diff options
Diffstat (limited to 'debian')
| -rw-r--r-- | debian/changelog | 11 | ||||
| -rw-r--r-- | debian/control | 2 | ||||
| -rw-r--r-- | debian/openssh-server.postinst | 3 | ||||
| -rw-r--r-- | debian/openssh-server.preinst | 3 | ||||
| -rw-r--r-- | debian/openssh-server.ssh.pam | 3 | ||||
| -rwxr-xr-x | debian/rules | 7 |
6 files changed, 27 insertions, 2 deletions
diff --git a/debian/changelog b/debian/changelog index 671a44922..aae858b96 100644 --- a/debian/changelog +++ b/debian/changelog | |||
| @@ -2,6 +2,17 @@ openssh (1:4.1p1-4) UNRELEASED; urgency=low | |||
| 2 | 2 | ||
| 3 | * openssh-client and openssh-server conflict with ssh-krb5, as ssh-krb5 | 3 | * openssh-client and openssh-server conflict with ssh-krb5, as ssh-krb5 |
| 4 | only conflicts with ssh (closes: #312475). | 4 | only conflicts with ssh (closes: #312475). |
| 5 | * Manoj Srivastava: | ||
| 6 | - Added SELinux capability, and turned it on be default. Added | ||
| 7 | restorecon calls in preinst and postinst (should not matter if the | ||
| 8 | machine is not SELinux aware). By and large, the changes made should | ||
| 9 | have no effect unless the rules file calls --with-selinux; and even | ||
| 10 | then there should be no performance hit for machines not actively | ||
| 11 | running SELinux. | ||
| 12 | - Modified the preinst and postinst to call restorecon to set the | ||
| 13 | security context for the generated public key files. | ||
| 14 | - Added a comment to /etc/pam.d/ssh to indicate that an SELinux system | ||
| 15 | may want to also include pam_selinux.so. | ||
| 5 | * debconf template translations: | 16 | * debconf template translations: |
| 6 | - Update German (thanks, Jens Seidel; closes: #313949). | 17 | - Update German (thanks, Jens Seidel; closes: #313949). |
| 7 | 18 | ||
diff --git a/debian/control b/debian/control index 4e7cfd1b1..de945cf9c 100644 --- a/debian/control +++ b/debian/control | |||
| @@ -2,7 +2,7 @@ Source: openssh | |||
| 2 | Section: net | 2 | Section: net |
| 3 | Priority: standard | 3 | Priority: standard |
| 4 | Maintainer: Matthew Vernon <matthew@debian.org> | 4 | Maintainer: Matthew Vernon <matthew@debian.org> |
| 5 | Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev | libz-dev, libssl-dev, libpam0g-dev | libpam-dev, libgnomeui-dev (>= 2.0.0) [!hurd-i386] | libgnome-dev [!hurd-i386], libedit-dev, groff, debhelper (>= 2), sharutils [!hurd-i386] | 5 | Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev | libz-dev, libssl-dev, libpam0g-dev | libpam-dev, libgnomeui-dev (>= 2.0.0) [!hurd-i386] | libgnome-dev [!hurd-i386], libedit-dev, groff, debhelper (>= 2), sharutils [!hurd-i386], libselinux1-dev [alpha amd64 arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc] |
| 6 | Standards-Version: 3.6.1 | 6 | Standards-Version: 3.6.1 |
| 7 | Uploaders: Colin Watson <cjwatson@debian.org> | 7 | Uploaders: Colin Watson <cjwatson@debian.org> |
| 8 | 8 | ||
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst index 9beb373b7..e6fe65ffa 100644 --- a/debian/openssh-server.postinst +++ b/debian/openssh-server.postinst | |||
| @@ -94,6 +94,9 @@ create_key() { | |||
| 94 | echo -n $msg | 94 | echo -n $msg |
| 95 | ssh-keygen -q -f "$file" -N '' "$@" | 95 | ssh-keygen -q -f "$file" -N '' "$@" |
| 96 | echo | 96 | echo |
| 97 | if type restorecon >/dev/null 2>&1; then | ||
| 98 | restorecon "$file.pub" | ||
| 99 | fi | ||
| 97 | fi | 100 | fi |
| 98 | } | 101 | } |
| 99 | 102 | ||
diff --git a/debian/openssh-server.preinst b/debian/openssh-server.preinst index 320d4df2a..1ae85c7e8 100644 --- a/debian/openssh-server.preinst +++ b/debian/openssh-server.preinst | |||
| @@ -72,6 +72,9 @@ EOF | |||
| 72 | # case the key is encrypted, which we need to fix | 72 | # case the key is encrypted, which we need to fix |
| 73 | chmod 600 $key | 73 | chmod 600 $key |
| 74 | ssh-keygen -u -f $key >/dev/null | 74 | ssh-keygen -u -f $key >/dev/null |
| 75 | if type restorecon >/dev/null 2>&1; then | ||
| 76 | restorecon "$key.pub" | ||
| 77 | fi | ||
| 75 | } | 78 | } |
| 76 | fi | 79 | fi |
| 77 | fi | 80 | fi |
diff --git a/debian/openssh-server.ssh.pam b/debian/openssh-server.ssh.pam index 1332a267e..ce33b9347 100644 --- a/debian/openssh-server.ssh.pam +++ b/debian/openssh-server.ssh.pam | |||
| @@ -22,5 +22,8 @@ session optional pam_mail.so standard noenv # [1] | |||
| 22 | # Set up user limits from /etc/security/limits.conf. | 22 | # Set up user limits from /etc/security/limits.conf. |
| 23 | session required pam_limits.so | 23 | session required pam_limits.so |
| 24 | 24 | ||
| 25 | # Set up SELinux capabilities (need modified pam) | ||
| 26 | # session required pam_selinux.so multiple | ||
| 27 | |||
| 25 | # Standard Un*x password updating. | 28 | # Standard Un*x password updating. |
| 26 | @include common-password | 29 | @include common-password |
diff --git a/debian/rules b/debian/rules index 452b7fdbf..772d08f84 100755 --- a/debian/rules +++ b/debian/rules | |||
| @@ -57,6 +57,11 @@ ifeq ($(DEB_HOST_ARCH_OS),hurd) | |||
| 57 | FORCE_LIBS := LIBS=-lcrypt | 57 | FORCE_LIBS := LIBS=-lcrypt |
| 58 | endif | 58 | endif |
| 59 | 59 | ||
| 60 | # SELinux support? | ||
| 61 | ifeq ($(DEB_HOST_ARCH_OS),linux) | ||
| 62 | SELINUX := --with-selinux | ||
| 63 | endif | ||
| 64 | |||
| 60 | # Change the version string to include the Debian version | 65 | # Change the version string to include the Debian version |
| 61 | SSH_EXTRAVERSION := Debian-$(shell dpkg-parsechangelog | sed -n -e '/^Version:/s/Version: //p' | sed -e 's/[^-]*-//') | 66 | SSH_EXTRAVERSION := Debian-$(shell dpkg-parsechangelog | sed -n -e '/^Version:/s/Version: //p' | sed -e 's/[^-]*-//') |
| 62 | 67 | ||
| @@ -66,7 +71,7 @@ build-deb: build-deb-stamp | |||
| 66 | build-deb-stamp: | 71 | build-deb-stamp: |
| 67 | dh_testdir | 72 | dh_testdir |
| 68 | mkdir -p build-deb | 73 | mkdir -p build-deb |
| 69 | cd build-deb && $(FORCE_LIBS) ../configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib/openssh --mandir=/usr/share/man --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-default-path=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin --with-superuser-path=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin --with-pam --with-4in6 --with-privsep-path=/var/run/sshd --without-rand-helper --with-libedit | 74 | cd build-deb && $(FORCE_LIBS) ../configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib/openssh --mandir=/usr/share/man --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-default-path=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin --with-superuser-path=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin --with-pam --with-4in6 --with-privsep-path=/var/run/sshd --without-rand-helper --with-libedit $(SELINUX) |
| 70 | 75 | ||
| 71 | ifeq ($(DEB_HOST_ARCH_OS),linux) | 76 | ifeq ($(DEB_HOST_ARCH_OS),linux) |
| 72 | # Some 2.2 kernels have trouble with setres[ug]id() (bug #239999). | 77 | # Some 2.2 kernels have trouble with setres[ug]id() (bug #239999). |