diff --git a/openssh-5.3p1-audit.patch b/openssh-5.3p1-audit.patch deleted file mode 100644 index 5809294..0000000 --- a/openssh-5.3p1-audit.patch +++ /dev/null @@ -1,153 +0,0 @@ -diff -up openssh-5.3p1/auth.c.audit openssh-5.3p1/auth.c ---- openssh-5.3p1/auth.c.audit 2008-11-05 06:12:54.000000000 +0100 -+++ openssh-5.3p1/auth.c 2009-12-21 08:50:12.000000000 +0100 -@@ -287,6 +287,12 @@ auth_log(Authctxt *authctxt, int authent - get_canonical_hostname(options.use_dns), "ssh", &loginmsg); - # endif - #endif -+#if HAVE_LINUX_AUDIT -+ if (authenticated == 0 && !authctxt->postponed) { -+ linux_audit_record_event(-1, authctxt->user, NULL, -+ get_remote_ipaddr(), "sshd", 0); -+ } -+#endif - #ifdef SSH_AUDIT_EVENTS - if (authenticated == 0 && !authctxt->postponed) - audit_event(audit_classify_auth(method)); -@@ -533,6 +539,10 @@ getpwnamallow(const char *user) - record_failed_login(user, - get_canonical_hostname(options.use_dns), "ssh"); - #endif -+#ifdef HAVE_LINUX_AUDIT -+ linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(), -+ "sshd", 0); -+#endif - #ifdef SSH_AUDIT_EVENTS - audit_event(SSH_INVALID_USER); - #endif /* SSH_AUDIT_EVENTS */ -diff -up openssh-5.3p1/configure.ac.audit openssh-5.3p1/configure.ac ---- openssh-5.3p1/configure.ac.audit 2009-12-21 08:48:59.000000000 +0100 -+++ openssh-5.3p1/configure.ac 2009-12-21 08:51:47.000000000 +0100 -@@ -3409,6 +3409,18 @@ AC_ARG_WITH(selinux, - fi ] - ) - -+# Check whether user wants Linux audit support -+LINUX_AUDIT_MSG="no" -+AC_ARG_WITH(linux-audit, -+ [ --with-linux-audit Enable Linux audit support], -+ [ if test "x$withval" != "xno" ; then -+ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.]) -+ LINUX_AUDIT_MSG="yes" -+ AC_CHECK_HEADERS(libaudit.h) -+ SSHDLIBS="$SSHDLIBS -laudit" -+ fi ] -+) -+ - # Check whether user wants Kerberos 5 support - KRB5_MSG="no" - AC_ARG_WITH(kerberos5, -@@ -4234,6 +4246,7 @@ echo " PAM support - echo " OSF SIA support: $SIA_MSG" - echo " KerberosV support: $KRB5_MSG" - echo " SELinux support: $SELINUX_MSG" -+echo " Linux audit support: $LINUX_AUDIT_MSG" - echo " Smartcard support: $SCARD_MSG" - echo " S/KEY support: $SKEY_MSG" - echo " TCP Wrappers support: $TCPW_MSG" -diff -up openssh-5.3p1/loginrec.c.audit openssh-5.3p1/loginrec.c ---- openssh-5.3p1/loginrec.c.audit 2009-02-12 03:12:22.000000000 +0100 -+++ openssh-5.3p1/loginrec.c 2009-12-21 08:54:17.000000000 +0100 -@@ -176,6 +176,10 @@ - #include "auth.h" - #include "buffer.h" - -+#ifdef HAVE_LINUX_AUDIT -+# include -+#endif -+ - #ifdef HAVE_UTIL_H - # include - #endif -@@ -202,6 +206,9 @@ int utmp_write_entry(struct logininfo *l - int utmpx_write_entry(struct logininfo *li); - int wtmp_write_entry(struct logininfo *li); - int wtmpx_write_entry(struct logininfo *li); -+#ifdef HAVE_LINUX_AUDIT -+int linux_audit_write_entry(struct logininfo *li); -+#endif - int lastlog_write_entry(struct logininfo *li); - int syslogin_write_entry(struct logininfo *li); - -@@ -440,6 +447,10 @@ login_write(struct logininfo *li) - - /* set the timestamp */ - login_set_current_time(li); -+#ifdef HAVE_LINUX_AUDIT -+ if (linux_audit_write_entry(li) == 0) -+ fatal("linux_audit_write_entry failed: %s", strerror(errno)); -+#endif - #ifdef USE_LOGIN - syslogin_write_entry(li); - #endif -@@ -1394,6 +1405,47 @@ wtmpx_get_entry(struct logininfo *li) - } - #endif /* USE_WTMPX */ - -+#ifdef HAVE_LINUX_AUDIT -+int -+linux_audit_record_event(int uid, const char *username, -+ const char *hostname, const char *ip, const char *ttyn, int success) -+{ -+ int audit_fd, rc; -+ -+ audit_fd = audit_open(); -+ if (audit_fd < 0) { -+ if (errno == EINVAL || errno == EPROTONOSUPPORT || -+ errno == EAFNOSUPPORT) -+ return 1; /* No audit support in kernel */ -+ else -+ return 0; /* Must prevent login */ -+ } -+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN, -+ NULL, "login", username ? username : "(unknown)", -+ username == NULL ? uid : -1, hostname, ip, ttyn, success); -+ close(audit_fd); -+ if (rc >= 0) -+ return 1; -+ else -+ return 0; -+} -+ -+int -+linux_audit_write_entry(struct logininfo *li) -+{ -+ switch(li->type) { -+ case LTYPE_LOGIN: -+ return (linux_audit_record_event(li->uid, NULL, li->hostname, -+ NULL, li->line, 1)); -+ case LTYPE_LOGOUT: -+ return (1); /* We only care about logins */ -+ default: -+ logit("%s: invalid type field", __func__); -+ return (0); -+ } -+} -+#endif /* HAVE_LINUX_AUDIT */ -+ - /** - ** Low-level libutil login() functions - **/ -diff -up openssh-5.3p1/loginrec.h.audit openssh-5.3p1/loginrec.h ---- openssh-5.3p1/loginrec.h.audit 2006-08-05 04:39:40.000000000 +0200 -+++ openssh-5.3p1/loginrec.h 2009-12-21 08:48:59.000000000 +0100 -@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch - char *line_abbrevname(char *dst, const char *src, int dstsize); - - void record_failed_login(const char *, const char *, const char *); -+#ifdef HAVE_LINUX_AUDIT -+int linux_audit_record_event(int uid, const char *username, -+ const char *hostname, const char *ip, const char *ttyn, int success); -+#endif /* HAVE_LINUX_AUDIT */ - - #endif /* _HAVE_LOGINREC_H_ */ diff --git a/openssh-5.6p1-audit.patch b/openssh-5.6p1-audit.patch new file mode 100644 index 0000000..4d047f9 --- /dev/null +++ b/openssh-5.6p1-audit.patch @@ -0,0 +1,276 @@ +diff -up openssh-5.6p1/audit-bsm.c.audit openssh-5.6p1/audit-bsm.c +--- openssh-5.6p1/audit-bsm.c.audit 2008-02-25 11:05:04.000000000 +0100 ++++ openssh-5.6p1/audit-bsm.c 2010-09-25 16:07:42.000000000 +0200 +@@ -305,13 +305,13 @@ audit_run_command(const char *command) + } + + void +-audit_session_open(const char *ttyn) ++audit_session_open(struct logininfo *li) + { + /* not implemented */ + } + + void +-audit_session_close(const char *ttyn) ++audit_session_close(struct logininfo *li) + { + /* not implemented */ + } +diff -up openssh-5.6p1/audit.c.audit openssh-5.6p1/audit.c +--- openssh-5.6p1/audit.c.audit 2006-09-01 07:38:36.000000000 +0200 ++++ openssh-5.6p1/audit.c 2010-09-25 16:07:42.000000000 +0200 +@@ -147,9 +147,9 @@ audit_event(ssh_audit_event_t event) + * within a single connection. + */ + void +-audit_session_open(const char *ttyn) ++audit_session_open(struct logininfo *li) + { +- const char *t = ttyn ? ttyn : "(no tty)"; ++ const char *t = li->line ? li->line : "(no tty)"; + + debug("audit session open euid %d user %s tty name %s", geteuid(), + audit_username(), t); +@@ -163,9 +163,9 @@ audit_session_open(const char *ttyn) + * within a single connection. + */ + void +-audit_session_close(const char *ttyn) ++audit_session_close(struct logininfo *li) + { +- const char *t = ttyn ? ttyn : "(no tty)"; ++ const char *t = li->line ? li->line : "(no tty)"; + + debug("audit session close euid %d user %s tty name %s", geteuid(), + audit_username(), t); +diff -up openssh-5.6p1/audit.h.audit openssh-5.6p1/audit.h +--- openssh-5.6p1/audit.h.audit 2006-08-05 16:05:10.000000000 +0200 ++++ openssh-5.6p1/audit.h 2010-09-25 16:07:42.000000000 +0200 +@@ -26,6 +26,9 @@ + + #ifndef _SSH_AUDIT_H + # define _SSH_AUDIT_H ++ ++#include "loginrec.h" ++ + enum ssh_audit_event_type { + SSH_LOGIN_EXCEED_MAXTRIES, + SSH_LOGIN_ROOT_DENIED, +@@ -46,8 +49,8 @@ typedef enum ssh_audit_event_type ssh_au + + void audit_connection_from(const char *, int); + void audit_event(ssh_audit_event_t); +-void audit_session_open(const char *); +-void audit_session_close(const char *); ++void audit_session_open(struct logininfo *); ++void audit_session_close(struct logininfo *); + void audit_run_command(const char *); + ssh_audit_event_t audit_classify_auth(const char *); + +diff -up openssh-5.6p1/audit-linux.c.audit openssh-5.6p1/audit-linux.c +--- openssh-5.6p1/audit-linux.c.audit 2010-09-25 16:07:42.000000000 +0200 ++++ openssh-5.6p1/audit-linux.c 2010-09-25 16:08:37.000000000 +0200 +@@ -0,0 +1,128 @@ ++/* $Id: audit-linux.c,v 1.1 jfch Exp $ */ ++ ++/* ++ * Copyright 2010 Red Hat, Inc. All rights reserved. ++ * Use is subject to license terms. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR ++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. ++ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, ++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, ++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF ++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ * Red Hat author: Jan F. Chadima ++ */ ++/* #pragma ident "@(#)audit-linux.c 1.1 01/09/17 SMI" */ ++ ++#include "includes.h" ++#if defined(USE_LINUX_AUDIT) ++#include ++#include ++#include ++ ++#include "log.h" ++#include "audit.h" ++ ++int ++linux_audit_record_event(int uid, const char *username, ++ const char *hostname, const char *ip, const char *ttyn, int success) ++{ ++ int audit_fd, rc; ++ ++ audit_fd = audit_open(); ++ if (audit_fd < 0) { ++ if (errno == EINVAL || errno == EPROTONOSUPPORT || ++ errno == EAFNOSUPPORT) ++ return 1; /* No audit support in kernel */ ++ else ++ return 0; /* Must prevent login */ ++ } ++ rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN, ++ NULL, "login", username ? username : "(unknown)", ++ username == NULL ? uid : -1, hostname, ip, ttyn, success); ++ close(audit_fd); ++ if (rc >= 0) ++ return 1; ++ else ++ return 0; ++} ++ ++/* Below is the sshd audit API code */ ++ ++void ++audit_connection_from(const char *host, int port) ++{ ++} ++ /* not implemented */ ++ ++void ++audit_run_command(const char *command) ++{ ++ /* not implemented */ ++} ++ ++void ++audit_session_open(struct logininfo *li) ++{ ++ debug("audit session open euid %d", geteuid()); ++ if (linux_audit_record_event(li->uid, NULL, li->hostname, ++ NULL, li->line, 1) == 0) ++ fatal("linux_audit_write_entry failed: %s", strerror(errno)); ++} ++ ++void ++audit_session_close(struct logininfo *li) ++{ ++ /* not implemented */ ++} ++ ++void ++audit_event(ssh_audit_event_t event) ++{ ++ switch(event) { ++// case SSH_AUTH_SUCCESS: ++// break; ++// ++// case SSH_CONNECTION_CLOSE: ++// break; ++// ++// case SSH_NOLOGIN: ++// break; ++// ++// case SSH_LOGIN_EXCEED_MAXTRIES: ++// break; ++// ++// case SSH_LOGIN_ROOT_DENIED: ++// break; ++ ++ case SSH_AUTH_FAIL_NONE: ++ case SSH_AUTH_FAIL_PASSWD: ++ case SSH_AUTH_FAIL_KBDINT: ++ case SSH_AUTH_FAIL_PUBKEY: ++ case SSH_AUTH_FAIL_HOSTBASED: ++ case SSH_AUTH_FAIL_GSSAPI: ++ case SSH_INVALID_USER: ++ linux_audit_record_event(-1, audit_username(), NULL, ++ get_remote_ipaddr(), "sshd", 0); ++ break; ++ ++ default: ++ debug("%s: unhandled event %d", __func__, event); ++ } ++} ++ ++#endif /* USE_LINUX_AUDIT */ +diff -up openssh-5.6p1/configure.ac.audit openssh-5.6p1/configure.ac +--- openssh-5.6p1/configure.ac.audit 2010-08-16 05:15:23.000000000 +0200 ++++ openssh-5.6p1/configure.ac 2010-09-25 16:07:42.000000000 +0200 +@@ -1308,7 +1308,7 @@ int main(void) + + AUDIT_MODULE=none + AC_ARG_WITH(audit, +- [ --with-audit=module Enable EXPERIMENTAL audit support (modules=debug,bsm)], ++ [ --with-audit=module Enable EXPERIMENTAL audit support (modules=debug,bsm,linux)], + [ + AC_MSG_CHECKING(for supported audit module) + case "$withval" in +@@ -1332,10 +1332,18 @@ AC_ARG_WITH(audit, + AC_CHECK_FUNCS(getaudit_addr aug_get_machine) + AC_DEFINE(USE_BSM_AUDIT, 1, [Use BSM audit module]) + ;; ++ linux) ++ AC_MSG_RESULT(linux) ++ AUDIT_MODULE=linux ++ dnl Checks for headers, libs and functions ++ AC_CHECK_HEADERS(libaudit.h) ++ SSHDLIBS="$SSHDLIBS -laudit" ++ AC_DEFINE(USE_LINUX_AUDIT, 1, [Use Linux audit module]) ++ ;; + debug) + AUDIT_MODULE=debug + AC_MSG_RESULT(debug) +- AC_DEFINE(SSH_AUDIT_EVENTS, 1, Use audit debugging module) ++ AC_DEFINE(SSH_AUDIT_EVENTS, 1, [Use audit debugging module]) + ;; + no) + AC_MSG_RESULT(no) +diff -up openssh-5.6p1/defines.h.audit openssh-5.6p1/defines.h +--- openssh-5.6p1/defines.h.audit 2010-04-09 10:13:27.000000000 +0200 ++++ openssh-5.6p1/defines.h 2010-09-25 16:07:42.000000000 +0200 +@@ -566,6 +566,11 @@ struct winsize { + # define CUSTOM_SSH_AUDIT_EVENTS + #endif + ++#ifdef USE_LINUX_AUDIT ++# define SSH_AUDIT_EVENTS ++# define CUSTOM_SSH_AUDIT_EVENTS ++#endif ++ + #if !defined(HAVE___func__) && defined(HAVE___FUNCTION__) + # define __func__ __FUNCTION__ + #elif !defined(HAVE___func__) +diff -up openssh-5.6p1/loginrec.c.audit openssh-5.6p1/loginrec.c +--- openssh-5.6p1/loginrec.c.audit 2010-04-09 10:13:27.000000000 +0200 ++++ openssh-5.6p1/loginrec.c 2010-09-25 16:07:42.000000000 +0200 +@@ -468,9 +468,9 @@ login_write(struct logininfo *li) + #endif + #ifdef SSH_AUDIT_EVENTS + if (li->type == LTYPE_LOGIN) +- audit_session_open(li->line); ++ audit_session_open(li); + else if (li->type == LTYPE_LOGOUT) +- audit_session_close(li->line); ++ audit_session_close(li); + #endif + return (0); + } +diff -up openssh-5.6p1/Makefile.in.audit openssh-5.6p1/Makefile.in +--- openssh-5.6p1/Makefile.in.audit 2010-05-12 08:51:39.000000000 +0200 ++++ openssh-5.6p1/Makefile.in 2010-09-25 16:07:42.000000000 +0200 +@@ -90,7 +90,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw + auth-krb5.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o \ + loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ +- audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ ++ audit.o audit-bsm.o audit-linux.o platform.o sftp-server.o sftp-common.o \ + roaming_common.o roaming_serv.o + + MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out diff --git a/openssh-5.6p1-gsskex.patch b/openssh-5.6p1-gsskex.patch index 95da913..a0079ae 100644 --- a/openssh-5.6p1-gsskex.patch +++ b/openssh-5.6p1-gsskex.patch @@ -1,6 +1,6 @@ diff -up openssh-5.6p1/auth2.c.gsskex openssh-5.6p1/auth2.c ---- openssh-5.6p1/auth2.c.gsskex 2010-08-23 12:51:56.000000000 +0200 -+++ openssh-5.6p1/auth2.c 2010-08-23 12:51:58.000000000 +0200 +--- openssh-5.6p1/auth2.c.gsskex 2010-09-25 12:10:55.000000000 +0200 ++++ openssh-5.6p1/auth2.c 2010-09-25 12:10:58.000000000 +0200 @@ -69,6 +69,7 @@ extern Authmethod method_passwd; extern Authmethod method_kbdint; extern Authmethod method_hostbased; @@ -36,8 +36,8 @@ diff -up openssh-5.6p1/auth2.c.gsskex openssh-5.6p1/auth2.c if (authctxt->failures >= options.max_authtries) { #ifdef SSH_AUDIT_EVENTS diff -up openssh-5.6p1/auth2-gss.c.gsskex openssh-5.6p1/auth2-gss.c ---- openssh-5.6p1/auth2-gss.c.gsskex 2010-08-23 12:51:56.000000000 +0200 -+++ openssh-5.6p1/auth2-gss.c 2010-08-23 12:51:58.000000000 +0200 +--- openssh-5.6p1/auth2-gss.c.gsskex 2010-09-25 12:10:55.000000000 +0200 ++++ openssh-5.6p1/auth2-gss.c 2010-09-25 12:10:58.000000000 +0200 @@ -1,7 +1,7 @@ /* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */ @@ -138,8 +138,8 @@ diff -up openssh-5.6p1/auth2-gss.c.gsskex openssh-5.6p1/auth2-gss.c "gssapi-with-mic", userauth_gssapi, diff -up openssh-5.6p1/auth.h.gsskex openssh-5.6p1/auth.h ---- openssh-5.6p1/auth.h.gsskex 2010-08-23 12:51:56.000000000 +0200 -+++ openssh-5.6p1/auth.h 2010-08-23 12:51:58.000000000 +0200 +--- openssh-5.6p1/auth.h.gsskex 2010-09-25 12:10:56.000000000 +0200 ++++ openssh-5.6p1/auth.h 2010-09-25 12:10:58.000000000 +0200 @@ -53,6 +53,7 @@ struct Authctxt { int valid; /* user exists and is allowed to login */ int attempt; @@ -150,7 +150,7 @@ diff -up openssh-5.6p1/auth.h.gsskex openssh-5.6p1/auth.h char *service; diff -up openssh-5.6p1/auth-krb5.c.gsskex openssh-5.6p1/auth-krb5.c --- openssh-5.6p1/auth-krb5.c.gsskex 2009-12-21 00:49:22.000000000 +0100 -+++ openssh-5.6p1/auth-krb5.c 2010-08-23 12:51:58.000000000 +0200 ++++ openssh-5.6p1/auth-krb5.c 2010-09-25 12:10:58.000000000 +0200 @@ -170,8 +170,13 @@ auth_krb5_password(Authctxt *authctxt, c len = strlen(authctxt->krb5_ticket_file) + 6; @@ -199,8 +199,8 @@ diff -up openssh-5.6p1/auth-krb5.c.gsskex openssh-5.6p1/auth-krb5.c return (krb5_cc_resolve(ctx, ccname, ccache)); } diff -up openssh-5.6p1/ChangeLog.gssapi.gsskex openssh-5.6p1/ChangeLog.gssapi ---- openssh-5.6p1/ChangeLog.gssapi.gsskex 2010-08-23 12:51:58.000000000 +0200 -+++ openssh-5.6p1/ChangeLog.gssapi 2010-08-23 12:51:58.000000000 +0200 +--- openssh-5.6p1/ChangeLog.gssapi.gsskex 2010-09-25 12:10:58.000000000 +0200 ++++ openssh-5.6p1/ChangeLog.gssapi 2010-09-25 12:10:58.000000000 +0200 @@ -0,0 +1,95 @@ +20090615 + - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c @@ -299,7 +299,7 @@ diff -up openssh-5.6p1/ChangeLog.gssapi.gsskex openssh-5.6p1/ChangeLog.gssapi + diff -up openssh-5.6p1/clientloop.c.gsskex openssh-5.6p1/clientloop.c --- openssh-5.6p1/clientloop.c.gsskex 2010-08-03 08:04:46.000000000 +0200 -+++ openssh-5.6p1/clientloop.c 2010-08-23 12:51:58.000000000 +0200 ++++ openssh-5.6p1/clientloop.c 2010-09-25 12:10:58.000000000 +0200 @@ -111,6 +111,10 @@ #include "msg.h" #include "roaming.h" @@ -326,8 +326,8 @@ diff -up openssh-5.6p1/clientloop.c.gsskex openssh-5.6p1/clientloop.c debug("need rekeying"); xxx_kex->done = 0; diff -up openssh-5.6p1/configure.ac.gsskex openssh-5.6p1/configure.ac ---- openssh-5.6p1/configure.ac.gsskex 2010-08-23 12:51:57.000000000 +0200 -+++ openssh-5.6p1/configure.ac 2010-08-23 12:51:58.000000000 +0200 +--- openssh-5.6p1/configure.ac.gsskex 2010-09-25 12:10:58.000000000 +0200 ++++ openssh-5.6p1/configure.ac 2010-09-25 12:10:58.000000000 +0200 @@ -477,6 +477,30 @@ main() { if (NSVersionOfRunTimeLibrary(" [Use tunnel device compatibility to OpenBSD]) AC_DEFINE(SSH_TUN_PREPEND_AF, 1, @@ -361,7 +361,7 @@ diff -up openssh-5.6p1/configure.ac.gsskex openssh-5.6p1/configure.ac AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records]) diff -up openssh-5.6p1/gss-genr.c.gsskex openssh-5.6p1/gss-genr.c --- openssh-5.6p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200 -+++ openssh-5.6p1/gss-genr.c 2010-08-23 12:51:58.000000000 +0200 ++++ openssh-5.6p1/gss-genr.c 2010-09-25 12:10:59.000000000 +0200 @@ -39,12 +39,167 @@ #include "buffer.h" #include "log.h" @@ -702,7 +702,7 @@ diff -up openssh-5.6p1/gss-genr.c.gsskex openssh-5.6p1/gss-genr.c #endif /* GSSAPI */ diff -up openssh-5.6p1/gss-serv.c.gsskex openssh-5.6p1/gss-serv.c --- openssh-5.6p1/gss-serv.c.gsskex 2008-05-19 07:05:07.000000000 +0200 -+++ openssh-5.6p1/gss-serv.c 2010-08-23 12:51:58.000000000 +0200 ++++ openssh-5.6p1/gss-serv.c 2010-09-25 12:10:59.000000000 +0200 @@ -1,7 +1,7 @@ /* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */ @@ -1018,7 +1018,7 @@ diff -up openssh-5.6p1/gss-serv.c.gsskex openssh-5.6p1/gss-serv.c #endif diff -up openssh-5.6p1/gss-serv-krb5.c.gsskex openssh-5.6p1/gss-serv-krb5.c --- openssh-5.6p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200 -+++ openssh-5.6p1/gss-serv-krb5.c 2010-08-23 12:51:58.000000000 +0200 ++++ openssh-5.6p1/gss-serv-krb5.c 2010-09-25 12:10:59.000000000 +0200 @@ -1,7 +1,7 @@ /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ @@ -1141,7 +1141,7 @@ diff -up openssh-5.6p1/gss-serv-krb5.c.gsskex openssh-5.6p1/gss-serv-krb5.c #endif /* KRB5 */ diff -up openssh-5.6p1/kex.c.gsskex openssh-5.6p1/kex.c --- openssh-5.6p1/kex.c.gsskex 2010-01-08 06:50:41.000000000 +0100 -+++ openssh-5.6p1/kex.c 2010-08-23 12:51:58.000000000 +0200 ++++ openssh-5.6p1/kex.c 2010-09-25 12:10:59.000000000 +0200 @@ -50,6 +50,10 @@ #include "monitor.h" #include "roaming.h" @@ -1175,8 +1175,8 @@ diff -up openssh-5.6p1/kex.c.gsskex openssh-5.6p1/kex.c fatal("bad kex alg %s", k->name); } diff -up openssh-5.6p1/kexgssc.c.gsskex openssh-5.6p1/kexgssc.c ---- openssh-5.6p1/kexgssc.c.gsskex 2010-08-23 12:51:58.000000000 +0200 -+++ openssh-5.6p1/kexgssc.c 2010-08-23 12:51:58.000000000 +0200 +--- openssh-5.6p1/kexgssc.c.gsskex 2010-09-25 12:10:59.000000000 +0200 ++++ openssh-5.6p1/kexgssc.c 2010-09-25 12:10:59.000000000 +0200 @@ -0,0 +1,334 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -1513,8 +1513,8 @@ diff -up openssh-5.6p1/kexgssc.c.gsskex openssh-5.6p1/kexgssc.c + +#endif /* GSSAPI */ diff -up openssh-5.6p1/kexgsss.c.gsskex openssh-5.6p1/kexgsss.c ---- openssh-5.6p1/kexgsss.c.gsskex 2010-08-23 12:51:58.000000000 +0200 -+++ openssh-5.6p1/kexgsss.c 2010-08-23 12:51:58.000000000 +0200 +--- openssh-5.6p1/kexgsss.c.gsskex 2010-09-25 12:10:59.000000000 +0200 ++++ openssh-5.6p1/kexgsss.c 2010-09-25 12:10:59.000000000 +0200 @@ -0,0 +1,288 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -1806,7 +1806,7 @@ diff -up openssh-5.6p1/kexgsss.c.gsskex openssh-5.6p1/kexgsss.c +#endif /* GSSAPI */ diff -up openssh-5.6p1/kex.h.gsskex openssh-5.6p1/kex.h --- openssh-5.6p1/kex.h.gsskex 2010-02-26 21:55:05.000000000 +0100 -+++ openssh-5.6p1/kex.h 2010-08-23 12:51:58.000000000 +0200 ++++ openssh-5.6p1/kex.h 2010-09-25 12:10:59.000000000 +0200 @@ -67,6 +67,9 @@ enum kex_exchange { KEX_DH_GRP14_SHA1, KEX_DH_GEX_SHA1, @@ -1844,7 +1844,7 @@ diff -up openssh-5.6p1/kex.h.gsskex openssh-5.6p1/kex.h BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); diff -up openssh-5.6p1/key.c.gsskex openssh-5.6p1/key.c --- openssh-5.6p1/key.c.gsskex 2010-07-16 05:58:37.000000000 +0200 -+++ openssh-5.6p1/key.c 2010-08-23 12:56:03.000000000 +0200 ++++ openssh-5.6p1/key.c 2010-09-25 12:10:59.000000000 +0200 @@ -1020,6 +1020,8 @@ key_type_from_name(char *name) return KEY_RSA_CERT; } else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) { @@ -1856,7 +1856,7 @@ diff -up openssh-5.6p1/key.c.gsskex openssh-5.6p1/key.c return KEY_UNSPEC; diff -up openssh-5.6p1/key.h.gsskex openssh-5.6p1/key.h --- openssh-5.6p1/key.h.gsskex 2010-04-16 07:56:22.000000000 +0200 -+++ openssh-5.6p1/key.h 2010-08-23 12:56:32.000000000 +0200 ++++ openssh-5.6p1/key.h 2010-09-25 12:10:59.000000000 +0200 @@ -39,6 +39,7 @@ enum types { KEY_DSA_CERT, KEY_RSA_CERT_V00, @@ -1866,9 +1866,9 @@ diff -up openssh-5.6p1/key.h.gsskex openssh-5.6p1/key.h }; enum fp_type { diff -up openssh-5.6p1/Makefile.in.gsskex openssh-5.6p1/Makefile.in ---- openssh-5.6p1/Makefile.in.gsskex 2010-08-23 12:51:58.000000000 +0200 -+++ openssh-5.6p1/Makefile.in 2010-08-23 12:51:58.000000000 +0200 -@@ -76,11 +76,11 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b +--- openssh-5.6p1/Makefile.in.gsskex 2010-09-25 12:10:58.000000000 +0200 ++++ openssh-5.6p1/Makefile.in 2010-09-25 12:11:54.000000000 +0200 +@@ -77,11 +77,11 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \ entropy.o gss-genr.o umac.o jpake.o schnorr.o \ @@ -1882,18 +1882,18 @@ diff -up openssh-5.6p1/Makefile.in.gsskex openssh-5.6p1/Makefile.in SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ sshpty.o sshlogin.o servconf.o serverloop.o \ -@@ -93,7 +93,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw +@@ -94,7 +94,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw auth2-gss.o gss-serv.o gss-serv-krb5.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ - audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ + audit.o audit-bsm.o audit-linux.o platform.o sftp-server.o sftp-common.o \ - roaming_common.o roaming_serv.o + roaming_common.o roaming_serv.o kexgsss.o MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5 diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c ---- openssh-5.6p1/monitor.c.gsskex 2010-08-23 12:51:56.000000000 +0200 -+++ openssh-5.6p1/monitor.c 2010-08-23 12:51:58.000000000 +0200 +--- openssh-5.6p1/monitor.c.gsskex 2010-09-25 12:10:56.000000000 +0200 ++++ openssh-5.6p1/monitor.c 2010-09-25 12:10:59.000000000 +0200 @@ -175,6 +175,8 @@ int mm_answer_gss_setup_ctx(int, Buffer int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_userok(int, Buffer *); @@ -2087,8 +2087,8 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c #ifdef JPAKE diff -up openssh-5.6p1/monitor.h.gsskex openssh-5.6p1/monitor.h ---- openssh-5.6p1/monitor.h.gsskex 2010-08-23 12:51:56.000000000 +0200 -+++ openssh-5.6p1/monitor.h 2010-08-23 12:51:58.000000000 +0200 +--- openssh-5.6p1/monitor.h.gsskex 2010-09-25 12:10:56.000000000 +0200 ++++ openssh-5.6p1/monitor.h 2010-09-25 12:10:59.000000000 +0200 @@ -56,6 +56,8 @@ enum monitor_reqtype { MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP, MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK, @@ -2099,8 +2099,8 @@ diff -up openssh-5.6p1/monitor.h.gsskex openssh-5.6p1/monitor.h MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, diff -up openssh-5.6p1/monitor_wrap.c.gsskex openssh-5.6p1/monitor_wrap.c ---- openssh-5.6p1/monitor_wrap.c.gsskex 2010-08-23 12:51:56.000000000 +0200 -+++ openssh-5.6p1/monitor_wrap.c 2010-08-23 12:51:58.000000000 +0200 +--- openssh-5.6p1/monitor_wrap.c.gsskex 2010-09-25 12:10:56.000000000 +0200 ++++ openssh-5.6p1/monitor_wrap.c 2010-09-25 12:10:59.000000000 +0200 @@ -1250,7 +1250,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss } @@ -2163,8 +2163,8 @@ diff -up openssh-5.6p1/monitor_wrap.c.gsskex openssh-5.6p1/monitor_wrap.c #ifdef JPAKE diff -up openssh-5.6p1/monitor_wrap.h.gsskex openssh-5.6p1/monitor_wrap.h ---- openssh-5.6p1/monitor_wrap.h.gsskex 2010-08-23 12:51:56.000000000 +0200 -+++ openssh-5.6p1/monitor_wrap.h 2010-08-23 12:51:58.000000000 +0200 +--- openssh-5.6p1/monitor_wrap.h.gsskex 2010-09-25 12:10:56.000000000 +0200 ++++ openssh-5.6p1/monitor_wrap.h 2010-09-25 12:10:59.000000000 +0200 @@ -60,8 +60,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, @@ -2179,7 +2179,7 @@ diff -up openssh-5.6p1/monitor_wrap.h.gsskex openssh-5.6p1/monitor_wrap.h #ifdef USE_PAM diff -up openssh-5.6p1/readconf.c.gsskex openssh-5.6p1/readconf.c --- openssh-5.6p1/readconf.c.gsskex 2010-08-03 08:04:46.000000000 +0200 -+++ openssh-5.6p1/readconf.c 2010-08-23 12:57:26.000000000 +0200 ++++ openssh-5.6p1/readconf.c 2010-09-25 12:10:59.000000000 +0200 @@ -127,6 +127,7 @@ typedef enum { oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, @@ -2263,7 +2263,7 @@ diff -up openssh-5.6p1/readconf.c.gsskex openssh-5.6p1/readconf.c if (options->kbd_interactive_authentication == -1) diff -up openssh-5.6p1/readconf.h.gsskex openssh-5.6p1/readconf.h --- openssh-5.6p1/readconf.h.gsskex 2010-08-03 08:04:46.000000000 +0200 -+++ openssh-5.6p1/readconf.h 2010-08-23 12:51:59.000000000 +0200 ++++ openssh-5.6p1/readconf.h 2010-09-25 12:10:59.000000000 +0200 @@ -46,7 +46,11 @@ typedef struct { int challenge_response_authentication; /* Try S/Key or TIS, authentication. */ @@ -2277,8 +2277,8 @@ diff -up openssh-5.6p1/readconf.h.gsskex openssh-5.6p1/readconf.h * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ diff -up openssh-5.6p1/servconf.c.gsskex openssh-5.6p1/servconf.c ---- openssh-5.6p1/servconf.c.gsskex 2010-08-23 12:51:56.000000000 +0200 -+++ openssh-5.6p1/servconf.c 2010-08-23 12:51:59.000000000 +0200 +--- openssh-5.6p1/servconf.c.gsskex 2010-09-25 12:10:56.000000000 +0200 ++++ openssh-5.6p1/servconf.c 2010-09-25 12:10:59.000000000 +0200 @@ -93,7 +93,10 @@ initialize_server_options(ServerOptions options->kerberos_ticket_cleanup = -1; options->kerberos_get_afs_token = -1; @@ -2356,8 +2356,8 @@ diff -up openssh-5.6p1/servconf.c.gsskex openssh-5.6p1/servconf.c intptr = &options->password_authentication; goto parse_flag; diff -up openssh-5.6p1/servconf.h.gsskex openssh-5.6p1/servconf.h ---- openssh-5.6p1/servconf.h.gsskex 2010-08-23 12:51:56.000000000 +0200 -+++ openssh-5.6p1/servconf.h 2010-08-23 12:51:59.000000000 +0200 +--- openssh-5.6p1/servconf.h.gsskex 2010-09-25 12:10:56.000000000 +0200 ++++ openssh-5.6p1/servconf.h 2010-09-25 12:10:59.000000000 +0200 @@ -94,7 +94,10 @@ typedef struct { int kerberos_get_afs_token; /* If true, try to get AFS token if * authenticated with Kerberos. */ @@ -2371,7 +2371,7 @@ diff -up openssh-5.6p1/servconf.h.gsskex openssh-5.6p1/servconf.h int kbd_interactive_authentication; /* If true, permit */ diff -up openssh-5.6p1/ssh_config.5.gsskex openssh-5.6p1/ssh_config.5 --- openssh-5.6p1/ssh_config.5.gsskex 2010-08-05 05:03:13.000000000 +0200 -+++ openssh-5.6p1/ssh_config.5 2010-08-23 12:51:59.000000000 +0200 ++++ openssh-5.6p1/ssh_config.5 2010-09-25 12:10:59.000000000 +0200 @@ -509,11 +509,38 @@ Specifies whether user authentication ba The default is .Dq no . @@ -2413,8 +2413,8 @@ diff -up openssh-5.6p1/ssh_config.5.gsskex openssh-5.6p1/ssh_config.5 Indicates that .Xr ssh 1 diff -up openssh-5.6p1/ssh_config.gsskex openssh-5.6p1/ssh_config ---- openssh-5.6p1/ssh_config.gsskex 2010-08-23 12:51:55.000000000 +0200 -+++ openssh-5.6p1/ssh_config 2010-08-23 12:51:59.000000000 +0200 +--- openssh-5.6p1/ssh_config.gsskex 2010-09-25 12:10:55.000000000 +0200 ++++ openssh-5.6p1/ssh_config 2010-09-25 12:10:59.000000000 +0200 @@ -26,6 +26,8 @@ # HostbasedAuthentication no # GSSAPIAuthentication no @@ -2425,8 +2425,8 @@ diff -up openssh-5.6p1/ssh_config.gsskex openssh-5.6p1/ssh_config # CheckHostIP yes # AddressFamily any diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c ---- openssh-5.6p1/sshconnect2.c.gsskex 2010-08-23 12:51:58.000000000 +0200 -+++ openssh-5.6p1/sshconnect2.c 2010-08-23 12:51:59.000000000 +0200 +--- openssh-5.6p1/sshconnect2.c.gsskex 2010-09-25 12:10:58.000000000 +0200 ++++ openssh-5.6p1/sshconnect2.c 2010-09-25 12:10:59.000000000 +0200 @@ -108,9 +108,34 @@ ssh_kex2(char *host, struct sockaddr *ho { Kex *kex; @@ -2625,8 +2625,8 @@ diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c int diff -up openssh-5.6p1/sshd.c.gsskex openssh-5.6p1/sshd.c ---- openssh-5.6p1/sshd.c.gsskex 2010-08-23 12:51:58.000000000 +0200 -+++ openssh-5.6p1/sshd.c 2010-08-23 12:51:59.000000000 +0200 +--- openssh-5.6p1/sshd.c.gsskex 2010-09-25 12:10:58.000000000 +0200 ++++ openssh-5.6p1/sshd.c 2010-09-25 12:10:59.000000000 +0200 @@ -129,6 +129,10 @@ int allow_severity; int deny_severity; #endif /* LIBWRAP */ @@ -2776,8 +2776,8 @@ diff -up openssh-5.6p1/sshd.c.gsskex openssh-5.6p1/sshd.c kex->client_version_string=client_version_string; kex->server_version_string=server_version_string; diff -up openssh-5.6p1/sshd_config.5.gsskex openssh-5.6p1/sshd_config.5 ---- openssh-5.6p1/sshd_config.5.gsskex 2010-08-23 12:51:56.000000000 +0200 -+++ openssh-5.6p1/sshd_config.5 2010-08-23 12:51:59.000000000 +0200 +--- openssh-5.6p1/sshd_config.5.gsskex 2010-09-25 12:10:56.000000000 +0200 ++++ openssh-5.6p1/sshd_config.5 2010-09-25 12:10:59.000000000 +0200 @@ -424,12 +424,40 @@ Specifies whether user authentication ba The default is .Dq no . @@ -2820,8 +2820,8 @@ diff -up openssh-5.6p1/sshd_config.5.gsskex openssh-5.6p1/sshd_config.5 Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed diff -up openssh-5.6p1/sshd_config.gsskex openssh-5.6p1/sshd_config ---- openssh-5.6p1/sshd_config.gsskex 2010-08-23 12:51:56.000000000 +0200 -+++ openssh-5.6p1/sshd_config 2010-08-23 12:51:59.000000000 +0200 +--- openssh-5.6p1/sshd_config.gsskex 2010-09-25 12:10:56.000000000 +0200 ++++ openssh-5.6p1/sshd_config 2010-09-25 12:10:59.000000000 +0200 @@ -78,6 +78,8 @@ ChallengeResponseAuthentication no GSSAPIAuthentication yes #GSSAPICleanupCredentials yes @@ -2833,7 +2833,7 @@ diff -up openssh-5.6p1/sshd_config.gsskex openssh-5.6p1/sshd_config # and session processing. If this is enabled, PAM authentication will diff -up openssh-5.6p1/ssh-gss.h.gsskex openssh-5.6p1/ssh-gss.h --- openssh-5.6p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200 -+++ openssh-5.6p1/ssh-gss.h 2010-08-23 12:51:59.000000000 +0200 ++++ openssh-5.6p1/ssh-gss.h 2010-09-25 12:10:59.000000000 +0200 @@ -1,6 +1,6 @@ /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */ /* diff --git a/openssh-5.6p1-ldap.patch b/openssh-5.6p1-ldap.patch index 1010a8c..a1917e8 100644 --- a/openssh-5.6p1-ldap.patch +++ b/openssh-5.6p1-ldap.patch @@ -1,7 +1,7 @@ diff -up openssh-5.6p1/configure.ac.ldap openssh-5.6p1/configure.ac ---- openssh-5.6p1/configure.ac.ldap 2010-08-23 12:28:11.000000000 +0200 -+++ openssh-5.6p1/configure.ac 2010-08-23 12:28:11.000000000 +0200 -@@ -1358,6 +1358,106 @@ AC_ARG_WITH(authorized-keys-command, +--- openssh-5.6p1/configure.ac.ldap 2010-09-25 12:07:39.000000000 +0200 ++++ openssh-5.6p1/configure.ac 2010-09-25 12:07:39.000000000 +0200 +@@ -1366,6 +1366,106 @@ AC_ARG_WITH(authorized-keys-command, ] ) @@ -109,8 +109,8 @@ diff -up openssh-5.6p1/configure.ac.ldap openssh-5.6p1/configure.ac AC_CHECK_FUNCS( \ arc4random \ diff -up openssh-5.6p1/ldapbody.c.ldap openssh-5.6p1/ldapbody.c ---- openssh-5.6p1/ldapbody.c.ldap 2010-08-23 12:28:11.000000000 +0200 -+++ openssh-5.6p1/ldapbody.c 2010-08-23 12:28:11.000000000 +0200 +--- openssh-5.6p1/ldapbody.c.ldap 2010-09-25 12:07:39.000000000 +0200 ++++ openssh-5.6p1/ldapbody.c 2010-09-25 12:07:39.000000000 +0200 @@ -0,0 +1,494 @@ +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -607,8 +607,8 @@ diff -up openssh-5.6p1/ldapbody.c.ldap openssh-5.6p1/ldapbody.c +} + diff -up openssh-5.6p1/ldapbody.h.ldap openssh-5.6p1/ldapbody.h ---- openssh-5.6p1/ldapbody.h.ldap 2010-08-23 12:28:11.000000000 +0200 -+++ openssh-5.6p1/ldapbody.h 2010-08-23 12:28:11.000000000 +0200 +--- openssh-5.6p1/ldapbody.h.ldap 2010-09-25 12:07:39.000000000 +0200 ++++ openssh-5.6p1/ldapbody.h 2010-09-25 12:07:40.000000000 +0200 @@ -0,0 +1,37 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -648,8 +648,8 @@ diff -up openssh-5.6p1/ldapbody.h.ldap openssh-5.6p1/ldapbody.h +#endif /* LDAPBODY_H */ + diff -up openssh-5.6p1/ldapconf.c.ldap openssh-5.6p1/ldapconf.c ---- openssh-5.6p1/ldapconf.c.ldap 2010-08-23 12:28:11.000000000 +0200 -+++ openssh-5.6p1/ldapconf.c 2010-08-23 12:28:11.000000000 +0200 +--- openssh-5.6p1/ldapconf.c.ldap 2010-09-25 12:07:40.000000000 +0200 ++++ openssh-5.6p1/ldapconf.c 2010-09-25 12:07:40.000000000 +0200 @@ -0,0 +1,682 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1334,8 +1334,8 @@ diff -up openssh-5.6p1/ldapconf.c.ldap openssh-5.6p1/ldapconf.c +} + diff -up openssh-5.6p1/ldapconf.h.ldap openssh-5.6p1/ldapconf.h ---- openssh-5.6p1/ldapconf.h.ldap 2010-08-23 12:28:11.000000000 +0200 -+++ openssh-5.6p1/ldapconf.h 2010-08-23 12:28:11.000000000 +0200 +--- openssh-5.6p1/ldapconf.h.ldap 2010-09-25 12:07:40.000000000 +0200 ++++ openssh-5.6p1/ldapconf.h 2010-09-25 12:07:40.000000000 +0200 @@ -0,0 +1,71 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1409,8 +1409,8 @@ diff -up openssh-5.6p1/ldapconf.h.ldap openssh-5.6p1/ldapconf.h + +#endif /* LDAPCONF_H */ diff -up openssh-5.6p1/ldap.conf.ldap openssh-5.6p1/ldap.conf ---- openssh-5.6p1/ldap.conf.ldap 2010-08-23 12:28:11.000000000 +0200 -+++ openssh-5.6p1/ldap.conf 2010-08-23 12:28:11.000000000 +0200 +--- openssh-5.6p1/ldap.conf.ldap 2010-09-25 12:07:40.000000000 +0200 ++++ openssh-5.6p1/ldap.conf 2010-09-25 12:07:40.000000000 +0200 @@ -0,0 +1,88 @@ +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $ +# @@ -1501,8 +1501,8 @@ diff -up openssh-5.6p1/ldap.conf.ldap openssh-5.6p1/ldap.conf +#tls_key + diff -up openssh-5.6p1/ldap-helper.c.ldap openssh-5.6p1/ldap-helper.c ---- openssh-5.6p1/ldap-helper.c.ldap 2010-08-23 12:28:11.000000000 +0200 -+++ openssh-5.6p1/ldap-helper.c 2010-08-23 12:28:11.000000000 +0200 +--- openssh-5.6p1/ldap-helper.c.ldap 2010-09-25 12:07:40.000000000 +0200 ++++ openssh-5.6p1/ldap-helper.c 2010-09-25 12:07:40.000000000 +0200 @@ -0,0 +1,154 @@ +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1659,8 +1659,8 @@ diff -up openssh-5.6p1/ldap-helper.c.ldap openssh-5.6p1/ldap-helper.c +void buffer_put_string(Buffer *b, const void *f, u_int l) {} + diff -up openssh-5.6p1/ldap-helper.h.ldap openssh-5.6p1/ldap-helper.h ---- openssh-5.6p1/ldap-helper.h.ldap 2010-08-23 12:28:11.000000000 +0200 -+++ openssh-5.6p1/ldap-helper.h 2010-08-23 12:28:11.000000000 +0200 +--- openssh-5.6p1/ldap-helper.h.ldap 2010-09-25 12:07:40.000000000 +0200 ++++ openssh-5.6p1/ldap-helper.h 2010-09-25 12:07:40.000000000 +0200 @@ -0,0 +1,32 @@ +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1695,8 +1695,8 @@ diff -up openssh-5.6p1/ldap-helper.h.ldap openssh-5.6p1/ldap-helper.h + +#endif /* LDAP_HELPER_H */ diff -up openssh-5.6p1/ldapincludes.h.ldap openssh-5.6p1/ldapincludes.h ---- openssh-5.6p1/ldapincludes.h.ldap 2010-08-23 12:28:11.000000000 +0200 -+++ openssh-5.6p1/ldapincludes.h 2010-08-23 12:28:11.000000000 +0200 +--- openssh-5.6p1/ldapincludes.h.ldap 2010-09-25 12:07:40.000000000 +0200 ++++ openssh-5.6p1/ldapincludes.h 2010-09-25 12:07:40.000000000 +0200 @@ -0,0 +1,41 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1740,8 +1740,8 @@ diff -up openssh-5.6p1/ldapincludes.h.ldap openssh-5.6p1/ldapincludes.h + +#endif /* LDAPINCLUDES_H */ diff -up openssh-5.6p1/ldapmisc.c.ldap openssh-5.6p1/ldapmisc.c ---- openssh-5.6p1/ldapmisc.c.ldap 2010-08-23 12:28:11.000000000 +0200 -+++ openssh-5.6p1/ldapmisc.c 2010-08-23 12:28:11.000000000 +0200 +--- openssh-5.6p1/ldapmisc.c.ldap 2010-09-25 12:07:40.000000000 +0200 ++++ openssh-5.6p1/ldapmisc.c 2010-09-25 12:07:40.000000000 +0200 @@ -0,0 +1,79 @@ + +#include "ldapincludes.h" @@ -1823,8 +1823,8 @@ diff -up openssh-5.6p1/ldapmisc.c.ldap openssh-5.6p1/ldapmisc.c +#endif + diff -up openssh-5.6p1/ldapmisc.h.ldap openssh-5.6p1/ldapmisc.h ---- openssh-5.6p1/ldapmisc.h.ldap 2010-08-23 12:28:11.000000000 +0200 -+++ openssh-5.6p1/ldapmisc.h 2010-08-23 12:28:11.000000000 +0200 +--- openssh-5.6p1/ldapmisc.h.ldap 2010-09-25 12:07:40.000000000 +0200 ++++ openssh-5.6p1/ldapmisc.h 2010-09-25 12:07:40.000000000 +0200 @@ -0,0 +1,35 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1862,8 +1862,8 @@ diff -up openssh-5.6p1/ldapmisc.h.ldap openssh-5.6p1/ldapmisc.h +#endif /* LDAPMISC_H */ + diff -up openssh-5.6p1/lpk-user-example.txt.ldap openssh-5.6p1/lpk-user-example.txt ---- openssh-5.6p1/lpk-user-example.txt.ldap 2010-08-23 12:28:11.000000000 +0200 -+++ openssh-5.6p1/lpk-user-example.txt 2010-08-23 12:28:11.000000000 +0200 +--- openssh-5.6p1/lpk-user-example.txt.ldap 2010-09-25 12:07:40.000000000 +0200 ++++ openssh-5.6p1/lpk-user-example.txt 2010-09-25 12:07:40.000000000 +0200 @@ -0,0 +1,117 @@ + +Post to ML -> User Made Quick Install Doc. @@ -1983,8 +1983,8 @@ diff -up openssh-5.6p1/lpk-user-example.txt.ldap openssh-5.6p1/lpk-user-example. + +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ diff -up openssh-5.6p1/Makefile.in.ldap openssh-5.6p1/Makefile.in ---- openssh-5.6p1/Makefile.in.ldap 2010-05-12 08:51:39.000000000 +0200 -+++ openssh-5.6p1/Makefile.in 2010-08-23 12:29:24.000000000 +0200 +--- openssh-5.6p1/Makefile.in.ldap 2010-09-25 12:07:39.000000000 +0200 ++++ openssh-5.6p1/Makefile.in 2010-09-25 12:09:46.000000000 +0200 @@ -26,6 +26,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign @@ -2005,7 +2005,7 @@ diff -up openssh-5.6p1/Makefile.in.ldap openssh-5.6p1/Makefile.in LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ @@ -93,8 +95,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw - audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ + audit.o audit-bsm.o audit-linux.o platform.o sftp-server.o sftp-common.o \ roaming_common.o roaming_serv.o -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out @@ -2069,8 +2069,8 @@ diff -up openssh-5.6p1/Makefile.in.ldap openssh-5.6p1/Makefile.in tests interop-tests: $(TARGETS) diff -up openssh-5.6p1/openssh-lpk-openldap.schema.ldap openssh-5.6p1/openssh-lpk-openldap.schema ---- openssh-5.6p1/openssh-lpk-openldap.schema.ldap 2010-08-23 12:28:11.000000000 +0200 -+++ openssh-5.6p1/openssh-lpk-openldap.schema 2010-08-23 12:28:11.000000000 +0200 +--- openssh-5.6p1/openssh-lpk-openldap.schema.ldap 2010-09-25 12:07:40.000000000 +0200 ++++ openssh-5.6p1/openssh-lpk-openldap.schema 2010-09-25 12:07:40.000000000 +0200 @@ -0,0 +1,21 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey @@ -2094,8 +2094,8 @@ diff -up openssh-5.6p1/openssh-lpk-openldap.schema.ldap openssh-5.6p1/openssh-lp + MUST ( sshPublicKey $ uid ) + ) diff -up openssh-5.6p1/openssh-lpk-sun.schema.ldap openssh-5.6p1/openssh-lpk-sun.schema ---- openssh-5.6p1/openssh-lpk-sun.schema.ldap 2010-08-23 12:28:11.000000000 +0200 -+++ openssh-5.6p1/openssh-lpk-sun.schema 2010-08-23 12:28:11.000000000 +0200 +--- openssh-5.6p1/openssh-lpk-sun.schema.ldap 2010-09-25 12:07:40.000000000 +0200 ++++ openssh-5.6p1/openssh-lpk-sun.schema 2010-09-25 12:07:40.000000000 +0200 @@ -0,0 +1,23 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey @@ -2121,8 +2121,8 @@ diff -up openssh-5.6p1/openssh-lpk-sun.schema.ldap openssh-5.6p1/openssh-lpk-sun + MUST ( sshPublicKey $ uid ) + ) diff -up openssh-5.6p1/README.lpk.ldap openssh-5.6p1/README.lpk ---- openssh-5.6p1/README.lpk.ldap 2010-08-23 12:28:11.000000000 +0200 -+++ openssh-5.6p1/README.lpk 2010-08-23 12:28:11.000000000 +0200 +--- openssh-5.6p1/README.lpk.ldap 2010-09-25 12:07:40.000000000 +0200 ++++ openssh-5.6p1/README.lpk 2010-09-25 12:07:40.000000000 +0200 @@ -0,0 +1,274 @@ +OpenSSH LDAP PUBLIC KEY PATCH +Copyright (c) 2003 Eric AUGE (eau@phear.org) @@ -2399,8 +2399,8 @@ diff -up openssh-5.6p1/README.lpk.ldap openssh-5.6p1/README.lpk + Jan F. Chadima + diff -up openssh-5.6p1/ssh-ldap.conf.5.ldap openssh-5.6p1/ssh-ldap.conf.5 ---- openssh-5.6p1/ssh-ldap.conf.5.ldap 2010-08-23 12:28:11.000000000 +0200 -+++ openssh-5.6p1/ssh-ldap.conf.5 2010-08-23 12:28:11.000000000 +0200 +--- openssh-5.6p1/ssh-ldap.conf.5.ldap 2010-09-25 12:07:40.000000000 +0200 ++++ openssh-5.6p1/ssh-ldap.conf.5 2010-09-25 12:07:40.000000000 +0200 @@ -0,0 +1,373 @@ +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" @@ -2776,8 +2776,8 @@ diff -up openssh-5.6p1/ssh-ldap.conf.5.ldap openssh-5.6p1/ssh-ldap.conf.5 +.Sh AUTHORS +.An Jan F. Chadima Aq jchadima@redhat.com diff -up openssh-5.6p1/ssh-ldap-helper.8.ldap openssh-5.6p1/ssh-ldap-helper.8 ---- openssh-5.6p1/ssh-ldap-helper.8.ldap 2010-08-23 12:28:11.000000000 +0200 -+++ openssh-5.6p1/ssh-ldap-helper.8 2010-08-23 12:28:11.000000000 +0200 +--- openssh-5.6p1/ssh-ldap-helper.8.ldap 2010-09-25 12:07:40.000000000 +0200 ++++ openssh-5.6p1/ssh-ldap-helper.8 2010-09-25 12:07:40.000000000 +0200 @@ -0,0 +1,78 @@ +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" diff --git a/openssh.spec b/openssh.spec index cf6d850..49b1b79 100644 --- a/openssh.spec +++ b/openssh.spec @@ -71,7 +71,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %define openssh_ver 5.6p1 -%define openssh_rel 8 +%define openssh_rel 9 %define pam_ssh_agent_ver 0.9.2 %define pam_ssh_agent_rel 27 @@ -94,14 +94,16 @@ Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/p Source5: pam_ssh_agent-rmheaders Patch0: openssh-5.6p1-redhat.patch +#https://bugzilla.mindrot.org/show_bug.cgi?id=1402 +Patch1: openssh-5.6p1-audit.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 Patch4: openssh-5.2p1-vendor.patch Patch10: pam_ssh_agent_auth-0.9-build.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Patch12: openssh-5.4p1-selinux.patch Patch13: openssh-5.6p1-mls.patch -#https://bugzilla.mindrot.org/show_bug.cgi?id=1402 -Patch16: openssh-5.3p1-audit.patch +####https://bugzilla.mindrot.org/show_bug.cgi?id=1402 +###Patch16: openssh-5.3p1-audit.patch Patch18: openssh-5.4p1-pam_selinux.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1663 Patch20: openssh-5.6p1-authorized-keys-command.patch @@ -267,6 +269,7 @@ The module is most useful for su and sudo service stacks. %prep %setup -q -a 4 %patch0 -p1 -b .redhat +%patch1 -p1 -b .audit %patch4 -p1 -b .vendor %if %{pam_ssh_agent} @@ -281,7 +284,6 @@ popd #SELinux %patch12 -p1 -b .selinux %patch13 -p1 -b .mls -%patch16 -p1 -b .audit %patch18 -p1 -b .pam_selinux %endif @@ -369,7 +371,7 @@ fi --with-pam \ %endif %if %{WITH_SELINUX} - --with-selinux --with-linux-audit \ + --with-selinux --with-audit=linux \ %endif %if %{kerberos5} --with-kerberos5${krb5_prefix:+=${krb5_prefix}} \ @@ -585,6 +587,9 @@ fi %endif %changelog +* Wed Sep 29 2010 Jan F. Chadima - 5.6p1-9 + 0.9.2-27 +- audit module now uses openssh audit framevork + * Wed Sep 15 2010 Jan F. Chadima - 5.6p1-8 + 0.9.2-27 - Add the GSSAPI kuserok switch to the kuserok patch