From 204858e58df7e196f7fb25089f172ef27e4689f6 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Arkadiusz=20Mi=C5=9Bkiewicz?= Date: Sat, 15 Feb 2020 13:06:22 +0100 Subject: [PATCH] - up to 8.2p1; new - FIDO/U2F support --- openssh-include.patch | 11 --------- openssh-ldap.patch | 54 ++++++++++++++++++++++--------------------- openssh-sigpipe.patch | 10 ++++---- openssh.spec | 17 +++++++------- ossh-bug-3093.patch | 40 -------------------------------- 5 files changed, 42 insertions(+), 90 deletions(-) delete mode 100644 openssh-include.patch delete mode 100644 ossh-bug-3093.patch diff --git a/openssh-include.patch b/openssh-include.patch deleted file mode 100644 index 801c681..0000000 --- a/openssh-include.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- openssh-5.9p1/configure.ac~ 2011-09-06 19:31:16.000000000 +0200 -+++ openssh-5.9p1/configure.ac 2011-09-06 19:31:55.291791679 +0200 -@@ -1076,6 +1076,7 @@ - - AC_MSG_CHECKING([for possibly buggy zlib]) - AC_RUN_IFELSE([AC_LANG_PROGRAM([[ -+#include - #include - #include - ]], - diff --git a/openssh-ldap.patch b/openssh-ldap.patch index 2920eab..fe93879 100644 --- a/openssh-ldap.patch +++ b/openssh-ldap.patch 
@@ -1995,14 +1995,16 @@ diff -up openssh-6.2p1/ldapmisc.h.ldap openssh-6.2p1/ldapmisc.h SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper PRIVSEP_PATH=@PRIVSEP_PATH@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ -@@ -61,8 +63,9 @@ +@@ -61,10 +63,11 @@ EXEEXT=@EXEEXT@ MANFMT=@MANFMT@ MKDIR_P=@MKDIR_P@ +INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ + + .SUFFIXES: .lo --TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) -+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) +-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) LIBOPENSSH_OBJS=\ ssh_api.o \ 
@@ -2010,45 +2012,45 @@ diff -up openssh-6.2p1/ldapmisc.h.ldap openssh-6.2p1/ldapmisc.h sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \ sandbox-solaris.o --MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out --MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 -+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out -+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5 +-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out +-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5 ++MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out ++MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 
ssh-ldap.conf.5 MANTYPE = @MANTYPE@ CONFIGFILES=sshd_config.out ssh_config.out moduli.out -@@ -184,6 +187,9 @@ - ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o - $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) +@@ -235,6 +235,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) + ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS) + $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) +ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o + $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o - $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) + $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -@@ -311,6 +317,10 @@ - $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) +@@ -395,6 +395,10 @@ install-files: $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) + if test ! 
-z "$(INSTALL_SSH_LDAP_HELPER)" ; then \ -+ $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ -+ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ ++ $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ ++ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ + fi $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -@@ -327,6 +337,10 @@ - $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 +@@ -416,6 +416,10 @@ install-files: $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 + $(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8 + if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \ -+ $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \ -+ $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \ ++ $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \ ++ $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \ + fi install-sysconf: - if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \ + $(MKDIR_P) $(DESTDIR)$(sysconfdir) @@ -352,6 +366,13 @@ else \ echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \ 
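Review bot: The install-files lines re-indented in this hunk install `ssh-ldap-helper` and `ssh-ldap-wrapper` with `-m 0700`, so only the owning user can execute them. If they are meant to be run as an `AuthorizedKeysCommand` under a dedicated unprivileged `AuthorizedKeysCommandUser`, that mode forces the lookup to run as root unless the spec's %files section overrides it, which is not visible here; a comment stating the intended mode and user would settle this. The helper line also omits `$(EXEEXT)`, unlike the `TARGETS` entry and the uninstall lines, and would be consistent as `$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper$(EXEEXT) $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT) ; \`. The install-files recipe starts and ends outside this hunk.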
@@ -2063,23 +2065,23 @@ diff -up openssh-6.2p1/ldapmisc.h.ldap openssh-6.2p1/ldapmisc.h host-key: ssh-keygen$(EXEEXT) @if [ -z "$(DESTDIR)" ] ; then \ -@@ -392,6 +413,8 @@ - -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) +@@ -488,6 +488,8 @@ uninstall: -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) + -rm -f $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) + -rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT) + -rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT) -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -@@ -403,6 +426,7 @@ - -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 +@@ -502,6 +502,7 @@ uninstall: -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 regress-prep: - [ -d `pwd`/regress ] || mkdir -p `pwd`/regress + $(MKDIR_P) `pwd`/regress/unittests/test_helper diff -up openssh-6.2p1/openssh-lpk-openldap.schema.ldap openssh-6.2p1/openssh-lpk-openldap.schema --- openssh-6.2p1/openssh-lpk-openldap.schema.ldap 2013-03-25 21:27:15.894248110 +0100 +++ openssh-6.2p1/openssh-lpk-openldap.schema 2013-03-25 21:27:15.894248110 +0100 diff --git a/openssh-sigpipe.patch b/openssh-sigpipe.patch index 3d60ddf..a190b7c 100644 --- a/openssh-sigpipe.patch +++ b/openssh-sigpipe.patch 
@@ -10,13 +10,13 @@ /* * Flag to indicate that we have received a window change signal which has * not yet been processed. This will cause a message indicating the new -@@ -1236,6 +1239,8 @@ - signal(SIGQUIT, signal_handler); - if (signal(SIGTERM, SIG_IGN) != SIG_IGN) - signal(SIGTERM, signal_handler); +@@ -1317,6 +1317,8 @@ client_loop(struct ssh *ssh, int have_pt + ssh_signal(SIGQUIT, signal_handler); + if (ssh_signal(SIGTERM, SIG_IGN) != SIG_IGN) + ssh_signal(SIGTERM, signal_handler); + if (enable_sigpipe) + signal(SIGPIPE, signal_handler); - signal(SIGWINCH, window_change_handler); + ssh_signal(SIGWINCH, window_change_handler); if (have_pty) diff -urN openssh-3.9p1.org/ssh.0 openssh-3.9p1/ssh.0 diff --git a/openssh.spec b/openssh.spec index 065eb67..b6e6ed1 100644 --- a/openssh.spec +++ b/openssh.spec @@ -36,13 +36,13 @@ Summary(pt_BR.UTF-8): Implementação livre do SSH Summary(ru.UTF-8): OpenSSH - свободная реализация протокола Secure Shell (SSH) Summary(uk.UTF-8): OpenSSH - вільна реалізація протоколу Secure Shell (SSH) Name: openssh -Version: 8.1p1 -Release: 4 +Version: 8.2p1 +Release: 1 Epoch: 2 License: BSD Group: Applications/Networking Source0: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz -# Source0-md5: 513694343631a99841e815306806edf0 +# Source0-md5: 3076e6413e8dbe56d33848c1054ac091 Source1: http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2 # Source1-md5: 66943d481cc422512b537bcc2c7400d1 Source2: %{name}d.init 
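Review bot: In the refreshed client_loop() hunk of openssh-sigpipe.patch, the two added lines still end in `signal(SIGPIPE, signal_handler);`, while every neighbouring call in the 8.2p1 context has become `ssh_signal(...)`. The added call should go through the same wrapper, `ssh_signal(SIGPIPE, signal_handler);`, so that SIGPIPE is installed the same way as SIGQUIT, SIGTERM and SIGWINCH. Only this inner hunk's context is visible; the rest of openssh-sigpipe.patch, including where `enable_sigpipe` is set, lies outside the diff and may need the same check.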
@@ -68,13 +68,12 @@ Patch8: ldap-helper-sigpipe.patch # High Performance SSH/SCP - HPN-SSH - http://www.psc.edu/networking/projects/hpn-ssh/ # http://www.psc.edu/networking/projects/hpn-ssh/openssh-5.2p1-hpn13v6.diff.gz Patch9: %{name}-5.2p1-hpn13v6.diff -Patch10: %{name}-include.patch + Patch11: %{name}-chroot.patch Patch12: openssh-bug-2905.patch Patch13: %{name}-skip-interop-tests.patch Patch14: %{name}-bind.patch Patch15: %{name}-disable_ldap.patch -Patch16: ossh-bug-3093.patch URL: http://www.openssh.com/portable.html BuildRequires: %{__perl} %{?with_audit:BuildRequires: audit-libs-devel} @@ -85,6 +84,7 @@ BuildRequires: automake %{?with_kerberos5:BuildRequires: heimdal-devel >= 0.7} %{?with_ldns:BuildRequires: ldns-devel} %{?with_libedit:BuildRequires: libedit-devel} +BuildRequires: libfido2-devel BuildRequires: libseccomp-devel %{?with_selinux:BuildRequires: libselinux-devel} %{?with_ldap:BuildRequires: openldap-devel} @@ -538,7 +538,7 @@ openldap-a. %patch8 -p1 %{?with_hpn:%patch9 -p1} -%patch10 -p1 + %patch11 -p1 %patch12 -p1 %patch13 -p1 @@ -551,8 +551,6 @@ openldap-a. %{__sed} -i -e 's/\(`$(PKG_CONFIG) --libs gtk+-2.0\) x11`/\1` -lX11/' contrib/Makefile %endif -%patch16 -p1 - # hack since arc4random from openbsd-compat needs symbols from libssh and vice versa sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh -lopenbsd-compat#g' Makefile* @@ -586,6 +584,7 @@ CPPFLAGS="%{rpmcppflags} -DCHROOT -std=gnu99" --with-pid-dir=%{_localstatedir}/run \ --with-privsep-path=%{_privsepdir} \ --with-privsep-user=sshd \ + --with-security-key-builtin \ %{?with_selinux:--with-selinux} \ %if "%{pld_release}" == "ac" --with-xauth=/usr/X11R6/bin/xauth 
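Review bot: `BuildRequires: libfido2-devel` and `--with-security-key-builtin` are added unconditionally, while the optional features next to them are gated (`%{?with_libedit:...}`, `%{?with_selinux:--with-selinux}`). With the built-in middleware, ssh-sk-helper is linked against libfido2 (the refreshed Makefile context in openssh-ldap.patch shows `$(LIBFIDO2)` on its link line), so every build and install now carries that dependency. Consider a bcond so sites that do not use FIDO/U2F keys can build without it, e.g. `%{?with_fido:BuildRequires: libfido2-devel}` and `%{?with_fido:--with-security-key-builtin} \`, where `with_fido` is a proposed name, not one defined in the visible spec. The %files entries for ssh-sk-helper in the later hunks would need the same condition.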
@@ -794,6 +793,7 @@ fi
 %attr(755,root,root) %{_bindir}/ssh-add
 %attr(755,root,root) %{_bindir}/ssh-copy-id
 %attr(755,root,root) %{_bindir}/scp
+%attr(755,root,root) %{_libexecdir}/ssh-sk-helper
 %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/ssh_config
 %config(noreplace,missingok) %verify(not md5 mtime size) /etc/env.d/SSH_ASKPASS
 %{_mandir}/man1/scp.1*
@@ -803,6 +803,7 @@ fi
 %{_mandir}/man1/ssh-add.1*
 %{_mandir}/man1/ssh-copy-id.1*
 %{_mandir}/man5/ssh_config.5*
+%{_mandir}/man8/ssh-sk-helper.8*
 %lang(it) %{_mandir}/it/man1/ssh.1*
 %lang(it) %{_mandir}/it/man5/ssh_config.5*
 %lang(pl) %{_mandir}/pl/man1/scp.1*
diff --git a/ossh-bug-3093.patch b/ossh-bug-3093.patch
deleted file mode 100644
index fa33bae..0000000
--- a/ossh-bug-3093.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index b5cda70b..f80981fa 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -177,6 +177,9 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_shmdt
- SC_DENY(__NR_shmdt, EACCES),
- #endif
-+#ifdef __NR_ipc
-+ SC_DENY(__NR_ipc, EACCES),
-+#endif
-
- /* Syscalls to permit */
- #ifdef __NR_brk
-@@ -185,6 +188,9 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_clock_gettime
- SC_ALLOW(__NR_clock_gettime),
- #endif
-+#ifdef __NR_clock_gettime64
-+ SC_ALLOW(__NR_clock_gettime64),
-+#endif
- #ifdef __NR_close
- SC_ALLOW(__NR_close),
- #endif
-@@ -242,6 +248,15 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_nanosleep
- SC_ALLOW(__NR_nanosleep),
- #endif
-+#ifdef __NR_clock_nanosleep
-+ SC_ALLOW(__NR_clock_nanosleep),
-+#endif
-+#ifdef __NR_clock_nanosleep_time64
-+ SC_ALLOW(__NR_clock_nanosleep_time64),
-+#endif
-+#ifdef __NR_clock_gettime64
-+ SC_ALLOW(__NR_clock_gettime64),
-+#endif
- #ifdef __NR__newselect
- SC_ALLOW(__NR__newselect),
- #endif
-- 
2.43.0