author | Colin Watson <cjwatson@debian.org> | 2010-03-31 10:46:28 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2010-03-31 10:46:28 +0100 |
commit | efd3d4522636ae029488c2e9730b60c88e257d2e (patch) | |
tree | 31e02ac3f16090ce8c53448677356b2b7f423683 /debian/patches/selinux-role.patch | |
parent | bbec4db36d464ea1d464a707625125f9fd5c7b5e (diff) | |
parent | d1a87e462e1db89f19cd960588d0c6b287cb5ccc (diff) |
* New upstream release (LP: #535029).
- After a transition period of about 10 years, this release disables SSH
protocol 1 by default. Clients and servers that need to use the
legacy protocol must explicitly enable it in ssh_config / sshd_config
or on the command-line.
- Remove the libsectok/OpenSC-based smartcard code and add support for
PKCS#11 tokens. This support is enabled by default in the Debian
packaging, since it now doesn't involve additional library
dependencies (closes: #231472, LP: #16918).
- Add support for certificate authentication of users and hosts using a
new, minimal OpenSSH certificate format (closes: #482806).
- Added a 'netcat mode' to ssh(1): "ssh -W host:port ...".
- Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian
package, this overlaps with the key blacklisting facility added in
openssh 1:4.7p1-9, but with different file formats and slightly
different scopes; for the moment, I've roughly merged the two.)
- Various multiplexing improvements, including support for requesting
port-forwardings via the multiplex protocol (closes: #360151).
- Allow setting an explicit umask on the sftp-server(8) commandline to
override whatever default the user has (closes: #496843).
- Many sftp client improvements, including tab-completion, more options,
and recursive transfer support for get/put (LP: #33378). The old
mget/mput commands never worked properly and have been removed
(closes: #270399, #428082).
- Do not prompt for a passphrase if we fail to open a keyfile, and log
the reason the open failed at debug level (closes: #431538).
- Prevent sftp from crashing when given a "-" without a command. Also,
allow whitespace to follow a "-" (closes: #531561).
Diffstat (limited to 'debian/patches/selinux-role.patch')
-rw-r--r-- | debian/patches/selinux-role.patch | 23 |
1 files changed, 12 insertions, 11 deletions
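--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -186,7 +186,7 @@ Index: b/monitor_wrap.c
 {
 Buffer m;
 
-@@ -291,11 +291,29 @@
+@@ -291,12 +291,30 @@
 buffer_init(&m);
 buffer_put_cstring(&m, service);
 buffer_put_cstring(&m, style ? style : "");
@@ -196,7 +196,7 @@ Index: b/monitor_wrap.c
 
 buffer_free(&m);
 }
-+
+
 +/* Inform the privileged process about role */
 +
 +void
@@ -213,9 +213,10 @@ Index: b/monitor_wrap.c
 +
 + buffer_free(&m);
 +}
-
++
 /* Do the password authentication */
 int
+mm_auth_password(Authctxt *authctxt, char *password)
 Index: b/monitor_wrap.h
 ===================================================================
 --- a/monitor_wrap.h
@@ -234,20 +235,20 @@ Index: b/openbsd-compat/port-linux.c
 ===================================================================
 --- a/openbsd-compat/port-linux.c
 +++ b/openbsd-compat/port-linux.c
-@@ -28,6 +28,12 @@
+@@ -29,6 +29,12 @@
 #include <string.h>
+#include <stdio.h>
 
-#ifdef WITH_SELINUX
++#ifdef WITH_SELINUX
 +#include "key.h"
 +#include "hostfile.h"
 +#include "auth.h"
-+#ifdef HAVE_GETSEUSERBYNAME
-+#include "xmalloc.h"
 +#endif
++
 #include "log.h"
+#include "xmalloc.h"
 #include "port-linux.h"
-
-@@ -35,6 +41,8 @@
+@@ -38,6 +44,8 @@
 #include <selinux/flask.h>
 #include <selinux/get_context_list.h>
 
@@ -256,7 +257,7 @@ Index: b/openbsd-compat/port-linux.c
 /* Wrapper around is_selinux_enabled() to log its return value once only */
 int
 ssh_selinux_enabled(void)
-@@ -53,8 +61,8 @@
+@@ -56,8 +64,8 @@
 static security_context_t
 ssh_selinux_getctxbyname(char *pwname)
 {
@@ -267,7 +268,7 @@ Index: b/openbsd-compat/port-linux.c
 int r;
 
 #ifdef HAVE_GETSEUSERBYNAME
-@@ -64,11 +72,20 @@
+@@ -67,11 +75,20 @@
 sename = pwname;
 lvl = NULL;
 #endif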