diff --git a/.cvsignore b/.cvsignore
index d077494..b99eac3 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-openssh-4.3p2-noacss.tar.bz2
+openssh-4.5p1-noacss.tar.bz2
diff --git a/openssh-4.5p1-audit.patch b/openssh-4.5p1-audit.patch
new file mode 100644
index 0000000..9b148e4
--- /dev/null
+++ b/openssh-4.5p1-audit.patch
@@ -0,0 +1,186 @@ +--- openssh-4.5p1/loginrec.c.audit 2006-09-07 14:57:54.000000000 +0200 ++++ openssh-4.5p1/loginrec.c 2006-12-21 12:17:35.000000000 +0100 +@@ -175,6 +175,10 @@ + #include "auth.h" + #include "buffer.h" + ++#ifdef HAVE_LINUX_AUDIT ++# include ++#endif ++ + #ifdef HAVE_UTIL_H + # include + #endif +@@ -201,6 +205,9 @@ + int utmpx_write_entry(struct logininfo *li); + int wtmp_write_entry(struct logininfo *li); + int wtmpx_write_entry(struct logininfo *li); ++#ifdef HAVE_LINUX_AUDIT ++int linux_audit_write_entry(struct logininfo *li); ++#endif + int lastlog_write_entry(struct logininfo *li); + int syslogin_write_entry(struct logininfo *li); + +@@ -439,6 +446,10 @@ + + /* set the timestamp */ + login_set_current_time(li); ++#ifdef HAVE_LINUX_AUDIT ++ if (linux_audit_write_entry(li) == 0) ++ fatal("linux_audit_write_entry failed: %s", strerror(errno)); ++#endif + #ifdef USE_LOGIN + syslogin_write_entry(li); + #endif +@@ -1393,6 +1404,51 @@ + } + #endif /* USE_WTMPX */ + ++#ifdef HAVE_LINUX_AUDIT ++int ++linux_audit_record_event(int uid, const char *username, ++ const char *hostname, const char *ip, const char *ttyn, int success) ++{ ++ char buf[64]; ++ int audit_fd, rc; ++ ++ audit_fd = audit_open(); ++ if (audit_fd < 0) { ++ if (errno == EINVAL || errno == EPROTONOSUPPORT || ++ errno == EAFNOSUPPORT) ++ return 1; /* No audit support in kernel */ ++ else ++ return 0; /* Must prevent login */ ++ } ++ if (username == NULL) ++ snprintf(buf, sizeof(buf), "uid=%d", uid); ++ else ++ snprintf(buf, sizeof(buf), "acct=%s", username); ++ rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN, ++ buf, hostname, ip, ttyn, success); ++ close(audit_fd); ++ if (rc >= 0) ++ return 1; ++ else ++ return 0; ++} ++ ++int ++linux_audit_write_entry(struct logininfo *li) ++{ ++ switch(li->type) { ++ case LTYPE_LOGIN: ++ return (linux_audit_record_event(li->uid, NULL, li->hostname, ++ NULL, li->line, 1)); ++ case LTYPE_LOGOUT: ++ return (1); /* We only care about logins */ ++ 
default: ++ logit("%s: invalid type field", __func__); ++ return (0); ++ } ++} ++#endif /* HAVE_LINUX_AUDIT */ ++ + /** + ** Low-level libutil login() functions + **/ +--- openssh-4.5p1/loginrec.h.audit 2006-08-05 04:39:40.000000000 +0200 ++++ openssh-4.5p1/loginrec.h 2006-12-21 12:17:35.000000000 +0100 +@@ -127,5 +127,9 @@ + char *line_abbrevname(char *dst, const char *src, int dstsize); + + void record_failed_login(const char *, const char *, const char *); ++#ifdef HAVE_LINUX_AUDIT ++int linux_audit_record_event(int uid, const char *username, ++ const char *hostname, const char *ip, const char *ttyn, int success); ++#endif /* HAVE_LINUX_AUDIT */ + + #endif /* _HAVE_LOGINREC_H_ */ +--- openssh-4.5p1/Makefile.in.audit 2006-10-23 23:44:47.000000000 +0200 ++++ openssh-4.5p1/Makefile.in 2006-12-21 12:19:39.000000000 +0100 +@@ -45,6 +45,7 @@ + CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ + LIBS=@LIBS@ + LIBSELINUX=@LIBSELINUX@ ++LIBAUDIT=@LIBAUDIT@ + SSHDLIBS=@SSHDLIBS@ + LIBEDIT=@LIBEDIT@ + LIBPAM=@LIBPAM@ +@@ -139,7 +140,7 @@ + $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + + sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) +- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(SSHDLIBS) $(LIBS) ++ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(SSHDLIBS) $(LIBS) + + scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o + $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +--- openssh-4.5p1/config.h.in.audit 2006-11-07 14:07:01.000000000 +0100 ++++ openssh-4.5p1/config.h.in 2006-12-21 12:17:35.000000000 +0100 +@@ -1305,6 +1305,9 @@ + /* Define if you want SELinux support. */ + #undef WITH_SELINUX + ++/* Define if you want Linux audit support. 
*/ ++#undef HAVE_LINUX_AUDIT ++ + /* Define to 1 if your processor stores words with the most significant byte + first (like Motorola and SPARC, unlike Intel and VAX). */ + #undef WORDS_BIGENDIAN +--- openssh-4.5p1/configure.ac.audit 2006-12-21 12:17:34.000000000 +0100 ++++ openssh-4.5p1/configure.ac 2006-12-21 12:17:35.000000000 +0100 +@@ -3161,6 +3161,20 @@ + ) + AC_SUBST(LIBSELINUX) + ++# Check whether user wants Linux audit support ++LINUX_AUDIT_MSG="no" ++LIBAUDIT="" ++AC_ARG_WITH(linux-audit, ++ [ --with-linux-audit Enable Linux audit support], ++ [ if test "x$withval" != "xno" ; then ++ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.]) ++ LINUX_AUDIT_MSG="yes" ++ AC_CHECK_HEADERS(libaudit.h) ++ LIBAUDIT="-laudit" ++ fi ++ ]) ++AC_SUBST(LIBAUDIT) ++ + # Check whether user wants Kerberos 5 support + KRB5_MSG="no" + AC_ARG_WITH(kerberos5, +@@ -3982,6 +3996,7 @@ + echo " OSF SIA support: $SIA_MSG" + echo " KerberosV support: $KRB5_MSG" + echo " SELinux support: $SELINUX_MSG" ++echo " Linux audit support: $LINUX_AUDIT_MSG" + echo " Smartcard support: $SCARD_MSG" + echo " S/KEY support: $SKEY_MSG" + echo " TCP Wrappers support: $TCPW_MSG" +--- openssh-4.5p1/auth.c.audit 2006-10-27 17:10:16.000000000 +0200 ++++ openssh-4.5p1/auth.c 2006-12-21 12:17:35.000000000 +0100 +@@ -286,6 +286,12 @@ + get_canonical_hostname(options.use_dns), "ssh", &loginmsg); + # endif + #endif ++#if HAVE_LINUX_AUDIT ++ if (authenticated == 0 && !authctxt->postponed) { ++ linux_audit_record_event(-1, authctxt->user, NULL, ++ get_remote_ipaddr(), "sshd", 0); ++ } ++#endif + #ifdef SSH_AUDIT_EVENTS + if (authenticated == 0 && !authctxt->postponed) + audit_event(audit_classify_auth(method)); +@@ -492,6 +498,10 @@ + record_failed_login(user, + get_canonical_hostname(options.use_dns), "ssh"); + #endif ++#ifdef HAVE_LINUX_AUDIT ++ linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(), ++ "sshd", 0); ++#endif + #ifdef SSH_AUDIT_EVENTS + audit_event(SSH_INVALID_USER); + 
#endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-4.5p1-redhat.patch b/openssh-4.5p1-redhat.patch
new file mode 100644
index 0000000..2d10fa6
--- /dev/null
+++ b/openssh-4.5p1-redhat.patch
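Review bot: In `linux_audit_record_event` the `close(audit_fd)` that runs between a failed `audit_log_user_message` and the `return 0` may clobber errno, yet the one caller that treats 0 as fatal, `login_write` in loginrec.c, reports `strerror(errno)` — so the fatal message can describe the close rather than the audit write; save it across the close, `int saved_errno = errno; close(audit_fd); errno = saved_errno;`. Two smaller points: the first auth.c hunk tests `#if HAVE_LINUX_AUDIT` while every other site uses `#ifdef HAVE_LINUX_AUDIT` (it works only because configure defines the macro to 1, and -Wundef will warn), and on the failed-login path the name written into the 64-byte `acct=` buffer is client-supplied, so long or unusual names are silently truncated by snprintf — where the targeted libaudit provides `audit_log_acct_message`, it takes the account name as its own argument and handles its encoding. The failed-login calls in auth.c also discard the return value, so a broken audit subsystem is fatal for successful logins but silent for failures; if that asymmetry is intended, a comment at the `fatal(...)` call in loginrec.c saying so would help the next reader.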
@@ -0,0 +1,99 @@ +--- openssh-4.5p1/sshd_config.0.redhat 2006-11-07 14:07:28.000000000 +0100 ++++ openssh-4.5p1/sshd_config.0 2006-12-20 22:04:16.000000000 +0100 +@@ -430,9 +430,9 @@ + + SyslogFacility + Gives the facility code that is used when logging messages from +- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, +- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de- +- fault is AUTH. ++ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV, ++ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. ++ The default is AUTH. + + TCPKeepAlive + Specifies whether the system should send TCP keepalive messages +--- openssh-4.5p1/sshd_config.redhat 2006-07-24 06:06:47.000000000 +0200 ++++ openssh-4.5p1/sshd_config 2006-12-20 21:59:15.000000000 +0100 +@@ -12,6 +12,7 @@ + + #Port 22 + #Protocol 2,1 ++Protocol 2 + #AddressFamily any + #ListenAddress 0.0.0.0 + #ListenAddress :: +@@ -29,6 +30,7 @@ + # Logging + # obsoletes QuietMode and FascistLogging + #SyslogFacility AUTH ++SyslogFacility AUTHPRIV + #LogLevel INFO + + # Authentication: +@@ -55,9 +57,11 @@ + # To disable tunneled clear text passwords, change to no here! + #PasswordAuthentication yes + #PermitEmptyPasswords no ++PasswordAuthentication yes + + # Change to no to disable s/key passwords + #ChallengeResponseAuthentication yes ++ChallengeResponseAuthentication no + + # Kerberos options + #KerberosAuthentication no +@@ -67,7 +71,9 @@ + + # GSSAPI options + #GSSAPIAuthentication no ++GSSAPIAuthentication yes + #GSSAPICleanupCredentials yes ++GSSAPICleanupCredentials yes + + # Set this to 'yes' to enable PAM authentication, account processing, + # and session processing. If this is enabled, PAM authentication will +@@ -79,10 +85,16 @@ + # PAM authentication, then enable this but set PasswordAuthentication + # and ChallengeResponseAuthentication to 'no'. 
+ #UsePAM no ++UsePAM yes + ++# Accept locale-related environment variables ++AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES ++AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT ++AcceptEnv LC_IDENTIFICATION LC_ALL + #AllowTcpForwarding yes + #GatewayPorts no + #X11Forwarding no ++X11Forwarding yes + #X11DisplayOffset 10 + #X11UseLocalhost yes + #PrintMotd yes +--- openssh-4.5p1/ssh_config.redhat 2006-06-13 05:01:10.000000000 +0200 ++++ openssh-4.5p1/ssh_config 2006-12-20 21:59:15.000000000 +0100 +@@ -42,3 +42,13 @@ + # Tunnel no + # TunnelDevice any:any + # PermitLocalCommand no ++Host * ++ GSSAPIAuthentication yes ++# If this option is set to yes then remote X11 clients will have full access ++# to the original X11 display. As virtually no X11 client supports the untrusted ++# mode correctly we set this to yes. ++ ForwardX11Trusted yes ++# Send locale-related environment variables ++ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES ++ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT ++ SendEnv LC_IDENTIFICATION LC_ALL +--- openssh-4.5p1/sshd_config.5.redhat 2006-08-30 03:06:34.000000000 +0200 ++++ openssh-4.5p1/sshd_config.5 2006-12-20 22:05:18.000000000 +0100 +@@ -740,7 +740,7 @@ + .It Cm SyslogFacility + Gives the facility code that is used when logging messages from + .Xr sshd 8 . +-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, ++The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2, + LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. + The default is AUTH. + .It Cm TCPKeepAlive diff --git a/openssh-4.5p1-selinux.patch b/openssh-4.5p1-selinux.patch new file mode 100644 index 0000000..54fffe7 --- /dev/null +++ b/openssh-4.5p1-selinux.patch 
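Review bot: `X11Forwarding yes` in the sshd_config hunk overrides the upstream default of `no` without any explanation, whereas the ssh_config hunk documents why `ForwardX11Trusted yes` is chosen; a one-line comment above it, e.g. `# X11 forwarding is enabled by default in this distribution; set to no on hosts that do not need it`, lets administrators judge the trade-off the same way. The `Host *` block appended to ssh_config sets options for every destination, and because ssh_config uses the first obtained value for each option, any `Host` entry an administrator later adds below it cannot override those settings — a comment stating that per-host entries belong above this block would prevent that surprise.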
@@ -0,0 +1,255 @@ +--- openssh-4.5p1/auth.h.selinux 2006-08-18 16:32:46.000000000 +0200 ++++ openssh-4.5p1/auth.h 2006-12-20 22:10:48.000000000 +0100 +@@ -58,6 +58,7 @@ + char *service; + struct passwd *pw; /* set if 'valid' */ + char *style; ++ char *role; + void *kbdintctxt; + #ifdef BSD_AUTH + auth_session_t *as; +--- openssh-4.5p1/auth1.c.selinux 2006-12-20 22:10:35.000000000 +0100 ++++ openssh-4.5p1/auth1.c 2006-12-20 22:10:48.000000000 +0100 +@@ -388,7 +388,7 @@ + do_authentication(Authctxt *authctxt) + { + u_int ulen; +- char *user, *style = NULL; ++ char *user, *style = NULL, *role=NULL; + + /* Get the name of the user that we wish to log in as. */ + packet_read_expect(SSH_CMSG_USER); +@@ -397,11 +397,19 @@ + user = packet_get_string(&ulen); + packet_check_eom(); + ++ if ((role = strchr(user, '/')) != NULL) ++ *role++ = '\0'; ++ + if ((style = strchr(user, ':')) != NULL) + *style++ = '\0'; ++ else ++ if (role && (style = strchr(role, ':')) != NULL) ++ *style++ = '\0'; ++ + + authctxt->user = user; + authctxt->style = style; ++ authctxt->role = role; + + /* Verify that the user is a valid user. 
*/ + if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) +--- openssh-4.5p1/monitor.c.selinux 2006-11-07 13:16:08.000000000 +0100 ++++ openssh-4.5p1/monitor.c 2006-12-20 22:10:48.000000000 +0100 +@@ -133,6 +133,7 @@ + int mm_answer_pwnamallow(int, Buffer *); + int mm_answer_auth2_read_banner(int, Buffer *); + int mm_answer_authserv(int, Buffer *); ++int mm_answer_authrole(int, Buffer *); + int mm_answer_authpassword(int, Buffer *); + int mm_answer_bsdauthquery(int, Buffer *); + int mm_answer_bsdauthrespond(int, Buffer *); +@@ -204,6 +205,7 @@ + {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, + {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, + {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, ++ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole}, + {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, + {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, + #ifdef USE_PAM +@@ -653,6 +655,7 @@ + else { + /* Allow service/style information on the auth context */ + monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); ++ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); + } + +@@ -698,6 +701,23 @@ + } + + int ++mm_answer_authrole(int sock, Buffer *m) ++{ ++ monitor_permit_authentications(1); ++ ++ authctxt->role = buffer_get_string(m, NULL); ++ debug3("%s: role=%s", ++ __func__, authctxt->role); ++ ++ if (strlen(authctxt->role) == 0) { ++ xfree(authctxt->role); ++ authctxt->role = NULL; ++ } ++ ++ return (0); ++} ++ ++int + mm_answer_authpassword(int sock, Buffer *m) + { + static int call_count; +--- openssh-4.5p1/openbsd-compat/port-linux.c.selinux 2006-09-01 07:38:41.000000000 +0200 ++++ openssh-4.5p1/openbsd-compat/port-linux.c 2006-12-21 12:15:59.000000000 +0100 +@@ -30,11 +30,16 @@ + #ifdef WITH_SELINUX + #include "log.h" + #include "port-linux.h" ++#include "key.h" ++#include "hostfile.h" ++#include "auth.h" + + #include + #include + #include + 
++extern Authctxt *the_authctxt; ++ + /* Wrapper around is_selinux_enabled() to log its return value once only */ + static int + ssh_selinux_enabled(void) +@@ -53,23 +58,36 @@ + static security_context_t + ssh_selinux_getctxbyname(char *pwname) + { +- security_context_t sc; +- char *sename = NULL, *lvl = NULL; +- int r; ++ security_context_t sc = NULL; ++ char *sename, *lvl; ++ char *role = NULL; ++ int r = 0; + ++ if (the_authctxt) ++ role=the_authctxt->role; + #ifdef HAVE_GETSEUSERBYNAME +- if (getseuserbyname(pwname, &sename, &lvl) != 0) +- return NULL; ++ if (r=getseuserbyname(pwname, &sename, &lvl) != 0) { ++ sename = NULL; ++ lvl = NULL; ++ } + #else + sename = pwname; + lvl = NULL; + #endif + ++ if (r == 0) { + #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL +- r = get_default_context_with_level(sename, lvl, NULL, &sc); ++ if (role != NULL && role[0]) ++ r = get_default_context_with_rolelevel(sename, role, lvl, NULL, &sc); ++ else ++ r = get_default_context_with_level(sename, lvl, NULL, &sc); + #else +- r = get_default_context(sename, NULL, &sc); ++ if (role != NULL && role[0]) ++ r = get_default_context_with_role(sename, role, NULL, &sc); ++ else ++ r = get_default_context(sename, NULL, &sc); + #endif ++ } + + if (r != 0) { + switch (security_getenforce()) { +--- openssh-4.5p1/configure.ac.selinux 2006-12-20 22:10:35.000000000 +0100 ++++ openssh-4.5p1/configure.ac 2006-12-21 11:18:48.000000000 +0100 +@@ -3137,8 +3137,16 @@ + SELINUX_MSG="no" + LIBSELINUX="" + AC_ARG_WITH(selinux, +- [ --with-selinux Enable SELinux support], ++ [ --with-selinux[[=LIBSELINUX-PATH]] Enable SELinux support], + [ if test "x$withval" != "xno" ; then ++ if test "x$withval" != "xyes"; then ++ CPPFLAGS="$CPPFLAGS -I${withval}/include" ++ if test -n "${need_dash_r}"; then ++ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" ++ else ++ LDFLAGS="-L${withval}/lib ${LDFLAGS}" ++ fi ++ fi + AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.]) + SELINUX_MSG="yes" + 
AC_CHECK_HEADER([selinux/selinux.h], , +--- openssh-4.5p1/auth2.c.selinux 2006-08-05 04:39:39.000000000 +0200 ++++ openssh-4.5p1/auth2.c 2006-12-20 22:10:48.000000000 +0100 +@@ -145,7 +145,7 @@ + { + Authctxt *authctxt = ctxt; + Authmethod *m = NULL; +- char *user, *service, *method, *style = NULL; ++ char *user, *service, *method, *style = NULL, *role = NULL; + int authenticated = 0; + + if (authctxt == NULL) +@@ -157,6 +157,9 @@ + debug("userauth-request for user %s service %s method %s", user, service, method); + debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); + ++ if ((role = strchr(user, '/')) != NULL) ++ *role++ = 0; ++ + if ((style = strchr(user, ':')) != NULL) + *style++ = 0; + +@@ -182,8 +185,11 @@ + use_privsep ? " [net]" : ""); + authctxt->service = xstrdup(service); + authctxt->style = style ? xstrdup(style) : NULL; +- if (use_privsep) ++ authctxt->role = role ? xstrdup(role) : NULL; ++ if (use_privsep) { + mm_inform_authserv(service, style); ++ mm_inform_authrole(role); ++ } + } else if (strcmp(user, authctxt->user) != 0 || + strcmp(service, authctxt->service) != 0) { + packet_disconnect("Change of username or service not allowed: " +--- openssh-4.5p1/monitor_wrap.h.selinux 2006-08-05 04:39:40.000000000 +0200 ++++ openssh-4.5p1/monitor_wrap.h 2006-12-20 22:10:48.000000000 +0100 +@@ -41,6 +41,7 @@ + DH *mm_choose_dh(int, int, int); + int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); + void mm_inform_authserv(char *, char *); ++void mm_inform_authrole(char *); + struct passwd *mm_getpwnamallow(const char *); + char *mm_auth2_read_banner(void); + int mm_auth_password(struct Authctxt *, char *); +--- openssh-4.5p1/monitor_wrap.c.selinux 2006-09-01 07:38:37.000000000 +0200 ++++ openssh-4.5p1/monitor_wrap.c 2006-12-20 22:10:48.000000000 +0100 +@@ -282,6 +282,23 @@ + buffer_free(&m); + } + ++/* Inform the privileged process about role */ ++ ++void ++mm_inform_authrole(char *role) ++{ ++ Buffer m; ++ ++ debug3("%s entering", 
__func__); ++ ++ buffer_init(&m); ++ buffer_put_cstring(&m, role ? role : ""); ++ ++ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m); ++ ++ buffer_free(&m); ++} ++ + /* Do the password authentication */ + int + mm_auth_password(Authctxt *authctxt, char *password) +--- openssh-4.5p1/monitor.h.selinux 2006-03-26 05:30:02.000000000 +0200 ++++ openssh-4.5p1/monitor.h 2006-12-20 22:10:35.000000000 +0100 +@@ -30,7 +30,7 @@ + + enum monitor_reqtype { + MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, +- MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, ++ MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE, + MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, + MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, + MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, diff --git a/openssh-4.5p1-vendor.patch b/openssh-4.5p1-vendor.patch new file mode 100644 index 0000000..e06008a --- /dev/null +++ b/openssh-4.5p1-vendor.patch 
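Review bot: `if (r=getseuserbyname(pwname, &sename, &lvl) != 0) {` in `ssh_selinux_getctxbyname` (port-linux.c) binds as `r = (getseuserbyname(...) != 0)`, so r holds 0 or 1 rather than the library's return value; the later `if (r == 0)` and `if (r != 0)` tests still happen to work, but the intent reads wrong and -Wparentheses will warn — write `if ((r = getseuserbyname(pwname, &sename, &lvl)) != 0) {`. The role string handed to `get_default_context_with_rolelevel` comes straight from the client-chosen user name (split at `/` in auth1.c and auth2.c) and, apart from the `role[0]` check, nothing in these hunks validates it, so the design rests on libselinux restricting the returned context to the seuser's permitted list; a comment at `role=the_authctxt->role;` stating that reliance would help, as would validating the role in the monitor rather than only in the compat layer. In monitor.h, `MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE,` lacks the space after the comma used elsewhere in the enum. The enclosing function of the port-linux.c hunk continues outside it.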
@@ -0,0 +1,143 @@ +--- openssh-4.5p1/servconf.h.vendor 2006-08-18 16:23:15.000000000 +0200 ++++ openssh-4.5p1/servconf.h 2006-12-20 22:06:27.000000000 +0100 +@@ -120,6 +120,7 @@ + int max_startups; + int max_authtries; + char *banner; /* SSH-2 banner message */ ++ int show_patchlevel; /* Show vendor patch level to clients */ + int use_dns; + int client_alive_interval; /* + * poke the client this often to +--- openssh-4.5p1/sshd_config.vendor 2006-12-20 22:06:27.000000000 +0100 ++++ openssh-4.5p1/sshd_config 2006-12-20 22:06:27.000000000 +0100 +@@ -106,6 +106,7 @@ + #Compression delayed + #ClientAliveInterval 0 + #ClientAliveCountMax 3 ++#ShowPatchLevel no + #UseDNS yes + #PidFile /var/run/sshd.pid + #MaxStartups 10 +--- openssh-4.5p1/sshd.c.vendor 2006-11-07 13:14:42.000000000 +0100 ++++ openssh-4.5p1/sshd.c 2006-12-20 22:06:27.000000000 +0100 +@@ -418,7 +418,8 @@ + major = PROTOCOL_MAJOR_1; + minor = PROTOCOL_MINOR_1; + } +- snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION); ++ snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, ++ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION); + server_version_string = xstrdup(buf); + + /* Send our protocol version identification. */ +@@ -1429,7 +1430,8 @@ + exit(1); + } + +- debug("sshd version %.100s", SSH_RELEASE); ++ debug("sshd version %.100s", ++ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE); + + /* Store privilege separation user for later use if required. 
*/ + if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) { +--- openssh-4.5p1/configure.ac.vendor 2006-12-20 22:06:27.000000000 +0100 ++++ openssh-4.5p1/configure.ac 2006-12-20 22:06:27.000000000 +0100 +@@ -3729,6 +3729,12 @@ + fi + ] + ) ++AC_ARG_ENABLE(vendor-patchlevel, ++ [ --enable-vendor-patchlevel=TAG specify a vendor patch level], ++ [AC_DEFINE_UNQUOTED(SSH_VENDOR_PATCHLEVEL,[SSH_RELEASE "-" "$enableval"],[Define to your vendor patch level, if it has been modified from the upstream source release.]) ++ SSH_VENDOR_PATCHLEVEL="$enableval"], ++ [AC_DEFINE(SSH_VENDOR_PATCHLEVEL,SSH_RELEASE,[Define to your vendor patch level, if it has been modified from the upstream source release.]) ++ SSH_VENDOR_PATCHLEVEL=none]) + + dnl lastlog, [uw]tmpx? detection + dnl NOTE: set the paths in the platform section to avoid the +@@ -3978,6 +3984,7 @@ + echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" + echo " BSD Auth support: $BSD_AUTH_MSG" + echo " Random number source: $RAND_MSG" ++echo " Vendor patch level: $SSH_VENDOR_PATCHLEVEL" + if test ! -z "$USE_RAND_HELPER" ; then + echo " ssh-rand-helper collects from: $RAND_HELPER_MSG" + fi +--- openssh-4.5p1/sshd_config.0.vendor 2006-12-20 22:06:27.000000000 +0100 ++++ openssh-4.5p1/sshd_config.0 2006-12-20 22:06:27.000000000 +0100 +@@ -413,6 +413,11 @@ + Defines the number of bits in the ephemeral protocol version 1 + server key. The minimum value is 512, and the default is 768. + ++ ShowPatchLevel ++ Specifies whether sshd will display the specific patch level of ++ the binary in the server identification string. The patch level ++ is set at compile-time. The default is M-bM-^@M-^\noM-bM-^@M-^]. ++ + StrictModes + Specifies whether sshd(8) should check file modes and ownership + of the user's files and home directory before accepting login. 
+--- openssh-4.5p1/servconf.c.vendor 2006-08-18 16:23:15.000000000 +0200 ++++ openssh-4.5p1/servconf.c 2006-12-20 22:08:41.000000000 +0100 +@@ -113,6 +113,7 @@ + options->max_startups = -1; + options->max_authtries = -1; + options->banner = NULL; ++ options->show_patchlevel = -1; + options->use_dns = -1; + options->client_alive_interval = -1; + options->client_alive_count_max = -1; +@@ -250,6 +251,9 @@ + if (options->permit_tun == -1) + options->permit_tun = SSH_TUNMODE_NO; + ++ if (options->show_patchlevel == -1) ++ options->show_patchlevel = 0; ++ + /* Turn privilege separation on by default */ + if (use_privsep == -1) + use_privsep = 1; +@@ -293,6 +297,7 @@ + sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, + sMatch, sPermitOpen, sForceCommand, + sUsePrivilegeSeparation, ++ sShowPatchLevel, + sDeprecated, sUnsupported + } ServerOpCodes; + +@@ -390,6 +395,7 @@ + { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, + { "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL }, + { "banner", sBanner, SSHCFG_GLOBAL }, ++ { "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL }, + { "usedns", sUseDNS, SSHCFG_GLOBAL }, + { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, + { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, +@@ -1006,6 +1012,10 @@ + intptr = &use_privsep; + goto parse_flag; + ++ case sShowPatchLevel: ++ intptr = &options->show_patchlevel; ++ goto parse_flag; ++ + case sAllowUsers: + while ((arg = strdelim(&cp)) && *arg != '\0') { + if (options->num_allow_users >= MAX_ALLOW_USERS) +--- openssh-4.5p1/sshd_config.5.vendor 2006-12-20 22:06:27.000000000 +0100 ++++ openssh-4.5p1/sshd_config.5 2006-12-20 22:06:27.000000000 +0100 +@@ -717,6 +717,14 @@ + .It Cm ServerKeyBits + Defines the number of bits in the ephemeral protocol version 1 server key. + The minimum value is 512, and the default is 768. ++.It Cm ShowPatchLevel ++Specifies whether ++.Nm sshd ++will display the patch level of the binary in the identification string. 
++The patch level is set at compile-time.
++The default is
++.Dq no .
++This option applies to protocol version 1 only.
+ .It Cm StrictModes
+ Specifies whether
+ .Xr sshd 8
diff --git a/openssh.spec b/openssh.spec
index fde0792..833d9cb 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -60,8 +60,8 @@
 Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
 Name: openssh
-Version: 4.3p2
-Release: 14%{?dist}%{?rescue_rel}
+Version: 4.5p1
+Release: 1%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig
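Review bot: The sshd_config.5 sentence added at the end of the hunk, `This option applies to protocol version 1 only.`, does not match the code: in sshd.c the `show_patchlevel` substitution sits in the `snprintf` that builds `server_version_string` after the major/minor selection, so the vendor tag is sent to protocol 2 clients as well, and the parallel sshd_config.0 text omits the sentence entirely. Drop it, or reword to `The patch level is included in the identification string for both protocol versions.`. Since the option turns a build-time tag into something any unauthenticated client can read, the man page could also state that it defaults to no so that the patch level is not disclosed unless an administrator opts in. The two identical ternaries in sshd.c could share one `const char *version = ...` so they cannot drift apart.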
@@ -69,34 +69,23 @@ URL: http://www.openssh.com/portable.html
 # removes the ACSS cipher.
 Source0: openssh-%{version}-noacss.tar.bz2
 Source1: openssh-nukeacss.sh
-Patch0: openssh-4.3p1-redhat.patch
+Patch0: openssh-4.5p1-redhat.patch
 Patch2: openssh-3.8.1p1-skip-initial.patch
 Patch3: openssh-3.8.1p1-krb5-config.patch
-Patch4: openssh-4.3p1-vendor.patch
+Patch4: openssh-4.5p1-vendor.patch
 Patch5: openssh-4.3p2-initscript.patch
-Patch12: openssh-selinux.patch
-Patch16: openssh-4.3p1-audit.patch
-Patch20: openssh-3.9p1-gssapimitm.patch
+Patch12: openssh-4.5p1-selinux.patch
+Patch16: openssh-4.5p1-audit.patch
 Patch22: openssh-3.9p1-askpass-keep-above.patch
-Patch23: openssh-3.9p1-no-log-signal.patch
 Patch24: openssh-4.3p1-fromto-remote.patch
-Patch25: openssh-4.3p2-scp-print-err.patch
 Patch26: openssh-4.2p1-pam-no-stack.patch
 Patch27: openssh-3.9p1-log-in-chroot.patch
 Patch30: openssh-4.0p1-exit-deadlock.patch
 Patch31: openssh-3.9p1-skip-used.patch
 Patch35: openssh-4.2p1-askpass-progress.patch
-Patch36: openssh-4.3p2-buffer-len.patch
-Patch37: openssh-4.3p2-configure-typo.patch
 Patch38: openssh-4.3p2-askpass-grab-info.patch
 Patch39: openssh-4.3p2-no-v6only.patch
-Patch40: openssh-4.3p2-coverity-memleaks.patch
-Patch41: openssh-4.3p2-gssapi-no-spnego.patch
-Patch42: openssh-4.3p2-no-dup-logs.patch
 Patch44: openssh-4.3p2-allow-ip-opts.patch
-Patch45: openssh-4.3p2-cve-2006-4924.patch
-Patch46: openssh-3.9p1-cve-2006-5051.patch
-Patch47: openssh-4.3p2-cve-2006-5794.patch
 Patch48: openssh-4.3p2-pam-session.patch
 Patch49: openssh-4.3p2-gssapi-canohost.patch
 License: BSD
@@ -212,27 +201,16 @@ an X11 passphrase dialog for OpenSSH.
 %patch16 -p1 -b .audit
 %endif
-#%patch20 -p0 -b .gssapimitm
 %patch22 -p1 -b .keep-above
-%patch23 -p1 -b .signal
 %patch24 -p1 -b .fromto-remote
-%patch25 -p1 -b .print-err
 %patch26 -p1 -b .stack
 %patch27 -p1 -b .log-chroot
 %patch30 -p1 -b .exit-deadlock
 %patch31 -p1 -b .skip-used
 %patch35 -p1 -b .progress
-%patch36 -p0 -b .buffer-len
-%patch37 -p1 -b .typo
 %patch38 -p1 -b .grab-info
 %patch39 -p1 -b .no-v6only
-%patch40 -p1 -b .memleaks
-%patch41 -p1 -b .no-spnego
-%patch42 -p1 -b .no-dups
 %patch44 -p1 -b .ip-opts
-%patch45 -p1 -b .deattack-dos
-%patch46 -p1 -b .sig-no-cleanup
-%patch47 -p1 -b .verify
 %patch48 -p1 -b .pam-sesssion
 %patch49 -p1 -b .canohost
@@ -393,10 +371,10 @@ fi
 %pre server
 %if %{nologin}
-/usr/sbin/useradd -c "Privilege-separated SSH" -u 74 \
+/usr/sbin/useradd -c "Privilege-separated SSH" -u %{sshd_uid} \
 -s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
 %else
-/usr/sbin/useradd -c "Privilege-separated SSH" -u 74 \
+/usr/sbin/useradd -c "Privilege-separated SSH" -u %{sshd_uid} \
 -s /dev/null -r -d /var/empty/sshd sshd 2> /dev/null || :
 %endif
@@ -479,6 +457,9 @@ fi
 %endif
 %changelog
+* Thu Dec 21 2006 Tomas Mraz - 4.5p1-1
+- update to 4.5p1 (#212606)
+
 * Thu Nov 30 2006 Tomas Mraz - 4.3p2-14
 - fix gssapi with DNS loadbalanced clusters (#216857)
diff --git a/sources b/sources
index 47e5239..6315519 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-8dcce96be628a67ce992f089d9db81ff openssh-4.3p2-noacss.tar.bz2
+9ef9bf019945105f2ac1760c95c9b339 openssh-4.5p1-noacss.tar.bz2
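Review bot: The changelog entry `- update to 4.5p1 (#212606)` does not record that the patch-list hunk above drops Patch45–Patch47 (CVE-2006-4924, CVE-2006-5051, CVE-2006-5794) along with the other 4.3p2-era fixes, presumably because 4.5p1 carries them upstream; an extra line such as `- drop patches merged upstream (CVE-2006-4924, CVE-2006-5051, CVE-2006-5794 and others)` keeps the package's security history auditable from the changelog alone. In the `%pre server` hunk the new `%{sshd_uid}` macro replaces the literal `74`, but its definition is not in any hunk shown; if it is not defined elsewhere in the spec, rpm passes the text through unexpanded and useradd fails silently behind the `|| :`, so that definition is worth confirming in this commit.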