author | Colin Watson <cjwatson@debian.org> | 2010-01-01 23:53:30 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2010-01-01 23:53:30 +0000 |
commit | df03186a4f9e0c2ece398b5c0571cb6263d7a752 (patch) | |
tree | 1aab079441dff9615274769b19f2d734ddf508dd /contrib | |
parent | 6ad6994c288662fca6949f42bf91fec2aff00bca (diff) | |
parent | 99b402ea4c8457b0a3cafff37f5b3410a8dc6476 (diff) |
* New upstream release (closes: #536182). Yes, I know 5.3p1 has been out
for a while, but there's no GSSAPI patch available for it yet.
- Change the default cipher order to prefer the AES CTR modes and the
revised "arcfour256" mode to CBC mode ciphers that are susceptible to
CPNI-957037 "Plaintext Recovery Attack Against SSH".
- Add countermeasures to mitigate CPNI-957037-style attacks against the
SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid
packet length or Message Authentication Code, ssh/sshd will continue
reading up to the maximum supported packet length rather than
immediately terminating the connection. This eliminates most of the
known differences in behaviour that leaked information about the
plaintext of injected data which formed the basis of this attack
(closes: #506115, LP: #379329).
- ForceCommand directive now accepts commandline arguments for the
internal-sftp server (closes: #524423, LP: #362511).
- Add AllowAgentForwarding to available Match keywords list (closes:
#540623).
- Make ssh(1) send the correct channel number for
SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to
avoid triggering 'Non-public channel' error messages on sshd(8) in
openssh-5.1.
- Avoid printing 'Non-public channel' warnings in sshd(8), since the
ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a
behaviour introduced in openssh-5.1; closes: #496017).
* Update to GSSAPI patch from
http://www.sxw.org.uk/computing/patches/openssh-5.2p1-gsskex-all-20090726.patch,
including cascading credentials support (LP: #416958).
Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/caldera/openssh.spec | 8 | ||||
-rwxr-xr-x | contrib/caldera/ssh-host-keygen | 10 | ||||
-rw-r--r-- | contrib/caldera/sshd.pam | 2 | ||||
-rw-r--r-- | contrib/cygwin/Makefile | 4 | ||||
-rw-r--r-- | contrib/cygwin/ssh-host-config | 241 | ||||
-rw-r--r-- | contrib/redhat/openssh.spec | 4 | ||||
-rw-r--r-- | contrib/redhat/sshd.pam | 2 | ||||
-rw-r--r-- | contrib/sshd.pam.generic | 2 | ||||
-rw-r--r-- | contrib/suse/openssh.spec | 4 | ||||
-rw-r--r-- | contrib/suse/rc.sshd | 6 |
10 files changed, 144 insertions, 139 deletions
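--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -17,11 +17,11 @@
 #old cvs stuff. please update before use. may be deprecated.
 %define use_stable 1
 %if %{use_stable}
-%define version 5.1p1
+%define version 5.2p1
 %define cvs %{nil}
 %define release 1
 %else
-%define version 5.1p1
+%define version 5.2p1
 %define cvs cvs20050315
 %define release 0r1
 %endif
@@ -251,7 +251,7 @@ install -m 0755 contrib/caldera/ssh-host-keygen $SKG
 # install remaining docs
 DocD="%{buildroot}%{_defaultdocdir}/%{name}-%{version}"
 mkdir -p $DocD/%{askpass}
-cp -a CREDITS ChangeLog LICENCE OVERVIEW README* TODO $DocD
+cp -a CREDITS ChangeLog LICENCE OVERVIEW README* TODO PROTOCOL* $DocD
 install -p -m 0444 %{SOURCE3} $DocD/faq.html
 cp -a %{askpass}/{README,ChangeLog,TODO,SshAskpass*.ad} $DocD/%{askpass}
 %if %{use_stable}
@@ -358,4 +358,4 @@ fi
 * Mon Jan 01 1998 ...
 Template Version: 1.31
 
-$Id: openssh.spec,v 1.65 2008/07/21 08:21:53 djm Exp $
+$Id: openssh.spec,v 1.66 2009/02/21 07:03:05 djm Exp $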
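--- a/contrib/caldera/ssh-host-keygen
+++ b/contrib/caldera/ssh-host-keygen
@@ -1,6 +1,6 @@
 #! /bin/sh
 #
-# $Id: ssh-host-keygen,v 1.2 2003/11/21 12:48:57 djm Exp $
+# $Id: ssh-host-keygen,v 1.3 2008/11/03 09:16:01 djm Exp $
 #
 # This script is normally run only *once* for a given host
 # (in a given period of time) -- on updates/upgrades/recovery
@@ -15,16 +15,16 @@ if [ -f $keydir/ssh_host_key -o \
 -f $keydir/ssh_host_key.pub ]; then
 echo "You already have an SSH1 RSA host key in $keydir/ssh_host_key."
 else
-echo "Generating 1024 bit SSH1 RSA host key."
-$keygen -b 1024 -t rsa1 -f $keydir/ssh_host_key -C '' -N ''
+echo "Generating SSH1 RSA host key."
+$keygen -t rsa1 -f $keydir/ssh_host_key -C '' -N ''
 fi
 
 if [ -f $keydir/ssh_host_rsa_key -o \
 -f $keydir/ssh_host_rsa_key.pub ]; then
 echo "You already have an SSH2 RSA host key in $keydir/ssh_host_rsa_key."
 else
-echo "Generating 1024 bit SSH2 RSA host key."
-$keygen -b 1024 -t rsa -f $keydir/ssh_host_rsa_key -C '' -N ''
+echo "Generating SSH2 RSA host key."
+$keygen -t rsa -f $keydir/ssh_host_rsa_key -C '' -N ''
 fi
 
 if [ -f $keydir/ssh_host_dsa_key -o \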
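Review bot: The rewritten ssh-keygen invocations on new lines 19 and 27 still pass `$keydir/ssh_host_key` and `$keydir/ssh_host_rsa_key` unquoted, so a key directory whose path contains whitespace is split into several arguments; since the lines are being touched anyway, quote them: `$keygen -t rsa1 -f "$keydir/ssh_host_key" -C '' -N ''` and `$keygen -t rsa -f "$keydir/ssh_host_rsa_key" -C '' -N ''`. Dropping `-b 1024` means the key length now comes from whatever ssh-keygen's default is at run time; the echo text was updated to match, but a one-line comment above the first call would record that this is deliberate, e.g. `# No -b: rely on ssh-keygen's current default key size`. The `if [ ... -o ... ]` tests around the changed lines are unchanged context, and the enclosing sequence continues past the hunk.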
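--- a/contrib/caldera/sshd.pam
+++ b/contrib/caldera/sshd.pam
@@ -1,6 +1,6 @@
 #%PAM-1.0
 auth required /lib/security/pam_pwdb.so shadow nodelay
-auth required /lib/security/pam_nologin.so
+account required /lib/security/pam_nologin.so
 account required /lib/security/pam_pwdb.so
 password required /lib/security/pam_cracklib.so
 password required /lib/security/pam_pwdb.so shadow nullok use_authtok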
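Review bot: Moving pam_nologin from the auth stack to the account stack on line 3 changes when /etc/nologin is enforced, but neither the file nor the commit message records why; presumably the intent is that it is honoured for authentication methods that never run the PAM auth stack (public key, for instance), where sshd still performs PAM account management — worth confirming against sshd's PAM handling before relying on it. A comment above the entry would make the intent survive the next edit, e.g. `# pam_nologin lives in the account stack so /etc/nologin applies regardless of auth method`. The same change is made in contrib/redhat/sshd.pam and contrib/sshd.pam.generic and the same comment applies there.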
diff --git a/contrib/cygwin/Makefile b/contrib/cygwin/Makefile index 3e2d26404..2ebd143dc 100644 --- a/contrib/cygwin/Makefile +++ b/contrib/cygwin/Makefile | |||
@@ -38,11 +38,13 @@ install-sshdoc: | |||
38 | $(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog | 38 | $(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog |
39 | $(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE | 39 | $(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE |
40 | $(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW | 40 | $(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW |
41 | $(INSTALL) -m 644 $(srcdir)/PROTOCOL $(DESTDIR)$(sshdocdir)/PROTOCOL | ||
42 | $(INSTALL) -m 644 $(srcdir)/PROTOCOL.agent $(DESTDIR)$(sshdocdir)/PROTOCOL.agent | ||
41 | $(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README | 43 | $(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README |
42 | $(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns | 44 | $(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns |
45 | $(INSTALL) -m 644 $(srcdir)/README.platform $(DESTDIR)$(sshdocdir)/README.platform | ||
43 | $(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep | 46 | $(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep |
44 | $(INSTALL) -m 644 $(srcdir)/README.smartcard $(DESTDIR)$(sshdocdir)/README.smartcard | 47 | $(INSTALL) -m 644 $(srcdir)/README.smartcard $(DESTDIR)$(sshdocdir)/README.smartcard |
45 | $(INSTALL) -m 644 $(srcdir)/RFC.nroff $(DESTDIR)$(sshdocdir)/RFC.nroff | ||
46 | $(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO | 48 | $(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO |
47 | $(INSTALL) -m 644 $(srcdir)/WARNING.RNG $(DESTDIR)$(sshdocdir)/WARNING.RNG | 49 | $(INSTALL) -m 644 $(srcdir)/WARNING.RNG $(DESTDIR)$(sshdocdir)/WARNING.RNG |
48 | 50 | ||
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index bbb6da4c4..57e728fbc 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config | |||
@@ -25,7 +25,7 @@ source ${CSIH_SCRIPT} | |||
25 | port_number=22 | 25 | port_number=22 |
26 | privsep_configured=no | 26 | privsep_configured=no |
27 | privsep_used=yes | 27 | privsep_used=yes |
28 | cygwin_value="ntsec" | 28 | cygwin_value="" |
29 | password_value= | 29 | password_value= |
30 | 30 | ||
31 | # ====================================================================== | 31 | # ====================================================================== |
@@ -37,13 +37,13 @@ create_host_keys() { | |||
37 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_key" | 37 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_key" |
38 | ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null | 38 | ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null |
39 | fi | 39 | fi |
40 | 40 | ||
41 | if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] | 41 | if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] |
42 | then | 42 | then |
43 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key" | 43 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key" |
44 | ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null | 44 | ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null |
45 | fi | 45 | fi |
46 | 46 | ||
47 | if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] | 47 | if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] |
48 | then | 48 | then |
49 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key" | 49 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key" |
@@ -75,12 +75,12 @@ update_services_file() { | |||
75 | _spaces=" # " | 75 | _spaces=" # " |
76 | fi | 76 | fi |
77 | _serv_tmp="${_my_etcdir}/srv.out.$$" | 77 | _serv_tmp="${_my_etcdir}/srv.out.$$" |
78 | 78 | ||
79 | mount -t -f "${_win_etcdir}" "${_my_etcdir}" | 79 | mount -o text -f "${_win_etcdir}" "${_my_etcdir}" |
80 | 80 | ||
81 | # Depends on the above mount | 81 | # Depends on the above mount |
82 | _wservices=`cygpath -w "${_services}"` | 82 | _wservices=`cygpath -w "${_services}"` |
83 | 83 | ||
84 | # Remove sshd 22/port from services | 84 | # Remove sshd 22/port from services |
85 | if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] | 85 | if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] |
86 | then | 86 | then |
@@ -89,16 +89,16 @@ update_services_file() { | |||
89 | then | 89 | then |
90 | if mv "${_serv_tmp}" "${_services}" | 90 | if mv "${_serv_tmp}" "${_services}" |
91 | then | 91 | then |
92 | csih_inform "Removing sshd from ${_wservices}" | 92 | csih_inform "Removing sshd from ${_wservices}" |
93 | else | 93 | else |
94 | csih_warning "Removing sshd from ${_wservices} failed!" | 94 | csih_warning "Removing sshd from ${_wservices} failed!" |
95 | fi | 95 | fi |
96 | rm -f "${_serv_tmp}" | 96 | rm -f "${_serv_tmp}" |
97 | else | 97 | else |
98 | csih_warning "Removing sshd from ${_wservices} failed!" | 98 | csih_warning "Removing sshd from ${_wservices} failed!" |
99 | fi | 99 | fi |
100 | fi | 100 | fi |
101 | 101 | ||
102 | # Add ssh 22/tcp and ssh 22/udp to services | 102 | # Add ssh 22/tcp and ssh 22/udp to services |
103 | if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] | 103 | if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] |
104 | then | 104 | then |
@@ -106,9 +106,9 @@ update_services_file() { | |||
106 | then | 106 | then |
107 | if mv "${_serv_tmp}" "${_services}" | 107 | if mv "${_serv_tmp}" "${_services}" |
108 | then | 108 | then |
109 | csih_inform "Added ssh to ${_wservices}" | 109 | csih_inform "Added ssh to ${_wservices}" |
110 | else | 110 | else |
111 | csih_warning "Adding ssh to ${_wservices} failed!" | 111 | csih_warning "Adding ssh to ${_wservices} failed!" |
112 | fi | 112 | fi |
113 | rm -f "${_serv_tmp}" | 113 | rm -f "${_serv_tmp}" |
114 | else | 114 | else |
@@ -134,16 +134,16 @@ sshd_privsep() { | |||
134 | csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." | 134 | csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." |
135 | if csih_request "Should privilege separation be used?" | 135 | if csih_request "Should privilege separation be used?" |
136 | then | 136 | then |
137 | privsep_used=yes | 137 | privsep_used=yes |
138 | if ! csih_create_unprivileged_user sshd | 138 | if ! csih_create_unprivileged_user sshd |
139 | then | 139 | then |
140 | csih_warning "Couldn't create user 'sshd'!" | 140 | csih_warning "Couldn't create user 'sshd'!" |
141 | csih_warning "Privilege separation set to 'no' again!" | 141 | csih_warning "Privilege separation set to 'no' again!" |
142 | csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" | 142 | csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" |
143 | privsep_used=no | 143 | privsep_used=no |
144 | fi | 144 | fi |
145 | else | 145 | else |
146 | privsep_used=no | 146 | privsep_used=no |
147 | fi | 147 | fi |
148 | else | 148 | else |
149 | # On 9x don't use privilege separation. Since security isn't | 149 | # On 9x don't use privilege separation. Since security isn't |
@@ -151,7 +151,7 @@ sshd_privsep() { | |||
151 | privsep_used=no | 151 | privsep_used=no |
152 | fi | 152 | fi |
153 | fi | 153 | fi |
154 | 154 | ||
155 | # Create default sshd_config from skeleton files in /etc/defaults/etc or | 155 | # Create default sshd_config from skeleton files in /etc/defaults/etc or |
156 | # modify to add the missing privsep configuration option | 156 | # modify to add the missing privsep configuration option |
157 | if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 | 157 | if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 |
@@ -161,8 +161,8 @@ sshd_privsep() { | |||
161 | sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ | 161 | sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ |
162 | s/^#Port 22/Port ${port_number}/ | 162 | s/^#Port 22/Port ${port_number}/ |
163 | s/^#StrictModes yes/StrictModes no/" \ | 163 | s/^#StrictModes yes/StrictModes no/" \ |
164 | < ${SYSCONFDIR}/sshd_config \ | 164 | < ${SYSCONFDIR}/sshd_config \ |
165 | > "${sshdconfig_tmp}" | 165 | > "${sshdconfig_tmp}" |
166 | mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config | 166 | mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config |
167 | elif [ "${privsep_configured}" != "yes" ] | 167 | elif [ "${privsep_configured}" != "yes" ] |
168 | then | 168 | then |
@@ -193,19 +193,19 @@ update_inetd_conf() { | |||
193 | # will be replaced by a file in inetd.d/ | 193 | # will be replaced by a file in inetd.d/ |
194 | if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] | 194 | if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] |
195 | then | 195 | then |
196 | grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" | 196 | grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" |
197 | if [ -f "${_inetcnf_tmp}" ] | 197 | if [ -f "${_inetcnf_tmp}" ] |
198 | then | 198 | then |
199 | if mv "${_inetcnf_tmp}" "${_inetcnf}" | 199 | if mv "${_inetcnf_tmp}" "${_inetcnf}" |
200 | then | 200 | then |
201 | csih_inform "Removed ssh[d] from ${_inetcnf}" | 201 | csih_inform "Removed ssh[d] from ${_inetcnf}" |
202 | else | 202 | else |
203 | csih_warning "Removing ssh[d] from ${_inetcnf} failed!" | 203 | csih_warning "Removing ssh[d] from ${_inetcnf} failed!" |
204 | fi | 204 | fi |
205 | rm -f "${_inetcnf_tmp}" | 205 | rm -f "${_inetcnf_tmp}" |
206 | else | 206 | else |
207 | csih_warning "Removing ssh[d] from ${_inetcnf} failed!" | 207 | csih_warning "Removing ssh[d] from ${_inetcnf} failed!" |
208 | fi | 208 | fi |
209 | fi | 209 | fi |
210 | fi | 210 | fi |
211 | 211 | ||
@@ -214,13 +214,13 @@ update_inetd_conf() { | |||
214 | then | 214 | then |
215 | if [ "${_with_comment}" -eq 0 ] | 215 | if [ "${_with_comment}" -eq 0 ] |
216 | then | 216 | then |
217 | sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" | 217 | sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" |
218 | else | 218 | else |
219 | sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" | 219 | sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" |
220 | fi | 220 | fi |
221 | mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" | 221 | mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" |
222 | csih_inform "Updated ${_sshd_inetd_conf}" | 222 | csih_inform "Updated ${_sshd_inetd_conf}" |
223 | fi | 223 | fi |
224 | 224 | ||
225 | elif [ -f "${_inetcnf}" ] | 225 | elif [ -f "${_inetcnf}" ] |
226 | then | 226 | then |
@@ -233,26 +233,26 @@ update_inetd_conf() { | |||
233 | grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" | 233 | grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" |
234 | if [ -f "${_inetcnf_tmp}" ] | 234 | if [ -f "${_inetcnf_tmp}" ] |
235 | then | 235 | then |
236 | if mv "${_inetcnf_tmp}" "${_inetcnf}" | 236 | if mv "${_inetcnf_tmp}" "${_inetcnf}" |
237 | then | 237 | then |
238 | csih_inform "Removed sshd from ${_inetcnf}" | 238 | csih_inform "Removed sshd from ${_inetcnf}" |
239 | else | 239 | else |
240 | csih_warning "Removing sshd from ${_inetcnf} failed!" | 240 | csih_warning "Removing sshd from ${_inetcnf} failed!" |
241 | fi | 241 | fi |
242 | rm -f "${_inetcnf_tmp}" | 242 | rm -f "${_inetcnf_tmp}" |
243 | else | 243 | else |
244 | csih_warning "Removing sshd from ${_inetcnf} failed!" | 244 | csih_warning "Removing sshd from ${_inetcnf} failed!" |
245 | fi | 245 | fi |
246 | fi | 246 | fi |
247 | 247 | ||
248 | # Add ssh line to inetd.conf | 248 | # Add ssh line to inetd.conf |
249 | if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] | 249 | if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] |
250 | then | 250 | then |
251 | if [ "${_with_comment}" -eq 0 ] | 251 | if [ "${_with_comment}" -eq 0 ] |
252 | then | 252 | then |
253 | echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" | 253 | echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" |
254 | else | 254 | else |
255 | echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" | 255 | echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" |
256 | fi | 256 | fi |
257 | csih_inform "Added ssh to ${_inetcnf}" | 257 | csih_inform "Added ssh to ${_inetcnf}" |
258 | fi | 258 | fi |
@@ -278,80 +278,83 @@ install_service() { | |||
278 | echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?" | 278 | echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?" |
279 | if csih_request "(Say \"no\" if it is already installed as a service)" | 279 | if csih_request "(Say \"no\" if it is already installed as a service)" |
280 | then | 280 | then |
281 | csih_inform "Note that the CYGWIN variable must contain at least \"ntsec\"" | 281 | csih_get_cygenv "${cygwin_value}" |
282 | csih_inform "for sshd to be able to change user context without password." | 282 | |
283 | csih_get_cygenv "${cygwin_value}" | 283 | if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) |
284 | 284 | then | |
285 | if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) | 285 | csih_inform "On Windows Server 2003, Windows Vista, and above, the" |
286 | then | 286 | csih_inform "SYSTEM account cannot setuid to other users -- a capability" |
287 | csih_inform "On Windows Server 2003, Windows Vista, and above, the" | 287 | csih_inform "sshd requires. You need to have or to create a privileged" |
288 | csih_inform "SYSTEM account cannot setuid to other users -- a capability" | 288 | csih_inform "account. This script will help you do so." |
289 | csih_inform "sshd requires. You need to have or to create a privileged" | 289 | echo |
290 | csih_inform "account. This script will help you do so." | 290 | if ! csih_create_privileged_user "${password_value}" |
291 | echo | 291 | then |
292 | if ! csih_create_privileged_user "${password_value}" | 292 | csih_error_recoverable "There was a serious problem creating a privileged user." |
293 | then | 293 | csih_request "Do you want to proceed anyway?" || exit 1 |
294 | csih_error_recoverable "There was a serious problem creating a privileged user." | 294 | fi |
295 | csih_request "Do you want to proceed anyway?" || exit 1 | 295 | fi |
296 | fi | 296 | |
297 | fi | 297 | # never returns empty if NT or above |
298 | 298 | run_service_as=$(csih_service_should_run_as) | |
299 | # never returns empty if NT or above | 299 | |
300 | run_service_as=$(csih_service_should_run_as) | 300 | if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] |
301 | 301 | then | |
302 | if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] | 302 | password="${csih_PRIVILEGED_PASSWORD}" |
303 | then | 303 | if [ -z "${password}" ] |
304 | password="${csih_PRIVILEGED_PASSWORD}" | 304 | then |
305 | if [ -z "${password}" ] | 305 | csih_get_value "Please enter the password for user '${run_service_as}':" "-s" |
306 | then | 306 | password="${csih_value}" |
307 | csih_get_value "Please enter the password for user '${run_service_as}':" "-s" | 307 | fi |
308 | password="${csih_value}" | 308 | fi |
309 | fi | 309 | |
310 | fi | 310 | # at this point, we either have $run_service_as = "system" and $password is empty, |
311 | 311 | # or $run_service_as is some privileged user and (hopefully) $password contains | |
312 | # at this point, we either have $run_service_as = "system" and $password is empty, | 312 | # the correct password. So, from here out, we use '-z "${password}"' to discriminate |
313 | # or $run_service_as is some privileged user and (hopefully) $password contains | 313 | # the two cases. |
314 | # the correct password. So, from here out, we use '-z "${password}"' to discriminate | 314 | |
315 | # the two cases. | 315 | csih_check_user "${run_service_as}" |
316 | 316 | ||
317 | csih_check_user "${run_service_as}" | 317 | if [ -n "${csih_cygenv}" ] |
318 | 318 | then | |
319 | if [ -z "${password}" ] | 319 | cygwin_env="-e CYGWIN=\"${csih_cygenv}\"" |
320 | then | 320 | fi |
321 | if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \ | 321 | if [ -z "${password}" ] |
322 | -e CYGWIN="${csih_cygenv}" | 322 | then |
323 | then | 323 | if eval cygrunsrv -I sshd -d \"CYGWIN sshd\" -p /usr/sbin/sshd \ |
324 | echo | 324 | -a "-D" -y tcpip ${cygwin_env} |
325 | csih_inform "The sshd service has been installed under the LocalSystem" | 325 | then |
326 | csih_inform "account (also known as SYSTEM). To start the service now, call" | 326 | echo |
327 | csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it" | 327 | csih_inform "The sshd service has been installed under the LocalSystem" |
328 | csih_inform "will start automatically after the next reboot." | 328 | csih_inform "account (also known as SYSTEM). To start the service now, call" |
329 | fi | 329 | csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it" |
330 | else | 330 | csih_inform "will start automatically after the next reboot." |
331 | if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \ | 331 | fi |
332 | -e CYGWIN="${csih_cygenv}" -u "${run_service_as}" -w "${password}" | 332 | else |
333 | then | 333 | if eval cygrunsrv -I sshd -d \"CYGWIN sshd\" -p /usr/sbin/sshd \ |
334 | -a "-D" -y tcpip ${cygwin_env} \ | ||
335 | -u "${run_service_as}" -w "${password}" | ||
336 | then | ||
334 | echo | 337 | echo |
335 | csih_inform "The sshd service has been installed under the '${run_service_as}'" | 338 | csih_inform "The sshd service has been installed under the '${run_service_as}'" |
336 | csih_inform "account. To start the service now, call \`net start sshd' or" | 339 | csih_inform "account. To start the service now, call \`net start sshd' or" |
337 | csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically" | 340 | csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically" |
338 | csih_inform "after the next reboot." | 341 | csih_inform "after the next reboot." |
339 | fi | 342 | fi |
340 | fi | 343 | fi |
341 | 344 | ||
342 | # now, if successfully installed, set ownership of the affected files | 345 | # now, if successfully installed, set ownership of the affected files |
343 | if cygrunsrv -Q sshd >/dev/null 2>&1 | 346 | if cygrunsrv -Q sshd >/dev/null 2>&1 |
344 | then | 347 | then |
345 | chown "${run_service_as}" ${SYSCONFDIR}/ssh* | 348 | chown "${run_service_as}" ${SYSCONFDIR}/ssh* |
346 | chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty | 349 | chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty |
347 | chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog | 350 | chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog |
348 | if [ -f ${LOCALSTATEDIR}/log/sshd.log ] | 351 | if [ -f ${LOCALSTATEDIR}/log/sshd.log ] |
349 | then | 352 | then |
350 | chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log | 353 | chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log |
351 | fi | 354 | fi |
352 | else | 355 | else |
353 | csih_warning "Something went wrong installing the sshd service." | 356 | csih_warning "Something went wrong installing the sshd service." |
354 | fi | 357 | fi |
355 | fi # user allowed us to install as service | 358 | fi # user allowed us to install as service |
356 | fi # service not yet installed | 359 | fi # service not yet installed |
357 | fi # csih_is_nt | 360 | fi # csih_is_nt |
@@ -456,7 +459,7 @@ done | |||
456 | 459 | ||
457 | # Check for running ssh/sshd processes first. Refuse to do anything while | 460 | # Check for running ssh/sshd processes first. Refuse to do anything while |
458 | # some ssh processes are still running | 461 | # some ssh processes are still running |
459 | if ps -ef | grep -v grep | grep -q ssh | 462 | if ps -ef | grep -q '/sshd\?$' |
460 | then | 463 | then |
461 | echo | 464 | echo |
462 | csih_error "There are still ssh processes running. Please shut them down first." | 465 | csih_error "There are still ssh processes running. Please shut them down first." |
@@ -475,9 +478,9 @@ setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" | |||
475 | # Create /var/log/lastlog if not already exists | 478 | # Create /var/log/lastlog if not already exists |
476 | if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] | 479 | if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] |
477 | then | 480 | then |
478 | echo | 481 | echo |
479 | csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \ | 482 | csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \ |
480 | "Cannot create ssh host configuration." | 483 | "Cannot create ssh host configuration." |
481 | fi | 484 | fi |
482 | if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] | 485 | if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] |
483 | then | 486 | then |
@@ -520,7 +523,7 @@ sshd_privsep | |||
520 | 523 | ||
521 | 524 | ||
522 | 525 | ||
523 | update_services_file | 526 | update_services_file |
524 | update_inetd_conf | 527 | update_inetd_conf |
525 | install_service | 528 | install_service |
526 | 529 | ||
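Review bot: The new `eval cygrunsrv ...` invocations (new lines 323-324 and 333-335 of install_service) re-parse `"${password}"` and `"${run_service_as}"` through the shell a second time, so a service-account password containing `$`, a backquote, double quotes or a semicolon is mangled or executed as shell text instead of being handed to cygrunsrv; `${csih_cygenv}` gets the same treatment, since line 319 embeds it with literal quotes in `cygwin_env` precisely so that eval will re-read it. The eval exists only to make the `-e CYGWIN=...` pair optional, which can be done without eval by building those words as positional parameters inside the function (`set -- -e "CYGWIN=${csih_cygenv}"` or `set --`) and passing `"$@"` to a plain cygrunsrv call, as sketched below — this assumes install_service does not use its own positional parameters later, which the hunk does not show. The `-w "${password}"` argument is carried over from the old code and still places the password on the command line where other local processes can read it; that is pre-existing, but a `# NOTE: password is visible on the cygrunsrv command line` comment next to the call would at least make it explicit. install_service starts before this hunk.
```shell
# … unchanged: csih_check_user "${run_service_as}" …
# Build the optional "-e CYGWIN=..." words as positional parameters so the
# command line never has to be re-parsed with eval; "$@" is local to the function.
if [ -n "${csih_cygenv}" ]
then
  set -- -e "CYGWIN=${csih_cygenv}"
else
  set --
fi
if [ -z "${password}" ]
then
  if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip "$@"
  then
    # … unchanged: LocalSystem success messages …
  fi
else
  if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip "$@" \
    -u "${run_service_as}" -w "${password}"
  then
    # … unchanged: privileged-account success messages …
  fi
fi
# … unchanged: ownership fix-up after cygrunsrv -Q sshd …
```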
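--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%define ver 5.1p1
+%define ver 5.2p1
 %define rel 1
 
 # OpenSSH privilege separation requires a user & group ID
@@ -333,7 +333,7 @@ fi
 
 %files
 %defattr(-,root,root)
-%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* RFC* TODO WARNING*
+%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* PROTOCOL* TODO WARNING*
 %attr(0755,root,root) %{_bindir}/scp
 %attr(0644,root,root) %{_mandir}/man1/scp.1*
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh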
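--- a/contrib/redhat/sshd.pam
+++ b/contrib/redhat/sshd.pam
@@ -1,6 +1,6 @@
 #%PAM-1.0
 auth required pam_stack.so service=system-auth
-auth required pam_nologin.so
+account required pam_nologin.so
 account required pam_stack.so service=system-auth
 password required pam_stack.so service=system-auth
 session required pam_stack.so service=system-auth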
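--- a/contrib/sshd.pam.generic
+++ b/contrib/sshd.pam.generic
@@ -1,6 +1,6 @@
 #%PAM-1.0
 auth required /lib/security/pam_unix.so shadow nodelay
-auth required /lib/security/pam_nologin.so
+account required /lib/security/pam_nologin.so
 account required /lib/security/pam_unix.so
 password required /lib/security/pam_cracklib.so
 password required /lib/security/pam_unix.so shadow nullok use_authtok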
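--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -13,7 +13,7 @@
 
 Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name: openssh
-Version: 5.1p1
+Version: 5.2p1
 URL: http://www.openssh.com/
 Release: 1
 Source0: openssh-%{version}.tar.gz
@@ -200,7 +200,7 @@ fi
 
 %files
 %defattr(-,root,root)
-%doc ChangeLog OVERVIEW README*
+%doc ChangeLog OVERVIEW README* PROTOCOL*
 %doc TODO CREDITS LICENCE
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config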
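--- a/contrib/suse/rc.sshd
+++ b/contrib/suse/rc.sshd
@@ -45,17 +45,17 @@ case "$1" in
 start)
 if ! test -f /etc/ssh/ssh_host_key ; then
 echo Generating /etc/ssh/ssh_host_key.
-ssh-keygen -t rsa1 -b 1024 -f /etc/ssh/ssh_host_key -N ''
+ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ''
 fi
 if ! test -f /etc/ssh/ssh_host_dsa_key ; then
 echo Generating /etc/ssh/ssh_host_dsa_key.
 
-ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N ''
+ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
 fi
 if ! test -f /etc/ssh/ssh_host_rsa_key ; then
 echo Generating /etc/ssh/ssh_host_rsa_key.
 
-ssh-keygen -t rsa -b 1024 -f /etc/ssh/ssh_host_rsa_key -N ''
+ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
 fi
 echo -n "Starting SSH daemon"
 ## Start daemon with startproc(8). If this fails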