* New upstream release (http://www.openssh.org/txt/release-5.9).

- Introduce sandboxing of the pre-auth privsep child using an optional sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables mandatory restrictions on the syscalls the privsep child can perform. - Add new SHA256-based HMAC transport integrity modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt. - The pre-authentication sshd(8) privilege separation slave process now logs via a socket shared with the master process, avoiding the need to maintain /dev/log inside the chroot (closes: #75043, #429243, #599240). - ssh(1) now warns when a server refuses X11 forwarding (closes: #504757). - sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths, separated by whitespace (closes: #76312). The authorized_keys2 fallback is deprecated but documented (closes: #560156). - ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4 ToS/DSCP (closes: #498297). - ssh-add(1) now accepts keys piped from standard input. E.g. "ssh-add - < /path/to/key" (closes: #229124). - Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691). - Say "required" rather than "recommended" in unprotected-private-key warning (LP: #663455).
author: Colin Watson <cjwatson@debian.org> 2011-09-06 14:56:29 +0100
committer: Colin Watson <cjwatson@debian.org> 2011-09-06 14:56:29 +0100
commit: 978e62d6f14c60747bddef2cc72d66a9c8b83b54 (patch)
tree: 89400a44e42d84937deba7864e4964d6c7734da5 /contrib/redhat
parent: 87c685b8c6a49814fd782288097b3093f975aa72 (diff)
parent: 3a7e89697ca363de0f64e0d5704c57219294e41c (diff)
2 files changed, 19 insertions, 76 deletions
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index e99e33d0f..be6de088c 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%define ver 5.8p1
+%define ver 5.9p1
 %define rel 1
 # OpenSSH privilege separation requires a user & group ID
@@ -84,24 +84,24 @@ Obsoletes: ssh
 %if %{build6x}
 PreReq: initscripts >= 5.00
 %else
-PreReq: initscripts >= 5.20
+Requires: initscripts >= 5.20
 %endif
-BuildPreReq: perl, openssl-devel, tcp_wrappers
+BuildRequires: perl, openssl-devel, tcp_wrappers
-BuildPreReq: /bin/login
+BuildRequires: /bin/login
 %if ! %{build6x}
 BuildPreReq: glibc-devel, pam
 %else
-BuildPreReq: /usr/include/security/pam_appl.h
+BuildRequires: /usr/include/security/pam_appl.h
 %endif
 %if ! %{no_x11_askpass}
-BuildPreReq: /usr/include/X11/Xlib.h
+BuildRequires: /usr/include/X11/Xlib.h
 %endif
 %if ! %{no_gnome_askpass}
-BuildPreReq: pkgconfig
+BuildRequires: pkgconfig
 %endif
 %if %{kerberos5}
-BuildPreReq: krb5-devel
+BuildRequires: krb5-devel
-BuildPreReq: krb5-libs
+BuildRequires: krb5-libs
 %endif
 %package clients
@@ -114,7 +114,7 @@ Obsoletes: ssh-clients
 Summary: The OpenSSH server daemon.
 Group: System Environment/Daemons
 Obsoletes: ssh-server
-PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9
+Requires: openssh = %{version}-%{release}, chkconfig >= 0.9
 %if ! %{build6x}
 Requires: /etc/pam.d/system-auth
 %endif
@@ -712,7 +712,7 @@ fi
  it generates.
 * Thu Oct  5 2000 Nalin Dahyabhai <nalin@redhat.com>
- Add BuildPreReq on /usr/include/security/pam_appl.h to be sure we always
+- Add BuildRequires on /usr/include/security/pam_appl.h to be sure we always
  build PAM authentication in.
 - Try setting SSH_ASKPASS if gnome-ssh-askpass is installed.
 - Clean out no-longer-used patches.
@@ -721,7 +721,7 @@ fi
 * Mon Oct  2 2000 Nalin Dahyabhai <nalin@redhat.com>
 - Update x11-askpass to 1.0.2. (#17835)
- Add BuildPreReqs for /bin/login and /usr/bin/rsh so that configure will
+- Add BuildRequiress for /bin/login and /usr/bin/rsh so that configure will
  always find them in the right place. (#17909)
 - Set the default path to be the same as the one supplied by /bin/login, but
  add /usr/X11R6/bin. (#17909)
diff --git a/contrib/redhat/sshd.init b/contrib/redhat/sshd.init
index 854aff665..2334d8142 100755
--- a/contrib/redhat/sshd.init
+++ b/contrib/redhat/sshd.init
@@ -22,70 +22,9 @@ RETVAL=0
 prog="sshd"
 # Some functions to make the below more readable
-KEYGEN=/usr/bin/ssh-keygen
 SSHD=/usr/sbin/sshd
-RSA1_KEY=/etc/ssh/ssh_host_key
-RSA_KEY=/etc/ssh/ssh_host_rsa_key
-DSA_KEY=/etc/ssh/ssh_host_dsa_key
 PID_FILE=/var/run/sshd.pid
-do_rsa1_keygen() {
-        if [ ! -s $RSA1_KEY ]; then
-                echo -n $"Generating SSH1 RSA host key: "
-                if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
-                        chmod 600 $RSA1_KEY
-                        chmod 644 $RSA1_KEY.pub
-                        if [ -x /sbin/restorecon ]; then
-                            /sbin/restorecon $RSA1_KEY.pub
-                        fi
-                        success $"RSA1 key generation"
-                        echo
-                else
-                        failure $"RSA1 key generation"
-                        echo
-                        exit 1
-                fi
-        fi
-}
-do_rsa_keygen() {
-        if [ ! -s $RSA_KEY ]; then
-                echo -n $"Generating SSH2 RSA host key: "
-                if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
-                        chmod 600 $RSA_KEY
-                        chmod 644 $RSA_KEY.pub
-                        if [ -x /sbin/restorecon ]; then
-                            /sbin/restorecon $RSA_KEY.pub
-                        fi
-                        success $"RSA key generation"
-                        echo
-                else
-                        failure $"RSA key generation"
-                        echo
-                        exit 1
-                fi
-        fi
-}
-do_dsa_keygen() {
-        if [ ! -s $DSA_KEY ]; then
-                echo -n $"Generating SSH2 DSA host key: "
-                if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
-                        chmod 600 $DSA_KEY
-                        chmod 644 $DSA_KEY.pub
-                        if [ -x /sbin/restorecon ]; then
-                            /sbin/restorecon $DSA_KEY.pub
-                        fi
-                        success $"DSA key generation"
-                        echo
-                else
-                        failure $"DSA key generation"
-                        echo
-                        exit 1
-                fi
-        fi
-}
 do_restart_sanity_check()
 {
        $SSHD -t
@@ -99,9 +38,13 @@ do_restart_sanity_check()
 start()
 {
        # Create keys if necessary
-        do_rsa1_keygen
+        /usr/bin/ssh-keygen -A
-        do_rsa_keygen
+        if [ -x /sbin/restorecon ]; then
-        do_dsa_keygen
+                /sbin/restorcon /etc/ssh/ssh_host_key.pub
+                /sbin/restorcon /etc/ssh/ssh_host_rsa_key.pub
+                /sbin/restorcon /etc/ssh/ssh_host_dsa_key.pub
+                /sbin/restorcon /etc/ssh/ssh_host_ecdsa_key.pub
+        fi
        echo -n $"Starting $prog:"
        $SSHD $OPTIONS && success || failure
author	Colin Watson <cjwatson@debian.org>	2011-09-06 14:56:29 +0100
committer	Colin Watson <cjwatson@debian.org>	2011-09-06 14:56:29 +0100
commit	978e62d6f14c60747bddef2cc72d66a9c8b83b54 (patch)
tree	89400a44e42d84937deba7864e4964d6c7734da5 /contrib/redhat
parent	87c685b8c6a49814fd782288097b3093f975aa72 (diff)
parent	3a7e89697ca363de0f64e0d5704c57219294e41c (diff)