From 85dec7346395fcc14887a8cff91b81dc4d2e5304 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 3 Nov 2008 20:16:01 +1100 Subject: - (djm) [contrib/caldera/ssh-host-keygen contrib/suse/rc.sshd] Make example scripts generate keys with default sizes rather than fixed, non-default 1024 bits; patch from imorgan AT nas.nasa.gov --- contrib/caldera/ssh-host-keygen | 10 +++++----- contrib/suse/rc.sshd | 6 +++--- 2 files changed, 8 insertions(+), 8 deletions(-) (limited to 'contrib') diff --git a/contrib/caldera/ssh-host-keygen b/contrib/caldera/ssh-host-keygen index 3c5c17182..86382ddfb 100755 --- a/contrib/caldera/ssh-host-keygen +++ b/contrib/caldera/ssh-host-keygen @@ -1,6 +1,6 @@ #! /bin/sh # -# $Id: ssh-host-keygen,v 1.2 2003/11/21 12:48:57 djm Exp $ +# $Id: ssh-host-keygen,v 1.3 2008/11/03 09:16:01 djm Exp $ # # This script is normally run only *once* for a given host # (in a given period of time) -- on updates/upgrades/recovery @@ -15,16 +15,16 @@ if [ -f $keydir/ssh_host_key -o \ -f $keydir/ssh_host_key.pub ]; then echo "You already have an SSH1 RSA host key in $keydir/ssh_host_key." else - echo "Generating 1024 bit SSH1 RSA host key." - $keygen -b 1024 -t rsa1 -f $keydir/ssh_host_key -C '' -N '' + echo "Generating SSH1 RSA host key." + $keygen -t rsa1 -f $keydir/ssh_host_key -C '' -N '' fi if [ -f $keydir/ssh_host_rsa_key -o \ -f $keydir/ssh_host_rsa_key.pub ]; then echo "You already have an SSH2 RSA host key in $keydir/ssh_host_rsa_key." else - echo "Generating 1024 bit SSH2 RSA host key." - $keygen -b 1024 -t rsa -f $keydir/ssh_host_rsa_key -C '' -N '' + echo "Generating SSH2 RSA host key." + $keygen -t rsa -f $keydir/ssh_host_rsa_key -C '' -N '' fi if [ -f $keydir/ssh_host_dsa_key -o \ diff --git a/contrib/suse/rc.sshd b/contrib/suse/rc.sshd index 573960bfa..4d4880d7e 100644 --- a/contrib/suse/rc.sshd +++ b/contrib/suse/rc.sshd 
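Review bot: In the SSH1 and SSH2 RSA branches of the `@@ -15,16 +15,16 @@` hunk, nothing records the size of the host key that was generated, which now depends on the default of whichever ssh-keygen is installed. The rc.sshd hunk of the same commit has the same gap. I would print the result after each generation, for example `$keygen -l -f $keydir/ssh_host_rsa_key.pub`, so the install log shows the bit length and fingerprint an admin can compare against policy. The DSA block that follows begins inside the hunk but continues outside it.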
@@ -45,17 +45,17 @@ case "$1" in start) if ! test -f /etc/ssh/ssh_host_key ; then echo Generating /etc/ssh/ssh_host_key. - ssh-keygen -t rsa1 -b 1024 -f /etc/ssh/ssh_host_key -N '' + ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N '' fi if ! test -f /etc/ssh/ssh_host_dsa_key ; then echo Generating /etc/ssh/ssh_host_dsa_key. - ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N '' + ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '' fi if ! test -f /etc/ssh/ssh_host_rsa_key ; then echo Generating /etc/ssh/ssh_host_rsa_key. - ssh-keygen -t rsa -b 1024 -f /etc/ssh/ssh_host_rsa_key -N '' + ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N '' fi echo -n "Starting SSH daemon" ## Start daemon with startproc(8). If this fails -- cgit v1.2.3 From 250071fd776ecc8ef6b87b6aa9e75c28adaf7e06 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 3 Nov 2008 20:18:12 +1100 Subject: - (djm) [contrib/sshd.pam.generic contrib/caldera/sshd.pam] [contrib/redhat/sshd.pam] Move pam_nologin to account group from incorrect auth group in example files; patch from imorgan AT nas.nasa.gov --- ChangeLog | 6 +++++- contrib/caldera/sshd.pam | 2 +- contrib/redhat/sshd.pam | 2 +- contrib/sshd.pam.generic | 2 +- 4 files changed, 8 insertions(+), 4 deletions(-) (limited to 'contrib') diff --git a/ChangeLog b/ChangeLog index d2f3b1841..c9fec8bf9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -109,6 +109,10 @@ - (djm) [contrib/caldera/ssh-host-keygen contrib/suse/rc.sshd] Make example scripts generate keys with default sizes rather than fixed, non-default 1024 bits; patch from imorgan AT nas.nasa.gov + - (djm) [contrib/sshd.pam.generic contrib/caldera/sshd.pam] + [contrib/redhat/sshd.pam] Move pam_nologin to account group from + incorrect auth group in example files; + patch from imorgan AT nas.nasa.gov 20080906 - (dtucker) [config.guess config.sub] Update to latest versions from 
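Review bot: The exit status of `ssh-keygen` is ignored in all three branches of `start)`, so the script goes on to "Starting SSH daemon" even when a host key could not be written. The caldera/ssh-host-keygen hunk in this commit has the same pattern with `$keygen`. A minimal guard would be `ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N '' || exit 1`, or whatever failure convention the rest of this rc script uses. The `start)` arm continues outside the hunk.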
@@ -4843,4 +4847,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.5126 2008/11/03 09:16:01 djm Exp $ +$Id: ChangeLog,v 1.5127 2008/11/03 09:18:12 djm Exp $ diff --git a/contrib/caldera/sshd.pam b/contrib/caldera/sshd.pam index 26dcb34d9..f050a9aee 100644 --- a/contrib/caldera/sshd.pam +++ b/contrib/caldera/sshd.pam @@ -1,6 +1,6 @@ #%PAM-1.0 auth required /lib/security/pam_pwdb.so shadow nodelay -auth required /lib/security/pam_nologin.so +account required /lib/security/pam_nologin.so account required /lib/security/pam_pwdb.so password required /lib/security/pam_cracklib.so password required /lib/security/pam_pwdb.so shadow nullok use_authtok diff --git a/contrib/redhat/sshd.pam b/contrib/redhat/sshd.pam index e48607766..ffa5adbe5 100644 --- a/contrib/redhat/sshd.pam +++ b/contrib/redhat/sshd.pam @@ -1,6 +1,6 @@ #%PAM-1.0 auth required pam_stack.so service=system-auth -auth required pam_nologin.so +account required pam_nologin.so account required pam_stack.so service=system-auth password required pam_stack.so service=system-auth session required pam_stack.so service=system-auth diff --git a/contrib/sshd.pam.generic b/contrib/sshd.pam.generic index cf5af3024..215f0fe30 100644 --- a/contrib/sshd.pam.generic +++ b/contrib/sshd.pam.generic @@ -1,6 +1,6 @@ #%PAM-1.0 auth required /lib/security/pam_unix.so shadow nodelay -auth required /lib/security/pam_nologin.so +account required /lib/security/pam_nologin.so account required /lib/security/pam_unix.so password required /lib/security/pam_cracklib.so password required /lib/security/pam_unix.so shadow nullok use_authtok -- cgit v1.2.3 From 83795d61d277df3f090f12336ea3e21b6946ef4f Mon Sep 17 00:00:00 2001 
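Review bot: None of the three example files (contrib/caldera/sshd.pam, contrib/redhat/sshd.pam, contrib/sshd.pam.generic) says why pam_nologin belongs in the account stack, so a later edit could easily move it back to auth. As far as I know sshd runs the account stack for every authentication method, while the auth stack is only consulted for PAM-backed password or keyboard-interactive logins. This placement is therefore what makes /etc/nologin apply to public-key logins too. I would add a comment above the moved line in each file, such as `# account, not auth: must also apply to logins that skip PAM authentication (e.g. public key)`.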
From: Darren Tucker Date: Mon, 1 Dec 2008 21:34:28 +1100 Subject: - (dtucker) [contrib/cygwin/{Makefile,ssh-host-config}] Add new doc files and tweak the is-sshd-running check in ssh-host-config. Patch from vinschen at redhat com. --- ChangeLog | 7 ++++++- contrib/cygwin/Makefile | 4 +++- contrib/cygwin/ssh-host-config | 2 +- 3 files changed, 10 insertions(+), 3 deletions(-) (limited to 'contrib') diff --git a/ChangeLog b/ChangeLog index 8fd643146..13fd17889 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20081201 + - (dtucker) [contrib/cygwin/{Makefile,ssh-host-config}] Add new doc files + and tweak the is-sshd-running check in ssh-host-config. Patch from + vinschen at redhat com. + 20081123 - (dtucker) [monitor_fdpass.c] Reduce diff vs OpenBSD by moving some declarations, removing an unnecessary union member and adding whitespace. @@ -4931,5 +4936,5 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.5144 2008/11/23 08:05:53 dtucker Exp $ +$Id: ChangeLog,v 1.5145 2008/12/01 10:34:28 dtucker Exp $ diff --git a/contrib/cygwin/Makefile b/contrib/cygwin/Makefile index 3e2d26404..2ebd143dc 100644 --- a/contrib/cygwin/Makefile +++ b/contrib/cygwin/Makefile 
@@ -38,11 +38,13 @@ install-sshdoc: $(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog $(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE $(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW + $(INSTALL) -m 644 $(srcdir)/PROTOCOL $(DESTDIR)$(sshdocdir)/PROTOCOL + $(INSTALL) -m 644 $(srcdir)/PROTOCOL.agent $(DESTDIR)$(sshdocdir)/PROTOCOL.agent $(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README $(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns + $(INSTALL) -m 644 $(srcdir)/README.platform $(DESTDIR)$(sshdocdir)/README.platform $(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep $(INSTALL) -m 644 $(srcdir)/README.smartcard $(DESTDIR)$(sshdocdir)/README.smartcard - $(INSTALL) -m 644 $(srcdir)/RFC.nroff $(DESTDIR)$(sshdocdir)/RFC.nroff $(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO $(INSTALL) -m 644 $(srcdir)/WARNING.RNG $(DESTDIR)$(sshdocdir)/WARNING.RNG diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index bbb6da4c4..2d367d314 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config @@ -456,7 +456,7 @@ done # Check for running ssh/sshd processes first. Refuse to do anything while # some ssh processes are still running -if ps -ef | grep -v grep | grep -q ssh +if ps -ef | grep -q '/sshd\?$' then echo csih_error "There are still ssh processes running. Please shut them down first." -- cgit v1.2.3 From 0266677f0feb72b092f87480a4c8695c71db9684 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 21 Jan 2009 20:29:20 +1100 Subject: - (djm) [contrib/ssh-copy-id.1 contrib/ssh-copy-id] bz#1492: Make ssh-copy-id copy id_rsa.pub by default (instead of the legacy "identity" key). Patch from cjwatson AT debian.org --- ChangeLog | 5 ++++- contrib/ssh-copy-id | 4 ++-- contrib/ssh-copy-id.1 | 4 ++-- 3 files changed, 8 insertions(+), 5 deletions(-) (limited to 'contrib') 
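Review bot: The new pattern `'/sshd\?$'` in the `@@ -456,7 +456,7 @@` hunk of ssh-host-config uses `\?`, a GNU extension to basic regular expressions, and matches only when the ps line ends in `/ssh` or `/sshd`. That holds if `ps -ef` prints the bare executable path, as Cygwin's ps appears to do. A process listed with trailing arguments would be missed, and the script would then reconfigure the host while sshd is still running. `grep -Eq '/sshd?$'` expresses the same match portably, and a short comment stating the assumed ps output format would document the dependency. The `if` body continues outside the hunk.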
diff --git a/ChangeLog b/ChangeLog index f2c556c1a..d19ae7235 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,9 @@ - (djm) [channels.c] bz#1419: support "on demand" X11 forwarding via launchd on OS X; patch from vgiffin AT apple.com, slightly tweaked; ok dtucker@ + - (djm) [contrib/ssh-copy-id.1 contrib/ssh-copy-id] bz#1492: Make + ssh-copy-id copy id_rsa.pub by default (instead of the legacy "identity" + key). Patch from cjwatson AT debian.org 20090107 - (tim) [configure.ac defines.h openbsd-compat/port-uw.c @@ -5003,5 +5006,5 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.5159 2009/01/21 05:46:26 djm Exp $ +$Id: ChangeLog,v 1.5160 2009/01/21 09:29:20 djm Exp $ diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id index acd36d398..df74d25c8 100644 --- a/contrib/ssh-copy-id +++ b/contrib/ssh-copy-id @@ -1,11 +1,11 @@ #!/bin/sh -# Shell script to install your identity.pub on a remote machine +# Shell script to install your public key on a remote machine # Takes the remote machine name as an argument. # Obviously, the remote machine must accept password authentication, # or one of the other keys in your ssh-agent, for this to work. -ID_FILE="${HOME}/.ssh/identity.pub" +ID_FILE="${HOME}/.ssh/id_rsa.pub" if [ "-i" = "$1" ]; then shift diff --git a/contrib/ssh-copy-id.1 b/contrib/ssh-copy-id.1 index b331fa149..f25ed01f2 100644 --- a/contrib/ssh-copy-id.1 +++ b/contrib/ssh-copy-id.1 @@ -18,7 +18,7 @@ the original English. .. .TH SSH-COPY-ID 1 "14 November 1999" "OpenSSH" .SH NAME -ssh-copy-id \- install your identity.pub in a remote machine's authorized_keys +ssh-copy-id \- install your public key in a remote machine's authorized_keys .SH SYNOPSIS .B ssh-copy-id [-i [identity_file]] .I "[user@]machine" 
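Review bot: The rewritten header comment in contrib/ssh-copy-id now says only "your public key" and no longer tells the reader which file is sent to the remote authorized_keys. I would state the default and the override next to `ID_FILE`, for example `# Default: ~/.ssh/id_rsa.pub; pass -i <file> to install a different key`. Users who hold only a legacy identity.pub now need `-i`. Whether the script reports a missing default file is decided outside this hunk.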
@@ -42,7 +42,7 @@ set in its configuration). If the .B -i option is given then the identity file (defaults to -.BR ~/.ssh/identity.pub ) +.BR ~/.ssh/id_rsa.pub ) is used, regardless of whether there are any keys in your .BR ssh-agent . Otherwise, if this: -- cgit v1.2.3 From ca3692d1a9f8c384d3cf799369dcb9c54bb5ec55 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Wed, 28 Jan 2009 12:50:04 -0800 Subject: - (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen. Changes to work on Cygwin 1.5.x as well as on the new Cygwin 1.7.x. The information given for the setting of the CYGWIN environment variable is wrong for both releases so I just removed it, together with the unnecessary (Cygwin 1.5.x) or wrong (Cygwin 1.7.x) default setting. --- ChangeLog | 9 ++++++++- contrib/cygwin/ssh-host-config | 6 ++---- 2 files changed, 10 insertions(+), 5 deletions(-) (limited to 'contrib') diff --git a/ChangeLog b/ChangeLog index 8584ff316..25ce43ed1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20090128 + - (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen. + Changes to work on Cygwin 1.5.x as well as on the new Cygwin 1.7.x. + The information given for the setting of the CYGWIN environment variable + is wrong for both releases so I just removed it, together with the + unnecessary (Cygwin 1.5.x) or wrong (Cygwin 1.7.x) default setting. + 20081228 - (djm) OpenBSD CVS Sync - stevesk@cvs.openbsd.org 2008/12/09 03:20:42 @@ -5095,5 +5102,5 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.5179 2009/01/28 05:38:41 djm Exp $ +$Id: ChangeLog,v 1.5180 2009/01/28 20:50:04 tim Exp $ diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index 2d367d314..d4f5f32d0 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config 
@@ -25,7 +25,7 @@ source ${CSIH_SCRIPT} port_number=22 privsep_configured=no privsep_used=yes -cygwin_value="ntsec" +cygwin_value="" password_value= # ====================================================================== @@ -76,7 +76,7 @@ update_services_file() { fi _serv_tmp="${_my_etcdir}/srv.out.$$" - mount -t -f "${_win_etcdir}" "${_my_etcdir}" + mount -o text -f "${_win_etcdir}" "${_my_etcdir}" # Depends on the above mount _wservices=`cygpath -w "${_services}"` @@ -278,8 +278,6 @@ install_service() { echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?" if csih_request "(Say \"no\" if it is already installed as a service)" then - csih_inform "Note that the CYGWIN variable must contain at least \"ntsec\"" - csih_inform "for sshd to be able to change user context without password." csih_get_cygenv "${cygwin_value}" if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) -- cgit v1.2.3 From 6a3253496843abf7b10d1aadb46847e8b11039ec Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Thu, 29 Jan 2009 12:30:01 -0800 Subject: - (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen. If the CYGWIN environment variable is empty, the installer script should not install the service with an empty CYGWIN variable, but rather without setting CYGWNI entirely. --- ChangeLog | 8 +++++++- contrib/cygwin/ssh-host-config | 13 +++++++++---- 2 files changed, 16 insertions(+), 5 deletions(-) (limited to 'contrib') diff --git a/ChangeLog b/ChangeLog index 25ce43ed1..affb5e501 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20090129 + - (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen. + If the CYGWIN environment variable is empty, the installer script + should not install the service with an empty CYGWIN variable, but + rather without setting CYGWNI entirely. + 20090128 - (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen. Changes to work on Cygwin 1.5.x as well as on the new Cygwin 1.7.x. 
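Review bot: The result of `mount -o text -f "${_win_etcdir}" "${_my_etcdir}"` in update_services_file is not checked, although the very next comment says the following lines depend on that mount. If it fails, `cygpath -w "${_services}"` and the later rewrite of the services file operate on whatever happens to be at that path. I would guard it with `if ! mount -o text -f "${_win_etcdir}" "${_my_etcdir}"; then csih_warning "Mounting ${_win_etcdir} failed!"; return 1; fi`, or the equivalent in the script's own error style. The function starts and ends outside the hunk.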
@@ -5102,5 +5108,5 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.5180 2009/01/28 20:50:04 tim Exp $ +$Id: ChangeLog,v 1.5181 2009/01/29 20:30:01 tim Exp $ diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index d4f5f32d0..ec03f163d 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config @@ -314,10 +314,14 @@ install_service() { csih_check_user "${run_service_as}" + if [ -n "${csih_cygenv}" ] + then + cygwin_env="-e CYGWIN=\"${csih_cygenv}\"" + fi if [ -z "${password}" ] then - if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \ - -e CYGWIN="${csih_cygenv}" + if eval cygrunsrv -I sshd -d \"CYGWIN sshd\" -p /usr/sbin/sshd \ + -a "-D" -y tcpip ${cygwin_env} then echo csih_inform "The sshd service has been installed under the LocalSystem" @@ -326,8 +330,9 @@ install_service() { csih_inform "will start automatically after the next reboot." fi else - if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \ - -e CYGWIN="${csih_cygenv}" -u "${run_service_as}" -w "${password}" + if eval cygrunsrv -I sshd -d \"CYGWIN sshd\" -p /usr/sbin/sshd \ + -a "-D" -y tcpip ${cygwin_env} \ + -u "${run_service_as}" -w "${password}" then echo csih_inform "The sshd service has been installed under the '${run_service_as}'" -- cgit v1.2.3 From 0d8f2f3afa1663386ac80a0b7835b6776d5bcae1 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Thu, 29 Jan 2009 12:40:30 -0800 Subject: - (tim) [contrib/cygwin/ssh-host-config] Whitespace cleanup. No code changes. --- ChangeLog | 3 +- contrib/cygwin/ssh-host-config | 218 ++++++++++++++++++++--------------------- 2 files changed, 111 insertions(+), 110 deletions(-) (limited to 'contrib') diff --git a/ChangeLog b/ChangeLog index affb5e501..abb2f7bf5 100644 --- a/ChangeLog +++ b/ChangeLog 
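Review bot: Wrapping both `cygrunsrv -I` calls in `eval` (hunks `@@ -314,10 +314,14 @@` and `@@ -326,8 +330,9 @@`) makes the shell parse the already-expanded values a second time. A service password or CYGWIN value containing a space, quote, `$`, backtick or `;` is then split or interpreted as shell syntax instead of being passed as a single argument. `-w "${password}"` is the sensitive case, since the password comes from interactive input or csih_PRIVILEGED_PASSWORD. The optional `-e CYGWIN=...` argument can be produced without `eval` by putting `${csih_cygenv:+...}` expansions directly on the command line, which also removes `cygwin_env`, a variable that is not initialized in the visible lines when csih_cygenv is empty. install_service starts and ends outside these hunks.

```shell
# … unchanged: csih_check_user call; the cygwin_env assignment block is dropped …
      if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
                   -a "-D" -y tcpip \
                   ${csih_cygenv:+-e} ${csih_cygenv:+"CYGWIN=${csih_cygenv}"}
# … unchanged: LocalSystem messages, fi, else …
      if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
                   -a "-D" -y tcpip \
                   ${csih_cygenv:+-e} ${csih_cygenv:+"CYGWIN=${csih_cygenv}"} \
                   -u "${run_service_as}" -w "${password}"
# … unchanged: messages for the '${run_service_as}' account …
```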
@@ -3,6 +3,7 @@ If the CYGWIN environment variable is empty, the installer script should not install the service with an empty CYGWIN variable, but rather without setting CYGWNI entirely. + - (tim) [contrib/cygwin/ssh-host-config] Whitespace cleanup. No code changes. 20090128 - (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen. @@ -5108,5 +5109,5 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.5181 2009/01/29 20:30:01 tim Exp $ +$Id: ChangeLog,v 1.5182 2009/01/29 20:40:30 tim Exp $ diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index ec03f163d..57e728fbc 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config @@ -37,13 +37,13 @@ create_host_keys() { csih_inform "Generating ${SYSCONFDIR}/ssh_host_key" ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null fi - + if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] then csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key" ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null fi - + if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] then csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key" @@ -75,12 +75,12 @@ update_services_file() { _spaces=" # " fi _serv_tmp="${_my_etcdir}/srv.out.$$" - + mount -o text -f "${_win_etcdir}" "${_my_etcdir}" - + # Depends on the above mount _wservices=`cygpath -w "${_services}"` - + # Remove sshd 22/port from services if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] then 
@@ -89,16 +89,16 @@ update_services_file() { then if mv "${_serv_tmp}" "${_services}" then - csih_inform "Removing sshd from ${_wservices}" + csih_inform "Removing sshd from ${_wservices}" else - csih_warning "Removing sshd from ${_wservices} failed!" + csih_warning "Removing sshd from ${_wservices} failed!" fi rm -f "${_serv_tmp}" else csih_warning "Removing sshd from ${_wservices} failed!" fi fi - + # Add ssh 22/tcp and ssh 22/udp to services if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] then @@ -106,9 +106,9 @@ update_services_file() { then if mv "${_serv_tmp}" "${_services}" then - csih_inform "Added ssh to ${_wservices}" + csih_inform "Added ssh to ${_wservices}" else - csih_warning "Adding ssh to ${_wservices} failed!" + csih_warning "Adding ssh to ${_wservices} failed!" fi rm -f "${_serv_tmp}" else @@ -134,16 +134,16 @@ sshd_privsep() { csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." if csih_request "Should privilege separation be used?" then - privsep_used=yes - if ! csih_create_unprivileged_user sshd - then + privsep_used=yes + if ! csih_create_unprivileged_user sshd + then csih_warning "Couldn't create user 'sshd'!" - csih_warning "Privilege separation set to 'no' again!" - csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" + csih_warning "Privilege separation set to 'no' again!" + csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" privsep_used=no - fi + fi else - privsep_used=no + privsep_used=no fi else # On 9x don't use privilege separation. Since security isn't @@ -151,7 +151,7 @@ sshd_privsep() { privsep_used=no fi fi - + # Create default sshd_config from skeleton files in /etc/defaults/etc or # modify to add the missing privsep configuration option if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 
@@ -161,8 +161,8 @@ sshd_privsep() { sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ s/^#Port 22/Port ${port_number}/ s/^#StrictModes yes/StrictModes no/" \ - < ${SYSCONFDIR}/sshd_config \ - > "${sshdconfig_tmp}" + < ${SYSCONFDIR}/sshd_config \ + > "${sshdconfig_tmp}" mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config elif [ "${privsep_configured}" != "yes" ] then @@ -193,19 +193,19 @@ update_inetd_conf() { # will be replaced by a file in inetd.d/ if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] then - grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" - if [ -f "${_inetcnf_tmp}" ] - then - if mv "${_inetcnf_tmp}" "${_inetcnf}" - then + grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" + if [ -f "${_inetcnf_tmp}" ] + then + if mv "${_inetcnf_tmp}" "${_inetcnf}" + then csih_inform "Removed ssh[d] from ${_inetcnf}" - else + else csih_warning "Removing ssh[d] from ${_inetcnf} failed!" - fi - rm -f "${_inetcnf_tmp}" - else - csih_warning "Removing ssh[d] from ${_inetcnf} failed!" - fi + fi + rm -f "${_inetcnf_tmp}" + else + csih_warning "Removing ssh[d] from ${_inetcnf} failed!" + fi fi fi @@ -214,13 +214,13 @@ update_inetd_conf() { then if [ "${_with_comment}" -eq 0 ] then - sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" + sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" else - sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" + sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" fi mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" csih_inform "Updated ${_sshd_inetd_conf}" - fi + fi elif [ -f "${_inetcnf}" ] then 
@@ -233,26 +233,26 @@ update_inetd_conf() { grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" if [ -f "${_inetcnf_tmp}" ] then - if mv "${_inetcnf_tmp}" "${_inetcnf}" - then + if mv "${_inetcnf_tmp}" "${_inetcnf}" + then csih_inform "Removed sshd from ${_inetcnf}" - else + else csih_warning "Removing sshd from ${_inetcnf} failed!" - fi - rm -f "${_inetcnf_tmp}" + fi + rm -f "${_inetcnf_tmp}" else - csih_warning "Removing sshd from ${_inetcnf} failed!" + csih_warning "Removing sshd from ${_inetcnf} failed!" fi fi - + # Add ssh line to inetd.conf if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] then if [ "${_with_comment}" -eq 0 ] then - echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" + echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" else - echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" + echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" fi csih_inform "Added ssh to ${_inetcnf}" fi 
@@ -278,83 +278,83 @@ install_service() { echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?" if csih_request "(Say \"no\" if it is already installed as a service)" then - csih_get_cygenv "${cygwin_value}" - - if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) - then - csih_inform "On Windows Server 2003, Windows Vista, and above, the" - csih_inform "SYSTEM account cannot setuid to other users -- a capability" - csih_inform "sshd requires. You need to have or to create a privileged" - csih_inform "account. This script will help you do so." - echo - if ! csih_create_privileged_user "${password_value}" - then - csih_error_recoverable "There was a serious problem creating a privileged user." - csih_request "Do you want to proceed anyway?" || exit 1 - fi - fi - - # never returns empty if NT or above - run_service_as=$(csih_service_should_run_as) - - if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] - then - password="${csih_PRIVILEGED_PASSWORD}" - if [ -z "${password}" ] - then - csih_get_value "Please enter the password for user '${run_service_as}':" "-s" - password="${csih_value}" - fi - fi - - # at this point, we either have $run_service_as = "system" and $password is empty, - # or $run_service_as is some privileged user and (hopefully) $password contains - # the correct password. So, from here out, we use '-z "${password}"' to discriminate - # the two cases. - - csih_check_user "${run_service_as}" + csih_get_cygenv "${cygwin_value}" + + if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) + then + csih_inform "On Windows Server 2003, Windows Vista, and above, the" + csih_inform "SYSTEM account cannot setuid to other users -- a capability" + csih_inform "sshd requires. You need to have or to create a privileged" + csih_inform "account. This script will help you do so." + echo + if ! 
csih_create_privileged_user "${password_value}" + then + csih_error_recoverable "There was a serious problem creating a privileged user." + csih_request "Do you want to proceed anyway?" || exit 1 + fi + fi + + # never returns empty if NT or above + run_service_as=$(csih_service_should_run_as) + + if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] + then + password="${csih_PRIVILEGED_PASSWORD}" + if [ -z "${password}" ] + then + csih_get_value "Please enter the password for user '${run_service_as}':" "-s" + password="${csih_value}" + fi + fi + + # at this point, we either have $run_service_as = "system" and $password is empty, + # or $run_service_as is some privileged user and (hopefully) $password contains + # the correct password. So, from here out, we use '-z "${password}"' to discriminate + # the two cases. + + csih_check_user "${run_service_as}" if [ -n "${csih_cygenv}" ] then cygwin_env="-e CYGWIN=\"${csih_cygenv}\"" fi - if [ -z "${password}" ] - then + if [ -z "${password}" ] + then if eval cygrunsrv -I sshd -d \"CYGWIN sshd\" -p /usr/sbin/sshd \ -a "-D" -y tcpip ${cygwin_env} - then - echo - csih_inform "The sshd service has been installed under the LocalSystem" - csih_inform "account (also known as SYSTEM). To start the service now, call" - csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it" - csih_inform "will start automatically after the next reboot." - fi - else + then + echo + csih_inform "The sshd service has been installed under the LocalSystem" + csih_inform "account (also known as SYSTEM). To start the service now, call" + csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it" + csih_inform "will start automatically after the next reboot." + fi + else if eval cygrunsrv -I sshd -d \"CYGWIN sshd\" -p /usr/sbin/sshd \ -a "-D" -y tcpip ${cygwin_env} \ -u "${run_service_as}" -w "${password}" - then + then echo csih_inform "The sshd service has been installed under the '${run_service_as}'" csih_inform "account. 
To start the service now, call \`net start sshd' or" - csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically" - csih_inform "after the next reboot." - fi - fi - - # now, if successfully installed, set ownership of the affected files - if cygrunsrv -Q sshd >/dev/null 2>&1 - then - chown "${run_service_as}" ${SYSCONFDIR}/ssh* - chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty - chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog - if [ -f ${LOCALSTATEDIR}/log/sshd.log ] - then + csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically" + csih_inform "after the next reboot." + fi + fi + + # now, if successfully installed, set ownership of the affected files + if cygrunsrv -Q sshd >/dev/null 2>&1 + then + chown "${run_service_as}" ${SYSCONFDIR}/ssh* + chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty + chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog + if [ -f ${LOCALSTATEDIR}/log/sshd.log ] + then chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log - fi - else - csih_warning "Something went wrong installing the sshd service." - fi + fi + else + csih_warning "Something went wrong installing the sshd service." + fi fi # user allowed us to install as service fi # service not yet installed fi # csih_is_nt @@ -478,9 +478,9 @@ setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" # Create /var/log/lastlog if not already exists if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] then - echo + echo csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \ - "Cannot create ssh host configuration." + "Cannot create ssh host configuration." fi if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] then @@ -523,7 +523,7 @@ sshd_privsep -update_services_file +update_services_file update_inetd_conf install_service -- cgit v1.2.3 From 7691e5fa44a54b193f00380634c3978a961480d2 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Sat, 21 Feb 2009 18:03:04 +1100 Subject: - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] Prepare for 5.2p1 --- ChangeLog | 4 +++- contrib/caldera/openssh.spec | 8 ++++---- contrib/redhat/openssh.spec | 4 ++-- contrib/suse/openssh.spec | 4 ++-- 4 files changed, 11 insertions(+), 9 deletions(-) (limited to 'contrib') diff --git a/ChangeLog b/ChangeLog index 3bad0fc03..e1de4ed4a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,8 @@ [schnorr.c] signature should hash over the entire group, not just the generator (this is still disabled code) + - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] + [contrib/suse/openssh.spec] Prepare for 5.2p1 20090216 - (djm) [regress/conch-ciphers.sh regress/putty-ciphers.sh] @@ -5181,5 +5183,5 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.5199 2009/02/21 01:45:18 djm Exp $ +$Id: ChangeLog,v 1.5200 2009/02/21 07:03:04 djm Exp $ diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index 32d175d4b..42dbcfeeb 100644 --- a/contrib/caldera/openssh.spec +++ b/contrib/caldera/openssh.spec @@ -17,11 +17,11 @@ #old cvs stuff. please update before use. may be deprecated. %define use_stable 1 %if %{use_stable} - %define version 5.1p1 + %define version 5.2p1 %define cvs %{nil} %define release 1 %else - %define version 5.1p1 + %define version 5.2p1 %define cvs cvs20050315 %define release 0r1 %endif 
@@ -251,7 +251,7 @@ install -m 0755 contrib/caldera/ssh-host-keygen $SKG # install remaining docs DocD="%{buildroot}%{_defaultdocdir}/%{name}-%{version}" mkdir -p $DocD/%{askpass} -cp -a CREDITS ChangeLog LICENCE OVERVIEW README* TODO $DocD +cp -a CREDITS ChangeLog LICENCE OVERVIEW README* TODO PROTOCOL* $DocD install -p -m 0444 %{SOURCE3} $DocD/faq.html cp -a %{askpass}/{README,ChangeLog,TODO,SshAskpass*.ad} $DocD/%{askpass} %if %{use_stable} @@ -358,4 +358,4 @@ fi * Mon Jan 01 1998 ... Template Version: 1.31 -$Id: openssh.spec,v 1.65 2008/07/21 08:21:53 djm Exp $ +$Id: openssh.spec,v 1.66 2009/02/21 07:03:05 djm Exp $ diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index bb9e4d616..10bdc1989 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%define ver 5.1p1 +%define ver 5.2p1 %define rel 1 # OpenSSH privilege separation requires a user & group ID @@ -333,7 +333,7 @@ fi %files %defattr(-,root,root) -%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* RFC* TODO WARNING* +%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* PROTOCOL* TODO WARNING* %attr(0755,root,root) %{_bindir}/scp %attr(0644,root,root) %{_mandir}/man1/scp.1* %attr(0755,root,root) %dir %{_sysconfdir}/ssh diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 7bd9e0569..62f43e137 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 5.1p1 +Version: 5.2p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz @@ -200,7 +200,7 @@ fi %files %defattr(-,root,root) -%doc ChangeLog OVERVIEW README* +%doc ChangeLog OVERVIEW README* PROTOCOL* %doc TODO CREDITS LICENCE %attr(0755,root,root) %dir %{_sysconfdir}/ssh %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config -- cgit v1.2.3