================================
--- openssh-5.7p1.orig/ssh.c
+++ openssh-5.7p1/ssh.c
@@ -857,15 +857,12 @@ main(int ac, char **av)
strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0) {
#ifdef WITH_SELINUX
- char *scon;
-
- matchpathcon(buf, 0700, &scon);
- setfscreatecon(scon);
+ ssh_selinux_setfscreatecon(buf);
#endif
if (mkdir(buf, 0700) < 0)
error("Could not create directory '%.200s'.", buf);
#ifdef WITH_SELINUX
- setfscreatecon(NULL);
+ ssh_selinux_setfscreatecon(NULL);
#endif
}
/* load options.identity_files */
++++++ openssh-5.6p1-send_locale.diff -> openssh-5.7p1-send_locale.diff ++++++
--- openssh/openssh-5.6p1-send_locale.diff 2010-08-24 15:52:56.000000000 +0200
+++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-send_locale.diff 2011-01-24 12:48:15.000000000 +0100
@@ -8,8 +8,8 @@
->>>>>>>
+# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5).
-+SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-+SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
++SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
++SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+SendEnv LC_IDENTIFICATION LC_ALL
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
@@ -22,8 +22,8 @@
Subsystem sftp /usr/libexec/sftp-server
+# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
-+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
++AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
++AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
+
# Example of overriding settings on a per-user basis
++++++ openssh-5.6p1-sshconfig-knownhostschanges.diff -> openssh-5.7p1-sshconfig-knownhostschanges.diff ++++++
--- openssh/openssh-5.6p1-sshconfig-knownhostschanges.diff 2010-08-24 15:52:57.000000000 +0200
+++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-sshconfig-knownhostschanges.diff 2011-01-25 11:29:02.000000000 +0100
@@ -2,11 +2,12 @@
===================================================================
--- ssh_config.orig
+++ ssh_config
-@@ -67,5 +67,12 @@ ForwardX11Trusted yes
- SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
- SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+@@ -67,5 +67,13 @@ ForwardX11Trusted yes
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL
-# VisualHostKey no
++
+# This will print the fingerprint of the host key in "visual" form
+# this should make it easier to also recognize bad things
+VisualHostKey no
++++++ openssh-5.6p1.tar.bz2 -> openssh-5.7p1.tar.bz2 ++++++
++++ 19167 lines of diff (skipped)
++++++ openssh-5.6p1-xauth.diff -> openssh-5.7p1-xauth.diff ++++++
--- openssh/openssh-5.6p1-xauth.diff 2010-08-24 15:52:57.000000000 +0200
+++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-xauth.diff 2011-01-24 12:48:17.000000000 +0100
@@ -2,7 +2,7 @@
===================================================================
--- session.c.orig
+++ session.c
-@@ -2525,8 +2525,41 @@ void
+@@ -2463,8 +2463,41 @@ void
session_close(Session *s)
{
u_int i;
++++++ openssh-5.6p1-xauthlocalhostname.diff -> openssh-5.7p1-xauthlocalhostname.diff ++++++
--- openssh/openssh-5.6p1-xauthlocalhostname.diff 2010-08-24 15:52:58.000000000 +0200
+++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-xauthlocalhostname.diff 2011-01-24 12:48:18.000000000 +0100
@@ -2,7 +2,7 @@
===================================================================
--- session.c.orig
+++ session.c
-@@ -1114,7 +1114,7 @@ copy_environment(char **source, char ***
+@@ -1116,7 +1116,7 @@ copy_environment(char **source, char ***
}
static char **
@@ -11,7 +11,7 @@
{
char buf[256];
u_int i, envsize;
-@@ -1301,6 +1301,8 @@ do_setup_env(Session *s, const char *she
+@@ -1303,6 +1303,8 @@ do_setup_env(Session *s, const char *she
for (i = 0; env[i]; i++)
fprintf(stderr, " %.200s\n", env[i]);
}
@@ -20,7 +20,7 @@
return env;
}
-@@ -1309,7 +1311,7 @@ do_setup_env(Session *s, const char *she
+@@ -1311,7 +1313,7 @@ do_setup_env(Session *s, const char *she
* first in this order).
*/
static void
@@ -29,12 +29,12 @@
{
FILE *f = NULL;
char cmd[1024];
-@@ -1363,12 +1365,20 @@ do_rc_files(Session *s, const char *shel
+@@ -1365,12 +1367,20 @@ do_rc_files(Session *s, const char *shel
options.xauth_location);
f = popen(cmd, "w");
if (f) {
+ char hostname[MAXHOSTNAMELEN];
-+
++
fprintf(f, "remove %s\n",
s->auth_display);
fprintf(f, "add %s %s %s\n",
@@ -50,7 +50,7 @@
} else {
fprintf(stderr, "Could not run %s\n",
cmd);
-@@ -1670,6 +1680,7 @@ do_child(Session *s, const char *command
+@@ -1608,6 +1618,7 @@ do_child(Session *s, const char *command
{
extern char **environ;
char **env;
@@ -58,7 +58,7 @@
char *argv[ARGV_MAX];
const char *shell, *shell0, *hostname = NULL;
struct passwd *pw = s->pw;
-@@ -1736,7 +1747,7 @@ do_child(Session *s, const char *command
+@@ -1674,7 +1685,7 @@ do_child(Session *s, const char *command
* Make sure $SHELL points to the shell from the password file,
* even if shell is overridden from login.conf
*/
@@ -67,7 +67,7 @@
#ifdef HAVE_LOGIN_CAP
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
-@@ -1805,7 +1816,7 @@ do_child(Session *s, const char *command
+@@ -1743,7 +1754,7 @@ do_child(Session *s, const char *command
closefrom(STDERR_FILENO + 1);
if (!options.use_login)
++++++ openssh-SuSE.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSE/etc/init.d/sshd new/SuSE/etc/init.d/sshd
--- old/SuSE/etc/init.d/sshd 2009-07-12 21:42:53.000000000 +0200
+++ new/SuSE/etc/init.d/sshd 2011-01-25 11:54:41.000000000 +0100
@@ -56,6 +56,10 @@
echo Generating /etc/ssh/ssh_host_rsa_key.
ssh-keygen -t rsa -b 1024 -f /etc/ssh/ssh_host_rsa_key -N ''
fi
+ if ! test -f /etc/ssh/ssh_host_ecdsa_key ; then
+ echo Generating /etc/ssh/ssh_host_ecdsa_key.
+ ssh-keygen -t ecdsa -b 256 -f /etc/ssh/ssh_host_ecdsa_key -N ''
+ fi
fi
echo -n "Starting SSH daemon"
## Start daemon with startproc(8). If this fails
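Review bot: The added ECDSA block does not check the exit status of `ssh-keygen`, so if generation fails (for example with an ssh-keygen built without ECC support) the script carries on to "Starting SSH daemon" with no ECDSA host key and only the "Generating" echo as a trace. Appending something like `|| echo "ECDSA host key generation failed" >&2` to the `ssh-keygen -t ecdsa` line would make the failure visible. Separately, the RSA key generated just above still uses `-b 1024`, which is noticeably weaker than the 256-bit ECDSA key added here; raising it in the same change would keep the host keys at comparable strength. The enclosing `if` starts outside the hunk.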
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++