diff --git a/openssh-3.8.1p1-skip-initial.patch b/openssh-3.8.1p1-skip-initial.patch
deleted file mode 100644
index 77be56e..0000000
--- a/openssh-3.8.1p1-skip-initial.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-Skip the initial empty-password check if permit_empty_passwd is disabled. This
-doesn't change the timing profiles of the host because the additional condition
-check which can short-circuit the call to pam_authenticate() has no dependency
-on the identity of the user who is being authenticated.
---- openssh-3.8p1/auth1.c 2004-02-26 21:05:25.000000000 -0500
-+++ openssh-3.8p1/auth1.c 2004-02-26 21:05:20.000000000 -0500
-@@ -76,7 +76,7 @@
- authctxt->valid ? "" : "illegal user ", authctxt->user);
- 
- /* If the user has no password, accept authentication immediately. */
-- if (options.password_authentication &&
-+ if (options.permit_empty_passwd && options.password_authentication &&
- #ifdef KRB5
- (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
- #endif
---- openssh-3.8p1/auth2-none.c 2004-02-26 21:07:34.000000000 -0500
-+++ openssh-3.8p1/auth2-none.c 2004-02-26 21:07:28.000000000 -0500
-@@ -100,7 +100,7 @@
- if (check_nt_auth(1, authctxt->pw) == 0)
- return(0);
- #endif
-- if (options.password_authentication)
-+ if (options.permit_empty_passwd && options.password_authentication)
- return (PRIVSEP(auth_password(authctxt, "")));
- return (0);
- }
diff --git a/openssh-5.1p1-skip-initial.patch b/openssh-5.1p1-skip-initial.patch
new file mode 100644
index 0000000..be3204e
--- /dev/null
+++ b/openssh-5.1p1-skip-initial.patch
@@ -0,0 +1,28 @@
+Skip the initial empty-password check if permit_empty_passwd is disabled. This
+doesn't change the timing profiles of the host because the additional condition
+check which can short-circuit the call to pam_authenticate() has no dependency
+on the identity of the user who is being authenticated.
+diff -up openssh-5.1p1/auth1.c.skip-initial openssh-5.1p1/auth1.c
+--- openssh-5.1p1/auth1.c.skip-initial 2008-07-09 12:54:05.000000000 +0200
++++ openssh-5.1p1/auth1.c 2008-07-23 18:26:01.000000000 +0200
+@@ -244,7 +244,7 @@ do_authloop(Authctxt *authctxt)
+ authctxt->valid ? "" : "invalid user ", authctxt->user);
+ 
+ /* If the user has no password, accept authentication immediately. */
+- if (options.password_authentication &&
++ if (options.permit_empty_passwd && options.password_authentication &&
+ #ifdef KRB5
+ (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
+ #endif
+diff -up openssh-5.1p1/auth2-none.c.skip-initial openssh-5.1p1/auth2-none.c
+--- openssh-5.1p1/auth2-none.c.skip-initial 2008-07-02 14:56:09.000000000 +0200
++++ openssh-5.1p1/auth2-none.c 2008-07-23 18:26:01.000000000 +0200
+@@ -65,7 +65,7 @@ userauth_none(Authctxt *authctxt)
+ if (check_nt_auth(1, authctxt->pw) == 0)
+ return (0);
+ #endif
+- if (options.password_authentication)
++ if (options.permit_empty_passwd && options.password_authentication)
+ return (PRIVSEP(auth_password(authctxt, "")));
+ return (0);
+ }
diff --git a/openssh.spec b/openssh.spec
index 3555ade..3f5ee83 100644
--- a/openssh.spec
+++ b/openssh.spec
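Review bot: The header of the new openssh-5.1p1-skip-initial.patch asserts that the added `options.permit_empty_passwd` test has no dependency on the user being authenticated, but it does not state the assumption that makes this true. The claim holds only while the option is a single server-wide value; if it could ever be resolved per user or per connection (for example through conditional configuration, which these hunks do not show), skipping `auth_password(authctxt, "")` for some users and not others would be observable. I would add one sentence to the header such as `Assumes PermitEmptyPasswords is evaluated globally, before the user is known.` The retained comment in auth1.c, `If the user has no password, accept authentication immediately.`, no longer mentions the new precondition and could say so; the `if` in do_authloop continues past the end of the hunk.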
@@ -75,13 +75,14 @@ Source1: openssh-nukeacss.sh
 Source2: sshd.pam
 Source3: sshd.init
 Patch0: openssh-5.1p1-redhat.patch
-Patch2: openssh-3.8.1p1-skip-initial.patch
+Patch2: openssh-5.1p1-skip-initial.patch
 Patch3: openssh-3.8.1p1-krb5-config.patch
 Patch4: openssh-5.1p1-vendor.patch
 Patch12: openssh-5.1p1-selinux.patch
 Patch13: openssh-4.7p1-mls.patch
 Patch16: openssh-4.7p1-audit.patch
 Patch17: openssh-4.3p2-cve-2007-3102.patch
+Patch18: openssh-5.0p1-pam_selinux.patch
 Patch22: openssh-3.9p1-askpass-keep-above.patch
 Patch24: openssh-4.3p1-fromto-remote.patch
 Patch27: openssh-5.1p1-log-in-chroot.patch
@@ -94,7 +95,6 @@ Patch49: openssh-4.3p2-gssapi-canohost.patch
 Patch51: openssh-4.7p1-nss-keys.patch
 Patch54: openssh-4.7p1-gssapi-role.patch
 Patch55: openssh-5.1p1-cloexec.patch
-Patch60: openssh-5.0p1-pam_selinux.patch
 Patch62: openssh-3.9p1-scp-manpage.patch
 
 License: BSD
@@ -199,7 +199,6 @@ into and executing commands on a remote machine. This package contains
 an X11 passphrase dialog for OpenSSH.
 
 %prep
-
 %setup -q
 %patch0 -p1 -b .redhat
 %patch2 -p1 -b .skip-initial
@@ -212,6 +211,7 @@ an X11 passphrase dialog for OpenSSH.
 %patch13 -p1 -b .mls
 %patch16 -p1 -b .audit
 %patch17 -p1 -b .inject-fix
+%patch18 -p1 -b .pam_selinux
 %endif
 
 %patch22 -p1 -b .keep-above
@@ -226,7 +226,6 @@ an X11 passphrase dialog for OpenSSH.
 %patch51 -p1 -b .nss-keys
 %patch54 -p0 -b .gssapi-role
 %patch55 -p1 -b .cloexec
-%patch60 -p1 -b .pam_selinux
 %patch62 -p0 -b .manpage
 
 autoreconf
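Review bot: In the `%prep` hunk at line 212, `%patch18 -p1 -b .pam_selinux` is placed directly above `%endif`, so the pam_selinux patch is now applied only when the enclosing conditional is true, while the removed `%patch60` line sat between `%patch55` and `%patch62`, which look to be outside that block. The opening `%if` is outside the hunk, so the gating build option is not visible here; if the restriction is intended, a comment such as `# pam_selinux builds on the selinux patch; apply only when it is enabled` above the line would record why. The patch also moves ahead of patches 22 to 55 in application order, so it is worth confirming that it still applies cleanly in the new position and that a build with the conditional disabled was tested.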