summaryrefslogtreecommitdiff
path: root/contrib
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2003-09-01 02:05:26 +0000
committerColin Watson <cjwatson@debian.org>2003-09-01 02:05:26 +0000
commit6d5a72bc1d98a42ba42f082e50a22e911c1d82d3 (patch)
tree1bf23174bdb6fc71e2846dda0eca195a418484e7 /contrib
parent2ee26b431f98cf1dc0e4fb9809ad1e0c879b8c08 (diff)
parent58657d96514cd6f16d82add8d6f4adbb36765758 (diff)
Debian release 3.5p1-1.
Diffstat (limited to 'contrib')
-rw-r--r--contrib/Makefile15
-rw-r--r--contrib/README51
-rwxr-xr-xcontrib/aix/buildbff.sh29
-rw-r--r--contrib/caldera/openssh.spec6
-rw-r--r--contrib/cygwin/README24
-rw-r--r--contrib/cygwin/ssh-host-config222
-rw-r--r--contrib/gnome-ssh-askpass1.c (renamed from contrib/gnome-ssh-askpass.c)15
-rw-r--r--contrib/gnome-ssh-askpass2.c204
-rw-r--r--contrib/redhat/openssh.spec39
-rwxr-xr-xcontrib/solaris/buildpkg.sh114
-rwxr-xr-xcontrib/solaris/opensshd.in12
-rw-r--r--contrib/suse/openssh.spec2
12 files changed, 577 insertions, 156 deletions
diff --git a/contrib/Makefile b/contrib/Makefile
new file mode 100644
index 000000000..2cef46f6c
--- /dev/null
+++ b/contrib/Makefile
@@ -0,0 +1,15 @@
1all:
2 @echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
3
4gnome-ssh-askpass1: gnome-ssh-askpass1.c
5 $(CC) `gnome-config --cflags gnome gnomeui` \
6 gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \
7 `gnome-config --libs gnome gnomeui`
8
9gnome-ssh-askpass2: gnome-ssh-askpass2.c
10 $(CC) `pkg-config --cflags gtk+-2.0` \
11 gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
12 `pkg-config --libs gtk+-2.0`
13
14clean:
15 rm -f *.o gnome-ssh-askpass1 gnome-ssh-askpass2 gnome-ssh-askpass
diff --git a/contrib/README b/contrib/README
index 648bb2f3a..67dbbd277 100644
--- a/contrib/README
+++ b/contrib/README
@@ -1,30 +1,39 @@
1Other patches and addons for OpenSSH. Please send submissions to 1Other patches and addons for OpenSSH. Please send submissions to
2djm@ibs.com.au 2djm@mindrot.org
3 3
4Elsewhere 4Externally maintained
5--------- 5---------------------
6 6
7http://www.imasy.or.jp/~gotoh/connect.c is a Unix and Windows 7SSH Proxy Command -- connect.c
8ProxyCommand which allows OpenSSH to make connections through a SOCKS5
9or http proxy which supports the CONNECT method (eg. Squid).
10 8
11In this directory 9Shun-ichi GOTO <gotoh@imasy.or.jp> has written a very useful ProxyCommand
12----------------- 10which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or
11https CONNECT style proxy server. His page for connect.c has extensive
12documentation on its use as well as compiled versions for Win32.
13 13
14chroot.diff: 14http://www.taiyo.co.jp/~gotoh/ssh/connect.html
15 15
16Due to the fact the patch is never in sync with the rest of the tree. It was 16
17removed. 17X11 SSH Askpass:
18
19Jim Knoble <jmknoble@pobox.com> has written an excellent X11
20passphrase requester. This is highly recommended:
21
22http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/index.html
23
24
25In this directory
26-----------------
18 27
19ssh-copy-id: 28ssh-copy-id:
20 29
21Phil Hands' <phil@hands.com> shell script to automate the process of adding 30Phil Hands' <phil@hands.com> shell script to automate the process of adding
22your public key to a remote machine's ~/.ssh/authorized_keys file. 31your public key to a remote machine's ~/.ssh/authorized_keys file.
23 32
24gnome-ssh-askpass: 33gnome-ssh-askpass[12]:
25 34
26A GNOME passphrase requester of my own creation. Compilation instructions 35A GNOME and Gtk2 passphrase requesters. Use "make gnome-ssh-askpass1" or
27are in the top of the file. 36"make gnome-ssh-askpass2" to build.
28 37
29sshd.pam.generic: 38sshd.pam.generic:
30 39
@@ -43,19 +52,9 @@ Contributed by Mark D. Roth <roth@feep.net>
43 52
44redhat: 53redhat:
45 54
46RPM spec file an scripts for building Redhat packages 55RPM spec file and scripts for building Redhat packages
47 56
48suse: 57suse:
49 58
50RPM spec file an scripts for building SuSE packages 59RPM spec file and scripts for building SuSE packages
51
52
53Externally maintained
54---------------------
55
56X11 SSH Askpass:
57
58Jim Knoble <jmknoble@pobox.com> has written an excellent X11
59passphrase requester. This is highly recommended:
60 60
61http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/index.html
diff --git a/contrib/aix/buildbff.sh b/contrib/aix/buildbff.sh
index d531e53f4..5c09c6b75 100755
--- a/contrib/aix/buildbff.sh
+++ b/contrib/aix/buildbff.sh
@@ -18,6 +18,16 @@ X11_FORWARDING=no
18 18
19umask 022 19umask 022
20 20
21startdir=`pwd`
22
23# Path to inventory.sh: same place as buildbff.sh
24if echo $0 | egrep '^/'
25then
26 inventory=`dirname $0`/inventory.sh # absolute path
27else
28 inventory=`pwd`/`dirname $0`/inventory.sh # relative path
29fi
30
21# 31#
22# We still support running from contrib/aix, but this is depreciated 32# We still support running from contrib/aix, but this is depreciated
23# 33#
@@ -45,14 +55,6 @@ objdir=`pwd`
45PKGNAME=openssh 55PKGNAME=openssh
46PKGDIR=package 56PKGDIR=package
47 57
48# Path to inventory.sh: same place as buildbff.sh
49if echo $0 | egrep '^/'
50then
51 inventory=`dirname $0`/inventory.sh # absolute path
52else
53 inventory=`pwd`/`dirname $0`/inventory.sh # relative path
54fi
55
56# 58#
57# Collect local configuration settings to override defaults 59# Collect local configuration settings to override defaults
58# 60#
@@ -328,15 +330,10 @@ rm -f $PKGNAME-$VERSION.bff
328) | backup -i -q -f ../$PKGNAME-$VERSION.bff $filelist 330) | backup -i -q -f ../$PKGNAME-$VERSION.bff $filelist
329 331
330# 332#
331# Move package into final location 333# Move package into final location and clean up
332# 334#
333if [ "$contribaix" = "1" ] 335mv ../$PKGNAME-$VERSION.bff $startdir
334then 336cd $startdir
335 mv ../$PKGNAME-$VERSION.bff $objdir/contrib/aix
336else
337 mv ../$PKGNAME-$VERSION.bff $objdir
338fi
339
340rm -rf $objdir/$PKGDIR 337rm -rf $objdir/$PKGDIR
341 338
342echo $0: done. 339echo $0: done.
diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec
index e7473947e..b7de22e8b 100644
--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -17,7 +17,7 @@
17#old cvs stuff. please update before use. may be deprecated. 17#old cvs stuff. please update before use. may be deprecated.
18%define use_stable 1 18%define use_stable 1
19%if %{use_stable} 19%if %{use_stable}
20 %define version 3.4p1 20 %define version 3.5p1
21 %define cvs %{nil} 21 %define cvs %{nil}
22 %define release 2 22 %define release 2
23%else 23%else
@@ -181,8 +181,6 @@ CFLAGS="$RPM_OPT_FLAGS" \
181 --with-pam \ 181 --with-pam \
182 --with-tcp-wrappers \ 182 --with-tcp-wrappers \
183 --with-ipv4-default \ 183 --with-ipv4-default \
184 --sysconfdir=%{_sysconfdir}/ssh \
185 --libexecdir=%{_libexecdir}/openssh \
186 --with-privsep-path=%{_var}/empty/sshd \ 184 --with-privsep-path=%{_var}/empty/sshd \
187 #leave this line for easy edits. 185 #leave this line for easy edits.
188 186
@@ -355,4 +353,4 @@ fi
355* Mon Jan 01 1998 ... 353* Mon Jan 01 1998 ...
356Template Version: 1.31 354Template Version: 1.31
357 355
358$Id: openssh.spec,v 1.36 2002/06/26 13:57:13 djm Exp $ 356$Id: openssh.spec,v 1.38 2002/10/03 01:56:59 djm Exp $
diff --git a/contrib/cygwin/README b/contrib/cygwin/README
index 9021ba2b0..71ea3455f 100644
--- a/contrib/cygwin/README
+++ b/contrib/cygwin/README
@@ -1,6 +1,30 @@
1This package is the actual port of OpenSSH to Cygwin 1.3. 1This package is the actual port of OpenSSH to Cygwin 1.3.
2 2
3=========================================================================== 3===========================================================================
4Important change since 3.4p1-2:
5
6This version adds privilege separation as default setting, see
7/usr/doc/openssh/README.privsep. According to that document the
8privsep feature requires a non-privileged account called 'sshd'.
9
10The new ssh-host-config file which is part of this version asks
11to create 'sshd' as local user if you want to use privilege
12separation. If you confirm, it creates that NT user and adds
13the necessary entry to /etc/passwd.
14
15On 9x/Me systems the script just sets UsePrivilegeSeparation to "no"
16since that feature doesn't make any sense on a system which doesn't
17differ between privileged and unprivileged users.
18
19The new ssh-host-config script also adds the /var/empty directory
20needed by privilege separation. When creating the /var/empty directory
21by yourself, please note that in contrast to the README.privsep document
22the owner sshould not be "root" but the user which is running sshd. So,
23in the standard configuration this is SYSTEM. The ssh-host-config script
24chowns /var/empty accordingly.
25===========================================================================
26
27===========================================================================
4Important change since 3.0.1p1-2: 28Important change since 3.0.1p1-2:
5 29
6This version introduces the ability to register sshd as service on 30This version introduces the ability to register sshd as service on
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index da6011267..4df5aa969 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -18,6 +18,11 @@ progname=$0
18auto_answer="" 18auto_answer=""
19port_number=22 19port_number=22
20 20
21privsep_configured=no
22privsep_used=yes
23sshd_in_passwd=no
24sshd_in_sam=no
25
21request() 26request()
22{ 27{
23 if [ "${auto_answer}" = "yes" ] 28 if [ "${auto_answer}" = "yes" ]
@@ -90,6 +95,10 @@ do
90 esac 95 esac
91done 96done
92 97
98# Check if running on NT
99_sys="`uname -a`"
100_nt=`expr "$_sys" : "CYGWIN_NT"`
101
93# Check for running ssh/sshd processes first. Refuse to do anything while 102# Check for running ssh/sshd processes first. Refuse to do anything while
94# some ssh processes are still running 103# some ssh processes are still running
95 104
@@ -98,7 +107,7 @@ then
98 echo 107 echo
99 echo "There are still ssh processes running. Please shut them down first." 108 echo "There are still ssh processes running. Please shut them down first."
100 echo 109 echo
101 #exit 1 110 exit 1
102fi 111fi
103 112
104# Check for ${SYSCONFDIR} directory 113# Check for ${SYSCONFDIR} directory
@@ -126,6 +135,39 @@ then
126 fi 135 fi
127fi 136fi
128 137
138# Create /var/log and /var/log/lastlog if not already existing
139
140if [ -f /var/log ]
141then
142 echo "Creating /var/log failed\!"
143else
144 if [ ! -d /var/log ]
145 then
146 mkdir -p /var/log
147 fi
148 if [ -d /var/log/lastlog ]
149 then
150 echo "Creating /var/log/lastlog failed\!"
151 elif [ ! -f /var/log/lastlog ]
152 then
153 cat /dev/null > /var/log/lastlog
154 fi
155fi
156
157# Create /var/empty file used as chroot jail for privilege separation
158if [ -f /var/empty ]
159then
160 echo "Creating /var/empty failed\!"
161else
162 mkdir -p /var/empty
163 # On NT change ownership of that dir to user "system"
164 if [ $_nt -gt 0 ]
165 then
166 chmod 755 /var/empty
167 chown system.system /var/empty
168 fi
169fi
170
129# Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't 171# Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't
130# the same as ${PREFIX} 172# the same as ${PREFIX}
131 173
@@ -219,9 +261,10 @@ if [ ! -f "${SYSCONFDIR}/ssh_config" ]
219then 261then
220 echo "Generating ${SYSCONFDIR}/ssh_config file" 262 echo "Generating ${SYSCONFDIR}/ssh_config file"
221 cat > ${SYSCONFDIR}/ssh_config << EOF 263 cat > ${SYSCONFDIR}/ssh_config << EOF
222# This is ssh client systemwide configuration file. This file provides 264# This is the ssh client system-wide configuration file. See
223# defaults for users, and the values can be changed in per-user configuration 265# ssh_config(5) for more information. This file provides defaults for
224# files or on the command line. 266# users, and the values can be changed in per-user configuration files
267# or on the command line.
225 268
226# Configuration data is parsed as follows: 269# Configuration data is parsed as follows:
227# 1. command line options 270# 1. command line options
@@ -237,20 +280,19 @@ then
237# ForwardAgent no 280# ForwardAgent no
238# ForwardX11 no 281# ForwardX11 no
239# RhostsAuthentication no 282# RhostsAuthentication no
240# RhostsRSAAuthentication yes 283# RhostsRSAAuthentication no
241# RSAAuthentication yes 284# RSAAuthentication yes
242# PasswordAuthentication yes 285# PasswordAuthentication yes
243# FallBackToRsh no
244# UseRsh no
245# BatchMode no 286# BatchMode no
246# CheckHostIP yes 287# CheckHostIP yes
247# StrictHostKeyChecking yes 288# StrictHostKeyChecking ask
248# IdentityFile ~/.ssh/identity 289# IdentityFile ~/.ssh/identity
249# IdentityFile ~/.ssh/id_dsa 290# IdentityFile ~/.ssh/id_dsa
250# IdentityFile ~/.ssh/id_rsa 291# IdentityFile ~/.ssh/id_rsa
251# Port 22 292# Port 22
252# Protocol 2,1 293# Protocol 2,1
253# Cipher blowfish 294# Cipher 3des
295# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
254# EscapeChar ~ 296# EscapeChar ~
255EOF 297EOF
256 if [ "$port_number" != "22" ] 298 if [ "$port_number" != "22" ]
@@ -271,17 +313,75 @@ then
271 then 313 then
272 echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected." 314 echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
273 fi 315 fi
316 else
317 grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
274 fi 318 fi
275fi 319fi
276 320
277# Create default sshd_config from here script 321# Prior to creating or modifying sshd_config, care for privilege separation
322
323if [ "$privsep_configured" != "yes" ]
324then
325 if [ $_nt -gt 0 ]
326 then
327 echo "Privilege separation is set to yes by default since OpenSSH 3.3."
328 echo "However, this requires a non-privileged account called 'sshd'."
329 echo "For more info on privilege separation read /usr/doc/openssh/README.privsep."
330 echo
331 if request "Shall privilege separation be used?"
332 then
333 privsep_used=yes
334 grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
335 net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
336 if [ "$sshd_in_passwd" != "yes" ]
337 then
338 if [ "$sshd_in_sam" != "yes" ]
339 then
340 echo "Warning: The following function requires administrator privileges!"
341 if request "Shall this script create a local user 'sshd' on this machine?"
342 then
343 dos_var_empty=`cygpath -w /var/empty`
344 net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
345 if [ "$sshd_in_sam" != "yes" ]
346 then
347 echo "Warning: Creating the user 'sshd' failed!"
348 fi
349 fi
350 fi
351 if [ "$sshd_in_sam" != "yes" ]
352 then
353 echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
354 echo " Privilege separation set to 'no' again!"
355 echo " Check your ${SYSCONFDIR}/sshd_config file!"
356 privsep_used=no
357 else
358 mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
359 fi
360 fi
361 else
362 privsep_used=no
363 fi
364 else
365 # On 9x don't use privilege separation. Since security isn't
366 # available it just adds useless addtional processes.
367 privsep_used=no
368 fi
369fi
370
371# Create default sshd_config from here script or modify to add the
372# missing privsep configuration option
278 373
279if [ ! -f "${SYSCONFDIR}/sshd_config" ] 374if [ ! -f "${SYSCONFDIR}/sshd_config" ]
280then 375then
281 echo "Generating ${SYSCONFDIR}/sshd_config file" 376 echo "Generating ${SYSCONFDIR}/sshd_config file"
282 cat > ${SYSCONFDIR}/sshd_config << EOF 377 cat > ${SYSCONFDIR}/sshd_config << EOF
283# This is the sshd server system-wide configuration file. See sshd(8) 378# This is the sshd server system-wide configuration file. See
284# for more information. 379# sshd_config(5) for more information.
380
381# The strategy used for options in the default sshd_config shipped with
382# OpenSSH is to specify options with their default value where
383# possible, but leave them commented. Uncommented options change a
384# default value.
285 385
286Port $port_number 386Port $port_number
287#Protocol 2,1 387#Protocol 2,1
@@ -289,66 +389,77 @@ Port $port_number
289#ListenAddress :: 389#ListenAddress ::
290 390
291# HostKey for protocol version 1 391# HostKey for protocol version 1
292HostKey /etc/ssh_host_key 392#HostKey ${SYSCONFDIR}/ssh_host_key
293# HostKeys for protocol version 2 393# HostKeys for protocol version 2
294HostKey /etc/ssh_host_rsa_key 394#HostKey ${SYSCONFDIR}/ssh_host_rsa_key
295HostKey /etc/ssh_host_dsa_key 395#HostKey ${SYSCONFDIR}/ssh_host_dsa_key
296 396
297# Lifetime and size of ephemeral version 1 server ke 397# Lifetime and size of ephemeral version 1 server ke
298KeyRegenerationInterval 3600 398#KeyRegenerationInterval 3600
299ServerKeyBits 768 399#ServerKeyBits 768
300 400
301# Logging 401# Logging
302SyslogFacility AUTH
303LogLevel INFO
304#obsoletes QuietMode and FascistLogging 402#obsoletes QuietMode and FascistLogging
403#SyslogFacility AUTH
404#LogLevel INFO
305 405
306# Authentication: 406# Authentication:
307 407
308LoginGraceTime 600 408#LoginGraceTime 600
309PermitRootLogin yes 409#PermitRootLogin yes
310# The following setting overrides permission checks on host key files 410# The following setting overrides permission checks on host key files
311# and directories. For security reasons set this to "yes" when running 411# and directories. For security reasons set this to "yes" when running
312# NT/W2K, NTFS and CYGWIN=ntsec. 412# NT/W2K, NTFS and CYGWIN=ntsec.
313StrictModes no 413StrictModes no
314 414
315RSAAuthentication yes 415#RSAAuthentication yes
316PubkeyAuthentication yes 416#PubkeyAuthentication yes
317#AuthorizedKeysFile %h/.ssh/authorized_keys 417#AuthorizedKeysFile %h/.ssh/authorized_keys
318 418
319# rhosts authentication should not be used 419# rhosts authentication should not be used
320RhostsAuthentication no 420#RhostsAuthentication no
321# Don't read ~/.rhosts and ~/.shosts files 421# Don't read ~/.rhosts and ~/.shosts files
322IgnoreRhosts yes 422#IgnoreRhosts yes
323# For this to work you will also need host keys in /etc/ssh_known_hosts 423# For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
324RhostsRSAAuthentication no 424#RhostsRSAAuthentication no
325# similar for protocol version 2 425# similar for protocol version 2
326HostbasedAuthentication no 426#HostbasedAuthentication no
327# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication 427# Change to yes if you don't trust ~/.ssh/known_hosts for
328#IgnoreUserKnownHosts yes 428# RhostsRSAAuthentication and HostbasedAuthentication
429#IgnoreUserKnownHosts no
329 430
330# To disable tunneled clear text passwords, change to no here! 431# To disable tunneled clear text passwords, change to no here!
331PasswordAuthentication yes 432#PasswordAuthentication yes
332PermitEmptyPasswords no 433#PermitEmptyPasswords no
333 434
334X11Forwarding no 435# Change to no to disable s/key passwords
335X11DisplayOffset 10 436#ChallengeResponseAuthentication yes
336PrintMotd yes 437
337#PrintLastLog no 438#X11Forwarding no
338KeepAlive yes 439#X11DisplayOffset 10
440#X11UseLocalhost yes
441#PrintMotd yes
442#PrintLastLog yes
443#KeepAlive yes
339#UseLogin no 444#UseLogin no
445UsePrivilegeSeparation $privsep_used
446#Compression yes
340 447
341#MaxStartups 10:30:60 448#MaxStartups 10
342#Banner /etc/issue.net 449# no default banner path
343#ReverseMappingCheck yes 450#Banner /some/path
451#VerifyReverseMapping no
344 452
453# override default of no subsystems
345Subsystem sftp /usr/sbin/sftp-server 454Subsystem sftp /usr/sbin/sftp-server
346EOF 455EOF
456elif [ "$privsep_configured" != "yes" ]
457then
458 echo >> ${SYSCONFDIR}/sshd_config
459 echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config
347fi 460fi
348 461
349# Care for services file 462# Care for services file
350_sys="`uname -a`"
351_nt=`expr "$_sys" : "CYGWIN_NT"`
352if [ $_nt -gt 0 ] 463if [ $_nt -gt 0 ]
353then 464then
354 _wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services" 465 _wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services"
@@ -403,8 +514,8 @@ umount "${_services}"
403umount "${_serv_tmp}" 514umount "${_serv_tmp}"
404 515
405# Care for inetd.conf file 516# Care for inetd.conf file
406_inetcnf="/etc/inetd.conf" 517_inetcnf="${SYSCONFDIR}/inetd.conf"
407_inetcnf_tmp="/etc/inetd.conf.$$" 518_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
408 519
409if [ -f "${_inetcnf}" ] 520if [ -f "${_inetcnf}" ]
410then 521then
@@ -442,25 +553,6 @@ then
442 fi 553 fi
443fi 554fi
444 555
445# Create /var/log and /var/log/lastlog if not already existing
446
447if [ -f /var/log ]
448then
449 echo "Creating /var/log failed\!"
450else
451 if [ ! -d /var/log ]
452 then
453 mkdir /var/log
454 fi
455 if [ -d /var/log/lastlog ]
456 then
457 echo "Creating /var/log/lastlog failed\!"
458 elif [ ! -f /var/log/lastlog ]
459 then
460 cat /dev/null > /var/log/lastlog
461 fi
462fi
463
464# On NT ask if sshd should be installed as service 556# On NT ask if sshd should be installed as service
465if [ $_nt -gt 0 ] 557if [ $_nt -gt 0 ]
466then 558then
@@ -477,7 +569,7 @@ then
477 [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty" 569 [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty"
478 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" 570 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
479 then 571 then
480 chown system /etc/ssh* 572 chown system ${SYSCONFDIR}/ssh*
481 echo 573 echo
482 echo "The service has been installed under LocalSystem account." 574 echo "The service has been installed under LocalSystem account."
483 fi 575 fi
diff --git a/contrib/gnome-ssh-askpass.c b/contrib/gnome-ssh-askpass1.c
index 7cece5620..b6b342b84 100644
--- a/contrib/gnome-ssh-askpass.c
+++ b/contrib/gnome-ssh-askpass1.c
@@ -38,7 +38,7 @@
38 * Compile with: 38 * Compile with:
39 * 39 *
40 * cc `gnome-config --cflags gnome gnomeui` \ 40 * cc `gnome-config --cflags gnome gnomeui` \
41 * gnome-ssh-askpass.c -o gnome-ssh-askpass \ 41 * gnome-ssh-askpass1.c -o gnome-ssh-askpass \
42 * `gnome-config --libs gnome gnomeui` 42 * `gnome-config --libs gnome gnomeui`
43 * 43 *
44 */ 44 */
@@ -64,7 +64,7 @@ report_failed_grab (void)
64 gnome_dialog_run_and_close(GNOME_DIALOG(err)); 64 gnome_dialog_run_and_close(GNOME_DIALOG(err));
65} 65}
66 66
67void 67int
68passphrase_dialog(char *message) 68passphrase_dialog(char *message)
69{ 69{
70 char *passphrase; 70 char *passphrase;
@@ -135,7 +135,7 @@ passphrase_dialog(char *message)
135 gtk_entry_set_text(GTK_ENTRY(entry), passphrase); 135 gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
136 136
137 gnome_dialog_close(GNOME_DIALOG(dialog)); 137 gnome_dialog_close(GNOME_DIALOG(dialog));
138 return; 138 return (result == 0 ? 0 : -1);
139 139
140 /* At least one grab failed - ungrab what we got, and report 140 /* At least one grab failed - ungrab what we got, and report
141 the failure to the user. Note that XGrabServer() cannot 141 the failure to the user. Note that XGrabServer() cannot
@@ -148,13 +148,15 @@ passphrase_dialog(char *message)
148 gnome_dialog_close(GNOME_DIALOG(dialog)); 148 gnome_dialog_close(GNOME_DIALOG(dialog));
149 149
150 report_failed_grab(); 150 report_failed_grab();
151 return (-1);
151} 152}
152 153
153int 154int
154main(int argc, char **argv) 155main(int argc, char **argv)
155{ 156{
156 char *message; 157 char *message;
157 158 int result;
159
158 gnome_init("GNOME ssh-askpass", "0.1", argc, argv); 160 gnome_init("GNOME ssh-askpass", "0.1", argc, argv);
159 161
160 if (argc == 2) 162 if (argc == 2)
@@ -163,6 +165,7 @@ main(int argc, char **argv)
163 message = "Enter your OpenSSH passphrase:"; 165 message = "Enter your OpenSSH passphrase:";
164 166
165 setvbuf(stdout, 0, _IONBF, 0); 167 setvbuf(stdout, 0, _IONBF, 0);
166 passphrase_dialog(message); 168 result = passphrase_dialog(message);
167 return 0; 169
170 return (result);
168} 171}
diff --git a/contrib/gnome-ssh-askpass2.c b/contrib/gnome-ssh-askpass2.c
new file mode 100644
index 000000000..89a412aa8
--- /dev/null
+++ b/contrib/gnome-ssh-askpass2.c
@@ -0,0 +1,204 @@
1/*
2 * Copyright (c) 2000-2002 Damien Miller. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23 */
24
25/* GTK2 support by Nalin Dahyabhai <nalin@redhat.com> */
26
27/*
28 * This is a simple GNOME SSH passphrase grabber. To use it, set the
29 * environment variable SSH_ASKPASS to point to the location of
30 * gnome-ssh-askpass before calling "ssh-add < /dev/null".
31 *
32 * There is only two run-time options: if you set the environment variable
33 * "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab
34 * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the
35 * pointer will be grabbed too. These may have some benefit to security if
36 * you don't trust your X server. We grab the keyboard always.
37 */
38
39/*
40 * Compile with:
41 *
42 * cc `pkg-config --cflags gtk+-2.0` \
43 * gnome-ssh-askpass2.c -o gnome-ssh-askpass \
44 * `pkg-config --libs gtk+-2.0`
45 *
46 */
47
48#include <stdlib.h>
49#include <stdio.h>
50#include <string.h>
51#include <X11/Xlib.h>
52#include <gtk/gtk.h>
53#include <gdk/gdkx.h>
54
55static void
56report_failed_grab (const char *what)
57{
58 GtkWidget *err;
59
60 err = gtk_message_dialog_new(NULL, 0,
61 GTK_MESSAGE_ERROR,
62 GTK_BUTTONS_CLOSE,
63 "Could not grab %s. "
64 "A malicious client may be eavesdropping "
65 "on your session.", what);
66 gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
67 gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(err))->label),
68 TRUE);
69
70 gtk_dialog_run(GTK_DIALOG(err));
71
72 gtk_widget_destroy(err);
73}
74
75static void
76ok_dialog(GtkWidget *entry, gpointer dialog)
77{
78 g_return_if_fail(GTK_IS_DIALOG(dialog));
79 gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
80}
81
82static int
83passphrase_dialog(char *message)
84{
85 const char *failed;
86 char *passphrase, *local;
87 char **messages;
88 int result, i, grab_server, grab_pointer;
89 GtkWidget *dialog, *entry, *label;
90 GdkGrabStatus status;
91
92 grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
93 grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL);
94
95 dialog = gtk_message_dialog_new(NULL, 0,
96 GTK_MESSAGE_QUESTION,
97 GTK_BUTTONS_OK_CANCEL,
98 "%s",
99 message);
100
101 entry = gtk_entry_new();
102 gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE,
103 FALSE, 0);
104 gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
105 gtk_widget_grab_focus(entry);
106 gtk_widget_show(entry);
107
108 gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
109 gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
110 gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(dialog))->label),
111 TRUE);
112
113 /* Make <enter> close dialog */
114 gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
115 g_signal_connect(G_OBJECT(entry), "activate",
116 G_CALLBACK(ok_dialog), dialog);
117
118 /* Grab focus */
119 gtk_widget_show_now(dialog);
120 if (grab_server) {
121 gdk_x11_grab_server();
122 }
123 if (grab_pointer) {
124 status = gdk_pointer_grab((GTK_WIDGET(dialog))->window, TRUE,
125 0, NULL, NULL, GDK_CURRENT_TIME);
126 if (status != GDK_GRAB_SUCCESS) {
127 failed = "mouse";
128 goto nograb;
129 }
130 }
131 status = gdk_keyboard_grab((GTK_WIDGET(dialog))->window, FALSE,
132 GDK_CURRENT_TIME);
133 if (status != GDK_GRAB_SUCCESS) {
134 failed = "keyboard";
135 goto nograbkb;
136 }
137 result = gtk_dialog_run(GTK_DIALOG(dialog));
138
139 /* Ungrab */
140 if (grab_server)
141 XUngrabServer(GDK_DISPLAY());
142 if (grab_pointer)
143 gdk_pointer_ungrab(GDK_CURRENT_TIME);
144 gdk_keyboard_ungrab(GDK_CURRENT_TIME);
145 gdk_flush();
146
147 /* Report passphrase if user selected OK */
148 passphrase = g_strdup(gtk_entry_get_text(GTK_ENTRY(entry)));
149 if (result == GTK_RESPONSE_OK) {
150 local = g_locale_from_utf8(passphrase, strlen(passphrase),
151 NULL, NULL, NULL);
152 if (local != NULL) {
153 puts(local);
154 memset(local, '\0', strlen(local));
155 g_free(local);
156 } else {
157 puts(passphrase);
158 }
159 }
160
161 /* Zero passphrase in memory */
162 memset(passphrase, '\b', strlen(passphrase));
163 gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
164 memset(passphrase, '\0', strlen(passphrase));
165 g_free(passphrase);
166
167 gtk_widget_destroy(dialog);
168 return (result == GTK_RESPONSE_OK ? 0 : -1);
169
170 /* At least one grab failed - ungrab what we got, and report
171 the failure to the user. Note that XGrabServer() cannot
172 fail. */
173 nograbkb:
174 gdk_pointer_ungrab(GDK_CURRENT_TIME);
175 nograb:
176 if (grab_server)
177 XUngrabServer(GDK_DISPLAY());
178 gtk_widget_destroy(dialog);
179
180 report_failed_grab(failed);
181
182 return (-1);
183}
184
185int
186main(int argc, char **argv)
187{
188 char *message;
189 int result;
190
191 gtk_init(&argc, &argv);
192
193 if (argc > 1) {
194 message = g_strjoinv(" ", argv + 1);
195 } else {
196 message = g_strdup("Enter your OpenSSH passphrase:");
197 }
198
199 setvbuf(stdout, 0, _IONBF, 0);
200 result = passphrase_dialog(message);
201 g_free(message);
202
203 return (result);
204}
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index b73fb929f..e7005064d 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
1%define ver 3.4p1 1%define ver 3.5p1
2%define rel 1 2%define rel 1
3 3
4# OpenSSH privilege separation requires a user & group ID 4# OpenSSH privilege separation requires a user & group ID
@@ -20,6 +20,9 @@
20# Do we want smartcard support (1=yes 0=no) 20# Do we want smartcard support (1=yes 0=no)
21%define scard 0 21%define scard 0
22 22
23# Use GTK2 instead of GNOME in gnome-ssh-askpass
24%define gtk2 0
25
23# Is this build for RHL 6.x? 26# Is this build for RHL 6.x?
24%define build6x 0 27%define build6x 0
25 28
@@ -86,7 +89,7 @@ PreReq: initscripts >= 5.20
86%endif 89%endif
87BuildPreReq: perl, openssl-devel, sharutils, tcp_wrappers 90BuildPreReq: perl, openssl-devel, sharutils, tcp_wrappers
88BuildPreReq: /bin/login 91BuildPreReq: /bin/login
89%if %{build6x} 92%if ! %{build6x}
90BuildPreReq: glibc-devel, pam 93BuildPreReq: glibc-devel, pam
91%else 94%else
92BuildPreReq: db1-devel, /usr/include/security/pam_appl.h 95BuildPreReq: db1-devel, /usr/include/security/pam_appl.h
@@ -95,7 +98,7 @@ BuildPreReq: db1-devel, /usr/include/security/pam_appl.h
95BuildPreReq: XFree86-devel 98BuildPreReq: XFree86-devel
96%endif 99%endif
97%if ! %{no_gnome_askpass} 100%if ! %{no_gnome_askpass}
98BuildPreReq: gnome-libs-devel 101BuildPreReq: pkgconfig
99%endif 102%endif
100%if %{kerberos5} 103%if %{kerberos5}
101BuildPreReq: krb5-devel 104BuildPreReq: krb5-devel
@@ -220,11 +223,23 @@ make
220popd 223popd
221%endif 224%endif
222 225
226# Define a variable to toggle gnome1/gtk2 building. This is necessary
227# because RPM doesn't handle nested %if statements.
228%if %{gtk2}
229 gtk2=yes
230%else
231 gtk2=no
232%endif
233
223%if ! %{no_gnome_askpass} 234%if ! %{no_gnome_askpass}
224pushd contrib 235pushd contrib
225gcc $RPM_OPT_FLAGS `gnome-config --cflags gnome gnomeui` \ 236if [ $gtk2 = yes ] ; then
226 gnome-ssh-askpass.c -o gnome-ssh-askpass \ 237 make gnome-ssh-askpass2
227 `gnome-config --libs gnome gnomeui` 238 mv gnome-ssh-askpass2 gnome-ssh-askpass
239else
240 make gnome-ssh-askpass1
241 mv gnome-ssh-askpass1 gnome-ssh-askpass
242fi
228popd 243popd
229%endif 244%endif
230 245
@@ -255,6 +270,10 @@ ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
255install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass 270install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
256%endif 271%endif
257 272
273%if ! %{scard}
274 rm -f $RPM_BUILD_ROOT/usr/share/openssh/Ssh.bin
275%endif
276
258install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ 277install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
259install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ 278install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
260install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ 279install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
@@ -338,7 +357,7 @@ fi
338%attr(-,root,root) %{_bindir}/slogin 357%attr(-,root,root) %{_bindir}/slogin
339%attr(-,root,root) %{_mandir}/man1/slogin.1* 358%attr(-,root,root) %{_mandir}/man1/slogin.1*
340%if ! %{rescue} 359%if ! %{rescue}
341%attr(0755,root,root) %{_bindir}/ssh-agent 360%attr(2755,root,nobody) %{_bindir}/ssh-agent
342%attr(0755,root,root) %{_bindir}/ssh-add 361%attr(0755,root,root) %{_bindir}/ssh-add
343%attr(0755,root,root) %{_bindir}/ssh-keyscan 362%attr(0755,root,root) %{_bindir}/ssh-keyscan
344%attr(0755,root,root) %{_bindir}/sftp 363%attr(0755,root,root) %{_bindir}/sftp
@@ -381,6 +400,12 @@ fi
381%endif 400%endif
382 401
383%changelog 402%changelog
403* Wed Oct 01 2002 Damien Miller <djm@mindrot.org>
404- Install ssh-agent setgid nobody to prevent ptrace() key theft attacks
405
406* Mon Sep 30 2002 Damien Miller <djm@mindrot.org>
407- Use contrib/ Makefile for building askpass programs
408
384* Fri Jun 21 2002 Damien Miller <djm@mindrot.org> 409* Fri Jun 21 2002 Damien Miller <djm@mindrot.org>
385- Merge in spec changes from seba@iq.pl (Sebastian Pachuta) 410- Merge in spec changes from seba@iq.pl (Sebastian Pachuta)
386- Add new {ssh,sshd}_config.5 manpages 411- Add new {ssh,sshd}_config.5 manpages
diff --git a/contrib/solaris/buildpkg.sh b/contrib/solaris/buildpkg.sh
index 1be6ed8d1..c41b3f963 100755
--- a/contrib/solaris/buildpkg.sh
+++ b/contrib/solaris/buildpkg.sh
@@ -11,13 +11,18 @@ umask 022
11# Options for building the package 11# Options for building the package
12# You can create a config.local with your customized options 12# You can create a config.local with your customized options
13# 13#
14# uncommenting TEST_DIR and using configure--prefix=/var/tmp and 14# uncommenting TEST_DIR and using
15# configure --prefix=/var/tmp --with-privsep-path=/var/tmp/empty
16# and
15# PKGNAME=tOpenSSH should allow testing a package without interfering 17# PKGNAME=tOpenSSH should allow testing a package without interfering
16# with a real OpenSSH package on a system. 18# with a real OpenSSH package on a system. This is not needed on systems
19# that support the -R option to pkgadd.
17#TEST_DIR=/var/tmp # leave commented out for production build 20#TEST_DIR=/var/tmp # leave commented out for production build
18PKGNAME=OpenSSH 21PKGNAME=OpenSSH
19SYSVINIT_NAME=opensshd 22SYSVINIT_NAME=opensshd
20MAKE=${MAKE:="make"} 23MAKE=${MAKE:="make"}
24SSHDUID=67 # Default privsep uid
25SSHDGID=67 # Default privsep gid
21# uncomment these next two as needed 26# uncomment these next two as needed
22#PERMIT_ROOT_LOGIN=no 27#PERMIT_ROOT_LOGIN=no
23#X11_FORWARDING=yes 28#X11_FORWARDING=yes
@@ -55,7 +60,7 @@ SYSTEM_DIR="/etc \
55/var/tmp \ 60/var/tmp \
56/tmp" 61/tmp"
57 62
58# We may need to buiild as root so we make sure PATH is set up 63# We may need to build as root so we make sure PATH is set up
59# only set the path if it's not set already 64# only set the path if it's not set already
60[ -d /usr/local/bin ] && { 65[ -d /usr/local/bin ] && {
61 echo $PATH | grep ":/usr/local/bin" > /dev/null 2>&1 66 echo $PATH | grep ":/usr/local/bin" > /dev/null 2>&1
@@ -96,6 +101,19 @@ do
96 eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2` 101 eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2`
97done 102done
98 103
104
105## Collect value of privsep user
106for confvar in SSH_PRIVSEP_USER
107do
108 eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' config.h`
109done
110
111## Set privsep defaults if not defined
112if [ -z "$SSH_PRIVSEP_USER" ]
113then
114 SSH_PRIVSEP_USER=sshd
115fi
116
99## Extract common info requires for the 'info' part of the package. 117## Extract common info requires for the 'info' part of the package.
100VERSION=`./ssh -V 2>&1 | sed -e 's/,.*//'` 118VERSION=`./ssh -V 2>&1 | sed -e 's/,.*//'`
101 119
@@ -106,7 +124,8 @@ case ${UNAME_S} in
106 RCS_D=yes 124 RCS_D=yes
107 DEF_MSG="(default: n)" 125 DEF_MSG="(default: n)"
108 ;; 126 ;;
109 *) ARCH=`uname -m` ;; 127 *) ARCH=`uname -m`
128 DEF_MSG="\n" ;;
110esac 129esac
111 130
112## Setup our run level stuff while we are at it. 131## Setup our run level stuff while we are at it.
@@ -171,13 +190,16 @@ echo "Building postinstall file..."
171cat > postinstall << _EOF 190cat > postinstall << _EOF
172#! /sbin/sh 191#! /sbin/sh
173# 192#
174[ -f ${sysconfdir}/ssh_config ] || \\ 193[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config ] || \\
175 cp -p ${sysconfdir}/ssh_config.default ${sysconfdir}/ssh_config 194 cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config.default \\
176[ -f ${sysconfdir}/sshd_config ] || \\ 195 \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config
177 cp -p ${sysconfdir}/sshd_config.default ${sysconfdir}/sshd_config 196[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config ] || \\
178[ -f ${sysconfdir}/ssh_prng_cmds.default ] && { 197 cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config.default \\
179 [ -f ${sysconfdir}/ssh_prng_cmds ] || \\ 198 \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config
180 cp -p ${sysconfdir}/ssh_prng_cmds.default ${sysconfdir}/ssh_prng_cmds 199[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds.default ] && {
200 [ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds ] || \\
201 cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds.default \\
202 \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds
181} 203}
182 204
183# make rc?.d dirs only if we are doing a test install 205# make rc?.d dirs only if we are doing a test install
@@ -191,23 +213,75 @@ cat > postinstall << _EOF
191if [ "\${USE_SYM_LINKS}" = yes ] 213if [ "\${USE_SYM_LINKS}" = yes ]
192then 214then
193 [ "$RCS_D" = yes ] && \ 215 [ "$RCS_D" = yes ] && \
194installf ${PKGNAME} $TEST_DIR/etc/rcS.d/K30${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s 216installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/K30${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
195 installf ${PKGNAME} $TEST_DIR/etc/rc0.d/K30${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s 217 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/K30${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
196 installf ${PKGNAME} $TEST_DIR/etc/rc1.d/K30${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s 218 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/K30${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
197 installf ${PKGNAME} $TEST_DIR/etc/rc2.d/S98${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s 219 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/S98${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
198else 220else
199 [ "$RCS_D" = yes ] && \ 221 [ "$RCS_D" = yes ] && \
200installf ${PKGNAME} $TEST_DIR/etc/rcS.d/K30${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l 222installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/K30${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
201 installf ${PKGNAME} $TEST_DIR/etc/rc0.d/K30${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l 223 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/K30${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
202 installf ${PKGNAME} $TEST_DIR/etc/rc1.d/K30${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l 224 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/K30${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
203 installf ${PKGNAME} $TEST_DIR/etc/rc2.d/S98${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l 225 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/S98${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
204fi 226fi
205 227
206# If piddir doesn't exist we add it. (Ie. --with-pid-dir=/var/opt/ssh) 228# If piddir doesn't exist we add it. (Ie. --with-pid-dir=/var/opt/ssh)
207[ -d $piddir ] || installf ${PKGNAME} $TEST_DIR$piddir d 755 root sys 229[ -d $piddir ] || installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR$piddir d 755 root sys
208 230
209installf -f ${PKGNAME} 231installf -f ${PKGNAME}
210 232
233# Use chroot to handle PKG_INSTALL_ROOT
234if [ ! -z "\${PKG_INSTALL_ROOT}" ]
235then
236 chroot="chroot \${PKG_INSTALL_ROOT}"
237fi
238# If this is a test build, we will skip the groupadd/useradd/passwd commands
239if [ ! -z "${TEST_DIR}" ]
240then
241 chroot=echo
242fi
243
244if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' \${PKG_INSTALL_ROOT}/$sysconfdir/sshd_config >/dev/null
245then
246 echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user"
247 echo "or group."
248else
249 echo "UsePrivilegeSeparation enabled in config (or defaulting to on)."
250
251 # create group if required
252 if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
253 then
254 echo "PrivSep group $SSH_PRIVSEP_USER already exists."
255 else
256 # Use gid of 67 if possible
257 if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null
258 then
259 :
260 else
261 sshdgid="-g $SSHDGID"
262 fi
263 echo "Creating PrivSep group $SSH_PRIVSEP_USER."
264 \$chroot /usr/sbin/groupadd \$sshdgid $SSH_PRIVSEP_USER
265 fi
266
267 # Create user if required
268 if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
269 then
270 echo "PrivSep user $SSH_PRIVSEP_USER already exists."
271 else
272 # Use uid of 67 if possible
273 if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDGID'\$' >/dev/null
274 then
275 :
276 else
277 sshduid="-u $SSHDUID"
278 fi
279 echo "Creating PrivSep user $SSH_PRIVSEP_USER."
280 \$chroot /usr/sbin/useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER
281 \$chroot /usr/bin/passwd -l $SSH_PRIVSEP_USER
282 fi
283fi
284
211[ "\${POST_INS_START}" = "yes" ] && ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start 285[ "\${POST_INS_START}" = "yes" ] && ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start
212exit 0 286exit 0
213_EOF 287_EOF
diff --git a/contrib/solaris/opensshd.in b/contrib/solaris/opensshd.in
index 212254dc8..e7ca2489f 100755
--- a/contrib/solaris/opensshd.in
+++ b/contrib/solaris/opensshd.in
@@ -3,11 +3,8 @@
3# 3#
4# Stripped PRNGd out of it for the time being. 4# Stripped PRNGd out of it for the time being.
5 5
6AWK=/usr/bin/awk
7CAT=/usr/bin/cat 6CAT=/usr/bin/cat
8KILL=/usr/bin/kill 7KILL=/usr/bin/kill
9PS=/usr/bin/ps
10XARGS=/usr/bin/xargs
11 8
12prefix=%%openSSHDir%% 9prefix=%%openSSHDir%%
13etcdir=%%configDir%% 10etcdir=%%configDir%%
@@ -20,12 +17,6 @@ HOST_KEY_RSA1=$etcdir/ssh_host_key
20HOST_KEY_DSA=$etcdir/ssh_host_dsa_key 17HOST_KEY_DSA=$etcdir/ssh_host_dsa_key
21HOST_KEY_RSA=$etcdir/ssh_host_rsa_key 18HOST_KEY_RSA=$etcdir/ssh_host_rsa_key
22 19
23killproc() {
24 _procname=$1
25 _signal=$2
26 ${PS} -u root | ${AWK} '/'"$_procname"'$/ {print $1}' | ${XARGS} ${KILL}
27}
28
29 20
30checkkeys() { 21checkkeys() {
31 if [ ! -f $HOST_KEY_RSA1 ]; then 22 if [ ! -f $HOST_KEY_RSA1 ]; then
@@ -46,8 +37,7 @@ stop_service() {
46 if [ ${PID:=0} -gt 1 -a ! "X$PID" = "X " ]; then 37 if [ ${PID:=0} -gt 1 -a ! "X$PID" = "X " ]; then
47 ${KILL} ${PID} 38 ${KILL} ${PID}
48 else 39 else
49 echo "Unable to read PID file, killing using alternate method" 40 echo "Unable to read PID file"
50 killproc sshd TERM
51 fi 41 fi
52} 42}
53 43
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
index 126dac335..3ae1dfc80 100644
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -1,6 +1,6 @@
1Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation 1Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
2Name: openssh 2Name: openssh
3Version: 3.4p1 3Version: 3.5p1
4URL: http://www.openssh.com/ 4URL: http://www.openssh.com/
5Release: 1 5Release: 1
6Source0: openssh-%{version}.tar.gz 6Source0: openssh-%{version}.tar.gz