| |
| %if 0%{?!noselinux:1} |
| %global WITH_SELINUX 1 |
| %else |
| %global WITH_SELINUX 0 |
| %endif |
| |
| %global _hardened_build 1 |
| |
| |
| %global sshd_uid 74 |
| %global sshd_gid 74 |
| |
| |
| %global no_gnome_askpass 0 |
| |
| |
| %global static_libcrypto 0 |
| |
| |
| %global gtk2 1 |
| |
| |
| %global pie 1 |
| |
| |
| %global kerberos5 1 |
| |
| |
| %global libedit 1 |
| |
| |
| %global ldap 1 |
| |
| |
| %if 0%{?!nopam:1} |
| %global pam_ssh_agent 1 |
| %else |
| %global pam_ssh_agent 0 |
| %endif |
| |
| |
| |
| %{?skip_gnome_askpass:%global no_gnome_askpass 1} |
| |
| |
| |
| |
| %{?no_gtk2:%global gtk2 0} |
| |
| |
| |
| %{?static_openssl:%global static_libcrypto 1} |
| |
| |
| %global rescue 0 |
| %{?build_rescue:%global rescue 1} |
| %{?build_rescue:%global rescue_rel rescue} |
| |
| |
| %if %{rescue} |
| %global kerberos5 0 |
| %global libedit 0 |
| %global pam_ssh_agent 0 |
| %endif |
| |
| |
| %global openssh_ver 8.0p1 |
| %global openssh_rel 17 |
| %global pam_ssh_agent_ver 0.10.3 |
| %global pam_ssh_agent_rel 7 |
| |
| Summary: An open source implementation of SSH protocol version 2 |
| Name: openssh |
| Version: %{openssh_ver} |
| Release: %{openssh_rel}%{?dist}%{?rescue_rel} |
| URL: http://www.openssh.com/portable.html |
| |
| # Upstream release tarball and its detached signature. The prep section checks |
| # Source0 against Source1 with gpgv2, using the keyring shipped as Source3. |
| # NOTE(review): both URLs are plain FTP, so that signature check is the only |
| # integrity control on the tarball that is visible in this file. |
| Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz |
| Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc |
| Source2: sshd.pam |
| Source3: DJM-GPG-KEY.gpg |
| # NOTE(review): fetched over plain HTTP, and no signature or checksum check for |
| # this tarball is visible in this spec - confirm it is pinned by a hash elsewhere. |
| Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.bz2 |
| Source5: pam_ssh_agent-rmheaders |
| Source6: ssh-keycat.pam |
| Source7: sshd.sysconfig |
| Source9: sshd@.service |
| Source10: sshd.socket |
| Source11: sshd.service |
| Source12: sshd-keygen@.service |
| Source13: sshd-keygen |
| Source14: sshd.tmpfiles |
| Source15: sshd-keygen.target |
| |
| |
| Patch100: openssh-6.7p1-coverity.patch |
| |
| |
| |
| |
| Patch200: openssh-7.6p1-audit.patch |
| |
| Patch201: openssh-7.1p2-audit-race-condition.patch |
| |
| |
| |
| Patch300: pam_ssh_agent_auth-0.9.3-build.patch |
| |
| |
| Patch301: pam_ssh_agent_auth-0.10.3-seteuid.patch |
| |
| Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch |
| |
| Patch305: pam_ssh_agent_auth-0.9.3-agent_structure.patch |
| |
| Patch306: pam_ssh_agent_auth-0.10.2-compat.patch |
| |
| |
| Patch307: pam_ssh_agent_auth-0.10.2-dereference.patch |
| |
| |
| Patch400: openssh-7.8p1-role-mls.patch |
| |
| Patch404: openssh-6.6p1-privsep-selinux.patch |
| |
| |
| Patch501: openssh-6.7p1-ldap.patch |
| |
| Patch502: openssh-6.6p1-keycat.patch |
| |
| |
| Patch601: openssh-6.6p1-allow-ip-opts.patch |
| |
| Patch604: openssh-6.6p1-keyperm.patch |
| |
| Patch606: openssh-5.9p1-ipv6man.patch |
| |
| Patch607: openssh-5.8p2-sigpipe.patch |
| |
| Patch609: openssh-7.2p2-x11.patch |
| |
| |
| Patch700: openssh-7.7p1-fips.patch |
| |
| Patch702: openssh-5.1p1-askpass-progress.patch |
| |
| Patch703: openssh-4.3p2-askpass-grab-info.patch |
| |
| Patch707: openssh-7.7p1-redhat.patch |
| |
| Patch711: openssh-7.8p1-UsePAM-warning.patch |
| |
| Patch712: openssh-6.3p1-ctr-evp-fast.patch |
| |
| Patch713: openssh-6.6p1-ctr-cavstest.patch |
| |
| Patch714: openssh-6.7p1-kdf-cavs.patch |
| |
| |
| |
| Patch800: openssh-8.0p1-gssapi-keyex.patch |
| |
| Patch801: openssh-6.6p1-force_krb.patch |
| |
| |
| Patch802: openssh-6.6p1-GSSAPIEnablek5users.patch |
| |
| |
| Patch804: openssh-7.7p1-gssapi-new-unique.patch |
| |
| Patch805: openssh-7.2p2-k5login_directory.patch |
| |
| |
| |
| Patch901: openssh-6.6p1-kuserok.patch |
| |
| Patch906: openssh-6.4p1-fromto-remote.patch |
| |
| Patch916: openssh-6.6.1p1-selinux-contexts.patch |
| |
| Patch918: openssh-6.6.1p1-log-in-chroot.patch |
| |
| Patch919: openssh-6.6.1p1-scp-non-existing-directory.patch |
| |
| Patch922: openssh-6.8p1-sshdT-output.patch |
| |
| Patch926: openssh-6.7p1-sftp-force-permission.patch |
| |
| Patch929: openssh-6.9p1-permit-root-login.patch |
| |
| Patch939: openssh-7.2p2-s390-closefrom.patch |
| |
| Patch944: openssh-7.3p1-x11-max-displays.patch |
| |
| Patch948: openssh-7.4p1-systemd.patch |
| |
| Patch949: openssh-7.6p1-cleanup-selinux.patch |
| |
| Patch950: openssh-7.5p1-sandbox.patch |
| |
| Patch951: openssh-8.0p1-pkcs11-uri.patch |
| |
| Patch953: openssh-7.8p1-scp-ipv6.patch |
| |
| |
| |
| Patch958: openssh-7.9p1-ssh-copy-id.patch |
| |
| |
| Patch961: openssh-8.0p1-scp-tests.patch |
| |
| Patch962: openssh-8.0p1-crypto-policies.patch |
| |
| Patch963: openssh-8.0p1-openssl-evp.patch |
| |
| Patch964: openssh-8.0p1-openssl-kdf.patch |
| |
| Patch965: openssh-8.0p1-openssl-pem.patch |
| |
| Patch966: openssh-8.0p1-entropy.patch |
| |
| Patch967: openssh-8.0p1-keyscan-rsa-sha2.patch |
| |
| Patch968: openssh-8.0p1-proxyjump-loops.patch |
| |
| Patch969: openssh-8.0p1-keygen-sha2.patch |
| |
| |
| Patch970: openssh-8.0p1-rdomain.patch |
| |
| |
| Patch971: openssh-8.0p1-x11-without-ipv6.patch |
| |
| Patch972: openssh-8.0p1-channel-limits.patch |
| |
| |
| Patch973: openssh-8.0p1-sftp-timespeccmp.patch |
| |
| Patch974: openssh-8.0p1-keygen-strip-doseol.patch |
| |
| Patch975: openssh-8.0p1-preserve-pam-errors.patch |
| |
| Patch976: openssh-8.0p1-restore-nonblock.patch |
| |
| Patch977: openssh-8.0p1-cve-2020-14145.patch |
| |
| Patch978: openssh-8.0p1-sshd_config.patch |
| |
| Patch980: openssh-8.7p1-upstream-cve-2021-41617.patch |
| |
| |
| |
| |
| |
| |
| Patch981: openssh-8.0p1-sshd_include.patch |
| |
| |
| |
| Patch982: openssh-8.0p1-client_alive_count_max.patch |
| |
| |
| |
| |
| |
| |
| Patch983: openssh-8.0p1-sftp-realpath.patch |
| |
| Patch984: openssh-8.0p1-crypto-policy-doc.patch |
| |
| |
| |
| |
| |
| Patch985: openssh-8.7p1-minimize-sha1-use.patch |
| |
| Patch986: openssh-9.1p1-sshbanner.patch |
| |
| Patch987: openssh-8.0p1-ipv6-process.patch |
| |
| License: BSD |
| Group: Applications/Internet |
| Requires: /sbin/nologin |
| Obsoletes: openssh-clients-fips, openssh-server-fips |
| Obsoletes: openssh-server-sysvinit |
| |
| %if ! %{no_gnome_askpass} |
| %if %{gtk2} |
| BuildRequires: gtk2-devel |
| BuildRequires: libX11-devel |
| %else |
| BuildRequires: gnome-libs-devel |
| %endif |
| %endif |
| |
| %if %{ldap} |
| BuildRequires: openldap-devel |
| %endif |
| BuildRequires: autoconf, automake, perl-interpreter, perl-generators, zlib-devel |
| BuildRequires: audit-libs-devel >= 2.0.5 |
| BuildRequires: util-linux, groff |
| BuildRequires: pam-devel |
| BuildRequires: openssl-devel >= 0.9.8j |
| BuildRequires: perl-podlators |
| BuildRequires: systemd-devel |
| BuildRequires: gcc |
| BuildRequires: p11-kit-devel |
| Recommends: p11-kit |
| |
| %if %{kerberos5} |
| BuildRequires: krb5-devel |
| %endif |
| |
| %if %{libedit} |
| BuildRequires: libedit-devel ncurses-devel |
| %endif |
| |
| %if %{WITH_SELINUX} |
| Requires: libselinux >= 2.3-5 |
| BuildRequires: libselinux-devel >= 2.3-5 |
| Requires: audit-libs >= 1.0.8 |
| BuildRequires: audit-libs >= 1.0.8 |
| %endif |
| |
| BuildRequires: xauth |
| |
| BuildRequires: gnupg2 |
| |
| %package clients |
| Summary: An open source SSH client applications |
| Group: Applications/Internet |
| Requires: openssh = %{version}-%{release} |
| Requires: crypto-policies >= 20180306-1 |
| |
| %package server |
| Summary: An open source SSH server daemon |
| Group: System Environment/Daemons |
| Requires: openssh = %{version}-%{release} |
| Requires(pre): /usr/sbin/useradd |
| Requires: pam >= 1.0.1-3 |
| Requires: crypto-policies >= 20180306-1 |
| %{?systemd_requires} |
| |
| %if %{ldap} |
| %package ldap |
| Summary: A LDAP support for open source SSH server daemon |
| Requires: openssh = %{version}-%{release} |
| Group: System Environment/Daemons |
| %endif |
| |
| %package keycat |
| Summary: A mls keycat backend for openssh |
| Requires: openssh = %{version}-%{release} |
| Group: System Environment/Daemons |
| |
| %package askpass |
| Summary: A passphrase dialog for OpenSSH and X |
| Group: Applications/Internet |
| Requires: openssh = %{version}-%{release} |
| Obsoletes: openssh-askpass-gnome |
| Provides: openssh-askpass-gnome |
| |
| %package cavs |
| Summary: CAVS tests for FIPS validation |
| Group: Applications/Internet |
| Requires: openssh = %{version}-%{release} |
| |
| %package -n pam_ssh_agent_auth |
| Summary: PAM module for authentication with ssh-agent |
| Group: System Environment/Base |
| Version: %{pam_ssh_agent_ver} |
| Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel} |
| License: BSD |
| |
| %description |
| SSH (Secure SHell) is a program for logging into and executing |
| commands on a remote machine. SSH is intended to replace rlogin and |
| rsh, and to provide secure encrypted communications between two |
| untrusted hosts over an insecure network. X11 connections and |
| arbitrary TCP/IP ports can also be forwarded over the secure channel. |
| |
| OpenSSH is OpenBSD's version of the last free version of SSH, bringing |
| it up to date in terms of security and features. |
| |
| This package includes the core files necessary for both the OpenSSH |
| client and server. To make this package useful, you should also |
| install openssh-clients, openssh-server, or both. |
| |
| %description clients |
| OpenSSH is a free version of SSH (Secure SHell), a program for logging |
| into and executing commands on a remote machine. This package includes |
| the clients necessary to make encrypted connections to SSH servers. |
| |
| %description server |
| OpenSSH is a free version of SSH (Secure SHell), a program for logging |
| into and executing commands on a remote machine. This package contains |
| the secure shell daemon (sshd). The sshd daemon allows SSH clients to |
| securely connect to your SSH server. |
| |
| %if %{ldap} |
| %description ldap |
| The OpenSSH LDAP backend is a way to distribute authorized tokens |
| among the servers in a network. |
| %endif |
| |
| %description keycat |
| OpenSSH MLS keycat is a backend for using authorized keys with |
| OpenSSH in MLS mode. |
| |
| %description askpass |
| OpenSSH is a free version of SSH (Secure SHell), a program for logging |
| into and executing commands on a remote machine. This package contains |
| an X11 passphrase dialog for OpenSSH. |
| |
| %description cavs |
| This package contains test binaries and scripts to make FIPS validation |
| easier. Now contains CTR and KDF CAVS test driver. |
| |
| %description -n pam_ssh_agent_auth |
| This package contains a PAM module which can be used to authenticate |
| users using ssh keys stored in an ssh-agent. By forwarding the |
| ssh-agent connection, it also allows authentication against a |
| remote ssh-agent instance. |
| |
| The module is most useful for su and sudo service stacks. |
| |
| %prep |
| # Verify the upstream tarball (source 0) against its detached signature (source 1), |
| # trusting only the keys in the bundled keyring (source 3). This runs before anything |
| # is unpacked; a non-zero exit from gpgv2 is expected to abort the prep script. |
| gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0} |
| # Unpack the OpenSSH tarball and, inside its tree, source 4 (pam_ssh_agent_auth). |
| # NOTE(review): no equivalent signature check is visible for source 4. |
| %setup -q -a 4 |
| |
| %if %{pam_ssh_agent} |
| # Patch the bundled pam_ssh_agent_auth tree. The patches are applied with -p2 and |
| # not in numeric order (306 before 305); -b keeps a backup copy under each suffix. |
| pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} |
| %patch300 -p2 -b .psaa-build |
| %patch301 -p2 -b .psaa-seteuid |
| %patch302 -p2 -b .psaa-visibility |
| %patch306 -p2 -b .psaa-compat |
| %patch305 -p2 -b .psaa-agent |
| %patch307 -p2 -b .psaa-deref |
| |
| # Delete every file named in source 5 (pam_ssh_agent-rmheaders) from the module tree. |
| # The list is expanded unquoted, so entries are word-split and glob-expanded by the |
| # shell: the list file must not contain whitespace or wildcard characters in names. |
| # NOTE(review): presumably these are bundled headers the module should not build against - confirm. |
| rm -f $(cat %{SOURCE5}) |
| popd |
| %endif |
| |
| # Downstream patch series for the main OpenSSH tree, applied with -p1; -b keeps a |
| # backup of each touched file under the given suffix. |
| # The order is deliberate rather than numeric (802 is applied after 919, and |
| # 200/201/700/100 come last), so presumably later patches are written against the |
| # result of earlier ones - do not reorder without a full rebuild. |
| %patch400 -p1 -b .role-mls |
| %patch404 -p1 -b .privsep-selinux |
| |
| %if %{ldap} |
| %patch501 -p1 -b .ldap |
| %endif |
| %patch502 -p1 -b .keycat |
| |
| %patch601 -p1 -b .ip-opts |
| %patch604 -p1 -b .keyperm |
| %patch606 -p1 -b .ipv6man |
| %patch607 -p1 -b .sigpipe |
| %patch609 -p1 -b .x11 |
| %patch702 -p1 -b .progress |
| %patch703 -p1 -b .grab-info |
| %patch707 -p1 -b .redhat |
| %patch711 -p1 -b .log-usepam-no |
| %patch712 -p1 -b .evp-ctr |
| %patch713 -p1 -b .ctr-cavs |
| %patch714 -p1 -b .kdf-cavs |
| |
| # GSSAPI / Kerberos related patches. |
| %patch800 -p1 -b .gsskex |
| %patch801 -p1 -b .force_krb |
| %patch804 -p1 -b .ccache_name |
| %patch805 -p1 -b .k5login |
| |
| %patch901 -p1 -b .kuserok |
| %patch906 -p1 -b .fromto-remote |
| %patch916 -p1 -b .contexts |
| %patch918 -p1 -b .log-in-chroot |
| %patch919 -p1 -b .scp |
| %patch802 -p1 -b .GSSAPIEnablek5users |
| %patch922 -p1 -b .sshdt |
| %patch926 -p1 -b .sftp-force-mode |
| %patch929 -p1 -b .root-login |
| %patch939 -p1 -b .s390-dev |
| %patch944 -p1 -b .x11max |
| %patch948 -p1 -b .systemd |
| %patch949 -p1 -b .refactor |
| %patch950 -p1 -b .sandbox |
| %patch951 -p1 -b .pkcs11-uri |
| %patch953 -p1 -b .scp-ipv6 |
| %patch958 -p1 -b .ssh-copy-id |
| %patch961 -p1 -b .scp-tests |
| %patch962 -p1 -b .crypto-policies |
| %patch963 -p1 -b .openssl-evp |
| %patch964 -p1 -b .openssl-kdf |
| %patch965 -p1 -b .openssl-pem |
| %patch966 -p1 -b .entropy |
| %patch967 -p1 -b .keyscan |
| %patch968 -p1 -b .proxyjump-loops |
| %patch969 -p1 -b .keygen-sha2 |
| %patch970 -p1 -b .rdomain |
| %patch971 -p1 -b .x11-ipv6 |
| %patch972 -p1 -b .channel-limits |
| %patch973 -p1 -b .sftp-timespeccmp |
| %patch974 -p1 -b .keygen-strip-doseol |
| %patch975 -p1 -b .preserve-pam-errors |
| %patch976 -p1 -b .restore-nonblock |
| # Patches 977 and 980 are the CVE backports onto 8.0p1 named in their file names |
| # (CVE-2020-14145 and CVE-2021-41617); a missing or failed hunk here silently |
| # matters more than elsewhere, so check the build log when rebasing. |
| %patch977 -p1 -b .cve-2020-14145 |
| %patch978 -p1 -b .sshd_config |
| %patch980 -p1 -b .cve-2021-41617 |
| %patch981 -p1 -b .sshdinclude |
| %patch982 -p1 -b .client_alive_count_max |
| %patch983 -p1 -b .sftp-realpath |
| %patch984 -p1 -b .crypto-policy-doc |
| %patch985 -p1 -b .minimize-sha1-use |
| %patch986 -p1 -b .banner |
| %patch987 -p1 -b .sftp_ipv6 |
| |
| # The audit, FIPS and coverity patches are applied after everything else. |
| %patch200 -p1 -b .audit |
| %patch201 -p1 -b .audit-race |
| %patch700 -p1 -b .fips |
| |
| %patch100 -p1 -b .coverity |
| |
| # Regenerate the configure scripts in both source trees after patching. |
| # The pushd below is not guarded by the pam_ssh_agent conditional; it still works |
| # when that macro is 0 because source 4 is always unpacked by the setup step. |
| autoreconf |
| pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} |
| autoreconf |
| popd |
| |
| %build |
| |
| |
| # Start from the distribution's optimisation flags and hide non-exported symbols. |
| # CFLAGS is exported here, so the later plain assignments also reach child processes. |
| CFLAGS="$RPM_OPT_FLAGS -fvisibility=hidden"; export CFLAGS |
| %if %{rescue} |
| # Rescue builds additionally optimise for size. |
| CFLAGS="$CFLAGS -Os" |
| %endif |
| %if %{pie} |
| # Position-independent code: -fPIC on s390/sparc, -fpic everywhere else. |
| %ifarch s390 s390x sparc sparcv9 sparc64 |
| CFLAGS="$CFLAGS -fPIC" |
| %else |
| CFLAGS="$CFLAGS -fpic" |
| %endif |
| # Keep the link flags as they were before the PIE options are appended; the |
| # pam_ssh_agent_auth build later restores LDFLAGS from this copy. |
| # Note that SAVE_LDFLAGS is only assigned when the pie macro is set. |
| SAVE_LDFLAGS="$LDFLAGS" |
| # Link the main binaries as PIE with read-only relocations and immediate binding. |
| LDFLAGS="$LDFLAGS -pie -z relro -z now" |
| |
| export CFLAGS |
| export LDFLAGS |
| |
| %endif |
| %if %{kerberos5} |
| # Locate Kerberos: load the build host's krb5-devel profile snippet if it is readable, |
| # then ask krb5-config for the install prefix. |
| if test -r /etc/profile.d/krb5-devel.sh ; then |
| source /etc/profile.d/krb5-devel.sh |
| fi |
| krb5_prefix=`krb5-config --prefix` |
| if test "$krb5_prefix" != "%{_prefix}" ; then |
| # Kerberos lives outside the system prefix: add its include and library directories. |
| CPPFLAGS="$CPPFLAGS -I${krb5_prefix}/include -I${krb5_prefix}/include/gssapi"; export CPPFLAGS |
| CFLAGS="$CFLAGS -I${krb5_prefix}/include -I${krb5_prefix}/include/gssapi" |
| LDFLAGS="$LDFLAGS -L${krb5_prefix}/%{_lib}"; export LDFLAGS |
| else |
| # Kerberos is in the system prefix: clear krb5_prefix so configure gets the bare option. |
| # NOTE(review): CPPFLAGS is overwritten here, not appended to as in the branch above - |
| # any CPPFLAGS inherited from the build environment is dropped; confirm that is intended. |
| krb5_prefix= |
| CPPFLAGS="-I%{_includedir}/gssapi"; export CPPFLAGS |
| CFLAGS="$CFLAGS -I%{_includedir}/gssapi" |
| fi |
| %endif |
| |
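| # Configure and build the main OpenSSH tree. |
| # - Upstream's own PIE and hardening handling is switched off (--with-pie=no, |
| #   --without-hardening); the hardening flags come from the CFLAGS/LDFLAGS set up |
| #   earlier in this section and from the distribution's build flags. |
| # - PAM is compiled out only for rescue builds. |
| # - SELinux, Linux audit and the seccomp_filter sandbox are all selected by the same |
| #   WITH_SELINUX conditional. NOTE(review): a build with SELinux disabled therefore |
| #   also leaves the sandbox choice to configure's default - confirm that is intended. |
| # - No comment lines may be placed inside the continued option list below. |
| # Fix: the --without-hardening line ended in a stray backtick instead of a line |
| # continuation, which left the shell command unterminated. |
| %configure \ |
| --sysconfdir=%{_sysconfdir}/ssh \ |
| --libexecdir=%{_libexecdir}/openssh \ |
| --datadir=%{_datadir}/openssh \ |
| --with-default-path=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin \ |
| --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \ |
| --with-privsep-path=%{_var}/empty/sshd \ |
| --disable-strip \ |
| --without-zlib-version-check \ |
| --with-ssl-engine \ |
| --with-ipaddr-display \ |
| --with-pie=no \ |
| --without-hardening \ |
| --with-systemd \ |
| --with-default-pkcs11-provider=yes \ |
| %if %{ldap} |
| --with-ldap \ |
| %endif |
| %if %{rescue} |
| --without-pam \ |
| %else |
| --with-pam \ |
| %endif |
| %if %{WITH_SELINUX} |
| --with-selinux --with-audit=linux \ |
| --with-sandbox=seccomp_filter \ |
| %endif |
| %if %{kerberos5} |
| --with-kerberos5${krb5_prefix:+=${krb5_prefix}} \ |
| %else |
| --without-kerberos5 \ |
| %endif |
| %if %{libedit} |
| --with-libedit |
| %else |
| --without-libedit |
| %endif |
| |
| %if %{static_libcrypto} |
| # Static libcrypto build: rewrite the generated Makefile to link the archive directly. |
| perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile |
| %endif |
| |
| make |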
| |
| |
| |
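| # Choose the askpass flavour from the gtk2 macro, then build it in contrib/ unless |
| # the askpass subpackage is disabled. |
| %if %{gtk2} |
| gtk2=yes |
| %else |
| gtk2=no |
| %endif |
| |
| %if ! %{no_gnome_askpass} |
| pushd contrib |
| if [ $gtk2 = yes ] ; then |
| CFLAGS="$CFLAGS %{?__global_ldflags}" \ |
| make gnome-ssh-askpass2 |
| mv gnome-ssh-askpass2 gnome-ssh-askpass |
| else |
| # Fix: pass the extra flags in make's environment only, as the gtk2 branch does. |
| # Without the continuation this line was a standalone assignment that changed |
| # CFLAGS for the rest of the build script. |
| CFLAGS="$CFLAGS %{?__global_ldflags}" \ |
| make gnome-ssh-askpass1 |
| mv gnome-ssh-askpass1 gnome-ssh-askpass |
| fi |
| popd |
| %endif |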
| |
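| %if %{pam_ssh_agent} |
| # Build the bundled pam_ssh_agent_auth module in its own tree. |
| pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} |
| # Restore the link flags saved before -pie was appended for the main binaries. |
| # NOTE(review): SAVE_LDFLAGS is only assigned when the pie macro is set, so with |
| # pie disabled this empties LDFLAGS; in either case the Kerberos -L flag added |
| # after the save point is dropped as well - confirm the module does not need it. |
| LDFLAGS="$SAVE_LDFLAGS" |
| # Fix: the last option ended in a stray, unmatched backtick, which left the shell |
| # command unterminated and swallowed the make invocation that follows. |
| %configure --with-selinux \ |
| --libexecdir=/%{_libdir}/security \ |
| --with-mantype=man \ |
| --without-openssl-header-check |
| make |
| popd |
| %endif |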
| |
| %check |
| |
| # The test suite runs only when the _with_check macro is defined (a build invoked |
| # with the check option enabled). By default this section does nothing, so a |
| # regular package build gives no test coverage for the patch series above. |
| %if %{?_with_check:1}%{!?_with_check:0} |
| make tests |
| %endif |
| |
| %install |
| # Stage the package contents under the build root. |
| rm -rf $RPM_BUILD_ROOT |
| mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh |
| mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d |
| mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh |
| mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd |
| make install DESTDIR=$RPM_BUILD_ROOT |
| # ldap.conf is not shipped under the ssh configuration directory; the ldap |
| # subpackage lists it as documentation instead. |
| rm -f $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ldap.conf |
| |
| # PAM stacks, sysconfig file, client drop-in configuration and systemd units. |
| install -d $RPM_BUILD_ROOT/etc/pam.d/ |
| install -d $RPM_BUILD_ROOT/etc/sysconfig/ |
| install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh |
| install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd |
| install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat |
| install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd |
| install -m644 ssh_config_redhat $RPM_BUILD_ROOT/etc/ssh/ssh_config.d/05-redhat.conf |
| install -d -m755 $RPM_BUILD_ROOT/%{_unitdir} |
| install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service |
| install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket |
| install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service |
| install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service |
| install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target |
| # Staged as 0744 here; the server file list later records sshd-keygen as 0755, |
| # and that packaged mode is what ends up on the installed system. |
| install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen |
| install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/ |
| # No mode is given for the man page, so install's default applies; the clients |
| # file list records it as 0644. |
| install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/ |
| install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf |
| |
| %if ! %{no_gnome_askpass} |
| install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass |
| %endif |
| |
| %if ! %{no_gnome_askpass} |
| # ssh-askpass is a relative symlink to the GNOME helper; the profile.d snippets |
| # are staged 0755 and recorded as 0644 by the askpass file list. |
| ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass |
| install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ |
| install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ |
| install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ |
| %endif |
| |
| %if %{no_gnome_askpass} |
| rm -f $RPM_BUILD_ROOT/etc/profile.d/gnome-ssh-askpass.* |
| %endif |
| |
| # Strip the build-root path out of the installed man pages so the build location |
| # does not end up in shipped documentation. |
| perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/* |
| |
| %if %{pam_ssh_agent} |
| pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} |
| make install DESTDIR=$RPM_BUILD_ROOT |
| popd |
| %endif |
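| %pre |
| # Create the ssh_keys system group if it does not exist yet; the base package |
| # ships ssh-keysign owned by this group. The trailing "|| :" keeps the scriptlet |
| # from failing the transaction (deliberately best-effort). |
| getent group ssh_keys >/dev/null || groupadd -r ssh_keys || : |
| |
| %pre server |
| # Create the privilege-separation group and user with the fixed IDs defined at |
| # the top of the spec. Fix: the group is created with the sshd_gid macro; it was |
| # using sshd_uid, which only worked because both macros have the same value. |
| getent group sshd >/dev/null || groupadd -g %{sshd_gid} -r sshd || : |
| # The account has no login shell and its home is the empty privsep directory. |
| # NOTE(review): useradd errors are discarded (stderr to /dev/null, "|| :"), so if |
| # the fixed UID is already taken the package installs without an sshd user and |
| # the failure only surfaces when the daemon starts - worth a post-install check. |
| getent passwd sshd >/dev/null || \ |
| useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \ |
| -s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || : |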
| |
| %post server |
| # Run the systemd post-install macro for the sshd service and socket units. |
| %systemd_post sshd.service sshd.socket |
| |
| %preun server |
| # Run the systemd pre-uninstall macro for the same two units. |
| %systemd_preun sshd.service sshd.socket |
| |
| %postun server |
| # Only sshd.service is passed to the restart macro; sshd.socket is not listed here. |
| %systemd_postun_with_restart sshd.service |
| |
| %files |
| # Base package: licence, documentation, the shared configuration directory and moduli. |
| %license LICENCE |
| %doc CREDITS ChangeLog INSTALL OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns TODO |
| %attr(0755,root,root) %dir %{_sysconfdir}/ssh |
| %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli |
| %if ! %{rescue} |
| %attr(0755,root,root) %{_bindir}/ssh-keygen |
| %attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1* |
| %attr(0755,root,root) %dir %{_libexecdir}/openssh |
| # ssh-keysign is shipped setgid to the ssh_keys group (mode 2555), not setuid root, |
| # and is not writable even by its owner. |
| # NOTE(review): presumably host private keys are group-readable by ssh_keys so this |
| # helper can sign with them - confirm against the modes set by sshd-keygen, and |
| # treat membership of ssh_keys as equivalent to host-key access. |
| %attr(2555,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign |
| %attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8* |
| %endif |
| |
| %files clients |
| %attr(0755,root,root) %{_bindir}/ssh |
| %attr(0644,root,root) %{_mandir}/man1/ssh.1* |
| %attr(0755,root,root) %{_bindir}/scp |
| %attr(0644,root,root) %{_mandir}/man1/scp.1* |
| %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config |
| %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d/ |
| %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/05-redhat.conf |
| %attr(0644,root,root) %{_mandir}/man5/ssh_config.5* |
| %if ! %{rescue} |
| %attr(0755,root,root) %{_bindir}/ssh-agent |
| %attr(0755,root,root) %{_bindir}/ssh-add |
| %attr(0755,root,root) %{_bindir}/ssh-keyscan |
| %attr(0755,root,root) %{_bindir}/sftp |
| %attr(0755,root,root) %{_bindir}/ssh-copy-id |
| %attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper |
| %attr(0644,root,root) %{_mandir}/man1/ssh-agent.1* |
| %attr(0644,root,root) %{_mandir}/man1/ssh-add.1* |
| %attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1* |
| %attr(0644,root,root) %{_mandir}/man1/sftp.1* |
| %attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1* |
| %attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8* |
| %endif |
| |
| %if ! %{rescue} |
| %files server |
| # Privilege-separation directory: root-owned, mode 0711 (others may traverse but not list). |
| %dir %attr(0711,root,root) %{_var}/empty/sshd |
| %attr(0755,root,root) %{_sbindir}/sshd |
| %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server |
| %attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen |
| %attr(0644,root,root) %{_mandir}/man5/sshd_config.5* |
| %attr(0644,root,root) %{_mandir}/man5/moduli.5* |
| %attr(0644,root,root) %{_mandir}/man8/sshd.8* |
| %attr(0644,root,root) %{_mandir}/man8/sftp-server.8* |
| # Server configuration is readable by root only; the sysconfig file is 0640. |
| # All three config files are noreplace, so an upgrade keeps locally edited copies. |
| %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config |
| %attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd |
| %attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd |
| %attr(0644,root,root) %{_unitdir}/sshd.service |
| %attr(0644,root,root) %{_unitdir}/sshd@.service |
| %attr(0644,root,root) %{_unitdir}/sshd.socket |
| %attr(0644,root,root) %{_unitdir}/sshd-keygen@.service |
| %attr(0644,root,root) %{_unitdir}/sshd-keygen.target |
| %attr(0644,root,root) %{_tmpfilesdir}/openssh.conf |
| %endif |
| |
| %if %{ldap} |
| %files ldap |
| %doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema ldap.conf |
| %doc openssh-lpk-openldap.ldif openssh-lpk-sun.ldif |
| %attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-helper |
| %attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-wrapper |
| %attr(0644,root,root) %{_mandir}/man8/ssh-ldap-helper.8* |
| %attr(0644,root,root) %{_mandir}/man5/ssh-ldap.conf.5* |
| %endif |
| |
| %files keycat |
| %doc HOWTO.ssh-keycat |
| %attr(0755,root,root) %{_libexecdir}/openssh/ssh-keycat |
| %attr(0644,root,root) %config(noreplace) /etc/pam.d/ssh-keycat |
| |
| %if ! %{no_gnome_askpass} |
| %files askpass |
| %attr(0644,root,root) %{_sysconfdir}/profile.d/gnome-ssh-askpass.* |
| %attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass |
| %attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass |
| %endif |
| |
| %files cavs |
| %attr(0755,root,root) %{_libexecdir}/openssh/ctr-cavstest |
| %attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs |
| %attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs_driver.pl |
| |
| %if %{pam_ssh_agent} |
| %files -n pam_ssh_agent_auth |
| %license pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE |
| %attr(0755,root,root) %{_libdir}/security/pam_ssh_agent_auth.so |
| %attr(0644,root,root) %{_mandir}/man8/pam_ssh_agent_auth.8* |
| %endif |
| |
| %changelog |
| * Tue Dec 20 2022 Dmitry Belyavskiy - 8.0p1-17 |
| - Fix parsing of IPv6 IPs in sftp client ( |
| - Avoid ssh banner one-byte overflow ( |
| - Avoid crash of sshd when Include folder does not exist ( |
| |
| * Wed Jun 29 2022 Zoltan Fridrich <zfridric@redhat.com> - 8.0p1-16 |
| - Omit client side from minimize-sha1-use.patch to prevent regression ( |
| |
| * Thu Jun 23 2022 Zoltan Fridrich <zfridric@redhat.com> - 8.0p1-15 |
| - Fix new issues found by static analyzers |
| |
| * Wed Jun 01 2022 Zoltan Fridrich <zfridric@redhat.com> - 8.0p1-14 |
| - Upstream: add a local implementation of BSD realpath() for sftp-server ( |
| - Change product name from Fedora to RHEL in openssh-7.8p1-UsePAM-warning.patch ( |
| - Include caveat for crypto-policy in sshd manpage ( |
| - Change log level of FIPS specific log message to verbose ( |
| - Clarify force_file_perms (-m) documentation in sftp-server manpage ( |
| - Minimize the use of SHA1 as a proof of possession for RSA key ( |
| |
| * Tue Oct 26 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-13 |
| - Upstream: ClientAliveCountMax=0 disable the connection killing behaviour ( |
| |
| * Wed Oct 20 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-12 |
| - Add support for "Include" directive in sshd_config file ( |
| |
| * Fri Oct 01 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-11 |
| - CVE-2021-41617 upstream fix ( |
| |
| * Mon Jun 21 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-10 |
| - sshd -T requires -C when "Match" is used in sshd_config ( |
| |
| * Wed Jun 02 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-9 |
| - CVE-2020-14145 openssh: Observable Discrepancy leading to an information |
| leak in the algorithm negotiation ( |
| - Hostbased ssh authentication fails if session ID contains a '/' ( |
| |
| * Mon Apr 26 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-8 |
| - ssh doesn't restore the blocking mode on standard output ( |
| |
| * Fri Apr 09 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-7 + 0.10.3-7 |
| - SFTP sort upon the modification time ( |
| - ssh-keygen printing fingerprint issue with Windows keys ( |
| - PIN is lost when iterating over tokens when adding pkcs11 keys to ssh-agent ( |
| - ssh-agent segfaults during ssh-add -s pkcs11 ( |
| - ssh-copy-id could not resolve ipv6 address ends with colon ( |
| - sshd provides PAM an incorrect error code ( |
| |
| * Tue Mar 16 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-6 + 0.10.3-7 |
| - Openssh client window fix ( |
| |
| * Tue Mar 24 2020 Jakub Jelen <jjelen@redhat.com> - 8.0p1-5 + 0.10.3-7 |
| - Do not print "no slots" warning by default ( |
| - Unbreak connecting using gssapi through proxy commands ( |
| - Document in manual pages that CASignatureAlgorithms are handled by crypto policies ( |
| - Use SHA2-based signature algorithms by default for signing certificates ( |
| - Prevent simple ProxyJump loops in configuration files ( |
| - Teach ssh-keyscan to use SHA2 RSA variants ( |
| - Do not fail hard if getrandom() is not available and no SSH_USE_STRONG_RNG is specified ( |
| - Improve wording of crypto policies references in manual pages ( |
| - Do not break X11 forwarding if IPv6 is disabled ( |
| - Enable SHA2-based GSSAPI key exchange algorithms by default ( |
| - Mark RDomain server configuration option unsupported in RHEL ( |
| - Clarify crypto policies defaults in manual pages ( |
| - Mention RSA SHA2 variants in ssh-keygen manual page ( |
| |
| * Wed Jan 08 2020 Jakub Jelen <jjelen@redhat.com> - 8.0p1-4 + 0.10.3-7 |
| - Restore entropy patch for CC certification ( |
| |
| * Tue Jul 23 2019 Jakub Jelen <jjelen@redhat.com> - 8.0p1-3 + 0.10.3-7 |
| - Fix typos in manual pages ( |
| - Use the upstream support for PKCS |
| - Unbreak ssh-keygen -A in FIPS mode ( |
| - Add missing RSA certificate types to offered hostkey types in FIPS mode ( |
| |
| * Wed Jun 12 2019 Jakub Jelen <jjelen@redhat.com> - 8.0p1-2 + 0.10.3-7 |
| - Allow specifying a pin-value in PKCS |
| - Whitelist another syscall variant for s390x cryptographic module (ibmca engine) ( |
| |
| * Tue May 14 2019 Jakub Jelen <jjelen@redhat.com> - 8.0p1-1 + 0.10.3-7 |
| - New upstream release ( |
| - Remove support for unused VendorPatchLevel configuration option |
| - Fix kerberos cleanup procedures ( |
| - Do not negotiate arbitrary primes with DH GEX in FIPS ( |
| - Several GSSAPI key exchange improvements and sync with Debian |
| - Allow to use labels in PKCS |
| - Do not fall back to sshd_net_t SELinux context ( |
| - Use FIPS compliant high-level signature OpenSSL API and KDF |
| - Mention crypto-policies in manual pages |
| - Do not fail if non-FIPS approved algorithm is enabled in FIPS |
| - Generate the PEM files in new PKCS |
| |
| * Mon Nov 26 2018 Jakub Jelen <jjelen@redhat.com> - 7.8p1-4 + 0.10.3-5 |
| - Unbreak PKCS |
| - Allow to disable RSA signatures with SHA1 ( |
| - Dump missing GSS options from client configuration ( |
| - Minor fixes from Fedora related to GSSAPI and kerberos |
| - Follow the system-wide PATH settings |
| |
| * Mon Sep 24 2018 Jakub Jelen <jjelen@redhat.com> - 7.8p1-3 + 0.10.3-5 |
| - Disable OpenSSH hardening flags and use the ones provided by system ( |
| - Ignore unknown parts of PKCS |
| - Do not fail with GSSAPI enabled in match blocks ( |
| - Fix the segfaulting cavs test ( |
| |
| * Fri Aug 31 2018 Jakub Jelen <jjelen@redhat.com> - 7.8p1-2 + 0.10.3-5 |
| - New upstream release fixing CVE 2018-15473 |
| - Remove unused patches |
| - Remove reference to unused environment variable SSH_USE_STRONG_RNG |
| - Address coverity issues |
| - Unbreak scp between two IPv6 hosts ( |
| - Unbreak GSSAPI key exchange ( |
| - Unbreak rekeying with GSSAPI key exchange ( |
| |
| * Thu Aug 09 2018 Jakub Jelen <jjelen@redhat.com> - 7.7p1-6 + 0.10.3-4 |
| - Fix listing of kex algorithms in FIPS mode |
| - Allow aes-gcm cipher modes in FIPS mode |
| - Coverity fixes |
| |
| * Tue Jul 03 2018 Jakub Jelen <jjelen@redhat.com> - 7.7p1-5 + 0.10.3-4 |
| - Disable manual printing of motd by default ( |
| |
| * Wed Jun 27 2018 Jakub Jelen <jjelen@redhat.com> - 7.7p1-4 + 0.10.3-4 |
| - Better handling of kerberos tickets storage ( |
| - Add pam_motd to pam stack ( |
| |
| * Mon Apr 16 2018 Jakub Jelen <jjelen@redhat.com> - 7.7p1-3 + 0.10.3-4 |
| - Fix tun devices and other issues fixed after release upstream ( |
| |
| * Thu Apr 12 2018 Jakub Jelen <jjelen@redhat.com> - 7.7p1-2 + 0.10.3-4 |
| - Do not break quotes parsing in configuration file ( |
| |
| * Wed Apr 04 2018 Jakub Jelen <jjelen@redhat.com> - 7.7p1-1 + 0.10.3-4 |
| - New upstream release ( |
| - Add support for ECDSA keys in PKCS |
| - Add support for PKCS |
| |
| * Tue Mar 06 2018 Jakub Jelen <jjelen@redhat.com> - 7.6p1-7 + 0.10.3-3 |
| - Require crypto-policies version and new path |
| - Remove bogus NSS linking |
| |
| * Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 7.6p1-6.1 |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild |
| |
| * Fri Jan 26 2018 Jakub Jelen <jjelen@redhat.com> - 7.6p1-6 + 0.10.3-3 |
| - Rebuild for gcc bug on i386 ( |
| |
| * Thu Jan 25 2018 Florian Weimer <fweimer@redhat.com> - 7.6p1-5.2 |
| - Rebuild to work around gcc bug leading to sshd miscompilation ( |
| |
| * Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 7.6p1-5.1.1 |
| - Rebuilt for switch to libxcrypt |
| |
| * Wed Jan 17 2018 Jakub Jelen <jjelen@redhat.com> - 7.6p1-5 + 0.10.3-3 |
| - Drop support for TCP wrappers ( |
| - Do not pass hostnames to audit -- UseDNS is usually disabled ( |
| |
| * Thu Dec 14 2017 Jakub Jelen <jjelen@redhat.com> - 7.6p1-4 + 0.10.3-3 |
| - Whitelist gettid() syscall in seccomp filter ( |
| |
| * Mon Dec 11 2017 Jakub Jelen <jjelen@redhat.com> - 7.6p1-3 + 0.10.3-3 |
| - Do not segfault during audit cleanup ( |
| - Avoid gcc warnings about uninitialized variables |
| |
| * Wed Nov 22 2017 Jakub Jelen <jjelen@redhat.com> - 7.6p1-2 + 0.10.3-3 |
| - Do not build everything against libldap |
| - Do not segfault for ECC keys in PKCS |
| |
| * Thu Oct 19 2017 Jakub Jelen <jjelen@redhat.com> - 7.6p1-1 + 0.10.3-3 |
| - New upstream release OpenSSH 7.6 |
| - Addressing review remarks for OpenSSL 1.1.0 patch |
| - Fix PermitOpen bug in OpenSSH 7.6 |
| - Drop support for ExposeAuthenticationMethods option |
| |
| * Mon Sep 11 2017 Jakub Jelen <jjelen@redhat.com> - 7.5p1-6 + 0.10.3-2 |
| - Do not export KRB5CCNAME if the default path is used ( |
| - Add enablement for openssl-ibmca and openssl-ibmpkcs11 ( |
| - Add new GSSAPI kex algorithms with SHA-2, but leave them disabled for now |
| - Enforce pam_sepermit for all logins in SSH ( |
| - Remove pam_reauthorize, since it is not needed by cockpit anymore ( |
| |
| * Mon Aug 14 2017 Jakub Jelen <jjelen@redhat.com> - 7.5p1-5 + 0.10.3-2 |
| - Another less-intrusive approach to crypto policy ( |
| |
| * Tue Aug 01 2017 Jakub Jelen <jjelen@redhat.com> - 7.5p1-4 + 0.10.3-2 |
| - Remove SSH-1 subpackage for Fedora 27 ( |
| - Follow system-wide crypto policy in server ( |
| |
| * Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 7.5p1-3.1 |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild |
| |
| * Fri Jun 30 2017 Jakub Jelen <jjelen@redhat.com> - 7.5p1-2 + 0.10.3-2 |
| - Sync downstream patches with RHEL (FIPS) |
| - Resolve potential issues with OpenSSL 1.1.0 patch |
| |
| * Wed Mar 22 2017 Jakub Jelen <jjelen@redhat.com> - 7.5p1-2 + 0.10.3-2 |
| - Fix various after-release typos including failed build in s390x ( |
| - Revert chroot magic with SELinux |
| |
| * Mon Mar 20 2017 Jakub Jelen <jjelen@redhat.com> - 7.5p1-1 + 0.10.3-2 |
| - New upstream release |
| |
| * Fri Mar 03 2017 Jakub Jelen <jjelen@redhat.com> - 7.4p1-4 + 0.10.3-1 |
| - Avoid sending the SD_NOTIFY messages from wrong processes ( |
| - Address reports by coverity |
| |
| * Mon Feb 20 2017 Jakub Jelen <jjelen@redhat.com> - 7.4p1-3 + 0.10.3-1 |
| - Properly report errors from included files ( |
| - New pam_ssh_agent_auth 0.10.3 release |
| - Switch to SD_NOTIFY to make systemd happy |
| |
| * Mon Feb 06 2017 Jakub Jelen <jjelen@redhat.com> - 7.4p1-2 + 0.10.2-5 |
| - Fix ssh-agent cert signing error ( |
| - Fix wrong path to crypto policies |
| - Attempt to resolve issue with systemd |
| |
| * Tue Jan 03 2017 Jakub Jelen <jjelen@redhat.com> - 7.4p1-1 + 0.10.2-5 |
| - New upstream release ( |
| - Cache supported OIDs for GSSAPI key exchange ( |
| - Fix typo causing heap corruption (use-after-free) ( |
| - Prevent hangs with long MOTD |
| |
| * Thu Dec 08 2016 Jakub Jelen <jjelen@redhat.com> - 7.3p1-7 + 0.10.2-4 |
| - Properly deserialize received RSA certificates in ssh-agent ( |
| - Move MAX_DISPLAYS to a configuration option |
| |
| * Wed Nov 16 2016 Jakub Jelen <jjelen@redhat.com> - 7.3p1-6 + 0.10.2-4 |
| - GSSAPI requires futex syscall in privsep child ( |
| |
| * Thu Oct 27 2016 Jakub Jelen <jjelen@redhat.com> - 7.3p1-5 + 0.10.2-4 |
| - Build against OpenSSL 1.1.0 with compat changes |
| - Recommend crypto-policies |
| - Fix chroot dropping capabilities ( |
| |
| * Thu Sep 29 2016 Jakub Jelen <jjelen@redhat.com> - 7.3p1-4 + 0.10.2-4 |
| - Fix NULL dereference ( |
| - Include client Crypto Policy ( |
| |
| * Mon Aug 15 2016 Jakub Jelen <jjelen@redhat.com> - 7.3p1-3 + 0.10.2-4 |
| - Proper content of included configuration file |
| |
| * Tue Aug 09 2016 Jakub Jelen <jjelen@redhat.com> - 7.3p1-2 + 0.10.2-4 |
| - Fix permissions on the include directory ( |
| |
| * Tue Aug 02 2016 Jakub Jelen <jjelen@redhat.com> - 7.3p1-1 + 0.10.2-4 |
| - New upstream release ( |
| |
| * Tue Jul 26 2016 Jakub Jelen <jjelen@redhat.com> - 7.2p2-11 + 0.10.2-3 |
| - Remove slogin and sshd-keygen ( |
| - Prevent guest_t from running sudo ( |
| |
| * Mon Jul 18 2016 Jakub Jelen <jjelen@redhat.com> - 7.2p2-10 + 0.10.2-3 |
| - CVE-2016-6210: User enumeration via covert timing channel ( |
| - Expose more information about authentication to PAM |
| - Make closefrom() ignore softlinks to the /dev/ devices on s390 |
| |
| * Fri Jul 01 2016 Jakub Jelen <jjelen@redhat.com> - 7.2p2-9 + 0.10.2-3 |
| - Fix wrong detection of UseLogin in server configuration ( |
| |
| * Fri Jun 24 2016 Jakub Jelen <jjelen@redhat.com> - 7.2p2-8 + 0.10.2-3 |
| - Enable seccomp filter for MIPS architectures |
| - UseLogin=yes is not supported in Fedora |
| - SFTP server forced permissions should restore umask |
| - pam_ssh_agent_auth: Fix conflict between two getpwuid() calls ( |
| |
| * Mon Jun 06 2016 Jakub Jelen <jjelen@redhat.com> - 7.2p2-7 |
| - Fix regression in certificate-based authentication ( |
| - Check for real location of .k5login file ( |
| - Fix unchecked dereference in pam_ssh_agent_auth |
| - Clean up old patches |
| - Build with seccomp filter on ppc64(le) ( |
| |
| * Fri Apr 29 2016 Jakub Jelen <jjelen@redhat.com> - 7.2p2-6 + 0.10.2-3 |
| - Add legacy sshd-keygen for anaconda ( |
| |
| * Fri Apr 22 2016 Jakub Jelen <jjelen@redhat.com> - 7.2p2-5 + 0.10.2-3 |
| - CVE-2015-8325: ignore PAM environment vars when UseLogin=yes ( |
| - Fix typo in sysconfig/sshd ( |
| |
| * Fri Apr 15 2016 Jakub Jelen <jjelen@redhat.com> - 7.2p2-4 + 0.10.2-3 |
| - Revise socket activation and services dependencies ( |
| - Drop unused init script |
| |
| * Wed Apr 13 2016 Jakub Jelen <jjelen@redhat.com> 7.2p2-3 + 0.10.2-3 |
| - Make sshd-keygen comply with packaging guidelines ( |
| - Soft-deny socket() syscall in seccomp sandbox ( |
| - Remove *sha1 Kex in FIPS mode ( |
| - Remove *gcm ciphers in FIPS mode ( |
| |
| * Wed Apr 06 2016 Jakub Jelen <jjelen@redhat.com> 7.2p2-2 + 0.10.2-3 |
| - Fix GSSAPI Key Exchange according to RFC ( |
| - Remove init.d/functions dependency from sshd-keygen ( |
| - Do not use MD5 in pam_ssh_agent_auth in FIPS mode |
| |
| * Thu Mar 10 2016 Jakub Jelen <jjelen@redhat.com> 7.2p2-1 + 0.10.2-3 |
| - New upstream (security) release ( |
| - Clean up audit patch |
| |
| * Thu Mar 03 2016 Jakub Jelen <jjelen@redhat.com> 7.2p1-2 + 0.10.2-2 |
| - Restore slogin symlinks to preserve backward compatibility |
| |
| * Mon Feb 29 2016 Jakub Jelen <jjelen@redhat.com> 7.2p1-1 + 0.10.2-2 |
| - New upstream release ( |
| |
| * Wed Feb 24 2016 Jakub Jelen <jjelen@redhat.com> 7.1p2-4.1 + 0.10.2-1 |
| - Fix race condition in auditing events when using multiplexing ( |
| - Fix X11 forwarding CVE according to upstream |
| - Fix problem when running without privsep ( |
| - Remove hard glob limit in SFTP |
| |
| * Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 7.1p2-3.1 |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild |
| |
| * Sat Jan 30 2016 Jakub Jelen <jjelen@redhat.com> 7.1p2-3 + 0.10.2-1 |
| - Fix segfaults with pam_ssh_agent_auth ( |
| - Silently disable X11 forwarding on problems |
| - Systemd service should be forking to detect immediate failures |
| |
| * Mon Jan 25 2016 Jakub Jelen <jjelen@redhat.com> 7.1p2-2 + 0.10.2-1 |
| - Rebased to recent version of pam_ssh_agent_auth |
| - Upstream fix for CVE-2016-1908 |
| - Remove useless defattr |
| |
| * Thu Jan 14 2016 Jakub Jelen <jjelen@redhat.com> 7.1p2-1 + 0.9.2-9 |
| - New security upstream release for CVE-2016-0777 |
| |
| * Tue Jan 12 2016 Jakub Jelen <jjelen@redhat.com> 7.1p1-7 + 0.9.2-8 |
| - Change RPM define macros to global according to packaging guidelines |
| - Fix wrong handling of SSH_COPY_ID_LEGACY environment variable |
| - Update ssh-agent and ssh-keysign permissions ( |
| - Fix few problems with alternative builds without GSSAPI or openSSL |
| - Fix condition to run sshd-keygen |
| |
| * Fri Dec 18 2015 Jakub Jelen <jjelen@redhat.com> 7.1p1-6 + 0.9.2-8 |
| - Preserve IUTF8 tty mode flag over ssh connections ( |
| - Do not require sysconfig file to start service ( |
| - Update ssh-copy-id to upstream version |
| - GSSAPI Key Exchange documentation improvements |
| - Remove unused patches |
| |
| * Wed Nov 04 2015 Jakub Jelen <jjelen@redhat.com> 7.1p1-5 + 0.9.2-8 |
| - Do not set user context too many times for root logins ( |
| |
| * Thu Oct 22 2015 Jakub Jelen <jjelen@redhat.com> 7.1p1-4 + 0.9.2-8 |
| - Review SELinux user context handling after authentication ( |
| - Handle root logins the same way as other users ( |
| - Audit implicit mac, if mac is covered in cipher ( |
| - Increase size limit for remote glob over sftp |
| |
| * Fri Sep 25 2015 Jakub Jelen <jjelen@redhat.com> 7.1p1-3 + 0.9.2-8 |
| - Fix FIPS mode for DH kex ( |
| - Provide full RELRO and PIE for askpass helper ( |
| - Fix gssapi key exchange on server and client ( |
| - Allow gss-keyex root login when without-password is set (upstream |
| - Fix obsolete usage of SELinux constants ( |
| |
| * Wed Sep 09 2015 Jakub Jelen <jjelen@redhat.com> 7.1p1-2 + 0.9.2-8 |
| - Fix warnings reported by gcc related to keysign and keyAlgorithms |
| |
| * Sat Aug 22 2015 Jakub Jelen <jjelen@redhat.com> 7.1p1-1 + 0.9.2-8 |
| - New upstream release |
| |
| * Wed Aug 19 2015 Jakub Jelen <jjelen@redhat.com> 7.0p1-2 + 0.9.3-7 |
| - Fix problem with DSA keys using pam_ssh_agent_auth ( |
| - Add GSSAPIKexAlgorithms option for server and client application |
| - Possibility to validate legacy systems by more fingerprints ( |
| |
| * Wed Aug 12 2015 Jakub Jelen <jjelen@redhat.com> 7.0p1-1 + 0.9.3-7 |
| - New upstream release ( |
| - Fix pam_ssh_agent_auth package ( |
| - Security: Use-after-free bug related to PAM support ( |
| - Security: Privilege separation weakness related to PAM support ( |
| - Security: Incorrectly set TTYs to be world-writable ( |
| |
| * Tue Jul 28 2015 Jakub Jelen <jjelen@redhat.com> 6.9p1-4 + 0.9.3-6 |
| - Handle terminal control characters in scp progressmeter ( |
| |
| * Thu Jul 23 2015 Jakub Jelen <jjelen@redhat.com> 6.9p1-3 + 0.9.3-6 |
| - CVE-2015-5600: only query each keyboard-interactive device once ( |
| |
| * Wed Jul 15 2015 Jakub Jelen <jjelen@redhat.com> 6.9p1-2 + 0.9.3-6 |
| - Enable SECCOMP filter for s390* architecture ( |
| - Fix race condition when multiplexing connection ( |
| |
| * Wed Jul 01 2015 Jakub Jelen <jjelen@redhat.com> 6.9p1-1 + 0.9.3-6 |
| - New upstream release ( |
| - Increase limitation number of files which can be listed using glob in sftp |
| - Correctly revert "PermitRootLogin no" option from upstream sources ( |
| |
| * Wed Jun 24 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-9 + 0.9.3-5 |
| - Allow socketcall(SYS_SHUTDOWN) for net_child on ix86 architecture |
| |
| * Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 6.8p1-8.1 |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild |
| |
| * Mon Jun 08 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-8 + 0.9.3-5 |
| - Return stat syscall to seccomp filter ( |
| |
| * Wed Jun 03 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-7 + 0.9.3-5 |
| - Handle pam_ssh_agent_auth memory, buffers and variable sizes ( |
| |
| * Thu May 28 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-6 + 0.9.3-5 |
| - Resolve problem with pam_ssh_agent_auth after rebase ( |
| - ssh-copy-id: tcsh doesn't work with multiline strings |
| - Fix upstream memory problems |
| - Add missing options in testmode output and manual pages |
| - Provide LDIF version of LPK schema |
| - Document required selinux boolean for working ssh-ldap-helper |
| |
| * Mon Apr 20 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-5 + 0.9.3-5 |
| - Fix segfault on daemon exit caused by API change ( |
| |
| * Thu Apr 02 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-4 + 0.9.3-5 |
| - Fix audit_end_command to restore ControlPersist function ( |
| |
| * Tue Mar 31 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-3 + 0.9.3-5 |
| - Fixed issue with GSSAPI key exchange ( |
| - Add pam_namespace to sshd pam stack (based on |
| - Remove krb5-config workaround for |
| - Fix handling SELinux context in MLS systems |
| - Regression: solve sshd segfaults if other instance already running |
| |
| * Thu Mar 26 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-2 + 0.9.3-5 |
| - Update audit and gss patches after rebase |
| - Fix reintroduced upstream bug |
| |
| * Tue Mar 24 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-1 + 0.9.3-5 |
| - new upstream release openssh-6.8p1 ( |
| - Resolve segfault with auditing commands ( |
| - Workaround krb5-config bug ( |
| |
| * Thu Mar 12 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-11 + 0.9.3-4 |
| - Ability to specify LDAP filter in ldap.conf for ssh-ldap-helper |
| - Fix auditing when using combination of ForceCommand and PTY |
| - Add sftp option to force mode of created files (from rhel) |
| - Fix tmpfiles.d entries to be more consistent ( |
| |
| * Mon Mar 02 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-10 + 0.9.3-4 |
| - Add tmpfiles.d entries ( |
| |
| * Fri Feb 27 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-9 + 0.9.3-4 |
| - Adjust seccomp filter for primary architectures and solve aarch64 issue ( |
| - Solve issue with ssh-copy-id and keys without trailing newline ( |
| |
| * Tue Feb 24 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-8 + 0.9.3-4 |
| - Add AArch64 support for seccomp_filter sandbox ( |
| |
| * Mon Feb 23 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-7 + 0.9.3-4 |
| - Fix seccomp filter on architectures without getuid32 |
| |
| * Mon Feb 23 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-6 + 0.9.3-4 |
| - Update seccomp filter to work on i686 architectures ( |
| - Fix previous failing build ( |
| |
| * Sun Feb 22 2015 Peter Robinson <pbrobinson@fedoraproject.org> 6.7p1-5 + 0.9.3-4 |
| - Only use seccomp for sandboxing on supported platforms |
| |
| * Fri Feb 20 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-4 + 0.9.3-4 |
| - Move cavs tests into subpackage -cavs ( |
| |
| * Wed Feb 18 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-3 + 0.9.3-4 |
| - update coverity patch |
| - make output of sshd -T more consistent ( |
| - enable seccomp for sandboxing instead of rlimit ( |
| - update hardening to compile on gcc5 |
| - Add SSH KDF CAVS test driver ( |
| - Fix ssh-copy-id on non-sh remote shells ( |
| |
| * Tue Jan 27 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-2 + 0.9.3-4 |
| - fixed audit patch after rebase |
| |
| * Tue Jan 20 2015 Petr Lautrbach <plautrba@redhat.com> 6.7p1-1 + 0.9.3-4 |
| - new upstream release openssh-6.7p1 |
| |
| * Thu Jan 15 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-11.1 + 0.9.3-3 |
| - error message if scp when directory doesn't exist ( |
| - parsing configuration file values ( |
| - documentation in service and socket files for systemd ( |
| - updated ldap patch ( |
| - fixed vendor-patchlevel |
| - add new option GSSAPIEnablek5users and disable using ~/.k5users by default CVE-2014-9278 ( |
| |
| * Fri Dec 19 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-10 + 0.9.3-3 |
| - log via monitor in chroots without /dev/log |
| |
| * Wed Dec 03 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-9 + 0.9.3-3 |
| - the .local domain example should be in ssh_config, not in sshd_config |
| - use different values for DH for Cisco servers ( |
| |
| * Thu Nov 13 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-8 + 0.9.3-3 |
| - fix gsskex patch to correctly handle MONITOR_REQ_GSSSIGN request ( |
| |
| * Fri Nov 07 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-7 + 0.9.3-3 |
| - correct the calculation of bytes for authctxt->krb5_ccname <ams@corefiling.com> ( |
| |
| * Tue Nov 04 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-6 + 0.9.3-3 |
| - privsep_preauth: use SELinux context from selinux-policy ( |
| - change audit trail for unknown users (mindrot |
| - fix kuserok patch which checked for the existence of .k5login |
| unconditionally and hence prevented other mechanisms from being used properly |
| - revert the default of KerberosUseKuserok back to yes ( |
| - ignore SIGXFSZ in postauth monitor (mindrot |
| - sshd-keygen - don't generate DSA and ED25519 host keys in FIPS mode |
| |
| * Mon Sep 08 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-5 + 0.9.3-3 |
| - set a client's address right after a connection is set (mindrot |
| - apply RFC3454 stringprep to banners when possible (mindrot |
| - don't consider a partial success as a failure (mindrot |
| |
| * Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 6.6.1p1-4.1 |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild |
| |
| * Fri Jul 18 2014 Tom Callaway <spot@fedoraproject.org> 6.6.1p1-4 + 0.9.3-3 |
| - fix license handling (both) |
| |
| * Fri Jul 18 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-3 + 0.9.3-2 |
| - standardise on NI_MAXHOST for gethostname() string lengths ( |
| |
| * Mon Jul 14 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-2 + 0.9.3-2 |
| - add pam_reauthorize.so to sshd.pam ( |
| - spec file and patches cleanup |
| |
| * Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 6.6.1p1-1.1 |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild |
| |
| * Tue Jun 03 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-1 + 0.9.3-2 |
| - disable the curve25519 KEX when speaking to OpenSSH 6.5 or 6.6 |
| - add support for ED25519 keys to sshd-keygen and sshd.sysconfig |
| - drop openssh-server-sysvinit subpackage |
| - slightly change systemd units logic - use sshd-keygen.service ( |
| |
| * Tue Jun 03 2014 Petr Lautrbach <plautrba@redhat.com> 6.6p1-1 + 0.9.3-2 |
| - new upstream release openssh-6.6p1 |
| |
| * Thu May 15 2014 Petr Lautrbach <plautrba@redhat.com> 6.4p1-4 + 0.9.3-1 |
| - use SSH_COPY_ID_LEGACY variable to run ssh-copy-id in the legacy mode |
| - make /etc/ssh/moduli file public ( |
| - test existence of /etc/ssh/ssh_host_ecdsa_key in sshd-keygen.service |
| - don't clean up gssapi credentials by default ( |
| - ssh-agent - try CLOCK_BOOTTIME with fallback ( |
| - prevent a server from skipping SSHFP lookup - CVE-2014-2653 ( |
| - ignore environment variables with embedded '=' or '\0' characters - CVE-2014-2532 |
| ( |
| |
| * Wed Dec 11 2013 Petr Lautrbach <plautrba@redhat.com> 6.4p1-3 + 0.9.3-1 |
| - sshd-keygen - use correct permissions on ecdsa host key ( |
| - use only rsa and ecdsa host keys by default |
| |
| * Tue Nov 26 2013 Petr Lautrbach <plautrba@redhat.com> 6.4p1-2 + 0.9.3-1 |
| - fix fatal() cleanup in the audit patch ( |
| - fix parsing logic of ldap.conf file ( |
| |
| * Fri Nov 08 2013 Petr Lautrbach <plautrba@redhat.com> 6.4p1-1 + 0.9.3-1 |
| - new upstream release |
| |
| * Fri Nov 01 2013 Petr Lautrbach <plautrba@redhat.com> 6.3p1-5 + 0.9.3-7 |
| - adjust gss kex mechanism to the upstream changes ( |
| - don't use xfree in pam_ssh_agent_auth sources <geertj@gmail.com> ( |
| |
| * Fri Oct 25 2013 Petr Lautrbach <plautrba@redhat.com> 6.3p1-4 + 0.9.3-6 |
| - rebuild with the openssl with the ECC support |
| |
| * Thu Oct 24 2013 Petr Lautrbach <plautrba@redhat.com> 6.3p1-3 + 0.9.3-6 |
| - don't use SSH_FP_MD5 for fingerprints in FIPS mode |
| |
| * Wed Oct 23 2013 Petr Lautrbach <plautrba@redhat.com> 6.3p1-2 + 0.9.3-6 |
| - use default_ccache_name from /etc/krb5.conf for a kerberos cache ( |
| - increase the size of the Diffie-Hellman groups ( |
| - sshd-keygen to generate ECDSA keys <i.grok@comcast.net> ( |
| |
| * Tue Oct 15 2013 Petr Lautrbach <plautrba@redhat.com> 6.3p1-1.1 + 0.9.3-6 |
| - new upstream release ( |
| |
| * Tue Oct 08 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-9 + 0.9.3-5 |
| - use dracut-fips package to determine if a FIPS module is installed |
| - revert -fips subpackages and hmac files suffixes |
| |
| * Wed Sep 25 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-8 + 0.9.3-5 |
| - sshd-keygen: generate only RSA keys by default ( |
| - use dist tag in suffixes for hmac checksum files |
| |
| * Wed Sep 11 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-7 + 0.9.3-5 |
| - use hmac_suffix for ssh{,d} hmac checksums |
| - bump the minimum value of SSH_USE_STRONG_RNG to 14 according to SP800-131A |
| - automatically restart sshd.service on-failure after 42s interval |
| |
| * Thu Aug 29 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-6.1 + 0.9.3-5 |
| - add -fips subpackages that contains the FIPS module files |
| |
| * Wed Jul 31 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-5 + 0.9.3-5 |
| - gssapi credentials need to be stored before a pam session opened ( |
| |
| * Tue Jul 23 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-4 + 0.9.3-5 |
| - don't show Success for EAI_SYSTEM ( |
| - make sftp's libedit interface marginally multibyte aware ( |
| |
| * Mon Jun 17 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-3 + 0.9.3-5 |
| - move default gssapi cache to /run/user/<uid> ( |
| |
| * Tue May 21 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-2 + 0.9.3-5 |
| - add socket activated sshd units to the package ( |
| - fix the example in the HOWTO.ldap-keys |
| |
| * Mon May 20 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-1 + 0.9.3-5 |
| - new upstream release ( |
| |
| * Wed Apr 17 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p1-4 + 0.9.3-4 |
| - don't use export in sysconfig file ( |
| |
| * Tue Apr 16 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p1-3 + 0.9.3-4 |
| - sshd.service: use KillMode=process ( |
| - add latest config.{sub,guess} to support aarch64 ( |
| |
| * Tue Apr 09 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p1-2 + 0.9.3-4 |
| - keep track of which IdentityFile options were manually supplied and |
| which were default options, and don't warn if the latter are missing. |
| (mindrot |
| |
| * Tue Apr 09 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p1-1 + 0.9.3-4 |
| - new upstream release ( |
| |
| * Wed Mar 06 2013 Petr Lautrbach <plautrba@redhat.com> 6.1p1-7 + 0.9.3-3 |
| - use SELinux type sshd_net_t for [net] children ( |
| |
| * Thu Feb 14 2013 Petr Lautrbach <plautrba@redhat.com> 6.1p1-6 + 0.9.3-3 |
| - fix AuthorizedKeysCommand option |
| |
| * Fri Feb 08 2013 Petr Lautrbach <plautrba@redhat.com> 6.1p1-5 + 0.9.3-3 |
| - change default value of MaxStartups - CVE-2010-5107 ( |
| |
| * Mon Dec 03 2012 Petr Lautrbach <plautrba@redhat.com> 6.1p1-4 + 0.9.3-3 |
| - fix segfault in openssh-5.8p2-force_krb.patch ( |
| |
| * Mon Dec 03 2012 Petr Lautrbach <plautrba@redhat.com> 6.1p1-3 + 0.9.3-3 |
| - replace RequiredAuthentications2 with AuthenticationMethods based on upstream |
| - obsolete RequiredAuthentications[12] options |
| - fix openssh-6.1p1-privsep-selinux.patch |
| |
| * Fri Oct 26 2012 Petr Lautrbach <plautrba@redhat.com> 6.1p1-2 |
| - add SELinux comment to /etc/ssh/sshd_config about SELinux command to modify port ( |
| - drop required chkconfig ( |
| - drop openssh-5.9p1-sftp-chroot.patch ( |
| |
| * Sat Sep 15 2012 Petr Lautrbach <plautrba@redhat.com> 6.1p1-1 + 0.9.3-3 |
| - new upstream release ( |
| - use DIR: kerberos type cache ( |
| - don't use chroot_user_t for chrooted users ( |
| - replace scriptlets with systemd macros ( |
| - don't use /bin and /sbin paths ( |
| |
| * Mon Aug 06 2012 Petr Lautrbach <plautrba@redhat.com> 6.0p1-1 + 0.9.3-2 |
| - new upstream release |
| |
| * Mon Aug 06 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-26 + 0.9.3-1 |
| - change SELinux context also for root user ( |
| |
| * Fri Jul 27 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-25 + 0.9.3-1 |
| - fix various issues in openssh-5.9p1-required-authentications.patch |
| |
| * Tue Jul 17 2012 Tomas Mraz <tmraz@redhat.com> 5.9p1-24 + 0.9.3-1 |
| - allow sha256 and sha512 hmacs in the FIPS mode |
| |
| * Fri Jun 22 2012 Tomas Mraz <tmraz@redhat.com> 5.9p1-23 + 0.9.3-1 |
| - fix segfault in su when pam_ssh_agent_auth is used and the ssh-agent |
| is not running, most probably not exploitable |
| - update pam_ssh_agent_auth to 0.9.3 upstream version |
| |
| * Fri Apr 06 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-22 + 0.9.2-32 |
| - don't create RSA1 key in FIPS mode |
| - don't install sshd-keygen.service ( |
| |
| * Fri Mar 30 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-21 + 0.9.2-32 |
| - fix various issues in openssh-5.9p1-required-authentications.patch |
| |
| * Wed Mar 21 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-20 + 0.9.2-32 |
| - Fix dependencies in systemd units, don't enable sshd-keygen.service ( |
| |
| * Wed Feb 22 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-19 + 0.9.2-32 |
| - Look for x11 forward sockets with AI_ADDRCONFIG flag getaddrinfo ( |
| |
| * Mon Feb 06 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-18 + 0.9.2-32 |
| - replace TwoFactorAuth with RequiredAuthentications[12] |
| https://bugzilla.mindrot.org/show_bug.cgi?id=983 |
| |
| * Tue Jan 31 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-17 + 0.9.2-32 |
| - run privsep slave process as the users SELinux context ( |
| |
| * Tue Dec 13 2011 Tomas Mraz <tmraz@redhat.com> 5.9p1-16 + 0.9.2-32 |
| - add CAVS test driver for the aes-ctr ciphers |
| |
| * Sun Dec 11 2011 Tomas Mraz <tmraz@redhat.com> 5.9p1-15 + 0.9.2-32 |
| - enable aes-ctr ciphers to use the EVP engines from OpenSSL, such as AES-NI |
| |
| * Tue Dec 06 2011 Petr Lautrbach <plautrba@redhat.com> 5.9p1-14 + 0.9.2-32 |
| - warn about unsupported option UsePAM=no ( |
| |
| * Mon Nov 21 2011 Tomas Mraz <tmraz@redhat.com> - 5.9p1-13 + 0.9.2-32 |
| - add back the restorecon call to ssh-copy-id - it might be needed on older |
| distributions ( |
| |
| * Fri Nov 18 2011 Tomas Mraz <tmraz@redhat.com> - 5.9p1-12 + 0.9.2-32 |
| - still support /etc/sysconfig/sshd loading in sshd service ( |
| - fix incorrect key permissions generated by sshd-keygen script ( |
| |
| * Fri Oct 14 2011 Tomas Mraz <tmraz@redhat.com> - 5.9p1-11 + 0.9.2-32 |
| - remove unnecessary requires on initscripts |
| - set VerifyHostKeyDNS to ask in the default configuration ( |
| |
| * Mon Sep 19 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-10 + 0.9.2-32 |
| - selinux sandbox rewrite |
| - two factor authentication tweaking |
| |
| * Wed Sep 14 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-9 + 0.9.2-32 |
| - coverity upgrade |
| - wipe off nonfunctional nss |
| - selinux sandbox tweaking |
| |
| * Tue Sep 13 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-8 + 0.9.2-32 |
| - coverity upgrade |
| - experimental selinux sandbox |
| |
| * Tue Sep 13 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-7 + 0.9.2-32 |
| - fully reenable auditing |
| |
| * Mon Sep 12 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-6 + 0.9.2-32 |
| - repair signedness in akc patch |
| |
| * Mon Sep 12 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-5 + 0.9.2-32 |
| - temporarily disable part of audit4 patch |
| |
| * Fri Sep 9 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-3 + 0.9.2-32 |
| - Coverity second pass |
| - Reenable akc patch |
| |
| * Thu Sep 8 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-2 + 0.9.2-32 |
| - Coverity first pass |
| |
| * Wed Sep 7 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-1 + 0.9.2-32 |
| - Rebase to 5.9p1 |
| - Add chroot sftp patch |
| - Add two factor auth patch |
| |
| * Tue Aug 23 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-21 + 0.9.2-31 |
| - ignore SIGPIPE in ssh keyscan |
| |
| * Tue Aug 9 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-20 + 0.9.2-31 |
| - save ssh-askpass's debuginfo |
| |
| * Mon Aug 8 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-19 + 0.9.2-31 |
| - compile ssh-askpass with correct CFLAGS |
| |
| * Mon Aug 8 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-18 + 0.9.2-31 |
| - improve selinux's change context log |
| |
| * Mon Aug 8 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-17 + 0.9.2-31 |
| - repair broken man pages |
| |
| * Mon Jul 25 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-16 + 0.9.2-31 |
| - rebuild due to broken rpmbuild |
| |
| * Thu Jul 21 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-15 + 0.9.2-31 |
| - Do not change context when run under unconfined_t |
| |
| * Thu Jul 14 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-14 + 0.9.2-31 |
| - Add postlogin to pam. ( |
| |
| * Tue Jun 28 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-12 + 0.9.2-31 |
| - Systemd compatibility according to Mathieu Bridon <bochecha@fedoraproject.org> |
| - Split out the host keygen into their own command, to ease future migration |
| to systemd. Compatibility with the init script was kept. |
| - Migrate the package to full native systemd unit files, according to the Fedora |
| packaging guidelines. |
| - Prepare the unit files for running an on-demand server. (do not actually add it) |
| |
| * Tue Jun 21 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-10 + 0.9.2-31 |
| - Mention IPv6 usage in man pages |
| |
| * Mon Jun 20 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-9 + 0.9.2-31 |
| - Improve init script |
| |
| * Thu Jun 16 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-7 + 0.9.2-31 |
| - Add possibility to compile openssh without downstream patches |
| |
| * Thu Jun 9 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-6 + 0.9.2-31 |
| - remove stale control sockets ( |
| |
| * Tue May 31 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-5 + 0.9.2-31 |
| - improve entropy manuals |
| |
| * Fri May 27 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-4 + 0.9.2-31 |
| - improve entropy handling |
| - concat ldap patches |
| |
| * Tue May 24 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-3 + 0.9.2-31 |
| - improve ldap manuals |
| |
| * Mon May 23 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-2 + 0.9.2-31 |
| - add gssapi forced command |
| |
| * Tue May 3 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-1 + 0.9.2-31 |
| - update the openssh version |
| |
| * Thu Apr 28 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-34 + 0.9.2-30 |
| - temporarily disabling systemd units |
| |
| * Wed Apr 27 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-33 + 0.9.2-30 |
| - add flags AI_V4MAPPED and AI_ADDRCONFIG to getaddrinfo |
| |
| * Tue Apr 26 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-32 + 0.9.2-30 |
| - update scriptlets |
| |
| * Fri Apr 22 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-30 + 0.9.2-30 |
| - add systemd units |
| |
| * Fri Apr 22 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-28 + 0.9.2-30 |
| - improving sshd -> passwd transition |
| - add template for .local domain to sshd_config |
| |
| * Thu Apr 21 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-27 + 0.9.2-30 |
| - the private keys may be 640 root:ssh_keys; ssh_keysign is sgid |
| |
| * Wed Apr 20 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-26 + 0.9.2-30 |
| - improving sshd -> passwd transition |
| |
| * Tue Apr 5 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-25 + 0.9.2-30 |
| - the intermediate context is set to sshd_sftpd_t |
| - do not crash in packet.c if no connection |
| |
| * Thu Mar 31 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-24 + 0.9.2-30 |
| - resolve warnings in port_linux.c |
| |
| * Tue Mar 29 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-23 + 0.9.2-30 |
| - add /etc/sysconfig/sshd |
| |
| * Mon Mar 28 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-22 + 0.9.2-30 |
| - improve reseeding and seed source (documentation) |
| |
| * Tue Mar 22 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-20 + 0.9.2-30 |
| - use /dev/random or /dev/urandom for seeding prng |
| - improve periodical reseeding of random generator |
| |
| * Thu Mar 17 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-18 + 0.9.2-30 |
| - add periodical reseeding of random generator |
| - change selinux context for internal sftp in do_usercontext |
| - exit(0) after sigterm |
| |
| * Thu Mar 10 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-17 + 0.9.2-30 |
| - improve ssh-ldap (documentation) |
| |
| * Tue Mar 8 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-16 + 0.9.2-30 |
| - improve session keys audit |
| |
| * Mon Mar 7 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-15 + 0.9.2-30 |
| - CVE-2010-4755 |
| |
| * Fri Mar 4 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-14 + 0.9.2-30 |
| - improve ssh-keycat (documentation) |
| |
| * Thu Mar 3 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-13 + 0.9.2-30 |
| - improve audit of logins and auths |
| |
| * Tue Mar 1 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-12 + 0.9.2-30 |
| - improve ssh-keycat |
| |
| * Mon Feb 28 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-11 + 0.9.2-30 |
| - add ssh-keycat |
| |
| * Fri Feb 25 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-10 + 0.9.2-30 |
| - reenable auth-keys ldap backend |
| |
| * Fri Feb 25 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-9 + 0.9.2-30 |
| - further audit improvements |
| |
| * Thu Feb 24 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-8 + 0.9.2-30 |
| - further audit improvements |
| - switchable fingerprint mode |
| |
| * Thu Feb 17 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-4 + 0.9.2-30 |
| - improve audit of server key management |
| |
| * Wed Feb 16 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-3 + 0.9.2-30 |
| - improve audit of logins and auths |
| |
| * Mon Feb 14 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-1 + 0.9.2-30 |
| - bump openssh version to 5.8p1 |
| |
| * Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.6p1-30.1 |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild |
| |
| * Mon Feb 7 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-30 + 0.9.2-29 |
| - clean the data structures in the non privileged process |
| - clean the data structures when roaming |
| |
| * Wed Feb 2 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-28 + 0.9.2-29 |
| - clean the data structures in the privileged process |
| |
| * Tue Jan 25 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-25 + 0.9.2-29 |
| - clean the data structures before exit net process |
| |
| * Mon Jan 17 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-24 + 0.9.2-29 |
| - make audit compatible with the fips mode |
| |
| * Fri Jan 14 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-23 + 0.9.2-29 |
| - add audit of destruction of the server keys |
| |
| * Wed Jan 12 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-22 + 0.9.2-29 |
| - add audit of destruction of the session keys |
| |
| * Fri Dec 10 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-21 + 0.9.2-29 |
| - reenable run sshd as non root user |
| - reenable rekeying |
| |
| * Wed Nov 24 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-20 + 0.9.2-29 |
| - repair clientloop crash ( |
| - properly restore euid in case connect to the ssh-agent socket fails |
| |
| * Mon Nov 22 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-19 + 0.9.2-28 |
| - stripped read permissions from suid and sgid binaries |
| |
| * Mon Nov 15 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-18 + 0.9.2-27 |
| - used upstream version of the biguid patch |
| |
| * Mon Nov 15 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-17 + 0.9.2-27 |
| - improved kuserok patch |
| |
| * Fri Nov 5 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-16 + 0.9.2-27 |
| - add auditing of the host based key usage |
| - repair X11 abstract layer socket ( |
| |
| * Wed Nov 3 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-15 + 0.9.2-27 |
| - add auditing the kex result |
| |
| * Tue Nov 2 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-14 + 0.9.2-27 |
| - add auditing of the key usage |
| |
| * Wed Oct 20 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-12 + 0.9.2-27 |
| - update gsskex patch ( |
| |
| * Wed Oct 20 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-11 + 0.9.2-27 |
| - rebase linux audit according to upstream |
| |
| * Fri Oct 1 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-10 + 0.9.2-27 |
| - add missing headers to linux audit |
| |
| * Wed Sep 29 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-9 + 0.9.2-27 |
| - audit module now uses openssh audit framework |
| |
| * Wed Sep 15 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-8 + 0.9.2-27 |
| - Add the GSSAPI kuserok switch to the kuserok patch |
| |
| * Wed Sep 15 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-7 + 0.9.2-27 |
| - Repaired the kuserok patch |
| |
| * Mon Sep 13 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-6 + 0.9.2-27 |
| - Repaired the problem with putting entries with very big uid into lastlog |
| |
| * Mon Sep 13 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-5 + 0.9.2-27 |
| - Merging selabel patch with the upstream version. ( |
| |
| * Mon Sep 13 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-4 + 0.9.2-27 |
| - Tweaking selabel patch to work properly without selinux rules loaded. ( |
| |
| * Wed Sep 8 2010 Tomas Mraz <tmraz@redhat.com> - 5.6p1-3 + 0.9.2-27 |
| - Make fipscheck hmacs compliant with FHS - requires new fipscheck |
| |
| * Fri Sep 3 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-2 + 0.9.2-27 |
| - Added -z relro -z now to LDFLAGS |
| |
| * Fri Sep 3 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-1 + 0.9.2-27 |
| - Rebased to openssh5.6p1 |
| |
| * Wed Jul 7 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-18 + 0.9.2-26 |
| - merged with newer bugzilla's version of authorized keys command patch |
| |
| * Wed Jun 30 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-17 + 0.9.2-26 |
| - improved the x11 patch according to upstream ( |
| |
| * Fri Jun 25 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-16 + 0.9.2-26 |
| - improved the x11 patch ( |
| |
| * Thu Jun 24 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-15 + 0.9.2-26 |
| - changed _PATH_UNIX_X to nonexistent file name ( |
| |
| * Wed Jun 23 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-14 + 0.9.2-26 |
| - sftp works in deviceless chroot again (broken from 5.5p1-3) |
| |
| * Tue Jun 8 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-13 + 0.9.2-26 |
| - add option to switch out krb5_kuserok |
| |
| * Fri May 21 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-12 + 0.9.2-26 |
| - synchronize uid and gid for the user sshd |
| |
| * Thu May 20 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-11 + 0.9.2-26 |
| - Typo in ssh-ldap.conf(5) and ssh-ldap-helper(8) |
| |
| * Fri May 14 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-10 + 0.9.2-26 |
| - Repair the reference in man ssh-ldap-helper(8) |
| - Repair the PubkeyAgent section in sshd_config(5) |
| - Provide example ldap.conf |
| |
| * Thu May 13 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-9 + 0.9.2-26 |
| - Make the Ldap configuration widely compatible |
| - create the additional docs for LDAP support. |
| |
| * Thu May 6 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-8 + 0.9.2-26 |
| - Make LDAP config elements TLS_CACERT and TLS_REQCERT compatible with pam_ldap ( |
| |
| * Thu May 6 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-7 + 0.9.2-26 |
| - Make LDAP config element tls_checkpeer compatible with nss_ldap ( |
| |
| * Tue May 4 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-6 + 0.9.2-26 |
| - Comment spec.file |
| - Sync patches from upstream |
| |
| * Mon May 3 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-5 + 0.9.2-26 |
| - Create separate ldap package |
| - Tweak the ldap patch |
| - Rename stderr patch properly |
| |
| * Thu Apr 29 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-4 + 0.9.2-26 |
| - Added LDAP support |
| |
| * Mon Apr 26 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-3 + 0.9.2-26 |
| - Ignore .bashrc output to stderr in the subsystems |
| |
| * Tue Apr 20 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-2 + 0.9.2-26 |
| - Drop dependency on man |
| |
| * Fri Apr 16 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-1 + 0.9.2-26 |
| - Update to 5.5p1 |
| |
| * Fri Mar 12 2010 Jan F. Chadima <jchadima@redhat.com> - 5.4p1-3 + 0.9.2-25 |
| - repair configure script of pam_ssh_agent |
| - repair error message in ssh-keygen |
| |
| * Fri Mar 12 2010 Jan F. Chadima <jchadima@redhat.com> - 5.4p1-2 |
| - source krb5-devel profile script only if exists |
| |
| * Tue Mar 9 2010 Jan F. Chadima <jchadima@redhat.com> - 5.4p1-1 |
| - Update to 5.4p1 |
| - discontinued support for nss-keys |
| - discontinued support for scard |
| |
| * Wed Mar 3 2010 Jan F. Chadima <jchadima@redhat.com> - 5.4p1-0.snap20100302.1 |
| - Prepare update to 5.4p1 |
| |
| * Mon Feb 15 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-22 |
| - ImplicitDSOLinking ( |
| |
| * Fri Jan 29 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-21 |
| - Allow use of hardware crypto if available ( |
| |
| * Mon Jan 25 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-20 |
| - optimized FD_CLOEXEC on accept socket ( |
| |
| * Mon Jan 25 2010 Tomas Mraz <tmraz@redhat.com> - 5.3p1-19 |
| - updated pam_ssh_agent_auth to new version from upstream (just |
| a licence change) |
| |
| * Thu Jan 21 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-18 |
| - optimized RAND_cleanup patch ( |
| |
| * Wed Jan 20 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-17 |
| - add RAND_cleanup at the exit of each program using RAND ( |
| |
| * Tue Jan 19 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-16 |
| - set FD_CLOEXEC on accepted socket ( |
| |
| * Fri Jan 8 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-15 |
| - replaced define by global in macros |
| |
| * Tue Jan 5 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-14 |
| - Update the pka patch |
| |
| * Mon Dec 21 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-13 |
| - Update the audit patch |
| |
| * Fri Dec 4 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-12 |
| - Add possibility to autocreate only RSA key into initscript ( |
| |
| * Fri Nov 27 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-11 |
| - Prepare NSS key patch for future SEC_ERROR_LOCKED_PASSWORD ( |
| |
| * Tue Nov 24 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-10 |
| - Update NSS key patch ( |
| |
| * Fri Nov 20 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-9 |
| - Add gssapi key exchange patch ( |
| |
| * Fri Nov 20 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-8 |
| - Add public key agent patch ( |
| |
| * Mon Nov 2 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-7 |
| - Repair canohost patch to allow gssapi to work when host is accessed via pipe proxy ( |
| |
| * Thu Oct 29 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-6 |
| - Modify the init script to prevent it from hanging while generating the keys ( |
| |
| * Tue Oct 27 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-5 |
| - Add README.nss |
| |
| * Mon Oct 19 2009 Tomas Mraz <tmraz@redhat.com> - 5.3p1-4 |
| - Add pam_ssh_agent_auth module to a subpackage. |
| |
| * Fri Oct 16 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-3 |
| - Reenable audit. |
| |
| * Fri Oct 2 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-2 |
| - Upgrade to new version 5.3p1 |
| |
| * Tue Sep 29 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-29 |
| - Resolve locking in ssh-add ( |
| |
| * Thu Sep 24 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-28 |
| - Repair initscript to accord with guidelines ( |
| - Add bugzilla |
| |
| * Wed Sep 16 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-26 |
| - Changed pam stack to password-auth |
| |
| * Fri Sep 11 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-25 |
| - Dropped homechroot patch |
| |
| * Mon Sep 7 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-24 |
| - Add check for nosuid, nodev in homechroot |
| |
| * Tue Sep 1 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-23 |
| - add correct patch for ip-opts |
| |
| * Tue Sep 1 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-22 |
| - replace ip-opts patch by an upstream candidate version |
| |
| * Mon Aug 31 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-21 |
| - rearrange selinux patch to be acceptable for upstream |
| - replace sesftp patch by an upstream version |
| |
| * Fri Aug 28 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-20 |
| - merged xmodifiers to redhat patch |
| - merged gssapi-role to selinux patch |
| - merged cve-2007_3102 to audit patch |
| - sesftp patch only with WITH_SELINUX flag |
| - rearrange sesftp patch according to upstream request |
| |
| * Wed Aug 26 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-19 |
| - minor change in sesftp patch |
| |
| * Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 5.2p1-18 |
| - rebuilt with new openssl |
| |
| * Thu Jul 30 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-17 |
| - Added dnssec support. ( |
| |
| * Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.2p1-16 |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild |
| |
| * Fri Jul 24 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-15 |
| - only INTERNAL_SFTP can be home-chrooted |
| - save _u and _r parts of context changing to sftpd_t |
| |
| * Fri Jul 17 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-14 |
| - changed internal-sftp context to sftpd_t |
| |
| * Fri Jul 3 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-13 |
| - changed home length path patch to upstream version |
| |
| * Tue Jun 30 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-12 |
| - create '~/.ssh/known_hosts' within proper context |
| |
| * Mon Jun 29 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-11 |
| - length of home path in ssh now limited by PATH_MAX |
| - correct timezone with daylight processing |
| |
| * Sat Jun 27 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-10 |
| - final version chroot %%h (sftp only) |
| |
| * Tue Jun 23 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-9 |
| - repair broken ls in chroot %%h |
| |
| * Fri Jun 12 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-8 |
| - add XMODIFIERS to exported environment ( |
| |
| * Fri May 15 2009 Tomas Mraz <tmraz@redhat.com> - 5.2p1-6 |
| - allow only protocol 2 in the FIPS mode |
| |
| * Thu Apr 30 2009 Tomas Mraz <tmraz@redhat.com> - 5.2p1-5 |
| - do integrity verification only on binaries which are part |
| of the OpenSSH FIPS modules |
| |
| * Mon Apr 20 2009 Tomas Mraz <tmraz@redhat.com> - 5.2p1-4 |
| - log if FIPS mode is initialized |
| - make aes-ctr cipher modes work in the FIPS mode |
| |
| * Fri Apr 3 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-3 |
| - fix logging after chroot |
| - enable non root users to use chroot %%h in internal-sftp |
| |
| * Fri Mar 13 2009 Tomas Mraz <tmraz@redhat.com> - 5.2p1-2 |
| - add AES-CTR ciphers to the FIPS mode proposal |
| |
| * Mon Mar 9 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-1 |
| - upgrade to new upstream release |
| |
| * Thu Feb 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.1p1-8 |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild |
| |
| * Thu Feb 12 2009 Tomas Mraz <tmraz@redhat.com> - 5.1p1-7 |
| - drop obsolete triggers |
| - add testing FIPS mode support |
| - LSBize the initscript ( |
| |
| * Fri Jan 30 2009 Tomas Mraz <tmraz@redhat.com> - 5.1p1-6 |
| - enable use of ssl engines ( |
| |
| * Thu Jan 15 2009 Tomas Mraz <tmraz@redhat.com> - 5.1p1-5 |
| - remove obsolete --with-rsh ( |
| - add pam_sepermit to allow blocking confined users in permissive mode |
| ( |
| - move system-auth after pam_selinux in the session stack |
| |
| * Thu Dec 11 2008 Tomas Mraz <tmraz@redhat.com> - 5.1p1-4 |
| - set FD_CLOEXEC on channel sockets ( |
| - adjust summary |
| - adjust nss-keys patch so it is applicable without selinux patches ( |
| |
| * Fri Oct 17 2008 Tomas Mraz <tmraz@redhat.com> - 5.1p1-3 |
| - fix compatibility with some servers ( |
| |
| * Thu Jul 31 2008 Tomas Mraz <tmraz@redhat.com> - 5.1p1-2 |
| - fixed zero length banner problem ( |
| |
| * Wed Jul 23 2008 Tomas Mraz <tmraz@redhat.com> - 5.1p1-1 |
| - upgrade to new upstream release |
| - fixed a problem with public key authentication and explicitly |
| specified SELinux role |
| |
| * Wed May 21 2008 Tomas Mraz <tmraz@redhat.com> - 5.0p1-3 |
| - pass the connection socket to ssh-keysign ( |
| |
| * Mon May 19 2008 Tomas Mraz <tmraz@redhat.com> - 5.0p1-2 |
| - add LANGUAGE to accepted/sent environment variables ( |
| - use pam_selinux to obtain the user context instead of doing it itself |
| - unbreak server keep alive settings (patch from upstream) |
| - small addition to scp manpage |
| |
| * Mon Apr 7 2008 Tomas Mraz <tmraz@redhat.com> - 5.0p1-1 |
| - upgrade to new upstream ( |
| - prevent initscript from killing itself on halt with upstart ( |
| - initscript status should show that the daemon is running |
| only when the main daemon is still alive ( |
| |
| * Thu Mar 6 2008 Tomas Mraz <tmraz@redhat.com> - 4.7p1-10 |
| - fix race on control master and cleanup stale control socket ( |
| patches by David Woodhouse |
| |
| * Fri Feb 29 2008 Tomas Mraz <tmraz@redhat.com> - 4.7p1-9 |
| - set FD_CLOEXEC on client socket |
| - apply real fix for window size problem ( |
| - apply fix for the spurious failed bind from upstream |
| - apply open handle leak in sftp fix from upstream |
| |
| * Tue Feb 12 2008 Dennis Gilmore <dennis@ausil.us> - 4.7p1-8 |
| - we build for sparcv9 now and it needs -fPIE |
| |
| * Thu Jan 3 2008 Tomas Mraz <tmraz@redhat.com> - 4.7p1-7 |
| - fix gssapi auth with explicit selinux role requested ( |
| by Nalin Dahyabhai |
| |
| * Tue Dec 4 2007 Tomas Mraz <tmraz@redhat.com> - 4.7p1-6 |
| - explicitly source krb5-devel profile script |
| |
| * Tue Dec 04 2007 Release Engineering <rel-eng at fedoraproject dot org> - 4.7p1-5 |
| - Rebuild for openssl bump |
| |
| * Tue Nov 20 2007 Tomas Mraz <tmraz@redhat.com> - 4.7p1-4 |
| - do not copy /etc/localtime into the chroot as it is not |
| necessary anymore ( |
| - call setkeycreatecon when selinux context is established |
| - test for NULL privk when freeing key ( |
| Pierre Ossman |
| |
| * Mon Sep 17 2007 Tomas Mraz <tmraz@redhat.com> - 4.7p1-2 |
| - revert default window size adjustments ( |
| |
| * Thu Sep 6 2007 Tomas Mraz <tmraz@redhat.com> - 4.7p1-1 |
| - upgrade to latest upstream |
| - use libedit in sftp ( |
| - fixed audit log injection problem (CVE-2007-3102) |
| |
| * Thu Aug 9 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-8 |
| - fix sftp client problems on write error ( |
| - allow disabling autocreation of server keys ( |
| |
| * Wed Jun 20 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-7 |
| - experimental NSS keys support |
| - correctly setup context when empty level requested ( |
| |
| * Tue Mar 20 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-6 |
| - mls level check must be done with default role same as requested |
| |
| * Mon Mar 19 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-5 |
| - make profile.d/gnome-ssh-askpass.* regular files ( |
| |
| * Tue Feb 27 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-4 |
| - reject connection if requested mls range is not obtained ( |
| |
| * Thu Feb 22 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-3 |
| - improve Buildroot |
| - remove duplicate /etc/ssh from files |
| |
| * Tue Jan 16 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-2 |
| - support mls on labeled networks ( |
| - support mls level selection on unlabeled networks |
| - allow / in usernames in scp (only beginning /, ./, and ../ is special) |
| |
| * Thu Dec 21 2006 Tomas Mraz <tmraz@redhat.com> - 4.5p1-1 |
| - update to 4.5p1 ( |
| |
| * Thu Nov 30 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-14 |
| - fix gssapi with DNS loadbalanced clusters ( |
| |
| * Tue Nov 28 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-13 |
| - improved pam_session patch so it doesn't regress, the patch is necessary |
| for the pam_session_close to be called correctly as uid 0 |
| |
| * Fri Nov 10 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-12 |
| - CVE-2006-5794 - properly detect failed key verify in monitor ( |
| |
| * Thu Nov 2 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-11 |
| - merge sshd initscript patches |
| - kill all ssh sessions when stop is called in halt or reboot runlevel |
| - remove -TERM option from killproc so we don't race on sshd restart |
| |
| * Mon Oct 2 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-10 |
| - improve gssapi-no-spnego patch ( |
| - CVE-2006-4924 - prevent DoS on deattack detector ( |
| - CVE-2006-5051 - don't call cleanups from signal handler ( |
| |
| * Wed Aug 23 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-9 |
| - don't report duplicate syslog messages, use correct local time ( |
| - don't allow spnego as gssapi mechanism (from upstream) |
| - fixed memleaks found by Coverity (from upstream) |
| - allow ip options except source routing ( |
| |
| * Tue Aug 8 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-8 |
| - drop the pam-session patch from the previous build ( |
| - don't set IPV6_V6ONLY sock opt when listening on wildcard addr ( |
| |
| * Thu Jul 20 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-7 |
| - dropped old ssh obsoletes |
| - call the pam_session_open/close from the monitor when privsep is |
| enabled so it is always called as root (patch by Darren Tucker) |
| |
| * Mon Jul 17 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-6 |
| - improve selinux patch (by Jan Kiszka) |
| - upstream patch for buffer append space error ( |
| - fixed typo in configure.ac ( |
| - added pam_keyinit to pam configuration ( |
| - improved error message when askpass dialog cannot grab |
| keyboard input ( |
| - buildrequires xauth instead of xorg-x11-xauth |
| - fixed a few rpmlint warnings |
| |
| * Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 4.3p2-5.1 |
| - rebuild |
| |
| * Fri Apr 14 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-5 |
| - don't request pseudoterminal allocation if stdin is not tty ( |
| |
| * Thu Mar 2 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-4 |
| - allow access if audit is not compiled in kernel ( |
| |
| * Fri Feb 24 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-3 |
| - enable the subprocess in chroot to send messages to system log |
| - sshd should prevent login if audit call fails |
| |
| * Tue Feb 21 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-2 |
| - print error from scp if not remote (patch by Bjorn Augustsson |
| |
| * Mon Feb 13 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-1 |
| - new version |
| |
| * Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 4.3p1-2.1 |
| - bump again for double-long bug on ppc(64) |
| |
| * Mon Feb 6 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p1-2 |
| - fixed another place where syslog was called in signal handler |
| - pass locale environment variables to server, accept them there ( |
| |
| * Wed Feb 1 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p1-1 |
| - new version, dropped obsolete patches |
| |
| * Tue Dec 20 2005 Tomas Mraz <tmraz@redhat.com> - 4.2p1-10 |
| - hopefully make the askpass dialog less confusing ( |
| |
| * Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com> |
| - rebuilt |
| |
| * Tue Nov 22 2005 Tomas Mraz <tmraz@redhat.com> - 4.2p1-9 |
| - drop x11-ssh-askpass from the package |
| - drop old build_6x ifs from spec file |
| - improve gnome-ssh-askpass so it doesn't reveal number of passphrase |
| characters to person looking at the display |
| - less hackish fix for the __USE_GNU problem |
| |
| * Fri Nov 18 2005 Nalin Dahyabhai <nalin@redhat.com> - 4.2p1-8 |
| - work around missing gccmakedep by wrapping makedepend in a local script |
| - remove now-obsolete build dependency on "xauth" |
| |
| * Thu Nov 17 2005 Warren Togami <wtogami@redhat.com> - 4.2p1-7 |
| - xorg-x11-devel -> libXt-devel |
| - rebuild for new xauth location so X forwarding works |
| - buildreq audit-libs-devel |
| - buildreq automake for aclocal |
| - buildreq imake for xmkmf |
| - -D_GNU_SOURCE in flags in order to get it to build |
| Ugly hack to workaround openssh defining __USE_GNU which is |
| not allowed and causes problems according to Ulrich Drepper |
| fix this the correct way after FC5test1 |
| |
| * Wed Nov 9 2005 Jeremy Katz <katzj@redhat.com> - 4.2p1-6 |
| - rebuild against new openssl |
| |
| * Fri Oct 28 2005 Tomas Mraz <tmraz@redhat.com> 4.2p1-5 |
| - put back the possibility to skip SELinux patch |
| - add patch for user login auditing by Steve Grubb |
| |
| * Tue Oct 18 2005 Dan Walsh <dwalsh@redhat.com> 4.2p1-4 |
| - Change selinux patch to use get_default_context_with_rolelevel in libselinux. |
| |
| * Thu Oct 13 2005 Tomas Mraz <tmraz@redhat.com> 4.2p1-3 |
| - Update selinux patch to use getseuserbyname |
| |
| * Fri Oct 7 2005 Tomas Mraz <tmraz@redhat.com> 4.2p1-2 |
| - use include instead of pam_stack in pam config |
| - use fork+exec instead of system in scp - CVE-2006-0225 ( |
| - upstream patch for displaying authentication errors |
| |
| * Tue Sep 06 2005 Tomas Mraz <tmraz@redhat.com> 4.2p1-1 |
| - upgrade to a new upstream version |
| |
| * Tue Aug 16 2005 Tomas Mraz <tmraz@redhat.com> 4.1p1-5 |
| - use x11-ssh-askpass if openssh-askpass-gnome is not installed ( |
| - install ssh-copy-id from contrib ( |
| |
| * Wed Jul 27 2005 Tomas Mraz <tmraz@redhat.com> 4.1p1-4 |
| - don't deadlock on exit with multiple X forwarded channels ( |
| - don't use X11 port which can't be bound on all IP families ( |
| |
| * Wed Jun 29 2005 Tomas Mraz <tmraz@redhat.com> 4.1p1-3 |
| - fix small regression caused by the nologin patch ( |
| - fix race in getpeername error checking (mindrot |
| |
| * Thu Jun 9 2005 Tomas Mraz <tmraz@redhat.com> 4.1p1-2 |
| - use only pam_nologin for nologin testing |
| |
| * Mon Jun 6 2005 Tomas Mraz <tmraz@redhat.com> 4.1p1-1 |
| - upgrade to a new upstream version |
| - call pam_loginuid as a pam session module |
| |
| * Mon May 16 2005 Tomas Mraz <tmraz@redhat.com> 4.0p1-3 |
| - link libselinux only to sshd ( |
| |
| * Mon Apr 4 2005 Tomas Mraz <tmraz@redhat.com> 4.0p1-2 |
| - fixed Local/RemoteForward in ssh_config.5 manpage |
| - fix fatal when Local/RemoteForward is used and scp run ( |
| - don't leak user validity when using krb5 authentication |
| |
| * Thu Mar 24 2005 Tomas Mraz <tmraz@redhat.com> 4.0p1-1 |
| - upgrade to 4.0p1 |
| - remove obsolete groups patch |
| |
| * Wed Mar 16 2005 Elliot Lee <sopwith@redhat.com> |
| - rebuilt |
| |
| * Mon Feb 28 2005 Nalin Dahyabhai <nalin@redhat.com> 3.9p1-12 |
| - rebuild so that configure can detect that krb5_init_ets is gone now |
| |
| * Mon Feb 21 2005 Tomas Mraz <tmraz@redhat.com> 3.9p1-11 |
| - don't call syslog in signal handler |
| - allow password authentication when copying from remote |
| to remote machine ( |
| |
| * Wed Feb 9 2005 Tomas Mraz <tmraz@redhat.com> |
| - add spaces to messages in initscript ( |
| |
| * Tue Feb 8 2005 Tomas Mraz <tmraz@redhat.com> 3.9p1-10 |
| - enable trusted forwarding by default if X11 forwarding is |
| required by user ( |
| - disable protocol 1 support by default in sshd server config ( |
| - keep the gnome-askpass dialog above others ( |
| |
| * Fri Feb 4 2005 Tomas Mraz <tmraz@redhat.com> |
| - change permissions on pam.d/sshd to 0644 ( |
| - patch initscript so it doesn't kill opened sessions if |
| the sshd daemon isn't running anymore ( |
| |
| * Mon Jan 3 2005 Bill Nottingham <notting@redhat.com> 3.9p1-9 |
| - don't use initlog |
| |
| * Mon Nov 29 2004 Thomas Woerner <twoerner@redhat.com> 3.9p1-8.1 |
| - fixed PIE build for all architectures |
| |
| * Mon Oct 4 2004 Nalin Dahyabhai <nalin@redhat.com> 3.9p1-8 |
| - add a --enable-vendor-patchlevel option which allows a ShowPatchLevel option |
| to enable display of a vendor patch level during version exchange ( |
| - configure with --disable-strip to build useful debuginfo subpackages |
| |
| * Mon Sep 20 2004 Bill Nottingham <notting@redhat.com> 3.9p1-7 |
| - when using gtk2 for askpass, don't buildprereq gnome-libs-devel |
| |
| * Tue Sep 14 2004 Nalin Dahyabhai <nalin@redhat.com> 3.9p1-6 |
| - build |
| |
| * Mon Sep 13 2004 Nalin Dahyabhai <nalin@redhat.com> |
| - disable ACSS support |
| |
| * Thu Sep 2 2004 Daniel Walsh <dwalsh@redhat.com> 3.9p1-5 |
| - Change selinux patch to use get_default_context_with_role in libselinux. |
| |
| * Thu Sep 2 2004 Daniel Walsh <dwalsh@redhat.com> 3.9p1-4 |
| - Fix patch |
| * Bad debug statement. |
| * Handle root/sysadm_r:kerberos |
| |
| * Thu Sep 2 2004 Daniel Walsh <dwalsh@redhat.com> 3.9p1-3 |
| - Modify Colin Walter's patch to allow specifying rule during connection |
| |
| * Tue Aug 31 2004 Daniel Walsh <dwalsh@redhat.com> 3.9p1-2 |
| - Fix TTY handling for SELinux |
| |
| * Tue Aug 24 2004 Daniel Walsh <dwalsh@redhat.com> 3.9p1-1 |
| - Update to upstream |
| |
| * Sun Aug 1 2004 Alan Cox <alan@redhat.com> 3.8.1p1-5 |
| - Apply buildreq fixup patch ( |
| |
| * Tue Jun 15 2004 Daniel Walsh <dwalsh@redhat.com> 3.8.1p1-4 |
| - Clean up patch for upstream submission. |
| |
| * Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com> |
| - rebuilt |
| |
| * Wed Jun 9 2004 Daniel Walsh <dwalsh@redhat.com> 3.8.1p1-2 |
| - Remove use of pam_selinux and patch selinux in directly. |
| |
| * Mon Jun 7 2004 Nalin Dahyabhai <nalin@redhat.com> 3.8.1p1-1 |
| - request gssapi-with-mic by default but not delegation (flag day for anyone |
| who used previous gssapi patches) |
| - no longer request x11 forwarding by default |
| |
| * Thu Jun 3 2004 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-36 |
| - Change pam file to use open and close with pam_selinux |
| |
| * Tue Jun 1 2004 Nalin Dahyabhai <nalin@redhat.com> 3.8.1p1-0 |
| - update to 3.8.1p1 |
| - add workaround from CVS to reintroduce passwordauth using pam |
| |
| * Tue Jun 1 2004 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-35 |
| - Remove CLOSEXEC on STDERR |
| |
| * Tue Mar 16 2004 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-34 |
| |
| * Wed Mar 03 2004 Phil Knirsch <pknirsch@redhat.com> 3.6.1p2-33.30.1 |
| - Built RHEL3 U2 update package. |
| |
| * Wed Mar 3 2004 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-33 |
| - Close file descriptors on exec |
| |
| * Mon Mar 1 2004 Thomas Woerner <twoerner@redhat.com> 3.6.1p2-32 |
| - fixed pie build |
| |
| * Thu Feb 26 2004 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-31 |
| - Add restorecon to startup scripts |
| |
| * Thu Feb 26 2004 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-30 |
| - Add multiple qualified to openssh |
| |
| * Mon Feb 23 2004 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-29 |
| - Eliminate selinux code and use pam_selinux |
| |
| * Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com> |
| - rebuilt |
| |
| * Mon Jan 26 2004 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-27 |
| - turn off pie on ppc |
| |
| * Mon Jan 26 2004 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-26 |
| - fix is_selinux_enabled |
| |
| * Wed Jan 14 2004 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-25 |
| - Rebuild to grab shared libselinux |
| |
| * Wed Dec 3 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-24 |
| - turn on selinux |
| |
| * Tue Nov 18 2003 Nalin Dahyabhai <nalin@redhat.com> |
| - un |
| mode ( |
| |
| * Mon Nov 10 2003 Nalin Dahyabhai <nalin@redhat.com> |
| - add machinery to build with/without -fpie/-pie, default to doing so |
| |
| * Thu Nov 06 2003 David Woodhouse <dwmw2@redhat.com> 3.6.1p2-23 |
| - Don't whinge about getsockopt failing ( |
| |
| * Fri Oct 24 2003 Nalin Dahyabhai <nalin@redhat.com> |
| - add missing buildprereq on zlib-devel ( |
| |
| * Mon Oct 13 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-22 |
| - turn selinux off |
| |
| * Mon Oct 13 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-21.sel |
| - turn selinux on |
| |
| * Fri Sep 19 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-21 |
| - turn selinux off |
| |
| * Fri Sep 19 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-20.sel |
| - turn selinux on |
| |
| * Fri Sep 19 2003 Nalin Dahyabhai <nalin@redhat.com> |
| - additional fix for apparently-never-happens double-free in buffer_free() |
| - extend fix for |
| |
| * Wed Sep 17 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-19 |
| - rebuild |
| |
| * Wed Sep 17 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-18 |
| - additional buffer manipulation cleanups from Solar Designer |
| |
| * Wed Sep 17 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-17 |
| - turn selinux off |
| |
| * Wed Sep 17 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-16.sel |
| - turn selinux on |
| |
| * Tue Sep 16 2003 Bill Nottingham <notting@redhat.com> 3.6.1p2-15 |
| - rebuild |
| |
| * Tue Sep 16 2003 Bill Nottingham <notting@redhat.com> 3.6.1p2-14 |
| - additional buffer manipulation fixes (CAN-2003-0695) |
| |
| * Tue Sep 16 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-13.sel |
| - turn selinux on |
| |
| * Tue Sep 16 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-12 |
| - rebuild |
| |
| * Tue Sep 16 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-11 |
| - apply patch to store the correct buffer size in allocated buffers |
| (CAN-2003-0693) |
| - skip the initial PAM authentication attempt with an empty password if |
| empty passwords are not permitted in our configuration ( |
| |
| * Fri Sep 5 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-10 |
| - turn selinux off |
| |
| * Fri Sep 5 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-9.sel |
| - turn selinux on |
| |
| * Tue Aug 26 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-8 |
| - Add BuildPreReq gtk2-devel if gtk2 |
| |
| * Tue Aug 12 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-7 |
| - rebuild |
| |
| * Tue Aug 12 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-6 |
| - modify patch which clears the supplemental group list at startup to only |
| complain if setgroups() fails if sshd has euid == 0 |
| - handle krb5 installed in %%{_prefix} or elsewhere by using krb5-config |
| |
| * Mon Jul 28 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-5 |
| - Add SELinux patch |
| |
| * Tue Jul 22 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-4 |
| - rebuild |
| |
| * Wed Jul 16 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-3 |
| - rebuild |
| |
| * Wed Jul 16 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-2 |
| - rebuild |
| |
| * Thu Jun 5 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-1 |
| - update to 3.6.1p2 |
| |
| * Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com> |
| - rebuilt |
| |
| * Mon Mar 24 2003 Florian La Roche <Florian.LaRoche@redhat.de> |
| - add patch for getsockopt() call to work on bigendian 64bit archs |
| |
| * Fri Feb 14 2003 Nalin Dahyabhai <nalin@redhat.com> 3.5p1-6 |
| - move scp to the -clients subpackage, because it directly depends on ssh |
| which is also in -clients ( |
| |
| * Mon Feb 10 2003 Nalin Dahyabhai <nalin@redhat.com> 3.5p1-5 |
| - rebuild |
| |
| * Wed Jan 22 2003 Tim Powers <timp@redhat.com> |
| - rebuilt |
| |
| * Tue Jan 7 2003 Nalin Dahyabhai <nalin@redhat.com> 3.5p1-3 |
| - rebuild |
| |
| * Tue Nov 12 2002 Nalin Dahyabhai <nalin@redhat.com> 3.5p1-2 |
| - patch PAM configuration to use relative path names for the modules, allowing |
| us to not worry about which arch the modules are built for on multilib systems |
| |
| * Tue Oct 15 2002 Nalin Dahyabhai <nalin@redhat.com> 3.5p1-1 |
| - update to 3.5p1, merging in filelist/perm changes from the upstream spec |
| |
| * Fri Oct 4 2002 Nalin Dahyabhai <nalin@redhat.com> 3.4p1-3 |
| - merge |
| |
| * Thu Sep 12 2002 Than Ngo <than@redhat.com> 3.4p1-2.1 |
| - fix to build on multilib systems |
| |
| * Thu Aug 29 2002 Curtis Zinzilieta <curtisz@redhat.com> 3.4p1-2gss |
| - added gssapi patches and uncommented patch here |
| |
| * Wed Aug 14 2002 Nalin Dahyabhai <nalin@redhat.com> 3.4p1-2 |
| - pull patch from CVS to fix too-early free in ssh-keysign ( |
| |
| * Thu Jun 27 2002 Nalin Dahyabhai <nalin@redhat.com> 3.4p1-1 |
| - 3.4p1 |
| - drop anon mmap patch |
| |
| * Tue Jun 25 2002 Nalin Dahyabhai <nalin@redhat.com> 3.3p1-2 |
| - rework the close-on-exit docs |
| - include configuration file man pages |
| - make use of nologin as the privsep shell optional |
| |
| * Mon Jun 24 2002 Nalin Dahyabhai <nalin@redhat.com> 3.3p1-1 |
| - update to 3.3p1 |
| - merge in spec file changes from upstream (remove setuid from ssh, ssh-keysign) |
| - disable gtk2 askpass |
| - require pam-devel by filename rather than by package for erratum |
| - include patch from Solar Designer to work around anonymous mmap failures |
| |
| * Fri Jun 21 2002 Tim Powers <timp@redhat.com> |
| - automated rebuild |
| |
| * Fri Jun 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.2.3p1-3 |
| - don't require autoconf any more |
| |
| * Fri May 31 2002 Nalin Dahyabhai <nalin@redhat.com> 3.2.3p1-2 |
| - build gnome-ssh-askpass with gtk2 |
| |
| * Tue May 28 2002 Nalin Dahyabhai <nalin@redhat.com> 3.2.3p1-1 |
| - update to 3.2.3p1 |
| - merge in spec file changes from upstream |
| |
| * Fri May 17 2002 Nalin Dahyabhai <nalin@redhat.com> 3.2.2p1-1 |
| - update to 3.2.2p1 |
| |
| * Fri May 17 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-4 |
| - drop buildreq on db1-devel |
| - require pam-devel by package name |
| - require autoconf instead of autoconf253 again |
| |
| * Tue Apr 2 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-3 |
| - pull patch from CVS to avoid printing error messages when some of the |
| default keys aren't available when running ssh-add |
| - refresh to current revisions of Simon's patches |
| |
| * Thu Mar 21 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-2gss |
| - reintroduce Simon's gssapi patches |
| - add buildprereq for autoconf253, which is needed to regenerate configure |
| after applying the gssapi patches |
| - refresh to the latest version of Markus's patch to build properly with |
| older versions of OpenSSL |
| |
| * Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-2 |
| - bump and grind (through the build system) |
| |
| * Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-1 |
| - require sharutils for building (mindrot |
| - require db1-devel only when building for 6.x ( |
| work anyway (3.1 requires OpenSSL 0.9.6 to build), but what the heck |
| - require pam-devel by file (not by package name) again |
| - add Markus's patch to compile with OpenSSL 0.9.5a (from |
| http://bugzilla.mindrot.org/show_bug.cgi?id=141) and apply it if we're |
| building for 6.x |
| |
| * Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-0 |
| - update to 3.1p1 |
| |
| * Tue Mar 5 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020305 |
| - update to SNAP-20020305 |
| - drop debug patch, fixed upstream |
| |
| * Wed Feb 20 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020220 |
| - update to SNAP-20020220 for testing purposes (you've been warned, if there's |
| anything to be warned about, gss patches won't apply, I don't mind) |
| |
| * Wed Feb 13 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-3 |
| - add patches from Simon Wilkinson and Nicolas Williams for GSSAPI key |
| exchange, authentication, and named key support |
| |
| * Wed Jan 23 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-2 |
| - remove dependency on db1-devel, which has just been swallowed up whole |
| by gnome-libs-devel |
| |
| * Sat Dec 29 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - adjust build dependencies so that build6x actually works right (fix |
| from Hugo van der Kooij) |
| |
| * Tue Dec 4 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-1 |
| - update to 3.0.2p1 |
| |
| * Fri Nov 16 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.1p1-1 |
| - update to 3.0.1p1 |
| |
| * Tue Nov 13 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - update to current CVS (not for use in distribution) |
| |
| * Thu Nov 8 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0p1-1 |
| - merge some of Damien Miller <djm@mindrot.org> changes from the upstream |
| 3.0p1 spec file and init script |
| |
| * Wed Nov 7 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - update to 3.0p1 |
| - update to x11-ssh-askpass 1.2.4.1 |
| - change build dependency on a file from pam-devel to the pam-devel package |
| - replace primes with moduli |
| |
| * Thu Sep 27 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-9 |
| - incorporate fix from Markus Friedl's advisory for IP-based authorization bugs |
| |
| * Thu Sep 13 2001 Bernhard Rosenkraenzer <bero@redhat.com> 2.9p2-8 |
| - Merge changes to rescue build from current sysadmin survival cd |
| |
| * Thu Sep 6 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-7 |
| - fix scp's server's reporting of file sizes, and build with the proper |
| preprocessor define to get large-file capable open(), stat(), etc. |
| (sftp has been doing this correctly all along) ( |
| - configure without --with-ipv4-default on RHL 7.x and newer ( |
| - pull cvs patch to fix support for /etc/nologin for non-PAM logins ( |
| - mark profile.d scriptlets as config files ( |
| - refer to Jason Stone's mail for zsh workaround for exit-hanging quasi-bug |
| - change a couple of log() statements to debug() statements ( |
| - pull cvs patch to add -t flag to sshd ( |
| - clear fd_sets correctly (one bit per FD, not one byte per FD) ( |
| |
| * Mon Aug 20 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-6 |
| - add db1-devel as a BuildPrerequisite (noted by Hans Ecke) |
| |
| * Thu Aug 16 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - pull cvs patch to fix remote port forwarding with protocol 2 |
| |
| * Thu Aug 9 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - pull cvs patch to add session initialization to no-pty sessions |
| - pull cvs patch to not cut off challengeresponse auth needlessly |
| - refuse to do X11 forwarding if xauth isn't there, handy if you enable |
| it by default on a system that doesn't have X installed ( |
| |
| * Wed Aug 8 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - don't apply patches to code we don't intend to build (spotted by Matt Galgoci) |
| |
| * Mon Aug 6 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - pass OPTIONS correctly to initlog ( |
| |
| * Wed Jul 25 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - switch to x11-ssh-askpass 1.2.2 |
| |
| * Wed Jul 11 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - rebuild in new environment |
| |
| * Mon Jun 25 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - disable the gssapi patch |
| |
| * Mon Jun 18 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - update to 2.9p2 |
| - refresh to a new version of the gssapi patch |
| |
| * Thu Jun 7 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - change Copyright: BSD to License: BSD |
| - add Markus Friedl's unverified patch for the cookie file deletion problem |
| so that we can verify it |
| - drop patch to check if xauth is present (was folded into cookie patch) |
| - don't apply gssapi patches for the errata candidate |
| - clear supplemental groups list at startup |
| |
| * Fri May 25 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - fix an error parsing the new default sshd_config |
| - add a fix from Markus Friedl (via openssh-unix-dev) for ssh-keygen not |
| dealing with comments right |
| |
| * Thu May 24 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - add in Simon Wilkinson's GSSAPI patch to give it some testing in-house, |
| to be removed before the next beta cycle because it's a big departure |
| from the upstream version |
| |
| * Thu May 3 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - finish marking strings in the init script for translation |
| - modify init script to source /etc/sysconfig/sshd and pass $OPTIONS to sshd |
| at startup (change merged from openssh.com init script, originally by |
| Pekka Savola) |
| - refuse to do X11 forwarding if xauth isn't there, handy if you enable |
| it by default on a system that doesn't have X installed |
| |
| * Wed May 2 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - update to 2.9 |
| - drop various patches that came from or went upstream or to or from CVS |
| |
| * Wed Apr 18 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - only require initscripts 5.00 on 6.2 (reported by Peter Bieringer) |
| |
| * Sun Apr 8 2001 Preston Brown <pbrown@redhat.com> |
| - remove explicit openssl requirement, fixes builddistro issue |
| - make initscript stop() function wait until sshd is really dead to avoid |
| races in condrestart |
| |
| * Mon Apr 2 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - mention that challengeresponse supports PAM, so disabling password doesn't |
| limit users to pubkey and rsa auth ( |
| - bypass the daemon() function in the init script and call initlog directly, |
| because daemon() won't start a daemon it detects is already running (like |
| open connections) |
| - require the version of openssl we had when we were built |
| |
| * Fri Mar 23 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - make do_pam_setcred() smart enough to know when to establish creds and |
| when to reinitialize them |
| - add in a couple of other fixes from Damien for inclusion in the errata |
| |
| * Thu Mar 22 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - update to 2.5.2p2 |
| - call setcred() again after initgroups, because the "creds" could actually |
| be group memberships |
| |
| * Tue Mar 20 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - update to 2.5.2p1 (includes endianness fixes in the rijndael implementation) |
| - don't enable challenge-response by default until we find a way to not |
| have too many userauth requests (we may make up to six pubkey and up to |
| three password attempts as it is) |
| - remove build dependency on rsh to match openssh.com's packages more closely |
| |
| * Sat Mar 3 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - remove dependency on openssl -- would need to be too precise |
| |
| * Fri Mar 2 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - rebuild in new environment |
| |
| * Mon Feb 26 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - Revert the patch to move pam_open_session. |
| - Init script and spec file changes from Pekka Savola. ( |
| - Patch sftp to recognize '-o protocol' arguments. ( |
| |
| * Thu Feb 22 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - Chuck the closing patch. |
| - Add a trigger to add host keys for protocol 2 to the config file, now that |
| configuration file syntax requires us to specify it with HostKey if we |
| specify any other HostKey values, which we do. |
| |
| * Tue Feb 20 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - Redo patch to move pam_open_session after the server setuid()s to the user. |
| - Rework the nopam patch to be picked up by autoconf. |
| |
| * Mon Feb 19 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - Update for 2.5.1p1. |
| - Add init script mods from Pekka Savola. |
| - Tweak the init script to match the CVS contrib script more closely. |
| - Redo the ssh-add patch that tries adding both identity and id_dsa so that it |
| also tries adding id_rsa. |
| |
| * Fri Feb 16 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - Update for 2.5.0p1. |
| - Use $RPM_OPT_FLAGS instead of -O when building gnome-ssh-askpass |
| - Resync with parts of Damien Miller's openssh.spec from CVS, including |
| update of x11 askpass to 1.2.0. |
| - Only require openssl (don't prereq) because we generate keys in the init |
| script now. |
| |
| * Tue Feb 13 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - Don't open a PAM session until we've forked and become the user ( |
| - Apply Andrew Bartlett's patch for letting pam_authenticate() know which |
| host the user is attempting a login from. |
| - Resync with parts of Damien Miller's openssh.spec from CVS. |
| - Don't expose KbdInt responses in debug messages (from CVS). |
| - Detect and handle errors in rsa_{public,private}_decrypt (from CVS). |
| |
| * Wed Feb 7 2001 Trond Eivind Glomsrød <teg@redhat.com> |
| - i18n-tweak to initscript. |
| |
| * Tue Jan 23 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - More gettextizing. |
| - Close all files after going into daemon mode (needs more testing). |
| - Extract patch from CVS to handle auth banners (in the client). |
| - Extract patch from CVS to handle compat weirdness. |
| |
| * Fri Jan 19 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - Finish with the gettextizing. |
| |
| * Thu Jan 18 2001 Nalin Dahyabhai <nalin@redhat.com> |
| - Fix a bug in auth2-pam.c ( |
| - Gettextize the init script. |
| |
| * Wed Dec 20 2000 Nalin Dahyabhai <nalin@redhat.com> |
| - Incorporate a switch for using PAM configs for 6.x, just in case. |
| |
| * Tue Dec 5 2000 Nalin Dahyabhai <nalin@redhat.com> |
| - Incorporate Bero's changes for a build specifically for rescue CDs. |
| |
| * Wed Nov 29 2000 Nalin Dahyabhai <nalin@redhat.com> |
| - Don't treat pam_setcred() failure as fatal unless pam_authenticate() has |
| succeeded, to allow public-key authentication after a failure with "none" |
| authentication. ( |
| |
| * Tue Nov 28 2000 Nalin Dahyabhai <nalin@redhat.com> |
| - Update to x11-askpass 1.1.1. ( |
| - Don't second-guess fixpaths, which causes paths to get fixed twice. ( |
| |
| * Mon Nov 27 2000 Nalin Dahyabhai <nalin@redhat.com> |
| - Merge multiple PAM text messages into subsequent prompts when possible when |
| doing keyboard-interactive authentication. |
| |
| * Sun Nov 26 2000 Nalin Dahyabhai <nalin@redhat.com> |
| - Disable the built-in MD5 password support. We're using PAM. |
| - Take a crack at doing keyboard-interactive authentication with PAM, and |
| enable use of it in the default client configuration so that the client |
| will try it when the server disallows password authentication. |
| - Build with debugging flags. Build root policies strip all binaries anyway. |
| |
| * Tue Nov 21 2000 Nalin Dahyabhai <nalin@redhat.com> |
| - Use DESTDIR instead of %%makeinstall. |
| - Remove /usr/X11R6/bin from the path-fixing patch. |
| |
| * Mon Nov 20 2000 Nalin Dahyabhai <nalin@redhat.com> |
| - Add the primes file from the latest snapshot to the main package ( |
| - Add the dev package to the prereq list ( |
| - Remove the default path and mimic login's behavior in the server itself. |
| |
| * Fri Nov 17 2000 Nalin Dahyabhai <nalin@redhat.com> |
| - Resync with conditional options in Damien Miller's .spec file for an errata. |
| - Change libexecdir from %%{_libexecdir}/ssh to %%{_libexecdir}/openssh. |
| |
| * Tue Nov 7 2000 Nalin Dahyabhai <nalin@redhat.com> |
| - Update to OpenSSH 2.3.0p1. |
| - Update to x11-askpass 1.1.0. |
| - Enable keyboard-interactive authentication. |
| |
| * Mon Oct 30 2000 Nalin Dahyabhai <nalin@redhat.com> |
| - Update to ssh-askpass-x11 1.0.3. |
| - Change authentication related messages to be private ( |
| |
| * Tue Oct 10 2000 Nalin Dahyabhai <nalin@redhat.com> |
| - Patch ssh-keygen to be able to list signatures for DSA public key files |
| it generates. |
| |
| * Thu Oct 5 2000 Nalin Dahyabhai <nalin@redhat.com> |
| - Add BuildPreReq on /usr/include/security/pam_appl.h to be sure we always |
| build PAM authentication in. |
| - Try setting SSH_ASKPASS if gnome-ssh-askpass is installed. |
| - Clean out no-longer-used patches. |
| - Patch ssh-add to try to add both identity and id_dsa, and to error only |
| when neither exists. |
| |
| * Mon Oct 2 2000 Nalin Dahyabhai <nalin@redhat.com> |
| - Update x11-askpass to 1.0.2. ( |
| - Add BuildPreReqs for /bin/login and /usr/bin/rsh so that configure will |
| always find them in the right place. ( |
| - Set the default path to be the same as the one supplied by /bin/login, but |
| add /usr/X11R6/bin. ( |
| - Try to handle obsoletion of ssh-server more cleanly. Package names |
| are different, but init script name isn't. ( |
| |
| * Wed Sep 6 2000 Nalin Dahyabhai <nalin@redhat.com> |
| - Update to 2.2.0p1. ( |
| - Tweak the init script to allow proper restarting. ( |
| |
| * Wed Aug 23 2000 Nalin Dahyabhai <nalin@redhat.com> |
| - Update to 20000823 snapshot. |
| - Change subpackage requirements from %%{version} to %%{version}-%%{release} |
| - Back out the pipe patch. |
| |
| * Mon Jul 17 2000 Nalin Dahyabhai <nalin@redhat.com> |
| - Update to 2.1.1p4, which includes fixes for config file parsing problems. |
| - Move the init script back. |
| - Add Damien's quick fix for wackiness. |
| |
| * Wed Jul 12 2000 Nalin Dahyabhai <nalin@redhat.com> |
| - Update to 2.1.1p3, which includes fixes for X11 forwarding and strtok(). |
| |
| * Thu Jul 6 2000 Nalin Dahyabhai <nalin@redhat.com> |
| - Move condrestart to server postun. |
| - Move key generation to init script. |
| - Actually use the right patch for moving the key generation to the init script. |
| - Clean up the init script a bit. |
| |
| * Wed Jul 5 2000 Nalin Dahyabhai <nalin@redhat.com> |
| - Fix X11 forwarding, from mail post by Chan Shih-Ping Richard. |
| |
| * Sun Jul 2 2000 Nalin Dahyabhai <nalin@redhat.com> |
| - Update to 2.1.1p2. |
| - Use of strtok() considered harmful. |
| |
| * Sat Jul 1 2000 Nalin Dahyabhai <nalin@redhat.com> |
| - Get the build root out of the man pages. |
| |
| * Thu Jun 29 2000 Nalin Dahyabhai <nalin@redhat.com> |
| - Add and use condrestart support in the init script. |
| - Add newer initscripts as a prereq. |
| |
| * Tue Jun 27 2000 Nalin Dahyabhai <nalin@redhat.com> |
| - Build in new environment (release 2) |
| - Move -clients subpackage to Applications/Internet group |
| |
| * Fri Jun 9 2000 Nalin Dahyabhai <nalin@redhat.com> |
| - Update to 2.2.1p1 |
| |
| * Sat Jun 3 2000 Nalin Dahyabhai <nalin@redhat.com> |
| - Patch to build with neither RSA nor RSAref. |
| - Miscellaneous FHS-compliance tweaks. |
| - Fix for possibly-compressed man pages. |
| |
| * Wed Mar 15 2000 Damien Miller <djm@ibs.com.au> |
| - Updated for new location |
| - Updated for new gnome-ssh-askpass build |
| |
| * Sun Dec 26 1999 Damien Miller <djm@mindrot.org> |
| - Added Jim Knoble's <jmknoble@pobox.com> askpass |
| |
| * Mon Nov 15 1999 Damien Miller <djm@mindrot.org> |
| - Split subpackages further based on patch from jim knoble <jmknoble@pobox.com> |
| |
| * Sat Nov 13 1999 Damien Miller <djm@mindrot.org> |
| - Added 'Obsoletes' directives |
| |
| * Tue Nov 09 1999 Damien Miller <djm@ibs.com.au> |
| - Use make install |
| - Subpackages |
| |
| * Mon Nov 08 1999 Damien Miller <djm@ibs.com.au> |
| - Added links for slogin |
| - Fixed perms on manpages |
| |
| * Sat Oct 30 1999 Damien Miller <djm@ibs.com.au> |
| - Renamed init script |
| |
| * Fri Oct 29 1999 Damien Miller <djm@ibs.com.au> |
| - Back to old binary names |
| |
| * Thu Oct 28 1999 Damien Miller <djm@ibs.com.au> |
| - Use autoconf |
| - New binary names |
| |
| * Wed Oct 27 1999 Damien Miller <djm@ibs.com.au> |
| - Initial RPMification, based on Jan "Yenya" Kasprzak's <kas@fi.muni.cz> spec. |