* New upstream release (http://www.openssh.com/txt/release-6.2).

- Add support for multiple required authentication in SSH protocol 2 via an AuthenticationMethods option (closes: #195716). - Fix Sophie Germain formula in moduli(5) (closes: #698612). - Update ssh-copy-id to Phil Hands' greatly revised version (closes: #99785, #322228, #620428; LP: #518883, #835901, #1074798).
author: Colin Watson <cjwatson@debian.org> 2013-05-07 11:47:26 +0100
committer: Colin Watson <cjwatson@debian.org> 2013-05-07 11:47:26 +0100
commit: 2ea3f720daeb1ca9f765365fce3a9546961fe624 (patch)
tree: c4fb7d1f51fa51e7677232de806aae150e29e2ac /debian/patches/selinux-role.patch
parent: f5efcd3450bbf8261915e0c4a6f851229dddaa79 (diff)
parent: ecebda56da46a03dafff923d91c382f31faa9eec (diff)
1 files changed, 28 insertions, 28 deletions
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 80fe3247b..f2f8fcd21 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -5,7 +5,7 @@ Description: Handle SELinux authorisation roles
 Author: Manoj Srivastava <srivasta@debian.org>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
 Bug-Debian: http://bugs.debian.org/394795
-Last-Update: 2010-02-27
+Last-Update: 2013-05-07
 Index: b/auth.h
 ===================================================================
@@ -23,7 +23,7 @@ Index: b/auth1.c
 ===================================================================
 --- a/auth1.c
 +++ b/auth1.c
-@@ -383,7 +383,7 @@
+@@ -385,7 +385,7 @@
 do_authentication(Authctxt *authctxt)
 {
        u_int ulen;
@@ -32,7 +32,7 @@ Index: b/auth1.c
 
        /* Get the name of the user that we wish to log in as. */
        packet_read_expect(SSH_CMSG_USER);
-@@ -392,11 +392,17 @@
+@@ -394,11 +394,17 @@
        user = packet_get_cstring(&ulen);
        packet_check_eom();
 
@@ -54,7 +54,7 @@ Index: b/auth2.c
 ===================================================================
 --- a/auth2.c
 +++ b/auth2.c
-@@ -217,7 +217,7 @@
+@@ -219,7 +219,7 @@
 {
        Authctxt *authctxt = ctxt;
        Authmethod *m = NULL;
@@ -63,7 +63,7 @@ Index: b/auth2.c
        int authenticated = 0;
 
        if (authctxt == NULL)
-@@ -229,8 +229,13 @@
+@@ -231,8 +231,13 @@
        debug("userauth-request for user %s service %s method %s", user, service, method);
        debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
 
@@ -77,7 +77,7 @@ Index: b/auth2.c
 
        if (authctxt->attempt++ == 0) {
                /* setup auth context */
-@@ -254,8 +259,9 @@
+@@ -256,8 +261,9 @@
                    use_privsep ? " [net]" : "");
                authctxt->service = xstrdup(service);
                authctxt->style = style ? xstrdup(style) : NULL;
@@ -86,8 +86,8 @@ Index: b/auth2.c
 -                       mm_inform_authserv(service, style);
 +                       mm_inform_authserv(service, style, role);
                userauth_banner();
-        } else if (strcmp(user, authctxt->user) != 0 ||
+                if (auth2_setup_methods_lists(authctxt) != 0)
-            strcmp(service, authctxt->service) != 0) {
+                        packet_disconnect("no authentication methods enabled");
 Index: b/monitor.c
 ===================================================================
 --- a/monitor.c
@@ -100,7 +100,7 @@ Index: b/monitor.c
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
-@@ -225,6 +226,7 @@
+@@ -226,6 +227,7 @@
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -108,7 +108,7 @@ Index: b/monitor.c
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
-@@ -808,6 +810,7 @@
+@@ -837,6 +839,7 @@
        else {
                /* Allow service/style information on the auth context */
                monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -116,7 +116,7 @@ Index: b/monitor.c
                monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
        }
 #ifdef USE_PAM
-@@ -840,14 +843,37 @@
+@@ -869,14 +872,37 @@
 
        authctxt->service = buffer_get_string(m, NULL);
        authctxt->style = buffer_get_string(m, NULL);
@@ -156,7 +156,7 @@ Index: b/monitor.c
        return (0);
 }
 
-@@ -1435,7 +1461,7 @@
+@@ -1471,7 +1497,7 @@
        res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
        if (res == 0)
                goto error;
@@ -169,15 +169,15 @@ Index: b/monitor.h
 ===================================================================
 --- a/monitor.h
 +++ b/monitor.h
-@@ -30,7 +30,7 @@
+@@ -73,6 +73,8 @@
- 
+        MONITOR_REQ_GSSSIGN = 200, MONITOR_ANS_GSSSIGN = 201,
- enum monitor_reqtype {
+        MONITOR_REQ_GSSUPCREDS = 202, MONITOR_ANS_GSSUPCREDS = 203,
-        MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
+ 
-       MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+       MONITOR_REQ_AUTHROLE = 300,
-+       MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_AUTHROLE,
+
-        MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
+ };
-        MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
+ 
-        MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
+ struct mm_master;
 Index: b/monitor_wrap.c
 ===================================================================
 --- a/monitor_wrap.c
@@ -369,12 +369,12 @@ Index: b/platform.h
 +void platform_setusercontext_post_groups(struct passwd *, const char *);
 char *platform_get_krb5_client(const char *);
 char *platform_krb5_get_principal_name(const char *);
- 
+ int platform_sys_dir_uid(uid_t);
 Index: b/session.c
 ===================================================================
 --- a/session.c
 +++ b/session.c
-@@ -1471,7 +1471,7 @@
+@@ -1474,7 +1474,7 @@
 
 /* Set login name, uid, gid, and groups. */
 void
@@ -383,7 +383,7 @@ Index: b/session.c
 {
        char *chroot_path, *tmp;
 
-@@ -1499,7 +1499,7 @@
+@@ -1502,7 +1502,7 @@
                endgrent();
 #endif
 
@@ -392,7 +392,7 @@ Index: b/session.c
 
                if (options.chroot_directory != NULL &&
                    strcasecmp(options.chroot_directory, "none") != 0) {
-@@ -1625,7 +1625,7 @@
+@@ -1633,7 +1633,7 @@
 
        /* Force a password change */
        if (s->authctxt->force_pwchange) {
@@ -401,7 +401,7 @@ Index: b/session.c
                child_close_fds();
                do_pwchange(s);
                exit(1);
-@@ -1652,7 +1652,7 @@
+@@ -1660,7 +1660,7 @@
                /* When PAM is enabled we rely on it to do the nologin check */
                if (!options.use_pam)
                        do_nologin(pw);
@@ -410,7 +410,7 @@ Index: b/session.c
                /*
                 * PAM session modules in do_setusercontext may have
                 * generated messages, so if this in an interactive
-@@ -2064,7 +2064,7 @@
+@@ -2072,7 +2072,7 @@
        tty_parse_modes(s->ttyfd, &n_bytes);
 
        if (!use_privsep)
@@ -436,7 +436,7 @@ Index: b/sshd.c
 ===================================================================
 --- a/sshd.c
 +++ b/sshd.c
-@@ -736,7 +736,7 @@
+@@ -745,7 +745,7 @@
        RAND_seed(rnd, sizeof(rnd));
 
        /* Drop privileges */
author	Colin Watson <cjwatson@debian.org>	2013-05-07 11:47:26 +0100
committer	Colin Watson <cjwatson@debian.org>	2013-05-07 11:47:26 +0100
commit	2ea3f720daeb1ca9f765365fce3a9546961fe624 (patch)
tree	c4fb7d1f51fa51e7677232de806aae150e29e2ac /debian/patches/selinux-role.patch
parent	f5efcd3450bbf8261915e0c4a6f851229dddaa79 (diff)
parent	ecebda56da46a03dafff923d91c382f31faa9eec (diff)

diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index 80fe3247b..f2f8fcd21 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch
@@ -5,7 +5,7 @@ Description: Handle SELinux authorisation roles
5	Author: Manoj Srivastava <srivasta@debian.org>	5	Author: Manoj Srivastava <srivasta@debian.org>
6	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641	6	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
7	Bug-Debian: http://bugs.debian.org/394795	7	Bug-Debian: http://bugs.debian.org/394795
8	Last-Update: 2010-02-27	8	Last-Update: 2013-05-07
9		9
10	Index: b/auth.h	10	Index: b/auth.h
11	===================================================================	11	===================================================================
@@ -23,7 +23,7 @@ Index: b/auth1.c
23	===================================================================	23	===================================================================
24	--- a/auth1.c	24	--- a/auth1.c
25	+++ b/auth1.c	25	+++ b/auth1.c
26	@@ -383,7 +383,7 @@	26	@@ -385,7 +385,7 @@
27	do_authentication(Authctxt *authctxt)	27	do_authentication(Authctxt *authctxt)
28	{	28	{
29	u_int ulen;	29	u_int ulen;
@@ -32,7 +32,7 @@ Index: b/auth1.c
32		32
33	/* Get the name of the user that we wish to log in as. */	33	/* Get the name of the user that we wish to log in as. */
34	packet_read_expect(SSH_CMSG_USER);	34	packet_read_expect(SSH_CMSG_USER);
35	@@ -392,11 +392,17 @@	35	@@ -394,11 +394,17 @@
36	user = packet_get_cstring(&ulen);	36	user = packet_get_cstring(&ulen);
37	packet_check_eom();	37	packet_check_eom();
38		38
@@ -54,7 +54,7 @@ Index: b/auth2.c
54	===================================================================	54	===================================================================
55	--- a/auth2.c	55	--- a/auth2.c
56	+++ b/auth2.c	56	+++ b/auth2.c
57	@@ -217,7 +217,7 @@	57	@@ -219,7 +219,7 @@
58	{	58	{
59	Authctxt *authctxt = ctxt;	59	Authctxt *authctxt = ctxt;
60	Authmethod *m = NULL;	60	Authmethod *m = NULL;
@@ -63,7 +63,7 @@ Index: b/auth2.c
63	int authenticated = 0;	63	int authenticated = 0;
64		64
65	if (authctxt == NULL)	65	if (authctxt == NULL)
66	@@ -229,8 +229,13 @@	66	@@ -231,8 +231,13 @@
67	debug("userauth-request for user %s service %s method %s", user, service, method);	67	debug("userauth-request for user %s service %s method %s", user, service, method);
68	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);	68	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
69		69
@@ -77,7 +77,7 @@ Index: b/auth2.c
77		77
78	if (authctxt->attempt++ == 0) {	78	if (authctxt->attempt++ == 0) {
79	/* setup auth context */	79	/* setup auth context */
80	@@ -254,8 +259,9 @@	80	@@ -256,8 +261,9 @@
81	use_privsep ? " [net]" : "");	81	use_privsep ? " [net]" : "");
82	authctxt->service = xstrdup(service);	82	authctxt->service = xstrdup(service);
83	authctxt->style = style ? xstrdup(style) : NULL;	83	authctxt->style = style ? xstrdup(style) : NULL;
@@ -86,8 +86,8 @@ Index: b/auth2.c
86	- mm_inform_authserv(service, style);	86	- mm_inform_authserv(service, style);
87	+ mm_inform_authserv(service, style, role);	87	+ mm_inform_authserv(service, style, role);
88	userauth_banner();	88	userauth_banner();
89	} else if (strcmp(user, authctxt->user) != 0 \|\|	89	if (auth2_setup_methods_lists(authctxt) != 0)
90	strcmp(service, authctxt->service) != 0) {	90	packet_disconnect("no authentication methods enabled");
91	Index: b/monitor.c	91	Index: b/monitor.c
92	===================================================================	92	===================================================================
93	--- a/monitor.c	93	--- a/monitor.c
@@ -100,7 +100,7 @@ Index: b/monitor.c
100	int mm_answer_authpassword(int, Buffer *);	100	int mm_answer_authpassword(int, Buffer *);
101	int mm_answer_bsdauthquery(int, Buffer *);	101	int mm_answer_bsdauthquery(int, Buffer *);
102	int mm_answer_bsdauthrespond(int, Buffer *);	102	int mm_answer_bsdauthrespond(int, Buffer *);
103	@@ -225,6 +226,7 @@	103	@@ -226,6 +227,7 @@
104	{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},	104	{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
105	{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},	105	{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
106	{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},	106	{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -108,7 +108,7 @@ Index: b/monitor.c
108	{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},	108	{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
109	{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},	109	{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
110	#ifdef USE_PAM	110	#ifdef USE_PAM
111	@@ -808,6 +810,7 @@	111	@@ -837,6 +839,7 @@
112	else {	112	else {
113	/* Allow service/style information on the auth context */	113	/* Allow service/style information on the auth context */
114	monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);	114	monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -116,7 +116,7 @@ Index: b/monitor.c
116	monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);	116	monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
117	}	117	}
118	#ifdef USE_PAM	118	#ifdef USE_PAM
119	@@ -840,14 +843,37 @@	119	@@ -869,14 +872,37 @@
120		120
121	authctxt->service = buffer_get_string(m, NULL);	121	authctxt->service = buffer_get_string(m, NULL);
122	authctxt->style = buffer_get_string(m, NULL);	122	authctxt->style = buffer_get_string(m, NULL);
@@ -156,7 +156,7 @@ Index: b/monitor.c
156	return (0);	156	return (0);
157	}	157	}
158		158
159	@@ -1435,7 +1461,7 @@	159	@@ -1471,7 +1497,7 @@
160	res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));	160	res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
161	if (res == 0)	161	if (res == 0)
162	goto error;	162	goto error;
@@ -169,15 +169,15 @@ Index: b/monitor.h
169	===================================================================	169	===================================================================
170	--- a/monitor.h	170	--- a/monitor.h
171	+++ b/monitor.h	171	+++ b/monitor.h
172	@@ -30,7 +30,7 @@	172	@@ -73,6 +73,8 @@
173		173	MONITOR_REQ_GSSSIGN = 200, MONITOR_ANS_GSSSIGN = 201,
174	enum monitor_reqtype {	174	MONITOR_REQ_GSSUPCREDS = 202, MONITOR_ANS_GSSUPCREDS = 203,
175	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,	175
176	- MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,	176	+ MONITOR_REQ_AUTHROLE = 300,
177	+ MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_AUTHROLE,	177	+
178	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,	178	};
179	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,	179
180	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,	180	struct mm_master;
181	Index: b/monitor_wrap.c	181	Index: b/monitor_wrap.c
182	===================================================================	182	===================================================================
183	--- a/monitor_wrap.c	183	--- a/monitor_wrap.c
@@ -369,12 +369,12 @@ Index: b/platform.h
369	+void platform_setusercontext_post_groups(struct passwd , const char );	369	+void platform_setusercontext_post_groups(struct passwd , const char );
370	char platform_get_krb5_client(const char );	370	char platform_get_krb5_client(const char );
371	char platform_krb5_get_principal_name(const char );	371	char platform_krb5_get_principal_name(const char );
372		372	int platform_sys_dir_uid(uid_t);
373	Index: b/session.c	373	Index: b/session.c
374	===================================================================	374	===================================================================
375	--- a/session.c	375	--- a/session.c
376	+++ b/session.c	376	+++ b/session.c
377	@@ -1471,7 +1471,7 @@	377	@@ -1474,7 +1474,7 @@
378		378
379	/* Set login name, uid, gid, and groups. */	379	/* Set login name, uid, gid, and groups. */
380	void	380	void
@@ -383,7 +383,7 @@ Index: b/session.c
383	{	383	{
384	char chroot_path, tmp;	384	char chroot_path, tmp;
385		385
386	@@ -1499,7 +1499,7 @@	386	@@ -1502,7 +1502,7 @@
387	endgrent();	387	endgrent();
388	#endif	388	#endif
389		389
@@ -392,7 +392,7 @@ Index: b/session.c
392		392
393	if (options.chroot_directory != NULL &&	393	if (options.chroot_directory != NULL &&
394	strcasecmp(options.chroot_directory, "none") != 0) {	394	strcasecmp(options.chroot_directory, "none") != 0) {
395	@@ -1625,7 +1625,7 @@	395	@@ -1633,7 +1633,7 @@
396		396
397	/* Force a password change */	397	/* Force a password change */
398	if (s->authctxt->force_pwchange) {	398	if (s->authctxt->force_pwchange) {
@@ -401,7 +401,7 @@ Index: b/session.c
401	child_close_fds();	401	child_close_fds();
402	do_pwchange(s);	402	do_pwchange(s);
403	exit(1);	403	exit(1);
404	@@ -1652,7 +1652,7 @@	404	@@ -1660,7 +1660,7 @@
405	/* When PAM is enabled we rely on it to do the nologin check */	405	/* When PAM is enabled we rely on it to do the nologin check */
406	if (!options.use_pam)	406	if (!options.use_pam)
407	do_nologin(pw);	407	do_nologin(pw);
@@ -410,7 +410,7 @@ Index: b/session.c
410	/*	410	/*
411	* PAM session modules in do_setusercontext may have	411	* PAM session modules in do_setusercontext may have
412	* generated messages, so if this in an interactive	412	* generated messages, so if this in an interactive
413	@@ -2064,7 +2064,7 @@	413	@@ -2072,7 +2072,7 @@
414	tty_parse_modes(s->ttyfd, &n_bytes);	414	tty_parse_modes(s->ttyfd, &n_bytes);
415		415
416	if (!use_privsep)	416	if (!use_privsep)
@@ -436,7 +436,7 @@ Index: b/sshd.c
436	===================================================================	436	===================================================================
437	--- a/sshd.c	437	--- a/sshd.c
438	+++ b/sshd.c	438	+++ b/sshd.c
439	@@ -736,7 +736,7 @@	439	@@ -745,7 +745,7 @@
440	RAND_seed(rnd, sizeof(rnd));	440	RAND_seed(rnd, sizeof(rnd));
441		441
442	/* Drop privileges */	442	/* Drop privileges */