Diffstat (limited to 'debian')
-rw-r--r-- | debian/changelog | 11 | ||||
-rw-r--r-- | debian/control | 2 | ||||
-rw-r--r-- | debian/openssh-server.postinst | 3 | ||||
-rw-r--r-- | debian/openssh-server.preinst | 3 | ||||
-rw-r--r-- | debian/openssh-server.ssh.pam | 3 | ||||
-rwxr-xr-x | debian/rules | 7 |
6 files changed, 27 insertions, 2 deletions
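--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,17 @@ openssh (1:4.1p1-4) UNRELEASED; urgency=low
 
 * openssh-client and openssh-server conflict with ssh-krb5, as ssh-krb5
 only conflicts with ssh (closes: #312475).
+* Manoj Srivastava:
+- Added SELinux capability, and turned it on be default. Added
+restorecon calls in preinst and postinst (should not matter if the
+machine is not SELinux aware). By and large, the changes made should
+have no effect unless the rules file calls --with-selinux; and even
+then there should be no performance hit for machines not actively
+running SELinux.
+- Modified the preinst and postinst to call restorecon to set the
+security context for the generated public key files.
+- Added a comment to /etc/pam.d/ssh to indicate that an SELinux system
+may want to also include pam_selinux.so.
 * debconf template translations:
 - Update German (thanks, Jens Seidel; closes: #313949).
 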
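--- a/debian/control
+++ b/debian/control
@@ -2,7 +2,7 @@ Source: openssh
 Section: net
 Priority: standard
 Maintainer: Matthew Vernon <matthew@debian.org>
-Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev | libz-dev, libssl-dev, libpam0g-dev | libpam-dev, libgnomeui-dev (>= 2.0.0) [!hurd-i386] | libgnome-dev [!hurd-i386], libedit-dev, groff, debhelper (>= 2), sharutils [!hurd-i386]
+Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev | libz-dev, libssl-dev, libpam0g-dev | libpam-dev, libgnomeui-dev (>= 2.0.0) [!hurd-i386] | libgnome-dev [!hurd-i386], libedit-dev, groff, debhelper (>= 2), sharutils [!hurd-i386], libselinux1-dev [alpha amd64 arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc]
 Standards-Version: 3.6.1
 Uploaders: Colin Watson <cjwatson@debian.org>
 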
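Review bot: The new `libselinux1-dev` build dependency is limited to a fixed architecture list, while debian/rules in this same commit passes `--with-selinux` whenever `DEB_HOST_ARCH_OS` is `linux`, so the two conditions can drift apart. A Linux architecture that is not in the list would run configure with SELinux requested but without the libselinux headers installed; depending on how configure handles that, the build presumably either fails or produces an sshd without the SELinux support the changelog promises. Expressing the restriction the way the file already does for other entries, e.g. `libselinux1-dev [!hurd-i386]`, would keep the dependency aligned with the rules file as new Linux ports are added.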
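--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -94,6 +94,9 @@ create_key() {
 echo -n $msg
 ssh-keygen -q -f "$file" -N '' "$@"
 echo
+if type restorecon >/dev/null 2>&1; then
+restorecon "$file.pub"
+fi
 fi
 }
 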
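Review bot: Only the public half of the host key is relabelled: `restorecon "$file.pub"` leaves the private key that ssh-keygen wrote to `$file` on the line above with whatever context it was created with. The private key is the file whose label decides which domains may read it, so it should be restored too, e.g. `restorecon "$file" "$file.pub"`; whether it already gets the right type through a policy transition is not visible here. The same applies to `restorecon "$key.pub"` in the debian/openssh-server.preinst hunk. If these maintainer scripts run under `set -e` (not shown), it is also worth deciding explicitly whether a failed relabel should abort the install. create_key's body starts before this hunk.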
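--- a/debian/openssh-server.preinst
+++ b/debian/openssh-server.preinst
@@ -72,6 +72,9 @@ EOF
 # case the key is encrypted, which we need to fix
 chmod 600 $key
 ssh-keygen -u -f $key >/dev/null
+if type restorecon >/dev/null 2>&1; then
+restorecon "$key.pub"
+fi
 }
 fi
 fi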
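--- a/debian/openssh-server.ssh.pam
+++ b/debian/openssh-server.ssh.pam
@@ -22,5 +22,8 @@ session optional pam_mail.so standard noenv # [1]
 # Set up user limits from /etc/security/limits.conf.
 session required pam_limits.so
 
+# Set up SELinux capabilities (need modified pam)
+# session required pam_selinux.so multiple
+
 # Standard Un*x password updating.
 @include common-password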
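Review bot: The added comment says "need modified pam" but does not tell an administrator what happens if the line is enabled on a system without the module. As a `required` session entry, a `pam_selinux.so` that cannot be loaded would presumably fail session setup for every SSH login, which on a remote host means losing access. I would spell that out in the comment, e.g. `# Enable only where pam_selinux.so is installed; as "required", a missing module fails every SSH session.`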
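--- a/debian/rules
+++ b/debian/rules
@@ -57,6 +57,11 @@ ifeq ($(DEB_HOST_ARCH_OS),hurd)
 FORCE_LIBS := LIBS=-lcrypt
 endif
 
+# SELinux support?
+ifeq ($(DEB_HOST_ARCH_OS),linux)
+SELINUX := --with-selinux
+endif
+
 # Change the version string to include the Debian version
 SSH_EXTRAVERSION := Debian-$(shell dpkg-parsechangelog | sed -n -e '/^Version:/s/Version: //p' | sed -e 's/[^-]*-//')
 
@@ -66,7 +71,7 @@ build-deb: build-deb-stamp
 build-deb-stamp:
 dh_testdir
 mkdir -p build-deb
-cd build-deb && $(FORCE_LIBS) ../configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib/openssh --mandir=/usr/share/man --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-default-path=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin --with-superuser-path=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin --with-pam --with-4in6 --with-privsep-path=/var/run/sshd --without-rand-helper --with-libedit
+cd build-deb && $(FORCE_LIBS) ../configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib/openssh --mandir=/usr/share/man --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-default-path=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin --with-superuser-path=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin --with-pam --with-4in6 --with-privsep-path=/var/run/sshd --without-rand-helper --with-libedit $(SELINUX)
 
 ifeq ($(DEB_HOST_ARCH_OS),linux)
 # Some 2.2 kernels have trouble with setres[ug]id() (bug #239999).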
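Review bot: `SELINUX` is assigned only inside the new `ifeq ($(DEB_HOST_ARCH_OS),linux)` block, so on any other host OS the `$(SELINUX)` appended to the configure line expands to whatever the build environment exports under that name, because make imports environment variables. An empty default ahead of the conditional, `SELINUX :=`, keeps the configure flags for a security-relevant feature determined by this file alone. `FORCE_LIBS` in the context lines above follows the same pattern and could be given the same default. The `ifeq` block that follows the configure line in the second hunk ends outside the hunk.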