commit openssh for openSUSE:Factory
Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at Tue Feb 1 15:14:06 CET 2011. -------- --- openssh/openssh-askpass-gnome.changes 2011-01-12 13:39:34.000000000 +0100 +++ /mounts/work_src_done/STABLE/openssh/openssh-askpass-gnome.changes 2011-01-25 12:04:54.000000000 +0100 @@ -1,0 +2,5 @@ +Mon Jan 24 11:51:10 UTC 2011 - lchiquitto@novell.com + +- Update to 5.7p1 + +------------------------------------------------------------------- --- openssh/openssh.changes 2011-01-12 13:39:35.000000000 +0100 +++ /mounts/work_src_done/STABLE/openssh/openssh.changes 2011-01-25 11:29:04.000000000 +0100 
@@ -1,0 +2,36 @@ +Mon Jan 24 11:24:59 UTC 2011 - lchiquitto@novell.com + +- Update to 5.7p1 + * Implement Elliptic Curve Cryptography modes for key exchange (ECDH) + and host/user keys (ECDSA) as specified by RFC5656. + * sftp(1)/sftp-server(8): add a protocol extension to support a hard + link operation. + * scp(1): Add a new -3 option to scp: Copies between two remote hosts + are transferred through the local host. + * ssh(1): automatically order the hostkeys requested by the client + based on which hostkeys are already recorded in known_hosts. + * ssh(1)/sshd(8): add a new IPQoS option to specify arbitrary + TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput. + * sftp(1): the sftp client is now significantly faster at performing + directory listings, using OpenBSD glob(3) extensions to preserve + the results of stat(3) operations performed in the course of its + execution rather than performing expensive round trips to fetch + them again afterwards. + * ssh(1): "atomically" create the listening mux socket by binding it on + a temporary name and then linking it into position after listen() has + succeeded. + * ssh(1)/sshd(8): add a KexAlgorithms knob to the client and server + configuration to allow selection of which key exchange methods are + used by ssh(1) and sshd(8) and their order of preference. + * sftp(1)/scp(1): factor out bandwidth limiting code from scp(1) into + a generic bandwidth limiter that can be attached using the atomicio + callback mechanism and use it to add a bandwidth limit option to + sftp(1). + * Support building against openssl-1.0.0a. + * Bug fixes. +- Remove patches that are now upstream: + * openssh-5.6p1-tmpdir.diff + * openssh-linux-new-oomkill.patch +- Add upstream patch to fix build with SELinux enabled. 
+ +------------------------------------------------------------------- calling whatdependson for head-i586 Old: ---- openssh-5.6p1-askpass-fix.diff openssh-5.6p1-audit.patch openssh-5.6p1-blocksigalrm.diff openssh-5.6p1-default-protocol.diff openssh-5.6p1.dif openssh-5.6p1-eal3.diff openssh-5.6p1-engines.diff openssh-5.6p1-gssapimitm.patch openssh-5.6p1-homechroot.patch openssh-5.6p1-host_ident.diff openssh-5.6p1-pam-fix2.diff openssh-5.6p1-pam-fix3.diff openssh-5.6p1-pts.diff openssh-5.6p1-saveargv-fix.diff openssh-5.6p1-send_locale.diff openssh-5.6p1-sshconfig-knownhostschanges.diff openssh-5.6p1.tar.bz2 openssh-5.6p1-tmpdir.diff openssh-5.6p1-xauth.diff openssh-5.6p1-xauthlocalhostname.diff openssh-linux-new-oomkill.patch New: ---- openssh-5.7p1-askpass-fix.diff openssh-5.7p1-audit.patch openssh-5.7p1-blocksigalrm.diff openssh-5.7p1-default-protocol.diff openssh-5.7p1.dif openssh-5.7p1-eal3.diff openssh-5.7p1-engines.diff openssh-5.7p1-gssapimitm.patch openssh-5.7p1-homechroot.patch openssh-5.7p1-host_ident.diff openssh-5.7p1-pam-fix2.diff openssh-5.7p1-pam-fix3.diff openssh-5.7p1-pts.diff openssh-5.7p1-saveargv-fix.diff openssh-5.7p1-selinux.diff openssh-5.7p1-send_locale.diff openssh-5.7p1-sshconfig-knownhostschanges.diff openssh-5.7p1.tar.bz2 openssh-5.7p1-xauth.diff openssh-5.7p1-xauthlocalhostname.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssh-askpass-gnome.spec ++++++ --- /var/tmp/diff_new_pack.jy15Tc/_old 2011-02-01 15:11:50.000000000 +0100 +++ /var/tmp/diff_new_pack.jy15Tc/_new 2011-02-01 15:11:50.000000000 +0100 @@ -1,5 +1,5 @@ # -# spec file for package openssh-askpass-gnome (Version 5.6p1) +# spec file for package openssh-askpass-gnome # # Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # 
@@ -22,8 +22,8 @@ BuildRequires: gtk2-devel krb5-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files License: BSD3c(or similar) Group: Productivity/Networking/SSH -Version: 5.6p1 -Release: 8 +Version: 5.7p1 +Release: 1 Requires: openssh = %{version} openssh-askpass = %{version} AutoReqProv: on Summary: A GNOME-Based Passphrase Dialog for OpenSSH ++++++ openssh.spec ++++++ --- /var/tmp/diff_new_pack.jy15Tc/_old 2011-02-01 15:11:50.000000000 +0100 +++ /var/tmp/diff_new_pack.jy15Tc/_new 2011-02-01 15:11:50.000000000 +0100 @@ -1,5 +1,5 @@ # -# spec file for package openssh (Version 5.6p1) +# spec file for package openssh # # Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -29,8 +29,8 @@ PreReq: pwdutils %insserv_prereq %fillup_prereq coreutils Conflicts: nonfreessh AutoReqProv: on -Version: 5.6p1 -Release: 8 +Version: 5.7p1 +Release: 1 %define xversion 1.2.4.1 Summary: Secure Shell Client and Server (Remote Login Program) Url: http://www.openssh.com/ @@ -55,7 +55,6 @@ Patch8: %{name}-%{version}-blocksigalrm.diff Patch9: %{name}-%{version}-send_locale.diff Patch10: %{name}-%{version}-xauthlocalhostname.diff -Patch11: %{name}-%{version}-tmpdir.diff Patch12: %{name}-%{version}-xauth.diff Patch14: %{name}-%{version}-default-protocol.diff Patch15: %{name}-%{version}-audit.patch @@ -63,7 +62,7 @@ Patch17: %{name}-%{version}-homechroot.patch Patch18: %{name}-%{version}-sshconfig-knownhostschanges.diff Patch19: %{name}-%{version}-host_ident.diff -Patch20: openssh-linux-new-oomkill.patch +Patch20: %{name}-%{version}-selinux.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %package askpass @@ -101,7 +100,6 @@ %patch8 %patch9 %patch10 -%patch11 %patch12 %patch14 %patch15 -p1 
@@ -109,7 +107,7 @@ %patch17 %patch18 %patch19 -p1 -%patch20 +%patch20 -p1 cp -v %{SOURCE4} . cp -v %{SOURCE6} . cd ../x11-ssh-askpass-%{xversion} ++++++ openssh-5.6p1-askpass-fix.diff -> openssh-5.7p1-askpass-fix.diff ++++++ --- openssh/openssh-5.6p1-askpass-fix.diff 2010-08-24 15:52:51.000000000 +0200 +++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-askpass-fix.diff 2011-01-25 11:29:00.000000000 +0100 @@ -1,6 +1,8 @@ ---- x11-ssh-askpass.c +Index: x11-ssh-askpass.c +=================================================================== +--- x11-ssh-askpass.c.orig +++ x11-ssh-askpass.c -@@ -1301,7 +1301,7 @@ +@@ -1301,7 +1301,7 @@ void handleKeyPress(AppInfo *app, XEvent } } @@ -9,7 +11,7 @@ { /* 'gcc -Wall' complains about 'app' being an unused parameter. * Tough. We might want to use it later, and then we don't have -@@ -1343,11 +1343,11 @@ +@@ -1343,11 +1343,11 @@ void handleButtonPress(AppInfo *app, XEv return; } if (ButtonPress == event->type) { @@ -23,7 +25,7 @@ d->pressedButton = CANCEL_BUTTON; d->cancelButton.pressed = True; paintButton(app, d->dialogWindow, d->cancelButton); -@@ -1356,7 +1356,7 @@ +@@ -1356,7 +1356,7 @@ void handleButtonPress(AppInfo *app, XEv } } else if (ButtonRelease == event->type) { if (OK_BUTTON == d->pressedButton) { @@ -32,7 +34,7 @@ acceptAction(app); } else { if (d->okButton.pressed) { -@@ -1365,7 +1365,7 @@ +@@ -1365,7 +1365,7 @@ void handleButtonPress(AppInfo *app, XEv } } } else if (CANCEL_BUTTON == d->pressedButton) { @@ -41,7 +43,7 @@ cancelAction(app); } else { if (d->cancelButton.pressed) { -@@ -1385,7 +1385,7 @@ +@@ -1385,7 +1385,7 @@ void handlePointerMotion(AppInfo *app, X if (NO_BUTTON == d->pressedButton) { return; } else if (OK_BUTTON == d->pressedButton) { 
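Review bot: Patch slot 20 is reused for an unrelated patch — the line that held `openssh-linux-new-oomkill.patch` now holds `%{name}-%{version}-selinux.diff`, applied with `%patch20 -p1` — and nothing in the spec records where the SELinux patch comes from even though the changelog calls it upstream. Reusing a number makes the package history harder to audit and the patch harder to match against its upstream commit, which is exactly the trail a later security review needs; a fresh `Patch21:` slot with an openSUSE-style tag keeps it intact, e.g. `# PATCH-FIX-UPSTREAM openssh-5.7p1-selinux.diff -- fix build with SELinux enabled (upstream commit id to be recorded)`. The `Patch11`/`%patch11` removal is consistent with the changelog entry that says the tmpdir change went upstream.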
@@ -50,7 +52,7 @@ if (!(d->okButton.pressed)) { d->okButton.pressed = True; paintButton(app, d->dialogWindow, d->okButton); -@@ -1397,7 +1397,7 @@ +@@ -1397,7 +1397,7 @@ void handlePointerMotion(AppInfo *app, X } } } else if (CANCEL_BUTTON == d->pressedButton) { @@ -59,9 +61,11 @@ if (!(d->cancelButton.pressed)) { d->cancelButton.pressed = True; paintButton(app, d->dialogWindow, d->cancelButton); ---- x11-ssh-askpass.h +Index: x11-ssh-askpass.h +=================================================================== +--- x11-ssh-askpass.h.orig +++ x11-ssh-askpass.h -@@ -258,7 +258,7 @@ +@@ -258,7 +258,7 @@ void erasePassphrase(AppInfo *app); void addToPassphrase(AppInfo *app, char c); void handleKeyPress(AppInfo *app, XEvent *event); ++++++ openssh-5.6p1-audit.patch -> openssh-5.7p1-audit.patch ++++++ --- openssh/openssh-5.6p1-audit.patch 2010-08-24 15:52:52.000000000 +0200 +++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-audit.patch 2011-01-24 12:48:01.000000000 +0100 @@ -1,9 +1,9 @@ # add support for Linux audit (FATE #120269) ================================================================================ -Index: openssh-5.6p1/Makefile.in +Index: openssh-5.7p1/Makefile.in =================================================================== ---- openssh-5.6p1.orig/Makefile.in -+++ openssh-5.6p1/Makefile.in +--- openssh-5.7p1.orig/Makefile.in ++++ openssh-5.7p1/Makefile.in @@ -46,6 +46,7 @@ LD=@LD@ CFLAGS=@CFLAGS@ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ @@ -12,7 +12,7 @@ SSHDLIBS=@SSHDLIBS@ LIBEDIT=@LIBEDIT@ AR=@AR@ -@@ -142,7 +143,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SS +@@ -145,7 +146,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SS $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) 
@@ -21,10 +21,10 @@ scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -Index: openssh-5.6p1/auth.c +Index: openssh-5.7p1/auth.c =================================================================== ---- openssh-5.6p1.orig/auth.c -+++ openssh-5.6p1/auth.c +--- openssh-5.7p1.orig/auth.c ++++ openssh-5.7p1/auth.c @@ -293,6 +293,12 @@ auth_log(Authctxt *authctxt, int authent get_canonical_hostname(options.use_dns), "ssh", &loginmsg); # endif @@ -38,7 +38,7 @@ #ifdef SSH_AUDIT_EVENTS if (authenticated == 0 && !authctxt->postponed) audit_event(audit_classify_auth(method)); -@@ -586,6 +592,10 @@ getpwnamallow(const char *user) +@@ -592,6 +598,10 @@ getpwnamallow(const char *user) record_failed_login(user, get_canonical_hostname(options.use_dns), "ssh"); #endif @@ -49,11 +49,11 @@ #ifdef SSH_AUDIT_EVENTS audit_event(SSH_INVALID_USER); #endif /* SSH_AUDIT_EVENTS */ -Index: openssh-5.6p1/config.h.in +Index: openssh-5.7p1/config.h.in =================================================================== ---- openssh-5.6p1.orig/config.h.in -+++ openssh-5.6p1/config.h.in -@@ -1424,6 +1424,9 @@ +--- openssh-5.7p1.orig/config.h.in ++++ openssh-5.7p1/config.h.in +@@ -1460,6 +1460,9 @@ /* Define if you want SELinux support. */ #undef WITH_SELINUX @@ -63,11 +63,11 @@ /* Define to 1 if your processor stores words with the most significant byte first (like Motorola and SPARC, unlike Intel and VAX). */ #undef WORDS_BIGENDIAN -Index: openssh-5.6p1/configure.ac +Index: openssh-5.7p1/configure.ac =================================================================== ---- openssh-5.6p1.orig/configure.ac -+++ openssh-5.6p1/configure.ac -@@ -3393,6 +3393,20 @@ AC_ARG_WITH(selinux, +--- openssh-5.7p1.orig/configure.ac ++++ openssh-5.7p1/configure.ac +@@ -3521,6 +3521,20 @@ AC_ARG_WITH(selinux, fi ] ) 
@@ -88,7 +88,7 @@ # Check whether user wants Kerberos 5 support KRB5_MSG="no" AC_ARG_WITH(kerberos5, -@@ -4185,6 +4199,7 @@ echo " PAM support +@@ -4315,6 +4329,7 @@ echo " PAM support echo " OSF SIA support: $SIA_MSG" echo " KerberosV support: $KRB5_MSG" echo " SELinux support: $SELINUX_MSG" @@ -96,10 +96,10 @@ echo " Smartcard support: $SCARD_MSG" echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" -Index: openssh-5.6p1/loginrec.c +Index: openssh-5.7p1/loginrec.c =================================================================== ---- openssh-5.6p1.orig/loginrec.c -+++ openssh-5.6p1/loginrec.c +--- openssh-5.7p1.orig/loginrec.c ++++ openssh-5.7p1/loginrec.c @@ -176,6 +176,10 @@ #include "auth.h" #include "buffer.h" @@ -121,7 +121,7 @@ int lastlog_write_entry(struct logininfo *li); int syslogin_write_entry(struct logininfo *li); -@@ -441,6 +448,10 @@ login_write(struct logininfo *li) +@@ -442,6 +449,10 @@ login_write(struct logininfo *li) /* set the timestamp */ login_set_current_time(li); @@ -132,7 +132,7 @@ #ifdef USE_LOGIN syslogin_write_entry(li); #endif -@@ -1399,6 +1410,87 @@ wtmpx_get_entry(struct logininfo *li) +@@ -1406,6 +1417,87 @@ wtmpx_get_entry(struct logininfo *li) } #endif /* USE_WTMPX */ @@ -220,10 +220,10 @@ /** ** Low-level libutil login() functions **/ -Index: openssh-5.6p1/loginrec.h +Index: openssh-5.7p1/loginrec.h =================================================================== ---- openssh-5.6p1.orig/loginrec.h -+++ openssh-5.6p1/loginrec.h +--- openssh-5.7p1.orig/loginrec.h ++++ openssh-5.7p1/loginrec.h @@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch char *line_abbrevname(char *dst, const char *src, int dstsize); ++++++ openssh-5.6p1-blocksigalrm.diff -> openssh-5.7p1-blocksigalrm.diff ++++++ --- openssh/openssh-5.6p1-blocksigalrm.diff 2010-08-24 15:52:52.000000000 +0200 +++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-blocksigalrm.diff 2011-01-24 12:48:02.000000000 +0100 
@@ -1,4 +1,6 @@ ---- log.c +Index: log.c +=================================================================== +--- log.c.orig +++ log.c @@ -51,6 +51,7 @@ @@ -8,7 +10,7 @@ static LogLevel log_level = SYSLOG_LEVEL_INFO; static int log_on_stderr = 1; -@@ -336,6 +337,7 @@ +@@ -336,6 +337,7 @@ do_log(LogLevel level, const char *fmt, char fmtbuf[MSGBUFSIZ]; char *txt = NULL; int pri = LOG_INFO; @@ -16,22 +18,22 @@ int saved_errno = errno; if (level > log_level) -@@ -387,6 +389,14 @@ +@@ -387,6 +389,14 @@ do_log(LogLevel level, const char *fmt, snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf); write(STDERR_FILENO, msgbuf, strlen(msgbuf)); } else { + /* Prevent a race between the grace_alarm + * which writes a log message and terminates -+ * and main sshd code that leads to deadlock ++ * and main sshd code that leads to deadlock + * as syslog is not async safe. -+ */ ++ */ + sigemptyset(&nset); + sigaddset(&nset, SIGALRM); + sigprocmask(SIG_BLOCK, &nset, &oset); #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata); syslog_r(pri, &sdata, "%.500s", fmtbuf); -@@ -396,6 +406,7 @@ +@@ -396,6 +406,7 @@ do_log(LogLevel level, const char *fmt, syslog(pri, "%.500s", fmtbuf); closelog(); #endif ++++++ openssh-5.6p1-default-protocol.diff -> openssh-5.7p1-default-protocol.diff ++++++ ++++++ openssh-5.6p1.dif -> openssh-5.7p1.dif ++++++ --- openssh/openssh-5.6p1.dif 2010-08-24 15:52:58.000000000 +0200 +++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1.dif 2011-01-24 12:48:19.000000000 +0100 
@@ -17,7 +17,7 @@ +# remote side (the "spoofed" X-server by the remote sshd) can read your +# keystrokes as you type, just like any other X11 client could do. +# Set this to "no" here for global effect or in your own ~/.ssh/config -+# file if you want to have the remote X11 authentification data to ++# file if you want to have the remote X11 authentification data to +# expire after two minutes after remote login. +ForwardX11Trusted yes + @@ -28,12 +28,12 @@ =================================================================== --- sshd_config.orig +++ sshd_config -@@ -86,7 +86,7 @@ +@@ -87,7 +87,7 @@ #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no -#X11Forwarding no -+X11Forwarding yes ++X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes ++++++ openssh-5.6p1-eal3.diff -> openssh-5.7p1-eal3.diff ++++++ --- openssh/openssh-5.6p1-eal3.diff 2010-08-24 15:52:53.000000000 +0200 +++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-eal3.diff 2011-01-24 12:48:04.000000000 +0100 
@@ -1,26 +1,26 @@ -Index: openssh-5.6p1/sshd.8 +Index: openssh-5.7p1/sshd.8 =================================================================== ---- openssh-5.6p1.orig/sshd.8 -+++ openssh-5.6p1/sshd.8 -@@ -850,7 +850,7 @@ Contains Diffie-Hellman groups used for +--- openssh-5.7p1.orig/sshd.8 ++++ openssh-5.7p1/sshd.8 +@@ -855,7 +855,7 @@ Contains Diffie-Hellman groups used for The file format is described in .Xr moduli 5 . .Pp --.It /etc/motd -+.It /etc/lib/motd +-.It Pa /etc/motd ++.It Pa /etc/lib/motd See .Xr motd 5 . .Pp -@@ -863,7 +863,7 @@ are displayed to anyone trying to log in +@@ -868,7 +868,7 @@ are displayed to anyone trying to log in refused. The file should be world-readable. .Pp --.It /etc/shosts.equiv -+.It /etc/ssh/shosts.equiv +-.It Pa /etc/shosts.equiv ++.It Pa /etc/ssh/shosts.equiv This file is used in exactly the same way as .Pa hosts.equiv , but allows host-based authentication without permitting login with -@@ -940,8 +940,7 @@ The content of this file is not sensitiv +@@ -947,8 +947,7 @@ The content of this file is not sensitiv .Xr ssh-keyscan 1 , .Xr chroot 2 , .Xr hosts_access 5 , @@ -30,11 +30,11 @@ .Xr sshd_config 5 , .Xr inetd 8 , .Xr sftp-server 8 -Index: openssh-5.6p1/sshd_config.5 +Index: openssh-5.7p1/sshd_config.5 =================================================================== ---- openssh-5.6p1.orig/sshd_config.5 -+++ openssh-5.6p1/sshd_config.5 -@@ -496,7 +496,7 @@ or +--- openssh-5.7p1.orig/sshd_config.5 ++++ openssh-5.7p1/sshd_config.5 +@@ -497,7 +497,7 @@ or .Pp .Pa /etc/hosts.equiv and ++++++ openssh-5.6p1-engines.diff -> openssh-5.7p1-engines.diff ++++++ --- openssh/openssh-5.6p1-engines.diff 2010-08-24 15:52:53.000000000 +0200 +++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-engines.diff 2011-01-24 12:48:05.000000000 +0100 
@@ -1,7 +1,7 @@ -Index: openssh-5.6p1/ssh-add.c +Index: openssh-5.7p1/ssh-add.c =================================================================== ---- openssh-5.6p1.orig/ssh-add.c -+++ openssh-5.6p1/ssh-add.c +--- openssh-5.7p1.orig/ssh-add.c ++++ openssh-5.7p1/ssh-add.c @@ -43,6 +43,7 @@ #include <openssl/evp.h> @@ -10,9 +10,9 @@ #include <fcntl.h> #include <pwd.h> -@@ -374,6 +375,10 @@ main(int argc, char **argv) +@@ -377,6 +378,10 @@ main(int argc, char **argv) - SSLeay_add_all_algorithms(); + OpenSSL_add_all_algorithms(); + /* Init available hardware crypto engines. */ + ENGINE_load_builtin_engines(); @@ -21,10 +21,10 @@ /* At first, get a connection to the authentication agent. */ ac = ssh_get_authentication_connection(); if (ac == NULL) { -Index: openssh-5.6p1/ssh-agent.c +Index: openssh-5.7p1/ssh-agent.c =================================================================== ---- openssh-5.6p1.orig/ssh-agent.c -+++ openssh-5.6p1/ssh-agent.c +--- openssh-5.7p1.orig/ssh-agent.c ++++ openssh-5.7p1/ssh-agent.c @@ -52,6 +52,7 @@ #include <openssl/evp.h> #include <openssl/md5.h> @@ -33,9 +33,9 @@ #include <errno.h> #include <fcntl.h> -@@ -1094,6 +1095,10 @@ main(int ac, char **av) +@@ -1153,6 +1154,10 @@ main(int ac, char **av) - SSLeay_add_all_algorithms(); + OpenSSL_add_all_algorithms(); + /* Init available hardware crypto engines. */ + ENGINE_load_builtin_engines(); @@ -44,10 +44,10 @@ __progname = ssh_get_progname(av[0]); init_rng(); seed_rng(); -Index: openssh-5.6p1/ssh-keygen.c +Index: openssh-5.7p1/ssh-keygen.c =================================================================== ---- openssh-5.6p1.orig/ssh-keygen.c -+++ openssh-5.6p1/ssh-keygen.c +--- openssh-5.7p1.orig/ssh-keygen.c ++++ openssh-5.7p1/ssh-keygen.c @@ -22,6 +22,7 @@ #include <openssl/evp.h> #include <openssl/pem.h> 
@@ -56,10 +56,10 @@ #include <errno.h> #include <fcntl.h> -@@ -1782,6 +1783,11 @@ main(int argc, char **argv) +@@ -1815,6 +1816,11 @@ main(int argc, char **argv) __progname = ssh_get_progname(argv[0]); - SSLeay_add_all_algorithms(); + OpenSSL_add_all_algorithms(); + + /* Init available hardware crypto engines. */ + ENGINE_load_builtin_engines(); @@ -68,10 +68,10 @@ log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); init_rng(); -Index: openssh-5.6p1/ssh-keysign.c +Index: openssh-5.7p1/ssh-keysign.c =================================================================== ---- openssh-5.6p1.orig/ssh-keysign.c -+++ openssh-5.6p1/ssh-keysign.c +--- openssh-5.7p1.orig/ssh-keysign.c ++++ openssh-5.7p1/ssh-keysign.c @@ -38,6 +38,7 @@ #include <openssl/evp.h> #include <openssl/rand.h> @@ -83,7 +83,7 @@ @@ -195,6 +196,11 @@ main(int argc, char **argv) fatal("could not open any host key"); - SSLeay_add_all_algorithms(); + OpenSSL_add_all_algorithms(); + + /* Init available hardware crypto engines. */ + ENGINE_load_builtin_engines(); @@ -92,11 +92,11 @@ for (i = 0; i < 256; i++) rnd[i] = arc4random(); RAND_seed(rnd, sizeof(rnd)); -Index: openssh-5.6p1/ssh.c +Index: openssh-5.7p1/ssh.c =================================================================== ---- openssh-5.6p1.orig/ssh.c -+++ openssh-5.6p1/ssh.c -@@ -74,6 +74,7 @@ +--- openssh-5.7p1.orig/ssh.c ++++ openssh-5.7p1/ssh.c +@@ -75,6 +75,7 @@ #include <openssl/err.h> #include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/sys-queue.h" @@ -104,8 +104,8 @@ #include "xmalloc.h" #include "ssh.h" -@@ -602,6 +603,10 @@ main(int ac, char **av) - SSLeay_add_all_algorithms(); +@@ -601,6 +602,10 @@ main(int ac, char **av) + OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); + /* Init available hardware crypto engines. */ 
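Review bot: The ssh-keysign.c hunk calls `ENGINE_load_builtin_engines()` in a helper that is installed setuid root, right after the host keys have been opened (`fatal("could not open any host key")` is the preceding line), and the patch does not say whether this runs before or after ssh-keysign gives up its privileges, nor why a host-based signing helper needs hardware engines at all. Loading engines enlarges the code that executes in that process, and if the lines hidden after the load call register them as default methods (as `ENGINE_register_all_complete()` would), an engine can silently take over the RSA/DSA signing path used for the hostbased challenge. Please confirm the ordering against the privilege drop and record it next to the call, e.g. `/* Engines are initialised only after the host keys are read and privileges are dropped; a misbehaving engine must never run as root. */`. main() in ssh-keysign.c continues outside the hunk.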
@@ -115,10 +115,10 @@ /* Initialize the command to execute on remote host. */ buffer_init(&command); -Index: openssh-5.6p1/sshd.c +Index: openssh-5.7p1/sshd.c =================================================================== ---- openssh-5.6p1.orig/sshd.c -+++ openssh-5.6p1/sshd.c +--- openssh-5.7p1.orig/sshd.c ++++ openssh-5.7p1/sshd.c @@ -77,6 +77,7 @@ #include <openssl/md5.h> #include <openssl/rand.h> @@ -127,9 +127,9 @@ #ifdef HAVE_SECUREWARE #include <sys/security.h> -@@ -1471,6 +1472,10 @@ main(int ac, char **av) +@@ -1474,6 +1475,10 @@ main(int ac, char **av) - SSLeay_add_all_algorithms(); + OpenSSL_add_all_algorithms(); + /* Init available hardware crypto engines. */ + ENGINE_load_builtin_engines(); ++++++ openssh-5.6p1-gssapimitm.patch -> openssh-5.7p1-gssapimitm.patch ++++++ --- openssh/openssh-5.6p1-gssapimitm.patch 2010-08-24 15:52:53.000000000 +0200 +++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-gssapimitm.patch 2011-01-24 12:48:07.000000000 +0100 @@ -22,9 +22,9 @@ SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, &input_gssapi_exchange_complete); + -+ /* -+ * Old style 'gssapi' didn't have the GSSAPI_MIC -+ * and went straight to sending exchange_complete ++ /* ++ * Old style 'gssapi' didn't have the GSSAPI_MIC ++ * and went straight to sending exchange_complete + */ + if (options.gss_enable_mitm) + dispatch_set( @@ -68,7 +68,7 @@ =================================================================== --- readconf.c.orig +++ readconf.c -@@ -126,7 +126,7 @@ typedef enum { +@@ -128,7 +128,7 @@ typedef enum { oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 
@@ -77,7 +77,7 @@ oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oControlPath, oControlMaster, oControlPersist, oHashKnownHosts, -@@ -167,9 +167,11 @@ static struct { +@@ -170,9 +170,11 @@ static struct { #if defined(GSSAPI) { "gssapiauthentication", oGssAuthentication }, { "gssapidelegatecredentials", oGssDelegateCreds }, @@ -89,18 +89,18 @@ #endif { "fallbacktorsh", oDeprecated }, { "usersh", oDeprecated }, -@@ -477,6 +479,10 @@ parse_flag: - case oGssDelegateCreds: +@@ -483,6 +485,10 @@ parse_flag: intptr = &options->gss_deleg_creds; goto parse_flag; -+ + + case oGssEnableMITM: + intptr = &options->gss_enable_mitm; + goto parse_flag; - ++ case oBatchMode: intptr = &options->batch_mode; -@@ -1059,6 +1065,7 @@ initialize_options(Options * options) + goto parse_flag; +@@ -1093,6 +1099,7 @@ initialize_options(Options * options) options->challenge_response_authentication = -1; options->gss_authentication = -1; options->gss_deleg_creds = -1; @@ -108,7 +108,7 @@ options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; -@@ -1158,6 +1165,8 @@ fill_default_options(Options * options) +@@ -1195,6 +1202,8 @@ fill_default_options(Options * options) options->gss_authentication = 0; if (options->gss_deleg_creds == -1) options->gss_deleg_creds = 0; @@ -133,7 +133,7 @@ =================================================================== --- servconf.c.orig +++ servconf.c -@@ -94,6 +94,7 @@ initialize_server_options(ServerOptions +@@ -98,6 +98,7 @@ initialize_server_options(ServerOptions options->kerberos_get_afs_token = -1; options->gss_authentication=-1; options->gss_cleanup_creds = -1; 
@@ -141,7 +141,7 @@ options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; -@@ -217,6 +218,8 @@ fill_default_server_options(ServerOption +@@ -228,6 +229,8 @@ fill_default_server_options(ServerOption options->gss_authentication = 0; if (options->gss_cleanup_creds == -1) options->gss_cleanup_creds = 1; @@ -150,7 +150,7 @@ if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -307,7 +310,7 @@ typedef enum { +@@ -322,7 +325,7 @@ typedef enum { sBanner, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, @@ -159,7 +159,7 @@ sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, sZeroKnowledgePasswordAuthentication, sHostCertificate, -@@ -370,9 +373,11 @@ static struct { +@@ -386,9 +389,11 @@ static struct { #ifdef GSSAPI { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 
@@ -171,22 +171,22 @@ #endif { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, -@@ -929,6 +934,10 @@ process_server_config_line(ServerOptions - case sGssCleanupCreds: +@@ -948,6 +953,10 @@ process_server_config_line(ServerOptions intptr = &options->gss_cleanup_creds; goto parse_flag; -+ + + case sGssEnableMITM: + intptr = &options->gss_enable_mitm; + goto parse_flag; - ++ case sPasswordAuthentication: intptr = &options->password_authentication; + goto parse_flag; Index: servconf.h =================================================================== --- servconf.h.orig +++ servconf.h -@@ -95,6 +95,7 @@ typedef struct { +@@ -98,6 +98,7 @@ typedef struct { * authenticated with Kerberos. */ int gss_authentication; /* If true, permit GSSAPI authentication */ int gss_cleanup_creds; /* If true, destroy cred cache on logout */ @@ -203,11 +203,11 @@ # TunnelDevice any:any # PermitLocalCommand no +# GSSAPIAuthentication no -+# GSSAPIDelegateCredentials no ++# GSSAPIDelegateCredentials no + +# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication +# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included -+# in this release. The use of 'gssapi' is deprecated due to the presence of ++# in this release. The use of 'gssapi' is deprecated due to the presence of +# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to. +# GSSAPIEnableMITMAttack no + @@ -218,7 +218,7 @@ =================================================================== --- sshconnect2.c.orig +++ sshconnect2.c -@@ -263,6 +263,10 @@ Authmethod authmethods[] = { +@@ -324,6 +324,10 @@ Authmethod authmethods[] = { NULL, &options.gss_authentication, NULL}, 
@@ -229,12 +229,12 @@ #endif {"hostbased", userauth_hostbased, -@@ -640,7 +644,9 @@ process_gssapi_token(void *ctxt, gss_buf +@@ -701,7 +705,9 @@ process_gssapi_token(void *ctxt, gss_buf if (status == GSS_S_COMPLETE) { /* send either complete or MIC, depending on mechanism */ - if (!(flags & GSS_C_INTEG_FLAG)) { -+ ++ + if (strcmp(authctxt->method->name,"gssapi")==0 || + (!(flags & GSS_C_INTEG_FLAG))) { packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE); @@ -244,16 +244,15 @@ =================================================================== --- sshd_config.orig +++ sshd_config -@@ -72,6 +72,13 @@ PasswordAuthentication no +@@ -73,6 +73,12 @@ PasswordAuthentication no #GSSAPIAuthentication no #GSSAPICleanupCredentials yes +# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication +# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included -+# in this release. The use of 'gssapi' is deprecated due to the presence of ++# in this release. The use of 'gssapi' is deprecated due to the presence of +# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to. +#GSSAPIEnableMITMAttack no -+ + # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will ++++++ openssh-5.6p1-homechroot.patch -> openssh-5.7p1-homechroot.patch ++++++ --- openssh/openssh-5.6p1-homechroot.patch 2010-08-24 15:52:54.000000000 +0200 +++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-homechroot.patch 2011-01-24 12:48:08.000000000 +0100 @@ -48,7 +48,7 @@ static void do_authenticated1(Authctxt *); static void do_authenticated2(Authctxt *); -@@ -806,6 +808,11 @@ do_exec(Session *s, const char *command) +@@ -808,6 +810,11 @@ do_exec(Session *s, const char *command) debug("Forced command (key option) '%.900s'", command); } 
@@ -60,7 +60,7 @@ #ifdef SSH_AUDIT_EVENTS if (command != NULL) PRIVSEP(audit_run_command(command)); -@@ -1419,6 +1426,63 @@ do_nologin(struct passwd *pw) +@@ -1421,6 +1428,63 @@ do_nologin(struct passwd *pw) } /* @@ -117,14 +117,14 @@ + } + } + fatal ("chroot into directory without nodev or nosuid"); -+ } ++ } +} + +/* * Chroot into a directory after checking it for safety: all path components * must be root-owned directories with strict permissions. */ -@@ -1428,6 +1492,7 @@ safely_chroot(const char *path, uid_t ui +@@ -1430,6 +1494,7 @@ safely_chroot(const char *path, uid_t ui const char *cp; char component[MAXPATHLEN]; struct stat st; @@ -132,7 +132,7 @@ if (*path != '/') fatal("chroot path does not begin at root"); -@@ -1439,7 +1504,7 @@ safely_chroot(const char *path, uid_t ui +@@ -1441,7 +1506,7 @@ safely_chroot(const char *path, uid_t ui * root-owned directory with strict permissions. */ for (cp = path; cp != NULL;) { @@ -141,7 +141,7 @@ strlcpy(component, path, sizeof(component)); else { cp++; -@@ -1452,14 +1517,20 @@ safely_chroot(const char *path, uid_t ui +@@ -1454,14 +1519,20 @@ safely_chroot(const char *path, uid_t ui if (stat(component, &st) != 0) fatal("%s: stat(\"%s\"): %s", __func__, component, strerror(errno)); @@ -163,7 +163,7 @@ } if (chdir(path) == -1) -@@ -1470,6 +1541,10 @@ safely_chroot(const char *path, uid_t ui +@@ -1472,6 +1543,10 @@ safely_chroot(const char *path, uid_t ui if (chdir("/") == -1) fatal("%s: chdir(/) after chroot: %s", __func__, strerror(errno)); @@ -257,7 +257,7 @@ =================================================================== --- sshd_config.5.orig +++ sshd_config.5 -@@ -269,6 +269,17 @@ inside the chroot directory (see +@@ -268,6 +268,17 @@ inside the chroot directory (see .Xr sftp-server 8 for details). .Pp 
@@ -267,7 +267,7 @@ +%h or +.Cm ChrootDirectory +/some/path/%u. The file system containing this directory must be -+mounted with options nodev and either nosuid or noexec. The owner of the ++mounted with options nodev and either nosuid or noexec. The owner of the +directory should be the user. The ownership of the other components of the path +must fulfill the usual conditions. No aditional files are required to be present +in the directory. ++++++ openssh-5.6p1-host_ident.diff -> openssh-5.7p1-host_ident.diff ++++++ --- openssh/openssh-5.6p1-host_ident.diff 2010-08-24 15:52:54.000000000 +0200 +++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-host_ident.diff 2011-01-24 12:48:10.000000000 +0100 @@ -1,14 +1,14 @@ -Index: openssh-5.5p1/sshconnect.c +Index: openssh-5.7p1/sshconnect.c =================================================================== ---- openssh-5.5p1.orig/sshconnect.c -+++ openssh-5.5p1/sshconnect.c -@@ -916,6 +916,11 @@ check_host_key(char *hostname, struct so - error("Add correct host key in %.100s to get rid of this message.", +--- openssh-5.7p1.orig/sshconnect.c ++++ openssh-5.7p1/sshconnect.c +@@ -958,6 +958,11 @@ check_host_key(char *hostname, struct so user_hostfile); - error("Offending key in %s:%d", host_file, host_line); + error("Offending %s key in %s:%lu", key_type(host_found->key), + host_found->file, host_found->line); + error("You can use following command to remove all keys for this IP:"); -+ if (ip_file) -+ error("ssh-keygen -R %s -f %s", hostname, ip_file); ++ if (host_found->file) ++ error("ssh-keygen -R %s -f %s", hostname, host_found->file); + else + error("ssh-keygen -R %s", hostname); ++++++ openssh-5.6p1-pam-fix2.diff -> openssh-5.7p1-pam-fix2.diff ++++++ --- openssh/openssh-5.6p1-pam-fix2.diff 2010-08-24 15:52:54.000000000 +0200 +++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-pam-fix2.diff 2011-01-24 12:48:11.000000000 +0100 
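Review bot: The rebased hint still says "remove all keys for this IP" but now passes `hostname` and `host_found->file` where the 5.6 version used `ip_file`; per the preceding `Offending %s key in %s:%lu` line, `host_found->file` is whichever known_hosts the offending key was found in, which may be the system-wide file a user cannot edit, and the key removed is the one for the host name rather than the IP. Either match the text to the arguments, `error("You can use following command to remove all keys for this host:");`, or keep the IP-file variant. More importantly, this text is printed on the host-key-mismatch path, so a copy-and-paste removal recipe invites the user to discard the only evidence of a possible man-in-the-middle; consider prefixing it with a sentence telling the user to verify the new key out of band before removing the old one. check_host_key() continues outside the hunk.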
@@ -2,7 +2,7 @@ =================================================================== --- sshd_config.orig +++ sshd_config -@@ -56,7 +56,7 @@ +@@ -57,7 +57,7 @@ #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! @@ -11,7 +11,7 @@ #PermitEmptyPasswords no # Change to no to disable s/key passwords -@@ -81,7 +81,7 @@ +@@ -82,7 +82,7 @@ # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. ++++++ openssh-5.6p1-pam-fix2.diff -> openssh-5.7p1-pam-fix3.diff ++++++ --- openssh/openssh-5.6p1-pam-fix2.diff 2010-08-24 15:52:54.000000000 +0200 +++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-pam-fix3.diff 2011-01-24 12:48:12.000000000 +0100 
@@ -1,22 +1,15 @@ -Index: sshd_config +Index: auth-pam.c =================================================================== ---- sshd_config.orig -+++ sshd_config -@@ -56,7 +56,7 @@ - #IgnoreRhosts yes - - # To disable tunneled clear text passwords, change to no here! --#PasswordAuthentication yes -+PasswordAuthentication no - #PermitEmptyPasswords no - - # Change to no to disable s/key passwords -@@ -81,7 +81,7 @@ - # If you just want the PAM account and session checks to run without - # PAM authentication, then enable this but set PasswordAuthentication - # and ChallengeResponseAuthentication to 'no'. --#UsePAM no -+UsePAM yes - - #AllowAgentForwarding yes - #AllowTcpForwarding yes +--- auth-pam.c.orig ++++ auth-pam.c +@@ -786,7 +786,9 @@ sshpam_query(void *ctx, char **name, cha + fatal("Internal error: PAM auth " + "succeeded when it should have " + "failed"); +- import_environments(&buffer); ++#ifndef USE_POSIX_THREADS ++ import_environments(&buffer); ++#endif + *num = 0; + **echo_on = 0; + ctxt->pam_done = 1; ++++++ openssh-5.6p1-pts.diff -> openssh-5.7p1-pts.diff ++++++ --- openssh/openssh-5.6p1-pts.diff 2010-08-24 15:52:55.000000000 +0200 +++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-pts.diff 2011-01-24 12:48:13.000000000 +0100 @@ -2,7 +2,7 @@ =================================================================== --- loginrec.c.orig +++ loginrec.c -@@ -554,7 +554,7 @@ getlast_entry(struct logininfo *li) +@@ -555,7 +555,7 @@ getlast_entry(struct logininfo *li) * 1. The full filename (including '/dev') * 2. The stripped name (excluding '/dev') * 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00 
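Review bot: The new `#ifndef USE_POSIX_THREADS` guard around `import_environments(&buffer);` in sshpam_query carries no explanation, so a later reader cannot tell whether PAM-set environment variables are deliberately skipped under real threads or silently lost there. Add a comment above the guard such as `/* With USE_POSIX_THREADS the PAM conversation runs in a thread that shares our address space, so the environment it set is presumably already visible and importing the serialised copy again would duplicate it -- confirm against import_environments() */`, keeping the hedge until the behaviour has been checked. If the serialised environment still sitting in `buffer` must be drained or freed in the threaded case, the comment should say that too. sshpam_query starts and ends outside the hunk.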
@@ -11,7 +11,7 @@ * * Form 3 is used on some systems to identify a .tmp.? entry when * attempting to remove it. Typically both addition and removal is -@@ -615,6 +615,10 @@ line_abbrevname(char *dst, const char *s +@@ -616,6 +616,10 @@ line_abbrevname(char *dst, const char *s if (strncmp(src, "tty", 3) == 0) src += 3; #endif ++++++ openssh-5.6p1-saveargv-fix.diff -> openssh-5.7p1-saveargv-fix.diff ++++++ --- openssh/openssh-5.6p1-saveargv-fix.diff 2010-08-24 15:52:56.000000000 +0200 +++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-saveargv-fix.diff 2011-01-24 12:48:14.000000000 +0100 @@ -10,7 +10,7 @@ logit("Received SIGHUP; restarting."); close_listen_socks(); close_startup_pipes(); -@@ -1316,7 +1317,11 @@ main(int ac, char **av) +@@ -1319,7 +1320,11 @@ main(int ac, char **av) #ifndef HAVE_SETPROCTITLE /* Prepare for later setproctitle emulation */ compat_init_setproctitle(ac, av); ++++++ openssh-5.7p1-selinux.diff ++++++ Index: openssh-5.7p1/ChangeLog =================================================================== --- openssh-5.7p1.orig/ChangeLog +++ openssh-5.7p1/ChangeLog @@ -1,3 +1,10 @@ +20110125 + - (djm) [configure.ac Makefile.in ssh.c openbsd-compat/port-linux.c + openbsd-compat/port-linux.h] Move SELinux-specific code from ssh.c to + port-linux.c to avoid compilation errors. Add -lselinux to ssh when + building with SELinux support to avoid linking failure; report from + amk AT spamfence.net; ok dtucker + 20110122 - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] Add RSA_get_default_method() for the benefit of openssl versions that don't Index: openssh-5.7p1/configure.ac =================================================================== --- openssh-5.7p1.orig/configure.ac +++ openssh-5.7p1/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.469 2011/01/21 22:37:05 dtucker Exp $ +# $Id: configure.ac,v 1.470 2011/01/25 01:16:17 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # 
@@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org) -AC_REVISION($Revision: 1.469 $) +AC_REVISION($Revision: 1.470 $) AC_CONFIG_SRCDIR([ssh.c]) # local macros @@ -737,7 +737,6 @@ mips-sony-bsd|mips-sony-newsos4) [ AC_DEFINE(USE_SOLARIS_PROCESS_CONTRACTS, 1, [Define if you have Solaris process contracts]) SSHDLIBS="$SSHDLIBS -lcontract" - AC_SUBST(SSHDLIBS) SPC_MSG="yes" ], ) ], ) @@ -748,7 +747,6 @@ mips-sony-bsd|mips-sony-newsos4) [ AC_DEFINE(USE_SOLARIS_PROJECTS, 1, [Define if you have Solaris projects]) SSHDLIBS="$SSHDLIBS -lproject" - AC_SUBST(SSHDLIBS) SP_MSG="yes" ], ) ], ) @@ -3515,11 +3513,14 @@ AC_ARG_WITH(selinux, LIBS="$LIBS -lselinux" ], AC_MSG_ERROR(SELinux support requires libselinux library)) + SSHLIBS="$SSHLIBS $LIBSELINUX" SSHDLIBS="$SSHDLIBS $LIBSELINUX" AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) LIBS="$save_LIBS" fi ] ) +AC_SUBST(SSHLIBS) +AC_SUBST(SSHDLIBS) # Check whether user wants Linux audit support LINUX_AUDIT_MSG="no" @@ -4356,6 +4357,9 @@ echo " Libraries: ${LIBS}" if test ! -z "${SSHDLIBS}"; then echo " +for sshd: ${SSHDLIBS}" fi +if test ! -z "${SSHLIBS}"; then +echo " +for ssh: ${SSHLIBS}" +fi echo "" Index: openssh-5.7p1/Makefile.in =================================================================== --- openssh-5.7p1.orig/Makefile.in +++ openssh-5.7p1/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.320 2011/01/17 10:15:29 dtucker Exp $ +# $Id: Makefile.in,v 1.321 2011/01/25 01:16:16 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -47,6 +47,7 @@ CFLAGS=@CFLAGS@ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ LIBS=@LIBS@ LIBAUDIT=@LIBAUDIT@ +SSHLIBS=@SSHLIBS@ SSHDLIBS=@SSHDLIBS@ LIBEDIT=@LIBEDIT@ AR=@AR@ 
@@ -143,7 +144,7 @@ libssh.a: $(LIBSSH_OBJS) $(RANLIB) $@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) - $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(LIBAUDIT) Index: openssh-5.7p1/openbsd-compat/port-linux.c =================================================================== --- openssh-5.7p1.orig/openbsd-compat/port-linux.c +++ openssh-5.7p1/openbsd-compat/port-linux.c @@ -1,4 +1,4 @@ -/* $Id: port-linux.c,v 1.11 2011/01/17 07:50:24 dtucker Exp $ */ +/* $Id: port-linux.c,v 1.12 2011/01/25 01:16:18 djm Exp $ */ /* * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com> @@ -205,6 +205,20 @@ ssh_selinux_change_context(const char *n xfree(oldctx); xfree(newctx); } + +void +ssh_selinux_setfscreatecon(const char *path) +{ + security_context_t context; + + if (path == NULL) { + setfscreatecon(NULL); + return; + } + matchpathcon(path, 0700, &context); + setfscreatecon(context); +} + #endif /* WITH_SELINUX */ #ifdef LINUX_OOM_ADJUST Index: openssh-5.7p1/openbsd-compat/port-linux.h =================================================================== --- openssh-5.7p1.orig/openbsd-compat/port-linux.h +++ openssh-5.7p1/openbsd-compat/port-linux.h @@ -1,4 +1,4 @@ -/* $Id: port-linux.h,v 1.4 2009/12/08 02:39:48 dtucker Exp $ */ +/* $Id: port-linux.h,v 1.5 2011/01/25 01:16:18 djm Exp $ */ /* * Copyright (c) 2006 Damien Miller <djm@openbsd.org> @@ -24,6 +24,7 @@ int ssh_selinux_enabled(void); void ssh_selinux_setup_pty(char *, const char *); void ssh_selinux_setup_exec_context(char *); void ssh_selinux_change_context(const char *); +void ssh_selinux_setfscreatecon(const char *); #endif #ifdef LINUX_OOM_ADJUST Index: openssh-5.7p1/ssh.c =================================================================== --- openssh-5.7p1.orig/ssh.c +++ openssh-5.7p1/ssh.c 
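Review bot: In the new `ssh_selinux_setfscreatecon` the local `context` is never initialised and the return value of `matchpathcon()` is not checked, so when no context matches `path` the following `setfscreatecon(context)` reads an indeterminate pointer; on success the returned context is never released with `freecon()`, leaking on every call, and the return of `setfscreatecon()` itself is ignored so a failed creation-context change goes unreported. This is carried over from the ssh.c lines the hunk removes, but moving the code into a named helper is the moment to fix it. The sibling helpers in this file appear to bail out early when SELinux is not enabled; if that is the convention, this function should follow it as well, which I have not included below since the check is not visible in the hunk. The `error()`/`debug()` and `strerror(errno)` calls below assume the log.h and errno/string headers that the surrounding SELinux helpers already use.
```c
void
ssh_selinux_setfscreatecon(const char *path)
{
	security_context_t context = NULL;

	if (path == NULL) {
		if (setfscreatecon(NULL) != 0)
			debug("%s: setfscreatecon(NULL): %s", __func__,
			    strerror(errno));
		return;
	}
	if (matchpathcon(path, 0700, &context) != 0) {
		debug("%s: matchpathcon(\"%s\"): %s", __func__, path,
		    strerror(errno));
		return;
	}
	if (setfscreatecon(context) != 0)
		error("%s: setfscreatecon(\"%s\"): %s", __func__, context,
		    strerror(errno));
	freecon(context);
}
```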
@@ -857,15 +857,12 @@ main(int ac, char **av) strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR); if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0) { #ifdef WITH_SELINUX - char *scon; - - matchpathcon(buf, 0700, &scon); - setfscreatecon(scon); + ssh_selinux_setfscreatecon(buf); #endif if (mkdir(buf, 0700) < 0) error("Could not create directory '%.200s'.", buf); #ifdef WITH_SELINUX - setfscreatecon(NULL); + ssh_selinux_setfscreatecon(NULL); #endif } /* load options.identity_files */ ++++++ openssh-5.6p1-send_locale.diff -> openssh-5.7p1-send_locale.diff ++++++ --- openssh/openssh-5.6p1-send_locale.diff 2010-08-24 15:52:56.000000000 +0200 +++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-send_locale.diff 2011-01-24 12:48:15.000000000 +0100 @@ -8,8 +8,8 @@ ->>>>>>> +# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5). -+SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -+SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT ++SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES ++SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +SendEnv LC_IDENTIFICATION LC_ALL # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com 
@@ -22,8 +22,8 @@ Subsystem sftp /usr/libexec/sftp-server +# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5). -+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT ++AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES ++AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +AcceptEnv LC_IDENTIFICATION LC_ALL + # Example of overriding settings on a per-user basis ++++++ openssh-5.6p1-sshconfig-knownhostschanges.diff -> openssh-5.7p1-sshconfig-knownhostschanges.diff ++++++ --- openssh/openssh-5.6p1-sshconfig-knownhostschanges.diff 2010-08-24 15:52:57.000000000 +0200 +++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-sshconfig-knownhostschanges.diff 2011-01-25 11:29:02.000000000 +0100 @@ -2,11 +2,12 @@ =================================================================== --- ssh_config.orig +++ ssh_config -@@ -67,5 +67,12 @@ ForwardX11Trusted yes - SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES - SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +@@ -67,5 +67,13 @@ ForwardX11Trusted yes + SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT SendEnv LC_IDENTIFICATION LC_ALL -# VisualHostKey no ++ +# This will print the fingerprint of the host key in "visual" form +# this should make it easier to also recognize bad things +VisualHostKey no ++++++ openssh-5.6p1.tar.bz2 -> openssh-5.7p1.tar.bz2 ++++++ ++++ 19167 lines of diff (skipped) ++++++ openssh-5.6p1-xauth.diff -> openssh-5.7p1-xauth.diff ++++++ --- openssh/openssh-5.6p1-xauth.diff 2010-08-24 15:52:57.000000000 +0200 +++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-xauth.diff 2011-01-24 12:48:17.000000000 +0100 
@@ -2,7 +2,7 @@ =================================================================== --- session.c.orig +++ session.c -@@ -2525,8 +2525,41 @@ void +@@ -2463,8 +2463,41 @@ void session_close(Session *s) { u_int i; ++++++ openssh-5.6p1-xauthlocalhostname.diff -> openssh-5.7p1-xauthlocalhostname.diff ++++++ --- openssh/openssh-5.6p1-xauthlocalhostname.diff 2010-08-24 15:52:58.000000000 +0200 +++ /mounts/work_src_done/STABLE/openssh/openssh-5.7p1-xauthlocalhostname.diff 2011-01-24 12:48:18.000000000 +0100 @@ -2,7 +2,7 @@ =================================================================== --- session.c.orig +++ session.c -@@ -1114,7 +1114,7 @@ copy_environment(char **source, char *** +@@ -1116,7 +1116,7 @@ copy_environment(char **source, char *** } static char ** @@ -11,7 +11,7 @@ { char buf[256]; u_int i, envsize; -@@ -1301,6 +1301,8 @@ do_setup_env(Session *s, const char *she +@@ -1303,6 +1303,8 @@ do_setup_env(Session *s, const char *she for (i = 0; env[i]; i++) fprintf(stderr, " %.200s\n", env[i]); } @@ -20,7 +20,7 @@ return env; } -@@ -1309,7 +1311,7 @@ do_setup_env(Session *s, const char *she +@@ -1311,7 +1313,7 @@ do_setup_env(Session *s, const char *she * first in this order). */ static void @@ -29,12 +29,12 @@ { FILE *f = NULL; char cmd[1024]; -@@ -1363,12 +1365,20 @@ do_rc_files(Session *s, const char *shel +@@ -1365,12 +1367,20 @@ do_rc_files(Session *s, const char *shel options.xauth_location); f = popen(cmd, "w"); if (f) { + char hostname[MAXHOSTNAMELEN]; -+ ++ fprintf(f, "remove %s\n", s->auth_display); fprintf(f, "add %s %s %s\n", @@ -50,7 +50,7 @@ } else { fprintf(stderr, "Could not run %s\n", cmd); -@@ -1670,6 +1680,7 @@ do_child(Session *s, const char *command +@@ -1608,6 +1618,7 @@ do_child(Session *s, const char *command { extern char **environ; char **env; 
@@ -58,7 +58,7 @@ char *argv[ARGV_MAX]; const char *shell, *shell0, *hostname = NULL; struct passwd *pw = s->pw; -@@ -1736,7 +1747,7 @@ do_child(Session *s, const char *command +@@ -1674,7 +1685,7 @@ do_child(Session *s, const char *command * Make sure $SHELL points to the shell from the password file, * even if shell is overridden from login.conf */ @@ -67,7 +67,7 @@ #ifdef HAVE_LOGIN_CAP shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); -@@ -1805,7 +1816,7 @@ do_child(Session *s, const char *command +@@ -1743,7 +1754,7 @@ do_child(Session *s, const char *command closefrom(STDERR_FILENO + 1); if (!options.use_login) ++++++ openssh-SuSE.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSE/etc/init.d/sshd new/SuSE/etc/init.d/sshd --- old/SuSE/etc/init.d/sshd 2009-07-12 21:42:53.000000000 +0200 +++ new/SuSE/etc/init.d/sshd 2011-01-25 11:54:41.000000000 +0100 @@ -56,6 +56,10 @@ echo Generating /etc/ssh/ssh_host_rsa_key. ssh-keygen -t rsa -b 1024 -f /etc/ssh/ssh_host_rsa_key -N '' fi + if ! test -f /etc/ssh/ssh_host_ecdsa_key ; then + echo Generating /etc/ssh/ssh_host_ecdsa_key. + ssh-keygen -t ecdsa -b 256 -f /etc/ssh/ssh_host_ecdsa_key -N '' + fi fi echo -n "Starting SSH daemon" ## Start daemon with startproc(8). If this fails ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
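Review bot: The new ECDSA host-key block in the init script ignores the exit status of `ssh-keygen`, so if generation fails (for example an OpenSSL build without EC support) the script prints "Generating ..." and proceeds to start sshd as though the key existed; the RSA block above shares this, but the new lines are the ones under review. Consider `ssh-keygen -t ecdsa -b 256 -f /etc/ssh/ssh_host_ecdsa_key -N '' || echo "Generating /etc/ssh/ssh_host_ecdsa_key failed."` so the failure is visible in the boot log. While the pattern is being copied, the adjacent context line still generates the RSA host key with `-b 1024`, which is below the 2048-bit size generally recommended for new host keys and worth raising separately. The enclosing `if` block starts outside the hunk.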