rpms/openssh/FC-5 openssh-4.3p2-allow-ip-opts.patch, NONE, 1.1 openssh-4.3p2-askpass-grab-info.patch, NONE, 1.1 openssh-4.3p2-buffer-len.patch, NONE, 1.1 openssh-4.3p2-configure-typo.patch, NONE, 1.1 openssh-4.3p2-coverity-memleaks.patch, NONE, 1.1 openssh-4.3p2-gssapi-no-spnego.patch, NONE, 1.1 openssh-4.3p2-localtime.patch, NONE, 1.1 openssh-4.3p2-no-dup-logs.patch, NONE, 1.1 openssh-4.3p2-no-v6only.patch, NONE, 1.1 openssh-4.3p1-fromto-remote.patch, 1.1, 1.2 openssh-selinux.patch, 1.17, 1.18 openssh.spec, 1.90, 1.91

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed Sep 13 11:29:51 UTC 2006


Author: tmraz

Update of /cvs/dist/rpms/openssh/FC-5
In directory cvs.devel.redhat.com:/tmp/cvs-serv20564

Modified Files:
	openssh-4.3p1-fromto-remote.patch openssh-selinux.patch 
	openssh.spec 
Added Files:
	openssh-4.3p2-allow-ip-opts.patch 
	openssh-4.3p2-askpass-grab-info.patch 
	openssh-4.3p2-buffer-len.patch 
	openssh-4.3p2-configure-typo.patch 
	openssh-4.3p2-coverity-memleaks.patch 
	openssh-4.3p2-gssapi-no-spnego.patch 
	openssh-4.3p2-localtime.patch openssh-4.3p2-no-dup-logs.patch 
	openssh-4.3p2-no-v6only.patch 
Log Message:
* Wed Sep 13 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-4.1
- sync with FC6 version
- build for FC5


openssh-4.3p2-allow-ip-opts.patch:
 canohost.c |   23 +++++++++++++++++------
 1 files changed, 17 insertions(+), 6 deletions(-)

--- NEW FILE openssh-4.3p2-allow-ip-opts.patch ---
From: Paul Moore <paul.moore at hp.com>
Subject: OpenSSH: fix option handling on incoming connections

OpenSSH rejects incoming connections if any IP options are present when the
comments state that they are only concerned with source routing options.  This
connection rejection causes problems with CIPSO which uses IP options to tag
packets with security attributes.

This patch modifies the check_ip_options() function to only fail if loose or
strict source routing options are present, all other options are allowed.

Signed-off-by: Paul Moore <paul.moore at hp.com>

---
 canohost.c |   23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

Index: openssh-4.3p2/canohost.c
===================================================================
--- openssh-4.3p2.orig/canohost.c
+++ openssh-4.3p2/canohost.c
@@ -146,6 +146,7 @@ check_ip_options(int sock, char *ipaddr)
 	u_int i;
 	int ipproto;
 	struct protoent *ip;
+	u_int opt_iter;
 
 	if ((ip = getprotobyname("ip")) != NULL)
 		ipproto = ip->p_proto;
@@ -154,13 +155,23 @@ check_ip_options(int sock, char *ipaddr)
 	option_size = sizeof(options);
 	if (getsockopt(sock, ipproto, IP_OPTIONS, options,
 	    &option_size) >= 0 && option_size != 0) {
-		text[0] = '\0';
-		for (i = 0; i < option_size; i++)
-			snprintf(text + i*3, sizeof(text) - i*3,
-			    " %2.2x", options[i]);
-		fatal("Connection from %.100s with IP options:%.800s",
-		    ipaddr, text);
+		opt_iter = 0;
+		do {
+			/* Fail, fatally, if we detect either loose or strict
+			 * source routing options. */
+			if (options[opt_iter] == 131 ||
+			    options[opt_iter] == 137)
+				goto fail;
+			opt_iter += options[opt_iter + 1] + 2;
+		} while (opt_iter < option_size);
 	}
+	return;
+
+fail:
+	text[0] = '\0';
+	for (i = 0; i < option_size; i++)
+		snprintf(text + i*3, sizeof(text) - i*3, " %2.2x", options[i]);
+	fatal("Connection from %.100s with IP options:%.800s", ipaddr, text);
 #endif /* IP_OPTIONS */
 }
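Review bot: The do/while walk assumes every IP option is type/length/value, but IPv4 options 0 (End of Option List) and 1 (No Operation) are single octets under RFC 791, so a NOP in front of a loose or strict source route makes `options[opt_iter + 1]` read the source-route type as a length and step over the one option this check is meant to reject; and because the RFC 791 length octet already counts the type and length bytes, `opt_iter += options[opt_iter + 1] + 2` over-skips every other option by two, which can equally land the scan inside a following source-route option instead of on its type byte. The same read on the last received octet (`opt_iter == option_size - 1`) goes one past the data getsockopt() returned. The rewrite below handles 0/1 explicitly, bounds the length read and treats a length below 2 as malformed, reusing the existing `fail` label; the declaration of `opt_iter` and the start of check_ip_options sit in the previous hunk.
```c
		opt_iter = 0;
		while (opt_iter < option_size) {
			u_int opt_len;

			/* EOL ends the list; NOP is a one-octet pad. */
			if (options[opt_iter] == 0)
				break;
			if (options[opt_iter] == 1) {
				opt_iter++;
				continue;
			}
			/* Fail, fatally, if we detect either loose or strict
			 * source routing options. */
			if (options[opt_iter] == 131 ||
			    options[opt_iter] == 137)
				goto fail;
			/*
			 * Every other option carries a length octet that
			 * counts itself and the type octet; it must lie
			 * within the received data.
			 */
			if (opt_iter + 1 >= option_size)
				goto fail;
			opt_len = options[opt_iter + 1];
			if (opt_len < 2)
				goto fail;
			opt_iter += opt_len;
		}
	}
	return;

/* … unchanged: fail: label, hex dump of the options and fatal() … */
```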
 

openssh-4.3p2-askpass-grab-info.patch:
 gnome-ssh-askpass2.c |    9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)

--- NEW FILE openssh-4.3p2-askpass-grab-info.patch ---
--- openssh-4.3p2/contrib/gnome-ssh-askpass2.c.grab-info	2006-07-17 15:10:11.000000000 +0200
+++ openssh-4.3p2/contrib/gnome-ssh-askpass2.c	2006-07-17 15:25:04.000000000 +0200
@@ -65,9 +65,12 @@
 	err = gtk_message_dialog_new(NULL, 0,
 				     GTK_MESSAGE_ERROR,
 				     GTK_BUTTONS_CLOSE,
-				     "Could not grab %s. "
-				     "A malicious client may be eavesdropping "
-				     "on your session.", what);
+				     "SSH password dialog could not grab the %s input.\n"
+				     "This might be caused by application such as screensaver, "
+				     "however it could also mean that someone may be eavesdropping "
+				     "on your session.\n"
+				     "Either close the application which grabs the %s or "
+				     "log out and log in again to prevent this from happening.", what, what);
 	gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
 	gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(err))->label),
 				TRUE);
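Review bot: The rewritten dialog text reads awkwardly as a user-facing message: "caused by application such as screensaver" is missing its articles, and "the application which grabs the %s" changes tense relative to the sentence before it. Suggested literals: `"This might be caused by an application such as a screensaver, "` and `"Either close the application that grabbed the %s or "`. The argument list still matches the two `%s` conversions, so only the literal text changes.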

openssh-4.3p2-buffer-len.patch:
 buffer.c   |   59 +++++++++++++++++++++++++++++++++++++++++++++++------------
 buffer.h   |    5 ++---
 channels.c |    6 ++----
 3 files changed, 51 insertions(+), 19 deletions(-)

--- NEW FILE openssh-4.3p2-buffer-len.patch ---
Index: buffer.c
===================================================================
RCS file: /var/cvs/openssh/buffer.c,v
retrieving revision 1.26
diff -u -p -r1.26 buffer.c
--- buffer.c	26 Mar 2006 03:24:49 -0000	1.26
+++ buffer.c	5 Apr 2006 02:30:16 -0000
@@ -18,6 +18,10 @@
 #include "buffer.h"
 #include "log.h"
 
+#define	BUFFER_MAX_CHUNK	0x100000
+#define	BUFFER_MAX_LEN		0xa00000
+#define	BUFFER_ALLOCSZ		0x008000
+
 /* Initializes the buffer structure. */
 
 void
@@ -66,6 +70,23 @@ buffer_append(Buffer *buffer, const void
 	memcpy(p, data, len);
 }
 
+static int
+buffer_compact(Buffer *buffer)
+{
+	/*
+	 * If the buffer is quite empty, but all data is at the end, move the
+	 * data to the beginning.
+	 */
+	if (buffer->offset > MIN(buffer->alloc, BUFFER_MAX_CHUNK)) {
+		memmove(buffer->buf, buffer->buf + buffer->offset,
+			buffer->end - buffer->offset);
+		buffer->end -= buffer->offset;
+		buffer->offset = 0;
+		return (1);
+	}
+	return (0);
+}
+
 /*
  * Appends space to the buffer, expanding the buffer if necessary. This does
  * not actually copy the data into the buffer, but instead returns a pointer
@@ -93,20 +114,13 @@ restart:
 		buffer->end += len;
 		return p;
 	}
-	/*
-	 * If the buffer is quite empty, but all data is at the end, move the
-	 * data to the beginning and retry.
-	 */
-	if (buffer->offset > MIN(buffer->alloc, BUFFER_MAX_CHUNK)) {
-		memmove(buffer->buf, buffer->buf + buffer->offset,
-			buffer->end - buffer->offset);
-		buffer->end -= buffer->offset;
-		buffer->offset = 0;
+
+	/* Compact data back to the start of the buffer if necessary */
+	if (buffer_compact(buffer))
 		goto restart;
-	}
-	/* Increase the size of the buffer and retry. */
 
-	newlen = buffer->alloc + len + 32768;
+	/* Increase the size of the buffer and retry. */
+	newlen = roundup(buffer->alloc + len, BUFFER_ALLOCSZ);
 	if (newlen > BUFFER_MAX_LEN)
 		fatal("buffer_append_space: alloc %u not supported",
 		    newlen);
@@ -114,6 +128,27 @@ restart:
 	buffer->alloc = newlen;
 	goto restart;
 	/* NOTREACHED */
+}
+
+/*
+ * Check whether an allocation of 'len' will fit in the buffer
+ * This must follow the same math as buffer_append_space
+ */
+int
+buffer_check_alloc(Buffer *buffer, u_int len)
+{
+	if (buffer->offset == buffer->end) {
+		buffer->offset = 0;
+		buffer->end = 0;
+	}
+ restart:
+	if (buffer->end + len < buffer->alloc)
+		return (1);
+	if (buffer_compact(buffer))
+		goto restart;
+	if (roundup(buffer->alloc + len, BUFFER_ALLOCSZ) <= BUFFER_MAX_LEN)
+		return (1);
+	return (0);
 }
 
 /* Returns the number of bytes of data in the buffer. */
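Review bot: buffer_check_alloc is not a pure query: it resets `offset`/`end` when the buffer is drained and may memmove the contents through buffer_compact(), so any pointer a caller took from buffer_ptr() before the call is stale afterwards, and the header comment should say so, e.g. `/* May compact the buffer in place; pointers obtained earlier from buffer_ptr() are invalid afterwards. */`. The new caller in channel_pre_open (channels.c hunk) runs it on every select() pass, so that side effect is now exercised routinely rather than only on growth. buffer_append_space presumably rejects a len above BUFFER_MAX_CHUNK before reaching the roundup (that check lies outside the hunk), but buffer_check_alloc has no such guard, so `buffer->alloc + len` can wrap for an oversized len; harmless for the CHAN_RBUF caller, but a `if (len > BUFFER_MAX_CHUNK) return (0);` at the top would keep the two functions' math aligned as the comment promises.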
Index: buffer.h
===================================================================
RCS file: /var/cvs/openssh/buffer.h,v
retrieving revision 1.14
diff -u -p -r1.14 buffer.h
--- buffer.h	26 Mar 2006 03:30:01 -0000	1.14
+++ buffer.h	4 Apr 2006 00:39:16 -0000
@@ -23,9 +23,6 @@ typedef struct {
 	u_int	 end;		/* Offset of last byte containing data. */
 }       Buffer;
 
-#define	BUFFER_MAX_CHUNK	0x100000
-#define	BUFFER_MAX_LEN		0xa00000
-
 void	 buffer_init(Buffer *);
 void	 buffer_clear(Buffer *);
 void	 buffer_free(Buffer *);
@@ -35,6 +32,8 @@ void	*buffer_ptr(Buffer *);
 
 void	 buffer_append(Buffer *, const void *, u_int);
 void	*buffer_append_space(Buffer *, u_int);
+
+int	 buffer_check_alloc(Buffer *, u_int);
 
 void	 buffer_get(Buffer *, void *, u_int);
 
Index: channels.c
===================================================================
RCS file: /var/cvs/openssh/channels.c,v
retrieving revision 1.228
diff -u -p -r1.228 channels.c
--- channels.c	31 Mar 2006 12:11:44 -0000	1.228
+++ channels.c	5 Apr 2006 02:30:36 -0000
@@ -747,12 +747,10 @@ channel_pre_open(Channel *c, fd_set *rea
 {
 	u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
 
-	/* check buffer limits */
-	limit = MIN(limit, (BUFFER_MAX_LEN - BUFFER_MAX_CHUNK - CHAN_RBUF));
-
 	if (c->istate == CHAN_INPUT_OPEN &&
 	    limit > 0 &&
-	    buffer_len(&c->input) < limit)
+	    buffer_len(&c->input) < limit &&
+	    buffer_check_alloc(&c->input, CHAN_RBUF))
 		FD_SET(c->rfd, readset);
 	if (c->ostate == CHAN_OUTPUT_OPEN ||
 	    c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {

openssh-4.3p2-configure-typo.patch:
 configure.ac |    1 +
 1 files changed, 1 insertion(+)

--- NEW FILE openssh-4.3p2-configure-typo.patch ---
--- openssh-4.3p2/configure.ac.typo	2006-07-17 13:29:27.000000000 +0200
+++ openssh-4.3p2/configure.ac	2006-07-17 13:29:45.000000000 +0200
@@ -1608,6 +1608,7 @@
 			AC_MSG_RESULT(no)
 			AC_DEFINE(BROKEN_GETADDRINFO)
 		],
+		[
 			AC_MSG_RESULT(cross-compiling, assuming no)
 		]
 	)

openssh-4.3p2-coverity-memleaks.patch:
 auth2-gss.c  |    2 ++
 gss-genr.c   |   14 +++++++++++---
 gss-serv.c   |    2 ++
 monitor.c    |    4 ++++
 serverloop.c |    1 +
 sftp.c       |    6 ++++--
 6 files changed, 24 insertions(+), 5 deletions(-)

--- NEW FILE openssh-4.3p2-coverity-memleaks.patch ---
Some memleaks fixes from coverity scan taken from upstream CVS
--- openssh/auth2-gss.c	2005/11/05 05:07:05	1.13
+++ openssh/auth2-gss.c	2006/03/25 14:04:53	1.14
@@ -100,6 +100,8 @@
 	}
 
 	if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
+		if (ctxt != NULL)
+			ssh_gssapi_delete_ctx(&ctxt);
 		xfree(doid);
 		return (0);
 	}
--- openssh/gss-genr.c	2005/11/05 05:07:05	1.7
+++ openssh/gss-genr.c	2006/03/25 14:05:23	1.8
@@ -72,7 +72,11 @@
 void
 ssh_gssapi_error(Gssctxt *ctxt)
 {
-	debug("%s", ssh_gssapi_last_error(ctxt, NULL, NULL));
+	char *s;
+
+	s = ssh_gssapi_last_error(ctxt, NULL, NULL);
+	debug("%s", s);
+	xfree(s);
 }
 
 char *
@@ -231,11 +235,15 @@
 	gss_create_empty_oid_set(&status, &oidset);
 	gss_add_oid_set_member(&status, ctx->oid, &oidset);
 
-	if (gethostname(lname, MAXHOSTNAMELEN))
+	if (gethostname(lname, MAXHOSTNAMELEN)) {
+		gss_release_oid_set(&status, &oidset);
 		return (-1);
+	}
 
-	if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname)))
+	if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
+		gss_release_oid_set(&status, &oidset);
 		return (ctx->major);
+	}
 
 	if ((ctx->major = gss_acquire_cred(&ctx->minor,
 	    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
--- openssh/gss-serv.c	2006/03/15 01:20:04	1.14
+++ openssh/gss-serv.c	2006/03/25 14:05:44	1.15
@@ -78,6 +78,8 @@
 			    &supported_mechs[i]->oid, oidset);
 		i++;
 	}
+
+	gss_release_oid_set(&min_status, &supported);
 }
 
 
--- openssh/monitor.c	2006/03/26 03:58:56	1.96
+++ openssh/monitor.c	2006/03/26 04:01:55	1.97
@@ -1021,6 +1021,10 @@
 		key_blobtype = type;
 		hostbased_cuser = cuser;
 		hostbased_chost = chost;
+	} else {
+		xfree(blob);
+		xfree(cuser);
+		xfree(chost);
 	}
 
 	debug3("%s: key %p is %s",
--- openssh/sftp.c	2006/03/25 14:03:23	1.82
+++ openssh/sftp.c	2006/03/26 03:51:44	1.83
@@ -548,6 +548,7 @@
 
 		if (g.gl_matchc == 1 && dst) {
 			/* If directory specified, append filename */
+			xfree(tmp);
 			if (is_dir(dst)) {
 				if (infer_path(g.gl_pathv[0], &tmp)) {
 					err = 1;
@@ -572,8 +573,6 @@
 
 out:
 	xfree(abs_src);
-	if (abs_dst)
-		xfree(abs_dst);
 	globfree(&g);
 	return(err);
 }
@@ -1289,6 +1288,7 @@
 			if (parse_dispatch_command(conn, cmd, &pwd, 1) != 0) {
 				xfree(dir);
 				xfree(pwd);
+				xfree(conn);
 				return (-1);
 			}
 		} else {
@@ -1301,6 +1301,7 @@
 			err = parse_dispatch_command(conn, cmd, &pwd, 1);
 			xfree(dir);
 			xfree(pwd);
+			xfree(conn);
 			return (err);
 		}
 		xfree(dir);
@@ -1365,6 +1366,7 @@
 			break;
 	}
 	xfree(pwd);
+	xfree(conn);
 
 #ifdef USE_LIBEDIT
 	if (el != NULL)
--- openssh/serverloop.c	2006/03/25 14:03:23	1.131
+++ openssh/serverloop.c	2006/03/26 03:51:09	1.132
@@ -1090,6 +1090,7 @@
 
 		success = channel_cancel_rport_listener(cancel_address,
 		    cancel_port);
+		xfree(cancel_address);
 	}
 	if (want_reply) {
 		packet_start(success ?


openssh-4.3p2-gssapi-no-spnego.patch:
 gss-genr.c    |   29 +++++++++++++++++++++++++++++
 ssh-gss.h     |    1 +
 sshconnect2.c |    9 ++-------
 3 files changed, 32 insertions(+), 7 deletions(-)

--- NEW FILE openssh-4.3p2-gssapi-no-spnego.patch ---
--- openssh/gss-genr.c	2006/08/05 02:39:40	1.15
+++ openssh/gss-genr.c	2006/08/18 14:33:34	1.16
@@ -289,6 +289,35 @@
 	ssh_gssapi_build_ctx(ctx);
 	ssh_gssapi_set_oid(*ctx, oid);
 	return (ssh_gssapi_acquire_cred(*ctx));
+}
+
+int
+ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
+{
+	gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
+	OM_uint32 major, minor;
+	gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};
+
+	/* RFC 4462 says we MUST NOT do SPNEGO */
+	if (oid->length == spnego_oid.length && 
+	    (memcmp(oid->elements, spnego_oid.elements, oid->length) == 0))
+		return 0;
+
+	ssh_gssapi_build_ctx(ctx);
+	ssh_gssapi_set_oid(*ctx, oid);
+	major = ssh_gssapi_import_name(*ctx, host);
+	if (!GSS_ERROR(major)) {
+		major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, 
+		    NULL);
+		gss_release_buffer(&minor, &token);
+		gss_delete_sec_context(&minor, &(*ctx)->context, 
+		    GSS_C_NO_BUFFER);
+	}
+
+	if (GSS_ERROR(major)) 
+		ssh_gssapi_delete_ctx(ctx);
+
+	return (!GSS_ERROR(major));
 }
 
 #endif /* GSSAPI */
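Review bot: ssh_gssapi_check_mechanism has no header comment and its contract is easy to misuse: it calls ssh_gssapi_build_ctx(ctx) unconditionally, so it expects `*ctx` to be NULL on entry (the old sshconnect2.c loop deleted the previous context itself; this version relies on the failure path's ssh_gssapi_delete_ctx to leave it NULL for the next iteration), and on success it hands the caller `*ctx` with the acquired credentials while the probe's security context has already been deleted. It also turns the usability check from a name import into a full init_sec_context round, which for Kerberos-style mechanisms typically means contacting the KDC for a service ticket before the mechanism is even offered; that side effect belongs in the comment so it is not a surprise. A short comment above the function should cover: SPNEGO refused per RFC 4462, `*ctx` must be NULL on entry, on failure `*ctx` is deleted and 0 returned, on success 1 is returned and the caller owns `*ctx`. Several added lines end in trailing whitespace (`&& `, `&token, `, `context, `, `major) `).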
--- openssh/ssh-gss.h	2006/08/05 02:39:40	1.9
+++ openssh/ssh-gss.h	2006/08/18 14:33:34	1.10
@@ -118,6 +118,7 @@
 OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
 OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
 void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
+int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
 
 /* In the server */
 int ssh_gssapi_userok(char *name);
--- openssh/sshconnect2.c	2006/08/05 02:39:41	1.150
+++ openssh/sshconnect2.c	2006/08/18 14:33:34	1.151
@@ -508,15 +508,10 @@
 
 	/* Check to see if the mechanism is usable before we offer it */
 	while (mech < gss_supported->count && !ok) {
-		if (gssctxt)
-			ssh_gssapi_delete_ctx(&gssctxt);
-		ssh_gssapi_build_ctx(&gssctxt);
-		ssh_gssapi_set_oid(gssctxt, &gss_supported->elements[mech]);
-
 		/* My DER encoding requires length<128 */
 		if (gss_supported->elements[mech].length < 128 &&
-		    !GSS_ERROR(ssh_gssapi_import_name(gssctxt,
-		    authctxt->host))) {
+		    ssh_gssapi_check_mechanism(&gssctxt, 
+		    &gss_supported->elements[mech], authctxt->host)) {
 			ok = 1; /* Mechanism works */
 		} else {
 			mech++;

openssh-4.3p2-localtime.patch:
 sshd.init |    2 ++
 1 files changed, 2 insertions(+)

--- NEW FILE openssh-4.3p2-localtime.patch ---
--- openssh-4.3p2/contrib/redhat/sshd.init.localtime	2006-08-23 14:50:05.000000000 +0200
+++ openssh-4.3p2/contrib/redhat/sshd.init	2006-08-23 22:08:13.000000000 +0200
@@ -102,6 +102,8 @@
 	do_rsa1_keygen
 	do_rsa_keygen
 	do_dsa_keygen
+	
+	cp -af /etc/localtime /var/empty/sshd/etc
 
 	echo -n $"Starting $prog: "
 	$SSHD $OPTIONS && success || failure
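Review bot: `cp -af` preserves symbolic links, so if /etc/localtime is a symlink into /usr/share/zoneinfo the copy inside the /var/empty/sshd chroot is a dangling link and the privsep child chrooted there still cannot resolve local time; dereferencing while keeping the mode is what is wanted, e.g. `cp -pfL /etc/localtime /var/empty/sshd/etc/localtime`. The added blank line before it carries a stray tab. The spec in this commit creates /var/empty/sshd/etc and ghosts the localtime file, so the destination directory exists whenever the server package is installed.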

openssh-4.3p2-no-dup-logs.patch:
 auth.c    |   42 ++++++------------------------------------
 monitor.c |   18 +++++++++++++++---
 2 files changed, 21 insertions(+), 39 deletions(-)

--- NEW FILE openssh-4.3p2-no-dup-logs.patch ---
Don't log duplicate auth messages in the system log.
--- openssh-4.3p2/auth.c.no-dups	2006-08-23 14:50:05.000000000 +0200
+++ openssh-4.3p2/auth.c	2006-08-23 14:51:14.000000000 +0200
@@ -55,6 +55,7 @@
 
 /* import */
 extern ServerOptions options;
+extern int use_privsep;
 extern Buffer loginmsg;
 
 /* Debugging messages */
@@ -231,6 +232,9 @@
 	void (*authlog) (const char *fmt,...) = verbose;
 	char *authmsg;
 
+	if (use_privsep && !mm_is_monitor() && !authctxt->postponed)
+		return;
+
 	/* Raise logging level */
 	if (authenticated == 1 ||
 	    !authctxt->valid ||
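Review bot: The added early return makes auth_log a no-op in the unprivileged privsep child for anything not postponed, which also skips the SSH_AUDIT_EVENTS block further down this function (second auth.c hunk), so both syslog and audit for a failed attempt now depend entirely on the monitor reaching auth_log through a MON_AUTHDECIDE or MON_ALOG dispatch entry or an explicit call such as the one added in mm_answer_keyallowed; a method whose failure is decided in the child without such a round-trip is neither logged nor audited. That contract deserves a comment on the return, e.g. `/* Under privsep the monitor logs and audits every attempt (MON_AUTHDECIDE/MON_ALOG); the child only reports postponed ones. */`. The second hunk also drops the `default:` diagnostic for an unclassified audit event; unless audit_event() rejects unknown values itself, that error is now silent.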
@@ -267,42 +271,8 @@
 	}
 #endif
 #ifdef SSH_AUDIT_EVENTS
-	if (authenticated == 0 && !authctxt->postponed) {
-		ssh_audit_event_t event;
-
-		debug3("audit failed auth attempt, method %s euid %d",
-		    method, (int)geteuid());
-		/*
-		 * Because the auth loop is used in both monitor and slave,
-		 * we must be careful to send each event only once and with
-		 * enough privs to write the event.
-		 */
-		event = audit_classify_auth(method);
-		switch(event) {
-		case SSH_AUTH_FAIL_NONE:
-		case SSH_AUTH_FAIL_PASSWD:
-		case SSH_AUTH_FAIL_KBDINT:
-			if (geteuid() == 0)
-				audit_event(event);
-			break;
-		case SSH_AUTH_FAIL_PUBKEY:
-		case SSH_AUTH_FAIL_HOSTBASED:
-		case SSH_AUTH_FAIL_GSSAPI:
-			/*
-			 * This is required to handle the case where privsep
-			 * is enabled but it's root logging in, since
-			 * use_privsep won't be cleared until after a
-			 * successful login.
-			 */
-			if (geteuid() == 0)
-				audit_event(event);
-			else
-				PRIVSEP(audit_event(event));
-			break;
-		default:
-			error("unknown authentication audit event %d", event);
-		}
-	}
+	if (authenticated == 0 && !authctxt->postponed)
+		audit_event(audit_classify_auth(method));
 #endif
 }
 
--- openssh-4.3p2/monitor.c.no-dups	2006-08-23 14:50:42.000000000 +0200
+++ openssh-4.3p2/monitor.c	2006-08-23 14:51:14.000000000 +0200
@@ -172,6 +172,7 @@
 #define MON_ISAUTH	0x0004	/* Required for Authentication */
 #define MON_AUTHDECIDE	0x0008	/* Decides Authentication */
 #define MON_ONCE	0x0010	/* Disable after calling */
+#define MON_ALOG	0x0020	/* Log auth attempt without authenticating */
 
 #define MON_AUTH	(MON_ISAUTH|MON_AUTHDECIDE)
 
@@ -233,8 +234,8 @@
     {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
     {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
-    {MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH, mm_answer_rsa_keyallowed},
-    {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
+    {MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH|MON_ALOG, mm_answer_rsa_keyallowed},
+    {MONITOR_REQ_KEYALLOWED, MON_ISAUTH|MON_ALOG, mm_answer_keyallowed},
     {MONITOR_REQ_RSACHALLENGE, MON_ONCE, mm_answer_rsa_challenge},
     {MONITOR_REQ_RSARESPONSE, MON_ONCE|MON_AUTHDECIDE, mm_answer_rsa_response},
 #ifdef BSD_AUTH
@@ -328,6 +329,7 @@
 
 	/* The first few requests do not require asynchronous access */
 	while (!authenticated) {
+		auth_method = "unknown";
 		authenticated = monitor_read(pmonitor, mon_dispatch, &ent);
 		if (authenticated) {
 			if (!(ent->flags & MON_AUTHDECIDE))
@@ -350,7 +352,7 @@
 #endif
 		}
 
-		if (ent->flags & MON_AUTHDECIDE) {
+		if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
 			auth_log(authctxt, authenticated, auth_method,
 			    compat20 ? " ssh2" : "");
 			if (!authenticated)
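Review bot: With MON_ALOG on MONITOR_REQ_KEYALLOWED (table hunk above, which from its SESSKEY/RSACHALLENGE neighbours appears to be the protocol 1 dispatch), this branch calls auth_log with the value monitor_read returned from mm_answer_keyallowed, which is 0 whether or not the key was allowed if that function still returns 0 unconditionally (its return is outside the hunk), so an allowed rhosts-rsa key is logged as a failure before the challenge even starts and, via the `if (!authenticated)` that follows, presumably counts toward the failure limit. For a disallowed key the attempt is then logged twice, once here and once by the auth_log added to mm_answer_keyallowed's else branch (second-to-last monitor.c hunk), which is the duplication this patch set out to remove. One of the two should go; since mm_answer_keyallowed now logs its own failures, `{MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},` in the table is the smaller change. MON_ALOG on RSAKEYALLOWED has the same allowed-but-logged-as-failed shape unless mm_answer_rsa_keyallowed reports an allowed key through its return value.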
@@ -360,6 +362,8 @@
 
 	if (!authctxt->valid)
 		fatal("%s: authenticated invalid user", __func__);
+	if (strcmp(auth_method, "unknown") == 0)
+		fatal("%s: authentication method name unknown", __func__);
 
 	debug("%s: %s has been authenticated by privileged process",
 	    __func__, authctxt->user);
@@ -913,6 +917,7 @@
 		xfree(prompts);
 	if (echo_on != NULL)
 		xfree(echo_on);
+	auth_method = "keyboard-interactive/pam";
 	mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
 	return (0);
 }
@@ -955,6 +960,7 @@
 	(sshpam_device.free_ctx)(sshpam_ctxt);
 	buffer_clear(m);
 	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+	auth_method = "keyboard-interactive/pam";
 	return (sshpam_authok == sshpam_ctxt);
 }
 #endif
@@ -1000,17 +1006,20 @@
 		case MM_USERKEY:
 			allowed = options.pubkey_authentication &&
 			    user_key_allowed(authctxt->pw, key);
+			auth_method = "publickey";
 			break;
 		case MM_HOSTKEY:
 			allowed = options.hostbased_authentication &&
 			    hostbased_key_allowed(authctxt->pw,
 			    cuser, chost, key);
+			auth_method = "hostbased";
 			break;
 		case MM_RSAHOSTKEY:
 			key->type = KEY_RSA1; /* XXX */
 			allowed = options.rhosts_rsa_authentication &&
 			    auth_rhosts_rsa_key_allowed(authctxt->pw,
 			    cuser, chost, key);
+			auth_method = "rsa";
 			break;
 		default:
 			fatal("%s: unknown key type %d", __func__, type);
@@ -1031,6 +1040,8 @@
 		hostbased_cuser = cuser;
 		hostbased_chost = chost;
 	} else {
+		/* Log failed attempt */
+		auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : "");
 		xfree(blob);
 		xfree(cuser);
 		xfree(chost);
@@ -1398,6 +1409,7 @@
 
 	debug3("%s entering", __func__);
 
+	auth_method = "rsa";
 	if (options.rsa_authentication && authctxt->valid) {
 		if ((client_n = BN_new()) == NULL)
 			fatal("%s: BN_new", __func__);

openssh-4.3p2-no-v6only.patch:
 channels.c |    2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE openssh-4.3p2-no-v6only.patch ---
--- openssh-4.3p2/channels.c.no-v6only	2006-07-17 15:39:31.000000000 +0200
+++ openssh-4.3p2/channels.c	2006-08-08 12:44:51.000000000 +0200
@@ -2794,7 +2794,7 @@
 				}
 			}
 #ifdef IPV6_V6ONLY
-			if (ai->ai_family == AF_INET6) {
+			if (x11_use_localhost && ai->ai_family == AF_INET6) {
 				int on = 1;
 				if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0)
 					error("setsockopt IPV6_V6ONLY: %.100s", strerror(errno));
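Review bot: The condition now leaves IPV6_V6ONLY at the system default in the wildcard case, so the AF_INET6 socket may accept IPv4-mapped connections and the later AF_INET bind on the same port can fail with EADDRINUSE; the code that handles that bind failure is outside the hunk and determines whether the display still comes up. A comment would keep the next reader from restoring the old behaviour, e.g. `/* Only isolate the socket when bound to loopback; on the wildcard address leave IPV6_V6ONLY at the system default (#201594). */`.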

openssh-4.3p1-fromto-remote.patch:
 scp.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletion(-)

Index: openssh-4.3p1-fromto-remote.patch
===================================================================
RCS file: /cvs/dist/rpms/openssh/FC-5/openssh-4.3p1-fromto-remote.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- openssh-4.3p1-fromto-remote.patch	1 Feb 2006 16:19:54 -0000	1.1
+++ openssh-4.3p1-fromto-remote.patch	13 Sep 2006 11:29:49 -0000	1.2
@@ -1,11 +1,15 @@
---- openssh-4.3p1/scp.c.fromto-remote	2006-01-31 12:11:38.000000000 +0100
-+++ openssh-4.3p1/scp.c	2006-02-01 16:59:46.000000000 +0100
-@@ -446,7 +446,7 @@
+--- openssh-4.3p2/scp.c.fromto-remote	2006-01-31 12:11:38.000000000 +0100
++++ openssh-4.3p2/scp.c	2006-04-14 10:09:56.000000000 +0200
+@@ -446,7 +446,11 @@
  				addargs(&alist, "-v");
  			addargs(&alist, "-x");
  			addargs(&alist, "-oClearAllForwardings yes");
 -			addargs(&alist, "-n");
-+			addargs(&alist, "-t");
++			if (isatty(fileno(stdin))) {
++				addargs(&alist, "-t");
++			} else {
++				addargs(&alist, "-n");
++			}
  
  			*src++ = 0;
  			if (*src == 0)

openssh-selinux.patch:
 Makefile.in              |    5 +-
 auth.h                   |    1 
 auth1.c                  |   10 +++++
 auth2.c                  |   10 ++++-
 configure.ac             |   23 ++++++++++++
 contrib/redhat/sshd.init |    9 +++++
 monitor.c                |   20 +++++++++++
 monitor.h                |    2 -
 monitor_wrap.c           |   17 +++++++++
 monitor_wrap.h           |    1 
 selinux.c                |   84 +++++++++++++++++++++++++++++++++++++++++++++++
 selinux.h                |   10 +++++
 session.c                |    4 ++
 sshpty.c                 |    4 ++
 14 files changed, 194 insertions(+), 6 deletions(-)

Index: openssh-selinux.patch
===================================================================
RCS file: /cvs/dist/rpms/openssh/FC-5/openssh-selinux.patch,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- openssh-selinux.patch	18 Oct 2005 20:57:58 -0000	1.17
+++ openssh-selinux.patch	13 Sep 2006 11:29:49 -0000	1.18
@@ -319,7 +319,7 @@
  			if (errno == EROFS &&
 --- openssh-4.2p1/configure.ac.selinux	2005-10-18 15:50:12.000000000 -0400
 +++ openssh-4.2p1/configure.ac	2005-10-18 15:50:12.000000000 -0400
-@@ -2667,6 +2667,20 @@
+@@ -2667,6 +2667,28 @@
  			[#include <arpa/nameser.h>])
  	])
  
@@ -327,8 +327,16 @@
 +SELINUX_MSG="no"
 +LIBSELINUX=""
 +AC_ARG_WITH(selinux,
-+	[  --with-selinux   Enable SELinux support],
++	[  --with-selinux[[=LIBSELINUX-PATH]]   Enable SELinux support],
 +	[ if test "x$withval" != "xno" ; then
++		if test "x$withval" != "xyes"; then
++			CPPFLAGS="$CPPFLAGS -I${withval}/include"
++			if test -n "${need_dash_r}"; then
++				LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
++			else
++				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
++			fi
++               fi 
 +		AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
 +		SELINUX_MSG="yes"
 +		AC_CHECK_HEADERS(selinux.h)
@@ -340,7 +348,7 @@
  # Check whether user wants Kerberos 5 support
  KRB5_MSG="no"
  AC_ARG_WITH(kerberos5,
-@@ -3459,6 +3473,7 @@
+@@ -3459,6 +3481,7 @@
  echo "                    Manpage format: $MANTYPE"
  echo "                       PAM support: $PAM_MSG"
  echo "                 KerberosV support: $KRB5_MSG"
@@ -397,7 +405,7 @@
 +extern void setup_selinux_pty(const char *name, const char *tty);
 +extern void setup_selinux_exec_context(const char *name);
 +#else
-+inline void setup_selinux_pty(const char *name, const char *tty) {}
-+inline void setup_selinux_exec_context(const char *name) {} 
++static inline void setup_selinux_pty(const char *name, const char *tty) {}
++static inline void setup_selinux_exec_context(const char *name) {} 
 +#endif /* WITH_SELINUX */
 +#endif /* __SELINUX_H_ */


Index: openssh.spec
===================================================================
RCS file: /cvs/dist/rpms/openssh/FC-5/openssh.spec,v
retrieving revision 1.90
retrieving revision 1.91
diff -u -r1.90 -r1.91
--- openssh.spec	2 Mar 2006 21:37:28 -0000	1.90
+++ openssh.spec	13 Sep 2006 11:29:49 -0000	1.91
@@ -2,6 +2,8 @@
 %if %{WITH_SELINUX}
 # Audit patch applicable only over SELinux patch
 %define WITH_AUDIT 1
+%else
+%define WITH_AUDIT 0
 %endif
 
 # OpenSSH privilege separation requires a user & group ID
@@ -49,21 +51,17 @@
 # Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
 %define rescue 0
 %{?build_rescue:%define rescue 1}
+%{?build_rescue:%define rescue_rel rescue}
 
 # Turn off some stuff for resuce builds
 %if %{rescue}
 %define kerberos5 0
 %endif
 
-Summary: The OpenSSH implementation of SSH protocol versions 1 and 2.
+Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: 4.3p2
-%define rel 4
-%if %{rescue}
-%define %{rel}rescue
-%else
-Release: %{rel}
-%endif
+Release: 4.1%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig
@@ -89,36 +87,43 @@
 Patch30: openssh-4.0p1-exit-deadlock.patch
 Patch31: openssh-3.9p1-skip-used.patch
 Patch35: openssh-4.2p1-askpass-progress.patch
+Patch36: openssh-4.3p2-buffer-len.patch
+Patch37: openssh-4.3p2-configure-typo.patch
+Patch38: openssh-4.3p2-askpass-grab-info.patch
+Patch39: openssh-4.3p2-no-v6only.patch
+Patch40: openssh-4.3p2-coverity-memleaks.patch
+Patch41: openssh-4.3p2-gssapi-no-spnego.patch
+Patch42: openssh-4.3p2-no-dup-logs.patch
+Patch43: openssh-4.3p2-localtime.patch
+Patch44: openssh-4.3p2-allow-ip-opts.patch
 License: BSD
 Group: Applications/Internet
 BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
-Obsoletes: ssh
 %if %{nologin}
 Requires: /sbin/nologin
 %endif
 
-PreReq: initscripts >= 5.20
+Requires: initscripts >= 5.20
 
 %if ! %{no_gnome_askpass}
 %if %{gtk2}
-BuildPreReq: gtk2-devel
-BuildPreReq: libX11-devel
+BuildRequires: gtk2-devel
+BuildRequires: libX11-devel
 %else
-BuildPreReq: gnome-libs-devel
+BuildRequires: gnome-libs-devel
 %endif
 %endif
 
 %if %{scard}
-BuildPreReq: sharutils
+BuildRequires: sharutils
 %endif
-BuildPreReq: autoconf, automake, openssl-devel, perl, tcp_wrappers, zlib-devel
-BuildPreReq: audit-libs-devel
-BuildPreReq: util-linux, groff, man
-
-BuildPreReq: pam-devel
+BuildRequires: autoconf, automake, openssl-devel, perl, tcp_wrappers, zlib-devel
+BuildRequires: audit-libs-devel
+BuildRequires: util-linux, groff, man
+BuildRequires: pam-devel
 
 %if %{kerberos5}
-BuildPreReq: krb5-devel
+BuildRequires: krb5-devel
 %endif
 
 %if %{WITH_SELINUX}
@@ -131,25 +136,27 @@
 BuildRequires: audit-libs >= 1.0.8
 %endif
 
+BuildRequires: xauth
+
 %package clients
-Summary: OpenSSH clients.
+Summary: The OpenSSH client applications
 Requires: openssh = %{version}-%{release}
 Group: Applications/Internet
-Obsoletes: ssh-clients
 
 %package server
-Summary: The OpenSSH server daemon.
+Summary: The OpenSSH server daemon
 Group: System Environment/Daemons
-Obsoletes: ssh-server
-PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9, /usr/sbin/useradd
+Requires: openssh = %{version}-%{release}
+Requires(post): chkconfig >= 0.9, /sbin/service
+Requires(pre): /usr/sbin/useradd
 Requires: /etc/pam.d/system-auth, /%{_lib}/security/pam_loginuid.so
-BuildRequires: xorg-x11-xauth
 
 %package askpass
-Summary: A passphrase dialog for OpenSSH and X.
+Summary: A passphrase dialog for OpenSSH and X
 Group: Applications/Internet
 Requires: openssh = %{version}-%{release}
-Obsoletes: ssh-extras, openssh-askpass-gnome
+Obsoletes: openssh-askpass-gnome
+Provides: openssh-askpass-gnome
 
 %description
 SSH (Secure SHell) is a program for logging into and executing
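Review bot: `Requires(post): chkconfig >= 0.9, /sbin/service` covers installation only; if the server's %preun/%postun scriptlets (outside this hunk) still run `chkconfig --del` and `/sbin/service sshd stop` or `condrestart`, the same dependencies are needed as `Requires(preun): chkconfig, /sbin/service` and `Requires(postun): /sbin/service`, otherwise rpm may order chkconfig or initscripts out before the sshd scriptlets run during an erase or upgrade. The removed `PreReq:` line did not distinguish these phases, so this is worth checking against the scriptlets rather than assumed.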
@@ -213,6 +220,15 @@
 %patch30 -p1 -b .exit-deadlock
 %patch31 -p1 -b .skip-used
 %patch35 -p1 -b .progress
+%patch36 -p0 -b .buffer-len
+%patch37 -p1 -b .typo
+%patch38 -p1 -b .grab-info
+%patch39 -p1 -b .no-v6only
+%patch40 -p1 -b .memleaks
+%patch41 -p1 -b .no-spnego
+%patch42 -p1 -b .no-dups
+%patch43 -p1 -b .localtime
+%patch44 -p1 -b .ip-opts
 
 autoreconf
 
@@ -222,7 +238,7 @@
 CFLAGS="$CFLAGS -Os"
 %endif
 %if %{pie}
-%ifarch s390 s390x
+%ifarch s390 s390x sparc sparc64
 CFLAGS="$CFLAGS -fPIE"
 %else
 CFLAGS="$CFLAGS -fpie"
@@ -305,9 +321,10 @@
 rm -rf $RPM_BUILD_ROOT
 mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
 mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
-mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
+mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd/etc
 make install DESTDIR=$RPM_BUILD_ROOT
 
+touch $RPM_BUILD_ROOT%{_var}/empty/sshd/etc/localtime
 install -d $RPM_BUILD_ROOT/etc/pam.d/
 install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
 install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
@@ -399,7 +416,7 @@
 %attr(0755,root,root) %{_bindir}/ssh-keygen
 %attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
 %attr(0755,root,root) %dir %{_libexecdir}/openssh
-%attr(4711,root,root) %{_libexecdir}/openssh/ssh-keysign
+%attr(4755,root,root) %{_libexecdir}/openssh/ssh-keysign
 %attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
 %endif
 %if %{scard}
@@ -414,7 +431,7 @@
 %attr(0755,root,root) %{_bindir}/scp
 %attr(0644,root,root) %{_mandir}/man1/scp.1*
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
-%attr(-,root,root) %{_bindir}/slogin
+%attr(0755,root,root) %{_bindir}/slogin
 %attr(0644,root,root) %{_mandir}/man1/slogin.1*
 %attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
 %if ! %{rescue}
@@ -433,7 +450,9 @@
 %if ! %{rescue}
 %files server
 %defattr(-,root,root)
-%dir %attr(0111,root,root) %{_var}/empty/sshd
+%dir %attr(0711,root,root) %{_var}/empty/sshd
+%dir %attr(0755,root,root) %{_var}/empty/sshd/etc
+%ghost %verify(not md5 size mtime) %{_var}/empty/sshd/etc/localtime
 %attr(0755,root,root) %{_sbindir}/sshd
 %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
 %attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
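Review bot: The privsep chroot directory and its new etc/ subdirectory are what the unprivileged sshd child is confined to, and sshd's privilege-separation setup checks that the chroot is owned by root and not group- or world-writable before using it; 0711 and 0755 root-owned satisfy that, but the invariant is not recorded next to the lines that could change it. A comment such as `# privsep chroot: must stay root-owned and not writable by group/other, sshd rejects it otherwise` above the `%dir` lines would protect it. `%verify(not md5 size mtime)` on the ghosted localtime is right, since the init script in this commit rewrites it on every start.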
@@ -442,7 +461,7 @@
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh
 %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
 %attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
-%attr(0755,root,root) %config /etc/rc.d/init.d/sshd
+%attr(0755,root,root) /etc/rc.d/init.d/sshd
 %endif
 
 %if ! %{no_gnome_askpass}
@@ -454,6 +473,41 @@
 %endif
 
 %changelog
+* Wed Sep 13 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-4.1
+- sync with FC6 version
+- build for FC5
+
+* Wed Aug 23 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-9
+- don't report duplicate syslog messages, use correct local time (#189158)
+- don't allow spnego as gssapi mechanism (from upstream)
+- fixed memleaks found by Coverity (from upstream)
+- allow ip options except source routing (#202856) (patch by HP)
+
+* Tue Aug  8 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-8
+- drop the pam-session patch from the previous build (#201341)
+- don't set IPV6_V6ONLY sock opt when listening on wildcard addr (#201594)
+
+* Thu Jul 20 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-7
+- dropped old ssh obsoletes
+- call the pam_session_open/close from the monitor when privsep is
+  enabled so it is always called as root (patch by Darren Tucker)
+
+* Mon Jul 17 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-6
+- improve selinux patch (by Jan Kiszka)
+- upstream patch for buffer append space error (#191940)
+- fixed typo in configure.ac (#198986)
+- added pam_keyinit to pam configuration (#198628)
+- improved error message when askpass dialog cannot grab
+  keyboard input (#198332)
+- buildrequires xauth instead of xorg-x11-xauth
+- fixed a few rpmlint warnings
+
+* Wed Jul 12 2006 Jesse Keating <jkeating at redhat.com> - 4.3p2-5.1
+- rebuild
+
+* Fri Apr 14 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-5
+- don't request pseudoterminal allocation if stdin is not tty (#188983)
+
 * Thu Mar  2 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-4
 - allow access if audit is not compiled in kernel (#183243)
 



