author | Colin Watson <cjwatson@debian.org> | 2011-09-06 14:56:29 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2011-09-06 14:56:29 +0100 |
commit | 978e62d6f14c60747bddef2cc72d66a9c8b83b54 (patch) | |
tree | 89400a44e42d84937deba7864e4964d6c7734da5 /contrib/redhat/sshd.init | |
parent | 87c685b8c6a49814fd782288097b3093f975aa72 (diff) | |
parent | 3a7e89697ca363de0f64e0d5704c57219294e41c (diff) |
* New upstream release (http://www.openssh.org/txt/release-5.9).
- Introduce sandboxing of the pre-auth privsep child using an optional
sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables
mandatory restrictions on the syscalls the privsep child can perform.
- Add new SHA256-based HMAC transport integrity modes from
http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt.
- The pre-authentication sshd(8) privilege separation slave process now
logs via a socket shared with the master process, avoiding the need to
maintain /dev/log inside the chroot (closes: #75043, #429243,
#599240).
- ssh(1) now warns when a server refuses X11 forwarding (closes:
#504757).
- sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths,
separated by whitespace (closes: #76312). The authorized_keys2
fallback is deprecated but documented (closes: #560156).
- ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4
ToS/DSCP (closes: #498297).
- ssh-add(1) now accepts keys piped from standard input. E.g. "ssh-add
- < /path/to/key" (closes: #229124).
- Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691).
- Say "required" rather than "recommended" in unprotected-private-key
warning (LP: #663455).
Diffstat (limited to 'contrib/redhat/sshd.init')
-rwxr-xr-x | contrib/redhat/sshd.init | 71 |
1 files changed, 7 insertions, 64 deletions
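diff --git a/contrib/redhat/sshd.init b/contrib/redhat/sshd.init
index 854aff665..2334d8142 100755
--- a/contrib/redhat/sshd.init
+++ b/contrib/redhat/sshd.init
@@ -22,70 +22,9 @@ RETVAL=0
 prog="sshd"
 
 # Some functions to make the below more readable
-KEYGEN=/usr/bin/ssh-keygen
 SSHD=/usr/sbin/sshd
-RSA1_KEY=/etc/ssh/ssh_host_key
-RSA_KEY=/etc/ssh/ssh_host_rsa_key
-DSA_KEY=/etc/ssh/ssh_host_dsa_key
 PID_FILE=/var/run/sshd.pid
 
-do_rsa1_keygen() {
-if [ ! -s $RSA1_KEY ]; then
-echo -n $"Generating SSH1 RSA host key: "
-if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
-chmod 600 $RSA1_KEY
-chmod 644 $RSA1_KEY.pub
-if [ -x /sbin/restorecon ]; then
-/sbin/restorecon $RSA1_KEY.pub
-fi
-success $"RSA1 key generation"
-echo
-else
-failure $"RSA1 key generation"
-echo
-exit 1
-fi
-fi
-}
-
-do_rsa_keygen() {
-if [ ! -s $RSA_KEY ]; then
-echo -n $"Generating SSH2 RSA host key: "
-if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
-chmod 600 $RSA_KEY
-chmod 644 $RSA_KEY.pub
-if [ -x /sbin/restorecon ]; then
-/sbin/restorecon $RSA_KEY.pub
-fi
-success $"RSA key generation"
-echo
-else
-failure $"RSA key generation"
-echo
-exit 1
-fi
-fi
-}
-
-do_dsa_keygen() {
-if [ ! -s $DSA_KEY ]; then
-echo -n $"Generating SSH2 DSA host key: "
-if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
-chmod 600 $DSA_KEY
-chmod 644 $DSA_KEY.pub
-if [ -x /sbin/restorecon ]; then
-/sbin/restorecon $DSA_KEY.pub
-fi
-success $"DSA key generation"
-echo
-else
-failure $"DSA key generation"
-echo
-exit 1
-fi
-fi
-}
-
 do_restart_sanity_check()
 {
 $SSHD -t
@@ -99,9 +38,13 @@ do_restart_sanity_check()
 start()
 {
 # Create keys if necessary
-do_rsa1_keygen
-do_rsa_keygen
-do_dsa_keygen
+/usr/bin/ssh-keygen -A
+if [ -x /sbin/restorecon ]; then
+/sbin/restorcon /etc/ssh/ssh_host_key.pub
+/sbin/restorcon /etc/ssh/ssh_host_rsa_key.pub
+/sbin/restorcon /etc/ssh/ssh_host_dsa_key.pub
+/sbin/restorcon /etc/ssh/ssh_host_ecdsa_key.pub
+fi
 
 echo -n $"Starting $prog:"
 $SSHD $OPTIONS && success || failure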
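Review bot: The four `/sbin/restorcon` calls on new lines 43–46 misspell the binary that the guard on line 42 tests for, so on an SELinux host the branch is entered but every call fails with "command not found" and the newly generated public key files keep whatever label they were created with; replace `/sbin/restorcon` with `/sbin/restorecon` on all four lines. The exit status of `/usr/bin/ssh-keygen -A` on line 41 is also discarded, whereas the removed per-key helpers reported the failure and exited, so a guard such as `/usr/bin/ssh-keygen -A || { failure $"SSH host key generation"; echo; exit 1; }` would keep that behaviour. The removed helpers additionally forced mode 600 on each private key and 644 on each public key; whether `ssh-keygen -A` produces the same modes is not visible in this hunk and is worth confirming on the target platform before relying on it. start() continues past the end of the hunk.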