rpms/openssh/FC-6 openssh-4.3p2-gssapi-canohost.patch, NONE, 1.1 openssh-4.3p2-pam-session.patch, 1.2, 1.3 openssh.spec, 1.98, 1.99
Thu Nov 30 11:01:17 UTC 2006
Author: tmraz
Update of /cvs/dist/rpms/openssh/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv4688
Modified Files:
openssh.spec
Added Files:
openssh-4.3p2-gssapi-canohost.patch
openssh-4.3p2-pam-session.patch
Log Message:
* Thu Nov 30 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-14
- fix gssapi with DNS loadbalanced clusters (#216857)
openssh-4.3p2-gssapi-canohost.patch:
sshconnect2.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletion(-)
--- NEW FILE openssh-4.3p2-gssapi-canohost.patch ---
Symptom: intermittent errors on GSSAPI authentication vs
machines on DNS loadbalancer, stupid client message "Generic Error",
server-side debug complains about unknown principal.
Comes from the fact that we resolve the generic DNS name once for
the connection, then again for getting the GSSAPI/Kerberos service
ticket. So the service ticket may be for a different host, if
the DNS alias switches in between the two resolves.
--- openssh-4.3p2/sshconnect2.c.gss-canohost 2006-11-28 21:58:03.000000000 +0100
+++ openssh-4.3p2/sshconnect2.c 2006-11-30 11:33:14.000000000 +0100
@@ -485,6 +485,7 @@
static u_int mech = 0;
OM_uint32 min;
int ok = 0;
+ const char* remotehost = get_canonical_hostname(1);
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
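Review bot: The new `remotehost` on the added line comes from `get_canonical_hostname(1)`, i.e. from the reverse lookup of the peer address, and neither this hunk nor the second one (where it replaces `authctxt->host` in the `ssh_gssapi_check_mechanism()` call) checks what came back. If I read canohost.c for this version correctly, that routine returns the numeric address when the PTR record is missing or does not map back to the peer address, so a cluster member without a matching PTR would now request a ticket for an IP-literal principal and fail where the old code worked; a fallback such as `if (strcmp(remotehost, get_remote_ipaddr()) == 0) remotehost = authctxt->host;` keeps the old behaviour in that case. It also moves the anchor for the service principal from the name the user typed to a DNS-derived name, which weakens the host-authentication property of GSSAPI mutual authentication against a poisoned reverse zone, so the declaration deserves a comment stating that trade-off and ideally a client option so administrators can opt in. Style nit: the file writes `const char *p`, not `const char* p`. The enclosing function starts before this hunk and continues after the second one.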
@@ -497,7 +498,7 @@
/* My DER encoding requires length<128 */
if (gss_supported->elements[mech].length < 128 &&
ssh_gssapi_check_mechanism(&gssctxt,
- &gss_supported->elements[mech], authctxt->host)) {
+ &gss_supported->elements[mech], remotehost)) {
ok = 1; /* Mechanism works */
} else {
mech++;
openssh-4.3p2-pam-session.patch:
auth-pam.c | 6 ++++--
monitor.c | 5 +++++
session.c | 29 -----------------------------
sshd.c | 16 +++++++++++++++-
4 files changed, 24 insertions(+), 32 deletions(-)
Index: openssh-4.3p2-pam-session.patch
===================================================================
RCS file: openssh-4.3p2-pam-session.patch
diff -N openssh-4.3p2-pam-session.patch
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ openssh-4.3p2-pam-session.patch 30 Nov 2006 11:01:11 -0000 1.3
@@ -0,0 +1,129 @@
+--- openssh-4.3p2/auth-pam.c.pam-session 2006-11-27 17:39:08.000000000 +0100
++++ openssh-4.3p2/auth-pam.c 2006-11-27 19:31:41.000000000 +0100
+@@ -563,15 +563,17 @@
+ void
+ sshpam_cleanup(void)
+ {
+- debug("PAM: cleanup");
+- if (sshpam_handle == NULL)
++ if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
+ return;
++ debug("PAM: cleanup");
+ pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
+ if (sshpam_cred_established) {
++ debug("PAM: deleting credentials");
+ pam_setcred(sshpam_handle, PAM_DELETE_CRED);
+ sshpam_cred_established = 0;
+ }
+ if (sshpam_session_open) {
++ debug("PAM: closing session");
+ pam_close_session(sshpam_handle, PAM_SILENT);
+ sshpam_session_open = 0;
+ }
+--- openssh-4.3p2/sshd.c.pam-session 2006-11-27 17:29:44.000000000 +0100
++++ openssh-4.3p2/sshd.c 2006-11-28 21:21:52.000000000 +0100
+@@ -1745,7 +1745,21 @@
+ audit_event(SSH_AUTH_SUCCESS);
+ #endif
+
+- /*
++#ifdef GSSAPI
++ if (options.gss_authentication) {
++ temporarily_use_uid(authctxt->pw);
++ ssh_gssapi_storecreds();
++ restore_uid();
++ }
++#endif
++#ifdef USE_PAM
++ if (options.use_pam) {
++ do_pam_setcred(1);
++ do_pam_session();
++ }
++#endif
++
++ /*
+ * In privilege separation, we fork another child and prepare
+ * file descriptor passing.
+ */
+--- openssh-4.3p2/monitor.c.pam-session 2006-11-27 17:29:44.000000000 +0100
++++ openssh-4.3p2/monitor.c 2006-11-28 14:01:23.000000000 +0100
+@@ -1539,6 +1539,11 @@
+ /* The child is terminating */
+ session_destroy_all(&mm_session_close);
+
++#ifdef USE_PAM
++ if (options.use_pam)
++ sshpam_cleanup();
++#endif
++
+ while (waitpid(pmonitor->m_pid, &status, 0) == -1)
+ if (errno != EINTR)
+ exit(1);
+--- openssh-4.3p2/session.c.pam-session 2006-11-27 17:29:43.000000000 +0100
++++ openssh-4.3p2/session.c 2006-11-28 21:17:56.000000000 +0100
+@@ -395,11 +395,6 @@
+
+ session_proctitle(s);
+
+-#if defined(USE_PAM)
+- if (options.use_pam && !use_privsep)
+- do_pam_setcred(1);
+-#endif /* USE_PAM */
+-
+ /* Fork the child. */
+ if ((pid = fork()) == 0) {
+ is_child = 1;
+@@ -530,14 +525,6 @@
+ ptyfd = s->ptyfd;
+ ttyfd = s->ttyfd;
+
+-#if defined(USE_PAM)
+- if (options.use_pam) {
+- do_pam_set_tty(s->tty);
+- if (!use_privsep)
+- do_pam_setcred(1);
+- }
+-#endif
+-
+ /* Fork the child. */
+ if ((pid = fork()) == 0) {
+ is_child = 1;
+@@ -1266,16 +1253,8 @@
+ # ifdef __bsdi__
+ setpgid(0, 0);
+ # endif
+-#ifdef GSSAPI
+- if (options.gss_authentication) {
+- temporarily_use_uid(pw);
+- ssh_gssapi_storecreds();
+- restore_uid();
+- }
+-#endif
+ # ifdef USE_PAM
+ if (options.use_pam) {
+- do_pam_session();
+ do_pam_setcred(0);
+ }
+ # endif /* USE_PAM */
+@@ -1303,13 +1282,6 @@
+ exit(1);
+ }
+ endgrent();
+-#ifdef GSSAPI
+- if (options.gss_authentication) {
+- temporarily_use_uid(pw);
+- ssh_gssapi_storecreds();
+- restore_uid();
+- }
+-#endif
+ # ifdef USE_PAM
+ /*
+ * PAM credentials may take the form of supplementary groups.
+@@ -1317,7 +1289,6 @@
+ * Reestablish them here.
+ */
+ if (options.use_pam) {
+- do_pam_session();
+ do_pam_setcred(0);
+ }
+ # endif /* USE_PAM */
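Review bot: The session.c pty hunk removes `do_pam_set_tty(s->tty)` together with the setcred call, and nothing added in the sshd.c hunk sets a PAM_TTY item before `do_pam_session()` now runs in the monitor, so as far as this patch shows session modules that key on the tty will see no tty at all; unless a hunk outside this file restores it, I would drop only the `do_pam_setcred(1)` line there and keep `do_pam_set_tty(s->tty)`, or hand the tty name to the monitor once it exists. `do_pam_session()` at the new sshd.c call site also now opens a PAM session for every successful authentication, including connections that never open a session channel, which is a behaviour change worth a comment there, e.g. `/* PAM session is opened once per connection in the monitor so pam_close_session runs as uid 0 */`. Each inner hunk's enclosing function starts and ends outside what is shown.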
Index: openssh.spec
===================================================================
RCS file: /cvs/dist/rpms/openssh/FC-6/openssh.spec,v
retrieving revision 1.98
retrieving revision 1.99
diff -u -r1.98 -r1.99
--- openssh.spec 10 Nov 2006 10:24:10 -0000 1.98
+++ openssh.spec 30 Nov 2006 11:01:11 -0000 1.99
@@ -61,7 +61,7 @@
Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
Name: openssh
Version: 4.3p2
-Release: 10.0%{?dist}%{?rescue_rel}
+Release: 14%{?dist}%{?rescue_rel}
URL: http://www.openssh.com/portable.html
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig
@@ -100,6 +100,8 @@
Patch46: openssh-3.9p1-cve-2006-5051.patch
Patch47: openssh-4.3p2-cve-2006-5794.patch
Patch48: openssh-4.3p2-initscript.patch
+Patch49: openssh-4.3p2-pam-session.patch
+Patch50: openssh-4.3p2-gssapi-canohost.patch
License: BSD
Group: Applications/Internet
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
@@ -237,6 +239,8 @@
%patch46 -p1 -b .sig-no-cleanup
%patch47 -p1 -b .verify
%patch48 -p1 -b .initscript
+%patch49 -p1 -b .pam-sesssion
+%patch50 -p1 -b .canohost
autoreconf
@@ -481,6 +485,13 @@
%endif
%changelog
+* Thu Nov 30 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-14
+- fix gssapi with DNS loadbalanced clusters (#216857)
+
+* Tue Nov 28 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-13
+- improved pam_session patch so it doesn't regress, the patch is necessary
+ for the pam_session_close to be called correctly as uid 0
+
* Fri Nov 10 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-10.0
- CVE-2006-5794 - properly detect failed key verify in monitor (#214642)
- kill all ssh sessions when stop is called in halt or reboot runlevel (#213008)
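Review bot: The backup suffix on the new `%patch49` line is misspelled, `-b .pam-sesssion` with three `s`; it only names the backup copy rpmbuild leaves behind, so the build is unaffected, but it diverges from the patch's own name and from the `.canohost` suffix on the line below, so I would change it to `%patch49 -p1 -b .pam-session`. The Release jump from 10.0 to 14 with changelog entries only for -13 and -14 is presumably because -11 and -12 were built on another branch; a one-line changelog note saying so would save the next reader a trip through the CVS log.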