From c03a3167bf7c2a58873894e7ad90ee72ed601789 Mon Sep 17 00:00:00 2001
From: cvs2git
Date: Tue, 17 Aug 2004 17:30:20 +0000
Subject: [PATCH] This commit was manufactured by cvs2git to create branch 'RA-DEVEL'.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Cherrypick from master 2004-08-17 17:30:20 UTC Arkadiusz Miśkiewicz '- fix format sign': openssh-chroot.patch -> 1.4 openssh-heimdal.patch -> 1.6 openssh-pam-conv.patch -> 1.2 openssh.conf -> 1.5
---
 openssh-chroot.patch | 157 +++++++++++++++++++++++++++++++++++++++++
 openssh-heimdal.patch | 20 ++++++
 openssh-pam-conv.patch | 18 +++++
 openssh.conf | 40 +++++++++++
 4 files changed, 235 insertions(+)
 create mode 100644 openssh-chroot.patch
 create mode 100644 openssh-heimdal.patch
 create mode 100644 openssh-pam-conv.patch
 create mode 100644 openssh.conf
diff --git a/openssh-chroot.patch b/openssh-chroot.patch
new file mode 100644
index 0000000..60cb12c
--- /dev/null
+++ b/openssh-chroot.patch
@@ -0,0 +1,157 @@
+--- openssh-3.7.1p2/servconf.c 2003-09-23 11:24:21.000000000 +0200
++++ openssh-3.7.1p2.pius/servconf.c 2003-10-07 20:49:08.000000000 +0200
+@@ -41,7 +41,9 @@
+ 
+ /* Portable-specific options */
+ options->use_pam = -1;
+-
++
++ options->use_chroot = -1;
++
+ /* Standard Options */
+ options->num_ports = 0;
+ options->ports_from_cmdline = 0;
+@@ -112,6 +114,9 @@
+ if (options->use_pam == -1)
+ options->use_pam = 0;
+ 
++ if (options->use_chroot == -1)
++ options->use_chroot = 0;
++
+ /* Standard Options */
+ if (options->protocol == SSH_PROTO_UNKNOWN)
+ options->protocol = SSH_PROTO_1|SSH_PROTO_2;
+@@ -245,6 +250,7 @@
+ sBadOption, /* == unknown option */
+ /* Portable-specific options */
+ sUsePAM,
++ sUseChroot,
+ /* Standard Options */
+ sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
+ sPermitRootLogin, sLogFacility, sLogLevel,
+@@ -278,6 +284,11 @@
+ #else
+ { "usepam", sUnsupported },
+ #endif
++#ifdef CHROOT
++ { "usechroot", sUseChroot },
++#else
++ { "usechroot", sUnsupported },
++#endif /* CHROOT */
+ { "pamauthenticationviakbdint", sDeprecated },
+ /* Standard Options */
+ { "port", sPort },
+@@ -437,6 +448,10 @@
+ intptr = &options->use_pam;
+ goto parse_flag;
+ 
++ case sUseChroot:
++ intptr = &options->use_chroot;
++ goto parse_flag;
++
+ /* Standard Options */
+ case sBadOption:
+ return -1;
+--- openssh-3.7.1p2/servconf.h 2003-09-02 14:58:22.000000000 +0200
++++ openssh-3.7.1p2.pius/servconf.h 2003-10-07 20:49:08.000000000 +0200
+@@ -109,6 +109,7 @@
+ int max_startups_rate;
+ int max_startups;
+ char *banner; /* SSH-2 banner message */
++ int use_chroot; /* Enable chrooted enviroment support */
+ int use_dns;
+ int client_alive_interval; /*
+ * poke the client this often to
+--- openssh-3.7.1p2/session.c 2003-09-23 10:59:08.000000000 +0200
++++ openssh-3.7.1p2.pius/session.c 2003-10-07 20:49:08.000000000 +0200
+@@ -1231,6 +1231,10 @@
+ void
+ do_setusercontext(struct passwd *pw)
+ {
++#ifdef CHROOT
++ char *user_dir;
++ char *new_root;
++#endif /* CHROOT */
+ #ifndef HAVE_CYGWIN
+ if (getuid() == 0 || geteuid() == 0)
+ #endif /* HAVE_CYGWIN */
+@@ -1268,6 +1272,28 @@
+ exit(1);
+ }
+ endgrent();
++
++#ifdef CHROOT
++ if (options.use_chroot) {
++ user_dir = xstrdup(pw->pw_dir);
++ new_root = user_dir + 1;
++
++ while((new_root = strchr(new_root, '.')) != NULL) {
++ new_root--;
++ if(strncmp(new_root, "/./", 3) == 0) {
++ *new_root = '\0';
++ new_root += 2;
++
++ if(chroot(user_dir) != 0)
++ fatal("Couldn't chroot to user directory %s", user_dir);
++ pw->pw_dir = new_root;
++ break;
++ }
++ new_root += 2;
++ }
++ }
++#endif /* CHROOT */
++
+ # ifdef USE_PAM
+ /*
+ * PAM credentials may take the form of supplementary groups.
+--- openssh-3.7.1p2/sshd_config 2003-09-02 14:51:18.000000000 +0200
++++ openssh-3.7.1p2.pius/sshd_config 2003-10-07 20:49:08.000000000 +0200
+@@ -71,6 +71,10 @@
+ # bypass the setting of 'PasswordAuthentication'
+ #UsePAM yes
+ 
++# Set this to 'yes' to enable support for chrooted user environment.
++# You must create such environment before you can use this feature.
++#UseChroot yes
++
+ #AllowTcpForwarding yes
+ #GatewayPorts no
+ #X11Forwarding no
+--- openssh-3.7.1p2/sshd_config.0 2003-09-23 11:55:19.000000000 +0200
++++ openssh-3.7.1p2.pius/sshd_config.0 2003-10-07 20:49:08.000000000 +0200
+@@ -349,6 +349,16 @@
+ CAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de-
+ fault is AUTH.
+ 
++ UseChroot
++ Specifies whether to use chroot-jail environment with ssh/sftp,
++ i.e. restrict users to a particular area in the filesystem. This
++ is done by setting user home directory to, for example,
++ /path/to/chroot/./home/username. sshd looks for a '.' in the
++ users home directory, then calls chroot(2) to whatever directory
++ was before the . and continues with the normal ssh functionality.
++ For this to work properly you have to create special chroot-jail
++ environment in a /path/to/chroot directory.
++
+ UseDNS Specifies whether sshd should lookup the remote host name and
+ check that the resolved host name for the remote IP address maps
+ back to the very same IP address. The default is ``yes''.
+--- openssh-3.8p1/sshd_config.5.orig 2004-02-18 04:31:24.000000000 +0100
++++ openssh-3.8p1/sshd_config.5 2004-02-25 21:17:23.000000000 +0100
+@@ -552,6 +552,16 @@
+ The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+ LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+ The default is AUTH.
++.It Cm UseChroot
++Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict
++users to a particular area in the filesystem. This is done by setting user
++home directory to, for example, /path/to/chroot/./home/username.
++.Nm sshd
++looks for a '.' in the users home directory, then calls
++.Xr chroot 2
++to whatever directory was before the . and continues with the normal ssh
++functionality. For this to work properly you have to create special chroot-jail
++environment in a /path/to/chroot directory.
+ .It Cm TCPKeepAlive
+ Specifies whether the system should send TCP keepalive messages to the
+ other side.
diff --git a/openssh-heimdal.patch b/openssh-heimdal.patch
new file mode 100644
index 0000000..fb856cc
--- /dev/null
+++ b/openssh-heimdal.patch
@@ -0,0 +1,20 @@
+diff -urN openssh-3.9p1.org/configure.ac openssh-3.9p1/configure.ac
+--- openssh-3.9p1.org/configure.ac 2004-08-17 19:25:31.977492488 +0200
++++ openssh-3.9p1/configure.ac 2004-08-17 19:25:48.157032824 +0200
+@@ -2265,13 +2265,13 @@
+ [ char *tmp = heimdal_version; ],
+ [ AC_MSG_RESULT(yes)
+ AC_DEFINE(HEIMDAL)
+- K5LIBS="-lkrb5 -ldes"
+- K5LIBS="$K5LIBS -lcom_err -lasn1"
++ K5LIBS="-lkrb5"
++ K5LIBS="$K5LIBS -lasn1"
+ AC_CHECK_LIB(roken, net_write,
+ [K5LIBS="$K5LIBS -lroken"])
+ ],
+ [ AC_MSG_RESULT(no)
+- K5LIBS="-lkrb5 -lk5crypto -lcom_err"
++ K5LIBS="-lkrb5 -lk5crypto"
+ ]
+ )
+ AC_SEARCH_LIBS(dn_expand, resolv)
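Review bot: In the session.c hunk of openssh-chroot.patch, `chroot(user_dir)` is not followed by a chdir(), so the process keeps the working directory it had before the call, which lies outside the new root; presumably sshd later chdirs into pw->pw_dir outside this hunk, but if that chdir fails the cwd stays outside the jail and the chroot is ineffective. Add `if (chdir("/") != 0) fatal("Couldn't chdir to / after chroot to %s", user_dir);` directly after the fatal() that guards chroot(). `new_root = user_dir + 1` also assumes pw_dir is non-empty and begins with '/'; a guard such as `if (user_dir[0] != '/') fatal("Invalid home directory %s", user_dir);` before the loop would prevent strchr() from scanning past the terminator of an empty home directory. do_setusercontext's body continues outside the hunk.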
diff --git a/openssh-pam-conv.patch b/openssh-pam-conv.patch
new file mode 100644
index 0000000..0cbb9bc
--- /dev/null
+++ b/openssh-pam-conv.patch
@@ -0,0 +1,18 @@
+diff -ur openssh-3.7.1p2/auth-pam.c openssh-3.7.1p2-pam/auth-pam.c
+--- openssh-3.7.1p2/auth-pam.c 2003-09-23 11:24:21.000000000 +0200
++++ openssh-3.7.1p2-pam/auth-pam.c 2003-09-23 18:44:46.000000000 +0200
+@@ -175,12 +175,14 @@
+ case PAM_ERROR_MSG:
+ buffer_put_cstring(&buffer,
+ PAM_MSG_MEMBER(msg, i, msg));
++ buffer_put_char(&buffer, '\n');
+ ssh_msg_send(ctxt->pam_csock,
+ PAM_MSG_MEMBER(msg, i, msg_style), &buffer);
+ break;
+ case PAM_TEXT_INFO:
+ buffer_put_cstring(&buffer,
+ PAM_MSG_MEMBER(msg, i, msg));
++ buffer_put_char(&buffer, '\n');
+ ssh_msg_send(ctxt->pam_csock,
+ PAM_MSG_MEMBER(msg, i, msg_style), &buffer);
+ break;
diff --git a/openssh.conf b/openssh.conf
new file mode 100644
index 0000000..cc1130e
--- /dev/null
+++ b/openssh.conf
@@ -0,0 +1,40 @@
+# This is the ssh client system-wide configuration file. See
+# ssh_config(5) for more information. This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+# 1. command line options
+# 2. user-specific file
+# 3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for various options
+
+# Host *
+# ForwardAgent no
+# ForwardX11 no
+# RhostsAuthentication no
+# RhostsRSAAuthentication no
+# RSAAuthentication yes
+# PasswordAuthentication yes
+# BatchMode no
+# CheckHostIP yes
+# StrictHostKeyChecking ask
+# IdentityFile ~/.ssh/identity
+# IdentityFile ~/.ssh/id_rsa
+# IdentityFile ~/.ssh/id_dsa
+# Port 22
+# Protocol 2,1
+# Cipher 3des
+# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
+# EscapeChar ~
+
+# Be paranoid by default
+Host *
+ ForwardAgent no
+ ForwardX11 no
+ ForwardX11Trusted no
+ StrictHostKeyChecking no
-- 
2.44.0
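Review bot: `StrictHostKeyChecking no` in the `Host *` block at the end of openssh.conf contradicts the `# Be paranoid by default` comment directly above it and the `# StrictHostKeyChecking ask` default listed earlier in the same file: with `no`, ssh records unknown host keys without prompting, so a first connection to a host gets no chance to notice a substituted server. Keeping the documented default, `StrictHostKeyChecking ask`, preserves the prompt while the other three settings in the block still apply. If the intent was to suppress prompts for a particular set of hosts, a narrower `Host` stanza placed before the `Host *` block would do that without relaxing the check for every host.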