diff --git a/openssh-5.4p1-redhat.patch b/openssh-5.4p1-redhat.patch deleted file mode 100644 index bd2ad80..0000000 --- a/openssh-5.4p1-redhat.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -diff -up openssh-5.4p1/ssh_config.redhat openssh-5.4p1/ssh_config ---- openssh-5.4p1/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100 -+++ openssh-5.4p1/ssh_config 2010-03-01 15:15:51.000000000 +0100 -@@ -45,3 +45,14 @@ - # PermitLocalCommand no - # VisualHostKey no - # ProxyCommand ssh -q -W %h:%p gateway.example.com -+Host * -+ GSSAPIAuthentication yes -+# If this option is set to yes then remote X11 clients will have full access -+# to the original X11 display. As virtually no X11 client supports the untrusted -+# mode correctly we set this to yes. -+ ForwardX11Trusted yes -+# Send locale-related environment variables -+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT -+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE -+ SendEnv XMODIFIERS -diff -up openssh-5.4p1/sshd_config.0.redhat openssh-5.4p1/sshd_config.0 ---- openssh-5.4p1/sshd_config.0.redhat 2010-03-01 14:30:04.000000000 +0100 -+++ openssh-5.4p1/sshd_config.0 2010-03-01 15:14:13.000000000 +0100 -@@ -501,9 +501,9 @@ DESCRIPTION - - SyslogFacility - Gives the facility code that is used when logging messages from -- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, -- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de- -- fault is AUTH. -+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV, -+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. -+ The default is AUTH. - - TCPKeepAlive - Specifies whether the system should send TCP keepalive messages -diff -up openssh-5.4p1/sshd_config.5.redhat openssh-5.4p1/sshd_config.5 ---- openssh-5.4p1/sshd_config.5.redhat 2010-02-26 21:55:06.000000000 +0100 -+++ openssh-5.4p1/sshd_config.5 2010-03-01 15:14:14.000000000 +0100 -@@ -865,7 +865,7 @@ Note that this option applies to protoco - .It Cm SyslogFacility - Gives the facility code that is used when logging messages from - .Xr sshd 8 . 
--The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, -+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2, - LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. - The default is AUTH. - .It Cm TCPKeepAlive -diff -up openssh-5.4p1/sshd_config.redhat openssh-5.4p1/sshd_config ---- openssh-5.4p1/sshd_config.redhat 2009-10-11 12:51:09.000000000 +0200 -+++ openssh-5.4p1/sshd_config 2010-03-01 15:14:14.000000000 +0100 -@@ -31,6 +31,7 @@ - # Logging - # obsoletes QuietMode and FascistLogging - #SyslogFacility AUTH -+SyslogFacility AUTHPRIV - #LogLevel INFO - - # Authentication: -@@ -58,9 +59,11 @@ - # To disable tunneled clear text passwords, change to no here! - #PasswordAuthentication yes - #PermitEmptyPasswords no -+PasswordAuthentication yes - - # Change to no to disable s/key passwords - #ChallengeResponseAuthentication yes -+ChallengeResponseAuthentication no - - # Kerberos options - #KerberosAuthentication no -@@ -70,7 +73,9 @@ - - # GSSAPI options - #GSSAPIAuthentication no -+GSSAPIAuthentication yes - #GSSAPICleanupCredentials yes -+GSSAPICleanupCredentials yes - - # Set this to 'yes' to enable PAM authentication, account processing, - # and session processing. If this is enabled, PAM authentication will -@@ -82,11 +87,19 @@ - # PAM authentication, then enable this but set PasswordAuthentication - # and ChallengeResponseAuthentication to 'no'. - #UsePAM no -+UsePAM yes -+ -+# Accept locale-related environment variables -+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT -+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE -+AcceptEnv XMODIFIERS - - #AllowAgentForwarding yes - #AllowTcpForwarding yes - #GatewayPorts no - #X11Forwarding no -+X11Forwarding yes - #X11DisplayOffset 10 - #X11UseLocalhost yes - #PrintMotd yes 
diff --git a/openssh-5.6p1-authorized-keys-command.patch b/openssh-5.6p1-authorized-keys-command.patch index 4c9b5b1..3075f34 100644 --- a/openssh-5.6p1-authorized-keys-command.patch +++ b/openssh-5.6p1-authorized-keys-command.patch @@ -1,6 +1,6 @@ diff -up openssh-5.6p1/auth2-pubkey.c.akc openssh-5.6p1/auth2-pubkey.c ---- openssh-5.6p1/auth2-pubkey.c.akc 2010-08-23 12:15:42.000000000 +0200 -+++ openssh-5.6p1/auth2-pubkey.c 2010-08-23 12:15:42.000000000 +0200 +--- openssh-5.6p1/auth2-pubkey.c.akc 2010-09-03 15:24:51.000000000 +0200 ++++ openssh-5.6p1/auth2-pubkey.c 2010-09-03 15:24:51.000000000 +0200 @@ -27,6 +27,7 @@ #include @@ -241,8 +241,8 @@ diff -up openssh-5.6p1/auth2-pubkey.c.akc openssh-5.6p1/auth2-pubkey.c return 0; if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key)) diff -up openssh-5.6p1/configure.ac.akc openssh-5.6p1/configure.ac ---- openssh-5.6p1/configure.ac.akc 2010-08-23 12:15:42.000000000 +0200 -+++ openssh-5.6p1/configure.ac 2010-08-23 12:15:42.000000000 +0200 +--- openssh-5.6p1/configure.ac.akc 2010-09-03 15:24:51.000000000 +0200 ++++ openssh-5.6p1/configure.ac 2010-09-03 15:24:51.000000000 +0200 @@ -1346,6 +1346,18 @@ AC_ARG_WITH(audit, esac ] ) @@ -271,8 +271,8 @@ diff -up openssh-5.6p1/configure.ac.akc openssh-5.6p1/configure.ac echo " libedit support: $LIBEDIT_MSG" echo " Solaris process contract support: $SPC_MSG" diff -up openssh-5.6p1/servconf.c.akc openssh-5.6p1/servconf.c ---- openssh-5.6p1/servconf.c.akc 2010-08-23 12:15:41.000000000 +0200 -+++ openssh-5.6p1/servconf.c 2010-08-23 12:22:22.000000000 +0200 +--- openssh-5.6p1/servconf.c.akc 2010-09-03 15:24:50.000000000 +0200 ++++ openssh-5.6p1/servconf.c 2010-09-03 15:24:51.000000000 +0200 @@ -129,6 +129,8 @@ initialize_server_options(ServerOptions options->num_permitted_opens = -1; options->adm_forced_command = NULL; 
@@ -344,8 +344,8 @@ diff -up openssh-5.6p1/servconf.c.akc openssh-5.6p1/servconf.c /* string arguments requiring a lookup */ dump_cfg_string(sLogLevel, log_level_name(o->log_level)); diff -up openssh-5.6p1/servconf.h.akc openssh-5.6p1/servconf.h ---- openssh-5.6p1/servconf.h.akc 2010-08-23 12:15:41.000000000 +0200 -+++ openssh-5.6p1/servconf.h 2010-08-23 12:17:58.000000000 +0200 +--- openssh-5.6p1/servconf.h.akc 2010-09-03 15:24:50.000000000 +0200 ++++ openssh-5.6p1/servconf.h 2010-09-03 15:24:51.000000000 +0200 @@ -158,6 +158,8 @@ typedef struct { char *revoked_keys_file; char *trusted_user_ca_keys; 
@@ -356,45 +356,45 @@ diff -up openssh-5.6p1/servconf.h.akc openssh-5.6p1/servconf.h void initialize_server_options(ServerOptions *); diff -up openssh-5.6p1/sshd_config.0.akc openssh-5.6p1/sshd_config.0 ---- openssh-5.6p1/sshd_config.0.akc 2010-08-23 12:15:41.000000000 +0200 -+++ openssh-5.6p1/sshd_config.0 2010-08-23 12:25:18.000000000 +0200 -@@ -374,7 +374,8 @@ DESCRIPTION +--- openssh-5.6p1/sshd_config.0.akc 2010-09-03 15:24:50.000000000 +0200 ++++ openssh-5.6p1/sshd_config.0 2010-09-03 15:27:26.000000000 +0200 +@@ -71,6 +71,23 @@ DESCRIPTION - Only a subset of keywords may be used on the lines following a - Match keyword. Available keywords are AllowAgentForwarding, -- AllowTcpForwarding, AuthorizedKeysFile, AuthorizedPrincipalsFile, -+ AllowTcpForwarding, AuthorizedKeysFile, AuthorizedKeysCommand, -+ AuthorizedKeysCommandRunAs, AuthorizedPrincipalsFile, - Banner, ChrootDirectory, ForceCommand, GatewayPorts, - GSSAPIAuthentication, HostbasedAuthentication, - HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication, -@@ -496,6 +497,23 @@ DESCRIPTION - this file is not readable, then public key authentication will be - refused for all users. + See PATTERNS in ssh_config(5) for more information on patterns. + AuthorizedKeysCommand + + Specifies a program to be used for lookup of the user's -+ public keys. The program will be invoked with its first -+ argument the name of the user being authorized, and should produce -+ on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS -+ in sshd(8)). By default (or when set to the empty string) there is no -+ AuthorizedKeysCommand run. If the AuthorizedKeysCommand does not successfully -+ authorize the user, authorization falls through to the -+ AuthorizedKeysFile. Note that this option has an effect -+ only with PubkeyAuthentication turned on. ++ public keys. 
The program will be invoked with its first ++ argument the name of the user being authorized, and should produce ++ on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS ++ in sshd(8)). By default (or when set to the empty string) there is no ++ AuthorizedKeysCommand run. If the AuthorizedKeysCommand does not successfully ++ authorize the user, authorization falls through to the ++ AuthorizedKeysFile. Note that this option has an effect ++ only with PubkeyAuthentication turned on. + + AuthorizedKeysCommandRunAs + Specifies the user under whose account the AuthorizedKeysCommand is run. + Empty string (the default value) means the user being authorized + is used. + - RhostsRSAAuthentication - Specifies whether rhosts or /etc/hosts.equiv authentication to- - gether with successful RSA host authentication is allowed. The + AuthorizedKeysFile + Specifies the file that contains the public keys that can be used + for user authentication. The format is described in the +@@ -375,7 +392,8 @@ DESCRIPTION + + Only a subset of keywords may be used on the lines following a + Match keyword. Available keywords are AllowAgentForwarding, +- AllowTcpForwarding, AuthorizedKeysFile, AuthorizedPrincipalsFile, ++ AllowTcpForwarding, AuthorizedKeysFile, AuthorizedKeysCommand, ++ AuthorizedKeysCommandRunAs, AuthorizedPrincipalsFile, + Banner, ChrootDirectory, ForceCommand, GatewayPorts, + GSSAPIAuthentication, HostbasedAuthentication, + HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication, diff -up openssh-5.6p1/sshd_config.5.akc openssh-5.6p1/sshd_config.5 ---- openssh-5.6p1/sshd_config.5.akc 2010-08-23 12:15:41.000000000 +0200 -+++ openssh-5.6p1/sshd_config.5 2010-08-23 12:25:46.000000000 +0200 +--- openssh-5.6p1/sshd_config.5.akc 2010-09-03 15:24:50.000000000 +0200 ++++ openssh-5.6p1/sshd_config.5 2010-09-03 15:24:51.000000000 +0200 @@ -654,6 +654,8 @@ Available keywords are .Cm AllowAgentForwarding , .Cm AllowTcpForwarding , 
@@ -434,8 +434,8 @@ diff -up openssh-5.6p1/sshd_config.5.akc openssh-5.6p1/sshd_config.5 Specifies whether rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is allowed. diff -up openssh-5.6p1/sshd_config.akc openssh-5.6p1/sshd_config ---- openssh-5.6p1/sshd_config.akc 2010-08-23 12:15:41.000000000 +0200 -+++ openssh-5.6p1/sshd_config 2010-08-23 12:15:42.000000000 +0200 +--- openssh-5.6p1/sshd_config.akc 2010-09-03 15:24:50.000000000 +0200 ++++ openssh-5.6p1/sshd_config 2010-09-03 15:24:51.000000000 +0200 @@ -45,6 +45,8 @@ SyslogFacility AUTHPRIV #RSAAuthentication yes #PubkeyAuthentication yes diff --git a/openssh-5.6p1-redhat.patch b/openssh-5.6p1-redhat.patch new file mode 100644 index 0000000..f4560a9 --- /dev/null +++ b/openssh-5.6p1-redhat.patch 
@@ -0,0 +1,99 @@ +diff -up openssh-5.6p1/ssh_config.redhat openssh-5.6p1/ssh_config +--- openssh-5.6p1/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100 ++++ openssh-5.6p1/ssh_config 2010-09-03 15:21:17.000000000 +0200 +@@ -45,3 +45,14 @@ + # PermitLocalCommand no + # VisualHostKey no + # ProxyCommand ssh -q -W %h:%p gateway.example.com ++Host * ++ GSSAPIAuthentication yes ++# If this option is set to yes then remote X11 clients will have full access ++# to the original X11 display. As virtually no X11 client supports the untrusted ++# mode correctly we set this to yes. ++ ForwardX11Trusted yes ++# Send locale-related environment variables ++ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES ++ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT ++ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE ++ SendEnv XMODIFIERS +diff -up openssh-5.6p1/sshd_config.0.redhat openssh-5.6p1/sshd_config.0 +--- openssh-5.6p1/sshd_config.0.redhat 2010-08-23 05:24:16.000000000 +0200 ++++ openssh-5.6p1/sshd_config.0 2010-09-03 15:23:20.000000000 +0200 +@@ -537,9 +537,9 @@ DESCRIPTION + + SyslogFacility + Gives the facility code that is used when logging messages from +- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, +- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The +- default is AUTH. ++ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV, ++ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. ++ The default is AUTH. + + TCPKeepAlive + Specifies whether the system should send TCP keepalive messages +diff -up openssh-5.6p1/sshd_config.5.redhat openssh-5.6p1/sshd_config.5 +--- openssh-5.6p1/sshd_config.5.redhat 2010-07-02 05:37:17.000000000 +0200 ++++ openssh-5.6p1/sshd_config.5 2010-09-03 15:21:17.000000000 +0200 +@@ -919,7 +919,7 @@ Note that this option applies to protoco + .It Cm SyslogFacility + Gives the facility code that is used when logging messages from + .Xr sshd 8 . 
+-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, ++The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2, + LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. + The default is AUTH. + .It Cm TCPKeepAlive +diff -up openssh-5.6p1/sshd_config.redhat openssh-5.6p1/sshd_config +--- openssh-5.6p1/sshd_config.redhat 2009-10-11 12:51:09.000000000 +0200 ++++ openssh-5.6p1/sshd_config 2010-09-03 15:21:17.000000000 +0200 +@@ -31,6 +31,7 @@ + # Logging + # obsoletes QuietMode and FascistLogging + #SyslogFacility AUTH ++SyslogFacility AUTHPRIV + #LogLevel INFO + + # Authentication: +@@ -58,9 +59,11 @@ + # To disable tunneled clear text passwords, change to no here! + #PasswordAuthentication yes + #PermitEmptyPasswords no ++PasswordAuthentication yes + + # Change to no to disable s/key passwords + #ChallengeResponseAuthentication yes ++ChallengeResponseAuthentication no + + # Kerberos options + #KerberosAuthentication no +@@ -70,7 +73,9 @@ + + # GSSAPI options + #GSSAPIAuthentication no ++GSSAPIAuthentication yes + #GSSAPICleanupCredentials yes ++GSSAPICleanupCredentials yes + + # Set this to 'yes' to enable PAM authentication, account processing, + # and session processing. If this is enabled, PAM authentication will +@@ -82,11 +87,19 @@ + # PAM authentication, then enable this but set PasswordAuthentication + # and ChallengeResponseAuthentication to 'no'. + #UsePAM no ++UsePAM yes ++ ++# Accept locale-related environment variables ++AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES ++AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT ++AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE ++AcceptEnv XMODIFIERS + + #AllowAgentForwarding yes + #AllowTcpForwarding yes + #GatewayPorts no + #X11Forwarding no ++X11Forwarding yes + #X11DisplayOffset 10 + #X11UseLocalhost yes + #PrintMotd yes diff --git a/openssh.spec b/openssh.spec index 92d712b..68f38aa 100644 --- a/openssh.spec +++ b/openssh.spec 
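Review bot: The sshd_config overrides this rebased patch carries (`SyslogFacility AUTHPRIV`, `PasswordAuthentication yes`, `ChallengeResponseAuthentication no`, `GSSAPIAuthentication yes`, `UsePAM yes`, `X11Forwarding yes`) are inserted beside upstream's commented-out defaults with no word on why the distribution flips them, whereas the ssh_config half of the same patch justifies `ForwardX11Trusted yes` with a three-line comment. A reader of the shipped sshd_config cannot tell a deliberate vendor default from a leftover, and `X11Forwarding yes` in particular is one an administrator hardening an exposed host should be able to recognise as vendor-chosen; a single line above the group would do, e.g. `# Distribution defaults (see openssh-5.6p1-redhat.patch); review before deploying on exposed hosts`. The new `UsePAM yes` also lands directly under upstream's comment telling the reader to set PasswordAuthentication to 'no' when PAM should only do account/session checks, while this file sets `PasswordAuthentication yes` a few lines earlier; a short comment stating the intended interaction (presumably password checks are meant to go through PAM here) would keep that upstream comment from reading as a contradiction.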
@@ -71,7 +71,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %define openssh_ver 5.6p1 -%define openssh_rel 1 +%define openssh_rel 2 %define pam_ssh_agent_ver 0.9.2 %define pam_ssh_agent_rel 27 @@ -93,7 +93,7 @@ Source3: sshd.init Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.bz2 Source5: pam_ssh_agent-rmheaders -Patch0: openssh-5.4p1-redhat.patch +Patch0: openssh-5.6p1-redhat.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 Patch4: openssh-5.2p1-vendor.patch Patch10: pam_ssh_agent_auth-0.9-build.patch @@ -317,7 +317,7 @@ CFLAGS="$CFLAGS -fpic" %endif export CFLAGS SAVE_LDFLAGS="$LDFLAGS" -LDFLAGS="$LDFLAGS -pie"; export LDFLAGS +LDFLAGS="$LDFLAGS -pie -z relro -z now"; export LDFLAGS %endif %if %{kerberos5} if test -r /etc/profile.d/krb5-devel.sh ; then @@ -579,6 +579,10 @@ fi %endif %changelog +* Fri Sep 3 2010 Jan F. Chadima - 5.6p1-1 + 0.9.2-27 +- Rebased to openssh5.6p1 +- Added -z relro -z now to LDFLAGS + * Wed Jul 7 2010 Jan F. Chadima - 5.5p1-18 + 0.9.2-26 - merged with newer bugzilla's version of authorized keys command patch
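Review bot: `-z relro -z now` is appended only inside the `%if` block that also adds `-pie` (the `%if` opens outside the hunk; from the `CFLAGS="$CFLAGS -fpic"` context it looks like the PIE conditional), so a build with that conditional off silently loses full RELRO as well; full RELRO does not depend on PIE and could be applied outside the guard, e.g. `LDFLAGS="$LDFLAGS -z relro -z now"; export LDFLAGS` after the `%endif`. `SAVE_LDFLAGS` is captured just before the changed line, so whatever later restores it (outside the hunk) will also drop these flags for that sub-build — worth confirming the hardening is meant to reach it. Separately, the changelog entry added in the `@@ -579` hunk records `5.6p1-1` while the `@@ -71` hunk bumps `openssh_rel` to 2; the entry should read `5.6p1-2`.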