From 1b51f874ed56f3a627c1834bf2be01ecb8344a0b Mon Sep 17 00:00:00 2001 
From: Anas Nashif
Date: Tue, 12 Feb 2013 06:01:40 -0800
Subject: [PATCH] remove integrated patches
---
packaging/converter-linking.patch | 11 -
packaging/openssh-5.9p1-audit.patch | 236 ------------------
packaging/openssh-5.9p1-blocksigalrm.diff | 43 ----
packaging/openssh-5.9p1-default-protocol.diff | 13 -
packaging/openssh-5.9p1-eal3.diff | 45 ----
packaging/openssh-5.9p1-engines.diff | 140 -----------
packaging/openssh-5.9p1-gssapimitm.patch | 259 -------------------
packaging/openssh-5.9p1-homechroot.patch | 277 ---------------------
packaging/openssh-5.9p1-host_ident.diff | 16 --
packaging/openssh-5.9p1-pam-fix2.diff | 22 --
packaging/openssh-5.9p1-pam-fix3.diff | 15 --
packaging/openssh-5.9p1-pts.diff | 24 --
packaging/openssh-5.9p1-saveargv-fix.diff | 25 --
packaging/openssh-5.9p1-send_locale.diff | 31 ---
.../openssh-5.9p1-sshconfig-knownhostschanges.diff | 19 --
packaging/openssh-5.9p1-sshd_config.diff | 51 ----
packaging/openssh-5.9p1-xauth.diff | 45 ----
packaging/openssh-5.9p1-xauthlocalhostname.diff | 78 ------
packaging/openssh-nocrazyabicheck.patch | 17 --
packaging/openssh.spec | 36 ---
20 files changed, 1403 deletions(-)
delete mode 100644 packaging/converter-linking.patch
delete mode 100644 packaging/openssh-5.9p1-audit.patch
delete mode 100644 packaging/openssh-5.9p1-blocksigalrm.diff
delete mode 100644 packaging/openssh-5.9p1-default-protocol.diff
delete mode 100644 packaging/openssh-5.9p1-eal3.diff
delete mode 100644 packaging/openssh-5.9p1-engines.diff
delete mode 100644 packaging/openssh-5.9p1-gssapimitm.patch
delete mode 100644 packaging/openssh-5.9p1-homechroot.patch
delete mode 100644 packaging/openssh-5.9p1-host_ident.diff
delete mode 100644 packaging/openssh-5.9p1-pam-fix2.diff
delete mode 100644 packaging/openssh-5.9p1-pam-fix3.diff
delete mode 100644 packaging/openssh-5.9p1-pts.diff
delete mode 100644 packaging/openssh-5.9p1-saveargv-fix.diff
delete mode 100644 packaging/openssh-5.9p1-send_locale.diff
delete mode 100644 
packaging/openssh-5.9p1-sshconfig-knownhostschanges.diff
delete mode 100644 packaging/openssh-5.9p1-sshd_config.diff
delete mode 100644 packaging/openssh-5.9p1-xauth.diff
delete mode 100644 packaging/openssh-5.9p1-xauthlocalhostname.diff
delete mode 100644 packaging/openssh-nocrazyabicheck.patch
diff --git a/packaging/converter-linking.patch b/packaging/converter-linking.patch
deleted file mode 100644
index 9919275..0000000
--- a/packaging/converter-linking.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- converter/Makefile.orig
-+++ converter/Makefile
-@@ -8,7 +8,7 @@ ssh-keyconverter.o: ssh-keyconverter.c .
- gcc $(RPM_OPT_FLAGS) -c -I../ $< -o $@
- 
- ssh-keyconverter: ssh-keyconverter.o ../libssh.a ../openbsd-compat/libopenbsd-compat.a
-- gcc $< -L../ -L../openbsd-compat/ -lssh -lopenbsd-compat -lssh -lpam -ldl -lwrap -lutil -lz -lnsl -lcrypt -lssl -o $@
-+ gcc -Wl,--no-as-needed $(RPM_OPT_FLAGS) -L../ -L../openbsd-compat/ $< -lssl -lcrypto -lssh -lopenbsd-compat -lssl -lssh -lpam -ldl -lwrap -lutil -lz -lnsl -lcrypt -o $@
- 
- install: ssh-keyconverter ssh-keyconverter.1
- if [ ! -d $(DESTDIR)$(bindir) ]; then install -d -m 755 $(DESTDIR)$(bindir); fi
diff --git a/packaging/openssh-5.9p1-audit.patch b/packaging/openssh-5.9p1-audit.patch
deleted file mode 100644
index ddf6174..0000000
--- a/packaging/openssh-5.9p1-audit.patch
+++ /dev/null
@@ -1,236 +0,0 @@ -# add support for Linux audit (FATE #120269) -================================================================================ -Index: openssh-5.8p1/Makefile.in -=================================================================== ---- openssh-5.8p1.orig/Makefile.in -+++ openssh-5.8p1/Makefile.in -@@ -47,6 +47,7 @@ CFLAGS=@CFLAGS@ - CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ - LIBS=@LIBS@ - SSHLIBS=@SSHLIBS@ -+LIBAUDIT=@LIBAUDIT@ - SSHDLIBS=@SSHDLIBS@ - LIBEDIT=@LIBEDIT@ - AR=@AR@ -@@ -146,7 +147,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SS - $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) - - sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) -- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) -+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(LIBAUDIT) - - scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o - $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -Index: openssh-5.8p1/auth.c -=================================================================== ---- openssh-5.8p1.orig/auth.c -+++ openssh-5.8p1/auth.c -@@ -293,6 +293,12 @@ auth_log(Authctxt *authctxt, int authent - get_canonical_hostname(options.use_dns), "ssh", &loginmsg); - # endif - #endif -+#if HAVE_LINUX_AUDIT -+ if (authenticated == 0 && !authctxt->postponed) { -+ linux_audit_record_event(-1, authctxt->user, NULL, -+ get_remote_ipaddr(), "sshd", 0); -+ } -+#endif - #ifdef SSH_AUDIT_EVENTS - if (authenticated == 0 && !authctxt->postponed) - audit_event(audit_classify_auth(method)); -@@ -592,6 +598,10 @@ getpwnamallow(const char *user) - record_failed_login(user, - get_canonical_hostname(options.use_dns), "ssh"); - #endif -+#ifdef HAVE_LINUX_AUDIT -+ linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(), -+ "sshd", 0); -+#endif - #ifdef SSH_AUDIT_EVENTS - audit_event(SSH_INVALID_USER); - #endif /* SSH_AUDIT_EVENTS */ -Index: 
openssh-5.8p1/config.h.in -=================================================================== ---- openssh-5.8p1.orig/config.h.in -+++ openssh-5.8p1/config.h.in -@@ -1460,6 +1460,9 @@ - /* Define if you want SELinux support. */ - #undef WITH_SELINUX - -+/* Define if you want Linux audit support. */ -+#undef HAVE_LINUX_AUDIT -+ - /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most - significant byte first (like Motorola and SPARC, unlike Intel). */ - #if defined AC_APPLE_UNIVERSAL_BUILD -Index: openssh-5.8p1/configure.ac -=================================================================== ---- openssh-5.8p1.orig/configure.ac -+++ openssh-5.8p1/configure.ac -@@ -3522,6 +3522,20 @@ AC_ARG_WITH(selinux, - AC_SUBST([SSHLIBS]) - AC_SUBST([SSHDLIBS]) - -+# Check whether user wants Linux audit support -+LINUX_AUDIT_MSG="no" -+LIBAUDIT="" -+AC_ARG_WITH([linux-audit], -+ [ --with-linux-audit Enable Linux audit support], -+ [ if test "x$withval" != "xno" ; then -+ AC_DEFINE([HAVE_LINUX_AUDIT],[1],[Define if you want Linux audit support.]) -+ LINUX_AUDIT_MSG="yes" -+ AC_CHECK_HEADERS([libaudit.h]) -+ LIBAUDIT="-laudit" -+ fi -+ ]) -+AC_SUBST([LIBAUDIT]) -+ - # Check whether user wants Kerberos 5 support - KRB5_MSG="no" - AC_ARG_WITH([kerberos5], -@@ -4316,6 +4330,7 @@ echo " PAM support - echo " OSF SIA support: $SIA_MSG" - echo " KerberosV support: $KRB5_MSG" - echo " SELinux support: $SELINUX_MSG" -+echo " Linux audit support: $LINUX_AUDIT_MSG" - echo " Smartcard support: $SCARD_MSG" - echo " S/KEY support: $SKEY_MSG" - echo " TCP Wrappers support: $TCPW_MSG" -Index: openssh-5.8p1/loginrec.c -=================================================================== ---- openssh-5.8p1.orig/loginrec.c -+++ openssh-5.8p1/loginrec.c -@@ -176,6 +176,10 @@ - #include "auth.h" - #include "buffer.h" - -+#ifdef HAVE_LINUX_AUDIT -+# include -+#endif -+ - #ifdef HAVE_UTIL_H - # include - #endif -@@ -202,6 +206,9 @@ int utmp_write_entry(struct logininfo *l - int 
utmpx_write_entry(struct logininfo *li); - int wtmp_write_entry(struct logininfo *li); - int wtmpx_write_entry(struct logininfo *li); -+#ifdef HAVE_LINUX_AUDIT -+int linux_audit_write_entry(struct logininfo *li); -+#endif - int lastlog_write_entry(struct logininfo *li); - int syslogin_write_entry(struct logininfo *li); - -@@ -442,6 +449,10 @@ login_write(struct logininfo *li) - - /* set the timestamp */ - login_set_current_time(li); -+#ifdef HAVE_LINUX_AUDIT -+ if (linux_audit_write_entry(li) == 0) -+ fatal("linux_audit_write_entry failed: %s", strerror(errno)); -+#endif - #ifdef USE_LOGIN - syslogin_write_entry(li); - #endif -@@ -1406,6 +1417,87 @@ wtmpx_get_entry(struct logininfo *li) - } - #endif /* USE_WTMPX */ - -+#ifdef HAVE_LINUX_AUDIT -+static void -+_audit_hexscape(const char *what, char *where, unsigned int size) -+{ -+ const char *ptr = what; -+ const char *hex = "0123456789ABCDEF"; -+ -+ while (*ptr) { -+ if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) { -+ unsigned int i; -+ ptr = what; -+ for (i = 0; *ptr && i+2 < size; i += 2) { -+ where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */ -+ where[i+1] = hex[(unsigned)*ptr & 0x0F]; /* Lower nibble */ -+ ptr++; -+ } -+ where[i] = '\0'; -+ return; -+ } -+ ptr++; -+ } -+ where[0] = '"'; -+ if ((unsigned)(ptr - what) < size - 3) -+ { -+ size = ptr - what + 3; -+ } -+ strncpy(where + 1, what, size - 3); -+ where[size-2] = '"'; -+ where[size-1] = '\0'; -+} -+ -+#define AUDIT_LOG_SIZE 128 -+#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8) -+ -+int -+linux_audit_record_event(int uid, const char *username, -+ const char *hostname, const char *ip, const char *ttyn, int success) -+{ -+ char buf[AUDIT_LOG_SIZE]; -+ int audit_fd, rc; -+ -+ audit_fd = audit_open(); -+ if (audit_fd < 0) { -+ if (errno == EINVAL || errno == EPROTONOSUPPORT || -+ errno == EAFNOSUPPORT) -+ return 1; /* No audit support in kernel */ -+ else -+ return 0; /* Must prevent login */ -+ } -+ if (username == NULL) -+ snprintf(buf, 
sizeof(buf), "uid=%d", uid); -+ else { -+ char encoded[AUDIT_ACCT_SIZE]; -+ _audit_hexscape(username, encoded, sizeof(encoded)); -+ snprintf(buf, sizeof(buf), "acct=%s", encoded); -+ } -+ rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN, -+ buf, hostname, ip, ttyn, success); -+ close(audit_fd); -+ if (rc >= 0) -+ return 1; -+ else -+ return 0; -+} -+ -+int -+linux_audit_write_entry(struct logininfo *li) -+{ -+ switch(li->type) { -+ case LTYPE_LOGIN: -+ return (linux_audit_record_event(li->uid, NULL, li->hostname, -+ NULL, li->line, 1)); -+ case LTYPE_LOGOUT: -+ return (1); /* We only care about logins */ -+ default: -+ logit("%s: invalid type field", __func__); -+ return (0); -+ } -+} -+#endif /* HAVE_LINUX_AUDIT */ -+ - /** - ** Low-level libutil login() functions - **/ -Index: openssh-5.8p1/loginrec.h -=================================================================== ---- openssh-5.8p1.orig/loginrec.h -+++ openssh-5.8p1/loginrec.h -@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch - char *line_abbrevname(char *dst, const char *src, int dstsize); - - void record_failed_login(const char *, const char *, const char *); -+#ifdef HAVE_LINUX_AUDIT -+int linux_audit_record_event(int uid, const char *username, -+ const char *hostname, const char *ip, const char *ttyn, int success); -+#endif /* HAVE_LINUX_AUDIT */ - - #endif /* _HAVE_LOGINREC_H_ */ diff --git a/packaging/openssh-5.9p1-blocksigalrm.diff b/packaging/openssh-5.9p1-blocksigalrm.diff deleted file mode 100644 index 0a65959..0000000 --- a/packaging/openssh-5.9p1-blocksigalrm.diff +++ /dev/null 
@@ -1,43 +0,0 @@ -Index: log.c -=================================================================== ---- log.c.orig -+++ log.c -@@ -51,6 +51,7 @@ - - #include "xmalloc.h" - #include "log.h" -+#include - - static LogLevel log_level = SYSLOG_LEVEL_INFO; - static int log_on_stderr = 1; -@@ -336,6 +337,7 @@ do_log(LogLevel level, const char *fmt, - char fmtbuf[MSGBUFSIZ]; - char *txt = NULL; - int pri = LOG_INFO; -+ sigset_t nset, oset; - int saved_errno = errno; - log_handler_fn *tmp_handler; - -@@ -387,6 +389,14 @@ do_log(LogLevel level, const char *fmt, - snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf); - write(STDERR_FILENO, msgbuf, strlen(msgbuf)); - } else { -+ /* Prevent a race between the grace_alarm -+ * which writes a log message and terminates -+ * and main sshd code that leads to deadlock -+ * as syslog is not async safe. -+ */ -+ sigemptyset(&nset); -+ sigaddset(&nset, SIGALRM); -+ sigprocmask(SIG_BLOCK, &nset, &oset); - #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) - openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata); - syslog_r(pri, &sdata, "%.500s", fmtbuf); -@@ -396,6 +406,7 @@ do_log(LogLevel level, const char *fmt, - syslog(pri, "%.500s", fmtbuf); - closelog(); - #endif -+ sigprocmask(SIG_SETMASK, &oset, NULL); - } - errno = saved_errno; - } diff --git a/packaging/openssh-5.9p1-default-protocol.diff b/packaging/openssh-5.9p1-default-protocol.diff deleted file mode 100644 index 2cbf554..0000000 --- a/packaging/openssh-5.9p1-default-protocol.diff +++ /dev/null @@ -1,13 +0,0 @@ -Index: ssh_config -=================================================================== ---- ssh_config.orig -+++ ssh_config -@@ -46,7 +46,7 @@ ForwardX11Trusted yes - # IdentityFile ~/.ssh/id_rsa - # IdentityFile ~/.ssh/id_dsa - # Port 22 --# Protocol 2,1 -+ Protocol 2 - # Cipher 3des - # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc - # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 
diff --git a/packaging/openssh-5.9p1-eal3.diff b/packaging/openssh-5.9p1-eal3.diff deleted file mode 100644 index e4286ca..0000000 --- a/packaging/openssh-5.9p1-eal3.diff +++ /dev/null @@ -1,45 +0,0 @@ -Index: openssh-5.8p1/sshd.8 -=================================================================== ---- openssh-5.8p1.orig/sshd.8 -+++ openssh-5.8p1/sshd.8 -@@ -855,7 +855,7 @@ Contains Diffie-Hellman groups used for - The file format is described in - .Xr moduli 5 . - .Pp --.It Pa /etc/motd -+.It Pa /etc/lib/motd - See - .Xr motd 5 . - .Pp -@@ -868,7 +868,7 @@ are displayed to anyone trying to log in - refused. - The file should be world-readable. - .Pp --.It Pa /etc/shosts.equiv -+.It Pa /etc/ssh/shosts.equiv - This file is used in exactly the same way as - .Pa hosts.equiv , - but allows host-based authentication without permitting login with -@@ -947,8 +947,7 @@ The content of this file is not sensitiv - .Xr ssh-keyscan 1 , - .Xr chroot 2 , - .Xr hosts_access 5 , --.Xr login.conf 5 , --.Xr moduli 5 , -+.Xr login.defs 5 , - .Xr sshd_config 5 , - .Xr inetd 8 , - .Xr sftp-server 8 -Index: openssh-5.8p1/sshd_config.5 -=================================================================== ---- openssh-5.8p1.orig/sshd_config.5 -+++ openssh-5.8p1/sshd_config.5 -@@ -497,7 +497,7 @@ or - .Pp - .Pa /etc/hosts.equiv - and --.Pa /etc/shosts.equiv -+.Pa /etc/ssh/shosts.equiv - are still used. - The default is - .Dq yes . diff --git a/packaging/openssh-5.9p1-engines.diff b/packaging/openssh-5.9p1-engines.diff deleted file mode 100644 index f105eec..0000000 --- a/packaging/openssh-5.9p1-engines.diff +++ /dev/null 
@@ -1,140 +0,0 @@ -Index: openssh-5.8p1/ssh-add.c -=================================================================== ---- openssh-5.8p1.orig/ssh-add.c -+++ openssh-5.8p1/ssh-add.c -@@ -43,6 +43,7 @@ - - #include - #include "openbsd-compat/openssl-compat.h" -+#include - - #include - #include -@@ -377,6 +378,10 @@ main(int argc, char **argv) - - OpenSSL_add_all_algorithms(); - -+ /* Init available hardware crypto engines. */ -+ ENGINE_load_builtin_engines(); -+ ENGINE_register_all_complete(); -+ - /* At first, get a connection to the authentication agent. */ - ac = ssh_get_authentication_connection(); - if (ac == NULL) { -Index: openssh-5.8p1/ssh-agent.c -=================================================================== ---- openssh-5.8p1.orig/ssh-agent.c -+++ openssh-5.8p1/ssh-agent.c -@@ -52,6 +52,7 @@ - #include - #include - #include "openbsd-compat/openssl-compat.h" -+#include - - #include - #include -@@ -1153,6 +1154,10 @@ main(int ac, char **av) - - OpenSSL_add_all_algorithms(); - -+ /* Init available hardware crypto engines. */ -+ ENGINE_load_builtin_engines(); -+ ENGINE_register_all_complete(); -+ - __progname = ssh_get_progname(av[0]); - seed_rng(); - -Index: openssh-5.8p1/ssh-keygen.c -=================================================================== ---- openssh-5.8p1.orig/ssh-keygen.c -+++ openssh-5.8p1/ssh-keygen.c -@@ -22,6 +22,7 @@ - #include - #include - #include "openbsd-compat/openssl-compat.h" -+#include - - #include - #include -@@ -1815,6 +1816,11 @@ main(int argc, char **argv) - __progname = ssh_get_progname(argv[0]); - - OpenSSL_add_all_algorithms(); -+ -+ /* Init available hardware crypto engines. 
*/ -+ ENGINE_load_builtin_engines(); -+ ENGINE_register_all_complete(); -+ - log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); - - seed_rng(); -Index: openssh-5.8p1/ssh-keysign.c -=================================================================== ---- openssh-5.8p1.orig/ssh-keysign.c -+++ openssh-5.8p1/ssh-keysign.c -@@ -38,6 +38,7 @@ - #include - #include - #include -+#include - - #include "xmalloc.h" - #include "log.h" -@@ -195,6 +196,11 @@ main(int argc, char **argv) - fatal("could not open any host key"); - - OpenSSL_add_all_algorithms(); -+ -+ /* Init available hardware crypto engines. */ -+ ENGINE_load_builtin_engines(); -+ ENGINE_register_all_complete(); -+ - for (i = 0; i < 256; i++) - rnd[i] = arc4random(); - RAND_seed(rnd, sizeof(rnd)); -Index: openssh-5.8p1/ssh.c -=================================================================== ---- openssh-5.8p1.orig/ssh.c -+++ openssh-5.8p1/ssh.c -@@ -75,6 +75,7 @@ - #include - #include "openbsd-compat/openssl-compat.h" - #include "openbsd-compat/sys-queue.h" -+#include - - #include "xmalloc.h" - #include "ssh.h" -@@ -601,6 +602,10 @@ main(int ac, char **av) - OpenSSL_add_all_algorithms(); - ERR_load_crypto_strings(); - -+ /* Init available hardware crypto engines. */ -+ ENGINE_load_builtin_engines(); -+ ENGINE_register_all_complete(); -+ - /* Initialize the command to execute on remote host. */ - buffer_init(&command); - -Index: openssh-5.8p1/sshd.c -=================================================================== ---- openssh-5.8p1.orig/sshd.c -+++ openssh-5.8p1/sshd.c -@@ -77,6 +77,7 @@ - #include - #include - #include "openbsd-compat/openssl-compat.h" -+#include - - #ifdef HAVE_SECUREWARE - #include -@@ -1474,6 +1475,10 @@ main(int ac, char **av) - - OpenSSL_add_all_algorithms(); - -+ /* Init available hardware crypto engines. 
*/ -+ ENGINE_load_builtin_engines(); -+ ENGINE_register_all_complete(); -+ - /* - * Force logging to stderr until we have loaded the private host - * key (unless started from inetd) diff --git a/packaging/openssh-5.9p1-gssapimitm.patch b/packaging/openssh-5.9p1-gssapimitm.patch deleted file mode 100644 index 93bfb7b..0000000 --- a/packaging/openssh-5.9p1-gssapimitm.patch +++ /dev/null 
@@ -1,259 +0,0 @@ -The patch below adds support for the deprecated 'gssapi' authentication -mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included -in this release. The use of 'gssapi' is deprecated due to the presence of -potential man-in-the-middle attacks, which 'gssapi-with-mic' is not -susceptible to. - -To use the patch apply it to a OpenSSH 3.8p1 source tree. After compiling, -backwards compatibility may be obtained by supplying the -'GssapiEnableMitmAttack yes' option to either the client or server. - -It should be noted that this patch is being made available purely as a means -of easing the process of moving to OpenSSH 3.8p1. Any new installations are -recommended to use the 'gssapi-with-mic' mechanism. Existing installations -are encouraged to upgrade as soon as possible. - -Index: auth2-gss.c -=================================================================== ---- auth2-gss.c.orig -+++ auth2-gss.c -@@ -177,6 +177,15 @@ input_gssapi_token(int type, u_int32_t p - dispatch_set( - SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, - &input_gssapi_exchange_complete); -+ -+ /* -+ * Old style 'gssapi' didn't have the GSSAPI_MIC -+ * and went straight to sending exchange_complete -+ */ -+ if (options.gss_enable_mitm) -+ dispatch_set( -+ SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, -+ &input_gssapi_exchange_complete); - } - } - -@@ -298,4 +307,10 @@ Authmethod method_gssapi = { - &options.gss_authentication - }; - -+Authmethod method_gssapi_old = { -+ "gssapi", -+ userauth_gssapi, -+ &options.gss_enable_mitm -+}; -+ - #endif /* GSSAPI */ -Index: auth2.c -=================================================================== ---- auth2.c.orig -+++ auth2.c -@@ -70,6 +70,7 @@ extern Authmethod method_kbdint; - extern Authmethod method_hostbased; - #ifdef GSSAPI - extern Authmethod method_gssapi; -+extern Authmethod method_gssapi_old; - #endif - #ifdef JPAKE - extern Authmethod method_jpake; -@@ -80,6 +81,7 @@ Authmethod *authmethods[] = { - 
&method_pubkey, - #ifdef GSSAPI - &method_gssapi, -+ &method_gssapi_old, - #endif - #ifdef JPAKE - &method_jpake, -Index: readconf.c -=================================================================== ---- readconf.c.orig -+++ readconf.c -@@ -128,7 +128,7 @@ typedef enum { - oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, - oClearAllForwardings, oNoHostAuthenticationForLocalhost, - oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, -- oAddressFamily, oGssAuthentication, oGssDelegateCreds, -+ oAddressFamily, oGssAuthentication, oGssDelegateCreds, oGssEnableMITM, - oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, - oSendEnv, oControlPath, oControlMaster, oControlPersist, - oHashKnownHosts, -@@ -170,9 +170,11 @@ static struct { - #if defined(GSSAPI) - { "gssapiauthentication", oGssAuthentication }, - { "gssapidelegatecredentials", oGssDelegateCreds }, -+ { "gssapienablemitmattack", oGssEnableMITM }, - #else - { "gssapiauthentication", oUnsupported }, - { "gssapidelegatecredentials", oUnsupported }, -+ { "gssapienablemitmattack", oUnsupported }, - #endif - { "fallbacktorsh", oDeprecated }, - { "usersh", oDeprecated }, -@@ -483,6 +485,10 @@ parse_flag: - intptr = &options->gss_deleg_creds; - goto parse_flag; - -+ case oGssEnableMITM: -+ intptr = &options->gss_enable_mitm; -+ goto parse_flag; -+ - case oBatchMode: - intptr = &options->batch_mode; - goto parse_flag; -@@ -1093,6 +1099,7 @@ initialize_options(Options * options) - options->challenge_response_authentication = -1; - options->gss_authentication = -1; - options->gss_deleg_creds = -1; -+ options->gss_enable_mitm = -1; - options->password_authentication = -1; - options->kbd_interactive_authentication = -1; - options->kbd_interactive_devices = NULL; -@@ -1195,6 +1202,8 @@ fill_default_options(Options * options) - options->gss_authentication = 0; - if (options->gss_deleg_creds == -1) - options->gss_deleg_creds = 0; -+ if (options->gss_enable_mitm == -1) -+ options->gss_enable_mitm = 
0; - if (options->password_authentication == -1) - options->password_authentication = 1; - if (options->kbd_interactive_authentication == -1) -Index: readconf.h -=================================================================== ---- readconf.h.orig -+++ readconf.h -@@ -47,6 +47,7 @@ typedef struct { - /* Try S/Key or TIS, authentication. */ - int gss_authentication; /* Try GSS authentication */ - int gss_deleg_creds; /* Delegate GSS credentials */ -+ int gss_enable_mitm; /* Enable old style gssapi auth */ - int password_authentication; /* Try password - * authentication. */ - int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ -Index: servconf.c -=================================================================== ---- servconf.c.orig -+++ servconf.c -@@ -98,6 +98,7 @@ initialize_server_options(ServerOptions - options->kerberos_get_afs_token = -1; - options->gss_authentication=-1; - options->gss_cleanup_creds = -1; -+ options->gss_enable_mitm = -1; - options->password_authentication = -1; - options->kbd_interactive_authentication = -1; - options->challenge_response_authentication = -1; -@@ -228,6 +229,8 @@ fill_default_server_options(ServerOption - options->gss_authentication = 0; - if (options->gss_cleanup_creds == -1) - options->gss_cleanup_creds = 1; -+ if (options->gss_enable_mitm == -1) -+ options->gss_enable_mitm = 0; - if (options->password_authentication == -1) - options->password_authentication = 1; - if (options->kbd_interactive_authentication == -1) -@@ -322,7 +325,7 @@ typedef enum { - sBanner, sUseDNS, sHostbasedAuthentication, - sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, - sClientAliveCountMax, sAuthorizedKeysFile, -- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, -+ sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssEnableMITM, - sMatch, sPermitOpen, sForceCommand, sChrootDirectory, - sUsePrivilegeSeparation, sAllowAgentForwarding, - sZeroKnowledgePasswordAuthentication, 
sHostCertificate, -@@ -386,9 +389,11 @@ static struct { - #ifdef GSSAPI - { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, - { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, -+ { "gssapienablemitmattack", sGssEnableMITM }, - #else - { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, - { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, -+ { "gssapienablemitmattack", sUnsupported }, - #endif - { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, - { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, -@@ -948,6 +953,10 @@ process_server_config_line(ServerOptions - intptr = &options->gss_cleanup_creds; - goto parse_flag; - -+ case sGssEnableMITM: -+ intptr = &options->gss_enable_mitm; -+ goto parse_flag; -+ - case sPasswordAuthentication: - intptr = &options->password_authentication; - goto parse_flag; -Index: servconf.h -=================================================================== ---- servconf.h.orig -+++ servconf.h -@@ -98,6 +98,7 @@ typedef struct { - * authenticated with Kerberos. */ - int gss_authentication; /* If true, permit GSSAPI authentication */ - int gss_cleanup_creds; /* If true, destroy cred cache on logout */ -+ int gss_enable_mitm; /* If true, enable old style GSSAPI */ - int password_authentication; /* If true, permit password - * authentication. */ - int kbd_interactive_authentication; /* If true, permit */ -Index: ssh_config -=================================================================== ---- ssh_config.orig -+++ ssh_config -@@ -54,5 +54,15 @@ ForwardX11Trusted yes - # Tunnel no - # TunnelDevice any:any - # PermitLocalCommand no -+# GSSAPIAuthentication no -+# GSSAPIDelegateCredentials no -+ -+# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication -+# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included -+# in this release. 
The use of 'gssapi' is deprecated due to the presence of -+# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to. -+# GSSAPIEnableMITMAttack no -+ -+>>>>>>> - # VisualHostKey no - # ProxyCommand ssh -q -W %h:%p gateway.example.com -Index: sshconnect2.c -=================================================================== ---- sshconnect2.c.orig -+++ sshconnect2.c -@@ -324,6 +324,10 @@ Authmethod authmethods[] = { - NULL, - &options.gss_authentication, - NULL}, -+ {"gssapi", -+ userauth_gssapi, -+ &options.gss_enable_mitm, -+ NULL}, - #endif - {"hostbased", - userauth_hostbased, -@@ -701,7 +705,9 @@ process_gssapi_token(void *ctxt, gss_buf - - if (status == GSS_S_COMPLETE) { - /* send either complete or MIC, depending on mechanism */ -- if (!(flags & GSS_C_INTEG_FLAG)) { -+ -+ if (strcmp(authctxt->method->name,"gssapi")==0 || -+ (!(flags & GSS_C_INTEG_FLAG))) { - packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE); - packet_send(); - } else { -Index: sshd_config -=================================================================== ---- sshd_config.orig -+++ sshd_config -@@ -73,6 +73,12 @@ PasswordAuthentication no - #GSSAPIAuthentication no - #GSSAPICleanupCredentials yes - -+# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication -+# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included -+# in this release. The use of 'gssapi' is deprecated due to the presence of -+# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to. -+#GSSAPIEnableMITMAttack no -+ - # Set this to 'yes' to enable PAM authentication, account processing, - # and session processing. If this is enabled, PAM authentication will - # be allowed through the ChallengeResponseAuthentication and diff --git a/packaging/openssh-5.9p1-homechroot.patch b/packaging/openssh-5.9p1-homechroot.patch deleted file mode 100644 index 5978168..0000000 
--- a/packaging/openssh-5.9p1-homechroot.patch +++ /dev/null 
@@ -1,277 +0,0 @@ -Index: chrootenv.h -=================================================================== ---- /dev/null -+++ chrootenv.h -@@ -0,0 +1,32 @@ -+/* $OpenBSD: session.h,v 1.30 2008/05/08 12:21:16 djm Exp $ */ -+ -+/* -+ * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-+ */
-+#ifndef CHROOTENV_H
-+#define CHROOTENV_H
-+
-+extern int chroot_no_tree;
-+
-+#endif
-+
-Index: session.c
-===================================================================
---- session.c.orig
-+++ session.c
-@@ -120,6 +120,8 @@ void do_child(Session *, const char *);
- void do_motd(void);
- int check_quietlogin(Session *, const char *);
-
-+int chroot_no_tree = 0;
-+
- static void do_authenticated1(Authctxt *);
- static void do_authenticated2(Authctxt *);
-
-@@ -808,6 +810,11 @@ do_exec(Session *s, const char *command)
- debug("Forced command (key option) '%.900s'", command);
- }
-
-+ if ((s->is_subsystem != SUBSYSTEM_INT_SFTP) && chroot_no_tree) {
-+ logit("You aren't welcomed, go away!");
-+ exit (1);
-+ }
-+
- #ifdef SSH_AUDIT_EVENTS
- if (command != NULL)
- PRIVSEP(audit_run_command(command));
-@@ -1421,6 +1428,63 @@ do_nologin(struct passwd *pw)
- }
-
- /*
-+ * Test if filesystem is mounted nosuid and nodev
-+ */
-+
-+static void
-+test_nosuid (char * path, dev_t fs)
-+{
-+ FILE *f;
-+ struct stat st;
-+ char buf[4096], *s, *on, *mountpoint, *opt;
-+ int nodev, nosuid;
-+
-+ if (!(f = popen ("/bin/mount", "r")))
-+ fatal ("%s: popen(\"/bin/mount\", \"r\"): %s",
-+ __func__, strerror (errno));
-+ for (;;) {
-+ s = fgets (buf, sizeof (buf), f);
-+ if (ferror (f))
-+ fatal ("%s: read from popen: %s", __func__,
-+ strerror (errno));
-+ if (!s) {
-+ pclose (f);
-+ fatal ("cannot found filesystem with the chroot directory");
-+ }
-+ (void) strtok (buf, " ");
-+ on = strtok (NULL, " ");
-+ if (strcmp (on, "on")) {
-+ pclose (f);
-+ fatal ("bad format of mount output");
-+ }
-+ mountpoint = strtok (NULL, " ");
-+ if (memcmp (path, mountpoint, strlen (mountpoint)))
-+ continue;
-+ if (stat(mountpoint, &st) != 0) {
-+ pclose (f);
-+ fatal("%s: stat(\"%s\"): %s", __func__,
-+ mountpoint, strerror(errno));
-+ }
-+ if (fs != st.st_dev)
-+ continue;
-+ nodev = nosuid = 0;
-+ for (opt = strtok (NULL, "("); opt; opt = strtok (NULL, " ,)")) {
-+ if (!strcmp (opt, "nodev"))
-+ nodev = 1;
-+ else if (!strcmp (opt, "nosuid"))
-+ nosuid = 1;
-+ else if (!strcmp (opt, "noexec"))
-+ nosuid = 1;
-+ if (nodev && nosuid) {
-+ pclose (f);
-+ return;
-+ }
-+ }
-+ fatal ("chroot into directory without nodev or nosuid");
-+ }
-+}
-+
-+/*
- * Chroot into a directory after checking it for safety: all path components
- * must be root-owned directories with strict permissions.
- */
-@@ -1430,6 +1494,7 @@ safely_chroot(const char *path, uid_t ui
- const char *cp;
- char component[MAXPATHLEN];
- struct stat st;
-+ int last;
-
- if (*path != '/')
- fatal("chroot path does not begin at root");
-@@ -1441,7 +1506,7 @@ safely_chroot(const char *path, uid_t ui
- * root-owned directory with strict permissions.
- */
- for (cp = path; cp != NULL;) {
-- if ((cp = strchr(cp, '/')) == NULL)
-+ if (((last = ((cp = strchr(cp, '/')) == NULL))))
- strlcpy(component, path, sizeof(component));
- else {
- cp++;
-@@ -1454,14 +1519,20 @@ safely_chroot(const char *path, uid_t ui
- if (stat(component, &st) != 0)
- fatal("%s: stat(\"%s\"): %s", __func__,
- component, strerror(errno));
-- if (st.st_uid != 0 || (st.st_mode & 022) != 0)
-+ if ((st.st_uid != 0 || (st.st_mode & 022) != 0) && !(last && st.st_uid == uid))
- fatal("bad ownership or modes for chroot "
- "directory %s\"%s\"",
- cp == NULL ? "" : "component ", component);
- if (!S_ISDIR(st.st_mode))
- fatal("chroot path %s\"%s\" is not a directory",
- cp == NULL ? "" : "component ", component);
-+ }
-+ setenv ("TZ", "/etc/localtime", 0);
-+ tzset ();
-
-+ if (st.st_uid) {
-+ test_nosuid (path, st.st_dev);
-+ ++chroot_no_tree;
- }
-
- if (chdir(path) == -1)
-@@ -1472,6 +1543,10 @@ safely_chroot(const char *path, uid_t ui
- if (chdir("/") == -1)
- fatal("%s: chdir(/) after chroot: %s",
- __func__, strerror(errno));
-+
-+ if (access ("/etc/localtime", R_OK) < 0)
-+ ++chroot_no_tree;
-+
- verbose("Changed root directory to \"%s\"", path);
- }
-
-Index: sftp.c
-===================================================================
---- sftp.c.orig
-+++ sftp.c
-@@ -106,6 +106,8 @@ int remote_glob(struct sftp_conn *, cons
-
- extern char *__progname;
-
-+int chroot_no_tree = 0;
-+
- /* Separators for interactive commands */
- #define WHITESPACE " \t\r\n"
-
-Index: sftp-common.c
-===================================================================
---- sftp-common.c.orig
-+++ sftp-common.c
-@@ -43,6 +43,7 @@
- #include "xmalloc.h"
- #include "buffer.h"
- #include "log.h"
-+#include "chrootenv.h"
-
- #include "sftp.h"
- #include "sftp-common.h"
-@@ -196,13 +197,13 @@ ls_file(const char *name, const struct s
- char sbuf[FMT_SCALED_STRSIZE];
-
- strmode(st->st_mode, mode);
-- if (!remote) {
-+ if (!remote && !chroot_no_tree) {
- user = user_from_uid(st->st_uid, 0);
- } else {
- snprintf(ubuf, sizeof ubuf, "%u", (u_int)st->st_uid);
- user = ubuf;
- }
-- if (!remote) {
-+ if (!remote && !chroot_no_tree) {
- group = group_from_gid(st->st_gid, 0);
- } else {
- snprintf(gbuf, sizeof gbuf, "%u", (u_int)st->st_gid);
-Index: sftp-server-main.c
-===================================================================
---- sftp-server-main.c.orig
-+++ sftp-server-main.c
-@@ -22,11 +22,14 @@
- #include
- #include
- #include
-+#include
-
- #include "log.h"
- #include "sftp.h"
- #include "misc.h"
-
-+int chroot_no_tree = 0;
-+
- void
- cleanup_exit(int i)
- {
-Index: sshd_config.0
-===================================================================
---- sshd_config.0.orig
-+++ sshd_config.0
-@@ -143,6 +143,14 @@ DESCRIPTION
- though sessions which use logging do require /dev/log inside the
- chroot directory (see sftp-server(8) for details).
-
-+ In the special case when only sftp is used, not ssh nor scp, it
-+ is possible to use ChrootDirectory %h or ChrootDirectory
-+ /some/path/%u. The file system containing this directory must be
-+ mounted with options nodev and either nosuid or noexec. The owner
-+ of the directory should be the user. The ownership of the other
-+ components of the path must fulfill the usual conditions. No adi-
-+ tional files are required to be present in the directory.
-+
- The default is not to chroot(2).
-
- Ciphers
-Index: sshd_config.5
-===================================================================
---- sshd_config.5.orig
-+++ sshd_config.5
-@@ -268,6 +268,17 @@ inside the chroot directory (see
- .Xr sftp-server 8
- for details).
- .Pp
-+In the special case when only sftp is used, not ssh nor scp,
-+it is possible to use
-+.Cm ChrootDirectory
-+%h or
-+.Cm ChrootDirectory
-+/some/path/%u. The file system containing this directory must be
-+mounted with options nodev and either nosuid or noexec. The owner of the
-+directory should be the user. The ownership of the other components of the path
-+must fulfill the usual conditions. No aditional files are required to be present
-+in the directory.
-+.Pp
- The default is not to
- .Xr chroot 2 .
- .It Cm Ciphers
diff --git a/packaging/openssh-5.9p1-host_ident.diff b/packaging/openssh-5.9p1-host_ident.diff
deleted file mode 100644
index 3476a8f..0000000
--- a/packaging/openssh-5.9p1-host_ident.diff
+++ /dev/null
@@ -1,16 +0,0 @@
-Index: openssh-5.7p1/sshconnect.c
-===================================================================
---- openssh-5.7p1.orig/sshconnect.c
-+++ openssh-5.7p1/sshconnect.c
-@@ -958,6 +958,11 @@ check_host_key(char *hostname, struct so
- user_hostfiles[0]);
- error("Offending %s key in %s:%lu", key_type(host_found->key),
- host_found->file, host_found->line);
-+ error("You can use following command to remove all keys for this IP:");
-+ if (host_found->file)
-+ error("ssh-keygen -R %s -f %s", hostname, host_found->file);
-+ else
-+ error("ssh-keygen -R %s", hostname);
-
- /*
- * If strict host key checking is in use, the user will have
diff --git a/packaging/openssh-5.9p1-pam-fix2.diff b/packaging/openssh-5.9p1-pam-fix2.diff
deleted file mode 100644
index f142309..0000000
--- a/packaging/openssh-5.9p1-pam-fix2.diff
+++ /dev/null
@@ -1,22 +0,0 @@
-Index: sshd_config
-===================================================================
---- sshd_config.orig
-+++ sshd_config
-@@ -57,7 +57,7 @@
- #IgnoreRhosts yes
-
- # To disable tunneled clear text passwords, change to no here!
--#PasswordAuthentication yes
-+PasswordAuthentication no
- #PermitEmptyPasswords no
-
- # Change to no to disable s/key passwords
-@@ -82,7 +82,7 @@
- # If you just want the PAM account and session checks to run without
- # PAM authentication, then enable this but set PasswordAuthentication
- # and ChallengeResponseAuthentication to 'no'.
--#UsePAM no
-+UsePAM yes
-
- #AllowAgentForwarding yes
- #AllowTcpForwarding yes
diff --git a/packaging/openssh-5.9p1-pam-fix3.diff b/packaging/openssh-5.9p1-pam-fix3.diff
deleted file mode 100644
index fb00189..0000000
--- a/packaging/openssh-5.9p1-pam-fix3.diff
+++ /dev/null
@@ -1,15 +0,0 @@
-Index: auth-pam.c
-===================================================================
---- auth-pam.c.orig
-+++ auth-pam.c
-@@ -786,7 +786,9 @@ sshpam_query(void *ctx, char **name, cha
- fatal("Internal error: PAM auth "
- "succeeded when it should have "
- "failed");
-- import_environments(&buffer);
-+#ifndef USE_POSIX_THREADS
-+ import_environments(&buffer);
-+#endif
- *num = 0;
- **echo_on = 0;
- ctxt->pam_done = 1;
diff --git a/packaging/openssh-5.9p1-pts.diff b/packaging/openssh-5.9p1-pts.diff
deleted file mode 100644
index 2df8081..0000000
--- a/packaging/openssh-5.9p1-pts.diff
+++ /dev/null
@@ -1,24 +0,0 @@
-Index: loginrec.c
-===================================================================
---- loginrec.c.orig
-+++ loginrec.c
-@@ -555,7 +555,7 @@ getlast_entry(struct logininfo *li)
- * 1. The full filename (including '/dev')
- * 2. The stripped name (excluding '/dev')
- * 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00
-- * /dev/pts/1 -> ts/1 )
-+ * /dev/pts/1 -> /1 )
- *
- * Form 3 is used on some systems to identify a .tmp.? entry when
- * attempting to remove it. Typically both addition and removal is
-@@ -616,6 +616,10 @@ line_abbrevname(char *dst, const char *s
- if (strncmp(src, "tty", 3) == 0)
- src += 3;
- #endif
-+ if (strncmp(src, "pts/", 4) == 0) {
-+ src += 3;
-+ if (strlen(src) > 4) src++;
-+ }
-
- len = strlen(src);
-
diff --git a/packaging/openssh-5.9p1-saveargv-fix.diff b/packaging/openssh-5.9p1-saveargv-fix.diff
deleted file mode 100644
index edc258d..0000000
--- a/packaging/openssh-5.9p1-saveargv-fix.diff
+++ /dev/null
@@ -1,25 +0,0 @@
-Index: sshd.c
-===================================================================
---- sshd.c.orig
-+++ sshd.c
-@@ -306,6 +306,7 @@ sighup_handler(int sig)
- static void
- sighup_restart(void)
- {
-+ int i;
- logit("Received SIGHUP; restarting.");
- close_listen_socks();
- close_startup_pipes();
-@@ -1319,7 +1320,11 @@ main(int ac, char **av)
- #ifndef HAVE_SETPROCTITLE
- /* Prepare for later setproctitle emulation */
- compat_init_setproctitle(ac, av);
-- av = saved_argv;
-+
-+ av = xmalloc(sizeof(*saved_argv) * (saved_argc + 1));
-+ for (i = 0; i < saved_argc; i++)
-+ av[i] = xstrdup(saved_argv[i]);
-+ av[i] = NULL;
- #endif
-
- if (geteuid() == 0 && setgroups(0, NULL) == -1)
diff --git a/packaging/openssh-5.9p1-send_locale.diff b/packaging/openssh-5.9p1-send_locale.diff
deleted file mode 100644
index e0f7d56..0000000
--- a/packaging/openssh-5.9p1-send_locale.diff
+++ /dev/null
@@ -1,31 +0,0 @@
-Index: ssh_config
-===================================================================
---- ssh_config.orig
-+++ ssh_config
-@@ -63,6 +63,9 @@ ForwardX11Trusted yes
- # potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
- # GSSAPIEnableMITMAttack no
-
-->>>>>>>
-+# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5).
-+SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-+SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-+SendEnv LC_IDENTIFICATION LC_ALL
- # VisualHostKey no
- # ProxyCommand ssh -q -W %h:%p gateway.example.com
-Index: sshd_config
-===================================================================
---- sshd_config.orig
-+++ sshd_config
-@@ -117,6 +117,11 @@ X11Forwarding yes
- # override default of no subsystems
- Subsystem sftp /usr/libexec/sftp-server
-
-+# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
-+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-+AcceptEnv LC_IDENTIFICATION LC_ALL
-+
- # Example of overriding settings on a per-user basis
-#Match User anoncvs
- # X11Forwarding no
diff --git a/packaging/openssh-5.9p1-sshconfig-knownhostschanges.diff b/packaging/openssh-5.9p1-sshconfig-knownhostschanges.diff
deleted file mode 100644
index 5b12494..0000000
--- a/packaging/openssh-5.9p1-sshconfig-knownhostschanges.diff
+++ /dev/null
@@ -1,19 +0,0 @@
-Index: ssh_config
-===================================================================
---- ssh_config.orig
-+++ ssh_config
-@@ -67,5 +67,13 @@ ForwardX11Trusted yes
- SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
- SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
- SendEnv LC_IDENTIFICATION LC_ALL
--# VisualHostKey no
-+
-+# This will print the fingerprint of the host key in "visual" form
-+# this should make it easier to also recognize bad things
-+VisualHostKey no
-+
-+# This will hash new host keys and make them so unusable for malicious
-+# people or software trying to use known_hosts to find further hops.
-+HashKnownHosts yes
-+
- # ProxyCommand ssh -q -W %h:%p gateway.example.com
diff --git a/packaging/openssh-5.9p1-sshd_config.diff b/packaging/openssh-5.9p1-sshd_config.diff
deleted file mode 100644
index 0e7f4ee..0000000
--- a/packaging/openssh-5.9p1-sshd_config.diff
+++ /dev/null
@@ -1,51 +0,0 @@
-Index: ssh_config
-===================================================================
---- ssh_config.orig
-+++ ssh_config
-@@ -17,9 +17,20 @@
- # list of available options, their meanings and defaults, please see the
- # ssh_config(5) man page.
-
--# Host *
-+Host *
- # ForwardAgent no
- # ForwardX11 no
-+
-+# If you do not trust your remote host (or its administrator), you
-+# should not forward X11 connections to your local X11-display for
-+# security reasons: Someone stealing the authentification data on the
-+# remote side (the "spoofed" X-server by the remote sshd) can read your
-+# keystrokes as you type, just like any other X11 client could do.
-+# Set this to "no" here for global effect or in your own ~/.ssh/config
-+# file if you want to have the remote X11 authentification data to
-+# expire after two minutes after remote login.
-+ForwardX11Trusted yes
-+
- # RhostsRSAAuthentication no
- # RSAAuthentication yes
- # PasswordAuthentication yes
-Index: sshd_config
-===================================================================
---- sshd_config.orig
-+++ sshd_config
-@@ -87,7 +87,7 @@
- #AllowAgentForwarding yes
- #AllowTcpForwarding yes
- #GatewayPorts no
--#X11Forwarding no
-+X11Forwarding yes
- #X11DisplayOffset 10
- #X11UseLocalhost yes
- #PrintMotd yes
-Index: sshlogin.c
-===================================================================
---- sshlogin.c.orig
-+++ sshlogin.c
-@@ -133,6 +133,7 @@ record_login(pid_t pid, const char *tty,
-
- li = login_alloc_entry(pid, user, host, tty);
- login_set_addr(li, addr, addrlen);
-+ li->uid=uid;
- login_login(li);
- login_free_entry(li);
- }
diff --git a/packaging/openssh-5.9p1-xauth.diff b/packaging/openssh-5.9p1-xauth.diff
deleted file mode 100644
index 2bb891b..0000000
--- a/packaging/openssh-5.9p1-xauth.diff
+++ /dev/null
@@ -1,45 +0,0 @@
-Index: session.c
-===================================================================
---- session.c.orig
-+++ session.c
-@@ -2463,8 +2463,40 @@ void
- session_close(Session *s)
- {
- u_int i;
-+ int do_xauth;
-
- debug("session_close: session %d pid %ld", s->self, (long)s->pid);
-+
-+ do_xauth = s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
-+ if (do_xauth && options.xauth_location != NULL) {
-+ pid_t pid;
-+ FILE *f;
-+ char cmd[1024];
-+ struct passwd * pw = s->pw;
-+
-+ if (!(pid = fork())) {
-+ permanently_set_uid(pw);
-+
-+ /* Remove authority data from .Xauthority if appropriate. */
-+ debug("Running %.500s remove %.100s\n",
-+ options.xauth_location, s->auth_display);
-+
-+ snprintf(cmd, sizeof cmd, "unset XAUTHORITY && HOME=\"%.200s\" %s -q -",
-+ s->pw->pw_dir, options.xauth_location);
-+ f = popen(cmd, "w");
-+ if (f) {
-+ fprintf(f, "remove %s\n", s->auth_display);
-+ pclose(f);
-+ } else
-+ error("Could not run %s\n", cmd);
-+ exit(0);
-+ } else if (pid > 0) {
-+ int status;
-+
-+ waitpid(pid, &status, 0);
-+ }
-+ }
-+
- if (s->ttyfd != -1)
- session_pty_cleanup(s);
- if (s->term)
diff --git a/packaging/openssh-5.9p1-xauthlocalhostname.diff b/packaging/openssh-5.9p1-xauthlocalhostname.diff
deleted file mode 100644
index 2a58535..0000000
--- a/packaging/openssh-5.9p1-xauthlocalhostname.diff
+++ /dev/null
@@ -1,78 +0,0 @@
-Index: session.c
-===================================================================
---- session.c.orig
-+++ session.c
-@@ -1116,7 +1116,7 @@ copy_environment(char **source, char ***
- }
-
- static char **
--do_setup_env(Session *s, const char *shell)
-+do_setup_env(Session *s, const char *shell, int *env_size)
- {
- char buf[256];
- u_int i, envsize;
-@@ -1303,6 +1303,8 @@ do_setup_env(Session *s, const char *she
- for (i = 0; env[i]; i++)
- fprintf(stderr, " %.200s\n", env[i]);
- }
-+
-+ *env_size = envsize;
- return env;
- }
-
-@@ -1311,7 +1313,7 @@ do_setup_env(Session *s, const char *she
- * first in this order).
- */
- static void
--do_rc_files(Session *s, const char *shell)
-+do_rc_files(Session *s, const char *shell, char **env, int *env_size)
- {
- FILE *f = NULL;
- char cmd[1024];
-@@ -1365,12 +1367,20 @@ do_rc_files(Session *s, const char *shel
- options.xauth_location);
- f = popen(cmd, "w");
- if (f) {
-+ char hostname[MAXHOSTNAMELEN];
-+
- fprintf(f, "remove %s\n",
- s->auth_display);
- fprintf(f, "add %s %s %s\n",
- s->auth_display, s->auth_proto,
- s->auth_data);
- pclose(f);
-+ if (gethostname(hostname,sizeof(hostname)) >= 0)
-+ child_set_env(&env,env_size,"XAUTHLOCALHOSTNAME",
-+ hostname);
-+ else
-+ debug("Cannot set up XAUTHLOCALHOSTNAME %s\n",
-+ strerror(errno));
- } else {
- fprintf(stderr, "Could not run %s\n",
- cmd);
-@@ -1608,6 +1618,7 @@ do_child(Session *s, const char *command
- {
- extern char **environ;
- char **env;
-+ int env_size;
- char *argv[ARGV_MAX];
- const char *shell, *shell0, *hostname = NULL;
- struct passwd *pw = s->pw;
-@@ -1674,7 +1685,7 @@ do_child(Session *s, const char *command
- * Make sure $SHELL points to the shell from the password file,
- * even if shell is overridden from login.conf
- */
-- env = do_setup_env(s, shell);
-+ env = do_setup_env(s, shell, &env_size);
-
- #ifdef HAVE_LOGIN_CAP
- shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
-@@ -1743,7 +1754,7 @@ do_child(Session *s, const char *command
- closefrom(STDERR_FILENO + 1);
-
- if (!options.use_login)
-- do_rc_files(s, shell);
-+ do_rc_files(s, shell, env, &env_size);
-
- /* restore SIGPIPE for child */
- signal(SIGPIPE, SIG_DFL);
diff --git a/packaging/openssh-nocrazyabicheck.patch b/packaging/openssh-nocrazyabicheck.patch
deleted file mode 100644
index 650c2dc..0000000
--- a/packaging/openssh-nocrazyabicheck.patch
+++ /dev/null
@@ -1,17 +0,0 @@
---- entropy.c.orig
-+++ entropy.c
-@@ -216,12 +216,13 @@ seed_rng(void)
- * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
- * within a patch series.
- */
-+#if 0
- u_long version_mask = SSLeay() >= 0x1000000f ? ~0xffff0L : ~0xff0L;
- if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||
- (SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12))
- fatal("OpenSSL version mismatch. Built against %lx, you "
- "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
--
-+#endif
- #ifndef OPENSSL_PRNG_ONLY
- if (RAND_status() == 1) {
- debug3("RNG is ready, skipping seeding");
diff --git a/packaging/openssh.spec b/packaging/openssh.spec
index 46425d1..b77a0b8 100644
--- a/packaging/openssh.spec
+++ b/packaging/openssh.spec
@@ -19,24 +19,6 @@
 Source11: sshd-gen-keys-start
 Source12: sshd.service
 Source13: sshd.socket
 Source14: sshd@.service
-Patch: %{name}-5.9p1-sshd_config.diff
-Patch2: %{name}-5.9p1-pam-fix2.diff
-Patch3: %{name}-5.9p1-saveargv-fix.diff
-Patch4: %{name}-5.9p1-pam-fix3.diff
-Patch5: %{name}-5.9p1-gssapimitm.patch
-Patch6: %{name}-5.9p1-eal3.diff
-Patch7: %{name}-5.9p1-engines.diff
-Patch8: %{name}-5.9p1-blocksigalrm.diff
-Patch9: %{name}-5.9p1-send_locale.diff
-Patch10: %{name}-5.9p1-xauthlocalhostname.diff
-Patch12: %{name}-5.9p1-xauth.diff
-Patch14: %{name}-5.9p1-default-protocol.diff
-Patch15: %{name}-5.9p1-audit.patch
-Patch16: %{name}-5.9p1-pts.diff
-Patch17: %{name}-5.9p1-homechroot.patch
-Patch18: %{name}-5.9p1-sshconfig-knownhostschanges.diff
-Patch19: %{name}-5.9p1-host_ident.diff
-Patch21: openssh-nocrazyabicheck.patch
 BuildRequires: systemd
 %{!?_initddir:%global _initddir %{_initrddir}}
@@ -52,24 +34,6 @@ also be forwarded over the secure channel.

 %prep
 %setup -q
-%patch
-%patch2
-%patch3
-%patch4
-%patch5
-%patch6 -p1
-%patch7 -p1
-%patch8
-%patch9
-%patch10
-%patch12
-%patch14
-%patch15 -p1
-%patch16
-%patch17
-%patch18
-%patch19 -p1
-%patch21

 %build
 autoreconf -fiv
--
2.7.4