author | Colin Watson <cjwatson@debian.org> | 2003-09-01 02:05:26 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2003-09-01 02:05:26 +0000 |
commit | 6d5a72bc1d98a42ba42f082e50a22e911c1d82d3 (patch) | |
tree | 1bf23174bdb6fc71e2846dda0eca195a418484e7 /contrib | |
parent | 2ee26b431f98cf1dc0e4fb9809ad1e0c879b8c08 (diff) | |
parent | 58657d96514cd6f16d82add8d6f4adbb36765758 (diff) |
Debian release 3.5p1-1.
Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/Makefile | 15 | ||||
-rw-r--r-- | contrib/README | 51 | ||||
-rwxr-xr-x | contrib/aix/buildbff.sh | 29 | ||||
-rw-r--r-- | contrib/caldera/openssh.spec | 6 | ||||
-rw-r--r-- | contrib/cygwin/README | 24 | ||||
-rw-r--r-- | contrib/cygwin/ssh-host-config | 222 | ||||
-rw-r--r-- | contrib/gnome-ssh-askpass1.c (renamed from contrib/gnome-ssh-askpass.c) | 15 | ||||
-rw-r--r-- | contrib/gnome-ssh-askpass2.c | 204 | ||||
-rw-r--r-- | contrib/redhat/openssh.spec | 39 | ||||
-rwxr-xr-x | contrib/solaris/buildpkg.sh | 114 | ||||
-rwxr-xr-x | contrib/solaris/opensshd.in | 12 | ||||
-rw-r--r-- | contrib/suse/openssh.spec | 2 |
12 files changed, 577 insertions, 156 deletions
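--- /dev/null
+++ b/contrib/Makefile
@@ -0,0 +1,15 @@
+all:
+	@echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
+
+gnome-ssh-askpass1: gnome-ssh-askpass1.c
+	$(CC) `gnome-config --cflags gnome gnomeui` \
+		gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \
+		`gnome-config --libs gnome gnomeui`
+
+gnome-ssh-askpass2: gnome-ssh-askpass2.c
+	$(CC) `pkg-config --cflags gtk+-2.0` \
+		gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
+		`pkg-config --libs gtk+-2.0`
+
+clean:
+	rm -f *.o gnome-ssh-askpass1 gnome-ssh-askpass2 gnome-ssh-askpass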
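Review bot: `all` and `clean` are not declared phony, so a stray file named `clean` or `all` in contrib/ silently turns those targets into no-ops; adding `.PHONY: all clean` at the top of the file avoids that. The `clean` rule also removes `gnome-ssh-askpass`, a name no rule in this Makefile produces — presumably the pre-rename binary — which is worth a short comment such as `# gnome-ssh-askpass is the pre-rename binary name, still cleaned up` so it is not taken for a typo later.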
diff --git a/contrib/README b/contrib/README index 648bb2f3a..67dbbd277 100644 --- a/contrib/README +++ b/contrib/README | |||
@@ -1,30 +1,39 @@ | |||
1 | Other patches and addons for OpenSSH. Please send submissions to | 1 | Other patches and addons for OpenSSH. Please send submissions to |
2 | djm@ibs.com.au | 2 | djm@mindrot.org |
3 | 3 | ||
4 | Elsewhere | 4 | Externally maintained |
5 | --------- | 5 | --------------------- |
6 | 6 | ||
7 | http://www.imasy.or.jp/~gotoh/connect.c is a Unix and Windows | 7 | SSH Proxy Command -- connect.c |
8 | ProxyCommand which allows OpenSSH to make connections through a SOCKS5 | ||
9 | or http proxy which supports the CONNECT method (eg. Squid). | ||
10 | 8 | ||
11 | In this directory | 9 | Shun-ichi GOTO <gotoh@imasy.or.jp> has written a very useful ProxyCommand |
12 | ----------------- | 10 | which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or |
11 | https CONNECT style proxy server. His page for connect.c has extensive | ||
12 | documentation on its use as well as compiled versions for Win32. | ||
13 | 13 | ||
14 | chroot.diff: | 14 | http://www.taiyo.co.jp/~gotoh/ssh/connect.html |
15 | 15 | ||
16 | Due to the fact the patch is never in sync with the rest of the tree. It was | 16 | |
17 | removed. | 17 | X11 SSH Askpass: |
18 | |||
19 | Jim Knoble <jmknoble@pobox.com> has written an excellent X11 | ||
20 | passphrase requester. This is highly recommended: | ||
21 | |||
22 | http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/index.html | ||
23 | |||
24 | |||
25 | In this directory | ||
26 | ----------------- | ||
18 | 27 | ||
19 | ssh-copy-id: | 28 | ssh-copy-id: |
20 | 29 | ||
21 | Phil Hands' <phil@hands.com> shell script to automate the process of adding | 30 | Phil Hands' <phil@hands.com> shell script to automate the process of adding |
22 | your public key to a remote machine's ~/.ssh/authorized_keys file. | 31 | your public key to a remote machine's ~/.ssh/authorized_keys file. |
23 | 32 | ||
24 | gnome-ssh-askpass: | 33 | gnome-ssh-askpass[12]: |
25 | 34 | ||
26 | A GNOME passphrase requester of my own creation. Compilation instructions | 35 | A GNOME and Gtk2 passphrase requesters. Use "make gnome-ssh-askpass1" or |
27 | are in the top of the file. | 36 | "make gnome-ssh-askpass2" to build. |
28 | 37 | ||
29 | sshd.pam.generic: | 38 | sshd.pam.generic: |
30 | 39 | ||
@@ -43,19 +52,9 @@ Contributed by Mark D. Roth <roth@feep.net> | |||
43 | 52 | ||
44 | redhat: | 53 | redhat: |
45 | 54 | ||
46 | RPM spec file an scripts for building Redhat packages | 55 | RPM spec file and scripts for building Redhat packages |
47 | 56 | ||
48 | suse: | 57 | suse: |
49 | 58 | ||
50 | RPM spec file an scripts for building SuSE packages | 59 | RPM spec file and scripts for building SuSE packages |
51 | |||
52 | |||
53 | Externally maintained | ||
54 | --------------------- | ||
55 | |||
56 | X11 SSH Askpass: | ||
57 | |||
58 | Jim Knoble <jmknoble@pobox.com> has written an excellent X11 | ||
59 | passphrase requester. This is highly recommended: | ||
60 | 60 | ||
61 | http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/index.html | ||
diff --git a/contrib/aix/buildbff.sh b/contrib/aix/buildbff.sh index d531e53f4..5c09c6b75 100755 --- a/contrib/aix/buildbff.sh +++ b/contrib/aix/buildbff.sh | |||
@@ -18,6 +18,16 @@ X11_FORWARDING=no | |||
18 | 18 | ||
19 | umask 022 | 19 | umask 022 |
20 | 20 | ||
21 | startdir=`pwd` | ||
22 | |||
23 | # Path to inventory.sh: same place as buildbff.sh | ||
24 | if echo $0 | egrep '^/' | ||
25 | then | ||
26 | inventory=`dirname $0`/inventory.sh # absolute path | ||
27 | else | ||
28 | inventory=`pwd`/`dirname $0`/inventory.sh # relative path | ||
29 | fi | ||
30 | |||
21 | # | 31 | # |
22 | # We still support running from contrib/aix, but this is depreciated | 32 | # We still support running from contrib/aix, but this is depreciated |
23 | # | 33 | # |
@@ -45,14 +55,6 @@ objdir=`pwd` | |||
45 | PKGNAME=openssh | 55 | PKGNAME=openssh |
46 | PKGDIR=package | 56 | PKGDIR=package |
47 | 57 | ||
48 | # Path to inventory.sh: same place as buildbff.sh | ||
49 | if echo $0 | egrep '^/' | ||
50 | then | ||
51 | inventory=`dirname $0`/inventory.sh # absolute path | ||
52 | else | ||
53 | inventory=`pwd`/`dirname $0`/inventory.sh # relative path | ||
54 | fi | ||
55 | |||
56 | # | 58 | # |
57 | # Collect local configuration settings to override defaults | 59 | # Collect local configuration settings to override defaults |
58 | # | 60 | # |
@@ -328,15 +330,10 @@ rm -f $PKGNAME-$VERSION.bff | |||
328 | ) | backup -i -q -f ../$PKGNAME-$VERSION.bff $filelist | 330 | ) | backup -i -q -f ../$PKGNAME-$VERSION.bff $filelist |
329 | 331 | ||
330 | # | 332 | # |
331 | # Move package into final location | 333 | # Move package into final location and clean up |
332 | # | 334 | # |
333 | if [ "$contribaix" = "1" ] | 335 | mv ../$PKGNAME-$VERSION.bff $startdir |
334 | then | 336 | cd $startdir |
335 | mv ../$PKGNAME-$VERSION.bff $objdir/contrib/aix | ||
336 | else | ||
337 | mv ../$PKGNAME-$VERSION.bff $objdir | ||
338 | fi | ||
339 | |||
340 | rm -rf $objdir/$PKGDIR | 337 | rm -rf $objdir/$PKGDIR |
341 | 338 | ||
342 | echo $0: done. | 339 | echo $0: done. |
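Review bot: In the `@@ -328,15 +330,10 @@` hunk the new `mv ../$PKGNAME-$VERSION.bff $startdir` and `cd $startdir` lines are neither quoted nor checked, so a `$startdir` containing whitespace is split into several arguments and a failed move still lets the script print `done.` and exit 0. Quoting and checking both keeps the failure visible: `mv "../$PKGNAME-$VERSION.bff" "$startdir" || exit 1` and `cd "$startdir" || exit 1`. The inventory-path block in the first hunk is moved rather than new, but since `startdir` is now the single place the build result is delivered to, a comment above `startdir=\`pwd\`` saying `# directory the finished .bff is moved back to` would document why it is captured this early.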
diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index e7473947e..b7de22e8b 100644 --- a/contrib/caldera/openssh.spec +++ b/contrib/caldera/openssh.spec | |||
@@ -17,7 +17,7 @@ | |||
17 | #old cvs stuff. please update before use. may be deprecated. | 17 | #old cvs stuff. please update before use. may be deprecated. |
18 | %define use_stable 1 | 18 | %define use_stable 1 |
19 | %if %{use_stable} | 19 | %if %{use_stable} |
20 | %define version 3.4p1 | 20 | %define version 3.5p1 |
21 | %define cvs %{nil} | 21 | %define cvs %{nil} |
22 | %define release 2 | 22 | %define release 2 |
23 | %else | 23 | %else |
@@ -181,8 +181,6 @@ CFLAGS="$RPM_OPT_FLAGS" \ | |||
181 | --with-pam \ | 181 | --with-pam \ |
182 | --with-tcp-wrappers \ | 182 | --with-tcp-wrappers \ |
183 | --with-ipv4-default \ | 183 | --with-ipv4-default \ |
184 | --sysconfdir=%{_sysconfdir}/ssh \ | ||
185 | --libexecdir=%{_libexecdir}/openssh \ | ||
186 | --with-privsep-path=%{_var}/empty/sshd \ | 184 | --with-privsep-path=%{_var}/empty/sshd \ |
187 | #leave this line for easy edits. | 185 | #leave this line for easy edits. |
188 | 186 | ||
@@ -355,4 +353,4 @@ fi | |||
355 | * Mon Jan 01 1998 ... | 353 | * Mon Jan 01 1998 ... |
356 | Template Version: 1.31 | 354 | Template Version: 1.31 |
357 | 355 | ||
358 | $Id: openssh.spec,v 1.36 2002/06/26 13:57:13 djm Exp $ | 356 | $Id: openssh.spec,v 1.38 2002/10/03 01:56:59 djm Exp $ |
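Review bot: Dropping `--sysconfdir=%{_sysconfdir}/ssh` and `--libexecdir=%{_libexecdir}/openssh` from the configure call in the `@@ -181,8 +181,6 @@` hunk changes where the package installs its configuration files and helper binaries, yet none of the visible hunks adjust the `%files` or `%install` sections to the configure defaults. If those sections (outside the hunk) still list `%{_sysconfdir}/ssh` and `%{_libexecdir}/openssh` paths, the build is likely to fail on missing or unpackaged files. If the removal is intentional, a one-line comment above the configure call, e.g. `# sysconfdir/libexecdir deliberately left at the configure defaults`, would make that clear to the next editor.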
diff --git a/contrib/cygwin/README b/contrib/cygwin/README index 9021ba2b0..71ea3455f 100644 --- a/contrib/cygwin/README +++ b/contrib/cygwin/README | |||
@@ -1,6 +1,30 @@ | |||
1 | This package is the actual port of OpenSSH to Cygwin 1.3. | 1 | This package is the actual port of OpenSSH to Cygwin 1.3. |
2 | 2 | ||
3 | =========================================================================== | 3 | =========================================================================== |
4 | Important change since 3.4p1-2: | ||
5 | |||
6 | This version adds privilege separation as default setting, see | ||
7 | /usr/doc/openssh/README.privsep. According to that document the | ||
8 | privsep feature requires a non-privileged account called 'sshd'. | ||
9 | |||
10 | The new ssh-host-config file which is part of this version asks | ||
11 | to create 'sshd' as local user if you want to use privilege | ||
12 | separation. If you confirm, it creates that NT user and adds | ||
13 | the necessary entry to /etc/passwd. | ||
14 | |||
15 | On 9x/Me systems the script just sets UsePrivilegeSeparation to "no" | ||
16 | since that feature doesn't make any sense on a system which doesn't | ||
17 | differ between privileged and unprivileged users. | ||
18 | |||
19 | The new ssh-host-config script also adds the /var/empty directory | ||
20 | needed by privilege separation. When creating the /var/empty directory | ||
21 | by yourself, please note that in contrast to the README.privsep document | ||
22 | the owner sshould not be "root" but the user which is running sshd. So, | ||
23 | in the standard configuration this is SYSTEM. The ssh-host-config script | ||
24 | chowns /var/empty accordingly. | ||
25 | =========================================================================== | ||
26 | |||
27 | =========================================================================== | ||
4 | Important change since 3.0.1p1-2: | 28 | Important change since 3.0.1p1-2: |
5 | 29 | ||
6 | This version introduces the ability to register sshd as service on | 30 | This version introduces the ability to register sshd as service on |
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index da6011267..4df5aa969 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config | |||
@@ -18,6 +18,11 @@ progname=$0 | |||
18 | auto_answer="" | 18 | auto_answer="" |
19 | port_number=22 | 19 | port_number=22 |
20 | 20 | ||
21 | privsep_configured=no | ||
22 | privsep_used=yes | ||
23 | sshd_in_passwd=no | ||
24 | sshd_in_sam=no | ||
25 | |||
21 | request() | 26 | request() |
22 | { | 27 | { |
23 | if [ "${auto_answer}" = "yes" ] | 28 | if [ "${auto_answer}" = "yes" ] |
@@ -90,6 +95,10 @@ do | |||
90 | esac | 95 | esac |
91 | done | 96 | done |
92 | 97 | ||
98 | # Check if running on NT | ||
99 | _sys="`uname -a`" | ||
100 | _nt=`expr "$_sys" : "CYGWIN_NT"` | ||
101 | |||
93 | # Check for running ssh/sshd processes first. Refuse to do anything while | 102 | # Check for running ssh/sshd processes first. Refuse to do anything while |
94 | # some ssh processes are still running | 103 | # some ssh processes are still running |
95 | 104 | ||
@@ -98,7 +107,7 @@ then | |||
98 | echo | 107 | echo |
99 | echo "There are still ssh processes running. Please shut them down first." | 108 | echo "There are still ssh processes running. Please shut them down first." |
100 | echo | 109 | echo |
101 | #exit 1 | 110 | exit 1 |
102 | fi | 111 | fi |
103 | 112 | ||
104 | # Check for ${SYSCONFDIR} directory | 113 | # Check for ${SYSCONFDIR} directory |
@@ -126,6 +135,39 @@ then | |||
126 | fi | 135 | fi |
127 | fi | 136 | fi |
128 | 137 | ||
138 | # Create /var/log and /var/log/lastlog if not already existing | ||
139 | |||
140 | if [ -f /var/log ] | ||
141 | then | ||
142 | echo "Creating /var/log failed\!" | ||
143 | else | ||
144 | if [ ! -d /var/log ] | ||
145 | then | ||
146 | mkdir -p /var/log | ||
147 | fi | ||
148 | if [ -d /var/log/lastlog ] | ||
149 | then | ||
150 | echo "Creating /var/log/lastlog failed\!" | ||
151 | elif [ ! -f /var/log/lastlog ] | ||
152 | then | ||
153 | cat /dev/null > /var/log/lastlog | ||
154 | fi | ||
155 | fi | ||
156 | |||
157 | # Create /var/empty file used as chroot jail for privilege separation | ||
158 | if [ -f /var/empty ] | ||
159 | then | ||
160 | echo "Creating /var/empty failed\!" | ||
161 | else | ||
162 | mkdir -p /var/empty | ||
163 | # On NT change ownership of that dir to user "system" | ||
164 | if [ $_nt -gt 0 ] | ||
165 | then | ||
166 | chmod 755 /var/empty | ||
167 | chown system.system /var/empty | ||
168 | fi | ||
169 | fi | ||
170 | |||
129 | # Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't | 171 | # Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't |
130 | # the same as ${PREFIX} | 172 | # the same as ${PREFIX} |
131 | 173 | ||
@@ -219,9 +261,10 @@ if [ ! -f "${SYSCONFDIR}/ssh_config" ] | |||
219 | then | 261 | then |
220 | echo "Generating ${SYSCONFDIR}/ssh_config file" | 262 | echo "Generating ${SYSCONFDIR}/ssh_config file" |
221 | cat > ${SYSCONFDIR}/ssh_config << EOF | 263 | cat > ${SYSCONFDIR}/ssh_config << EOF |
222 | # This is ssh client systemwide configuration file. This file provides | 264 | # This is the ssh client system-wide configuration file. See |
223 | # defaults for users, and the values can be changed in per-user configuration | 265 | # ssh_config(5) for more information. This file provides defaults for |
224 | # files or on the command line. | 266 | # users, and the values can be changed in per-user configuration files |
267 | # or on the command line. | ||
225 | 268 | ||
226 | # Configuration data is parsed as follows: | 269 | # Configuration data is parsed as follows: |
227 | # 1. command line options | 270 | # 1. command line options |
@@ -237,20 +280,19 @@ then | |||
237 | # ForwardAgent no | 280 | # ForwardAgent no |
238 | # ForwardX11 no | 281 | # ForwardX11 no |
239 | # RhostsAuthentication no | 282 | # RhostsAuthentication no |
240 | # RhostsRSAAuthentication yes | 283 | # RhostsRSAAuthentication no |
241 | # RSAAuthentication yes | 284 | # RSAAuthentication yes |
242 | # PasswordAuthentication yes | 285 | # PasswordAuthentication yes |
243 | # FallBackToRsh no | ||
244 | # UseRsh no | ||
245 | # BatchMode no | 286 | # BatchMode no |
246 | # CheckHostIP yes | 287 | # CheckHostIP yes |
247 | # StrictHostKeyChecking yes | 288 | # StrictHostKeyChecking ask |
248 | # IdentityFile ~/.ssh/identity | 289 | # IdentityFile ~/.ssh/identity |
249 | # IdentityFile ~/.ssh/id_dsa | 290 | # IdentityFile ~/.ssh/id_dsa |
250 | # IdentityFile ~/.ssh/id_rsa | 291 | # IdentityFile ~/.ssh/id_rsa |
251 | # Port 22 | 292 | # Port 22 |
252 | # Protocol 2,1 | 293 | # Protocol 2,1 |
253 | # Cipher blowfish | 294 | # Cipher 3des |
295 | # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc | ||
254 | # EscapeChar ~ | 296 | # EscapeChar ~ |
255 | EOF | 297 | EOF |
256 | if [ "$port_number" != "22" ] | 298 | if [ "$port_number" != "22" ] |
@@ -271,17 +313,75 @@ then | |||
271 | then | 313 | then |
272 | echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected." | 314 | echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected." |
273 | fi | 315 | fi |
316 | else | ||
317 | grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes | ||
274 | fi | 318 | fi |
275 | fi | 319 | fi |
276 | 320 | ||
277 | # Create default sshd_config from here script | 321 | # Prior to creating or modifying sshd_config, care for privilege separation |
322 | |||
323 | if [ "$privsep_configured" != "yes" ] | ||
324 | then | ||
325 | if [ $_nt -gt 0 ] | ||
326 | then | ||
327 | echo "Privilege separation is set to yes by default since OpenSSH 3.3." | ||
328 | echo "However, this requires a non-privileged account called 'sshd'." | ||
329 | echo "For more info on privilege separation read /usr/doc/openssh/README.privsep." | ||
330 | echo | ||
331 | if request "Shall privilege separation be used?" | ||
332 | then | ||
333 | privsep_used=yes | ||
334 | grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes | ||
335 | net user sshd >/dev/null 2>&1 && sshd_in_sam=yes | ||
336 | if [ "$sshd_in_passwd" != "yes" ] | ||
337 | then | ||
338 | if [ "$sshd_in_sam" != "yes" ] | ||
339 | then | ||
340 | echo "Warning: The following function requires administrator privileges!" | ||
341 | if request "Shall this script create a local user 'sshd' on this machine?" | ||
342 | then | ||
343 | dos_var_empty=`cygpath -w /var/empty` | ||
344 | net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes | ||
345 | if [ "$sshd_in_sam" != "yes" ] | ||
346 | then | ||
347 | echo "Warning: Creating the user 'sshd' failed!" | ||
348 | fi | ||
349 | fi | ||
350 | fi | ||
351 | if [ "$sshd_in_sam" != "yes" ] | ||
352 | then | ||
353 | echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!" | ||
354 | echo " Privilege separation set to 'no' again!" | ||
355 | echo " Check your ${SYSCONFDIR}/sshd_config file!" | ||
356 | privsep_used=no | ||
357 | else | ||
358 | mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd | ||
359 | fi | ||
360 | fi | ||
361 | else | ||
362 | privsep_used=no | ||
363 | fi | ||
364 | else | ||
365 | # On 9x don't use privilege separation. Since security isn't | ||
366 | # available it just adds useless addtional processes. | ||
367 | privsep_used=no | ||
368 | fi | ||
369 | fi | ||
370 | |||
371 | # Create default sshd_config from here script or modify to add the | ||
372 | # missing privsep configuration option | ||
278 | 373 | ||
279 | if [ ! -f "${SYSCONFDIR}/sshd_config" ] | 374 | if [ ! -f "${SYSCONFDIR}/sshd_config" ] |
280 | then | 375 | then |
281 | echo "Generating ${SYSCONFDIR}/sshd_config file" | 376 | echo "Generating ${SYSCONFDIR}/sshd_config file" |
282 | cat > ${SYSCONFDIR}/sshd_config << EOF | 377 | cat > ${SYSCONFDIR}/sshd_config << EOF |
283 | # This is the sshd server system-wide configuration file. See sshd(8) | 378 | # This is the sshd server system-wide configuration file. See |
284 | # for more information. | 379 | # sshd_config(5) for more information. |
380 | |||
381 | # The strategy used for options in the default sshd_config shipped with | ||
382 | # OpenSSH is to specify options with their default value where | ||
383 | # possible, but leave them commented. Uncommented options change a | ||
384 | # default value. | ||
285 | 385 | ||
286 | Port $port_number | 386 | Port $port_number |
287 | #Protocol 2,1 | 387 | #Protocol 2,1 |
@@ -289,66 +389,77 @@ Port $port_number | |||
289 | #ListenAddress :: | 389 | #ListenAddress :: |
290 | 390 | ||
291 | # HostKey for protocol version 1 | 391 | # HostKey for protocol version 1 |
292 | HostKey /etc/ssh_host_key | 392 | #HostKey ${SYSCONFDIR}/ssh_host_key |
293 | # HostKeys for protocol version 2 | 393 | # HostKeys for protocol version 2 |
294 | HostKey /etc/ssh_host_rsa_key | 394 | #HostKey ${SYSCONFDIR}/ssh_host_rsa_key |
295 | HostKey /etc/ssh_host_dsa_key | 395 | #HostKey ${SYSCONFDIR}/ssh_host_dsa_key |
296 | 396 | ||
297 | # Lifetime and size of ephemeral version 1 server ke | 397 | # Lifetime and size of ephemeral version 1 server ke |
298 | KeyRegenerationInterval 3600 | 398 | #KeyRegenerationInterval 3600 |
299 | ServerKeyBits 768 | 399 | #ServerKeyBits 768 |
300 | 400 | ||
301 | # Logging | 401 | # Logging |
302 | SyslogFacility AUTH | ||
303 | LogLevel INFO | ||
304 | #obsoletes QuietMode and FascistLogging | 402 | #obsoletes QuietMode and FascistLogging |
403 | #SyslogFacility AUTH | ||
404 | #LogLevel INFO | ||
305 | 405 | ||
306 | # Authentication: | 406 | # Authentication: |
307 | 407 | ||
308 | LoginGraceTime 600 | 408 | #LoginGraceTime 600 |
309 | PermitRootLogin yes | 409 | #PermitRootLogin yes |
310 | # The following setting overrides permission checks on host key files | 410 | # The following setting overrides permission checks on host key files |
311 | # and directories. For security reasons set this to "yes" when running | 411 | # and directories. For security reasons set this to "yes" when running |
312 | # NT/W2K, NTFS and CYGWIN=ntsec. | 412 | # NT/W2K, NTFS and CYGWIN=ntsec. |
313 | StrictModes no | 413 | StrictModes no |
314 | 414 | ||
315 | RSAAuthentication yes | 415 | #RSAAuthentication yes |
316 | PubkeyAuthentication yes | 416 | #PubkeyAuthentication yes |
317 | #AuthorizedKeysFile %h/.ssh/authorized_keys | 417 | #AuthorizedKeysFile %h/.ssh/authorized_keys |
318 | 418 | ||
319 | # rhosts authentication should not be used | 419 | # rhosts authentication should not be used |
320 | RhostsAuthentication no | 420 | #RhostsAuthentication no |
321 | # Don't read ~/.rhosts and ~/.shosts files | 421 | # Don't read ~/.rhosts and ~/.shosts files |
322 | IgnoreRhosts yes | 422 | #IgnoreRhosts yes |
323 | # For this to work you will also need host keys in /etc/ssh_known_hosts | 423 | # For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts |
324 | RhostsRSAAuthentication no | 424 | #RhostsRSAAuthentication no |
325 | # similar for protocol version 2 | 425 | # similar for protocol version 2 |
326 | HostbasedAuthentication no | 426 | #HostbasedAuthentication no |
327 | # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication | 427 | # Change to yes if you don't trust ~/.ssh/known_hosts for |
328 | #IgnoreUserKnownHosts yes | 428 | # RhostsRSAAuthentication and HostbasedAuthentication |
429 | #IgnoreUserKnownHosts no | ||
329 | 430 | ||
330 | # To disable tunneled clear text passwords, change to no here! | 431 | # To disable tunneled clear text passwords, change to no here! |
331 | PasswordAuthentication yes | 432 | #PasswordAuthentication yes |
332 | PermitEmptyPasswords no | 433 | #PermitEmptyPasswords no |
333 | 434 | ||
334 | X11Forwarding no | 435 | # Change to no to disable s/key passwords |
335 | X11DisplayOffset 10 | 436 | #ChallengeResponseAuthentication yes |
336 | PrintMotd yes | 437 | |
337 | #PrintLastLog no | 438 | #X11Forwarding no |
338 | KeepAlive yes | 439 | #X11DisplayOffset 10 |
440 | #X11UseLocalhost yes | ||
441 | #PrintMotd yes | ||
442 | #PrintLastLog yes | ||
443 | #KeepAlive yes | ||
339 | #UseLogin no | 444 | #UseLogin no |
445 | UsePrivilegeSeparation $privsep_used | ||
446 | #Compression yes | ||
340 | 447 | ||
341 | #MaxStartups 10:30:60 | 448 | #MaxStartups 10 |
342 | #Banner /etc/issue.net | 449 | # no default banner path |
343 | #ReverseMappingCheck yes | 450 | #Banner /some/path |
451 | #VerifyReverseMapping no | ||
344 | 452 | ||
453 | # override default of no subsystems | ||
345 | Subsystem sftp /usr/sbin/sftp-server | 454 | Subsystem sftp /usr/sbin/sftp-server |
346 | EOF | 455 | EOF |
456 | elif [ "$privsep_configured" != "yes" ] | ||
457 | then | ||
458 | echo >> ${SYSCONFDIR}/sshd_config | ||
459 | echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config | ||
347 | fi | 460 | fi |
348 | 461 | ||
349 | # Care for services file | 462 | # Care for services file |
350 | _sys="`uname -a`" | ||
351 | _nt=`expr "$_sys" : "CYGWIN_NT"` | ||
352 | if [ $_nt -gt 0 ] | 463 | if [ $_nt -gt 0 ] |
353 | then | 464 | then |
354 | _wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services" | 465 | _wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services" |
@@ -403,8 +514,8 @@ umount "${_services}" | |||
403 | umount "${_serv_tmp}" | 514 | umount "${_serv_tmp}" |
404 | 515 | ||
405 | # Care for inetd.conf file | 516 | # Care for inetd.conf file |
406 | _inetcnf="/etc/inetd.conf" | 517 | _inetcnf="${SYSCONFDIR}/inetd.conf" |
407 | _inetcnf_tmp="/etc/inetd.conf.$$" | 518 | _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$" |
408 | 519 | ||
409 | if [ -f "${_inetcnf}" ] | 520 | if [ -f "${_inetcnf}" ] |
410 | then | 521 | then |
@@ -442,25 +553,6 @@ then | |||
442 | fi | 553 | fi |
443 | fi | 554 | fi |
444 | 555 | ||
445 | # Create /var/log and /var/log/lastlog if not already existing | ||
446 | |||
447 | if [ -f /var/log ] | ||
448 | then | ||
449 | echo "Creating /var/log failed\!" | ||
450 | else | ||
451 | if [ ! -d /var/log ] | ||
452 | then | ||
453 | mkdir /var/log | ||
454 | fi | ||
455 | if [ -d /var/log/lastlog ] | ||
456 | then | ||
457 | echo "Creating /var/log/lastlog failed\!" | ||
458 | elif [ ! -f /var/log/lastlog ] | ||
459 | then | ||
460 | cat /dev/null > /var/log/lastlog | ||
461 | fi | ||
462 | fi | ||
463 | |||
464 | # On NT ask if sshd should be installed as service | 556 | # On NT ask if sshd should be installed as service |
465 | if [ $_nt -gt 0 ] | 557 | if [ $_nt -gt 0 ] |
466 | then | 558 | then |
@@ -477,7 +569,7 @@ then | |||
477 | [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty" | 569 | [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty" |
478 | if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" | 570 | if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" |
479 | then | 571 | then |
480 | chown system /etc/ssh* | 572 | chown system ${SYSCONFDIR}/ssh* |
481 | echo | 573 | echo |
482 | echo "The service has been installed under LocalSystem account." | 574 | echo "The service has been installed under LocalSystem account." |
483 | fi | 575 | fi |
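Review bot: `grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config` on new line 317 of the `@@ -271,17 +313,75 @@` hunk also matches a commented-out `#UsePrivilegeSeparation` line, so an existing sshd_config that only carries the option as a comment sets `privsep_configured=yes`, the whole privsep/sshd-account dialogue is skipped, and the `elif` branch on new lines 456–459 appends nothing — sshd then starts with its built-in default without the 'sshd' account ever having been checked. Anchoring the pattern to an active directive, `grep -q '^UsePrivilegeSeparation' ${SYSCONFDIR}/sshd_config && privsep_configured=yes`, avoids that. On new line 358, `mkpasswd -l -u sshd | sed -e 's/bash$/false/'` only replaces a login shell that ends in `bash`; any other shell reported by mkpasswd is written to passwd unchanged, which deserves a comment such as `# replace the login shell so the privsep account cannot log in interactively` and ideally a check of the resulting entry. The `mkdir -p /var/empty` and `chown system.system /var/empty` lines in the `@@ -126,6 +135,39 @@` hunk are also unchecked, so a failed chown leaves the privsep directory owned by the installing user without any message.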
diff --git a/contrib/gnome-ssh-askpass.c b/contrib/gnome-ssh-askpass1.c index 7cece5620..b6b342b84 100644 --- a/contrib/gnome-ssh-askpass.c +++ b/contrib/gnome-ssh-askpass1.c | |||
@@ -38,7 +38,7 @@ | |||
38 | * Compile with: | 38 | * Compile with: |
39 | * | 39 | * |
40 | * cc `gnome-config --cflags gnome gnomeui` \ | 40 | * cc `gnome-config --cflags gnome gnomeui` \ |
41 | * gnome-ssh-askpass.c -o gnome-ssh-askpass \ | 41 | * gnome-ssh-askpass1.c -o gnome-ssh-askpass \ |
42 | * `gnome-config --libs gnome gnomeui` | 42 | * `gnome-config --libs gnome gnomeui` |
43 | * | 43 | * |
44 | */ | 44 | */ |
@@ -64,7 +64,7 @@ report_failed_grab (void) | |||
64 | gnome_dialog_run_and_close(GNOME_DIALOG(err)); | 64 | gnome_dialog_run_and_close(GNOME_DIALOG(err)); |
65 | } | 65 | } |
66 | 66 | ||
67 | void | 67 | int |
68 | passphrase_dialog(char *message) | 68 | passphrase_dialog(char *message) |
69 | { | 69 | { |
70 | char *passphrase; | 70 | char *passphrase; |
@@ -135,7 +135,7 @@ passphrase_dialog(char *message) | |||
135 | gtk_entry_set_text(GTK_ENTRY(entry), passphrase); | 135 | gtk_entry_set_text(GTK_ENTRY(entry), passphrase); |
136 | 136 | ||
137 | gnome_dialog_close(GNOME_DIALOG(dialog)); | 137 | gnome_dialog_close(GNOME_DIALOG(dialog)); |
138 | return; | 138 | return (result == 0 ? 0 : -1); |
139 | 139 | ||
140 | /* At least one grab failed - ungrab what we got, and report | 140 | /* At least one grab failed - ungrab what we got, and report |
141 | the failure to the user. Note that XGrabServer() cannot | 141 | the failure to the user. Note that XGrabServer() cannot |
@@ -148,13 +148,15 @@ passphrase_dialog(char *message) | |||
148 | gnome_dialog_close(GNOME_DIALOG(dialog)); | 148 | gnome_dialog_close(GNOME_DIALOG(dialog)); |
149 | 149 | ||
150 | report_failed_grab(); | 150 | report_failed_grab(); |
151 | return (-1); | ||
151 | } | 152 | } |
152 | 153 | ||
153 | int | 154 | int |
154 | main(int argc, char **argv) | 155 | main(int argc, char **argv) |
155 | { | 156 | { |
156 | char *message; | 157 | char *message; |
157 | 158 | int result; | |
159 | |||
158 | gnome_init("GNOME ssh-askpass", "0.1", argc, argv); | 160 | gnome_init("GNOME ssh-askpass", "0.1", argc, argv); |
159 | 161 | ||
160 | if (argc == 2) | 162 | if (argc == 2) |
@@ -163,6 +165,7 @@ main(int argc, char **argv) | |||
163 | message = "Enter your OpenSSH passphrase:"; | 165 | message = "Enter your OpenSSH passphrase:"; |
164 | 166 | ||
165 | setvbuf(stdout, 0, _IONBF, 0); | 167 | setvbuf(stdout, 0, _IONBF, 0); |
166 | passphrase_dialog(message); | 168 | result = passphrase_dialog(message); |
167 | return 0; | 169 | |
170 | return (result); | ||
168 | } | 171 | } |
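Review bot: The "Compile with" comment in the `@@ -38,7 +38,7 @@` hunk updates the source file name but still says `-o gnome-ssh-askpass`, while the contrib/Makefile added in this commit builds `gnome-ssh-askpass1`; the comment line should read `*  gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \`. `passphrase_dialog` now has a return contract that is not documented: new line 138 returns 0 when `result` is 0 and -1 otherwise, and new line 151 returns -1 after a failed grab, so a comment above the function such as `/* Returns 0 when a passphrase was delivered, -1 on any other outcome */` would help; `result` itself is declared outside the hunk, so its meaning is assumed here. `main` passes that value straight through on new line 170, which means a -1 surfaces as exit status 255; non-zero is what callers of an askpass program need, but if a conventional status is preferred `return (result == 0 ? 0 : 1);` would give it.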
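--- /dev/null
+++ b/contrib/gnome-ssh-askpass2.c
@@ -0,0 +1,204 @@
+/*
+ * Copyright (c) 2000-2002 Damien Miller. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* GTK2 support by Nalin Dahyabhai <nalin@redhat.com> */
+
+/*
+ * This is a simple GNOME SSH passphrase grabber. To use it, set the
+ * environment variable SSH_ASKPASS to point to the location of
+ * gnome-ssh-askpass before calling "ssh-add < /dev/null".
+ *
+ * There is only two run-time options: if you set the environment variable
+ * "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab
+ * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the
+ * pointer will be grabbed too. These may have some benefit to security if
+ * you don't trust your X server. We grab the keyboard always.
+ */
+
+/*
+ * Compile with:
+ *
+ * cc `pkg-config --cflags gtk+-2.0` \
+ *    gnome-ssh-askpass2.c -o gnome-ssh-askpass \
+ *    `pkg-config --libs gtk+-2.0`
+ *
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <X11/Xlib.h>
+#include <gtk/gtk.h>
+#include <gdk/gdkx.h>
+
+static void
+report_failed_grab (const char *what)
+{
+	GtkWidget *err;
+
+	err = gtk_message_dialog_new(NULL, 0,
+	    GTK_MESSAGE_ERROR,
+	    GTK_BUTTONS_CLOSE,
+	    "Could not grab %s. "
+	    "A malicious client may be eavesdropping "
+	    "on your session.", what);
+	gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
+	gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(err))->label),
+	    TRUE);
+
+	gtk_dialog_run(GTK_DIALOG(err));
+
+	gtk_widget_destroy(err);
+}
+
+static void
+ok_dialog(GtkWidget *entry, gpointer dialog)
+{
+	g_return_if_fail(GTK_IS_DIALOG(dialog));
+	gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
+}
+
+static int
+passphrase_dialog(char *message)
+{
+	const char *failed;
+	char *passphrase, *local;
+	char **messages;
+	int result, i, grab_server, grab_pointer;
+	GtkWidget *dialog, *entry, *label;
+	GdkGrabStatus status;
+
+	grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
+	grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL);
+
+	dialog = gtk_message_dialog_new(NULL, 0,
+	    GTK_MESSAGE_QUESTION,
+	    GTK_BUTTONS_OK_CANCEL,
+	    "%s",
+	    message);
+
+	entry = gtk_entry_new();
+	gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE,
+	    FALSE, 0);
+	gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
+	gtk_widget_grab_focus(entry);
+	gtk_widget_show(entry);
+
+	gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
+	gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
+	gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(dialog))->label),
+	    TRUE);
+
+	/* Make <enter> close dialog */
+	gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
+	g_signal_connect(G_OBJECT(entry), "activate",
+	    G_CALLBACK(ok_dialog), dialog);
+
+	/* Grab focus */
+	gtk_widget_show_now(dialog);
+	if (grab_server) {
+		gdk_x11_grab_server();
+	}
+	if (grab_pointer) {
+		status = gdk_pointer_grab((GTK_WIDGET(dialog))->window, TRUE,
+		    0, NULL, NULL, GDK_CURRENT_TIME);
+		if (status != GDK_GRAB_SUCCESS) {
+			failed = "mouse";
+			goto nograb;
+		}
+	}
+	status = gdk_keyboard_grab((GTK_WIDGET(dialog))->window, FALSE,
+	    GDK_CURRENT_TIME);
+	if (status != GDK_GRAB_SUCCESS) {
+		failed = "keyboard";
+		goto nograbkb;
+	}
+	result = gtk_dialog_run(GTK_DIALOG(dialog));
+
+	/* Ungrab */
+	if (grab_server)
+		XUngrabServer(GDK_DISPLAY());
+	if (grab_pointer)
+		gdk_pointer_ungrab(GDK_CURRENT_TIME);
+	gdk_keyboard_ungrab(GDK_CURRENT_TIME);
+	gdk_flush();
+
+	/* Report passphrase if user selected OK */
+	passphrase = g_strdup(gtk_entry_get_text(GTK_ENTRY(entry)));
+	if (result == GTK_RESPONSE_OK) {
+		local = g_locale_from_utf8(passphrase, strlen(passphrase),
+		    NULL, NULL, NULL);
+		if (local != NULL) {
+			puts(local);
+			memset(local, '\0', strlen(local));
+			g_free(local);
+		} else {
+			puts(passphrase);
+		}
+	}
+
+	/* Zero passphrase in memory */
+	memset(passphrase, '\b', strlen(passphrase));
+	gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
+	memset(passphrase, '\0', strlen(passphrase));
+	g_free(passphrase);
+
+	gtk_widget_destroy(dialog);
+	return (result == GTK_RESPONSE_OK ? 0 : -1);
+
+	/* At least one grab failed - ungrab what we got, and report
+	   the failure to the user. Note that XGrabServer() cannot
+	   fail. */
+ nograbkb:
+	gdk_pointer_ungrab(GDK_CURRENT_TIME);
+ nograb:
+	if (grab_server)
+		XUngrabServer(GDK_DISPLAY());
+	gtk_widget_destroy(dialog);
+
+	report_failed_grab(failed);
+
+	return (-1);
+}
+
+int
+main(int argc, char **argv)
+{
+	char *message;
+	int result;
+
+	gtk_init(&argc, &argv);
+
+	if (argc > 1) {
+		message = g_strjoinv(" ", argv + 1);
+	} else {
+		message = g_strdup("Enter your OpenSSH passphrase:");
+	}
+
+	setvbuf(stdout, 0, _IONBF, 0);
+	result = passphrase_dialog(message);
+	g_free(message);
+
+	return (result);
+}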
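Review bot: The scrubbing in passphrase_dialog (`memset(local, '\0', ...)` right before `g_free(local)` at line 154-155, and the two memsets of `passphrase` before `g_free(passphrase)` at lines 162-165) is a store to memory that is never read again, which an optimizing compiler is entitled to drop as a dead store, so the "Zero passphrase in memory" comment promises more than the code guarantees; writing through a volatile pointer, e.g. `volatile char *vp = passphrase; while (*vp) *vp++ = '\0';`, is the portable way to keep the overwrite (the `'\b'` fill that is pushed back into the entry widget does survive, since gtk_entry_set_text reads it). Separately, the header comment documents `GNOME_SSH_ASKPASS_GRAB_SERVER=true` / `GRAB_POINTER=true`, but lines 92-93 only test `getenv(...) != NULL`, so any value, including `false`, enables the grab; the comment should say the variables are checked for presence only. Finally, `messages`, `i` and `label` at lines 87-89 are declared and never used and can be dropped. Note also that when `g_locale_from_utf8` fails the code falls back to emitting the raw UTF-8 bytes (line 157), so the same keystrokes can yield different passphrase bytes depending on the locale; a one-line comment warning about that would help anyone debugging "wrong passphrase" reports with non-ASCII passphrases.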
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index b73fb929f..e7005064d 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec | |||
@@ -1,4 +1,4 @@ | |||
1 | %define ver 3.4p1 | 1 | %define ver 3.5p1 |
2 | %define rel 1 | 2 | %define rel 1 |
3 | 3 | ||
4 | # OpenSSH privilege separation requires a user & group ID | 4 | # OpenSSH privilege separation requires a user & group ID |
@@ -20,6 +20,9 @@ | |||
20 | # Do we want smartcard support (1=yes 0=no) | 20 | # Do we want smartcard support (1=yes 0=no) |
21 | %define scard 0 | 21 | %define scard 0 |
22 | 22 | ||
23 | # Use GTK2 instead of GNOME in gnome-ssh-askpass | ||
24 | %define gtk2 0 | ||
25 | |||
23 | # Is this build for RHL 6.x? | 26 | # Is this build for RHL 6.x? |
24 | %define build6x 0 | 27 | %define build6x 0 |
25 | 28 | ||
@@ -86,7 +89,7 @@ PreReq: initscripts >= 5.20 | |||
86 | %endif | 89 | %endif |
87 | BuildPreReq: perl, openssl-devel, sharutils, tcp_wrappers | 90 | BuildPreReq: perl, openssl-devel, sharutils, tcp_wrappers |
88 | BuildPreReq: /bin/login | 91 | BuildPreReq: /bin/login |
89 | %if %{build6x} | 92 | %if ! %{build6x} |
90 | BuildPreReq: glibc-devel, pam | 93 | BuildPreReq: glibc-devel, pam |
91 | %else | 94 | %else |
92 | BuildPreReq: db1-devel, /usr/include/security/pam_appl.h | 95 | BuildPreReq: db1-devel, /usr/include/security/pam_appl.h |
@@ -95,7 +98,7 @@ BuildPreReq: db1-devel, /usr/include/security/pam_appl.h | |||
95 | BuildPreReq: XFree86-devel | 98 | BuildPreReq: XFree86-devel |
96 | %endif | 99 | %endif |
97 | %if ! %{no_gnome_askpass} | 100 | %if ! %{no_gnome_askpass} |
98 | BuildPreReq: gnome-libs-devel | 101 | BuildPreReq: pkgconfig |
99 | %endif | 102 | %endif |
100 | %if %{kerberos5} | 103 | %if %{kerberos5} |
101 | BuildPreReq: krb5-devel | 104 | BuildPreReq: krb5-devel |
@@ -220,11 +223,23 @@ make | |||
220 | popd | 223 | popd |
221 | %endif | 224 | %endif |
222 | 225 | ||
226 | # Define a variable to toggle gnome1/gtk2 building. This is necessary | ||
227 | # because RPM doesn't handle nested %if statements. | ||
228 | %if %{gtk2} | ||
229 | gtk2=yes | ||
230 | %else | ||
231 | gtk2=no | ||
232 | %endif | ||
233 | |||
223 | %if ! %{no_gnome_askpass} | 234 | %if ! %{no_gnome_askpass} |
224 | pushd contrib | 235 | pushd contrib |
225 | gcc $RPM_OPT_FLAGS `gnome-config --cflags gnome gnomeui` \ | 236 | if [ $gtk2 = yes ] ; then |
226 | gnome-ssh-askpass.c -o gnome-ssh-askpass \ | 237 | make gnome-ssh-askpass2 |
227 | `gnome-config --libs gnome gnomeui` | 238 | mv gnome-ssh-askpass2 gnome-ssh-askpass |
239 | else | ||
240 | make gnome-ssh-askpass1 | ||
241 | mv gnome-ssh-askpass1 gnome-ssh-askpass | ||
242 | fi | ||
228 | popd | 243 | popd |
229 | %endif | 244 | %endif |
230 | 245 | ||
@@ -255,6 +270,10 @@ ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass | |||
255 | install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass | 270 | install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass |
256 | %endif | 271 | %endif |
257 | 272 | ||
273 | %if ! %{scard} | ||
274 | rm -f $RPM_BUILD_ROOT/usr/share/openssh/Ssh.bin | ||
275 | %endif | ||
276 | |||
258 | install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ | 277 | install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ |
259 | install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ | 278 | install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ |
260 | install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ | 279 | install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ |
@@ -338,7 +357,7 @@ fi | |||
338 | %attr(-,root,root) %{_bindir}/slogin | 357 | %attr(-,root,root) %{_bindir}/slogin |
339 | %attr(-,root,root) %{_mandir}/man1/slogin.1* | 358 | %attr(-,root,root) %{_mandir}/man1/slogin.1* |
340 | %if ! %{rescue} | 359 | %if ! %{rescue} |
341 | %attr(0755,root,root) %{_bindir}/ssh-agent | 360 | %attr(2755,root,nobody) %{_bindir}/ssh-agent |
342 | %attr(0755,root,root) %{_bindir}/ssh-add | 361 | %attr(0755,root,root) %{_bindir}/ssh-add |
343 | %attr(0755,root,root) %{_bindir}/ssh-keyscan | 362 | %attr(0755,root,root) %{_bindir}/ssh-keyscan |
344 | %attr(0755,root,root) %{_bindir}/sftp | 363 | %attr(0755,root,root) %{_bindir}/sftp |
@@ -381,6 +400,12 @@ fi | |||
381 | %endif | 400 | %endif |
382 | 401 | ||
383 | %changelog | 402 | %changelog |
403 | * Wed Oct 01 2002 Damien Miller <djm@mindrot.org> | ||
404 | - Install ssh-agent setgid nobody to prevent ptrace() key theft attacks | ||
405 | |||
406 | * Mon Sep 30 2002 Damien Miller <djm@mindrot.org> | ||
407 | - Use contrib/ Makefile for building askpass programs | ||
408 | |||
384 | * Fri Jun 21 2002 Damien Miller <djm@mindrot.org> | 409 | * Fri Jun 21 2002 Damien Miller <djm@mindrot.org> |
385 | - Merge in spec changes from seba@iq.pl (Sebastian Pachuta) | 410 | - Merge in spec changes from seba@iq.pl (Sebastian Pachuta) |
386 | - Add new {ssh,sshd}_config.5 manpages | 411 | - Add new {ssh,sshd}_config.5 manpages |
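Review bot: The new `%attr(2755,root,nobody) %{_bindir}/ssh-agent` line in the %files list carries no comment explaining why the mode differs from every neighbouring 0755 entry, and the only rationale is in the changelog, so a later tidy-up can silently revert it; add above it `# setgid: a set-id process is non-dumpable, so the kernel refuses ptrace() from the user's other processes (prevents agent key theft)`. Whether ssh-agent drops the `nobody` gid after start-up is not visible in this spec, and `nobody` is a group shared with other services on many systems, so the choice over a dedicated group is worth confirming against the ssh-agent source before relying on it. In the %install hunk, `rm -f $RPM_BUILD_ROOT/usr/share/openssh/Ssh.bin` hard-codes /usr/share while the rest of the spec uses macros; `%{_datadir}/openssh/Ssh.bin` would match the file's convention and keep working if the prefix is overridden.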
diff --git a/contrib/solaris/buildpkg.sh b/contrib/solaris/buildpkg.sh index 1be6ed8d1..c41b3f963 100755 --- a/contrib/solaris/buildpkg.sh +++ b/contrib/solaris/buildpkg.sh | |||
@@ -11,13 +11,18 @@ umask 022 | |||
11 | # Options for building the package | 11 | # Options for building the package |
12 | # You can create a config.local with your customized options | 12 | # You can create a config.local with your customized options |
13 | # | 13 | # |
14 | # uncommenting TEST_DIR and using configure--prefix=/var/tmp and | 14 | # uncommenting TEST_DIR and using |
15 | # configure --prefix=/var/tmp --with-privsep-path=/var/tmp/empty | ||
16 | # and | ||
15 | # PKGNAME=tOpenSSH should allow testing a package without interfering | 17 | # PKGNAME=tOpenSSH should allow testing a package without interfering |
16 | # with a real OpenSSH package on a system. | 18 | # with a real OpenSSH package on a system. This is not needed on systems |
19 | # that support the -R option to pkgadd. | ||
17 | #TEST_DIR=/var/tmp # leave commented out for production build | 20 | #TEST_DIR=/var/tmp # leave commented out for production build |
18 | PKGNAME=OpenSSH | 21 | PKGNAME=OpenSSH |
19 | SYSVINIT_NAME=opensshd | 22 | SYSVINIT_NAME=opensshd |
20 | MAKE=${MAKE:="make"} | 23 | MAKE=${MAKE:="make"} |
24 | SSHDUID=67 # Default privsep uid | ||
25 | SSHDGID=67 # Default privsep gid | ||
21 | # uncomment these next two as needed | 26 | # uncomment these next two as needed |
22 | #PERMIT_ROOT_LOGIN=no | 27 | #PERMIT_ROOT_LOGIN=no |
23 | #X11_FORWARDING=yes | 28 | #X11_FORWARDING=yes |
@@ -55,7 +60,7 @@ SYSTEM_DIR="/etc \ | |||
55 | /var/tmp \ | 60 | /var/tmp \ |
56 | /tmp" | 61 | /tmp" |
57 | 62 | ||
58 | # We may need to buiild as root so we make sure PATH is set up | 63 | # We may need to build as root so we make sure PATH is set up |
59 | # only set the path if it's not set already | 64 | # only set the path if it's not set already |
60 | [ -d /usr/local/bin ] && { | 65 | [ -d /usr/local/bin ] && { |
61 | echo $PATH | grep ":/usr/local/bin" > /dev/null 2>&1 | 66 | echo $PATH | grep ":/usr/local/bin" > /dev/null 2>&1 |
@@ -96,6 +101,19 @@ do | |||
96 | eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2` | 101 | eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2` |
97 | done | 102 | done |
98 | 103 | ||
104 | |||
105 | ## Collect value of privsep user | ||
106 | for confvar in SSH_PRIVSEP_USER | ||
107 | do | ||
108 | eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' config.h` | ||
109 | done | ||
110 | |||
111 | ## Set privsep defaults if not defined | ||
112 | if [ -z "$SSH_PRIVSEP_USER" ] | ||
113 | then | ||
114 | SSH_PRIVSEP_USER=sshd | ||
115 | fi | ||
116 | |||
99 | ## Extract common info requires for the 'info' part of the package. | 117 | ## Extract common info requires for the 'info' part of the package. |
100 | VERSION=`./ssh -V 2>&1 | sed -e 's/,.*//'` | 118 | VERSION=`./ssh -V 2>&1 | sed -e 's/,.*//'` |
101 | 119 | ||
@@ -106,7 +124,8 @@ case ${UNAME_S} in | |||
106 | RCS_D=yes | 124 | RCS_D=yes |
107 | DEF_MSG="(default: n)" | 125 | DEF_MSG="(default: n)" |
108 | ;; | 126 | ;; |
109 | *) ARCH=`uname -m` ;; | 127 | *) ARCH=`uname -m` |
128 | DEF_MSG="\n" ;; | ||
110 | esac | 129 | esac |
111 | 130 | ||
112 | ## Setup our run level stuff while we are at it. | 131 | ## Setup our run level stuff while we are at it. |
@@ -171,13 +190,16 @@ echo "Building postinstall file..." | |||
171 | cat > postinstall << _EOF | 190 | cat > postinstall << _EOF |
172 | #! /sbin/sh | 191 | #! /sbin/sh |
173 | # | 192 | # |
174 | [ -f ${sysconfdir}/ssh_config ] || \\ | 193 | [ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config ] || \\ |
175 | cp -p ${sysconfdir}/ssh_config.default ${sysconfdir}/ssh_config | 194 | cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config.default \\ |
176 | [ -f ${sysconfdir}/sshd_config ] || \\ | 195 | \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config |
177 | cp -p ${sysconfdir}/sshd_config.default ${sysconfdir}/sshd_config | 196 | [ -f \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config ] || \\ |
178 | [ -f ${sysconfdir}/ssh_prng_cmds.default ] && { | 197 | cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config.default \\ |
179 | [ -f ${sysconfdir}/ssh_prng_cmds ] || \\ | 198 | \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config |
180 | cp -p ${sysconfdir}/ssh_prng_cmds.default ${sysconfdir}/ssh_prng_cmds | 199 | [ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds.default ] && { |
200 | [ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds ] || \\ | ||
201 | cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds.default \\ | ||
202 | \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds | ||
181 | } | 203 | } |
182 | 204 | ||
183 | # make rc?.d dirs only if we are doing a test install | 205 | # make rc?.d dirs only if we are doing a test install |
@@ -191,23 +213,75 @@ cat > postinstall << _EOF | |||
191 | if [ "\${USE_SYM_LINKS}" = yes ] | 213 | if [ "\${USE_SYM_LINKS}" = yes ] |
192 | then | 214 | then |
193 | [ "$RCS_D" = yes ] && \ | 215 | [ "$RCS_D" = yes ] && \ |
194 | installf ${PKGNAME} $TEST_DIR/etc/rcS.d/K30${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s | 216 | installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/K30${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s |
195 | installf ${PKGNAME} $TEST_DIR/etc/rc0.d/K30${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s | 217 | installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/K30${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s |
196 | installf ${PKGNAME} $TEST_DIR/etc/rc1.d/K30${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s | 218 | installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/K30${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s |
197 | installf ${PKGNAME} $TEST_DIR/etc/rc2.d/S98${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s | 219 | installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/S98${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s |
198 | else | 220 | else |
199 | [ "$RCS_D" = yes ] && \ | 221 | [ "$RCS_D" = yes ] && \ |
200 | installf ${PKGNAME} $TEST_DIR/etc/rcS.d/K30${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l | 222 | installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/K30${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l |
201 | installf ${PKGNAME} $TEST_DIR/etc/rc0.d/K30${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l | 223 | installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/K30${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l |
202 | installf ${PKGNAME} $TEST_DIR/etc/rc1.d/K30${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l | 224 | installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/K30${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l |
203 | installf ${PKGNAME} $TEST_DIR/etc/rc2.d/S98${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l | 225 | installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/S98${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l |
204 | fi | 226 | fi |
205 | 227 | ||
206 | # If piddir doesn't exist we add it. (Ie. --with-pid-dir=/var/opt/ssh) | 228 | # If piddir doesn't exist we add it. (Ie. --with-pid-dir=/var/opt/ssh) |
207 | [ -d $piddir ] || installf ${PKGNAME} $TEST_DIR$piddir d 755 root sys | 229 | [ -d $piddir ] || installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR$piddir d 755 root sys |
208 | 230 | ||
209 | installf -f ${PKGNAME} | 231 | installf -f ${PKGNAME} |
210 | 232 | ||
233 | # Use chroot to handle PKG_INSTALL_ROOT | ||
234 | if [ ! -z "\${PKG_INSTALL_ROOT}" ] | ||
235 | then | ||
236 | chroot="chroot \${PKG_INSTALL_ROOT}" | ||
237 | fi | ||
238 | # If this is a test build, we will skip the groupadd/useradd/passwd commands | ||
239 | if [ ! -z "${TEST_DIR}" ] | ||
240 | then | ||
241 | chroot=echo | ||
242 | fi | ||
243 | |||
244 | if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' \${PKG_INSTALL_ROOT}/$sysconfdir/sshd_config >/dev/null | ||
245 | then | ||
246 | echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user" | ||
247 | echo "or group." | ||
248 | else | ||
249 | echo "UsePrivilegeSeparation enabled in config (or defaulting to on)." | ||
250 | |||
251 | # create group if required | ||
252 | if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null | ||
253 | then | ||
254 | echo "PrivSep group $SSH_PRIVSEP_USER already exists." | ||
255 | else | ||
256 | # Use gid of 67 if possible | ||
257 | if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null | ||
258 | then | ||
259 | : | ||
260 | else | ||
261 | sshdgid="-g $SSHDGID" | ||
262 | fi | ||
263 | echo "Creating PrivSep group $SSH_PRIVSEP_USER." | ||
264 | \$chroot /usr/sbin/groupadd \$sshdgid $SSH_PRIVSEP_USER | ||
265 | fi | ||
266 | |||
267 | # Create user if required | ||
268 | if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null | ||
269 | then | ||
270 | echo "PrivSep user $SSH_PRIVSEP_USER already exists." | ||
271 | else | ||
272 | # Use uid of 67 if possible | ||
273 | if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDGID'\$' >/dev/null | ||
274 | then | ||
275 | : | ||
276 | else | ||
277 | sshduid="-u $SSHDUID" | ||
278 | fi | ||
279 | echo "Creating PrivSep user $SSH_PRIVSEP_USER." | ||
280 | \$chroot /usr/sbin/useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER | ||
281 | \$chroot /usr/bin/passwd -l $SSH_PRIVSEP_USER | ||
282 | fi | ||
283 | fi | ||
284 | |||
211 | [ "\${POST_INS_START}" = "yes" ] && ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start | 285 | [ "\${POST_INS_START}" = "yes" ] && ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start |
212 | exit 0 | 286 | exit 0 |
213 | _EOF | 287 | _EOF |
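Review bot: The "Use uid of 67 if possible" check at new line 273 compares the passwd uid column against `$SSHDGID` instead of `$SSHDUID`, so if the two defaults at lines 24-25 are ever set to different values the script can hand useradd a uid that is already taken, or needlessly fall back to an auto-assigned one; the line should read `if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDUID'\$' >/dev/null`. The `[ \t]` bracket expressions in the sshd_config test at new line 244 (and in the config.h awk at line 108) assume `\t` means a tab inside a bracket expression, which is not portable across egrep/awk implementations; a literal tab character in the pattern is the safe form on older Solaris tools. Also note that `$sysconfdir` is joined to `\${PKG_INSTALL_ROOT}` with an extra `/` at line 244, harmless but inconsistent with the other paths in this heredoc. The postinstall heredoc (`cat > postinstall << _EOF`) opens in an earlier hunk of this section.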
diff --git a/contrib/solaris/opensshd.in b/contrib/solaris/opensshd.in index 212254dc8..e7ca2489f 100755 --- a/contrib/solaris/opensshd.in +++ b/contrib/solaris/opensshd.in | |||
@@ -3,11 +3,8 @@ | |||
3 | # | 3 | # |
4 | # Stripped PRNGd out of it for the time being. | 4 | # Stripped PRNGd out of it for the time being. |
5 | 5 | ||
6 | AWK=/usr/bin/awk | ||
7 | CAT=/usr/bin/cat | 6 | CAT=/usr/bin/cat |
8 | KILL=/usr/bin/kill | 7 | KILL=/usr/bin/kill |
9 | PS=/usr/bin/ps | ||
10 | XARGS=/usr/bin/xargs | ||
11 | 8 | ||
12 | prefix=%%openSSHDir%% | 9 | prefix=%%openSSHDir%% |
13 | etcdir=%%configDir%% | 10 | etcdir=%%configDir%% |
@@ -20,12 +17,6 @@ HOST_KEY_RSA1=$etcdir/ssh_host_key | |||
20 | HOST_KEY_DSA=$etcdir/ssh_host_dsa_key | 17 | HOST_KEY_DSA=$etcdir/ssh_host_dsa_key |
21 | HOST_KEY_RSA=$etcdir/ssh_host_rsa_key | 18 | HOST_KEY_RSA=$etcdir/ssh_host_rsa_key |
22 | 19 | ||
23 | killproc() { | ||
24 | _procname=$1 | ||
25 | _signal=$2 | ||
26 | ${PS} -u root | ${AWK} '/'"$_procname"'$/ {print $1}' | ${XARGS} ${KILL} | ||
27 | } | ||
28 | |||
29 | 20 | ||
30 | checkkeys() { | 21 | checkkeys() { |
31 | if [ ! -f $HOST_KEY_RSA1 ]; then | 22 | if [ ! -f $HOST_KEY_RSA1 ]; then |
@@ -46,8 +37,7 @@ stop_service() { | |||
46 | if [ ${PID:=0} -gt 1 -a ! "X$PID" = "X " ]; then | 37 | if [ ${PID:=0} -gt 1 -a ! "X$PID" = "X " ]; then |
47 | ${KILL} ${PID} | 38 | ${KILL} ${PID} |
48 | else | 39 | else |
49 | echo "Unable to read PID file, killing using alternate method" | 40 | echo "Unable to read PID file" |
50 | killproc sshd TERM | ||
51 | fi | 41 | fi |
52 | } | 42 | } |
53 | 43 | ||
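Review bot: With the killproc fallback removed, a missing or unreadable PID file now leaves any running sshd untouched while `stop_service` still returns 0 (the exit status of the trailing `echo`), so the rc framework and anyone scripting `opensshd stop` see a successful stop; send the diagnostic to stderr and signal failure, `echo "Unable to read PID file" >&2` followed by `return 1`. Dropping the fallback itself looks right, since the removed `ps -u root | awk '/sshd$/'` pipeline (earlier hunk in this section) would also have killed the privsep monitors of every active session, not just the listener. stop_service begins before this hunk, and the `[ ${PID:=0} -gt 1 ... ]` test above it is context, not changed here.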
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 126dac335..3ae1dfc80 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec | |||
@@ -1,6 +1,6 @@ | |||
1 | Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation | 1 | Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation |
2 | Name: openssh | 2 | Name: openssh |
3 | Version: 3.4p1 | 3 | Version: 3.5p1 |
4 | URL: http://www.openssh.com/ | 4 | URL: http://www.openssh.com/ |
5 | Release: 1 | 5 | Release: 1 |
6 | Source0: openssh-%{version}.tar.gz | 6 | Source0: openssh-%{version}.tar.gz |