diff options
| author | Colin Watson <cjwatson@debian.org> | 2007-06-12 16:16:35 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2007-06-12 16:16:35 +0000 |
| commit | b7e40fa9da0b5491534a429dadb321eab5a77558 (patch) | |
| tree | bed1da11e9f829925797aa093e379fc0b5868ecd /contrib | |
| parent | 4f84beedf1005e44ff33c854abd6b711ffc0adb7 (diff) | |
| parent | 086ea76990b1e6287c24b6db74adffd4605eb3b0 (diff) | |
* New upstream release (closes: #395507, #397961, #420035). Important
changes not previously backported to 4.3p2:
- 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4):
+ On portable OpenSSH, fix a GSSAPI authentication abort that could be
used to determine the validity of usernames on some platforms.
+ Implemented conditional configuration in sshd_config(5) using the
"Match" directive. This allows some configuration options to be
selectively overridden if specific criteria (based on user, group,
hostname and/or address) are met. So far a useful subset of
post-authentication options are supported and more are expected to
be added in future releases.
+ Add support for Diffie-Hellman group exchange key agreement with a
final hash of SHA256.
+ Added a "ForceCommand" directive to sshd_config(5). Similar to the
command="..." option accepted in ~/.ssh/authorized_keys, this forces
the execution of the specified command regardless of what the user
requested. This is very useful in conjunction with the new "Match"
option.
+ Add a "PermitOpen" directive to sshd_config(5). This mirrors the
permitopen="..." authorized_keys option, allowing fine-grained
control over the port-forwardings that a user is allowed to
establish.
+ Add optional logging of transactions to sftp-server(8).
+ ssh(1) will now record port numbers for hosts stored in
~/.ssh/known_hosts when a non-standard port has been requested
(closes: #50612).
+ Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a
non-zero exit code) when requested port forwardings could not be
established.
+ Extend sshd_config(5) "SubSystem" declarations to allow the
specification of command-line arguments.
+ Replacement of all integer overflow susceptible invocations of
malloc(3) and realloc(3) with overflow-checking equivalents.
+ Many manpage fixes and improvements.
+ Add optional support for OpenSSL hardware accelerators (engines),
enabled using the --with-ssl-engine configure option.
+ Tokens in configuration files may be double-quoted in order to
contain spaces (closes: #319639).
+ Move a debug() call out of a SIGCHLD handler, fixing a hang when the
session exits very quickly (closes: #307890).
+ Fix some incorrect buffer allocation calculations (closes: #410599).
+ ssh-add doesn't ask for a passphrase if key file permissions are too
liberal (closes: #103677).
+ Likewise, ssh doesn't ask either (closes: #99675).
- 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6):
+ sshd now allows the enabling and disabling of authentication methods
on a per user, group, host and network basis via the Match directive
in sshd_config.
+ Fixed an inconsistent check for a terminal when displaying scp
progress meter (closes: #257524).
+ Fix "hang on exit" when background processes are running at the time
of exit on a ttyful/login session (closes: #88337).
* Update to current GSSAPI patch from
http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch;
install ChangeLog.gssapi.
Diffstat (limited to 'contrib')
| -rwxr-xr-x | contrib/aix/buildbff.sh | 46 | ||||
| -rw-r--r-- | contrib/caldera/openssh.spec | 4 | ||||
| -rw-r--r-- | contrib/cygwin/ssh-host-config | 41 | ||||
| -rw-r--r-- | contrib/findssl.sh | 21 | ||||
| -rw-r--r-- | contrib/redhat/openssh.spec | 2 | ||||
| -rwxr-xr-x | contrib/redhat/sshd.init | 12 | ||||
| -rw-r--r-- | contrib/suse/openssh.spec | 2 |
7 files changed, 78 insertions, 50 deletions
diff --git a/contrib/aix/buildbff.sh b/contrib/aix/buildbff.sh index 09b9c118c..97a7cbbba 100755 --- a/contrib/aix/buildbff.sh +++ b/contrib/aix/buildbff.sh | |||
| @@ -1,7 +1,7 @@ | |||
| 1 | #!/bin/sh | 1 | #!/bin/sh |
| 2 | # | 2 | # |
| 3 | # buildbff.sh: Create AIX SMIT-installable OpenSSH packages | 3 | # buildbff.sh: Create AIX SMIT-installable OpenSSH packages |
| 4 | # $Id: buildbff.sh,v 1.8 2005/03/29 13:24:12 dtucker Exp $ | 4 | # $Id: buildbff.sh,v 1.10 2006/09/10 03:24:19 dtucker Exp $ |
| 5 | # | 5 | # |
| 6 | # Author: Darren Tucker (dtucker at zip dot com dot au) | 6 | # Author: Darren Tucker (dtucker at zip dot com dot au) |
| 7 | # This file is placed in the public domain and comes with absolutely | 7 | # This file is placed in the public domain and comes with absolutely |
| @@ -23,6 +23,8 @@ umask 022 | |||
| 23 | 23 | ||
| 24 | startdir=`pwd` | 24 | startdir=`pwd` |
| 25 | 25 | ||
| 26 | perl -v >/dev/null || (echo perl required; exit 1) | ||
| 27 | |||
| 26 | # Path to inventory.sh: same place as buildbff.sh | 28 | # Path to inventory.sh: same place as buildbff.sh |
| 27 | if echo $0 | egrep '^/' | 29 | if echo $0 | egrep '^/' |
| 28 | then | 30 | then |
| @@ -200,33 +202,29 @@ do | |||
| 200 | done | 202 | done |
| 201 | echo | 203 | echo |
| 202 | 204 | ||
| 203 | # Create PrivSep user if PrivSep not disabled in config | 205 | # Create PrivilegeSeparation user and group if not present |
| 204 | echo Creating PrivSep prereqs if required. | 206 | echo Checking for PrivilegeSeparation user and group. |
| 205 | if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null | 207 | if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null |
| 206 | then | 208 | then |
| 207 | echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user," | 209 | echo "PrivSep group $SSH_PRIVSEP_USER already exists." |
| 208 | echo "group or chroot directory." | ||
| 209 | else | 210 | else |
| 210 | echo "UsePrivilegeSeparation enabled in config (or defaulting to on)." | 211 | echo "Creating PrivSep group $SSH_PRIVSEP_USER." |
| 211 | 212 | mkgroup -A $SSH_PRIVSEP_USER | |
| 212 | # create group if required | 213 | fi |
| 213 | if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null | ||
| 214 | then | ||
| 215 | echo "PrivSep group $SSH_PRIVSEP_USER already exists." | ||
| 216 | else | ||
| 217 | echo "Creating PrivSep group $SSH_PRIVSEP_USER." | ||
| 218 | mkgroup -A $SSH_PRIVSEP_USER | ||
| 219 | fi | ||
| 220 | 214 | ||
| 221 | # Create user if required | 215 | # Create user if required |
| 222 | if lsuser "$SSH_PRIVSEP_USER" >/dev/null | 216 | if lsuser "$SSH_PRIVSEP_USER" >/dev/null |
| 223 | then | 217 | then |
| 224 | echo "PrivSep user $SSH_PRIVSEP_USER already exists." | 218 | echo "PrivSep user $SSH_PRIVSEP_USER already exists." |
| 225 | else | 219 | else |
| 226 | echo "Creating PrivSep user $SSH_PRIVSEP_USER." | 220 | echo "Creating PrivSep user $SSH_PRIVSEP_USER." |
| 227 | mkuser gecos='SSHD PrivSep User' login=false rlogin=false account_locked=true pgrp=$SSH_PRIVSEP_USER $SSH_PRIVSEP_USER | 221 | mkuser gecos='SSHD PrivSep User' login=false rlogin=false account_locked=true pgrp=$SSH_PRIVSEP_USER $SSH_PRIVSEP_USER |
| 228 | fi | 222 | fi |
| 229 | 223 | ||
| 224 | if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null | ||
| 225 | then | ||
| 226 | echo UsePrivilegeSeparation not enabled, privsep directory not required. | ||
| 227 | else | ||
| 230 | # create chroot directory if required | 228 | # create chroot directory if required |
| 231 | if [ -d $PRIVSEP_PATH ] | 229 | if [ -d $PRIVSEP_PATH ] |
| 232 | then | 230 | then |
diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index 09c08f194..3d756eb7f 100644 --- a/contrib/caldera/openssh.spec +++ b/contrib/caldera/openssh.spec | |||
| @@ -17,7 +17,7 @@ | |||
| 17 | #old cvs stuff. please update before use. may be deprecated. | 17 | #old cvs stuff. please update before use. may be deprecated. |
| 18 | %define use_stable 1 | 18 | %define use_stable 1 |
| 19 | %if %{use_stable} | 19 | %if %{use_stable} |
| 20 | %define version 4.3p2 | 20 | %define version 4.6p1 |
| 21 | %define cvs %{nil} | 21 | %define cvs %{nil} |
| 22 | %define release 1 | 22 | %define release 1 |
| 23 | %else | 23 | %else |
| @@ -357,4 +357,4 @@ fi | |||
| 357 | * Mon Jan 01 1998 ... | 357 | * Mon Jan 01 1998 ... |
| 358 | Template Version: 1.31 | 358 | Template Version: 1.31 |
| 359 | 359 | ||
| 360 | $Id: openssh.spec,v 1.56.2.1 2006/02/11 00:00:45 djm Exp $ | 360 | $Id: openssh.spec,v 1.60 2007/03/06 10:23:27 djm Exp $ |
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index 0540890e6..e2ad69f19 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config | |||
| @@ -153,22 +153,31 @@ fi | |||
| 153 | 153 | ||
| 154 | # Create /var/log and /var/log/lastlog if not already existing | 154 | # Create /var/log and /var/log/lastlog if not already existing |
| 155 | 155 | ||
| 156 | if [ -f ${LOCALSTATEDIR}/log ] | 156 | if [ -e ${LOCALSTATEDIR}/log -a ! -d ${LOCALSTATEDIR}/log ] |
| 157 | then | 157 | then |
| 158 | echo "Creating ${LOCALSTATEDIR}/log failed!" | 158 | echo |
| 159 | else | 159 | echo "${LOCALSTATEDIR}/log is existant but not a directory." |
| 160 | if [ ! -d ${LOCALSTATEDIR}/log ] | 160 | echo "Cannot create ssh host configuration." |
| 161 | then | 161 | echo |
| 162 | mkdir -p ${LOCALSTATEDIR}/log | 162 | exit 1 |
| 163 | fi | 163 | fi |
| 164 | if [ -d ${LOCALSTATEDIR}/log/lastlog ] | 164 | if [ ! -e ${LOCALSTATEDIR}/log ] |
| 165 | then | 165 | then |
| 166 | chmod 777 ${LOCALSTATEDIR}/log/lastlog | 166 | mkdir -p ${LOCALSTATEDIR}/log |
| 167 | elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ] | 167 | fi |
| 168 | then | 168 | |
| 169 | cat /dev/null > ${LOCALSTATEDIR}/log/lastlog | 169 | if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] |
| 170 | chmod 666 ${LOCALSTATEDIR}/log/lastlog | 170 | then |
| 171 | fi | 171 | echo |
| 172 | echo "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." | ||
| 173 | echo "Cannot create ssh host configuration." | ||
| 174 | echo | ||
| 175 | exit 1 | ||
| 176 | fi | ||
| 177 | if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] | ||
| 178 | then | ||
| 179 | cat /dev/null > ${LOCALSTATEDIR}/log/lastlog | ||
| 180 | chmod 644 ${LOCALSTATEDIR}/log/lastlog | ||
| 172 | fi | 181 | fi |
| 173 | 182 | ||
| 174 | # Create /var/empty file used as chroot jail for privilege separation | 183 | # Create /var/empty file used as chroot jail for privilege separation |
| @@ -507,6 +516,7 @@ then | |||
| 507 | fi | 516 | fi |
| 508 | editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server && | 517 | editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server && |
| 509 | editrights -a SeCreateTokenPrivilege -u sshd_server && | 518 | editrights -a SeCreateTokenPrivilege -u sshd_server && |
| 519 | editrights -a SeTcbPrivilege -u sshd_server && | ||
| 510 | editrights -a SeDenyInteractiveLogonRight -u sshd_server && | 520 | editrights -a SeDenyInteractiveLogonRight -u sshd_server && |
| 511 | editrights -a SeDenyNetworkLogonRight -u sshd_server && | 521 | editrights -a SeDenyNetworkLogonRight -u sshd_server && |
| 512 | editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server && | 522 | editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server && |
| @@ -578,6 +588,7 @@ then | |||
| 578 | fi | 588 | fi |
| 579 | chown "${_user}" ${SYSCONFDIR}/ssh* | 589 | chown "${_user}" ${SYSCONFDIR}/ssh* |
| 580 | chown "${_user}".544 ${LOCALSTATEDIR}/empty | 590 | chown "${_user}".544 ${LOCALSTATEDIR}/empty |
| 591 | chown "${_user}".544 ${LOCALSTATEDIR}/log/lastlog | ||
| 581 | if [ -f ${LOCALSTATEDIR}/log/sshd.log ] | 592 | if [ -f ${LOCALSTATEDIR}/log/sshd.log ] |
| 582 | then | 593 | then |
| 583 | chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log | 594 | chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log |
diff --git a/contrib/findssl.sh b/contrib/findssl.sh index 716abced5..263fd2644 100644 --- a/contrib/findssl.sh +++ b/contrib/findssl.sh | |||
| @@ -1,6 +1,6 @@ | |||
| 1 | #!/bin/sh | 1 | #!/bin/sh |
| 2 | # | 2 | # |
| 3 | # $Id: findssl.sh,v 1.3 2004/12/13 07:08:33 dtucker Exp $ | 3 | # $Id: findssl.sh,v 1.4 2007/02/19 11:44:25 dtucker Exp $ |
| 4 | # | 4 | # |
| 5 | # findssl.sh | 5 | # findssl.sh |
| 6 | # Search for all instances of OpenSSL headers and libraries | 6 | # Search for all instances of OpenSSL headers and libraries |
| @@ -89,6 +89,25 @@ LD_LIBRARY_PATH=${LD_LIBRARY_PATH:=$DEFAULT_LIBPATH} | |||
| 89 | LIBRARY_PATH=${LIBRARY_PATH:=$DEFAULT_LIBPATH} | 89 | LIBRARY_PATH=${LIBRARY_PATH:=$DEFAULT_LIBPATH} |
| 90 | export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH | 90 | export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH |
| 91 | 91 | ||
| 92 | # not all platforms have a 'which' command | ||
| 93 | if which ls >/dev/null 2>/dev/null; then | ||
| 94 | : which is defined | ||
| 95 | else | ||
| 96 | which () { | ||
| 97 | saveIFS="$IFS" | ||
| 98 | IFS=: | ||
| 99 | for p in $PATH; do | ||
| 100 | if test -x "$p/$1" -a -f "$p/$1"; then | ||
| 101 | IFS="$saveIFS" | ||
| 102 | echo "$p/$1" | ||
| 103 | return 0 | ||
| 104 | fi | ||
| 105 | done | ||
| 106 | IFS="$saveIFS" | ||
| 107 | return 1 | ||
| 108 | } | ||
| 109 | fi | ||
| 110 | |||
| 92 | # | 111 | # |
| 93 | # Search for OpenSSL headers and print versions | 112 | # Search for OpenSSL headers and print versions |
| 94 | # | 113 | # |
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index cbdf7bbc7..08515d2b0 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | %define ver 4.3p2 | 1 | %define ver 4.6p1 |
| 2 | %define rel 1 | 2 | %define rel 1 |
| 3 | 3 | ||
| 4 | # OpenSSH privilege separation requires a user & group ID | 4 | # OpenSSH privilege separation requires a user & group ID |
diff --git a/contrib/redhat/sshd.init b/contrib/redhat/sshd.init index ffa66cd52..e5d837cbc 100755 --- a/contrib/redhat/sshd.init +++ b/contrib/redhat/sshd.init | |||
| @@ -35,8 +35,8 @@ do_rsa1_keygen() { | |||
| 35 | if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then | 35 | if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then |
| 36 | chmod 600 $RSA1_KEY | 36 | chmod 600 $RSA1_KEY |
| 37 | chmod 644 $RSA1_KEY.pub | 37 | chmod 644 $RSA1_KEY.pub |
| 38 | if type restorecon >/dev/null 2>&1; then | 38 | if [ -x /sbin/restorecon ]; then |
| 39 | restorecon $RSA1_KEY.pub | 39 | /sbin/restorecon $RSA1_KEY.pub |
| 40 | fi | 40 | fi |
| 41 | success $"RSA1 key generation" | 41 | success $"RSA1 key generation" |
| 42 | echo | 42 | echo |
| @@ -54,8 +54,8 @@ do_rsa_keygen() { | |||
| 54 | if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then | 54 | if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then |
| 55 | chmod 600 $RSA_KEY | 55 | chmod 600 $RSA_KEY |
| 56 | chmod 644 $RSA_KEY.pub | 56 | chmod 644 $RSA_KEY.pub |
| 57 | if type restorecon >/dev/null 2>&1; then | 57 | if [ -x /sbin/restorecon ]; then |
| 58 | restorecon $RSA_KEY.pub | 58 | /sbin/restorecon $RSA_KEY.pub |
| 59 | fi | 59 | fi |
| 60 | success $"RSA key generation" | 60 | success $"RSA key generation" |
| 61 | echo | 61 | echo |
| @@ -73,8 +73,8 @@ do_dsa_keygen() { | |||
| 73 | if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then | 73 | if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then |
| 74 | chmod 600 $DSA_KEY | 74 | chmod 600 $DSA_KEY |
| 75 | chmod 644 $DSA_KEY.pub | 75 | chmod 644 $DSA_KEY.pub |
| 76 | if type restorecon >/dev/null 2>&1; then | 76 | if [ -x /sbin/restorecon ]; then |
| 77 | restorecon $DSA_KEY.pub | 77 | /sbin/restorecon $DSA_KEY.pub |
| 78 | fi | 78 | fi |
| 79 | success $"DSA key generation" | 79 | success $"DSA key generation" |
| 80 | echo | 80 | echo |
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index b49e78c65..95b394f18 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec | |||
| @@ -13,7 +13,7 @@ | |||
| 13 | 13 | ||
| 14 | Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation | 14 | Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation |
| 15 | Name: openssh | 15 | Name: openssh |
| 16 | Version: 4.3p2 | 16 | Version: 4.6p1 |
| 17 | URL: http://www.openssh.com/ | 17 | URL: http://www.openssh.com/ |
| 18 | Release: 1 | 18 | Release: 1 |
| 19 | Source0: openssh-%{version}.tar.gz | 19 | Source0: openssh-%{version}.tar.gz |