From afde20c1a359c98a03ce68879e8cb59fd2437115 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Arkadiusz=20Mi=C5=9Bkiewicz?=
Date: Tue, 6 Sep 2011 17:58:54 +0000
Subject: [PATCH] - up to 5.9p1 (lpk patch needs update; builds --without ldap only for now)

Changed files:
 openssh-blacklist.diff -> 1.9
 openssh-heimdal.patch -> 1.17
 openssh-include.patch -> 1.2
 openssh-kuserok.patch -> 1.3
 openssh-lpk.patch -> 1.7
 openssh-no_libnsl.patch -> 1.6
 openssh-pam_misc.patch -> 1.4
 openssh.spec -> 1.365
---
 openssh-blacklist.diff | 18 +++----
 openssh-heimdal.patch | 23 ++++-----
 openssh-include.patch | 13 ++---
 openssh-kuserok.patch | 14 ++---
 openssh-lpk.patch | 110 +++++++++++++++++++++++-----------------
 openssh-no_libnsl.patch | 15 +++---
 openssh-pam_misc.patch | 9 ++--
 openssh.spec | 11 ++--
 8 files changed, 118 insertions(+), 95 deletions(-)

diff --git a/openssh-blacklist.diff b/openssh-blacklist.diff
index 1925afa..a0f38ec 100644
--- a/openssh-blacklist.diff
+++ b/openssh-blacklist.diff
@@ -120,8 +120,8 @@ This patch is up to date with respect to Debian openssh 1:4.7p1-10. INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@ --TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) -+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT) +-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT) LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ 
@@ -129,10 +129,10 @@ This patch is up to date with respect to Debian openssh 1:4.7p1-10. audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ roaming_common.o roaming_serv.o ldapauth.o --MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out --MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 -+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-vulnkey.1.out -+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-vulnkey.1 +-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out +-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ++MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-vulnkey.1.out ++MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-vulnkey.1 MANTYPE = @MANTYPE@ CONFIGFILES=sshd_config.out 
ssh_config.out moduli.out @@ -851,8 +851,8 @@ This patch is up to date with respect to Debian openssh 1:4.7p1-10. + /* We don't need the RNG ourselves, but symbol references here allow + * ld to link us properly. + */ -+ init_rng(); -+ seed_rng(); ++ //init_rng(); ++ //seed_rng(); + + while ((opt = getopt(argc, argv, "ahq")) != -1) { + switch (opt) { @@ -965,7 +965,7 @@ This patch is up to date with respect to Debian openssh 1:4.7p1-10. user_key_allowed(struct passwd *pw, Key *key) { + char *fp; - int success; + u_int success, i; char *file; + if (blacklisted_key(key)) { diff --git a/openssh-heimdal.patch b/openssh-heimdal.patch index 1b7f6e9..2ce97a5 100644 --- a/openssh-heimdal.patch +++ b/openssh-heimdal.patch @@ -1,22 +1,21 @@ ---- openssh-5.7p1/configure.ac.orig 2011-01-22 00:37:05.000000000 +0200 -+++ openssh-5.7p1/configure.ac 2011-01-24 16:21:01.711393457 +0200 -@@ -3572,14 +3572,14 @@ - [ AC_MSG_RESULT(yes) - AC_DEFINE(HEIMDAL) +--- openssh-5.9p1/configure.ac~ 2011-08-18 06:48:24.000000000 +0200 ++++ openssh-5.9p1/configure.ac 2011-09-06 19:00:46.856319713 +0200 +@@ -3424,13 +3424,13 @@ + [ AC_MSG_RESULT([yes]) + AC_DEFINE([HEIMDAL]) K5LIBS="-lkrb5" - K5LIBS="$K5LIBS -lcom_err -lasn1" + K5LIBS="$K5LIBS -lasn1" - AC_CHECK_LIB(roken, net_write, + AC_CHECK_LIB([roken], [net_write], [K5LIBS="$K5LIBS -lroken"]) - AC_CHECK_LIB(des, des_cbc_encrypt, + AC_CHECK_LIB([des], [des_cbc_encrypt], [K5LIBS="$K5LIBS -ldes"]) - ], - [ AC_MSG_RESULT(no) + ], [ AC_MSG_RESULT([no]) - K5LIBS="-lkrb5 -lk5crypto -lcom_err" + K5LIBS="-lkrb5 -lk5crypto" - ] - ) - AC_SEARCH_LIBS(dn_expand, resolv) + + ]) + AC_SEARCH_LIBS([dn_expand], [resolv]) diff -ur openssh-5.8p1-orig/auth-krb5.c openssh-5.8p1/auth-krb5.c --- openssh-5.8p1-orig/auth-krb5.c 2011-04-20 00:30:23.632652510 +0200 +++ openssh-5.8p1/auth-krb5.c 2011-04-20 00:34:06.218117429 +0200 diff --git a/openssh-include.patch b/openssh-include.patch index 42f3fff..801c681 100644 --- a/openssh-include.patch 
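Review bot: The new lines `//init_rng();` and `//seed_rng();` leave commented-out code directly beneath a comment that still says the calls are kept so that `ld` links the RNG symbols, so the comment now contradicts the code it describes. Since this same commit drops ssh-rand-helper from the TARGETS and MANPAGES lists of the Makefile hunks earlier in this file, the two calls and the three-line comment above them should be deleted outright rather than disabled. The enclosing function (apparently the ssh-vulnkey main, given the `getopt(argc, argv, "ahq")` loop that follows) starts and ends outside the hunk.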
+++ b/openssh-include.patch @@ -1,10 +1,11 @@ ---- openssh-4.2p1/configure.ac~ 2006-01-05 02:09:10.000000000 +0100 -+++ openssh-4.2p1/configure.ac 2006-01-05 02:32:00.000000000 +0100 -@@ -808,6 +808,7 @@ +--- openssh-5.9p1/configure.ac~ 2011-09-06 19:31:16.000000000 +0200 ++++ openssh-5.9p1/configure.ac 2011-09-06 19:31:55.291791679 +0200 +@@ -1076,6 +1076,7 @@ - AC_MSG_CHECKING(for possibly buggy zlib) - AC_RUN_IFELSE([AC_LANG_SOURCE([[ + AC_MSG_CHECKING([for possibly buggy zlib]) + AC_RUN_IFELSE([AC_LANG_PROGRAM([[ +#include #include #include - int main() + ]], + diff --git a/openssh-kuserok.patch b/openssh-kuserok.patch index 31e03f7..22e3bfe 100644 --- a/openssh-kuserok.patch +++ b/openssh-kuserok.patch @@ -54,14 +54,14 @@ diff -up openssh-5.8p1/gss-serv-krb5.c.kuserok openssh-5.8p1/gss-serv-krb5.c diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c --- openssh-5.8p1/servconf.c.kuserok 2011-02-14 09:15:12.000000000 +0100 +++ openssh-5.8p1/servconf.c 2011-02-14 09:20:22.000000000 +0100 -@@ -142,6 +142,7 @@ initialize_server_options(ServerOptions - options->authorized_principals_file = NULL; - options->ip_qos_interactive = -1; - options->ip_qos_bulk = -1; +@@ -133,6 +133,7 @@ + options->num_accept_env = 0; + options->permit_tun = -1; + options->num_permitted_opens = -1; + options->use_kuserok = -1; - #ifdef WITH_LDAP_PUBKEY - /* XXX dirty */ - options->lpk.ld = NULL; + options->adm_forced_command = NULL; + options->chroot_directory = NULL; + options->zero_knowledge_password_authentication = -1; @@ -291,6 +292,8 @@ fill_default_server_options(ServerOption if (use_privsep == -1) use_privsep = 1; diff --git a/openssh-lpk.patch b/openssh-lpk.patch index 010ef8d..8e2457c 100644 --- a/openssh-lpk.patch +++ b/openssh-lpk.patch 
@@ -27,42 +27,41 @@ diff -Nuar --exclude '*.orig' --exclude '*.rej' openssh-5.1p1.orig/auth2-pubkey. /* import */ extern ServerOptions options; extern u_char *session_id2; -@@ -187,10 +191,79 @@ - u_long linenum = 0; - Key *found; - char *fp; +@@ -272,9 +272,97 @@ + { + char *file; + u_int i, allowed = 0; +#ifdef WITH_LDAP_PUBKEY + ldap_key_t * k; + unsigned int i = 0; +#endif - /* Temporarily use the user's uid. */ temporarily_use_uid(pw); +#ifdef WITH_LDAP_PUBKEY -+ found_key = 0; -+ /* allocate a new key type */ -+ found = key_new(key->type); -+ -+ /* first check if the options is enabled, then try.. */ ++ /* here is the job */ ++ key = key_new(KEY_RSA1); ++ + if (options.lpk.on) { -+ debug("[LDAP] trying LDAP first uid=%s",pw->pw_name); -+ if (ldap_ismember(&options.lpk, pw->pw_name) > 0) { -+ if ((k = ldap_getuserkey(&options.lpk, pw->pw_name)) != NULL) { -+ /* Skip leading whitespace, empty and comment lines. */ ++ debug("[LDAP] trying LDAP first uid=%s", pw->pw_name); ++ if ( ldap_ismember(&options.lpk, pw->pw_name) > 0) { ++ if ( (k = ldap_getuserkey(&options.lpk, pw->pw_name)) != NULL) { + for (i = 0 ; i < k->num ; i++) { -+ /* dont forget if multiple keys to reset options */ + char *cp, *options = NULL; + -+ for (cp = (char *)k->keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++) ++ for (cp = k->keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++) + ; + if (!*cp || *cp == '\n' || *cp == '#') + continue; + -+ if (key_read(found, &cp) != 1) { -+ /* no key? check if there are options for this key */ ++ /* ++ * Check if there are options for this key, and if so, ++ * save their starting address and skip the option part ++ * for now. If there are no options, set the starting ++ * address to NULL. ++ */ ++ if (*cp < '0' || *cp > '9') { + int quoted = 0; -+ debug2("[LDAP] user_key_allowed: check options: '%s'", cp); + options = cp; + for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) { + if (*cp == '\\' && cp[1] == '"') 
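Review bot: `key = key_new(KEY_RSA1);` overwrites the `key` parameter of user_key_allowed (the function named in the removed debug2 string), so the key the client actually offered is discarded before anything compares it, and the block that follows relies on `hostfile_read_key(&cp, &bits, key)`, `BN_cmp(key->rsa->n, client_n)` and `rkey`, none of which this function declares — they look lifted from the RSA1 path in auth-rsa.c, which is consistent with the commit message saying the build only works `--without ldap`. The lines being removed already had the right shape for a protocol-2 key (`found = key_new(key->type);` and `key_read(found, &cp)` here, `key_equal(found, key)` in the next hunk of this file), so the LDAP block should be rebased on those rather than on the RSA1 parser. Separately, the refreshed context line `u_int i, allowed = 0;` sits in the same scope as the retained `unsigned int i = 0;` under `#ifdef WITH_LDAP_PUBKEY`, which becomes a redeclaration the moment LDAP support is enabled. user_key_allowed continues past the end of this hunk.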
@@ -70,32 +69,49 @@ diff -Nuar --exclude '*.orig' --exclude '*.rej' openssh-5.1p1.orig/auth2-pubkey. + else if (*cp == '"') + quoted = !quoted; + } -+ /* Skip remaining whitespace. */ -+ for (; *cp == ' ' || *cp == '\t'; cp++) -+ ; -+ if (key_read(found, &cp) != 1) { -+ debug2("[LDAP] user_key_allowed: advance: '%s'", cp); -+ /* still no key? advance to next line*/ -+ continue; -+ } -+ } ++ } else ++ options = NULL; + -+ if (key_equal(found, key) && -+ auth_parse_options(pw, options, file, linenum) == 1) { -+ found_key = 1; -+ debug("[LDAP] matching key found"); -+ fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); -+ verbose("[LDAP] Found matching %s key: %s", key_type(found), fp); -+ -+ /* restoring memory */ -+ ldap_keys_free(k); -+ xfree(fp); -+ restore_uid(); -+ key_free(found); -+ return found_key; -+ break; ++ /* Parse the key from the line. */ ++ if (hostfile_read_key(&cp, &bits, key) == 0) { ++ debug("[LDAP] line %d: non ssh1 key syntax", i); ++ continue; + } -+ }/* end of LDAP for() */ ++ /* cp now points to the comment part. */ ++ ++ /* Check if the we have found the desired key (identified by its modulus). */ ++ if (BN_cmp(key->rsa->n, client_n) != 0) ++ continue; ++ ++ /* check the real bits */ ++ if (bits != (unsigned int)BN_num_bits(key->rsa->n)) ++ logit("[LDAP] Warning: ldap, line %lu: keysize mismatch: " ++ "actual %d vs. announced %d.", (unsigned long)i, BN_num_bits(key->rsa->n), bits); ++ ++ /* We have found the desired key. */ ++ /* ++ * If our options do not allow this key to be used, ++ * do not send challenge. ++ */ ++ if (!auth_parse_options(pw, options, "[LDAP]", (unsigned long) i)) ++ continue; ++ ++ /* break out, this key is allowed */ ++ allowed = 1; ++ ++ /* add the return stuff etc... */ ++ /* Restore the privileged uid. 
*/ ++ restore_uid(); ++ ++ /* return key if allowed */ ++ if (allowed && rkey != NULL) ++ *rkey = key; ++ else ++ key_free(key); ++ ++ ldap_keys_free(k); ++ return (allowed); ++ } + } else { + logit("[LDAP] no keys found for '%s'!", pw->pw_name); + } @@ -104,9 +120,11 @@ diff -Nuar --exclude '*.orig' --exclude '*.rej' openssh-5.1p1.orig/auth2-pubkey. + } + } +#endif - debug("trying public key file %s", file); - f = auth_openkeyfile(file, pw, options.strict_modes); - ++ ++ /* The authorized keys. */ + for (i = 0; !allowed && i < options.num_authkeys_files; i++) { + file = expand_authorized_keys( + options.authorized_keys_files[i], pw); diff -Nuar --exclude '*.orig' --exclude '*.rej' openssh-5.1p1.orig/auth-rsa.c openssh-5.1p1+lpk/auth-rsa.c --- openssh-5.1p1.orig/auth-rsa.c 2008-07-02 05:37:30.000000000 -0700 +++ openssh-5.1p1+lpk/auth-rsa.c 2008-08-23 15:02:47.000000000 -0700 diff --git a/openssh-no_libnsl.patch b/openssh-no_libnsl.patch index e45344c..c8fbdd4 100644 --- a/openssh-no_libnsl.patch +++ b/openssh-no_libnsl.patch @@ -10,13 +10,14 @@ diff -urN openssh-3.0p1.orig/configure.ac openssh-3.0p1/configure.ac case `uname -r` in 1.*|2.0.*) AC_DEFINE(BROKEN_CMSG_TYPE) ---- openssh-3.2.3p1/configure.ac.orig Sat May 25 13:02:18 2002 -+++ openssh-3.2.3p1/configure.ac Sat May 25 13:14:58 2002 -@@ -360,7 +359,6 @@ - util.h utime.h utmp.h utmpx.h) +--- openssh-5.9p1/configure.ac~ 2011-09-06 19:01:09.000000000 +0200 ++++ openssh-5.9p1/configure.ac 2011-09-06 19:02:14.816070290 +0200 +@@ -972,7 +972,6 @@ + dnl Checks for header files. # Checks for libraries. --AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match)) - AC_CHECK_FUNC(setsockopt, , AC_CHECK_LIB(socket, setsockopt)) +-AC_CHECK_FUNC([yp_match], , [AC_CHECK_LIB([nsl], [yp_match])]) + AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])]) - dnl SCO OS3 needs this for libwrap + dnl IRIX and Solaris 2.5.1 have dirname() in libgen + 
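Review bot: `ldap_keys_free(k);` and the `key_free(key)` fallback are reached only on the path that ends in `return (allowed);`; when the `for (i = 0 ; i < k->num ; i++)` loop finishes without a match (every entry takes one of the `continue` branches), the `k` returned by `ldap_getuserkey` and the object from `key_new` are both leaked and control falls into the authorized_keys loop. Freeing `k` right after the loop, i.e. adding `ldap_keys_free(k);` between the loop's closing brace and the `} else {` that logs "no keys found", covers that path; the `key_new` object needs the same treatment once the first hunk is reworked. The `if (allowed && rkey != NULL)` test is also always true in its `allowed` half, because `allowed = 1;` is assigned unconditionally a few lines above it. The enclosing function starts before this hunk and ends after it.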
diff --git a/openssh-pam_misc.patch b/openssh-pam_misc.patch index 591c47f..c05a1b6 100644 --- a/openssh-pam_misc.patch +++ b/openssh-pam_misc.patch @@ -1,11 +1,12 @@ ---- openssh-4.4p1/configure.ac~ 2006-09-28 17:40:25.601119384 +0300 -+++ openssh-4.4p1/configure.ac 2006-09-28 17:41:49.162994417 +0300 -@@ -2056,7 +2056,7 @@ +--- openssh-5.9p1/configure.ac~ 2011-09-06 19:02:28.000000000 +0200 ++++ openssh-5.9p1/configure.ac 2011-09-06 19:03:14.340571364 +0200 +@@ -2419,7 +2419,7 @@ PAM_MSG="yes" - SSHDLIBS="$SSHDLIBS -lpam" + SSHDLIBS="$SSHDLIBS -lpam -lpam_misc" - AC_DEFINE(USE_PAM, 1, + AC_DEFINE([USE_PAM], [1], [Define if you want to enable PAM support]) + diff --git a/openssh.spec b/openssh.spec index 9023c96..580eaba 100644 --- a/openssh.spec +++ b/openssh.spec @@ -28,13 +28,13 @@ Summary(pt_BR.UTF-8): Implementação livre do SSH Summary(ru.UTF-8): OpenSSH - свободная реализация протокола Secure Shell (SSH) Summary(uk.UTF-8): OpenSSH - вільна реалізація протоколу Secure Shell (SSH) Name: openssh -Version: 5.8p2 -Release: 3 +Version: 5.9p1 +Release: 0.1 Epoch: 2 License: BSD Group: Applications/Networking Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz -# Source0-md5: 88a4a83b0e0e60cd545430d4e4bd7e0c +# Source0-md5: b50a499fa02616a47984b1920848b565 Source1: http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2 # Source1-md5: 66943d481cc422512b537bcc2c7400d1 Source2: %{name}d.init @@ -513,6 +513,9 @@ install -p %{SOURCE2} sshd.init %{__sed} -i -e '/ecdsa/d' sshd.init %endif +# hack since arc4random from openbsd-compat needs symbols from libssh and vice versa +sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh#g' Makefile* + %build cp /usr/share/automake/config.sub . %{__aclocal} 
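Review bot: The new `sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh#g' Makefile*` line uses bare `sed` while the `%{__sed} -i -e '/ecdsa/d' sshd.init` line just above it uses the macro; use `%{__sed}` here for consistency with the rest of the spec. The substitution also succeeds silently when the pattern is absent, so if a future upstream Makefile.in reorders the link line the workaround disappears without notice and the build fails later with an unrelated-looking link error; a guard such as `grep -q -- '-lssh -lopenbsd-compat' Makefile*` before the substitution would surface that early. Since this runs before `%build`, presumably only Makefile.in exists at that point and the glob is meant to edit it — worth saying so in the comment, e.g. `# hack: Makefile.in link order; arc4random from openbsd-compat needs symbols from libssh and vice versa`.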
@@ -660,7 +663,7 @@ fi %files %defattr(644,root,root,755) -%doc *.RNG TODO README OVERVIEW CREDITS Change* +%doc TODO README OVERVIEW CREDITS Change* %attr(755,root,root) %{_bindir}/ssh-key* %attr(755,root,root) %{_bindir}/ssh-vulnkey* %{_mandir}/man1/ssh-key*.1* -- 2.43.0