diff --git a/.cvsignore b/.cvsignore
index f169a74..4d44afa 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-openssh-5.0p1-noacss.tar.bz2
+openssh-5.1p1-noacss.tar.bz2
diff --git a/openssh-4.5p1-controlcleanup.patch b/openssh-4.5p1-controlcleanup.patch
deleted file mode 100644
index 23822c5..0000000
--- a/openssh-4.5p1-controlcleanup.patch
+++ /dev/null
@@ -1,15 +0,0 @@
---- openssh-4.5p1/ssh.c~ 2007-03-24 16:25:18.000000000 +0000
-+++ openssh-4.5p1/ssh.c 2007-03-24 16:31:06.000000000 +0000
-@@ -1347,7 +1347,11 @@
- }
- if (errno == ENOENT)
- debug("Control socket \"%.100s\" does not exist", path);
-- else {
-+ else if (errno == ECONNREFUSED) {
-+ debug("Control socket connect(%.100s): %s", path,
-+ strerror(errno));
-+ unlink(path);
-+ } else {
- error("Control socket connect(%.100s): %s", path,
- strerror(errno));
- }
diff --git a/openssh-4.7p1-cloexec.patch b/openssh-4.7p1-cloexec.patch
deleted file mode 100644
index b1442bf..0000000
--- a/openssh-4.7p1-cloexec.patch
+++ /dev/null
@@ -1,43 +0,0 @@ -diff -up openssh-4.7p1/sshconnect2.c.cloexec openssh-4.7p1/sshconnect2.c ---- openssh-4.7p1/sshconnect2.c.cloexec 2008-03-06 15:58:03.000000000 +0100 -+++ openssh-4.7p1/sshconnect2.c 2008-05-21 09:27:06.000000000 +0200 -@@ -38,6 +38,7 @@ - #include - #include - #include -+#include - - #include "openbsd-compat/sys-queue.h" - -@@ -1257,6 +1258,7 @@ ssh_keysign(Key *key, u_char **sigp, u_i - return -1; - } - if (pid == 0) { -+ fcntl(packet_get_connection_in(), F_SETFD, 0); /* keep the socket on exec */ - permanently_drop_suid(getuid()); - close(from[0]); - if (dup2(from[1], STDOUT_FILENO) < 0) -diff -up openssh-4.7p1/sshconnect.c.cloexec openssh-4.7p1/sshconnect.c ---- openssh-4.7p1/sshconnect.c.cloexec 2006-10-23 19:02:24.000000000 +0200 -+++ openssh-4.7p1/sshconnect.c 2008-03-06 15:58:03.000000000 +0100 -@@ -38,6 +38,7 @@ - #include - #include - #include -+#include - - #include "xmalloc.h" - #include "key.h" -@@ -189,8 +190,11 @@ ssh_create_socket(int privileged, struct - return sock; - } - sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); -- if (sock < 0) -+ if (sock < 0) { - error("socket: %.100s", strerror(errno)); -+ return -1; -+ } -+ fcntl(sock, F_SETFD, FD_CLOEXEC); - - /* Bind the socket to an alternative local IP address */ - if (options.bind_address == NULL) diff --git a/openssh-4.7p1-log-in-chroot.patch b/openssh-4.7p1-log-in-chroot.patch deleted file mode 100644 index e510f58..0000000 --- a/openssh-4.7p1-log-in-chroot.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -diff -up openssh-4.7p1/sshd.c.log-chroot openssh-4.7p1/sshd.c ---- openssh-4.7p1/sshd.c.log-chroot 2007-09-06 17:24:13.000000000 +0200 -+++ openssh-4.7p1/sshd.c 2007-09-06 17:24:13.000000000 +0200 -@@ -596,6 +596,10 @@ privsep_preauth_child(void) - /* Demote the private keys to public keys. */ - demote_sensitive_data(); - -+ /* Open the syslog permanently so the chrooted process still -+ can write to syslog. */ -+ open_log(); -+ - /* Change our root directory */ - if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) - fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, -diff -up openssh-4.7p1/log.c.log-chroot openssh-4.7p1/log.c ---- openssh-4.7p1/log.c.log-chroot 2007-05-20 07:08:16.000000000 +0200 -+++ openssh-4.7p1/log.c 2007-09-06 17:29:34.000000000 +0200 -@@ -56,6 +56,7 @@ static LogLevel log_level = SYSLOG_LEVEL - static int log_on_stderr = 1; - static int log_facility = LOG_AUTH; - static char *argv0; -+static int log_fd_keep; - - extern char *__progname; - -@@ -370,10 +371,21 @@ do_log(LogLevel level, const char *fmt, - syslog_r(pri, &sdata, "%.500s", fmtbuf); - closelog_r(&sdata); - #else -+ if (!log_fd_keep) { - openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility); -+ } - syslog(pri, "%.500s", fmtbuf); -+ if (!log_fd_keep) { - closelog(); -+ } - #endif - } - errno = saved_errno; - } -+ -+void -+open_log(void) -+{ -+ openlog(argv0 ? argv0 : __progname, LOG_PID|LOG_NDELAY, log_facility); -+ log_fd_keep = 1; -+} -diff -up openssh-4.7p1/log.h.log-chroot openssh-4.7p1/log.h ---- openssh-4.7p1/log.h.log-chroot 2006-08-18 16:32:21.000000000 +0200 -+++ openssh-4.7p1/log.h 2007-09-06 17:24:13.000000000 +0200 -@@ -62,4 +62,6 @@ void debug3(const char *, ...) __att - - void do_log(LogLevel, const char *, va_list); - void cleanup_exit(int) __dead; -+ -+void open_log(void); - #endif diff --git a/openssh-4.7p1-master-race.patch b/openssh-4.7p1-master-race.patch deleted file mode 100644 index 8662c43..0000000 
--- a/openssh-4.7p1-master-race.patch +++ /dev/null 
@@ -1,85 +0,0 @@ ---- openssh-4.7p1/ssh.c.masterrace 2008-03-06 13:55:11.000000000 +0000 -+++ openssh-4.7p1/ssh.c 2008-03-06 13:55:19.000000000 +0000 -@@ -1065,7 +1065,7 @@ client_global_request_reply_fwd(int type - } - } - --static void -+static int - ssh_control_listener(void) - { - struct sockaddr_un addr; -@@ -1073,10 +1073,11 @@ ssh_control_listener(void) - int addr_len; - - if (options.control_path == NULL || -- options.control_master == SSHCTL_MASTER_NO) -- return; -+ options.control_master == SSHCTL_MASTER_NO || -+ control_fd != -1) -+ return 1; - -- debug("setting up multiplex master socket"); -+ debug("trying to set up multiplex master socket"); - - memset(&addr, '\0', sizeof(addr)); - addr.sun_family = AF_UNIX; -@@ -1093,11 +1094,9 @@ ssh_control_listener(void) - old_umask = umask(0177); - if (bind(control_fd, (struct sockaddr *)&addr, addr_len) == -1) { - control_fd = -1; -- if (errno == EINVAL || errno == EADDRINUSE) -- fatal("ControlSocket %s already exists", -- options.control_path); -- else -+ if (errno != EINVAL && errno != EADDRINUSE) - fatal("%s bind(): %s", __func__, strerror(errno)); -+ return 0; - } - umask(old_umask); - -@@ -1105,6 +1104,9 @@ ssh_control_listener(void) - fatal("%s listen(): %s", __func__, strerror(errno)); - - set_nonblock(control_fd); -+ -+ debug("control master listening on %s", options.control_path); -+ return 1; - } - - /* request pty/x11/agent/tcpfwd/shell for channel */ -@@ -1196,7 +1198,9 @@ ssh_session2(void) - ssh_init_forwarding(); - - /* Start listening for multiplex clients */ -- ssh_control_listener(); -+ if (!ssh_control_listener()) -+ fatal("control master socket %s already exists", -+ options.control_path); - - /* - * If we are the control master, and if control_persist is set, -@@ -1375,7 +1379,13 @@ control_client(const char *path) - switch (options.control_master) { - case SSHCTL_MASTER_AUTO: - case SSHCTL_MASTER_AUTO_ASK: -- debug("auto-mux: Trying existing master"); -+ /* see if we can create a control 
master socket -+ to avoid a race between two auto clients */ -+ if (mux_command == SSHMUX_COMMAND_OPEN && -+ ssh_control_listener()) -+ return; -+ debug("trying to connect to control master socket %s", -+ options.control_path); - /* FALLTHROUGH */ - case SSHCTL_MASTER_NO: - break; -@@ -1522,6 +1532,8 @@ control_client(const char *path) - signal(SIGTERM, control_client_sighandler); - signal(SIGWINCH, control_client_sigrelay); - -+ debug("connected to control master; waiting for exit"); -+ - if (tty_flag) - enter_raw_mode(); - diff --git a/openssh-4.7p1-redhat.patch b/openssh-4.7p1-redhat.patch deleted file mode 100644 index 1618a71..0000000 --- a/openssh-4.7p1-redhat.patch +++ /dev/null 
@@ -1,95 +0,0 @@ -diff -up openssh-4.7p1/sshd_config.redhat openssh-4.7p1/sshd_config ---- openssh-4.7p1/sshd_config.redhat 2007-03-21 10:42:25.000000000 +0100 -+++ openssh-4.7p1/sshd_config 2007-09-06 16:23:58.000000000 +0200 -@@ -33,6 +33,7 @@ Protocol 2 - # Logging - # obsoletes QuietMode and FascistLogging - #SyslogFacility AUTH -+SyslogFacility AUTHPRIV - #LogLevel INFO - - # Authentication: -@@ -59,9 +60,11 @@ Protocol 2 - # To disable tunneled clear text passwords, change to no here! - #PasswordAuthentication yes - #PermitEmptyPasswords no -+PasswordAuthentication yes - - # Change to no to disable s/key passwords - #ChallengeResponseAuthentication yes -+ChallengeResponseAuthentication no - - # Kerberos options - #KerberosAuthentication no -@@ -71,7 +74,9 @@ Protocol 2 - - # GSSAPI options - #GSSAPIAuthentication no -+GSSAPIAuthentication yes - #GSSAPICleanupCredentials yes -+GSSAPICleanupCredentials yes - - # Set this to 'yes' to enable PAM authentication, account processing, - # and session processing. If this is enabled, PAM authentication will -@@ -83,10 +88,16 @@ Protocol 2 - # PAM authentication, then enable this but set PasswordAuthentication - # and ChallengeResponseAuthentication to 'no'. 
- #UsePAM no -+UsePAM yes - -+# Accept locale-related environment variables -+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT -+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE - #AllowTcpForwarding yes - #GatewayPorts no - #X11Forwarding no -+X11Forwarding yes - #X11DisplayOffset 10 - #X11UseLocalhost yes - #PrintMotd yes -diff -up openssh-4.7p1/ssh_config.redhat openssh-4.7p1/ssh_config ---- openssh-4.7p1/ssh_config.redhat 2007-06-11 06:04:42.000000000 +0200 -+++ openssh-4.7p1/ssh_config 2007-09-06 16:21:49.000000000 +0200 -@@ -43,3 +43,13 @@ - # Tunnel no - # TunnelDevice any:any - # PermitLocalCommand no -+Host * -+ GSSAPIAuthentication yes -+# If this option is set to yes then remote X11 clients will have full access -+# to the original X11 display. As virtually no X11 client supports the untrusted -+# mode correctly we set this to yes. -+ ForwardX11Trusted yes -+# Send locale-related environment variables -+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT -+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE -diff -up openssh-4.7p1/sshd_config.0.redhat openssh-4.7p1/sshd_config.0 ---- openssh-4.7p1/sshd_config.0.redhat 2007-09-04 08:50:11.000000000 +0200 -+++ openssh-4.7p1/sshd_config.0 2007-09-06 16:21:49.000000000 +0200 -@@ -435,9 +435,9 @@ DESCRIPTION - - SyslogFacility - Gives the facility code that is used when logging messages from -- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, -- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de- -- fault is AUTH. -+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV, -+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. -+ The default is AUTH. 
- - TCPKeepAlive - Specifies whether the system should send TCP keepalive messages -diff -up openssh-4.7p1/sshd_config.5.redhat openssh-4.7p1/sshd_config.5 ---- openssh-4.7p1/sshd_config.5.redhat 2007-06-11 06:07:13.000000000 +0200 -+++ openssh-4.7p1/sshd_config.5 2007-09-06 16:21:49.000000000 +0200 -@@ -748,7 +748,7 @@ Note that this option applies to protoco - .It Cm SyslogFacility - Gives the facility code that is used when logging messages from - .Xr sshd 8 . --The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, -+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2, - LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. - The default is AUTH. - .It Cm TCPKeepAlive diff --git a/openssh-4.7p1-selinux.patch b/openssh-4.7p1-selinux.patch deleted file mode 100644 index 4346660..0000000 --- a/openssh-4.7p1-selinux.patch +++ /dev/null 
@@ -1,254 +0,0 @@ -diff -up openssh-4.7p1/configure.ac.selinux openssh-4.7p1/configure.ac ---- openssh-4.7p1/configure.ac.selinux 2007-09-06 19:46:32.000000000 +0200 -+++ openssh-4.7p1/configure.ac 2007-09-06 19:52:23.000000000 +0200 -@@ -3211,6 +3211,7 @@ AC_ARG_WITH(selinux, - AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ], - AC_MSG_ERROR(SELinux support requires libselinux library)) - SSHDLIBS="$SSHDLIBS $LIBSELINUX" -+ LIBS="$LIBS $LIBSELINUX" - AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) - LIBS="$save_LIBS" - fi ] -diff -up openssh-4.7p1/auth1.c.selinux openssh-4.7p1/auth1.c ---- openssh-4.7p1/auth1.c.selinux 2007-09-06 19:46:32.000000000 +0200 -+++ openssh-4.7p1/auth1.c 2007-09-06 19:46:32.000000000 +0200 -@@ -388,7 +388,7 @@ void - do_authentication(Authctxt *authctxt) - { - u_int ulen; -- char *user, *style = NULL; -+ char *user, *style = NULL, *role=NULL; - - /* Get the name of the user that we wish to log in as. */ - packet_read_expect(SSH_CMSG_USER); -@@ -397,11 +397,19 @@ do_authentication(Authctxt *authctxt) - user = packet_get_string(&ulen); - packet_check_eom(); - -+ if ((role = strchr(user, '/')) != NULL) -+ *role++ = '\0'; -+ - if ((style = strchr(user, ':')) != NULL) - *style++ = '\0'; -+ else -+ if (role && (style = strchr(role, ':')) != NULL) -+ *style++ = '\0'; -+ - - authctxt->user = user; - authctxt->style = style; -+ authctxt->role = role; - - /* Verify that the user is a valid user. 
*/ - if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) -diff -up openssh-4.7p1/monitor_wrap.h.selinux openssh-4.7p1/monitor_wrap.h ---- openssh-4.7p1/monitor_wrap.h.selinux 2006-08-05 04:39:40.000000000 +0200 -+++ openssh-4.7p1/monitor_wrap.h 2007-09-06 19:46:32.000000000 +0200 -@@ -41,6 +41,7 @@ int mm_is_monitor(void); - DH *mm_choose_dh(int, int, int); - int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); - void mm_inform_authserv(char *, char *); -+void mm_inform_authrole(char *); - struct passwd *mm_getpwnamallow(const char *); - char *mm_auth2_read_banner(void); - int mm_auth_password(struct Authctxt *, char *); -diff -up openssh-4.7p1/monitor.h.selinux openssh-4.7p1/monitor.h ---- openssh-4.7p1/monitor.h.selinux 2006-03-26 05:30:02.000000000 +0200 -+++ openssh-4.7p1/monitor.h 2007-09-06 19:46:32.000000000 +0200 -@@ -30,7 +30,7 @@ - - enum monitor_reqtype { - MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, -- MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, -+ MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE, - MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, - MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, - MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, -diff -up openssh-4.7p1/monitor_wrap.c.selinux openssh-4.7p1/monitor_wrap.c ---- openssh-4.7p1/monitor_wrap.c.selinux 2007-06-11 06:01:42.000000000 +0200 -+++ openssh-4.7p1/monitor_wrap.c 2007-09-06 19:46:32.000000000 +0200 -@@ -294,6 +294,23 @@ mm_inform_authserv(char *service, char * - buffer_free(&m); - } - -+/* Inform the privileged process about role */ -+ -+void -+mm_inform_authrole(char *role) -+{ -+ Buffer m; -+ -+ debug3("%s entering", __func__); -+ -+ buffer_init(&m); -+ buffer_put_cstring(&m, role ? 
role : ""); -+ -+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m); -+ -+ buffer_free(&m); -+} -+ - /* Do the password authentication */ - int - mm_auth_password(Authctxt *authctxt, char *password) -diff -up openssh-4.7p1/openbsd-compat/port-linux.c.selinux openssh-4.7p1/openbsd-compat/port-linux.c ---- openssh-4.7p1/openbsd-compat/port-linux.c.selinux 2007-06-28 00:48:03.000000000 +0200 -+++ openssh-4.7p1/openbsd-compat/port-linux.c 2007-09-06 19:46:32.000000000 +0200 -@@ -30,11 +30,16 @@ - #ifdef WITH_SELINUX - #include "log.h" - #include "port-linux.h" -+#include "key.h" -+#include "hostfile.h" -+#include "auth.h" - - #include - #include - #include - -+extern Authctxt *the_authctxt; -+ - /* Wrapper around is_selinux_enabled() to log its return value once only */ - static int - ssh_selinux_enabled(void) -@@ -53,23 +58,36 @@ ssh_selinux_enabled(void) - static security_context_t - ssh_selinux_getctxbyname(char *pwname) - { -- security_context_t sc; -- char *sename = NULL, *lvl = NULL; -- int r; -+ security_context_t sc = NULL; -+ char *sename, *lvl; -+ char *role = NULL; -+ int r = 0; - -+ if (the_authctxt) -+ role=the_authctxt->role; - #ifdef HAVE_GETSEUSERBYNAME -- if (getseuserbyname(pwname, &sename, &lvl) != 0) -- return NULL; -+ if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) { -+ sename = NULL; -+ lvl = NULL; -+ } - #else - sename = pwname; - lvl = NULL; - #endif - -+ if (r == 0) { - #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL -- r = get_default_context_with_level(sename, lvl, NULL, &sc); -+ if (role != NULL && role[0]) -+ r = get_default_context_with_rolelevel(sename, role, lvl, NULL, &sc); -+ else -+ r = get_default_context_with_level(sename, lvl, NULL, &sc); - #else -- r = get_default_context(sename, NULL, &sc); -+ if (role != NULL && role[0]) -+ r = get_default_context_with_role(sename, role, NULL, &sc); -+ else -+ r = get_default_context(sename, NULL, &sc); - #endif -+ } - - if (r != 0) { - switch (security_getenforce()) { -diff -up 
openssh-4.7p1/auth.h.selinux openssh-4.7p1/auth.h ---- openssh-4.7p1/auth.h.selinux 2006-08-18 16:32:46.000000000 +0200 -+++ openssh-4.7p1/auth.h 2007-09-06 19:46:32.000000000 +0200 -@@ -58,6 +58,7 @@ struct Authctxt { - char *service; - struct passwd *pw; /* set if 'valid' */ - char *style; -+ char *role; - void *kbdintctxt; - #ifdef BSD_AUTH - auth_session_t *as; -diff -up openssh-4.7p1/auth2.c.selinux openssh-4.7p1/auth2.c ---- openssh-4.7p1/auth2.c.selinux 2007-05-20 06:58:41.000000000 +0200 -+++ openssh-4.7p1/auth2.c 2007-09-06 19:46:32.000000000 +0200 -@@ -141,7 +141,7 @@ input_userauth_request(int type, u_int32 - { - Authctxt *authctxt = ctxt; - Authmethod *m = NULL; -- char *user, *service, *method, *style = NULL; -+ char *user, *service, *method, *style = NULL, *role = NULL; - int authenticated = 0; - - if (authctxt == NULL) -@@ -153,6 +153,9 @@ input_userauth_request(int type, u_int32 - debug("userauth-request for user %s service %s method %s", user, service, method); - debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); - -+ if ((role = strchr(user, '/')) != NULL) -+ *role++ = 0; -+ - if ((style = strchr(user, ':')) != NULL) - *style++ = 0; - -@@ -178,8 +181,11 @@ input_userauth_request(int type, u_int32 - use_privsep ? " [net]" : ""); - authctxt->service = xstrdup(service); - authctxt->style = style ? xstrdup(style) : NULL; -- if (use_privsep) -+ authctxt->role = role ? 
xstrdup(role) : NULL; -+ if (use_privsep) { - mm_inform_authserv(service, style); -+ mm_inform_authrole(role); -+ } - } else if (strcmp(user, authctxt->user) != 0 || - strcmp(service, authctxt->service) != 0) { - packet_disconnect("Change of username or service not allowed: " -diff -up openssh-4.7p1/monitor.c.selinux openssh-4.7p1/monitor.c ---- openssh-4.7p1/monitor.c.selinux 2007-05-20 07:10:16.000000000 +0200 -+++ openssh-4.7p1/monitor.c 2007-09-06 19:46:32.000000000 +0200 -@@ -133,6 +133,7 @@ int mm_answer_sign(int, Buffer *); - int mm_answer_pwnamallow(int, Buffer *); - int mm_answer_auth2_read_banner(int, Buffer *); - int mm_answer_authserv(int, Buffer *); -+int mm_answer_authrole(int, Buffer *); - int mm_answer_authpassword(int, Buffer *); - int mm_answer_bsdauthquery(int, Buffer *); - int mm_answer_bsdauthrespond(int, Buffer *); -@@ -204,6 +205,7 @@ struct mon_table mon_dispatch_proto20[] - {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, - {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, - {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, -+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole}, - {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, - {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, - #ifdef USE_PAM -@@ -657,6 +659,7 @@ mm_answer_pwnamallow(int sock, Buffer *m - else { - /* Allow service/style information on the auth context */ - monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); -+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); - monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); - } - -@@ -702,6 +705,23 @@ mm_answer_authserv(int sock, Buffer *m) - } - - int -+mm_answer_authrole(int sock, Buffer *m) -+{ -+ monitor_permit_authentications(1); -+ -+ authctxt->role = buffer_get_string(m, NULL); -+ debug3("%s: role=%s", -+ __func__, authctxt->role); -+ -+ if (strlen(authctxt->role) == 0) { -+ xfree(authctxt->role); -+ authctxt->role = NULL; -+ } -+ -+ return (0); -+} -+ -+int - 
mm_answer_authpassword(int sock, Buffer *m) - { - static int call_count; diff --git a/openssh-4.7p1-vendor.patch b/openssh-4.7p1-vendor.patch deleted file mode 100644 index eff213a..0000000 --- a/openssh-4.7p1-vendor.patch +++ /dev/null 
@@ -1,150 +0,0 @@ -diff -up openssh-4.7p1/configure.ac.vendor openssh-4.7p1/configure.ac ---- openssh-4.7p1/configure.ac.vendor 2007-09-06 16:27:47.000000000 +0200 -+++ openssh-4.7p1/configure.ac 2007-09-06 16:27:47.000000000 +0200 -@@ -3792,6 +3792,12 @@ AC_ARG_WITH(lastlog, - fi - ] - ) -+AC_ARG_ENABLE(vendor-patchlevel, -+ [ --enable-vendor-patchlevel=TAG specify a vendor patch level], -+ [AC_DEFINE_UNQUOTED(SSH_VENDOR_PATCHLEVEL,[SSH_RELEASE "-" "$enableval"],[Define to your vendor patch level, if it has been modified from the upstream source release.]) -+ SSH_VENDOR_PATCHLEVEL="$enableval"], -+ [AC_DEFINE(SSH_VENDOR_PATCHLEVEL,SSH_RELEASE,[Define to your vendor patch level, if it has been modified from the upstream source release.]) -+ SSH_VENDOR_PATCHLEVEL=none]) - - dnl lastlog, [uw]tmpx? detection - dnl NOTE: set the paths in the platform section to avoid the -@@ -4041,6 +4047,7 @@ echo " IP address in \$DISPLAY hac - echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" - echo " BSD Auth support: $BSD_AUTH_MSG" - echo " Random number source: $RAND_MSG" -+echo " Vendor patch level: $SSH_VENDOR_PATCHLEVEL" - if test ! -z "$USE_RAND_HELPER" ; then - echo " ssh-rand-helper collects from: $RAND_HELPER_MSG" - fi -diff -up openssh-4.7p1/sshd_config.5.vendor openssh-4.7p1/sshd_config.5 ---- openssh-4.7p1/sshd_config.5.vendor 2007-09-06 16:27:47.000000000 +0200 -+++ openssh-4.7p1/sshd_config.5 2007-09-06 16:27:47.000000000 +0200 -@@ -725,6 +725,14 @@ This option applies to protocol version - .It Cm ServerKeyBits - Defines the number of bits in the ephemeral protocol version 1 server key. - The minimum value is 512, and the default is 768. -+.It Cm ShowPatchLevel -+Specifies whether -+.Nm sshd -+will display the patch level of the binary in the identification string. -+The patch level is set at compile-time. -+The default is -+.Dq no . -+This option applies to protocol version 1 only. 
- .It Cm StrictModes - Specifies whether - .Xr sshd 8 -diff -up openssh-4.7p1/servconf.h.vendor openssh-4.7p1/servconf.h ---- openssh-4.7p1/servconf.h.vendor 2007-02-19 12:25:38.000000000 +0100 -+++ openssh-4.7p1/servconf.h 2007-09-06 16:27:47.000000000 +0200 -@@ -120,6 +120,7 @@ typedef struct { - int max_startups; - int max_authtries; - char *banner; /* SSH-2 banner message */ -+ int show_patchlevel; /* Show vendor patch level to clients */ - int use_dns; - int client_alive_interval; /* - * poke the client this often to -diff -up openssh-4.7p1/servconf.c.vendor openssh-4.7p1/servconf.c ---- openssh-4.7p1/servconf.c.vendor 2007-05-20 07:03:16.000000000 +0200 -+++ openssh-4.7p1/servconf.c 2007-09-06 16:29:11.000000000 +0200 -@@ -113,6 +113,7 @@ initialize_server_options(ServerOptions - options->max_startups = -1; - options->max_authtries = -1; - options->banner = NULL; -+ options->show_patchlevel = -1; - options->use_dns = -1; - options->client_alive_interval = -1; - options->client_alive_count_max = -1; -@@ -250,6 +251,9 @@ fill_default_server_options(ServerOption - if (options->permit_tun == -1) - options->permit_tun = SSH_TUNMODE_NO; - -+ if (options->show_patchlevel == -1) -+ options->show_patchlevel = 0; -+ - /* Turn privilege separation on by default */ - if (use_privsep == -1) - use_privsep = 1; -@@ -293,6 +297,7 @@ typedef enum { - sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, - sMatch, sPermitOpen, sForceCommand, - sUsePrivilegeSeparation, -+ sShowPatchLevel, - sDeprecated, sUnsupported - } ServerOpCodes; - -@@ -390,6 +395,7 @@ static struct { - { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, - { "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL }, - { "banner", sBanner, SSHCFG_ALL }, -+ { "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL }, - { "usedns", sUseDNS, SSHCFG_GLOBAL }, - { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, - { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, -@@ -1005,6 +1011,10 @@ parse_flag: - intptr = 
&use_privsep; - goto parse_flag; - -+ case sShowPatchLevel: -+ intptr = &options->show_patchlevel; -+ goto parse_flag; -+ - case sAllowUsers: - while ((arg = strdelim(&cp)) && *arg != '\0') { - if (options->num_allow_users >= MAX_ALLOW_USERS) -diff -up openssh-4.7p1/sshd_config.0.vendor openssh-4.7p1/sshd_config.0 ---- openssh-4.7p1/sshd_config.0.vendor 2007-09-06 16:27:47.000000000 +0200 -+++ openssh-4.7p1/sshd_config.0 2007-09-06 16:27:47.000000000 +0200 -@@ -418,6 +418,11 @@ DESCRIPTION - Defines the number of bits in the ephemeral protocol version 1 - server key. The minimum value is 512, and the default is 768. - -+ ShowPatchLevel -+ Specifies whether sshd will display the specific patch level of -+ the binary in the server identification string. The patch level -+ is set at compile-time. The default is M-bM-^@M-^\noM-bM-^@M-^]. -+ - StrictModes - Specifies whether sshd(8) should check file modes and ownership - of the user's files and home directory before accepting login. -diff -up openssh-4.7p1/sshd_config.vendor openssh-4.7p1/sshd_config ---- openssh-4.7p1/sshd_config.vendor 2007-09-06 16:27:47.000000000 +0200 -+++ openssh-4.7p1/sshd_config 2007-09-06 16:27:47.000000000 +0200 -@@ -109,6 +109,7 @@ X11Forwarding yes - #Compression delayed - #ClientAliveInterval 0 - #ClientAliveCountMax 3 -+#ShowPatchLevel no - #UseDNS yes - #PidFile /var/run/sshd.pid - #MaxStartups 10 -diff -up openssh-4.7p1/sshd.c.vendor openssh-4.7p1/sshd.c ---- openssh-4.7p1/sshd.c.vendor 2007-06-05 10:22:32.000000000 +0200 -+++ openssh-4.7p1/sshd.c 2007-09-06 16:27:47.000000000 +0200 -@@ -419,7 +419,8 @@ sshd_exchange_identification(int sock_in - major = PROTOCOL_MAJOR_1; - minor = PROTOCOL_MINOR_1; - } -- snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION); -+ snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, -+ (options.show_patchlevel == 1) ? 
SSH_VENDOR_PATCHLEVEL : SSH_VERSION); - server_version_string = xstrdup(buf); - - /* Send our protocol version identification. */ -@@ -1434,7 +1435,8 @@ main(int ac, char **av) - exit(1); - } - -- debug("sshd version %.100s", SSH_RELEASE); -+ debug("sshd version %.100s", -+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE); - - /* Store privilege separation user for later use if required. */ - if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) { diff --git a/openssh-5.0p1-unbreakalive.patch b/openssh-5.0p1-unbreakalive.patch deleted file mode 100644 index b1dafa5..0000000 --- a/openssh-5.0p1-unbreakalive.patch +++ /dev/null @@ -1,20 +0,0 @@ -Index: packet.c -=================================================================== -RCS file: /cvs/src/usr.bin/ssh/packet.c,v -retrieving revision 1.152 -diff -u -p packet.c ---- packet.c 8 May 2008 06:59:01 -0000 -+++ packet.c 19 May 2008 04:00:34 -0000 -@@ -1185,9 +1185,10 @@ packet_read_poll_seqnr(u_int32_t *seqnr_ - for (;;) { - if (compat20) { - type = packet_read_poll2(seqnr_p); -- keep_alive_timeouts = 0; -- if (type) -+ if (type) { -+ keep_alive_timeouts = 0; - DBG(debug("received packet type %d", type)); -+ } - switch (type) { - case SSH2_MSG_IGNORE: - debug3("Received SSH2_MSG_IGNORE"); diff --git a/openssh-5.1p1-cloexec.patch b/openssh-5.1p1-cloexec.patch new file mode 100644 index 0000000..5dbff42 --- /dev/null +++ b/openssh-5.1p1-cloexec.patch 
@@ -0,0 +1,43 @@
+diff -up openssh-5.1p1/sshconnect2.c.cloexec openssh-5.1p1/sshconnect2.c
+--- openssh-5.1p1/sshconnect2.c.cloexec 2008-07-23 15:21:23.000000000 +0200
++++ openssh-5.1p1/sshconnect2.c 2008-07-23 15:23:19.000000000 +0200
+@@ -38,6 +38,7 @@
+ #include
+ #include
+ #include
++#include
+ #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H)
+ #include
+ #endif
+@@ -1267,6 +1268,7 @@ ssh_keysign(Key *key, u_char **sigp, u_i
+ return -1;
+ }
+ if (pid == 0) {
++ fcntl(packet_get_connection_in(), F_SETFD, 0); /* keep the socket on exec */
+ permanently_drop_suid(getuid());
+ close(from[0]);
+ if (dup2(from[1], STDOUT_FILENO) < 0)
+diff -up openssh-5.1p1/sshconnect.c.cloexec openssh-5.1p1/sshconnect.c
+--- openssh-5.1p1/sshconnect.c.cloexec 2008-07-02 14:34:30.000000000 +0200
++++ openssh-5.1p1/sshconnect.c 2008-07-23 15:21:23.000000000 +0200
+@@ -38,6 +38,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ #include "xmalloc.h"
+ #include "key.h"
+@@ -194,8 +195,11 @@ ssh_create_socket(int privileged, struct
+ return sock;
+ }
+ sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+- if (sock < 0)
++ if (sock < 0) {
+ error("socket: %.100s", strerror(errno));
++ return -1;
++ }
++ fcntl(sock, F_SETFD, FD_CLOEXEC);
+ 
+ /* Bind the socket to an alternative local IP address */
+ if (options.bind_address == NULL)
diff --git a/openssh-5.1p1-log-in-chroot.patch b/openssh-5.1p1-log-in-chroot.patch
new file mode 100644
index 0000000..be1ed35
--- /dev/null
+++ b/openssh-5.1p1-log-in-chroot.patch
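Review bot: Neither new fcntl() call checks its return value, so if F_SETFD fails in ssh_create_socket() the connection socket silently stays inheritable across every later exec from the client, and a failure of the mirror-image call in the ssh_keysign() child (presumably needed because the helper that child goes on to exec reads the connection fd) is equally invisible. error() and strerror(errno) are already used on the adjacent line, so `if (fcntl(sock, F_SETFD, FD_CLOEXEC) == -1) error("fcntl(F_SETFD): %.100s", strerror(errno));` costs nothing and makes a regression observable; the sshconnect2.c call can be wrapped the same way. The `/* keep the socket on exec */` comment states what the line does rather than why, and would be more useful as `/* clear FD_CLOEXEC set in ssh_create_socket(): the exec'd helper needs the connection fd */`. Both enclosing functions, ssh_keysign() and ssh_create_socket(), start outside the hunk.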
@@ -0,0 +1,57 @@
+diff -up openssh-5.1p1/sshd.c.log-chroot openssh-5.1p1/sshd.c
+--- openssh-5.1p1/sshd.c.log-chroot 2008-07-23 15:18:52.000000000 +0200
++++ openssh-5.1p1/sshd.c 2008-07-23 15:18:52.000000000 +0200
+@@ -591,6 +591,10 @@ privsep_preauth_child(void)
+ /* Demote the private keys to public keys. */
+ demote_sensitive_data();
+ 
++ /* Open the syslog permanently so the chrooted process still
++ can write to syslog. */
++ open_log();
++
+ /* Change our root directory */
+ if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
+ fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
+diff -up openssh-5.1p1/log.c.log-chroot openssh-5.1p1/log.c
+--- openssh-5.1p1/log.c.log-chroot 2008-06-10 15:01:51.000000000 +0200
++++ openssh-5.1p1/log.c 2008-07-23 15:18:52.000000000 +0200
+@@ -56,6 +56,7 @@ static LogLevel log_level = SYSLOG_LEVEL
+ static int log_on_stderr = 1;
+ static int log_facility = LOG_AUTH;
+ static char *argv0;
++static int log_fd_keep;
+ 
+ extern char *__progname;
+ 
+@@ -392,10 +393,21 @@ do_log(LogLevel level, const char *fmt,
+ syslog_r(pri, &sdata, "%.500s", fmtbuf);
+ closelog_r(&sdata);
+ #else
++ if (!log_fd_keep) {
+ openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
++ }
+ syslog(pri, "%.500s", fmtbuf);
++ if (!log_fd_keep) {
+ closelog();
++ }
+ #endif
+ }
+ errno = saved_errno;
+ }
++
++void
++open_log(void)
++{
++ openlog(argv0 ? argv0 : __progname, LOG_PID|LOG_NDELAY, log_facility);
++ log_fd_keep = 1;
++}
+diff -up openssh-5.1p1/log.h.log-chroot openssh-5.1p1/log.h
+--- openssh-5.1p1/log.h.log-chroot 2008-06-13 02:22:54.000000000 +0200
++++ openssh-5.1p1/log.h 2008-07-23 15:20:11.000000000 +0200
+@@ -66,4 +66,6 @@ void debug3(const char *, ...) __att
+ 
+ void do_log(LogLevel, const char *, va_list);
+ void cleanup_exit(int) __attribute__((noreturn));
++
++void open_log(void);
+ #endif
diff --git a/openssh-5.1p1-redhat.patch b/openssh-5.1p1-redhat.patch
new file mode 100644
index 0000000..d1479cb
--- /dev/null
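Review bot: open_log() is a new exported function in log.h with no comment describing its contract, and the contract has a sharp edge: once it sets log_fd_keep, do_log() never calls openlog() again, so any later change to argv0 or log_facility made by code outside this hunk (a re-initialisation of the logger after the fork, for instance) is silently not applied to the already-open syslog connection. A header comment above the definition in log.c along the lines of `/* Open syslog once (LOG_NDELAY) and keep it open so do_log() still reaches syslogd after chroot(); call only after ident and facility are final, since do_log() stops re-opening the log. */` would make the ordering requirement explicit, and the call site in privsep_preauth_child() already honours it by running before chroot(). The two `if (!log_fd_keep) {` guards only wrap the plain openlog()/closelog() branch; the syslog_r() branch above them ignores the flag, which is presumably fine because that branch carries its own state, but a one-line comment saying so would stop the next reader from "fixing" it. The name log_fd_keep suggests a descriptor, but it is a boolean; `log_keep_open` would read more naturally next to log_on_stderr.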
+++ b/openssh-5.1p1-redhat.patch 
@@ -0,0 +1,97 @@
+diff -up openssh-5.1p1/sshd_config.redhat openssh-5.1p1/sshd_config
+--- openssh-5.1p1/sshd_config.redhat 2008-07-02 14:35:43.000000000 +0200
++++ openssh-5.1p1/sshd_config 2008-07-23 14:11:12.000000000 +0200
+@@ -33,6 +33,7 @@ Protocol 2
+ # Logging
+ # obsoletes QuietMode and FascistLogging
+ #SyslogFacility AUTH
++SyslogFacility AUTHPRIV
+ #LogLevel INFO
+ 
+ # Authentication:
+@@ -60,9 +61,11 @@ Protocol 2
+ # To disable tunneled clear text passwords, change to no here!
+ #PasswordAuthentication yes
+ #PermitEmptyPasswords no
++PasswordAuthentication yes
+ 
+ # Change to no to disable s/key passwords
+ #ChallengeResponseAuthentication yes
++ChallengeResponseAuthentication no
+ 
+ # Kerberos options
+ #KerberosAuthentication no
+@@ -72,7 +75,9 @@ Protocol 2
+ 
+ # GSSAPI options
+ #GSSAPIAuthentication no
++GSSAPIAuthentication yes
+ #GSSAPICleanupCredentials yes
++GSSAPICleanupCredentials yes
+ 
+ # Set this to 'yes' to enable PAM authentication, account processing,
+ # and session processing. If this is enabled, PAM authentication will
+@@ -84,11 +89,18 @@ Protocol 2
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and ChallengeResponseAuthentication to 'no'.
+ #UsePAM no
++UsePAM yes
++
++# Accept locale-related environment variables
++AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
++AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
++AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+ 
+ #AllowAgentForwarding yes
+ #AllowTcpForwarding yes
+ #GatewayPorts no
+ #X11Forwarding no
++X11Forwarding yes
+ #X11DisplayOffset 10
+ #X11UseLocalhost yes
+ #PrintMotd yes
+diff -up openssh-5.1p1/ssh_config.redhat openssh-5.1p1/ssh_config
+--- openssh-5.1p1/ssh_config.redhat 2007-06-11 06:04:42.000000000 +0200
++++ openssh-5.1p1/ssh_config 2008-07-23 14:07:29.000000000 +0200
+@@ -43,3 +43,13 @@
+ # Tunnel no
+ # TunnelDevice any:any
+ # PermitLocalCommand no
++Host *
++ GSSAPIAuthentication yes
++# If this option is set to yes then remote X11 clients will have full access
++# to the original X11 display. As virtually no X11 client supports the untrusted
++# mode correctly we set this to yes.
++ ForwardX11Trusted yes
++# Send locale-related environment variables
++ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
++ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
++ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+diff -up openssh-5.1p1/sshd_config.0.redhat openssh-5.1p1/sshd_config.0
+--- openssh-5.1p1/sshd_config.0.redhat 2008-07-21 10:30:51.000000000 +0200
++++ openssh-5.1p1/sshd_config.0 2008-07-23 14:07:29.000000000 +0200
+@@ -490,9 +490,9 @@ DESCRIPTION
+ 
+ SyslogFacility
+ Gives the facility code that is used when logging messages from
+- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
+- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de-
+- fault is AUTH.
++ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
++ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
++ The default is AUTH.
+ 
+ TCPKeepAlive
+ Specifies whether the system should send TCP keepalive messages
+diff -up openssh-5.1p1/sshd_config.5.redhat openssh-5.1p1/sshd_config.5
+--- openssh-5.1p1/sshd_config.5.redhat 2008-07-02 14:35:43.000000000 +0200
++++ openssh-5.1p1/sshd_config.5 2008-07-23 14:07:29.000000000 +0200
+@@ -846,7 +846,7 @@ Note that this option applies to protoco
+ .It Cm SyslogFacility
+ Gives the facility code that is used when logging messages from
+ .Xr sshd 8 .
+-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
++The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
+ LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+ The default is AUTH.
+ .It Cm TCPKeepAlive
diff --git a/openssh-5.1p1-selinux.patch b/openssh-5.1p1-selinux.patch
new file mode 100644
index 0000000..8cd618a
--- /dev/null
+++ b/openssh-5.1p1-selinux.patch
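Review bot: The sshd_config part of this hunk turns on `X11Forwarding yes` with no accompanying comment, while the matching `ForwardX11Trusted yes` added to ssh_config does explain its rationale; an operator hardening the daemon config cannot tell from the file whether this is a distribution default or a site decision. A one-line comment before the added line, in the style already used for the AcceptEnv block, would fix that: `# X11 forwarding is enabled by default in this distribution; X11UseLocalhost below limits where the proxy display listens`. The explicit `PasswordAuthentication yes` added next to `ChallengeResponseAuthentication no` and `UsePAM yes` is exactly the combination the surrounding comment text is discussing, so a short comment stating that password authentication is deliberately routed through PAM here would stop it being read as an oversight. In the ssh_config block the comment lines sit at column 0 while the directives under `Host *` are indented, which is legal but reads as if the comments closed the block; indenting them to match the directives would make the grouping obvious.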
@@ -0,0 +1,328 @@ +diff -up openssh-5.1p1/configure.ac.selinux openssh-5.1p1/configure.ac +--- openssh-5.1p1/configure.ac.selinux 2008-07-23 16:32:13.000000000 +0200 ++++ openssh-5.1p1/configure.ac 2008-07-23 16:32:13.000000000 +0200 +@@ -3309,6 +3309,7 @@ AC_ARG_WITH(selinux, + AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ], + AC_MSG_ERROR(SELinux support requires libselinux library)) + SSHDLIBS="$SSHDLIBS $LIBSELINUX" ++ LIBS="$LIBS $LIBSELINUX" + AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) + LIBS="$save_LIBS" + fi ] +diff -up openssh-5.1p1/auth1.c.selinux openssh-5.1p1/auth1.c +--- openssh-5.1p1/auth1.c.selinux 2008-07-23 16:32:13.000000000 +0200 ++++ openssh-5.1p1/auth1.c 2008-07-23 16:32:13.000000000 +0200 +@@ -391,7 +391,7 @@ void + do_authentication(Authctxt *authctxt) + { + u_int ulen; +- char *user, *style = NULL; ++ char *user, *style = NULL, *role=NULL; + + /* Get the name of the user that we wish to log in as. */ + packet_read_expect(SSH_CMSG_USER); +@@ -400,11 +400,19 @@ do_authentication(Authctxt *authctxt) + user = packet_get_string(&ulen); + packet_check_eom(); + ++ if ((role = strchr(user, '/')) != NULL) ++ *role++ = '\0'; ++ + if ((style = strchr(user, ':')) != NULL) + *style++ = '\0'; ++ else ++ if (role && (style = strchr(role, ':')) != NULL) ++ *style++ = '\0'; ++ + + authctxt->user = user; + authctxt->style = style; ++ authctxt->role = role; + + /* Verify that the user is a valid user. 
*/ + if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) +diff -up openssh-5.1p1/auth2-pubkey.c.selinux openssh-5.1p1/auth2-pubkey.c +--- openssh-5.1p1/auth2-pubkey.c.selinux 2008-07-04 04:54:25.000000000 +0200 ++++ openssh-5.1p1/auth2-pubkey.c 2008-07-23 16:32:13.000000000 +0200 +@@ -117,7 +117,14 @@ userauth_pubkey(Authctxt *authctxt) + } + /* reconstruct packet */ + buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); +- buffer_put_cstring(&b, authctxt->user); ++ if (authctxt->role) { ++ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1); ++ buffer_append(&b, authctxt->user, strlen(authctxt->user)); ++ buffer_put_char(&b, '/'); ++ buffer_append(&b, authctxt->role, strlen(authctxt->role)); ++ } else { ++ buffer_put_cstring(&b, authctxt->user); ++ } + buffer_put_cstring(&b, + datafellows & SSH_BUG_PKSERVICE ? + "ssh-userauth" : +diff -up openssh-5.1p1/monitor_wrap.h.selinux openssh-5.1p1/monitor_wrap.h +--- openssh-5.1p1/monitor_wrap.h.selinux 2006-08-05 04:39:40.000000000 +0200 ++++ openssh-5.1p1/monitor_wrap.h 2008-07-23 16:32:13.000000000 +0200 +@@ -41,6 +41,7 @@ int mm_is_monitor(void); + DH *mm_choose_dh(int, int, int); + int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); + void mm_inform_authserv(char *, char *); ++void mm_inform_authrole(char *); + struct passwd *mm_getpwnamallow(const char *); + char *mm_auth2_read_banner(void); + int mm_auth_password(struct Authctxt *, char *); +diff -up openssh-5.1p1/monitor.h.selinux openssh-5.1p1/monitor.h +--- openssh-5.1p1/monitor.h.selinux 2006-03-26 05:30:02.000000000 +0200 ++++ openssh-5.1p1/monitor.h 2008-07-23 16:32:13.000000000 +0200 +@@ -30,7 +30,7 @@ + + enum monitor_reqtype { + MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, +- MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, ++ MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE, + MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, + MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, + MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, +diff -up 
openssh-5.1p1/auth2-hostbased.c.selinux openssh-5.1p1/auth2-hostbased.c +--- openssh-5.1p1/auth2-hostbased.c.selinux 2008-07-17 10:57:19.000000000 +0200 ++++ openssh-5.1p1/auth2-hostbased.c 2008-07-23 16:32:13.000000000 +0200 +@@ -106,7 +106,14 @@ userauth_hostbased(Authctxt *authctxt) + buffer_put_string(&b, session_id2, session_id2_len); + /* reconstruct packet */ + buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); +- buffer_put_cstring(&b, authctxt->user); ++ if (authctxt->role) { ++ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1); ++ buffer_append(&b, authctxt->user, strlen(authctxt->user)); ++ buffer_put_char(&b, '/'); ++ buffer_append(&b, authctxt->role, strlen(authctxt->role)); ++ } else { ++ buffer_put_cstring(&b, authctxt->user); ++ } + buffer_put_cstring(&b, service); + buffer_put_cstring(&b, "hostbased"); + buffer_put_string(&b, pkalg, alen); +diff -up openssh-5.1p1/monitor_wrap.c.selinux openssh-5.1p1/monitor_wrap.c +--- openssh-5.1p1/monitor_wrap.c.selinux 2008-07-11 09:36:48.000000000 +0200 ++++ openssh-5.1p1/monitor_wrap.c 2008-07-23 16:32:13.000000000 +0200 +@@ -296,6 +296,23 @@ mm_inform_authserv(char *service, char * + buffer_free(&m); + } + ++/* Inform the privileged process about role */ ++ ++void ++mm_inform_authrole(char *role) ++{ ++ Buffer m; ++ ++ debug3("%s entering", __func__); ++ ++ buffer_init(&m); ++ buffer_put_cstring(&m, role ? 
role : ""); ++ ++ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m); ++ ++ buffer_free(&m); ++} ++ + /* Do the password authentication */ + int + mm_auth_password(Authctxt *authctxt, char *password) +diff -up openssh-5.1p1/openbsd-compat/port-linux.c.selinux openssh-5.1p1/openbsd-compat/port-linux.c +--- openssh-5.1p1/openbsd-compat/port-linux.c.selinux 2008-03-26 21:27:21.000000000 +0100 ++++ openssh-5.1p1/openbsd-compat/port-linux.c 2008-07-23 16:32:13.000000000 +0200 +@@ -30,11 +30,16 @@ + #ifdef WITH_SELINUX + #include "log.h" + #include "port-linux.h" ++#include "key.h" ++#include "hostfile.h" ++#include "auth.h" + + #include + #include + #include + ++extern Authctxt *the_authctxt; ++ + /* Wrapper around is_selinux_enabled() to log its return value once only */ + int + ssh_selinux_enabled(void) +@@ -53,23 +58,36 @@ ssh_selinux_enabled(void) + static security_context_t + ssh_selinux_getctxbyname(char *pwname) + { +- security_context_t sc; +- char *sename = NULL, *lvl = NULL; +- int r; ++ security_context_t sc = NULL; ++ char *sename, *lvl; ++ char *role = NULL; ++ int r = 0; + ++ if (the_authctxt) ++ role=the_authctxt->role; + #ifdef HAVE_GETSEUSERBYNAME +- if (getseuserbyname(pwname, &sename, &lvl) != 0) +- return NULL; ++ if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) { ++ sename = NULL; ++ lvl = NULL; ++ } + #else + sename = pwname; + lvl = NULL; + #endif + ++ if (r == 0) { + #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL +- r = get_default_context_with_level(sename, lvl, NULL, &sc); ++ if (role != NULL && role[0]) ++ r = get_default_context_with_rolelevel(sename, role, lvl, NULL, &sc); ++ else ++ r = get_default_context_with_level(sename, lvl, NULL, &sc); + #else +- r = get_default_context(sename, NULL, &sc); ++ if (role != NULL && role[0]) ++ r = get_default_context_with_role(sename, role, NULL, &sc); ++ else ++ r = get_default_context(sename, NULL, &sc); + #endif ++ } + + if (r != 0) { + switch (security_getenforce()) { +diff -up 
openssh-5.1p1/auth.h.selinux openssh-5.1p1/auth.h +--- openssh-5.1p1/auth.h.selinux 2008-07-02 14:37:30.000000000 +0200 ++++ openssh-5.1p1/auth.h 2008-07-23 16:32:13.000000000 +0200 +@@ -58,6 +58,7 @@ struct Authctxt { + char *service; + struct passwd *pw; /* set if 'valid' */ + char *style; ++ char *role; + void *kbdintctxt; + #ifdef BSD_AUTH + auth_session_t *as; +diff -up openssh-5.1p1/auth2.c.selinux openssh-5.1p1/auth2.c +--- openssh-5.1p1/auth2.c.selinux 2008-07-05 01:44:53.000000000 +0200 ++++ openssh-5.1p1/auth2.c 2008-07-23 16:32:13.000000000 +0200 +@@ -209,7 +209,7 @@ input_userauth_request(int type, u_int32 + { + Authctxt *authctxt = ctxt; + Authmethod *m = NULL; +- char *user, *service, *method, *style = NULL; ++ char *user, *service, *method, *style = NULL, *role = NULL; + int authenticated = 0; + + if (authctxt == NULL) +@@ -221,6 +221,9 @@ input_userauth_request(int type, u_int32 + debug("userauth-request for user %s service %s method %s", user, service, method); + debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); + ++ if ((role = strchr(user, '/')) != NULL) ++ *role++ = 0; ++ + if ((style = strchr(user, ':')) != NULL) + *style++ = 0; + +@@ -246,8 +249,11 @@ input_userauth_request(int type, u_int32 + use_privsep ? " [net]" : ""); + authctxt->service = xstrdup(service); + authctxt->style = style ? xstrdup(style) : NULL; +- if (use_privsep) ++ authctxt->role = role ? 
xstrdup(role) : NULL; ++ if (use_privsep) { + mm_inform_authserv(service, style); ++ mm_inform_authrole(role); ++ } + userauth_banner(); + } else if (strcmp(user, authctxt->user) != 0 || + strcmp(service, authctxt->service) != 0) { +diff -up openssh-5.1p1/monitor.c.selinux openssh-5.1p1/monitor.c +--- openssh-5.1p1/monitor.c.selinux 2008-07-11 09:36:48.000000000 +0200 ++++ openssh-5.1p1/monitor.c 2008-07-23 16:36:10.000000000 +0200 +@@ -134,6 +134,7 @@ int mm_answer_sign(int, Buffer *); + int mm_answer_pwnamallow(int, Buffer *); + int mm_answer_auth2_read_banner(int, Buffer *); + int mm_answer_authserv(int, Buffer *); ++int mm_answer_authrole(int, Buffer *); + int mm_answer_authpassword(int, Buffer *); + int mm_answer_bsdauthquery(int, Buffer *); + int mm_answer_bsdauthrespond(int, Buffer *); +@@ -205,6 +206,7 @@ struct mon_table mon_dispatch_proto20[] + {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, + {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, + {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, ++ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole}, + {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, + {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, + #ifdef USE_PAM +@@ -658,6 +660,7 @@ mm_answer_pwnamallow(int sock, Buffer *m + else { + /* Allow service/style information on the auth context */ + monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); ++ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); + } + +@@ -703,6 +706,23 @@ mm_answer_authserv(int sock, Buffer *m) + } + + int ++mm_answer_authrole(int sock, Buffer *m) ++{ ++ monitor_permit_authentications(1); ++ ++ authctxt->role = buffer_get_string(m, NULL); ++ debug3("%s: role=%s", ++ __func__, authctxt->role); ++ ++ if (strlen(authctxt->role) == 0) { ++ xfree(authctxt->role); ++ authctxt->role = NULL; ++ } ++ ++ return (0); ++} ++ ++int + mm_answer_authpassword(int sock, Buffer *m) + { + 
static int call_count; +@@ -1080,7 +1100,7 @@ static int + monitor_valid_userblob(u_char *data, u_int datalen) + { + Buffer b; +- char *p; ++ char *p, *r; + u_int len; + int fail = 0; + +@@ -1106,6 +1126,8 @@ monitor_valid_userblob(u_char *data, u_i + if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) + fail++; + p = buffer_get_string(&b, NULL); ++ if ((r = strchr(p, '/')) != NULL) ++ *r = '\0'; + if (strcmp(authctxt->user, p) != 0) { + logit("wrong user name passed to monitor: expected %s != %.100s", + authctxt->user, p); +@@ -1137,7 +1159,7 @@ monitor_valid_hostbasedblob(u_char *data + char *chost) + { + Buffer b; +- char *p; ++ char *p, *r; + u_int len; + int fail = 0; + +@@ -1154,6 +1176,8 @@ monitor_valid_hostbasedblob(u_char *data + if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) + fail++; + p = buffer_get_string(&b, NULL); ++ if ((r = strchr(p, '/')) != NULL) ++ *r = '\0'; + if (strcmp(authctxt->user, p) != 0) { + logit("wrong user name passed to monitor: expected %s != %.100s", + authctxt->user, p); diff --git a/openssh-5.1p1-vendor.patch b/openssh-5.1p1-vendor.patch new file mode 100644 index 0000000..826a1df --- /dev/null +++ b/openssh-5.1p1-vendor.patch 
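Review bot: In monitor_valid_userblob the added `if ((r = strchr(p, '/')) != NULL) *r = '\0';` discards the role suffix of the signed user string before the user comparison, so the monitor never checks that it equals the role it accepted from the unprivileged process in mm_answer_authrole; the SELinux role that ends up in ssh_selinux_getctxbyname is therefore not bound to what the client actually signed, and monitor_valid_hostbasedblob has the same gap. Comparing the suffix against authctxt->role, and failing when only one side carries a role, closes it as sketched below; both functions continue outside the hunk. Separately, do_authentication in auth1.c looks for a `:style` suffix inside the role part when the user part has none, while input_userauth_request in auth2.c does not, so a protocol-2 request for `user/role:style` presumably leaves role as `role:style`. The only validation of the client-chosen role is whatever libselinux applies inside get_default_context_with_role / get_default_context_with_rolelevel, so it is worth a comment there saying that role acceptance is delegated to policy.
```c
	p = buffer_get_string(&b, NULL);
	if ((r = strchr(p, '/')) != NULL) {
		*r++ = '\0';
		/* the role in the signed blob must match the one reported via MONITOR_REQ_AUTHROLE */
		if (authctxt->role == NULL || strcmp(authctxt->role, r) != 0)
			fail++;
	} else if (authctxt->role != NULL) {
		fail++;
	}
	/* … unchanged: user name comparison and the remaining blob checks … */
```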
@@ -0,0 +1,158 @@ +diff -up openssh-5.1p1/configure.ac.vendor openssh-5.1p1/configure.ac +--- openssh-5.1p1/configure.ac.vendor 2008-07-23 14:13:22.000000000 +0200 ++++ openssh-5.1p1/configure.ac 2008-07-23 14:13:22.000000000 +0200 +@@ -3890,6 +3890,12 @@ AC_ARG_WITH(lastlog, + fi + ] + ) ++AC_ARG_ENABLE(vendor-patchlevel, ++ [ --enable-vendor-patchlevel=TAG specify a vendor patch level], ++ [AC_DEFINE_UNQUOTED(SSH_VENDOR_PATCHLEVEL,[SSH_RELEASE "-" "$enableval"],[Define to your vendor patch level, if it has been modified from the upstream source release.]) ++ SSH_VENDOR_PATCHLEVEL="$enableval"], ++ [AC_DEFINE(SSH_VENDOR_PATCHLEVEL,SSH_RELEASE,[Define to your vendor patch level, if it has been modified from the upstream source release.]) ++ SSH_VENDOR_PATCHLEVEL=none]) + + dnl lastlog, [uw]tmpx? detection + dnl NOTE: set the paths in the platform section to avoid the +@@ -4146,6 +4152,7 @@ echo " IP address in \$DISPLAY hac + echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" + echo " BSD Auth support: $BSD_AUTH_MSG" + echo " Random number source: $RAND_MSG" ++echo " Vendor patch level: $SSH_VENDOR_PATCHLEVEL" + if test ! -z "$USE_RAND_HELPER" ; then + echo " ssh-rand-helper collects from: $RAND_HELPER_MSG" + fi +diff -up openssh-5.1p1/sshd_config.5.vendor openssh-5.1p1/sshd_config.5 +--- openssh-5.1p1/sshd_config.5.vendor 2008-07-23 14:13:22.000000000 +0200 ++++ openssh-5.1p1/sshd_config.5 2008-07-23 14:19:23.000000000 +0200 +@@ -812,6 +812,14 @@ This option applies to protocol version + .It Cm ServerKeyBits + Defines the number of bits in the ephemeral protocol version 1 server key. + The minimum value is 512, and the default is 1024. ++.It Cm ShowPatchLevel ++Specifies whether ++.Nm sshd ++will display the patch level of the binary in the identification string. ++The patch level is set at compile-time. ++The default is ++.Dq no . ++This option applies to protocol version 1 only. 
+ .It Cm StrictModes + Specifies whether + .Xr sshd 8 +diff -up openssh-5.1p1/servconf.h.vendor openssh-5.1p1/servconf.h +--- openssh-5.1p1/servconf.h.vendor 2008-06-10 15:01:51.000000000 +0200 ++++ openssh-5.1p1/servconf.h 2008-07-23 14:13:22.000000000 +0200 +@@ -126,6 +126,7 @@ typedef struct { + int max_authtries; + int max_sessions; + char *banner; /* SSH-2 banner message */ ++ int show_patchlevel; /* Show vendor patch level to clients */ + int use_dns; + int client_alive_interval; /* + * poke the client this often to +diff -up openssh-5.1p1/servconf.c.vendor openssh-5.1p1/servconf.c +--- openssh-5.1p1/servconf.c.vendor 2008-07-04 05:51:12.000000000 +0200 ++++ openssh-5.1p1/servconf.c 2008-07-23 14:32:27.000000000 +0200 +@@ -117,6 +117,7 @@ initialize_server_options(ServerOptions + options->max_authtries = -1; + options->max_sessions = -1; + options->banner = NULL; ++ options->show_patchlevel = -1; + options->use_dns = -1; + options->client_alive_interval = -1; + options->client_alive_count_max = -1; +@@ -259,6 +260,9 @@ fill_default_server_options(ServerOption + if (options->permit_tun == -1) + options->permit_tun = SSH_TUNMODE_NO; + ++ if (options->show_patchlevel == -1) ++ options->show_patchlevel = 0; ++ + /* Turn privilege separation on by default */ + if (use_privsep == -1) + use_privsep = 1; +@@ -296,7 +300,7 @@ typedef enum { + sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, + sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, + sMaxStartups, sMaxAuthTries, sMaxSessions, +- sBanner, sUseDNS, sHostbasedAuthentication, ++ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication, + sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, + sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, + sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, +@@ -401,6 +405,7 @@ static struct { + { "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, + { "maxsessions", sMaxSessions, SSHCFG_ALL }, + { "banner", sBanner, 
SSHCFG_ALL }, ++ { "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL }, + { "usedns", sUseDNS, SSHCFG_GLOBAL }, + { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, + { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, +@@ -1020,6 +1025,10 @@ process_server_config_line(ServerOptions + intptr = &use_privsep; + goto parse_flag; + ++ case sShowPatchLevel: ++ intptr = &options->show_patchlevel; ++ goto parse_flag; ++ + case sAllowUsers: + while ((arg = strdelim(&cp)) && *arg != '\0') { + if (options->num_allow_users >= MAX_ALLOW_USERS) +@@ -1584,6 +1593,7 @@ dump_config(ServerOptions *o) + dump_cfg_fmtint(sUseLogin, o->use_login); + dump_cfg_fmtint(sCompression, o->compression); + dump_cfg_fmtint(sGatewayPorts, o->gateway_ports); ++ dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel); + dump_cfg_fmtint(sUseDNS, o->use_dns); + dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); + dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); +diff -up openssh-5.1p1/sshd_config.0.vendor openssh-5.1p1/sshd_config.0 +--- openssh-5.1p1/sshd_config.0.vendor 2008-07-23 14:13:22.000000000 +0200 ++++ openssh-5.1p1/sshd_config.0 2008-07-23 14:13:22.000000000 +0200 +@@ -466,6 +466,11 @@ DESCRIPTION + Defines the number of bits in the ephemeral protocol version 1 + server key. The minimum value is 512, and the default is 1024. + ++ ShowPatchLevel ++ Specifies whether sshd will display the specific patch level of ++ the binary in the server identification string. The patch level ++ is set at compile-time. The default is M-bM-^@M-^\noM-bM-^@M-^]. ++ + StrictModes + Specifies whether sshd(8) should check file modes and ownership + of the user's files and home directory before accepting login. 
+diff -up openssh-5.1p1/sshd_config.vendor openssh-5.1p1/sshd_config +--- openssh-5.1p1/sshd_config.vendor 2008-07-23 14:13:22.000000000 +0200 ++++ openssh-5.1p1/sshd_config 2008-07-23 14:13:22.000000000 +0200 +@@ -112,6 +112,7 @@ X11Forwarding yes + #Compression delayed + #ClientAliveInterval 0 + #ClientAliveCountMax 3 ++#ShowPatchLevel no + #UseDNS yes + #PidFile /var/run/sshd.pid + #MaxStartups 10 +diff -up openssh-5.1p1/sshd.c.vendor openssh-5.1p1/sshd.c +--- openssh-5.1p1/sshd.c.vendor 2008-07-11 09:36:49.000000000 +0200 ++++ openssh-5.1p1/sshd.c 2008-07-23 14:35:43.000000000 +0200 +@@ -416,7 +416,7 @@ sshd_exchange_identification(int sock_in + minor = PROTOCOL_MINOR_1; + } + snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor, +- SSH_VERSION, newline); ++ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline); + server_version_string = xstrdup(buf); + + /* Send our protocol version identification. */ +@@ -1484,7 +1484,8 @@ main(int ac, char **av) + exit(1); + } + +- debug("sshd version %.100s", SSH_RELEASE); ++ debug("sshd version %.100s", ++ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE); + + /* Store privilege separation user for later use if required. */ + if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) { diff --git a/openssh.spec b/openssh.spec index 2849676..3555ade 100644 --- a/openssh.spec +++ b/openssh.spec @@ -62,8 +62,8 @@ Summary: The OpenSSH implementation of SSH protocol versions 1 and 2 Name: openssh -Version: 5.0p1 -Release: 3%{?dist}%{?rescue_rel} +Version: 5.1p1 +Release: 1%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc 
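Review bot: The sshd_config.5 paragraph added for ShowPatchLevel ends with `This option applies to protocol version 1 only.`, but the code it documents is the `snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", ...)` in sshd_exchange_identification, which builds the identification string sent to every client before any protocol version is agreed, and the sshd_config.0 rendering of the same paragraph omits that sentence; drop it from sshd_config.5 so both match the behaviour. Because that banner is exactly what remote scanners read, the description should also say that the vendor patch level is exposed to unauthenticated peers only when the option is enabled, which the default of no keeps off. Minor style: show_patchlevel is filled through parse_flag and defaulted to 0, so `options.show_patchlevel ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION` presumably reads the same as the `== 1` comparison used in both sshd.c sites.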
@@ -74,17 +74,17 @@ Source0: openssh-%{version}-noacss.tar.bz2 Source1: openssh-nukeacss.sh Source2: sshd.pam Source3: sshd.init -Patch0: openssh-4.7p1-redhat.patch +Patch0: openssh-5.1p1-redhat.patch Patch2: openssh-3.8.1p1-skip-initial.patch Patch3: openssh-3.8.1p1-krb5-config.patch -Patch4: openssh-4.7p1-vendor.patch -Patch12: openssh-4.7p1-selinux.patch +Patch4: openssh-5.1p1-vendor.patch +Patch12: openssh-5.1p1-selinux.patch Patch13: openssh-4.7p1-mls.patch Patch16: openssh-4.7p1-audit.patch Patch17: openssh-4.3p2-cve-2007-3102.patch Patch22: openssh-3.9p1-askpass-keep-above.patch Patch24: openssh-4.3p1-fromto-remote.patch -Patch27: openssh-4.7p1-log-in-chroot.patch +Patch27: openssh-5.1p1-log-in-chroot.patch Patch30: openssh-4.0p1-exit-deadlock.patch Patch35: openssh-4.2p1-askpass-progress.patch Patch38: openssh-4.3p2-askpass-grab-info.patch @@ -93,11 +93,8 @@ Patch44: openssh-4.3p2-allow-ip-opts.patch Patch49: openssh-4.3p2-gssapi-canohost.patch Patch51: openssh-4.7p1-nss-keys.patch Patch54: openssh-4.7p1-gssapi-role.patch -Patch55: openssh-4.7p1-cloexec.patch -Patch58: openssh-4.5p1-controlcleanup.patch -Patch59: openssh-4.7p1-master-race.patch +Patch55: openssh-5.1p1-cloexec.patch Patch60: openssh-5.0p1-pam_selinux.patch -Patch61: openssh-5.0p1-unbreakalive.patch Patch62: openssh-3.9p1-scp-manpage.patch License: BSD @@ -229,10 +226,7 @@ an X11 passphrase dialog for OpenSSH. %patch51 -p1 -b .nss-keys %patch54 -p0 -b .gssapi-role %patch55 -p1 -b .cloexec -%patch58 -p1 -b .controlcleanup -%patch59 -p1 -b .master-race %patch60 -p1 -b .pam_selinux -%patch61 -p0 -b .unbreakalive %patch62 -p0 -b .manpage autoreconf @@ -423,7 +417,7 @@ fi %files %defattr(-,root,root) -%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* RFC* TODO WARNING* +%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW PROTOCOL* README* TODO WARNING* %attr(0755,root,root) %dir %{_sysconfdir}/ssh %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli %if ! %{rescue} 
@@ -468,6 +462,7 @@ fi %attr(0755,root,root) %{_sbindir}/sshd %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server %attr(0644,root,root) %{_mandir}/man5/sshd_config.5* +%attr(0644,root,root) %{_mandir}/man5/moduli.5* %attr(0644,root,root) %{_mandir}/man8/sshd.8* %attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config @@ -484,6 +479,11 @@ fi %endif %changelog +* Wed Jul 23 2008 Tomas Mraz - 5.1p1-1 +- upgrade to new upstream release +- fixed a problem with public key authentication and explicitely + specified SELinux role + * Wed May 21 2008 Tomas Mraz - 5.0p1-3 - pass the connection socket to ssh-keysign (#447680) diff --git a/sources b/sources index dcc3173..eda40d2 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -e39c15a5fb9036bd64256c78a6fbf394 openssh-5.0p1-noacss.tar.bz2 +5273579190b10f53baaf87f3c6eb0d73 openssh-5.1p1-noacss.tar.bz2