Hello community,
here is the log from the commit of package openssh for openSUSE:12.1:Update:Test checked in at 2012-02-20 18:11:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.1:Update:Test/openssh (Old)
and /work/SRC/openSUSE:12.1:Update:Test/.openssh.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssh", Maintainer is "PCerny@suse.com"
Changes:
--------
New Changes file:
--- /dev/null 2010-08-26 16:28:41.000000000 +0200
+++ /work/SRC/openSUSE:12.1:Update:Test/.openssh.new/openssh-askpass-gnome.changes 2012-02-20 18:11:52.000000000 +0100
@@ -0,0 +1,137 @@
+-------------------------------------------------------------------
+Fri Feb 4 11:19:14 UTC 2011 - lchiquitto@novell.com
+
+- Update to 5.8p1
+
+-------------------------------------------------------------------
+Mon Jan 24 11:51:10 UTC 2011 - lchiquitto@novell.com
+
+- Update to 5.7p1
+
+-------------------------------------------------------------------
+Wed Jan 12 13:37:38 CET 2011 - sbrabec@suse.cz
+
+- Removed relics of no more implemented opensc support.
+
+-------------------------------------------------------------------
+Tue Aug 24 15:50:17 CEST 2010 - anicka@suse.cz
+
+- update to 5.6p1
+
+-------------------------------------------------------------------
+Fri Mar 26 11:04:59 CET 2010 - anicka@suse.cz
+
+- update to 5.4p1
+- remove -pam-fix4.diff (in upstream now)
+
+-------------------------------------------------------------------
+Mon Feb 23 17:27:22 CET 2009 - anicka@suse.cz
+
+- update to 5.2p1
+
+-------------------------------------------------------------------
+Wed Apr 9 14:35:42 CEST 2008 - anicka@suse.cz
+
+- update to 5.0p1
+
+-------------------------------------------------------------------
+Wed Apr 2 15:06:01 CEST 2008 - anicka@suse.cz
+
+- update to 4.9p1
+
+-------------------------------------------------------------------
+Wed Dec 5 10:56:07 CET 2007 - anicka@suse.cz
+
+- - update to 4.7p1
+ * Add "-K" flag for ssh to set GSSAPIAuthentication=yes and
+ GSSAPIDelegateCredentials=yes. This is symmetric with -k
+ * make scp try to skip FIFOs rather than blocking when nothing is
+ listening.
+ * increase default channel windows
+ * put the MAC list into a display
+ * many bugfixes
+
+-------------------------------------------------------------------
+Tue Dec 12 14:44:41 CET 2006 - anicka@suse.cz
+
+- update to 4.5p1
+ * Use privsep_pw if we have it, but only require it if we
+ absolutely need it.
+ * Correctly check for bad signatures in the monitor, otherwise
+ the monitor and the unpriv process can get out of sync.
+ * Clear errno before calling the strtol functions.
+ * exit instead of doing a blocking tcp send if we detect
+ a client/server timeout, since the tcp sendqueue might
+ be already full (of alive requests)
+ * include signal.h, errno.h, sys/in.h
+ * some more bugfixes
+
+-------------------------------------------------------------------
+Wed Oct 4 12:56:40 CEST 2006 - postadal@suse.cz
+
+- updated to version 4.4p1 [#208662]
+ * fixed pre-authentication DoS, that would cause sshd(8) to spin
+ until the login grace time expired
+ * fixed unsafe signal hander, which was vulnerable to a race condition
+ that could be exploited to perform a pre-authentication DoS
+ * fixed a GSSAPI authentication abort that could be used to determine
+ the validity of usernames on some platforms
+ * implemented conditional configuration in sshd_config(5) using the
+ "Match" directive
+ * added support for Diffie-Hellman group exchange key agreement with a
+ final hash of SHA256
+ * added a "ForceCommand", "PermitOpen" directive to sshd_config(5)
+ * added optional logging of transactions to sftp-server(8)
+ * ssh(1) will now record port numbers for hosts stored in
+ ~/.ssh/authorized_keys when a non-standard port has been requested
+ * added an "ExitOnForwardFailure" option to cause ssh(1) to exit (with
+ a non-zero exit code) when requested port forwardings could not be
+ established
+ * extended sshd_config(5) "SubSystem" declarations to allow the
+ specification of command-line arguments
+- removed obsoleted patches: autoconf-fix.patch
+
+-------------------------------------------------------------------
+Tue Jul 25 13:40:10 CEST 2006 - schwab@suse.de
+
+- Fix syntax error in configure script.
+
+-------------------------------------------------------------------
+Wed Jan 25 21:39:06 CET 2006 - mls@suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Tue Jan 3 15:54:49 CET 2006 - postadal@suse.cz
+
+- updated to version 4.2p1
+- removed obsoleted patches: upstream_fixes.diff, gssapi-secfix.patch
+
+-------------------------------------------------------------------
+Thu Sep 8 16:20:06 CEST 2005 - postadal@suse.cz
+
+- don't strip
+
+-------------------------------------------------------------------
+Thu Aug 4 11:30:18 CEST 2005 - uli@suse.de
+
+- parallelize build
+
+-------------------------------------------------------------------
+Fri Jun 10 16:24:22 CEST 2005 - postadal@suse.cz
+
+- updated to version 4.1p1
+- removed obsoleted patches: restore_terminal, pam-returnfromsession,
+ timing-attacks-fix, krb5ccname, gssapi-pam, logdenysource,
+ sendenv-fix, documentation-fix
+
+-------------------------------------------------------------------
+Wed Jan 19 18:25:29 CET 2005 - postadal@suse.cz
+
+- renamed askpass-gnome package to openssh-askpass-gnome
+
+-------------------------------------------------------------------
+Wed Jan 19 15:58:07 CET 2005 - postadal@suse.cz
+
+- splited spec file to decreas number of build dependencies
+
New Changes file:
--- /dev/null 2010-08-26 16:28:41.000000000 +0200
+++ /work/SRC/openSUSE:12.1:Update:Test/.openssh.new/openssh.changes 2012-02-20 18:11:52.000000000 +0100
@@ -0,0 +1,1702 @@
+-------------------------------------------------------------------
+Fri Sep 16 09:43:47 UTC 2011 - jengelh@medozas.de
+
+- Avoid overriding libexecdir with %_lib (bnc#712025)
+- Clean up the specfile by request of Minh Ngo, details entail:
+* remove norootforbuild comments, redundant %clean section
+* run spec-beautifier over it
+- Add PIEFLAGS to compilation of askpass; fails otherwise
+
+-------------------------------------------------------------------
+Mon Aug 29 23:47:58 UTC 2011 - crrodriguez@opensuse.org
+
+- Update to verison 5.8p2
+* Fixed vuln in systems without dev/random, we arenot affected
+* Fixes problems building with selinux enabled
+- Fix build with as-needed and no-add-needed
+
+-------------------------------------------------------------------
+Sat Aug 13 20:46:17 UTC 2011 - crrodriguez@opensuse.org
+
+- Enable libedit/autocompletion support in sftp
+
+-------------------------------------------------------------------
+Tue May 10 15:08:17 UTC 2011 - meissner@novell.com
+
+- Change default keysizes of rsa and dsa from 1024 to 2048
+ to match ssh-keygen manpage recommendations.
+
+-------------------------------------------------------------------
+Fri Feb 4 11:19:25 UTC 2011 - lchiquitto@novell.com
+
+- Update to 5.8p1
+ * Fix vulnerability in legacy certificate signing introduced in
+ OpenSSH-5.6 and found by Mateusz Kocielski.
+ * Fix compilation failure when enableing SELinux support.
+ * Do not attempt to call SELinux functions when SELinux is
+ disabled.
+- Remove patch that is now upstream:
+ * openssh-5.7p1-selinux.diff
+
+-------------------------------------------------------------------
+Thu Feb 3 16:42:01 UTC 2011 - pcerny@novell.com
+
+- specfile/patches cleanup
+
+-------------------------------------------------------------------
+Mon Jan 24 11:24:59 UTC 2011 - lchiquitto@novell.com
+
+- Update to 5.7p1
+ * Implement Elliptic Curve Cryptography modes for key exchange (ECDH)
+ and host/user keys (ECDSA) as specified by RFC5656.
+ * sftp(1)/sftp-server(8): add a protocol extension to support a hard
+ link operation.
+ * scp(1): Add a new -3 option to scp: Copies between two remote hosts
+ are transferred through the local host.
+ * ssh(1): automatically order the hostkeys requested by the client
+ based on which hostkeys are already recorded in known_hosts.
+ * ssh(1)/sshd(8): add a new IPQoS option to specify arbitrary
+ TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
+ * sftp(1): the sftp client is now significantly faster at performing
+ directory listings, using OpenBSD glob(3) extensions to preserve
+ the results of stat(3) operations performed in the course of its
+ execution rather than performing expensive round trips to fetch
+ them again afterwards.
+ * ssh(1): "atomically" create the listening mux socket by binding it on
+ a temporary name and then linking it into position after listen() has
+ succeeded.
+ * ssh(1)/sshd(8): add a KexAlgorithms knob to the client and server
+ configuration to allow selection of which key exchange methods are
+ used by ssh(1) and sshd(8) and their order of preference.
+ * sftp(1)/scp(1): factor out bandwidth limiting code from scp(1) into
+ a generic bandwidth limiter that can be attached using the atomicio
+ callback mechanism and use it to add a bandwidth limit option to
+ sftp(1).
+ * Support building against openssl-1.0.0a.
+ * Bug fixes.
+- Remove patches that are now upstream:
+ * openssh-5.6p1-tmpdir.diff
+ * openssh-linux-new-oomkill.patch
+- Add upstream patch to fix build with SELinux enabled.
+
+-------------------------------------------------------------------
+Wed Jan 12 13:37:38 CET 2011 - sbrabec@suse.cz
+
+- Removed relics of no more implemented opensc support.
+
+-------------------------------------------------------------------
+Thu Nov 18 12:20:59 UTC 2010 - lnussel@suse.de
+
+- add pam_lastlog to show failed login attempts
+- remove permissions handling, no special handling needed
+
+-------------------------------------------------------------------
+Tue Nov 16 14:45:14 UTC 2010 - cristian.rodriguez@opensuse.org
+
+- Use upstream oom_adj is deprecated patch
+
+-------------------------------------------------------------------
+Tue Nov 2 13:25:19 UTC 2010 - coolo@novell.com
+
+- remove the code trying to patch X11 paths - which was broken
+ for a very long time and was useless anyway as the Makefiles
+ do this correctly themselves
+
+-------------------------------------------------------------------
+Sun Oct 31 12:37:02 UTC 2010 - jengelh@medozas.de
+
+- Use %_smp_mflags
+
+-------------------------------------------------------------------
+Thu Oct 14 16:00:19 UTC 2010 - crrodriguez@opensuse.org
+
+- Fix warning "oom_adj is deprecated use oom_score_adj instead"
+
+-------------------------------------------------------------------
+Mon Sep 13 14:47:10 CEST 2010 - anicka@suse.cz
+
+- actualize README.SuSE (bnc#638893)
+
+-------------------------------------------------------------------
+Tue Aug 24 15:43:08 CEST 2010 - anicka@suse.cz
+
+- update to 5.6p1
+ * Added a ControlPersist option to ssh_config(5) that automatically
+ starts a background ssh(1) multiplex master when connecting.
+ * Hostbased authentication may now use certificate host keys.
+ * ssh-keygen(1) now supports signing certificate using a CA key that
+ has been stored in a PKCS#11 token.
+ * ssh(1) will now log the hostname and address that we connected to at
+ LogLevel=verbose after authentication is successful to mitigate
+ "phishing" attacks by servers with trusted keys that accept
+ authentication silently and automatically before presenting fake
+ password/passphrase prompts.
+ * Expand %h to the hostname in ssh_config Hostname options.
+ * Allow ssh-keygen(1) to import (-i) and export (-e) of PEM and PKCS#8
+ keys in addition to RFC4716 (SSH.COM) encodings via a new -m option
+ * sshd(8) will now queue debug messages for bad ownership or
+ permissions on the user's keyfiles encountered during authentication
+ and will send them after authentication has successfully completed.
+ * ssh(1) connection multiplexing now supports remote forwarding with
+ dynamic port allocation and can report the allocated port back to
+ the user
+ * sshd(8) now supports indirection in matching of principal names
+ listed in certificates.
+ * sshd(8) now has a new AuthorizedPrincipalsFile option to specify a
+ file containing a list of names that may be accepted in place of the
+ username when authorizing a certificate trusted via the
+ sshd_config(5) TrustedCAKeys option.
+ * Additional sshd_config(5) options are now valid inside Match blocks
+ * Revised the format of certificate keys.
+ * bugfixes
+- removed -forward patch (SSH_MAX_FORWARDS_PER_DIRECTION not hard-coded
+ any more), removed memory leak fix (fixed in upstream)
+
+-------------------------------------------------------------------
+Fri Aug 20 13:00:43 CEST 2010 - anicka@suse.cz
+
+- hint user how to remove offending keys (bnc#625552)
+
+-------------------------------------------------------------------
+Thu Jul 22 17:58:09 CEST 2010 - anicka@suse.cz
+
+- update to 5.5p1
+
+-------------------------------------------------------------------
+Tue Jul 20 17:19:24 CEST 2010 - anicka@suse.cz
+
+- update to 5.5p1
+ * Allow ChrootDirectory to work in SELinux platforms.
+ * bugfixes
+
+-------------------------------------------------------------------
+Wed Jun 30 16:01:30 CEST 2010 - meissner@suse.de
+
+- Disable visual hostkey support again, after discussion on
+ its usefulness.
+
+-------------------------------------------------------------------
+Mon May 17 18:11:33 UTC 2010 - cristian.rodriguez@opensuse.org
+
+- Hardware crypto is supported and patched but never
+ enabled, need to use --with-ssl-engine explicitely
+
+-------------------------------------------------------------------
+Fri May 14 16:03:17 CEST 2010 - anicka@suse.cz
+
+- fixed memory leak in sftp (bnc#604274)
+
+-------------------------------------------------------------------
+Fri Apr 23 12:01:50 CEST 2010 - anicka@suse.cz
+
+- honour /etc/nologin (bnc#530885)
+
+-------------------------------------------------------------------
+Thu Mar 25 11:00:00 CET 2010 - meissner@suse.de
+
+- Enable VisualHostKey (ascii art of the hostkey fingerprint) and
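Review bot: the 5.8p2 entry ("Update to verison 5.8p2", "Fixed vuln in systems without dev/random, we arenot affected") should spell "version" and "are not", and because it records a security fix it should carry the bug or advisory reference the way neighbouring entries do (a bnc# number). The May 10 keysize entry should also say which default it changes (ssh-keygen's default -b value or the host keys generated at package install), and its DSA half deserves a second look: ssh-keygen(1) fixes DSA keys at 1024 bits, so a 2048-bit DSA default would not match the manpage the entry cites.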
++++ 1505 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.1:Update:Test/.openssh.new/openssh.changes
New:
----
README.SuSE
README.kerberos
_link
converter-linking.patch
converter.tar.bz2
openssh-5.8p1-askpass-fix.diff
openssh-5.8p1-audit.patch
openssh-5.8p1-blocksigalrm.diff
openssh-5.8p1-default-protocol.diff
openssh-5.8p1-eal3.diff
openssh-5.8p1-engines.diff
openssh-5.8p1-gssapimitm.patch
openssh-5.8p1-homechroot.patch
openssh-5.8p1-host_ident.diff
openssh-5.8p1-pam-fix2.diff
openssh-5.8p1-pam-fix3.diff
openssh-5.8p1-pts.diff
openssh-5.8p1-saveargv-fix.diff
openssh-5.8p1-send_locale.diff
openssh-5.8p1-sshconfig-knownhostschanges.diff
openssh-5.8p1-sshd_config.diff
openssh-5.8p1-xauth.diff
openssh-5.8p1-xauthlocalhostname.diff
openssh-5.8p2.tar.bz2
openssh-SuSE.tar.bz2
openssh-askpass-gnome.changes
openssh-askpass-gnome.spec
openssh.changes
openssh.spec
ssh-askpass
ssh.reg
sshd.fw
sshd.pamd
x11-ssh-askpass-1.2.4.1.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssh-askpass-gnome.spec ++++++
#
# spec file for package openssh-askpass-gnome
#
# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: openssh-askpass-gnome
BuildRequires: gtk2-devel krb5-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files
License: BSD3c(or similar)
Group: Productivity/Networking/SSH
Version: 5.8p2
Release: 1
Requires: openssh = %{version} openssh-askpass = %{version}
AutoReqProv: on
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
URL: http://www.openssh.com/
%define _name openssh
Source: %{_name}-%{version}.tar.bz2
Patch: %{_name}-5.8p1-sshd_config.diff
Patch1: %{_name}-5.8p1-pam-fix2.diff
Patch2: %{_name}-5.8p1-saveargv-fix.diff
Patch3: %{_name}-5.8p1-pam-fix3.diff
Patch4: %{_name}-5.8p1-gssapimitm.patch
Patch5: %{_name}-5.8p1-eal3.diff
Patch6: %{_name}-5.8p1-engines.diff
Patch7: %{_name}-5.8p1-blocksigalrm.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
SSH (Secure Shell) is a program for logging into a remote machine and
for executing commands on a remote machine. This package contains a
GNOME-based passphrase dialog for OpenSSH.
%prep
%setup -q -n %{_name}-%{version}
%patch
%patch1
%patch2
%patch3
%patch4
%patch5 -p1
%patch6 -p1
%patch7
%build
%{?suse_update_config:%{suse_update_config}}
aclocal
autoheader
autoconf
%configure \
--sysconfdir=%_sysconfdir/ssh \
--libexecdir=%_libexecdir/ssh \
--with-tcp-wrappers \
--with-pam \
--with-kerberos5=/usr \
--with-privsep-path=/var/lib/empty \
--disable-strip \
--target=%{_target_cpu}-suse-linux
cd contrib
make %{?_smp_mflags} gnome-ssh-askpass2
mv gnome-ssh-askpass2 gnome-ssh-askpass
%install
install -d -m 755 %buildroot/%_libexecdir/ssh/
install contrib/gnome-ssh-askpass %buildroot/%_libexecdir/ssh/gnome-ssh-askpass
%files
%defattr(-,root,root)
%dir %_libexecdir/ssh
%attr(0755,root,root) %_libexecdir/ssh/gnome-ssh-askpass
%changelog
++++++ openssh.spec ++++++
#
# spec file for package openssh
#
# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: openssh
%define _fwdefdir %_sysconfdir/sysconfig/SuSEfirewall2.d/services
%define _appdefdir %{_prefix}/share/X11/app-defaults
BuildRequires: audit-devel krb5-devel openssl-devel pam-devel tcpd-devel xorg-x11-devel
BuildRequires: libselinux-devel
BuildRequires: libedit-devel
License: BSD3c(or similar) ; MIT License (or similar)
Group: Productivity/Networking/SSH
Requires: /bin/netstat
PreReq: pwdutils %insserv_prereq %fillup_prereq coreutils
Conflicts: nonfreessh
Version: 5.8p2
Release: 1
%define xversion 1.2.4.1
Summary: Secure Shell Client and Server (Remote Login Program)
URL: http://www.openssh.com/
Source: %{name}-%{version}.tar.bz2
Source1: %{name}-SuSE.tar.bz2
Source2: sshd.pamd
Source3: x11-ssh-askpass-%{xversion}.tar.bz2
Source4: README.SuSE
Source5: converter.tar.bz2
Source6: README.kerberos
Source7: ssh.reg
Source8: ssh-askpass
Source9: sshd.fw
Patch: %{name}-5.8p1-sshd_config.diff
Patch1: %{name}-5.8p1-askpass-fix.diff
Patch2: %{name}-5.8p1-pam-fix2.diff
Patch3: %{name}-5.8p1-saveargv-fix.diff
Patch4: %{name}-5.8p1-pam-fix3.diff
Patch5: %{name}-5.8p1-gssapimitm.patch
Patch6: %{name}-5.8p1-eal3.diff
Patch7: %{name}-5.8p1-engines.diff
Patch8: %{name}-5.8p1-blocksigalrm.diff
Patch9: %{name}-5.8p1-send_locale.diff
Patch10: %{name}-5.8p1-xauthlocalhostname.diff
Patch12: %{name}-5.8p1-xauth.diff
Patch14: %{name}-5.8p1-default-protocol.diff
Patch15: %{name}-5.8p1-audit.patch
Patch16: %{name}-5.8p1-pts.diff
Patch17: %{name}-5.8p1-homechroot.patch
Patch18: %{name}-5.8p1-sshconfig-knownhostschanges.diff
Patch19: %{name}-5.8p1-host_ident.diff
Patch20: converter-linking.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%package askpass
License: BSD3c(or similar) ; MIT License (or similar)
Summary: A passphrase dialog for OpenSSH and the X Window System
Requires: openssh = %{version}
Provides: openssh:%_libexecdir/ssh/ssh-askpass
Group: Productivity/Networking/SSH
%description
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It is intended to replace rsh (rlogin and rsh) and
provides secure, encrypted communication between two untrusted hosts
over an insecure network.
X11 (X Window System) connections and arbitrary TCP/IP ports can also
be forwarded over the secure channel.
%description askpass
Ssh (Secure Shell) is a program for logging into a remote machine and
for executing commands on a remote machine. This package contains an X
Window System passphrase dialog for OpenSSH.
%prep
%setup -q -b 3 -a 1 -a 5
%patch
%patch2
%patch3
%patch4
%patch5
%patch6 -p1
%patch7 -p1
%patch8
%patch9
%patch10
%patch12
%patch14
%patch15 -p1
%patch16
%patch17
%patch18
%patch19 -p1
%patch20
cp -v %{SOURCE4} .
cp -v %{SOURCE6} .
cd ../x11-ssh-askpass-%{xversion}
%patch1
%build
autoreconf -fiv
%ifarch s390 s390x %sparc
PIEFLAGS="-fPIE"
%else
PIEFLAGS="-fpie"
%endif
%configure --with-ssl-engine \
CFLAGS="%optflags $PIEFLAGS -fstack-protector" \
CXXFLAGS="%optflags $PIEFLAGS -fstack-protector" \
LDFLAGS="-pie" \
%if 0%{suse_version} >= 1140
--with-libedit \
%endif
--sysconfdir=%_sysconfdir/ssh \
--libexecdir=%_libexecdir/ssh \
--with-tcp-wrappers \
--with-selinux \
--with-pam \
--with-kerberos5=/usr \
--with-privsep-path=/var/lib/empty \
--disable-strip \
--with-linux-audit \
--with-xauth=%{_prefix}/bin/xauth \
--target=%{_target_cpu}-suse-linux
# --with-afs=/usr \
make %{?_smp_mflags}
(cd converter; make %{?_smp_mflags})
cd contrib
cd ../../x11-ssh-askpass-%{xversion}
%configure \
--libexecdir=%_libdir/ssh
xmkmf
make includes USRLIBDIR=%_libdir
make %{?_smp_mflags} USRLIBDIR=%_libdir CCOPTIONS="%optflags"
%install
make DESTDIR=%buildroot/ install
install -d -m 755 %buildroot%_sysconfdir/pam.d
install -d -m 755 %buildroot/var/lib/sshd
install -m 644 %{S:2} %buildroot%_sysconfdir/pam.d/sshd
install -d -m 755 %buildroot%_sysconfdir/slp.reg.d/
install -m 644 %{S:7} %buildroot%_sysconfdir/slp.reg.d/
cp -a SuSE/* %buildroot
# install shell script to automate the process of adding your public key to a remote machine
install -m 755 contrib/ssh-copy-id %buildroot%_bindir
install -m 644 contrib/ssh-copy-id.1 %buildroot/%_mandir/man1
(cd converter; make install DESTDIR=%buildroot/)
cd ../x11-ssh-askpass-%xversion
make BINDIR=%_libexecdir/ssh DESTDIR=%buildroot install install.man
rm -rf %buildroot/%_libexecdir/ssh/ssh-askpass
sed -e "s@usr/lib/ssh@usr/%_lib/ssh@" < %{S:8} > %buildroot/%_libexecdir/ssh/ssh-askpass
rm -f %buildroot%_datadir/Ssh.bin
sed -i -e s@/usr/libexec@%_libexecdir@g %buildroot%_sysconfdir/ssh/sshd_config
#install firewall definitions format is described here:
#%_datadir/SuSEfirewall2/services/TEMPLATE
mkdir -p %buildroot/%{_fwdefdir}
install -m 644 %{S:9} %buildroot/%{_fwdefdir}/sshd
%pre
getent group sshd >/dev/null || %_sbindir/groupadd -o -r sshd
getent passwd sshd >/dev/null || %_sbindir/useradd -r -g sshd -d /var/lib/sshd -s /bin/false -c "SSH daemon" sshd
%post
%{fillup_and_insserv -n ssh sshd}
%preun
%stop_on_removal sshd
%postun
%restart_on_update sshd
%{insserv_cleanup}
%files
%defattr(-,root,root)
%dir %attr(755,root,root) /var/lib/sshd
%doc README.SuSE README.kerberos ChangeLog OVERVIEW README TODO LICENCE CREDITS
%attr(0755,root,root) %dir %_sysconfdir/ssh
%attr(0600,root,root) %config(noreplace) %_sysconfdir/ssh/moduli
%attr(0644,root,root) %config(noreplace) %_sysconfdir/ssh/ssh_config
%attr(0640,root,root) %config(noreplace) %_sysconfdir/ssh/sshd_config
%attr(0644,root,root) %config %_sysconfdir/pam.d/sshd
%attr(0755,root,root) %config %_initddir/sshd
%attr(0755,root,root) %_bindir/ssh
%_bindir/scp
%_bindir/sftp
%_bindir/slogin
%_bindir/ssh-*
%_sbindir/*
%attr(444,root,root) %doc %{_mandir}/man1/scp.1.gz
%attr(444,root,root) %doc %{_mandir}/man1/ssh-keygen.1.gz
%attr(444,root,root) %doc %_mandir/man1/ssh-keyconverter.1.gz
%attr(444,root,root) %doc %{_mandir}/man1/ssh.1.gz
%attr(444,root,root) %doc %{_mandir}/man1/slogin.1.gz
%attr(444,root,root) %doc %{_mandir}/man1/ssh-agent.1*
%attr(444,root,root) %doc %{_mandir}/man1/ssh-add.1*
%attr(444,root,root) %doc %{_mandir}/man1/ssh-keyscan.1*
%attr(444,root,root) %doc %{_mandir}/man1/sftp.1*
%attr(444,root,root) %doc %{_mandir}/man1/ssh-copy-id.1*
%attr(444,root,root) %doc %{_mandir}/man5/*
%attr(444,root,root) %doc %{_mandir}/man8/*
%attr(0755,root,root) %dir %_libexecdir/ssh
%attr(0755,root,root) %_libexecdir/ssh/sftp-server
%attr(0755,root,root) %_libexecdir/ssh/ssh-keysign
%attr(0755,root,root) %_libexecdir/ssh/ssh-pkcs11-helper
%dir %_sysconfdir/slp.reg.d
%config %_sysconfdir/slp.reg.d/ssh.reg
/var/adm/fillup-templates/sysconfig.ssh
%config %{_fwdefdir}/sshd
%files askpass
%defattr(-,root,root)
%attr(0755,root,root) %_libexecdir/ssh/ssh-askpass
%attr(0755,root,root) %_libexecdir/ssh/x11-ssh-askpass
%doc %_mandir/man1/ssh-askpass.1x.gz
%doc %_mandir/man1/x11-ssh-askpass.1x.gz
%_appdefdir/SshAskpass
%changelog
++++++ README.SuSE ++++++
This is OpenSSH version 5.6p1.
The following changes were made to the default settings of the ssh client:
* Accepting and sending of locale environment variables in protocol 2 is
enabled.
* New host keys will be hashed, making them unusable for malicious people or
software trying to use known_hosts to find further hops.
* Tunneled clear text passwords are disabled.
* PAM authentication is enabled.
* Only support for protocol 2 is enabled.
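The list above names settings but not the directives that carry them. The following checker, added here and not part of the openssh package, maps each README.SuSE item to an sshd_config/ssh_config directive (an assumption made in this example: Protocol, UsePAM, PasswordAuthentication, AcceptEnv on the server side; HashKnownHosts and SendEnv on the client side) and reports whether each one is set explicitly in global scope, ignoring directives that only appear inside a Match block or a host-specific Host block.

```python
"""Check an sshd_config / ssh_config pair against the client and server
defaults README.SuSE lists. Added example, not part of the package; the
mapping from each README item to a directive is an assumption made here."""
import re

# README.SuSE item -> (directive, required value). Protocol/UsePAM/
# PasswordAuthentication live in sshd_config, HashKnownHosts in ssh_config;
# the locale items are checked separately because AcceptEnv/SendEnv lines
# accumulate instead of "first one wins".
SSHD_EXPECTED = {"protocol": "2", "usepam": "yes", "passwordauthentication": "no"}
SSH_EXPECTED = {"hashknownhosts": "yes"}


def parse_global(text):
    """Return {keyword: [values...]} for the unconditional part of a config.

    Keywords are case-insensitive. Lines inside an sshd "Match" block or an
    ssh "Host" block other than "Host *" are conditional and are skipped,
    so a hardening directive that only appears there is not counted.
    """
    found = {}
    in_scope = True
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            in_scope = value == "*"
            continue
        if key == "match":
            in_scope = False
            continue
        if in_scope:
            found.setdefault(key, []).append(value)
    return found


def first_value(found, key):
    """First occurrence wins, as in ssh(1)/sshd(8); None if never set."""
    values = found.get(key)
    return values[0].lower() if values else None


def locale_env_ok(values):
    """True when the AcceptEnv/SendEnv lists name LANG and LC_* variables."""
    names = set()
    for v in values:
        names.update(v.split())
    return "LANG" in names and any(n.startswith("LC_") for n in names)


def audit(sshd_text, ssh_text):
    """Map each README.SuSE item (by directive name) to True if it is set
    explicitly in the global scope; compiled-in defaults are not trusted."""
    sshd, ssh = parse_global(sshd_text), parse_global(ssh_text)
    results = {}
    for key, want in SSHD_EXPECTED.items():
        results[key] = first_value(sshd, key) == want
    for key, want in SSH_EXPECTED.items():
        results[key] = first_value(ssh, key) == want
    results["acceptenv"] = locale_env_ok(sshd.get("acceptenv", []))
    results["sendenv"] = locale_env_ok(ssh.get("sendenv", []))
    return results


# Constructed sample configs (not the package's own files).
SSHD_OK = """\
Protocol 2
UsePAM yes
PasswordAuthentication no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_IDENTIFICATION LC_ALL
Subsystem sftp /usr/lib/ssh/sftp-server
"""
SSH_OK = """\
Host *
    SendEnv LANG LC_CTYPE LC_ALL
    HashKnownHosts yes
"""
# Looks hardened at a glance, but the directives are conditional or missing.
SSHD_WEAK = """\
Protocol 2,1
UsePAM yes
Match Address 10.0.0.0/8
    PasswordAuthentication no
"""
SSH_WEAK = """\
Host bastion
    HashKnownHosts yes
Host *
    SendEnv LANG
"""

if __name__ == "__main__":
    for name, pair in (("ok", (SSHD_OK, SSH_OK)), ("weak", (SSHD_WEAK, SSH_WEAK))):
        print(name, audit(*pair))
```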
++++++ README.kerberos ++++++
This version of the Kerberos/GSSAPI support avoids DNS lookups
for Kerberos-related names. These DNS lookups were problematic
for dialup users because they would lead to excessive delays
if DNS was not reachable.
In order to disable these lookups, I had to change the default
configuration, disabling GSSAPI authentication.
If you do use Kerberos, please make sure you edit the server and
client configuration files as follows:
/etc/ssh/sshd_config:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
/etc/ssh/ssh_config:
Host *
... lots of other options ...
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
++++++ _link ++++++
<link project="openSUSE:12.1" package="openssh" baserev="b18b2e4a94a36c08aca651471c7ca6da">
<patches>
<branch/>
</patches>
</link>
++++++ converter-linking.patch ++++++
--- converter/Makefile.orig
+++ converter/Makefile
@@ -8,7 +8,7 @@ ssh-keyconverter.o: ssh-keyconverter.c .
gcc $(RPM_OPT_FLAGS) -c -I../ $< -o $@
ssh-keyconverter: ssh-keyconverter.o ../libssh.a ../openbsd-compat/libopenbsd-compat.a
- gcc $< -L../ -L../openbsd-compat/ -lssh -lopenbsd-compat -lssh -lpam -ldl -lwrap -lutil -lz -lnsl -lcrypt -lssl -o $@
+ gcc -Wl,--no-as-needed $(RPM_OPT_FLAGS) -L../ -L../openbsd-compat/ $< -lssl -lcrypto -lssh -lopenbsd-compat -lssl -lssh -lpam -ldl -lwrap -lutil -lz -lnsl -lcrypt -o $@
install: ssh-keyconverter ssh-keyconverter.1
if [ ! -d $(DESTDIR)$(bindir) ]; then install -d -m 755 $(DESTDIR)$(bindir); fi
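Review bot: `-Wl,--no-as-needed` turns as-needed off for every library that follows it, so ssh-keyconverter ends up with DT_NEEDED entries for libraries it never references; the actual problem on this line is ordering, since the static archives libssh.a and libopenbsd-compat.a pull symbols from libcrypto and libssl, which therefore have to come after `-lssh -lopenbsd-compat -lssh` for an as-needed link to keep them. Reordering to `$< -lssh -lopenbsd-compat -lssh -lssl -lcrypto -lpam ...` and dropping the duplicated `-lssl` (it now appears both before and after `-lssh`) would fix the build without the flag.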
++++++ openssh-5.8p1-askpass-fix.diff ++++++
Index: x11-ssh-askpass.c
===================================================================
--- x11-ssh-askpass.c.orig
+++ x11-ssh-askpass.c
@@ -1301,7 +1301,7 @@ void handleKeyPress(AppInfo *app, XEvent
}
}
-Bool eventIsInsideButton(AppInfo *app, XEvent *event, ButtonInfo button)
+Bool eventIsInsideButton(AppInfo *app, ButtonInfo button, XEvent *event)
{
/* 'gcc -Wall' complains about 'app' being an unused parameter.
* Tough. We might want to use it later, and then we don't have
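Review bot: the patch has no header comment explaining why the parameter order of eventIsInsideButton is swapped (the audit patch in this same submission opens with a one-line "# ..." rationale); add one, because exchanging a by-value struct with a pointer argument is not an obvious fix, and whoever rebases x11-ssh-askpass next needs to know whether this addresses a crash, a compiler warning or a calling-convention problem on some architecture.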
@@ -1343,11 +1343,11 @@ void handleButtonPress(AppInfo *app, XEv
return;
}
if (ButtonPress == event->type) {
- if (eventIsInsideButton(app, event, d->okButton)) {
+ if (eventIsInsideButton(app, d->okButton, event)) {
d->pressedButton = OK_BUTTON;
d->okButton.pressed = True;
paintButton(app, d->dialogWindow, d->okButton);
- } else if (eventIsInsideButton(app, event, d->cancelButton)) {
+ } else if (eventIsInsideButton(app, d->cancelButton, event)) {
d->pressedButton = CANCEL_BUTTON;
d->cancelButton.pressed = True;
paintButton(app, d->dialogWindow, d->cancelButton);
@@ -1356,7 +1356,7 @@ void handleButtonPress(AppInfo *app, XEv
}
} else if (ButtonRelease == event->type) {
if (OK_BUTTON == d->pressedButton) {
- if (eventIsInsideButton(app, event, d->okButton)) {
+ if (eventIsInsideButton(app, d->okButton, event)) {
acceptAction(app);
} else {
if (d->okButton.pressed) {
@@ -1365,7 +1365,7 @@ void handleButtonPress(AppInfo *app, XEv
}
}
} else if (CANCEL_BUTTON == d->pressedButton) {
- if (eventIsInsideButton(app, event, d->cancelButton)) {
+ if (eventIsInsideButton(app, d->cancelButton, event)) {
cancelAction(app);
} else {
if (d->cancelButton.pressed) {
@@ -1385,7 +1385,7 @@ void handlePointerMotion(AppInfo *app, X
if (NO_BUTTON == d->pressedButton) {
return;
} else if (OK_BUTTON == d->pressedButton) {
- if (eventIsInsideButton(app, event, d->okButton)) {
+ if (eventIsInsideButton(app, d->okButton, event)) {
if (!(d->okButton.pressed)) {
d->okButton.pressed = True;
paintButton(app, d->dialogWindow, d->okButton);
@@ -1397,7 +1397,7 @@ void handlePointerMotion(AppInfo *app, X
}
}
} else if (CANCEL_BUTTON == d->pressedButton) {
- if (eventIsInsideButton(app, event, d->cancelButton)) {
+ if (eventIsInsideButton(app, d->cancelButton, event)) {
if (!(d->cancelButton.pressed)) {
d->cancelButton.pressed = True;
paintButton(app, d->dialogWindow, d->cancelButton);
Index: x11-ssh-askpass.h
===================================================================
--- x11-ssh-askpass.h.orig
+++ x11-ssh-askpass.h
@@ -258,7 +258,7 @@ void erasePassphrase(AppInfo *app);
void addToPassphrase(AppInfo *app, char c);
void handleKeyPress(AppInfo *app, XEvent *event);
-Bool eventIsInsideButton(AppInfo *app, XEvent *event, ButtonInfo button);
+Bool eventIsInsideButton(AppInfo *app, ButtonInfo button, XEvent *event);
void handleButtonPress(AppInfo *app, XEvent *event);
void handlePointerMotion(AppInfo *app, XEvent *event);
++++++ openssh-5.8p1-audit.patch ++++++
# add support for Linux audit (FATE #120269)
================================================================================
Index: openssh-5.8p1/Makefile.in
===================================================================
--- openssh-5.8p1.orig/Makefile.in
+++ openssh-5.8p1/Makefile.in
@@ -47,6 +47,7 @@ CFLAGS=@CFLAGS@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
LIBS=@LIBS@
SSHLIBS=@SSHLIBS@
+LIBAUDIT=@LIBAUDIT@
SSHDLIBS=@SSHDLIBS@
LIBEDIT=@LIBEDIT@
AR=@AR@
@@ -146,7 +147,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SS
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(LIBAUDIT)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
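Review bot: LIBAUDIT is appended only to the sshd link line, which is fine as long as linux_audit_record_event is compiled only into sshd objects; since this patch adds the libaudit include to loginrec.c, keep that file out of libssh.a, or every other tool linking libssh.a will fail with an undefined reference. Folding `-laudit` into SSHDLIBS in configure.ac would also avoid introducing a second sshd-only library variable.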
Index: openssh-5.8p1/auth.c
===================================================================
--- openssh-5.8p1.orig/auth.c
+++ openssh-5.8p1/auth.c
@@ -293,6 +293,12 @@ auth_log(Authctxt *authctxt, int authent
get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
# endif
#endif
+#if HAVE_LINUX_AUDIT
+ if (authenticated == 0 && !authctxt->postponed) {
+ linux_audit_record_event(-1, authctxt->user, NULL,
+ get_remote_ipaddr(), "sshd", 0);
+ }
+#endif
#ifdef SSH_AUDIT_EVENTS
if (authenticated == 0 && !authctxt->postponed)
audit_event(audit_classify_auth(method));
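Review bot: this hunk tests `#if HAVE_LINUX_AUDIT` while the getpwnamallow hunk and config.h.in use `#ifdef`; with the `#undef` template an undefined macro evaluates to 0 under `#if`, so it compiles, but use `#ifdef` in both places for consistency. The guard `authenticated == 0 && !authctxt->postponed` is also exactly the condition the SSH_AUDIT_EVENTS block right below tests, so the two could share a single `if`.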
@@ -592,6 +598,10 @@ getpwnamallow(const char *user)
record_failed_login(user,
get_canonical_hostname(options.use_dns), "ssh");
#endif
+#ifdef HAVE_LINUX_AUDIT
+ linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
+ "sshd", 0);
+#endif
#ifdef SSH_AUDIT_EVENTS
audit_event(SSH_INVALID_USER);
#endif /* SSH_AUDIT_EVENTS */
Index: openssh-5.8p1/config.h.in
===================================================================
--- openssh-5.8p1.orig/config.h.in
+++ openssh-5.8p1/config.h.in
@@ -1460,6 +1460,9 @@
/* Define if you want SELinux support. */
#undef WITH_SELINUX
+/* Define if you want Linux audit support. */
+#undef HAVE_LINUX_AUDIT
+
/* Define to 1 if your processor stores words with the most significant byte
first (like Motorola and SPARC, unlike Intel and VAX). */
#undef WORDS_BIGENDIAN
Index: openssh-5.8p1/configure.ac
===================================================================
--- openssh-5.8p1.orig/configure.ac
+++ openssh-5.8p1/configure.ac
@@ -3522,6 +3522,20 @@ AC_ARG_WITH(selinux,
AC_SUBST(SSHLIBS)
AC_SUBST(SSHDLIBS)
+# Check whether user wants Linux audit support
+LINUX_AUDIT_MSG="no"
+LIBAUDIT=""
+AC_ARG_WITH(linux-audit,
+ [ --with-linux-audit Enable Linux audit support],
+ [ if test "x$withval" != "xno" ; then
+ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
+ LINUX_AUDIT_MSG="yes"
+ AC_CHECK_HEADERS(libaudit.h)
+ LIBAUDIT="-laudit"
+ fi
+ ])
+AC_SUBST(LIBAUDIT)
+
# Check whether user wants Kerberos 5 support
KRB5_MSG="no"
AC_ARG_WITH(kerberos5,
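Review bot: in the new --with-linux-audit block the result of AC_CHECK_HEADERS(libaudit.h) is never consulted, so HAVE_LINUX_AUDIT is defined and -laudit is added to LIBAUDIT even when the header or library is absent, and the failure only surfaces later as a compile or link error in loginrec.c. Use AC_CHECK_HEADER with an action-if-not-found that calls AC_MSG_ERROR, and add a matching AC_CHECK_LIB(audit, audit_open) before setting LIBAUDIT="-laudit".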
@@ -4316,6 +4330,7 @@ echo " PAM support
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
+echo " Linux audit support: $LINUX_AUDIT_MSG"
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
Index: openssh-5.8p1/loginrec.c
===================================================================
--- openssh-5.8p1.orig/loginrec.c
+++ openssh-5.8p1/loginrec.c
@@ -176,6 +176,10 @@
#include "auth.h"
#include "buffer.h"
+#ifdef HAVE_LINUX_AUDIT
+# include
+#endif
+
#ifdef HAVE_UTIL_H
# include
#endif
@@ -202,6 +206,9 @@ int utmp_write_entry(struct logininfo *l
int utmpx_write_entry(struct logininfo *li);
int wtmp_write_entry(struct logininfo *li);
int wtmpx_write_entry(struct logininfo *li);
+#ifdef HAVE_LINUX_AUDIT
+int linux_audit_write_entry(struct logininfo *li);
+#endif
int lastlog_write_entry(struct logininfo *li);
int syslogin_write_entry(struct logininfo *li);
@@ -442,6 +449,10 @@ login_write(struct logininfo *li)
/* set the timestamp */
login_set_current_time(li);
+#ifdef HAVE_LINUX_AUDIT
+ if (linux_audit_write_entry(li) == 0)
+ fatal("linux_audit_write_entry failed: %s", strerror(errno));
+#endif
#ifdef USE_LOGIN
syslogin_write_entry(li);
#endif
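Review bot: the fatal() added to login_write() reports strerror(errno), but linux_audit_write_entry() also returns 0 from its default branch ("invalid type field"), where errno has nothing to do with the failure, so the message can name a stale error. Either pass the failure reason back explicitly or limit the strerror() text to the audit_open()/audit_log_user_message() failure path.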
@@ -1406,6 +1417,87 @@ wtmpx_get_entry(struct logininfo *li)
}
#endif /* USE_WTMPX */
+#ifdef HAVE_LINUX_AUDIT
+static void
+_audit_hexscape(const char *what, char *where, unsigned int size)
+{
+ const char *ptr = what;
+ const char *hex = "0123456789ABCDEF";
+
+ while (*ptr) {
+ if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) {
+ unsigned int i;
+ ptr = what;
+ for (i = 0; *ptr && i+2 < size; i += 2) {
+ where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */
+ where[i+1] = hex[(unsigned)*ptr & 0x0F]; /* Lower nibble */
+ ptr++;
+ }
+ where[i] = '\0';
+ return;
+ }
+ ptr++;
+ }
+ where[0] = '"';
+ if ((unsigned)(ptr - what) < size - 3)
+ {
+ size = ptr - what + 3;
+ }
+ strncpy(where + 1, what, size - 3);
+ where[size-2] = '"';
+ where[size-1] = '\0';
+}
+
+#define AUDIT_LOG_SIZE 128
+#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8)
+
+int
+linux_audit_record_event(int uid, const char *username,
+ const char *hostname, const char *ip, const char *ttyn, int success)
+{
+ char buf[AUDIT_LOG_SIZE];
+ int audit_fd, rc;
+
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT)
+ return 1; /* No audit support in kernel */
+ else
+ return 0; /* Must prevent login */
+ }
+ if (username == NULL)
+ snprintf(buf, sizeof(buf), "uid=%d", uid);
+ else {
+ char encoded[AUDIT_ACCT_SIZE];
+ _audit_hexscape(username, encoded, sizeof(encoded));
+ snprintf(buf, sizeof(buf), "acct=%s", encoded);
+ }
+ rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
+ buf, hostname, ip, ttyn, success);
+ close(audit_fd);
+ if (rc >= 0)
+ return 1;
+ else
+ return 0;
+}
+
+int
+linux_audit_write_entry(struct logininfo *li)
+{
+ switch(li->type) {
+ case LTYPE_LOGIN:
+ return (linux_audit_record_event(li->uid, NULL, li->hostname,
+ NULL, li->line, 1));
+ case LTYPE_LOGOUT:
+ return (1); /* We only care about logins */
+ default:
+ logit("%s: invalid type field", __func__);
+ return (0);
+ }
+}
+#endif /* HAVE_LINUX_AUDIT */
+
/**
** Low-level libutil login() functions
**/
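Review bot: in linux_audit_record_event() close(audit_fd) runs before rc is examined, so an errno set by a failed audit_log_user_message() can be overwritten before the caller in login_write() formats strerror(errno); save errno across the close(). Two smaller points: _audit_hexscape() truncates silently when the hex-encoded name does not fit AUDIT_ACCT_SIZE, leaving a partial acct= value in the audit record, which deserves at least a debug() so the truncation is noticeable; and the `int uid` parameter receives uid_t values from li->uid but -1 as a sentinel from auth.c, so document the meaning of -1 next to the prototype in loginrec.h.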
Index: openssh-5.8p1/loginrec.h
===================================================================
--- openssh-5.8p1.orig/loginrec.h
+++ openssh-5.8p1/loginrec.h
@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
char *line_abbrevname(char *dst, const char *src, int dstsize);
void record_failed_login(const char *, const char *, const char *);
+#ifdef HAVE_LINUX_AUDIT
+int linux_audit_record_event(int uid, const char *username,
+ const char *hostname, const char *ip, const char *ttyn, int success);
+#endif /* HAVE_LINUX_AUDIT */
#endif /* _HAVE_LOGINREC_H_ */
++++++ openssh-5.8p1-blocksigalrm.diff ++++++
Index: log.c
===================================================================
--- log.c.orig
+++ log.c
@@ -51,6 +51,7 @@
#include "xmalloc.h"
#include "log.h"
+#include
static LogLevel log_level = SYSLOG_LEVEL_INFO;
static int log_on_stderr = 1;
@@ -336,6 +337,7 @@ do_log(LogLevel level, const char *fmt,
char fmtbuf[MSGBUFSIZ];
char *txt = NULL;
int pri = LOG_INFO;
+ sigset_t nset, oset;
int saved_errno = errno;
if (level > log_level)
@@ -387,6 +389,14 @@ do_log(LogLevel level, const char *fmt,
snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf);
write(STDERR_FILENO, msgbuf, strlen(msgbuf));
} else {
+ /* Prevent a race between the grace_alarm
+ * which writes a log message and terminates
+ * and main sshd code that leads to deadlock
+ * as syslog is not async safe.
+ */
+ sigemptyset(&nset);
+ sigaddset(&nset, SIGALRM);
+ sigprocmask(SIG_BLOCK, &nset, &oset);
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
syslog_r(pri, &sdata, "%.500s", fmtbuf);
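Review bot: the sigprocmask() calls added to do_log() ignore their return values and block only SIGALRM; that closes the grace_alarm race the comment describes, but any other signal handler that calls the log functions remains exposed to the same syslog() deadlock, so either say in the comment that the SIGALRM handler is the only one known to log, or block the other handlers' signals here as well. Check the sigprocmask() result too, since a failure silently reintroduces the race.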
@@ -396,6 +406,7 @@ do_log(LogLevel level, const char *fmt,
syslog(pri, "%.500s", fmtbuf);
closelog();
#endif
+ sigprocmask(SIG_SETMASK, &oset, NULL);
}
errno = saved_errno;
}
++++++ openssh-5.8p1-default-protocol.diff ++++++
Index: ssh_config
===================================================================
--- ssh_config.orig
+++ ssh_config
@@ -46,7 +46,7 @@ ForwardX11Trusted yes
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
-# Protocol 2,1
+ Protocol 2
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
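Review bot: the replacement line ` Protocol 2` is indented with a leading space while every other directive in ssh_config starts in column one; the parser tolerates it, but it looks as if it were still part of the commented example block. Drop the space, and since this turns a commented-out example into an active client-wide setting that removes the protocol 1 fallback, keep the original `# Protocol 2,1` comment above it so readers can see what changed from the upstream default.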
++++++ openssh-5.8p1-eal3.diff ++++++
Index: openssh-5.8p1/sshd.8
===================================================================
--- openssh-5.8p1.orig/sshd.8
+++ openssh-5.8p1/sshd.8
@@ -855,7 +855,7 @@ Contains Diffie-Hellman groups used for
The file format is described in
.Xr moduli 5 .
.Pp
-.It Pa /etc/motd
+.It Pa /etc/lib/motd
See
.Xr motd 5 .
.Pp
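Review bot: this hunk changes only the manual page, from /etc/motd to /etc/lib/motd, but nothing in the patch changes the path sshd actually reads, so confirm that the packaged sshd is built with a matching motd location or the documentation will be wrong; /etc/lib is also an unusual directory, so double-check it is not a typo for the intended path.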
@@ -868,7 +868,7 @@ are displayed to anyone trying to log in
refused.
The file should be world-readable.
.Pp
-.It Pa /etc/shosts.equiv
+.It Pa /etc/ssh/shosts.equiv
This file is used in exactly the same way as
.Pa hosts.equiv ,
but allows host-based authentication without permitting login with
@@ -947,8 +947,7 @@ The content of this file is not sensitiv
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
.Xr hosts_access 5 ,
-.Xr login.conf 5 ,
-.Xr moduli 5 ,
+.Xr login.defs 5 ,
.Xr sshd_config 5 ,
.Xr inetd 8 ,
.Xr sftp-server 8
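Review bot: removing `.Xr moduli 5` from SEE ALSO leaves the FILES section of the same page still cross-referencing moduli(5) (the `.Xr moduli 5 .` line kept as context in the first hunk), so the reference should stay unless the moduli(5) page is also dropped from the package; replacing login.conf(5) with login.defs(5) is right for a Linux build.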
Index: openssh-5.8p1/sshd_config.5
===================================================================
--- openssh-5.8p1.orig/sshd_config.5
+++ openssh-5.8p1/sshd_config.5
@@ -497,7 +497,7 @@ or
.Pp
.Pa /etc/hosts.equiv
and
-.Pa /etc/shosts.equiv
+.Pa /etc/ssh/shosts.equiv
are still used.
The default is
.Dq yes .
++++++ openssh-5.8p1-engines.diff ++++++
Index: openssh-5.8p1/ssh-add.c
===================================================================
--- openssh-5.8p1.orig/ssh-add.c
+++ openssh-5.8p1/ssh-add.c
@@ -43,6 +43,7 @@
#include
#include "openbsd-compat/openssl-compat.h"
+#include
#include
#include
@@ -377,6 +378,10 @@ main(int argc, char **argv)
OpenSSL_add_all_algorithms();
+ /* Init available hardware crypto engines. */
+ ENGINE_load_builtin_engines();
+ ENGINE_register_all_complete();
+
/* At first, get a connection to the authentication agent. */
ac = ssh_get_authentication_connection();
if (ac == NULL) {
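Review bot: the ENGINE_load_builtin_engines()/ENGINE_register_all_complete() pair is pasted verbatim into six programs in this patch (ssh-add, ssh-agent, ssh-keygen, ssh-keysign, ssh, sshd); move it into one helper in openbsd-compat/openssl-compat.c, called right after OpenSSL_add_all_algorithms(), so that a later change such as an ENGINE_cleanup() at exit, which none of the hunks add, is made in a single place.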
Index: openssh-5.8p1/ssh-agent.c
===================================================================
--- openssh-5.8p1.orig/ssh-agent.c
+++ openssh-5.8p1/ssh-agent.c
@@ -52,6 +52,7 @@
#include
#include
#include "openbsd-compat/openssl-compat.h"
+#include
#include
#include
@@ -1153,6 +1154,10 @@ main(int ac, char **av)
OpenSSL_add_all_algorithms();
+ /* Init available hardware crypto engines. */
+ ENGINE_load_builtin_engines();
+ ENGINE_register_all_complete();
+
__progname = ssh_get_progname(av[0]);
init_rng();
seed_rng();
Index: openssh-5.8p1/ssh-keygen.c
===================================================================
--- openssh-5.8p1.orig/ssh-keygen.c
+++ openssh-5.8p1/ssh-keygen.c
@@ -22,6 +22,7 @@
#include
#include
#include "openbsd-compat/openssl-compat.h"
+#include
#include
#include
@@ -1815,6 +1816,11 @@ main(int argc, char **argv)
__progname = ssh_get_progname(argv[0]);
OpenSSL_add_all_algorithms();
+
+ /* Init available hardware crypto engines. */
+ ENGINE_load_builtin_engines();
+ ENGINE_register_all_complete();
+
log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
init_rng();
Index: openssh-5.8p1/ssh-keysign.c
===================================================================
--- openssh-5.8p1.orig/ssh-keysign.c
+++ openssh-5.8p1/ssh-keysign.c
@@ -38,6 +38,7 @@
#include
#include
#include
+#include
#include "xmalloc.h"
#include "log.h"
@@ -195,6 +196,11 @@ main(int argc, char **argv)
fatal("could not open any host key");
OpenSSL_add_all_algorithms();
+
+ /* Init available hardware crypto engines. */
+ ENGINE_load_builtin_engines();
+ ENGINE_register_all_complete();
+
for (i = 0; i < 256; i++)
rnd[i] = arc4random();
RAND_seed(rnd, sizeof(rnd));
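Review bot: ssh-keysign runs set-uid root to sign with the host keys, so loading and registering every builtin engine here enlarges the code that runs with elevated privilege without any host-based authentication benefit visible in the patch; either justify it in the comment or leave ssh-keysign out of the engine change.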
Index: openssh-5.8p1/ssh.c
===================================================================
--- openssh-5.8p1.orig/ssh.c
+++ openssh-5.8p1/ssh.c
@@ -75,6 +75,7 @@
#include
#include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h"
+#include
#include "xmalloc.h"
#include "ssh.h"
@@ -601,6 +602,10 @@ main(int ac, char **av)
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
+ /* Init available hardware crypto engines. */
+ ENGINE_load_builtin_engines();
+ ENGINE_register_all_complete();
+
/* Initialize the command to execute on remote host. */
buffer_init(&command);
Index: openssh-5.8p1/sshd.c
===================================================================
--- openssh-5.8p1.orig/sshd.c
+++ openssh-5.8p1/sshd.c
@@ -77,6 +77,7 @@
#include
#include
#include "openbsd-compat/openssl-compat.h"
+#include
#ifdef HAVE_SECUREWARE
#include
@@ -1474,6 +1475,10 @@ main(int ac, char **av)
OpenSSL_add_all_algorithms();
+ /* Init available hardware crypto engines. */
+ ENGINE_load_builtin_engines();
+ ENGINE_register_all_complete();
+
/*
* Force logging to stderr until we have loaded the private host
* key (unless started from inetd)
++++++ openssh-5.8p1-gssapimitm.patch ++++++
The patch below adds support for the deprecated 'gssapi' authentication
mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
in this release. The use of 'gssapi' is deprecated due to the presence of
potential man-in-the-middle attacks, which 'gssapi-with-mic' is not
susceptible to.
To use the patch, apply it to an OpenSSH 3.8p1 source tree. After compiling,

backwards compatibility may be obtained by supplying the
'GssapiEnableMitmAttack yes' option to either the client or server.
It should be noted that this patch is being made available purely as a means
of easing the process of moving to OpenSSH 3.8p1. Any new installations are
recommended to use the 'gssapi-with-mic' mechanism. Existing installations
are encouraged to upgrade as soon as possible.
Index: auth2-gss.c
===================================================================
--- auth2-gss.c.orig
+++ auth2-gss.c
@@ -177,6 +177,15 @@ input_gssapi_token(int type, u_int32_t p
dispatch_set(
SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
&input_gssapi_exchange_complete);
+
+ /*
+ * Old style 'gssapi' didn't have the GSSAPI_MIC
+ * and went straight to sending exchange_complete
+ */
+ if (options.gss_enable_mitm)
+ dispatch_set(
+ SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
+ &input_gssapi_exchange_complete);
}
}
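Review bot: the conditional dispatch_set() added to input_gssapi_token() registers exactly the same handler for SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE that the three unchanged lines immediately above it already register unconditionally, so the `if (options.gss_enable_mitm)` block is a no-op; remove it, or, if the intent was to accept the exchange_complete message only when the old mechanism is enabled, make the unconditional call above the conditional one.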
@@ -298,4 +307,10 @@ Authmethod method_gssapi = {
&options.gss_authentication
};
+Authmethod method_gssapi_old = {
+ "gssapi",
+ userauth_gssapi,
+ &options.gss_enable_mitm
+};
+
#endif /* GSSAPI */
Index: auth2.c
===================================================================
--- auth2.c.orig
+++ auth2.c
@@ -70,6 +70,7 @@ extern Authmethod method_kbdint;
extern Authmethod method_hostbased;
#ifdef GSSAPI
extern Authmethod method_gssapi;
+extern Authmethod method_gssapi_old;
#endif
#ifdef JPAKE
extern Authmethod method_jpake;
@@ -80,6 +81,7 @@ Authmethod *authmethods[] = {
&method_pubkey,
#ifdef GSSAPI
&method_gssapi,
+ &method_gssapi_old,
#endif
#ifdef JPAKE
&method_jpake,
Index: readconf.c
===================================================================
--- readconf.c.orig
+++ readconf.c
@@ -128,7 +128,7 @@ typedef enum {
oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ oAddressFamily, oGssAuthentication, oGssDelegateCreds, oGssEnableMITM,
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
@@ -170,9 +170,11 @@ static struct {
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
+ { "gssapienablemitmattack", oGssEnableMITM },
#else
{ "gssapiauthentication", oUnsupported },
{ "gssapidelegatecredentials", oUnsupported },
+ { "gssapienablemitmattack", oUnsupported },
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
@@ -483,6 +485,10 @@ parse_flag:
intptr = &options->gss_deleg_creds;
goto parse_flag;
+ case oGssEnableMITM:
+ intptr = &options->gss_enable_mitm;
+ goto parse_flag;
+
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@@ -1093,6 +1099,7 @@ initialize_options(Options * options)
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
options->gss_deleg_creds = -1;
+ options->gss_enable_mitm = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -1195,6 +1202,8 @@ fill_default_options(Options * options)
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
+ if (options->gss_enable_mitm == -1)
+ options->gss_enable_mitm = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
Index: readconf.h
===================================================================
--- readconf.h.orig
+++ readconf.h
@@ -47,6 +47,7 @@ typedef struct {
/* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */
int gss_deleg_creds; /* Delegate GSS credentials */
+ int gss_enable_mitm; /* Enable old style gssapi auth */
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
Index: servconf.c
===================================================================
--- servconf.c.orig
+++ servconf.c
@@ -98,6 +98,7 @@ initialize_server_options(ServerOptions
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
options->gss_cleanup_creds = -1;
+ options->gss_enable_mitm = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
@@ -228,6 +229,8 @@ fill_default_server_options(ServerOption
options->gss_authentication = 0;
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
+ if (options->gss_enable_mitm == -1)
+ options->gss_enable_mitm = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
@@ -322,7 +325,7 @@ typedef enum {
sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+ sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssEnableMITM,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication, sHostCertificate,
@@ -386,9 +389,11 @@ static struct {
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+ { "gssapienablemitmattack", sGssEnableMITM },
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapienablemitmattack", sUnsupported },
#endif
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
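Review bot: the new `{ "gssapienablemitmattack", sGssEnableMITM }` entry (and its sUnsupported twin) omits the SSHCFG_* flags field that every neighbouring entry carries, so the flags initialise to 0 and the keyword gets neither SSHCFG_GLOBAL nor SSHCFG_MATCH treatment; add SSHCFG_GLOBAL, matching the gssapicleanupcredentials entry on the line above.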
@@ -948,6 +953,10 @@ process_server_config_line(ServerOptions
intptr = &options->gss_cleanup_creds;
goto parse_flag;
+ case sGssEnableMITM:
+ intptr = &options->gss_enable_mitm;
+ goto parse_flag;
+
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
Index: servconf.h
===================================================================
--- servconf.h.orig
+++ servconf.h
@@ -98,6 +98,7 @@ typedef struct {
* authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
+ int gss_enable_mitm; /* If true, enable old style GSSAPI */
int password_authentication; /* If true, permit password
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
Index: ssh_config
===================================================================
--- ssh_config.orig
+++ ssh_config
@@ -54,5 +54,15 @@ ForwardX11Trusted yes
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
+# GSSAPIAuthentication no
+# GSSAPIDelegateCredentials no
+
+# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
+# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
+# in this release. The use of 'gssapi' is deprecated due to the presence of
+# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
+# GSSAPIEnableMITMAttack no
+
+>>>>>>>
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
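Review bot: the `+>>>>>>>` line is a leftover merge-conflict marker being added to the shipped ssh_config; ssh treats it as an unknown keyword and reports a bad configuration option, so it must be removed from this patch rather than left for the later send_locale.diff (which deletes it again) to clean up. The comment block also still says the mechanism exists to ease moving to OpenSSH 3.8p1, which is stale for a 5.8p1 package; since the option re-enables a mechanism the comment itself describes as open to man-in-the-middle attack, keeping the default commented out as `no`, as done here, is the right choice.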
Index: sshconnect2.c
===================================================================
--- sshconnect2.c.orig
+++ sshconnect2.c
@@ -324,6 +324,10 @@ Authmethod authmethods[] = {
NULL,
&options.gss_authentication,
NULL},
+ {"gssapi",
+ userauth_gssapi,
+ &options.gss_enable_mitm,
+ NULL},
#endif
{"hostbased",
userauth_hostbased,
@@ -701,7 +705,9 @@ process_gssapi_token(void *ctxt, gss_buf
if (status == GSS_S_COMPLETE) {
/* send either complete or MIC, depending on mechanism */
- if (!(flags & GSS_C_INTEG_FLAG)) {
+
+ if (strcmp(authctxt->method->name,"gssapi")==0 ||
+ (!(flags & GSS_C_INTEG_FLAG))) {
packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
packet_send();
} else {
Index: sshd_config
===================================================================
--- sshd_config.orig
+++ sshd_config
@@ -73,6 +73,12 @@ PasswordAuthentication no
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
+# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
+# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
+# in this release. The use of 'gssapi' is deprecated due to the presence of
+# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
+#GSSAPIEnableMITMAttack no
+
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
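Review bot: the added sshd_config comment refers to OpenSSH 3.8p1 although this patch targets 5.8p1; update the wording (the ssh_config hunk of the same patch carries the identical stale text) so administrators are not told the option exists for a migration that finished several releases ago.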
++++++ openssh-5.8p1-homechroot.patch ++++++
Index: chrootenv.h
===================================================================
--- /dev/null
+++ chrootenv.h
@@ -0,0 +1,32 @@
+/* $OpenBSD: session.h,v 1.30 2008/05/08 12:21:16 djm Exp $ */
+
+/*
+ * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef CHROOTENV_H
+#define CHROOTENV_H
+
+extern int chroot_no_tree;
+
+#endif
+
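Review bot: chrootenv.h carries the `$OpenBSD: session.h,v 1.30 ...$` RCS tag copied from session.h, which is misleading for a new distribution-only header; drop the tag (keep the licence block) and add a one-line comment saying what chroot_no_tree means, since this header is the only place a reader of sftp-common.c can learn it.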
Index: session.c
===================================================================
--- session.c.orig
+++ session.c
@@ -120,6 +120,8 @@ void do_child(Session *, const char *);
void do_motd(void);
int check_quietlogin(Session *, const char *);
+int chroot_no_tree = 0;
+
static void do_authenticated1(Authctxt *);
static void do_authenticated2(Authctxt *);
@@ -808,6 +810,11 @@ do_exec(Session *s, const char *command)
debug("Forced command (key option) '%.900s'", command);
}
+ if ((s->is_subsystem != SUBSYSTEM_INT_SFTP) && chroot_no_tree) {
+ logit("You aren't welcomed, go away!");
+ exit (1);
+ }
+
#ifdef SSH_AUDIT_EVENTS
if (command != NULL)
PRIVSEP(audit_run_command(command));
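Review bot: the new check in do_exec() refuses any non-internal-sftp session once chroot_no_tree is set, but the message it leaves in the log, "You aren't welcomed, go away!", tells neither the administrator nor the user why; log the actual reason (ChrootDirectory points at a user-owned directory without a userland, so only the internal sftp subsystem is permitted) and consider sending that text to the client as well. Using exit(1) here also bypasses the cleanup that fatal() would run.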
@@ -1421,6 +1428,63 @@ do_nologin(struct passwd *pw)
}
/*
+ * Test if filesystem is mounted nosuid and nodev
+ */
+
+static void
+test_nosuid (char * path, dev_t fs)
+{
+ FILE *f;
+ struct stat st;
+ char buf[4096], *s, *on, *mountpoint, *opt;
+ int nodev, nosuid;
+
+ if (!(f = popen ("/bin/mount", "r")))
+ fatal ("%s: popen(\"/bin/mount\", \"r\"): %s",
+ __func__, strerror (errno));
+ for (;;) {
+ s = fgets (buf, sizeof (buf), f);
+ if (ferror (f))
+ fatal ("%s: read from popen: %s", __func__,
+ strerror (errno));
+ if (!s) {
+ pclose (f);
+ fatal ("cannot found filesystem with the chroot directory");
+ }
+ (void) strtok (buf, " ");
+ on = strtok (NULL, " ");
+ if (strcmp (on, "on")) {
+ pclose (f);
+ fatal ("bad format of mount output");
+ }
+ mountpoint = strtok (NULL, " ");
+ if (memcmp (path, mountpoint, strlen (mountpoint)))
+ continue;
+ if (stat(mountpoint, &st) != 0) {
+ pclose (f);
+ fatal("%s: stat(\"%s\"): %s", __func__,
+ mountpoint, strerror(errno));
+ }
+ if (fs != st.st_dev)
+ continue;
+ nodev = nosuid = 0;
+ for (opt = strtok (NULL, "("); opt; opt = strtok (NULL, " ,)")) {
+ if (!strcmp (opt, "nodev"))
+ nodev = 1;
+ else if (!strcmp (opt, "nosuid"))
+ nosuid = 1;
+ else if (!strcmp (opt, "noexec"))
+ nosuid = 1;
+ if (nodev && nosuid) {
+ pclose (f);
+ return;
+ }
+ }
+ fatal ("chroot into directory without nodev or nosuid");
+ }
+}
+
+/*
* Chroot into a directory after checking it for safety: all path components
* must be root-owned directories with strict permissions.
*/
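Review bot: test_nosuid() learns the mount options by running /bin/mount through popen() and parsing its human-readable output, which is fragile: the format is not stable, the check depends on a working /bin/mount as root, and `on = strtok(NULL, " ")` can return NULL and is then passed to strcmp(). statvfs(3) on the chroot path gives the same information directly through f_flag (ST_NOSUID, and on glibc ST_NODEV/ST_NOEXEC), or getmntent(3) on /proc/mounts if the option strings are wanted. Also, the prefix comparison `memcmp(path, mountpoint, strlen(mountpoint))` matches "/home" against "/homework" and is only rescued by the later st_dev test, "cannot found filesystem" should read "cannot find the filesystem", and the final message should name the rule the code enforces (nodev plus either nosuid or noexec).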
@@ -1430,6 +1494,7 @@ safely_chroot(const char *path, uid_t ui
const char *cp;
char component[MAXPATHLEN];
struct stat st;
+ int last;
if (*path != '/')
fatal("chroot path does not begin at root");
@@ -1441,7 +1506,7 @@ safely_chroot(const char *path, uid_t ui
* root-owned directory with strict permissions.
*/
for (cp = path; cp != NULL;) {
- if ((cp = strchr(cp, '/')) == NULL)
+ if (((last = ((cp = strchr(cp, '/')) == NULL))))
strlcpy(component, path, sizeof(component));
else {
cp++;
@@ -1454,14 +1519,20 @@ safely_chroot(const char *path, uid_t ui
if (stat(component, &st) != 0)
fatal("%s: stat(\"%s\"): %s", __func__,
component, strerror(errno));
- if (st.st_uid != 0 || (st.st_mode & 022) != 0)
+ if ((st.st_uid != 0 || (st.st_mode & 022) != 0) && !(last && st.st_uid == uid))
fatal("bad ownership or modes for chroot "
"directory %s\"%s\"",
cp == NULL ? "" : "component ", component);
if (!S_ISDIR(st.st_mode))
fatal("chroot path %s\"%s\" is not a directory",
cp == NULL ? "" : "component ", component);
+ }
+ setenv ("TZ", "/etc/localtime", 0);
+ tzset ();
+ if (st.st_uid) {
+ test_nosuid (path, st.st_dev);
+ ++chroot_no_tree;
}
if (chdir(path) == -1)
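Review bot: the relaxed condition `&& !(last && st.st_uid == uid)` skips the whole test for the final path component when it is owned by the user, including the `(st.st_mode & 022) != 0` part, so a user-owned chroot directory that is group- or world-writable now passes; only the ownership requirement was meant to be relaxed, so keep rejecting 022 modes for that component too (other local users writing into someone's chroot root remains a problem even with nodev/nosuid). The `if (st.st_uid)` that follows relies on st still describing that last component, which holds only because the loop ends on it; a short comment would make that dependency explicit.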
@@ -1472,6 +1543,10 @@ safely_chroot(const char *path, uid_t ui
if (chdir("/") == -1)
fatal("%s: chdir(/) after chroot: %s",
__func__, strerror(errno));
+
+ if (access ("/etc/localtime", R_OK) < 0)
+ ++chroot_no_tree;
+
verbose("Changed root directory to \"%s\"", path);
}
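Review bot: after the chroot, a missing /etc/localtime is taken as the sign that the directory contains no userland and therefore only internal-sftp may run; this is a heuristic (a root-owned tree that merely lacks that file gets shells refused, while the user-owned case already set chroot_no_tree before the chroot), so state the intent in a comment beside the access() call, and mention that the earlier setenv("TZ", "/etc/localtime", 0) and tzset() exist so time conversion still works inside such a chroot.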
Index: sftp.c
===================================================================
--- sftp.c.orig
+++ sftp.c
@@ -106,6 +106,8 @@ int remote_glob(struct sftp_conn *, cons
extern char *__progname;
+int chroot_no_tree = 0;
+
/* Separators for interactive commands */
#define WHITESPACE " \t\r\n"
Index: sftp-common.c
===================================================================
--- sftp-common.c.orig
+++ sftp-common.c
@@ -43,6 +43,7 @@
#include "xmalloc.h"
#include "buffer.h"
#include "log.h"
+#include "chrootenv.h"
#include "sftp.h"
#include "sftp-common.h"
@@ -196,13 +197,13 @@ ls_file(const char *name, const struct s
char sbuf[FMT_SCALED_STRSIZE];
strmode(st->st_mode, mode);
- if (!remote) {
+ if (!remote && !chroot_no_tree) {
user = user_from_uid(st->st_uid, 0);
} else {
snprintf(ubuf, sizeof ubuf, "%u", (u_int)st->st_uid);
user = ubuf;
}
- if (!remote) {
+ if (!remote && !chroot_no_tree) {
group = group_from_gid(st->st_gid, 0);
} else {
snprintf(gbuf, sizeof gbuf, "%u", (u_int)st->st_gid);
Index: sftp-server-main.c
===================================================================
--- sftp-server-main.c.orig
+++ sftp-server-main.c
@@ -22,11 +22,14 @@
#include
#include
#include
+#include
#include "log.h"
#include "sftp.h"
#include "misc.h"
+int chroot_no_tree = 0;
+
void
cleanup_exit(int i)
{
Index: sshd_config.0
===================================================================
--- sshd_config.0.orig
+++ sshd_config.0
@@ -143,6 +143,14 @@ DESCRIPTION
though sessions which use logging do require /dev/log inside the
chroot directory (see sftp-server(8) for details).
+ In the special case when only sftp is used, not ssh nor scp, it
+ is possible to use ChrootDirectory %h or ChrootDirectory
+ /some/path/%u. The file system containing this directory must be
+ mounted with options nodev and either nosuid or noexec. The owner
+ of the directory should be the user. The ownership of the other
+ components of the path must fulfill the usual conditions. No adi-
+ tional files are required to be present in the directory.
+
The default is not to chroot(2).
Ciphers
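Review bot: in the added sshd_config.0 paragraph "No aditional files" should be "No additional files" and "not ssh nor scp" reads better as "neither ssh nor scp"; the same text appears in sshd_config.5 and must be changed in both. sshd_config.0 is normally generated from sshd_config.5 at build time, so check that patching the preformatted file is needed at all.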
Index: sshd_config.5
===================================================================
--- sshd_config.5.orig
+++ sshd_config.5
@@ -268,6 +268,17 @@ inside the chroot directory (see
.Xr sftp-server 8
for details).
.Pp
+In the special case when only sftp is used, not ssh nor scp,
+it is possible to use
+.Cm ChrootDirectory
+%h or
+.Cm ChrootDirectory
+/some/path/%u. The file system containing this directory must be
+mounted with options nodev and either nosuid or noexec. The owner of the
+directory should be the user. The ownership of the other components of the path
+must fulfill the usual conditions. No aditional files are required to be present
+in the directory.
+.Pp
The default is not to
.Xr chroot 2 .
.It Cm Ciphers
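Review bot: same typo here, "aditional" for "additional"; the paragraph should also state the consequence the code in session.c enforces, namely that with a user-owned %h chroot only the internal sftp subsystem is permitted and shell or scp sessions are refused, rather than only calling sftp the "special case".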
++++++ openssh-5.8p1-host_ident.diff ++++++
Index: openssh-5.7p1/sshconnect.c
===================================================================
--- openssh-5.7p1.orig/sshconnect.c
+++ openssh-5.7p1/sshconnect.c
@@ -958,6 +958,11 @@ check_host_key(char *hostname, struct so
user_hostfile);
error("Offending %s key in %s:%lu", key_type(host_found->key),
host_found->file, host_found->line);
+ error("You can use following command to remove all keys for this IP:");
+ if (host_found->file)
+ error("ssh-keygen -R %s -f %s", hostname, host_found->file);
+ else
+ error("ssh-keygen -R %s", hostname);
/*
* If strict host key checking is in use, the user will have
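Review bot: the new hint says "remove all keys for this IP" but passes `hostname`, which at this point may be a host name rather than an address, so say "this host". More importantly, this text is printed inside the host key mismatch warning, so turning removal into a copy-and-paste one-liner should be weighed against teaching users to clear the key reflexively when a changed key may indicate interception; if kept, phrase it so the user is told to verify the new key out of band first.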
++++++ openssh-5.8p1-pam-fix2.diff ++++++
Index: sshd_config
===================================================================
--- sshd_config.orig
+++ sshd_config
@@ -57,7 +57,7 @@
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
@@ -82,7 +82,7 @@
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
-#UsePAM no
+UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
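Review bot: enabling UsePAM while setting PasswordAuthentication no does not by itself disable password logins: the unchanged comment three lines above says so, and ChallengeResponseAuthentication is left at its default, so PAM still prompts for a password through keyboard-interactive. If the intent is key-only login, also set ChallengeResponseAuthentication no in this hunk; if the intent is PAM-driven password authentication, say so in a comment so the PasswordAuthentication no line is not misread as disabling passwords.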
++++++ openssh-5.8p1-pam-fix3.diff ++++++
Index: auth-pam.c
===================================================================
--- auth-pam.c.orig
+++ auth-pam.c
@@ -786,7 +786,9 @@ sshpam_query(void *ctx, char **name, cha
fatal("Internal error: PAM auth "
"succeeded when it should have "
"failed");
- import_environments(&buffer);
+#ifndef USE_POSIX_THREADS
+ import_environments(&buffer);
+#endif
*num = 0;
**echo_on = 0;
ctxt->pam_done = 1;
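Review bot: skipping import_environments(&buffer) under USE_POSIX_THREADS needs a comment stating why (presumably because in the threaded build the PAM conversation ran in this same process, so the environment is already present and a second import would be redundant or wrong); as written a reader cannot tell whether this fixes a double import or quietly drops PAM-set environment variables.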
++++++ openssh-5.8p1-pts.diff ++++++
Index: loginrec.c
===================================================================
--- loginrec.c.orig
+++ loginrec.c
@@ -555,7 +555,7 @@ getlast_entry(struct logininfo *li)
* 1. The full filename (including '/dev')
* 2. The stripped name (excluding '/dev')
* 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00
- * /dev/pts/1 -> ts/1 )
+ * /dev/pts/1 -> /1 )
*
* Form 3 is used on some systems to identify a .tmp.? entry when
* attempting to remove it. Typically both addition and removal is
@@ -616,6 +616,10 @@ line_abbrevname(char *dst, const char *s
if (strncmp(src, "tty", 3) == 0)
src += 3;
#endif
+ if (strncmp(src, "pts/", 4) == 0) {
+ src += 3;
+ if (strlen(src) > 4) src++;
+ }
len = strlen(src);
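Review bot: the new pts/ abbreviation hard-codes 4 and 3 without explanation: it drops "pts" to leave "/1", then drops the slash as well once the remainder exceeds 4 characters so the id still fits the 4-byte ut_id field. Replace the magic numbers with sizeof of that field (or a named constant) and extend the comment above line_abbrevname(), whose /dev/pts/1 -> /1 example was just updated, to say why the longer form loses the slash.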
++++++ openssh-5.8p1-saveargv-fix.diff ++++++
Index: sshd.c
===================================================================
--- sshd.c.orig
+++ sshd.c
@@ -306,6 +306,7 @@ sighup_handler(int sig)
static void
sighup_restart(void)
{
+ int i;
logit("Received SIGHUP; restarting.");
close_listen_socks();
close_startup_pipes();
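Review bot: the `int i;` added to `sighup_restart()` is not used anywhere in this hunk, so as shown it only earns an unused-variable warning; if a later part of the patch that is not visible here uses it, fine, but if it was meant for the copy loop in `main()` in the next hunk it is in the wrong function and should be moved there.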
@@ -1319,7 +1320,11 @@ main(int ac, char **av)
#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
compat_init_setproctitle(ac, av);
- av = saved_argv;
+
+ av = xmalloc(sizeof(*saved_argv) * (saved_argc + 1));
+ for (i = 0; i < saved_argc; i++)
+ av[i] = xstrdup(saved_argv[i]);
+ av[i] = NULL;
#endif
if (geteuid() == 0 && setgroups(0, NULL) == -1)
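Review bot: the copy loop `av = xmalloc(...); for (i = 0; i < saved_argc; i++) av[i] = xstrdup(saved_argv[i]); av[i] = NULL;` needs a comment explaining why a deep copy replaces the previous `av = saved_argv;` (presumably because the setproctitle emulation prepared by `compat_init_setproctitle()` on the line above reuses the memory the original argv strings occupy); without it the next person will simplify it back. The hunk uses `i` without declaring it, so it depends on `main()` already having an `i` in scope, which is not visible here. `xmalloc`/`xstrdup` abort on failure, so no NULL checks are needed; if the copy is meant to live for the whole process lifetime, say so in the comment so it is not later flagged as a leak.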
++++++ openssh-5.8p1-send_locale.diff ++++++
Index: ssh_config
===================================================================
--- ssh_config.orig
+++ ssh_config
@@ -63,6 +63,9 @@ ForwardX11Trusted yes
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
# GSSAPIEnableMITMAttack no
->>>>>>>
+# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5).
+SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+SendEnv LC_IDENTIFICATION LC_ALL
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
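Review bot: the removed line `->>>>>>>` is a leftover merge-conflict marker in the shipped config, so dropping it is a real fix and deserves a mention in the changelog rather than being buried in a locale patch. In the added comment, `enviroment` should be `environment`.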
Index: sshd_config
===================================================================
--- sshd_config.orig
+++ sshd_config
@@ -117,6 +117,11 @@ X11Forwarding yes
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
+# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
+
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
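Review bot: same typo as on the client side, `enviroment` should be `environment` in the added comment. The AcceptEnv list matches the SendEnv list in the ssh_config hunk name for name, which is what you want; a short note that the two lists are meant to be kept in sync would help the next person who edits only one of them.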
++++++ openssh-5.8p1-sshconfig-knownhostschanges.diff ++++++
Index: ssh_config
===================================================================
--- ssh_config.orig
+++ ssh_config
@@ -67,5 +67,13 @@ ForwardX11Trusted yes
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL
-# VisualHostKey no
+
+# This will print the fingerprint of the host key in "visual" form
+# this should make it easier to also recognize bad things
+VisualHostKey no
+
+# This will hash new host keys and make them so unusable for malicious
+# people or software trying to use known_hosts to find further hops.
+HashKnownHosts yes
+
# ProxyCommand ssh -q -W %h:%p gateway.example.com
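Review bot: the comment above `VisualHostKey no` describes what the option does when it is enabled ("This will print the fingerprint..."), but the value being set is `no`, so the comment reads as if the feature were on. State that the option is off here and that `yes` prints the ASCII-art fingerprint. In the HashKnownHosts comment, "make them so unusable for" should be "make them unusable for"; since the comment says "new host keys", it is also worth spelling out that only entries added after this setting takes effect are hashed and existing plain-text entries in known_hosts are left as they are.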
++++++ openssh-5.8p1-sshd_config.diff ++++++
Index: ssh_config
===================================================================
--- ssh_config.orig
+++ ssh_config
@@ -17,9 +17,20 @@
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
-# Host *
+Host *
# ForwardAgent no
# ForwardX11 no
+
+# If you do not trust your remote host (or its administrator), you
+# should not forward X11 connections to your local X11-display for
+# security reasons: Someone stealing the authentification data on the
+# remote side (the "spoofed" X-server by the remote sshd) can read your
+# keystrokes as you type, just like any other X11 client could do.
+# Set this to "no" here for global effect or in your own ~/.ssh/config
+# file if you want to have the remote X11 authentification data to
+# expire after two minutes after remote login.
+ForwardX11Trusted yes
+
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
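Review bot: `authentification` (twice) should be `authentication`, and "to expire after two minutes after remote login" reads better as "to expire two minutes after login". More importantly, the comment explains at length why forwarding to an untrusted host is unsafe and tells the reader to set the option to "no", yet the value being set is `ForwardX11Trusted yes`; state plainly that the package deliberately sets `yes` for convenience and that "no" is the safer choice, so the reader is not left to guess which way the default goes. Uncommenting `Host *` is required for the directives that follow to apply, but it also means every commented example below it becomes active the moment someone removes its `#`; a one-line comment on the `Host *` line pointing that out would help.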
Index: sshd_config
===================================================================
--- sshd_config.orig
+++ sshd_config
@@ -87,7 +87,7 @@
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
-#X11Forwarding no
+X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
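Review bot: this flips the server setting from the commented-out `#X11Forwarding no` to an active `X11Forwarding yes` without a comment. Add a line above it saying that the package enables X11 forwarding by default (the removed line documents the value that was shipped before), so administrators reading the file know this is a distribution choice rather than the setting the file originally carried.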
Index: sshlogin.c
===================================================================
--- sshlogin.c.orig
+++ sshlogin.c
@@ -133,6 +133,7 @@ record_login(pid_t pid, const char *tty,
li = login_alloc_entry(pid, user, host, tty);
login_set_addr(li, addr, addrlen);
+ li->uid=uid;
login_login(li);
login_free_entry(li);
}
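Review bot: `li->uid=uid;` is a code change to sshlogin.c bundled inside openssh-5.8p1-sshd_config.diff, which by its name is a configuration patch; move it to its own patch (or to the loginrec-related pts patch) so the config patch can be dropped or rebased on its own. Style: OpenSSH writes `li->uid = uid;` with spaces around the assignment. Where `uid` comes from is not visible in this hunk; confirm it is the `record_login()` parameter and not a global.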
++++++ openssh-5.8p1-xauth.diff ++++++
Index: session.c
===================================================================
--- session.c.orig
+++ session.c
@@ -2463,8 +2463,40 @@ void
session_close(Session *s)
{
u_int i;
+ int do_xauth;
debug("session_close: session %d pid %ld", s->self, (long)s->pid);
+
+ do_xauth = s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
+ if (do_xauth && options.xauth_location != NULL) {
+ pid_t pid;
+ FILE *f;
+ char cmd[1024];
+ struct passwd * pw = s->pw;
+
+ if (!(pid = fork())) {
+ permanently_set_uid(pw);
+
+ /* Remove authority data from .Xauthority if appropriate. */
+ debug("Running %.500s remove %.100s\n",
+ options.xauth_location, s->auth_display);
+
+ snprintf(cmd, sizeof cmd, "unset XAUTHORITY && HOME=\"%.200s\" %s -q -",
+ s->pw->pw_dir, options.xauth_location);
+ f = popen(cmd, "w");
+ if (f) {
+ fprintf(f, "remove %s\n", s->auth_display);
+ pclose(f);
+ } else
+ error("Could not run %s\n", cmd);
+ exit(0);
+ } else if (pid > 0) {
+ int status;
+
+ waitpid(pid, &status, 0);
+ }
+ }
+
if (s->ttyfd != -1)
session_pty_cleanup(s);
if (s->term)
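Review bot: the fork path `if (!(pid = fork()))` treats a failed fork (`pid == -1`) like a parent with nothing to wait for: the `else if (pid > 0)` branch is skipped and the failure is never logged, so under fork pressure the xauth entry is silently left in place. Add an `else error("fork: %s", strerror(errno));` branch. In the child, `exit(0)` should be `_exit(0)`, otherwise the child runs sshd's atexit handlers and flushes stdio buffers it inherited. The `debug()` and `error()` format strings end in `\n`, which the OpenSSH log routines add themselves. `pw_dir` is interpolated into a shell command inside double quotes with only `%.200s` as protection; it comes from the password database, so it is administrator-controlled, but a home directory containing `"` or `$` would break or alter the command, and since the same xauth invocation exists in `do_rc_files()` any change here should be mirrored there. Minor: `struct passwd * pw = s->pw;` is declared but the code then uses `s->pw->pw_dir` directly; use one or the other.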
++++++ openssh-5.8p1-xauthlocalhostname.diff ++++++
Index: session.c
===================================================================
--- session.c.orig
+++ session.c
@@ -1116,7 +1116,7 @@ copy_environment(char **source, char ***
}
static char **
-do_setup_env(Session *s, const char *shell)
+do_setup_env(Session *s, const char *shell, int *env_size)
{
char buf[256];
u_int i, envsize;
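Review bot: the new out-parameter is declared `int *env_size`, but the variable it receives, `envsize` on the last line of this hunk, is a `u_int`; declare it `u_int *env_size` so that `*env_size = envsize;` in the next hunk and the later `child_set_env(&env, env_size, ...)` call do not mix signed and unsigned sizes or produce incompatible-pointer warnings.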
@@ -1303,6 +1303,8 @@ do_setup_env(Session *s, const char *she
for (i = 0; env[i]; i++)
fprintf(stderr, " %.200s\n", env[i]);
}
+
+ *env_size = envsize;
return env;
}
@@ -1311,7 +1313,7 @@ do_setup_env(Session *s, const char *she
* first in this order).
*/
static void
-do_rc_files(Session *s, const char *shell)
+do_rc_files(Session *s, const char *shell, char **env, int *env_size)
{
FILE *f = NULL;
char cmd[1024];
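Review bot: `do_rc_files()` now receives `char **env` by value and, in the next hunk, passes `&env` to `child_set_env()`. The only reason to hand `child_set_env()` the `env_size` is so that it can grow the array; if it does, the reallocated block is stored in the local `env` and the caller's `env` in `do_child()` still points at the old one, which is what later gets executed with. Take `char ***env` (or return the possibly-new pointer) and pass `&env` from `do_child()` so the reallocation is visible to the caller.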
@@ -1365,12 +1367,20 @@ do_rc_files(Session *s, const char *shel
options.xauth_location);
f = popen(cmd, "w");
if (f) {
+ char hostname[MAXHOSTNAMELEN];
+
fprintf(f, "remove %s\n",
s->auth_display);
fprintf(f, "add %s %s %s\n",
s->auth_display, s->auth_proto,
s->auth_data);
pclose(f);
+ if (gethostname(hostname,sizeof(hostname)) >= 0)
+ child_set_env(&env,env_size,"XAUTHLOCALHOSTNAME",
+ hostname);
+ else
+ debug("Cannot set up XAUTHLOCALHOSTNAME %s\n",
+ strerror(errno));
} else {
fprintf(stderr, "Could not run %s\n",
cmd);
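Review bot: `gethostname()` is not guaranteed to NUL-terminate `hostname` when the real name is longer than `sizeof(hostname)`; set `hostname[sizeof(hostname) - 1] = '\0';` after the call (or reject the truncated case), since the buffer is then passed to `child_set_env()` as a string. The `debug()` format string ends in `\n`, which the log routines add themselves, and `gethostname(hostname,sizeof(hostname))` / `child_set_env(&env,env_size,"XAUTHLOCALHOSTNAME",` lack the spaces after commas used elsewhere in this file.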
@@ -1608,6 +1618,7 @@ do_child(Session *s, const char *command
{
extern char **environ;
char **env;
+ int env_size;
char *argv[ARGV_MAX];
const char *shell, *shell0, *hostname = NULL;
struct passwd *pw = s->pw;
@@ -1674,7 +1685,7 @@ do_child(Session *s, const char *command
* Make sure $SHELL points to the shell from the password file,
* even if shell is overridden from login.conf
*/
- env = do_setup_env(s, shell);
+ env = do_setup_env(s, shell, &env_size);
#ifdef HAVE_LOGIN_CAP
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
@@ -1743,7 +1754,7 @@ do_child(Session *s, const char *command
closefrom(STDERR_FILENO + 1);
if (!options.use_login)
- do_rc_files(s, shell);
+ do_rc_files(s, shell, env, &env_size);
/* restore SIGPIPE for child */
signal(SIGPIPE, SIG_DFL);
++++++ ssh-askpass ++++++
#!/bin/bash
# ssh-askpass dispatcher: pick the passphrase dialog that matches the running
# desktop session, falling back to the plain X11 helper.
SESSION=
# 1. Use the session name set by the display manager, if any.
case "$DESKTOP_SESSION" in
kde) SESSION=kde ;;
gnome) SESSION=gnome ;;
esac
# 2. Otherwise guess from the window manager binary name.
if [ -z "$SESSION" ] ; then
WM="${WINDOWMANAGER##*/}"
case "$WM" in
*kde*) SESSION=kde ;;
*gnome*) SESSION=gnome ;;
esac
fi
# 3. Otherwise look for the markers KDE and GNOME export into the environment.
if [ -z "$SESSION" ] ; then
if [ -n "$KDE_FULL_SESSION" ] ; then
SESSION=kde
fi
if [ -n "$GNOME_DESKTOP_SESSION_ID" ] ; then
SESSION=gnome
fi
fi
GNOME_SSH_ASKPASS="/usr/lib/ssh/gnome-ssh-askpass"
KDE_SSH_ASKPASS="/usr/lib/ssh/ksshaskpass"
X11_SSH_ASKPASS="/usr/lib/ssh/x11-ssh-askpass"
# Exec the matching helper with the original arguments; if the desktop-specific
# helper is not installed, use the X11 one.
case "$SESSION" in
gnome)
if [ -f "$GNOME_SSH_ASKPASS" ]; then
exec "$GNOME_SSH_ASKPASS" ${1+"$@"}
else
exec "$X11_SSH_ASKPASS" ${1+"$@"}
fi
;;
kde)
if [ -f "$KDE_SSH_ASKPASS" ]; then
exec "$KDE_SSH_ASKPASS" ${1+"$@"}
else
exec "$X11_SSH_ASKPASS" ${1+"$@"}
fi
;;
*)
exec "$X11_SSH_ASKPASS" ${1+"$@"}
;;
esac
++++++ ssh.reg ++++++
#############################################################################
#
# OpenSLP registration file
#
# register SSH daemon
#
#############################################################################
# Register the usual sshd, if it is running
service:ssh://$HOSTNAME:22,en,65535
tcp-port=22
description=Secure Shell Daemon
# ssh can get used to copy files with konqueror using the fish:/ protocol
service:fish://$HOSTNAME:22,en,65535
tcp-port=22
description=KDE file transfer via SSH
++++++ sshd.fw ++++++
## Name: Secure Shell Server
## Description: Open ports for Secure Shell Server
# space separated list of allowed TCP ports
TCP="ssh"
++++++ sshd.pamd ++++++
#%PAM-1.0
auth requisite pam_nologin.so
auth include common-auth
account requisite pam_nologin.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session optional pam_lastlog.so silent noupdate showfailed
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org