authorColin Watson <cjwatson@debian.org>2010-01-01 23:53:30 +0000
committerColin Watson <cjwatson@debian.org>2010-01-01 23:53:30 +0000
commitdf03186a4f9e0c2ece398b5c0571cb6263d7a752 (patch)
tree1aab079441dff9615274769b19f2d734ddf508dd /contrib
parent6ad6994c288662fca6949f42bf91fec2aff00bca (diff)
parent99b402ea4c8457b0a3cafff37f5b3410a8dc6476 (diff)
* New upstream release (closes: #536182). Yes, I know 5.3p1 has been out
for a while, but there's no GSSAPI patch available for it yet. - Change the default cipher order to prefer the AES CTR modes and the revised "arcfour256" mode to CBC mode ciphers that are susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH". - Add countermeasures to mitigate CPNI-957037-style attacks against the SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid packet length or Message Authentication Code, ssh/sshd will continue reading up to the maximum supported packet length rather than immediately terminating the connection. This eliminates most of the known differences in behaviour that leaked information about the plaintext of injected data which formed the basis of this attack (closes: #506115, LP: #379329). - ForceCommand directive now accepts commandline arguments for the internal-sftp server (closes: #524423, LP: #362511). - Add AllowAgentForwarding to available Match keywords list (closes: #540623). - Make ssh(1) send the correct channel number for SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to avoid triggering 'Non-public channel' error messages on sshd(8) in openssh-5.1. - Avoid printing 'Non-public channel' warnings in sshd(8), since the ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a behaviour introduced in openssh-5.1; closes: #496017). * Update to GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-5.2p1-gsskex-all-20090726.patch, including cascading credentials support (LP: #416958).
Diffstat (limited to 'contrib')
-rw-r--r--contrib/caldera/openssh.spec8
-rwxr-xr-xcontrib/caldera/ssh-host-keygen10
-rw-r--r--contrib/caldera/sshd.pam2
-rw-r--r--contrib/cygwin/Makefile4
-rw-r--r--contrib/cygwin/ssh-host-config241
-rw-r--r--contrib/redhat/openssh.spec4
-rw-r--r--contrib/redhat/sshd.pam2
-rw-r--r--contrib/sshd.pam.generic2
-rw-r--r--contrib/suse/openssh.spec4
-rw-r--r--contrib/suse/rc.sshd6
10 files changed, 144 insertions, 139 deletions
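--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -17,11 +17,11 @@
 #old cvs stuff. please update before use. may be deprecated.
 %define use_stable 1
 %if %{use_stable}
- %define version 5.1p1
+ %define version 5.2p1
  %define cvs %{nil}
  %define release 1
 %else
- %define version 5.1p1
+ %define version 5.2p1
  %define cvs cvs20050315
  %define release 0r1
 %endif
@@ -251,7 +251,7 @@ install -m 0755 contrib/caldera/ssh-host-keygen $SKG
 # install remaining docs
 DocD="%{buildroot}%{_defaultdocdir}/%{name}-%{version}"
 mkdir -p $DocD/%{askpass}
-cp -a CREDITS ChangeLog LICENCE OVERVIEW README* TODO $DocD
+cp -a CREDITS ChangeLog LICENCE OVERVIEW README* TODO PROTOCOL* $DocD
 install -p -m 0444 %{SOURCE3} $DocD/faq.html
 cp -a %{askpass}/{README,ChangeLog,TODO,SshAskpass*.ad} $DocD/%{askpass}
 %if %{use_stable}
@@ -358,4 +358,4 @@ fi
 * Mon Jan 01 1998 ...
 Template Version: 1.31
 
-$Id: openssh.spec,v 1.65 2008/07/21 08:21:53 djm Exp $
+$Id: openssh.spec,v 1.66 2009/02/21 07:03:05 djm Exp $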
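--- a/contrib/caldera/ssh-host-keygen
+++ b/contrib/caldera/ssh-host-keygen
@@ -1,6 +1,6 @@
 #! /bin/sh
 #
-# $Id: ssh-host-keygen,v 1.2 2003/11/21 12:48:57 djm Exp $
+# $Id: ssh-host-keygen,v 1.3 2008/11/03 09:16:01 djm Exp $
 #
 # This script is normally run only *once* for a given host
 # (in a given period of time) -- on updates/upgrades/recovery
@@ -15,16 +15,16 @@ if [ -f $keydir/ssh_host_key -o \
  -f $keydir/ssh_host_key.pub ]; then
  echo "You already have an SSH1 RSA host key in $keydir/ssh_host_key."
 else
- echo "Generating 1024 bit SSH1 RSA host key."
- $keygen -b 1024 -t rsa1 -f $keydir/ssh_host_key -C '' -N ''
+ echo "Generating SSH1 RSA host key."
+ $keygen -t rsa1 -f $keydir/ssh_host_key -C '' -N ''
 fi
 
 if [ -f $keydir/ssh_host_rsa_key -o \
  -f $keydir/ssh_host_rsa_key.pub ]; then
  echo "You already have an SSH2 RSA host key in $keydir/ssh_host_rsa_key."
 else
- echo "Generating 1024 bit SSH2 RSA host key."
- $keygen -b 1024 -t rsa -f $keydir/ssh_host_rsa_key -C '' -N ''
+ echo "Generating SSH2 RSA host key."
+ $keygen -t rsa -f $keydir/ssh_host_rsa_key -C '' -N ''
 fi
 
 if [ -f $keydir/ssh_host_dsa_key -o \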
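Review bot: Neither of the new `$keygen` invocations (new lines 19 and 27) checks its exit status, so a failed key generation prints nothing of its own and the script falls through to the next key as if it had succeeded. Append `|| exit 1` to each call, e.g. `$keygen -t rsa -f "$keydir/ssh_host_rsa_key" -C '' -N '' || exit 1`, which also quotes `$keydir` against word splitting. The intent of dropping `-b 1024` — deferring to ssh-keygen's own default size — deserves a one-line comment above the first `if`, such as `# no -b: let ssh-keygen choose its current default key size`, so the fixed size is not reintroduced later. The first `if` block starts before this hunk.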
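--- a/contrib/caldera/sshd.pam
+++ b/contrib/caldera/sshd.pam
@@ -1,6 +1,6 @@
 #%PAM-1.0
 auth required /lib/security/pam_pwdb.so shadow nodelay
-auth required /lib/security/pam_nologin.so
+account required /lib/security/pam_nologin.so
 account required /lib/security/pam_pwdb.so
 password required /lib/security/pam_cracklib.so
 password required /lib/security/pam_pwdb.so shadow nullok use_authtok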
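Review bot: The move of pam_nologin.so from the auth stack to the account stack on line 3 carries no comment explaining why, and the same change is made in contrib/redhat/sshd.pam and contrib/sshd.pam.generic. As an account module it is presumably consulted for every authentication method, including public-key logins that never run the auth stack, so /etc/nologin is honoured consistently — that is worth recording, since a reader comparing with older stacks may move it back. Suggested comment above line 3: `# pam_nologin in the account stack so /etc/nologin applies to every auth method, not only password`.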
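--- a/contrib/cygwin/Makefile
+++ b/contrib/cygwin/Makefile
@@ -38,11 +38,13 @@ install-sshdoc:
  $(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog
  $(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE
  $(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW
+ $(INSTALL) -m 644 $(srcdir)/PROTOCOL $(DESTDIR)$(sshdocdir)/PROTOCOL
+ $(INSTALL) -m 644 $(srcdir)/PROTOCOL.agent $(DESTDIR)$(sshdocdir)/PROTOCOL.agent
  $(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README
  $(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns
+ $(INSTALL) -m 644 $(srcdir)/README.platform $(DESTDIR)$(sshdocdir)/README.platform
  $(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep
  $(INSTALL) -m 644 $(srcdir)/README.smartcard $(DESTDIR)$(sshdocdir)/README.smartcard
- $(INSTALL) -m 644 $(srcdir)/RFC.nroff $(DESTDIR)$(sshdocdir)/RFC.nroff
  $(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO
  $(INSTALL) -m 644 $(srcdir)/WARNING.RNG $(DESTDIR)$(sshdocdir)/WARNING.RNG
 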
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index bbb6da4c4..57e728fbc 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -25,7 +25,7 @@ source ${CSIH_SCRIPT}
25port_number=22 25port_number=22
26privsep_configured=no 26privsep_configured=no
27privsep_used=yes 27privsep_used=yes
28cygwin_value="ntsec" 28cygwin_value=""
29password_value= 29password_value=
30 30
31# ====================================================================== 31# ======================================================================
@@ -37,13 +37,13 @@ create_host_keys() {
37 csih_inform "Generating ${SYSCONFDIR}/ssh_host_key" 37 csih_inform "Generating ${SYSCONFDIR}/ssh_host_key"
38 ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null 38 ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
39 fi 39 fi
40 40
41 if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] 41 if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
42 then 42 then
43 csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key" 43 csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
44 ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null 44 ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
45 fi 45 fi
46 46
47 if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] 47 if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
48 then 48 then
49 csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key" 49 csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
@@ -75,12 +75,12 @@ update_services_file() {
75 _spaces=" # " 75 _spaces=" # "
76 fi 76 fi
77 _serv_tmp="${_my_etcdir}/srv.out.$$" 77 _serv_tmp="${_my_etcdir}/srv.out.$$"
78 78
79 mount -t -f "${_win_etcdir}" "${_my_etcdir}" 79 mount -o text -f "${_win_etcdir}" "${_my_etcdir}"
80 80
81 # Depends on the above mount 81 # Depends on the above mount
82 _wservices=`cygpath -w "${_services}"` 82 _wservices=`cygpath -w "${_services}"`
83 83
84 # Remove sshd 22/port from services 84 # Remove sshd 22/port from services
85 if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] 85 if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
86 then 86 then
@@ -89,16 +89,16 @@ update_services_file() {
89 then 89 then
90 if mv "${_serv_tmp}" "${_services}" 90 if mv "${_serv_tmp}" "${_services}"
91 then 91 then
92 csih_inform "Removing sshd from ${_wservices}" 92 csih_inform "Removing sshd from ${_wservices}"
93 else 93 else
94 csih_warning "Removing sshd from ${_wservices} failed!" 94 csih_warning "Removing sshd from ${_wservices} failed!"
95 fi 95 fi
96 rm -f "${_serv_tmp}" 96 rm -f "${_serv_tmp}"
97 else 97 else
98 csih_warning "Removing sshd from ${_wservices} failed!" 98 csih_warning "Removing sshd from ${_wservices} failed!"
99 fi 99 fi
100 fi 100 fi
101 101
102 # Add ssh 22/tcp and ssh 22/udp to services 102 # Add ssh 22/tcp and ssh 22/udp to services
103 if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] 103 if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
104 then 104 then
@@ -106,9 +106,9 @@ update_services_file() {
106 then 106 then
107 if mv "${_serv_tmp}" "${_services}" 107 if mv "${_serv_tmp}" "${_services}"
108 then 108 then
109 csih_inform "Added ssh to ${_wservices}" 109 csih_inform "Added ssh to ${_wservices}"
110 else 110 else
111 csih_warning "Adding ssh to ${_wservices} failed!" 111 csih_warning "Adding ssh to ${_wservices} failed!"
112 fi 112 fi
113 rm -f "${_serv_tmp}" 113 rm -f "${_serv_tmp}"
114 else 114 else
@@ -134,16 +134,16 @@ sshd_privsep() {
134 csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." 134 csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
135 if csih_request "Should privilege separation be used?" 135 if csih_request "Should privilege separation be used?"
136 then 136 then
137 privsep_used=yes 137 privsep_used=yes
138 if ! csih_create_unprivileged_user sshd 138 if ! csih_create_unprivileged_user sshd
139 then 139 then
140 csih_warning "Couldn't create user 'sshd'!" 140 csih_warning "Couldn't create user 'sshd'!"
141 csih_warning "Privilege separation set to 'no' again!" 141 csih_warning "Privilege separation set to 'no' again!"
142 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" 142 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
143 privsep_used=no 143 privsep_used=no
144 fi 144 fi
145 else 145 else
146 privsep_used=no 146 privsep_used=no
147 fi 147 fi
148 else 148 else
149 # On 9x don't use privilege separation. Since security isn't 149 # On 9x don't use privilege separation. Since security isn't
@@ -151,7 +151,7 @@ sshd_privsep() {
151 privsep_used=no 151 privsep_used=no
152 fi 152 fi
153 fi 153 fi
154 154
155 # Create default sshd_config from skeleton files in /etc/defaults/etc or 155 # Create default sshd_config from skeleton files in /etc/defaults/etc or
156 # modify to add the missing privsep configuration option 156 # modify to add the missing privsep configuration option
157 if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 157 if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
@@ -161,8 +161,8 @@ sshd_privsep() {
161 sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ 161 sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
162 s/^#Port 22/Port ${port_number}/ 162 s/^#Port 22/Port ${port_number}/
163 s/^#StrictModes yes/StrictModes no/" \ 163 s/^#StrictModes yes/StrictModes no/" \
164 < ${SYSCONFDIR}/sshd_config \ 164 < ${SYSCONFDIR}/sshd_config \
165 > "${sshdconfig_tmp}" 165 > "${sshdconfig_tmp}"
166 mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config 166 mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
167 elif [ "${privsep_configured}" != "yes" ] 167 elif [ "${privsep_configured}" != "yes" ]
168 then 168 then
@@ -193,19 +193,19 @@ update_inetd_conf() {
193 # will be replaced by a file in inetd.d/ 193 # will be replaced by a file in inetd.d/
194 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] 194 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
195 then 195 then
196 grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" 196 grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
197 if [ -f "${_inetcnf_tmp}" ] 197 if [ -f "${_inetcnf_tmp}" ]
198 then 198 then
199 if mv "${_inetcnf_tmp}" "${_inetcnf}" 199 if mv "${_inetcnf_tmp}" "${_inetcnf}"
200 then 200 then
201 csih_inform "Removed ssh[d] from ${_inetcnf}" 201 csih_inform "Removed ssh[d] from ${_inetcnf}"
202 else 202 else
203 csih_warning "Removing ssh[d] from ${_inetcnf} failed!" 203 csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
204 fi 204 fi
205 rm -f "${_inetcnf_tmp}" 205 rm -f "${_inetcnf_tmp}"
206 else 206 else
207 csih_warning "Removing ssh[d] from ${_inetcnf} failed!" 207 csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
208 fi 208 fi
209 fi 209 fi
210 fi 210 fi
211 211
@@ -214,13 +214,13 @@ update_inetd_conf() {
214 then 214 then
215 if [ "${_with_comment}" -eq 0 ] 215 if [ "${_with_comment}" -eq 0 ]
216 then 216 then
217 sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" 217 sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
218 else 218 else
219 sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" 219 sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
220 fi 220 fi
221 mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" 221 mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
222 csih_inform "Updated ${_sshd_inetd_conf}" 222 csih_inform "Updated ${_sshd_inetd_conf}"
223 fi 223 fi
224 224
225 elif [ -f "${_inetcnf}" ] 225 elif [ -f "${_inetcnf}" ]
226 then 226 then
@@ -233,26 +233,26 @@ update_inetd_conf() {
233 grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" 233 grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
234 if [ -f "${_inetcnf_tmp}" ] 234 if [ -f "${_inetcnf_tmp}" ]
235 then 235 then
236 if mv "${_inetcnf_tmp}" "${_inetcnf}" 236 if mv "${_inetcnf_tmp}" "${_inetcnf}"
237 then 237 then
238 csih_inform "Removed sshd from ${_inetcnf}" 238 csih_inform "Removed sshd from ${_inetcnf}"
239 else 239 else
240 csih_warning "Removing sshd from ${_inetcnf} failed!" 240 csih_warning "Removing sshd from ${_inetcnf} failed!"
241 fi 241 fi
242 rm -f "${_inetcnf_tmp}" 242 rm -f "${_inetcnf_tmp}"
243 else 243 else
244 csih_warning "Removing sshd from ${_inetcnf} failed!" 244 csih_warning "Removing sshd from ${_inetcnf} failed!"
245 fi 245 fi
246 fi 246 fi
247 247
248 # Add ssh line to inetd.conf 248 # Add ssh line to inetd.conf
249 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] 249 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
250 then 250 then
251 if [ "${_with_comment}" -eq 0 ] 251 if [ "${_with_comment}" -eq 0 ]
252 then 252 then
253 echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" 253 echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
254 else 254 else
255 echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" 255 echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
256 fi 256 fi
257 csih_inform "Added ssh to ${_inetcnf}" 257 csih_inform "Added ssh to ${_inetcnf}"
258 fi 258 fi
@@ -278,80 +278,83 @@ install_service() {
278 echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?" 278 echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
279 if csih_request "(Say \"no\" if it is already installed as a service)" 279 if csih_request "(Say \"no\" if it is already installed as a service)"
280 then 280 then
281 csih_inform "Note that the CYGWIN variable must contain at least \"ntsec\"" 281 csih_get_cygenv "${cygwin_value}"
282 csih_inform "for sshd to be able to change user context without password." 282
283 csih_get_cygenv "${cygwin_value}" 283 if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
284 284 then
285 if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) 285 csih_inform "On Windows Server 2003, Windows Vista, and above, the"
286 then 286 csih_inform "SYSTEM account cannot setuid to other users -- a capability"
287 csih_inform "On Windows Server 2003, Windows Vista, and above, the" 287 csih_inform "sshd requires. You need to have or to create a privileged"
288 csih_inform "SYSTEM account cannot setuid to other users -- a capability" 288 csih_inform "account. This script will help you do so."
289 csih_inform "sshd requires. You need to have or to create a privileged" 289 echo
290 csih_inform "account. This script will help you do so." 290 if ! csih_create_privileged_user "${password_value}"
291 echo 291 then
292 if ! csih_create_privileged_user "${password_value}" 292 csih_error_recoverable "There was a serious problem creating a privileged user."
293 then 293 csih_request "Do you want to proceed anyway?" || exit 1
294 csih_error_recoverable "There was a serious problem creating a privileged user." 294 fi
295 csih_request "Do you want to proceed anyway?" || exit 1 295 fi
296 fi 296
297 fi 297 # never returns empty if NT or above
298 298 run_service_as=$(csih_service_should_run_as)
299 # never returns empty if NT or above 299
300 run_service_as=$(csih_service_should_run_as) 300 if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
301 301 then
302 if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] 302 password="${csih_PRIVILEGED_PASSWORD}"
303 then 303 if [ -z "${password}" ]
304 password="${csih_PRIVILEGED_PASSWORD}" 304 then
305 if [ -z "${password}" ] 305 csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
306 then 306 password="${csih_value}"
307 csih_get_value "Please enter the password for user '${run_service_as}':" "-s" 307 fi
308 password="${csih_value}" 308 fi
309 fi 309
310 fi 310 # at this point, we either have $run_service_as = "system" and $password is empty,
311 311 # or $run_service_as is some privileged user and (hopefully) $password contains
312 # at this point, we either have $run_service_as = "system" and $password is empty, 312 # the correct password. So, from here out, we use '-z "${password}"' to discriminate
313 # or $run_service_as is some privileged user and (hopefully) $password contains 313 # the two cases.
314 # the correct password. So, from here out, we use '-z "${password}"' to discriminate 314
315 # the two cases. 315 csih_check_user "${run_service_as}"
316 316
317 csih_check_user "${run_service_as}" 317 if [ -n "${csih_cygenv}" ]
318 318 then
319 if [ -z "${password}" ] 319 cygwin_env="-e CYGWIN=\"${csih_cygenv}\""
320 then 320 fi
321 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \ 321 if [ -z "${password}" ]
322 -e CYGWIN="${csih_cygenv}" 322 then
323 then 323 if eval cygrunsrv -I sshd -d \"CYGWIN sshd\" -p /usr/sbin/sshd \
324 echo 324 -a "-D" -y tcpip ${cygwin_env}
325 csih_inform "The sshd service has been installed under the LocalSystem" 325 then
326 csih_inform "account (also known as SYSTEM). To start the service now, call" 326 echo
327 csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it" 327 csih_inform "The sshd service has been installed under the LocalSystem"
328 csih_inform "will start automatically after the next reboot." 328 csih_inform "account (also known as SYSTEM). To start the service now, call"
329 fi 329 csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
330 else 330 csih_inform "will start automatically after the next reboot."
331 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \ 331 fi
332 -e CYGWIN="${csih_cygenv}" -u "${run_service_as}" -w "${password}" 332 else
333 then 333 if eval cygrunsrv -I sshd -d \"CYGWIN sshd\" -p /usr/sbin/sshd \
334 -a "-D" -y tcpip ${cygwin_env} \
335 -u "${run_service_as}" -w "${password}"
336 then
334 echo 337 echo
335 csih_inform "The sshd service has been installed under the '${run_service_as}'" 338 csih_inform "The sshd service has been installed under the '${run_service_as}'"
336 csih_inform "account. To start the service now, call \`net start sshd' or" 339 csih_inform "account. To start the service now, call \`net start sshd' or"
337 csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically" 340 csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically"
338 csih_inform "after the next reboot." 341 csih_inform "after the next reboot."
339 fi 342 fi
340 fi 343 fi
341 344
342 # now, if successfully installed, set ownership of the affected files 345 # now, if successfully installed, set ownership of the affected files
343 if cygrunsrv -Q sshd >/dev/null 2>&1 346 if cygrunsrv -Q sshd >/dev/null 2>&1
344 then 347 then
345 chown "${run_service_as}" ${SYSCONFDIR}/ssh* 348 chown "${run_service_as}" ${SYSCONFDIR}/ssh*
346 chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty 349 chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty
347 chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog 350 chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog
348 if [ -f ${LOCALSTATEDIR}/log/sshd.log ] 351 if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
349 then 352 then
350 chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log 353 chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log
351 fi 354 fi
352 else 355 else
353 csih_warning "Something went wrong installing the sshd service." 356 csih_warning "Something went wrong installing the sshd service."
354 fi 357 fi
355 fi # user allowed us to install as service 358 fi # user allowed us to install as service
356 fi # service not yet installed 359 fi # service not yet installed
357 fi # csih_is_nt 360 fi # csih_is_nt
@@ -456,7 +459,7 @@ done
456 459
457# Check for running ssh/sshd processes first. Refuse to do anything while 460# Check for running ssh/sshd processes first. Refuse to do anything while
458# some ssh processes are still running 461# some ssh processes are still running
459if ps -ef | grep -v grep | grep -q ssh 462if ps -ef | grep -q '/sshd\?$'
460then 463then
461 echo 464 echo
462 csih_error "There are still ssh processes running. Please shut them down first." 465 csih_error "There are still ssh processes running. Please shut them down first."
@@ -475,9 +478,9 @@ setfacl -m u:system:rwx "${LOCALSTATEDIR}/log"
475# Create /var/log/lastlog if not already exists 478# Create /var/log/lastlog if not already exists
476if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] 479if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
477then 480then
478 echo 481 echo
479 csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \ 482 csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \
480 "Cannot create ssh host configuration." 483 "Cannot create ssh host configuration."
481fi 484fi
482if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] 485if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
483then 486then
@@ -520,7 +523,7 @@ sshd_privsep
520 523
521 524
522 525
523update_services_file 526update_services_file
524update_inetd_conf 527update_inetd_conf
525install_service 528install_service
526 529
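Review bot: In install_service (new lines 317-335) both cygrunsrv calls are now run through `eval`, so `-w "${password}"` and the `-e CYGWIN=\"...\"` value are re-parsed by the shell: a password or CYGWIN value containing a double quote, `$`, backtick or `;` either breaks the command or is executed as shell code, whereas the previous direct invocation passed it verbatim. The eval only exists to omit the `-e` option when `csih_cygenv` is empty; a bash array does that without re-parsing (the script already relies on `$(...)` and `source`, so bash is assumed — confirm against the shebang, which is outside the hunk). Passing the password on the command line at all predates this change and stays visible in the process table; that is a separate, pre-existing caveat. install_service starts before the hunk; the rewrite below replaces the `cygwin_env` assignment and both cygrunsrv invocations.
```shell
  if [ -n "${csih_cygenv}" ]
  then
    cygwin_env=(-e "CYGWIN=${csih_cygenv}")
  else
    cygwin_env=()
  fi
  if [ -z "${password}" ]
  then
    if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
      -a "-D" -y tcpip "${cygwin_env[@]}"
    then
      # … unchanged: LocalSystem install messages …
    fi
  else
    if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
      -a "-D" -y tcpip "${cygwin_env[@]}" \
      -u "${run_service_as}" -w "${password}"
    then
      # … unchanged: privileged-user install messages …
    fi
  fi
```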
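--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%define ver 5.1p1
+%define ver 5.2p1
 %define rel 1
 
 # OpenSSH privilege separation requires a user & group ID
@@ -333,7 +333,7 @@ fi
 
 %files
 %defattr(-,root,root)
-%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* RFC* TODO WARNING*
+%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* PROTOCOL* TODO WARNING*
 %attr(0755,root,root) %{_bindir}/scp
 %attr(0644,root,root) %{_mandir}/man1/scp.1*
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh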
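--- a/contrib/redhat/sshd.pam
+++ b/contrib/redhat/sshd.pam
@@ -1,6 +1,6 @@
 #%PAM-1.0
 auth required pam_stack.so service=system-auth
-auth required pam_nologin.so
+account required pam_nologin.so
 account required pam_stack.so service=system-auth
 password required pam_stack.so service=system-auth
 session required pam_stack.so service=system-auth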
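--- a/contrib/sshd.pam.generic
+++ b/contrib/sshd.pam.generic
@@ -1,6 +1,6 @@
 #%PAM-1.0
 auth required /lib/security/pam_unix.so shadow nodelay
-auth required /lib/security/pam_nologin.so
+account required /lib/security/pam_nologin.so
 account required /lib/security/pam_unix.so
 password required /lib/security/pam_cracklib.so
 password required /lib/security/pam_unix.so shadow nullok use_authtok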
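--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -13,7 +13,7 @@
 
 Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name: openssh
-Version: 5.1p1
+Version: 5.2p1
 URL: http://www.openssh.com/
 Release: 1
 Source0: openssh-%{version}.tar.gz
@@ -200,7 +200,7 @@ fi
 
 %files
 %defattr(-,root,root)
-%doc ChangeLog OVERVIEW README*
+%doc ChangeLog OVERVIEW README* PROTOCOL*
 %doc TODO CREDITS LICENCE
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config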
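--- a/contrib/suse/rc.sshd
+++ b/contrib/suse/rc.sshd
@@ -45,17 +45,17 @@ case "$1" in
  start)
  if ! test -f /etc/ssh/ssh_host_key ; then
  echo Generating /etc/ssh/ssh_host_key.
- ssh-keygen -t rsa1 -b 1024 -f /etc/ssh/ssh_host_key -N ''
+ ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ''
  fi
  if ! test -f /etc/ssh/ssh_host_dsa_key ; then
  echo Generating /etc/ssh/ssh_host_dsa_key.
 
- ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N ''
+ ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
  fi
  if ! test -f /etc/ssh/ssh_host_rsa_key ; then
  echo Generating /etc/ssh/ssh_host_rsa_key.
 
- ssh-keygen -t rsa -b 1024 -f /etc/ssh/ssh_host_rsa_key -N ''
+ ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
  fi
  echo -n "Starting SSH daemon"
  ## Start daemon with startproc(8). If this fails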
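Review bot: The three ssh-keygen calls on new lines 48, 53 and 58 now rely on ssh-keygen's built-in default key size, but nothing in the script records that dropping `-b 1024` is deliberate, so a later edit may reintroduce the fixed size. A comment above the first `test`, `# no -b: let ssh-keygen choose its current default key size`, would capture the intent. The calls' exit status is also unchecked, so a failed generation falls straight through to "Starting SSH daemon"; `ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N '' || exit 1` on each call would stop early while the real error is still on screen. The `case` statement enclosing this `start)` branch begins before the hunk.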