- up to 5.9p1 (lpk patch needs update; builds --without ldap only for now)
authorArkadiusz Miśkiewicz <arekm@maven.pl>
Tue, 6 Sep 2011 17:58:54 +0000 (17:58 +0000)
committercvs2git <feedback@pld-linux.org>
Sun, 24 Jun 2012 12:13:13 +0000 (12:13 +0000)
Changed files:
    openssh-blacklist.diff -> 1.9
    openssh-heimdal.patch -> 1.17
    openssh-include.patch -> 1.2
    openssh-kuserok.patch -> 1.3
    openssh-lpk.patch -> 1.7
    openssh-no_libnsl.patch -> 1.6
    openssh-pam_misc.patch -> 1.4
    openssh.spec -> 1.365

openssh-blacklist.diff
openssh-heimdal.patch
openssh-include.patch
openssh-kuserok.patch
openssh-lpk.patch
openssh-no_libnsl.patch
openssh-pam_misc.patch
openssh.spec

index 1925afa219a9298356d5b5230d7771c2c2528f78..a0f38ec7f42271111154dda7f128491ff8bceccf 100644 (file)
@@ -120,8 +120,8 @@ This patch is up to date with respect to Debian openssh 1:4.7p1-10.
  INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
  INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@
  
--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT)
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT)
  
  LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
        canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
@@ -129,10 +129,10 @@ This patch is up to date with respect to Debian openssh 1:4.7p1-10.
        audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \
        roaming_common.o roaming_serv.o ldapauth.o
  
--MANPAGES      = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
--MANPAGES_IN   = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
-+MANPAGES      = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-vulnkey.1.out
-+MANPAGES_IN   = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-vulnkey.1
+-MANPAGES      = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
+-MANPAGES_IN   = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
++MANPAGES      = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-vulnkey.1.out
++MANPAGES_IN   = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-vulnkey.1
  MANTYPE               = @MANTYPE@
  
  CONFIGFILES=sshd_config.out ssh_config.out moduli.out
@@ -851,8 +851,8 @@ This patch is up to date with respect to Debian openssh 1:4.7p1-10.
 +      /* We don't need the RNG ourselves, but symbol references here allow
 +       * ld to link us properly.
 +       */
-+      init_rng();
-+      seed_rng();
++      //init_rng();
++      //seed_rng();
 +
 +      while ((opt = getopt(argc, argv, "ahq")) != -1) {
 +              switch (opt) {
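Review bot: The comment kept above these lines still says the symbol references let ld link the program properly, but the new side turns both calls into `//` comments, so the explanation no longer matches the code. Either delete the two commented-out calls together with the stale comment, or replace it with one that states why they are disabled, e.g. `/* RNG init calls disabled for 5.9p1; this tool does not use the RNG itself */` (the reason is inferred from the ssh-rand-helper removal elsewhere in this patch, so confirm it). If the link-order workaround added to openssh.spec in this commit is what replaces these references, naming it in the comment would help whoever rebases the patch next. The function body continues outside the hunk.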
@@ -965,7 +965,7 @@ This patch is up to date with respect to Debian openssh 1:4.7p1-10.
  user_key_allowed(struct passwd *pw, Key *key)
  {
 +      char *fp;
-       int success;
+       u_int success, i;
        char *file;
  
 +      if (blacklisted_key(key)) {
index 1b7f6e9b4e21951f611109c58c53e561c2b9e2fb..2ce97a5c5a6a94f3c11c3a77c3dff81b9776c8e2 100644 (file)
@@ -1,22 +1,21 @@
---- openssh-5.7p1/configure.ac.orig    2011-01-22 00:37:05.000000000 +0200
-+++ openssh-5.7p1/configure.ac 2011-01-24 16:21:01.711393457 +0200
-@@ -3572,14 +3572,14 @@
-                                      [ AC_MSG_RESULT(yes)
-                                        AC_DEFINE(HEIMDAL)
+--- openssh-5.9p1/configure.ac~        2011-08-18 06:48:24.000000000 +0200
++++ openssh-5.9p1/configure.ac 2011-09-06 19:00:46.856319713 +0200
+@@ -3424,13 +3424,13 @@
+                                       [ AC_MSG_RESULT([yes])
+                                        AC_DEFINE([HEIMDAL])
                                         K5LIBS="-lkrb5"
 -                                       K5LIBS="$K5LIBS -lcom_err -lasn1"
 +                                       K5LIBS="$K5LIBS -lasn1"
-                                        AC_CHECK_LIB(roken, net_write,
+                                        AC_CHECK_LIB([roken], [net_write],
                                           [K5LIBS="$K5LIBS -lroken"])
-                                        AC_CHECK_LIB(des, des_cbc_encrypt,
+                                        AC_CHECK_LIB([des], [des_cbc_encrypt],
                                           [K5LIBS="$K5LIBS -ldes"])
-                                      ],
-                                      [ AC_MSG_RESULT(no)
+                                      ], [ AC_MSG_RESULT([no])
 -                                       K5LIBS="-lkrb5 -lk5crypto -lcom_err"
 +                                       K5LIBS="-lkrb5 -lk5crypto"
-                                      ]
-                       )
-                       AC_SEARCH_LIBS(dn_expand, resolv)
+                                      
+                       ])
+                       AC_SEARCH_LIBS([dn_expand], [resolv])
 diff -ur openssh-5.8p1-orig/auth-krb5.c openssh-5.8p1/auth-krb5.c
 --- openssh-5.8p1-orig/auth-krb5.c     2011-04-20 00:30:23.632652510 +0200
 +++ openssh-5.8p1/auth-krb5.c  2011-04-20 00:34:06.218117429 +0200
index 42f3fff5f430623b38c31355590c8b29c7cd77a7..801c681f76a5f12c5a8d63894eda387c19b3033d 100644 (file)
@@ -1,10 +1,11 @@
---- openssh-4.2p1/configure.ac~        2006-01-05 02:09:10.000000000 +0100
-+++ openssh-4.2p1/configure.ac 2006-01-05 02:32:00.000000000 +0100
-@@ -808,6 +808,7 @@
+--- openssh-5.9p1/configure.ac~        2011-09-06 19:31:16.000000000 +0200
++++ openssh-5.9p1/configure.ac 2011-09-06 19:31:55.291791679 +0200
+@@ -1076,6 +1076,7 @@
  
- AC_MSG_CHECKING(for possibly buggy zlib)
- AC_RUN_IFELSE([AC_LANG_SOURCE([[
+ AC_MSG_CHECKING([for possibly buggy zlib])
+ AC_RUN_IFELSE([AC_LANG_PROGRAM([[
 +#include <stdlib.h>
  #include <stdio.h>
  #include <zlib.h>
- int main()
+       ]],
+
index 31e03f7707a8be3bc8659655d23490cc7060311c..22e3bfeb6c1013256180406c688152cca7df6363 100644 (file)
@@ -54,14 +54,14 @@ diff -up openssh-5.8p1/gss-serv-krb5.c.kuserok openssh-5.8p1/gss-serv-krb5.c
 diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c
 --- openssh-5.8p1/servconf.c.kuserok   2011-02-14 09:15:12.000000000 +0100
 +++ openssh-5.8p1/servconf.c   2011-02-14 09:20:22.000000000 +0100
-@@ -142,6 +142,7 @@ initialize_server_options(ServerOptions 
-       options->authorized_principals_file = NULL;
-       options->ip_qos_interactive = -1;
-       options->ip_qos_bulk = -1;
+@@ -133,6 +133,7 @@
+       options->num_accept_env = 0;
+       options->permit_tun = -1;
+       options->num_permitted_opens = -1;
 +      options->use_kuserok = -1;
- #ifdef WITH_LDAP_PUBKEY
-       /* XXX dirty */
-       options->lpk.ld = NULL;
+       options->adm_forced_command = NULL;
+       options->chroot_directory = NULL;
+       options->zero_knowledge_password_authentication = -1;
 @@ -291,6 +292,8 @@ fill_default_server_options(ServerOption
        if (use_privsep == -1)
                use_privsep = 1;
index 010ef8dbb3f35b0cef66210b96b81ec24564ff38..8e2457c2bc7ac4e72a2138012ad0ea2d09c4d60f 100644 (file)
@@ -27,42 +27,41 @@ diff -Nuar --exclude '*.orig' --exclude '*.rej' openssh-5.1p1.orig/auth2-pubkey.
  /* import */
  extern ServerOptions options;
  extern u_char *session_id2;
-@@ -187,10 +191,79 @@
-       u_long linenum = 0;
-       Key *found;
-       char *fp;
+@@ -272,9 +272,97 @@
+ {
+       char *file;
+       u_int i, allowed = 0;
 +#ifdef WITH_LDAP_PUBKEY
 +      ldap_key_t * k;
 +      unsigned int i = 0;
 +#endif
  
-       /* Temporarily use the user's uid. */
        temporarily_use_uid(pw);
  
 +#ifdef WITH_LDAP_PUBKEY
-+      found_key = 0;
-+      /* allocate a new key type */
-+      found = key_new(key->type);
-+ 
-+      /* first check if the options is enabled, then try.. */
++      /* here is the job */
++      key = key_new(KEY_RSA1);
++
 +      if (options.lpk.on) {
-+          debug("[LDAP] trying LDAP first uid=%s",pw->pw_name);
-+          if (ldap_ismember(&options.lpk, pw->pw_name) > 0) {
-+              if ((k = ldap_getuserkey(&options.lpk, pw->pw_name)) != NULL) {
-+                  /* Skip leading whitespace, empty and comment lines. */
++          debug("[LDAP] trying LDAP first uid=%s", pw->pw_name);
++          if ( ldap_ismember(&options.lpk, pw->pw_name) > 0) {
++              if ( (k = ldap_getuserkey(&options.lpk, pw->pw_name)) != NULL) {
 +                  for (i = 0 ; i < k->num ; i++) {
-+                      /* dont forget if multiple keys to reset options */
 +                      char *cp, *options = NULL;
 +
-+                      for (cp = (char *)k->keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++)
++                      for (cp = k->keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++)
 +                          ;
 +                      if (!*cp || *cp == '\n' || *cp == '#')
 +                          continue;
 +
-+                      if (key_read(found, &cp) != 1) {
-+                          /* no key?  check if there are options for this key */
++                      /*
++                      * Check if there are options for this key, and if so,
++                      * save their starting address and skip the option part
++                      * for now.  If there are no options, set the starting
++                      * address to NULL.
++                       */
++                      if (*cp < '0' || *cp > '9') {
 +                          int quoted = 0;
-+                          debug2("[LDAP] user_key_allowed: check options: '%s'", cp);
 +                          options = cp;
 +                          for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
 +                              if (*cp == '\\' && cp[1] == '"')
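Review bot: With WITH_LDAP_PUBKEY defined, the rebased context now declares `u_int i, allowed = 0;` and the LDAP block right below it still adds `unsigned int i = 0;`, which redeclares `i` in the same scope and should not compile; drop the second declaration. The new body also uses `key`, `bits`, `client_n` and `rkey`, none of which are declared in the visible lines, and it parses RSA1 keys with `hostfile_read_key`, which looks like auth-rsa.c logic sitting in the auth2-pubkey.c section of the patch, presumably the state the commit message describes as needing update. Because this code decides whether an LDAP-supplied key authenticates a user, it needs a compile and a login test with LDAP enabled before the package is built with ldap again. The function and the `for` loop continue outside the hunk.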
@@ -70,32 +69,49 @@ diff -Nuar --exclude '*.orig' --exclude '*.rej' openssh-5.1p1.orig/auth2-pubkey.
 +                              else if (*cp == '"')
 +                                  quoted = !quoted;
 +                          }
-+                          /* Skip remaining whitespace. */
-+                          for (; *cp == ' ' || *cp == '\t'; cp++)
-+                              ;
-+                          if (key_read(found, &cp) != 1) {
-+                              debug2("[LDAP] user_key_allowed: advance: '%s'", cp);
-+                              /* still no key?  advance to next line*/
-+                              continue;
-+                          }
-+                      }
++                      } else
++                          options = NULL;
 +
-+                      if (key_equal(found, key) &&
-+                              auth_parse_options(pw, options, file, linenum) == 1) {
-+                          found_key = 1;
-+                          debug("[LDAP] matching key found");
-+                          fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
-+                          verbose("[LDAP] Found matching %s key: %s", key_type(found), fp);
-+
-+                          /* restoring memory */
-+                          ldap_keys_free(k);
-+                          xfree(fp);
-+                          restore_uid();
-+                          key_free(found);
-+                          return found_key;
-+                          break;
++                      /* Parse the key from the line. */
++                      if (hostfile_read_key(&cp, &bits, key) == 0) {
++                          debug("[LDAP] line %d: non ssh1 key syntax", i);
++                          continue;
 +                      }
-+                  }/* end of LDAP for() */
++                      /* cp now points to the comment part. */
++
++                      /* Check if the we have found the desired key (identified by its modulus). */
++                      if (BN_cmp(key->rsa->n, client_n) != 0)
++                          continue;
++
++                      /* check the real bits  */
++                      if (bits != (unsigned int)BN_num_bits(key->rsa->n))
++                          logit("[LDAP] Warning: ldap, line %lu: keysize mismatch: "
++                                  "actual %d vs. announced %d.", (unsigned long)i, BN_num_bits(key->rsa->n), bits);
++
++                      /* We have found the desired key. */
++                      /*
++                      * If our options do not allow this key to be used,
++                      * do not send challenge.
++                       */
++                      if (!auth_parse_options(pw, options, "[LDAP]", (unsigned long) i))
++                          continue;
++
++                      /* break out, this key is allowed */
++                      allowed = 1;
++
++                      /* add the return stuff etc... */
++                      /* Restore the privileged uid. */
++                      restore_uid();
++
++                      /* return key if allowed */
++                      if (allowed && rkey != NULL)
++                          *rkey = key;
++                      else
++                          key_free(key);
++
++                      ldap_keys_free(k);
++                      return (allowed);
++                  }
 +              } else {
 +                  logit("[LDAP] no keys found for '%s'!", pw->pw_name);
 +              }
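Review bot: `key` is allocated with `key_new(KEY_RSA1)` before the `options.lpk.on` test, but it is released only on the successful return path; when LDAP is off, the user is not a member, no keys come back, or no key matches, execution falls through to the authorized-keys loop and the allocation is never freed. Add `key_free(key);` after the LDAP block, or move the allocation inside `if (options.lpk.on)`. On the return path `allowed` was just set to 1, so `if (allowed && rkey != NULL)` reduces to `if (rkey != NULL)`. The call `debug("[LDAP] line %d: non ssh1 key syntax", i)` passes an unsigned `i` to `%d`; `%u` matches the type. The enclosing function starts and ends outside this hunk.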
@@ -104,9 +120,11 @@ diff -Nuar --exclude '*.orig' --exclude '*.rej' openssh-5.1p1.orig/auth2-pubkey.
 +          }
 +      }
 +#endif
-       debug("trying public key file %s", file);
-       f = auth_openkeyfile(file, pw, options.strict_modes);
++
++      /* The authorized keys. */
+       for (i = 0; !allowed && i < options.num_authkeys_files; i++) {
+               file = expand_authorized_keys(
+                   options.authorized_keys_files[i], pw);
 diff -Nuar --exclude '*.orig' --exclude '*.rej' openssh-5.1p1.orig/auth-rsa.c openssh-5.1p1+lpk/auth-rsa.c
 --- openssh-5.1p1.orig/auth-rsa.c      2008-07-02 05:37:30.000000000 -0700
 +++ openssh-5.1p1+lpk/auth-rsa.c       2008-08-23 15:02:47.000000000 -0700
index e45344c0b8069b23b634cfc43b8c8b047e415cad..c8fbdd4a9863b09fd2dd58ce0070dd8075053aab 100644 (file)
@@ -10,13 +10,14 @@ diff -urN openssh-3.0p1.orig/configure.ac openssh-3.0p1/configure.ac
        case `uname -r` in
        1.*|2.0.*)
                AC_DEFINE(BROKEN_CMSG_TYPE)
---- openssh-3.2.3p1/configure.ac.orig  Sat May 25 13:02:18 2002
-+++ openssh-3.2.3p1/configure.ac       Sat May 25 13:14:58 2002
-@@ -360,7 +359,6 @@
-       util.h utime.h utmp.h utmpx.h)
+--- openssh-5.9p1/configure.ac~        2011-09-06 19:01:09.000000000 +0200
++++ openssh-5.9p1/configure.ac 2011-09-06 19:02:14.816070290 +0200
+@@ -972,7 +972,6 @@
  
+ dnl Checks for header files.
  # Checks for libraries.
--AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match))
- AC_CHECK_FUNC(setsockopt, , AC_CHECK_LIB(socket, setsockopt))
+-AC_CHECK_FUNC([yp_match], , [AC_CHECK_LIB([nsl], [yp_match])])
+ AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
  
- dnl SCO OS3 needs this for libwrap
+ dnl IRIX and Solaris 2.5.1 have dirname() in libgen
+
index 591c47f91c8c9a155cc38b8593f25d0ff2debaf8..c05a1b64b0dfc59e143dfd354e531a42c77553f1 100644 (file)
@@ -1,11 +1,12 @@
---- openssh-4.4p1/configure.ac~        2006-09-28 17:40:25.601119384 +0300
-+++ openssh-4.4p1/configure.ac 2006-09-28 17:41:49.162994417 +0300
-@@ -2056,7 +2056,7 @@
+--- openssh-5.9p1/configure.ac~        2011-09-06 19:02:28.000000000 +0200
++++ openssh-5.9p1/configure.ac 2011-09-06 19:03:14.340571364 +0200
+@@ -2419,7 +2419,7 @@
  
                        PAM_MSG="yes"
  
 -                      SSHDLIBS="$SSHDLIBS -lpam"
 +                      SSHDLIBS="$SSHDLIBS -lpam -lpam_misc"
-                       AC_DEFINE(USE_PAM, 1,
+                       AC_DEFINE([USE_PAM], [1],
                                [Define if you want to enable PAM support])
  
+
index 9023c96164c3dd09d22c03d403614772295168d4..580eaba02e4243ecd0e52b5434d52f65621666fb 100644 (file)
@@ -28,13 +28,13 @@ Summary(pt_BR.UTF-8):       Implementação livre do SSH
 Summary(ru.UTF-8):     OpenSSH - свободная реализация протокола Secure Shell (SSH)
 Summary(uk.UTF-8):     OpenSSH - вільна реалізація протоколу Secure Shell (SSH)
 Name:          openssh
-Version:       5.8p2
-Release:       3
+Version:       5.9p1
+Release:       0.1
 Epoch:         2
 License:       BSD
 Group:         Applications/Networking
 Source0:       ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz
-# Source0-md5: 88a4a83b0e0e60cd545430d4e4bd7e0c
+# Source0-md5: b50a499fa02616a47984b1920848b565
 Source1:       http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2
 # Source1-md5: 66943d481cc422512b537bcc2c7400d1
 Source2:       %{name}d.init
@@ -513,6 +513,9 @@ install -p %{SOURCE2} sshd.init
 %{__sed} -i -e '/ecdsa/d' sshd.init
 %endif
 
+# hack since arc4random from openbsd-compat needs symbols from libssh and vice versa
+sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh#g' Makefile*
+
 %build
 cp /usr/share/automake/config.sub .
 %{__aclocal}
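Review bot: The added `sed` rewrites every `Makefile*` and succeeds even when the `-lssh -lopenbsd-compat` pattern is absent, so a later upstream change to the link line would silently drop the workaround and the failure would only show up at link time. Use `%{__sed}` as the line just above does, and consider a guard before the substitution, e.g. `grep -q -- '-lssh -lopenbsd-compat' Makefile* || exit 1`. Carrying the change as a small patch file instead would make it fail loudly in %prep as soon as it stops applying.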
@@ -660,7 +663,7 @@ fi
 
 %files
 %defattr(644,root,root,755)
-%doc *.RNG TODO README OVERVIEW CREDITS Change*
+%doc TODO README OVERVIEW CREDITS Change*
 %attr(755,root,root) %{_bindir}/ssh-key*
 %attr(755,root,root) %{_bindir}/ssh-vulnkey*
 %{_mandir}/man1/ssh-key*.1*