From 6163350eb97774e7f780d5cc9df6164a6803aa0c Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 12 Feb 2006 16:48:56 +1100 Subject: - (dtucker) [README version.h contrib/caldera/openssh.spec contrib/redhat/openssh.spec contrib/suse/openssh.spec] Bump version strings to match 4.3p2 release. --- contrib/caldera/openssh.spec | 4 ++-- contrib/redhat/openssh.spec | 2 +- contrib/suse/openssh.spec | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) (limited to 'contrib') diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index 077b86b3a..77fc51897 100644 --- a/contrib/caldera/openssh.spec +++ b/contrib/caldera/openssh.spec @@ -17,7 +17,7 @@ #old cvs stuff. please update before use. may be deprecated. %define use_stable 1 %if %{use_stable} - %define version 4.3p1 + %define version 4.3p2 %define cvs %{nil} %define release 1 %else @@ -357,4 +357,4 @@ fi * Mon Jan 01 1998 ... Template Version: 1.31 -$Id: openssh.spec,v 1.56 2006/02/01 11:10:48 djm Exp $ +$Id: openssh.spec,v 1.57 2006/02/12 05:48:56 dtucker Exp $ diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 545e27b64..cbdf7bbc7 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%define ver 4.3p1 +%define ver 4.3p2 %define rel 1 # OpenSSH privilege separation requires a user & group ID diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index e7739bd91..b49e78c65 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 4.3p1 +Version: 4.3p2 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz -- cgit v1.2.3 From 18614c254d83466ab706ffd0d4f58a8a018dcddf Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Sat, 4 Mar 2006 08:50:31 +1100 Subject: - (dtucker) [contrib/cygwin/ssh-host-config] Require use of lastlog as a file rather than directory, required as Cygwin will be importing lastlog(1). Also tightens up permissions on the file. Patch from vinschen@redhat.com. --- ChangeLog | 7 ++++++- contrib/cygwin/ssh-host-config | 40 +++++++++++++++++++++++++--------------- 2 files changed, 31 insertions(+), 16 deletions(-) (limited to 'contrib') diff --git a/ChangeLog b/ChangeLog index 09d74de42..f714b84e0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20060304 + - (dtucker) [contrib/cygwin/ssh-host-config] Require use of lastlog as a + file rather than directory, required as Cygwin will be importing lastlog(1). + Also tightens up permissions on the file. Patch from vinschen@redhat.com. + 20060226 - (dtucker) [configure.ac] Bug #1156: QNX apparently needs SSHD_ACQUIRES_CTTY patch from kraai at ftbfs.org. @@ -3885,4 +3890,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4135 2006/02/26 01:31:48 dtucker Exp $ +$Id: ChangeLog,v 1.4136 2006/03/03 21:50:31 dtucker Exp $ diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index 0540890e6..09cc3fcf0 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config 
@@ -153,22 +153,31 @@ fi # Create /var/log and /var/log/lastlog if not already existing -if [ -f ${LOCALSTATEDIR}/log ] +if [ -e ${LOCALSTATEDIR}/log -a ! -d ${LOCALSTATEDIR}/log ] then - echo "Creating ${LOCALSTATEDIR}/log failed!" -else - if [ ! -d ${LOCALSTATEDIR}/log ] - then - mkdir -p ${LOCALSTATEDIR}/log - fi - if [ -d ${LOCALSTATEDIR}/log/lastlog ] - then - chmod 777 ${LOCALSTATEDIR}/log/lastlog - elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ] - then - cat /dev/null > ${LOCALSTATEDIR}/log/lastlog - chmod 666 ${LOCALSTATEDIR}/log/lastlog - fi + echo + echo "${LOCALSTATEDIR}/log is existant but not a directory." + echo "Cannot create ssh host configuration." + echo + exit 1 +fi +if [ ! -e ${LOCALSTATEDIR}/log ] +then + mkdir -p ${LOCALSTATEDIR}/log +fi + +if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] +then + echo + echo "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." + echo "Cannot create ssh host configuration." + echo + exit 1 +fi +if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] +then + cat /dev/null > ${LOCALSTATEDIR}/log/lastlog + chmod 644 ${LOCALSTATEDIR}/log/lastlog fi # Create /var/empty file used as chroot jail for privilege separation @@ -578,6 +587,7 @@ then fi chown "${_user}" ${SYSCONFDIR}/ssh* chown "${_user}".544 ${LOCALSTATEDIR}/empty + chown "${_user}".544 ${LOCALSTATEDIR}/log/lastlog if [ -f ${LOCALSTATEDIR}/log/sshd.log ] then chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log -- cgit v1.2.3 From 73b42d2bb058da914828b53f2951954560a5b6eb Mon Sep 17 00:00:00 2001 
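Review bot: The new `chmod 644 ${LOCALSTATEDIR}/log/lastlog` sits inside the `if [ ! -e ... ]` creation branch, so an installation that already has a lastlog created by the previous version of this script keeps the old mode 666 and the tightening the commit describes only applies to fresh installs. Moving the chmod after the closing `fi` of that block makes the mode unconditional, which matches the unconditional `chown "${_user}".544 ${LOCALSTATEDIR}/log/lastlog` added in the later hunk of this file. The paths are still unquoted in the `[ -e ... -a ! -f ... ]` tests; quoting `"${LOCALSTATEDIR}"` would keep the tests well-formed if the variable is empty or contains spaces.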
From: Damien Miller Date: Sat, 22 Apr 2006 21:26:08 +1000 Subject: - (djm) [Makefile.in configure.ac session.c sshpty.c] [contrib/redhat/sshd.init openbsd-compat/Makefile.in] [openbsd-compat/openbsd-compat.h openbsd-compat/port-linux.c] [openbsd-compat/port-linux.h] Add support for SELinux, setting the execution and TTY contexts. based on patch from Daniel Walsh, bz #880; ok dtucker@ --- ChangeLog | 14 +++- Makefile.in | 5 +- configure.ac | 22 +++++- contrib/redhat/sshd.init | 9 +++ openbsd-compat/Makefile.in | 4 +- openbsd-compat/openbsd-compat.h | 3 +- openbsd-compat/port-linux.c | 165 ++++++++++++++++++++++++++++++++++++++++ openbsd-compat/port-linux.h | 27 +++++++ session.c | 4 + sshpty.c | 4 + 10 files changed, 247 insertions(+), 10 deletions(-) create mode 100644 openbsd-compat/port-linux.c create mode 100644 openbsd-compat/port-linux.h (limited to 'contrib') diff --git a/ChangeLog b/ChangeLog index 5328aa9c4..92a2f25d6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,14 @@ +20060421 + - (djm) [Makefile.in configure.ac session.c sshpty.c] + [contrib/redhat/sshd.init openbsd-compat/Makefile.in] + [openbsd-compat/openbsd-compat.h openbsd-compat/port-linux.c] + [openbsd-compat/port-linux.h] Add support for SELinux, setting + the execution and TTY contexts. based on patch from Daniel Walsh, + bz #880; ok dtucker@ + 20060418 - - (djm) Reorder IP options check so that it isn't broken by - mapped addresses; bz #1179 reported by markw wtech-llc.com; + - (djm) [canohost.c] Reorder IP options check so that it isn't broken + by mapped addresses; bz #1179 reported by markw wtech-llc.com; ok dtucker@ 20060331 @@ -4500,4 +4508,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4301 2006/04/18 05:13:16 djm Exp $ +$Id: ChangeLog,v 1.4302 2006/04/22 11:26:08 djm Exp $ diff --git a/Makefile.in b/Makefile.in index 57475f003..9bc25e7a7 100644 --- a/Makefile.in 
+++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.276 2006/03/15 02:09:18 djm Exp $ +# $Id: Makefile.in,v 1.277 2006/04/22 11:26:08 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -43,6 +43,7 @@ LD=@LD@ CFLAGS=@CFLAGS@ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ LIBS=@LIBS@ +LIBSELINUX=@LIBSELINUX@ LIBEDIT=@LIBEDIT@ LIBPAM=@LIBPAM@ LIBWRAP=@LIBWRAP@ @@ -136,7 +137,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) - $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS) + $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS) scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) diff --git a/configure.ac b/configure.ac index 9e037ab0e..093c17643 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.338 2006/03/15 21:14:34 dtucker Exp $ +# $Id: configure.ac,v 1.339 2006/04/22 11:26:08 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org) -AC_REVISION($Revision: 1.338 $) +AC_REVISION($Revision: 1.339 $) AC_CONFIG_SRCDIR([ssh.c]) AC_CONFIG_HEADER(config.h) 
@@ -3000,6 +3000,23 @@ int main() [#include ]) ]) +# Check whether user wants SELinux support +SELINUX_MSG="no" +LIBSELINUX="" +AC_ARG_WITH(selinux, + [ --with-selinux Enable SELinux support], + [ if test "x$withval" != "xno" ; then + AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.]) + SELINUX_MSG="yes" + AC_CHECK_HEADER([selinux/selinux.h], , + AC_MSG_ERROR(SELinux support requires selinux.h header)) + AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ], + AC_MSG_ERROR(SELinux support requires libselinux library)) + AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) + fi ] +) +AC_SUBST(LIBSELINUX) + # Check whether user wants Kerberos 5 support KRB5_MSG="no" AC_ARG_WITH(kerberos5, @@ -3818,6 +3835,7 @@ fi echo " Manpage format: $MANTYPE" echo " PAM support: $PAM_MSG" echo " KerberosV support: $KRB5_MSG" +echo " SELinux support: $SELINUX_MSG" echo " Smartcard support: $SCARD_MSG" echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" diff --git a/contrib/redhat/sshd.init b/contrib/redhat/sshd.init index 4ee8630c3..e5d837cbc 100755 --- a/contrib/redhat/sshd.init +++ b/contrib/redhat/sshd.init @@ -35,6 +35,9 @@ do_rsa1_keygen() { if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then chmod 600 $RSA1_KEY chmod 644 $RSA1_KEY.pub + if [ -x /sbin/restorecon ]; then + /sbin/restorecon $RSA1_KEY.pub + fi success $"RSA1 key generation" echo else @@ -51,6 +54,9 @@ do_rsa_keygen() { if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then chmod 600 $RSA_KEY chmod 644 $RSA_KEY.pub + if [ -x /sbin/restorecon ]; then + /sbin/restorecon $RSA_KEY.pub + fi success $"RSA key generation" echo else @@ -67,6 +73,9 @@ do_dsa_keygen() { if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then chmod 600 $DSA_KEY chmod 644 $DSA_KEY.pub + if [ -x /sbin/restorecon ]; then + /sbin/restorecon $DSA_KEY.pub + fi success $"DSA key generation" echo else 
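Review bot: `AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)` runs without `-lselinux` on the link line, because the preceding `AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ], ...)` supplies its own action-if-found and therefore does not add the library to `LIBS`. Both symbols live in libselinux, so the link test fails, `HAVE_GETSEUSERBYNAME` and `HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL` are never defined, and the new port-linux.c silently falls back to the no-level `get_default_context()` path. Wrap the check as `save_LIBS="$LIBS"; LIBS="$LIBS $LIBSELINUX"` before it and `LIBS="$save_LIBS"` after it so the functions are probed against the library that was just found.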
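Review bot: The three sshd.init hunks paste the same `if [ -x /sbin/restorecon ]; then /sbin/restorecon $X.pub; fi` block into do_rsa1_keygen, do_rsa_keygen and do_dsa_keygen; a small helper keeps the three in step when the label handling changes again. Only the `.pub` file is relabelled while the private key created alongside it is not; whether the private key's inherited label is correct depends on the policy's file contexts, so if it is intentional a comment saying so would stop the next reader from "fixing" it. All three enclosing functions start at the hunk header and end outside the hunk.
```shell
# Relabel a freshly generated key file when SELinux tooling is present
restorecon_key() {
	if [ -x /sbin/restorecon ]; then
		/sbin/restorecon "$1"
	fi
}
# … unchanged: do_rsa1_keygen() up to chmod 644 $RSA1_KEY.pub …
		restorecon_key $RSA1_KEY.pub
# … unchanged: remainder of do_rsa1_keygen, same substitution in do_rsa_keygen and do_dsa_keygen …
```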
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in index f1a706241..67e521bfe 100644 --- a/openbsd-compat/Makefile.in +++ b/openbsd-compat/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.38 2006/03/15 02:09:20 djm Exp $ +# $Id: Makefile.in,v 1.39 2006/04/22 11:26:08 djm Exp $ sysconfdir=@sysconfdir@ piddir=@piddir@ @@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgroupl COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o -PORTS=port-irix.o port-aix.o port-uw.o port-tun.o +PORTS=port-irix.o port-linux.o port-aix.o port-uw.o port-tun.o .c.o: $(CC) $(CFLAGS) $(CPPFLAGS) -c $< diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index 432b183e7..eda9c49eb 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h @@ -1,4 +1,4 @@ -/* $Id: openbsd-compat.h,v 1.35 2006/03/15 11:25:55 dtucker Exp $ */ +/* $Id: openbsd-compat.h,v 1.36 2006/04/22 11:26:08 djm Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. @@ -185,6 +185,7 @@ char *shadow_pw(struct passwd *pw); #include "bsd-cray.h" #include "bsd-cygwin_util.h" #include "port-irix.h" +#include "port-linux.h" #include "port-aix.h" #include "port-uw.h" #include "port-tun.h" diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c new file mode 100644 index 000000000..54ec2910e --- /dev/null +++ b/openbsd-compat/port-linux.c 
@@ -0,0 +1,165 @@ +/* $Id: port-linux.c,v 1.1 2006/04/22 11:26:08 djm Exp $ */ + +/* + * Copyright (c) 2005 Daniel Walsh + * Copyright (c) 2006 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * Linux-specific portability code - just SELinux support at present + */ + +#include "includes.h" + +#ifdef WITH_SELINUX +#include "log.h" +#include "port-linux.h" + +#include +#include +#include + +/* Wrapper around is_selinux_enabled() to log its return value once only */ +static int +ssh_selinux_enabled(void) +{ + static int enabled = -1; + + if (enabled == -1) { + enabled = is_selinux_enabled(); + debug("SELinux support %s", enabled ? 
"enabled" : "disabled"); + } + + return (enabled); +} + +/* Return the default security context for the given username */ +static security_context_t +ssh_selinux_getctxbyname(char *pwname) +{ + security_context_t sc; + char *sename = NULL, *lvl = NULL; + int r; + +#ifdef HAVE_GETSEUSERBYNAME + if (getseuserbyname(pwname, &sename, &lvl) != 0) + return NULL; +#else + sename = pwname; + lvl = NULL; +#endif + +#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL + r = get_default_context_with_level(sename, lvl, NULL, &sc); +#else + r = get_default_context(sename, NULL, &sc); +#endif + + if (r != 0) { + switch (security_getenforce()) { + case -1: + fatal("%s: ssh_selinux_getctxbyname: " + "security_getenforce() failed", __func__); + case 0: + error("%s: Failed to get default SELinux security " + "context for %s", __func__, pwname); + default: + fatal("%s: Failed to get default SELinux security " + "context for %s (in enforcing mode)", + __func__, pwname); + } + } + +#ifdef HAVE_GETSEUSERBYNAME + if (sename != NULL) + xfree(sename); + if (lvl != NULL) + xfree(lvl); +#endif + + return (sc); +} + +/* Set the execution context to the default for the specified user */ +void +ssh_selinux_setup_exec_context(char *pwname) +{ + security_context_t user_ctx = NULL; + + if (!ssh_selinux_enabled()) + return; + + debug3("%s: setting execution context", __func__); + + user_ctx = ssh_selinux_getctxbyname(pwname); + if (setexeccon(user_ctx) != 0) { + switch (security_getenforce()) { + case -1: + fatal("%s: security_getenforce() failed", __func__); + case 0: + error("%s: Failed to set SELinux execution " + "context for %s", __func__, pwname); + default: + fatal("%s: Failed to set SELinux execution context " + "for %s (in enforcing mode)", __func__, pwname); + } + } + if (user_ctx != NULL) + freecon(user_ctx); + + debug3("%s: done", __func__); +} + +/* Set the TTY context for the specified user */ +void +ssh_selinux_setup_pty(char *pwname, const char *tty) +{ + security_context_t new_tty_ctx = 
NULL; + security_context_t user_ctx = NULL; + security_context_t old_tty_ctx = NULL; + + if (!ssh_selinux_enabled()) + return; + + debug3("%s: setting TTY context on %s", __func__, tty); + + user_ctx = ssh_selinux_getctxbyname(pwname); + + /* XXX: should these calls fatal() upon failure in enforcing mode? */ + + if (getfilecon(tty, &old_tty_ctx) == -1) { + error("%s: getfilecon: %s", __func__, strerror(errno)); + goto out; + } + + if (security_compute_relabel(user_ctx, old_tty_ctx, + SECCLASS_CHR_FILE, &new_tty_ctx) != 0) { + error("%s: security_compute_relabel: %s", + __func__, strerror(errno)); + goto out; + } + + if (setfilecon(tty, new_tty_ctx) != 0) + error("%s: setfilecon: %s", __func__, strerror(errno)); + out: + if (new_tty_ctx != NULL) + freecon(new_tty_ctx); + if (old_tty_ctx != NULL) + freecon(old_tty_ctx); + if (user_ctx != NULL) + freecon(user_ctx); + debug3("%s: done", __func__); +} +#endif /* WITH_SELINUX */ diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h new file mode 100644 index 000000000..05e520e1c --- /dev/null +++ b/openbsd-compat/port-linux.h 
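Review bot: In ssh_selinux_getctxbyname the `case 0:` arm of the `security_getenforce()` switch has no `break`, so a lookup failure in permissive mode logs the error and then falls through to the `default:` `fatal()` whose message claims "(in enforcing mode)"; ssh_selinux_setup_exec_context has the identical fall-through after its `error()`. The fix is `error(...); sc = NULL; break;` in the first switch (`sc` is otherwise returned uninitialised on that path) and `error(...); break;` in the second, which makes permissive mode behave as the messages describe. Separately, ssh_selinux_setup_pty hands `user_ctx` to `security_compute_relabel()` without checking it, and the `HAVE_GETSEUSERBYNAME` path of ssh_selinux_getctxbyname can return NULL, so a `if (user_ctx == NULL) goto out;` guard after the lookup would be prudent.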
@@ -0,0 +1,27 @@ +/* $Id: port-linux.h,v 1.1 2006/04/22 11:26:08 djm Exp $ */ + +/* + * Copyright (c) 2006 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef _PORT_LINUX_H +#define _PORT_LINUX_H + +#ifdef WITH_SELINUX +void ssh_selinux_setup_pty(char *, const char *); +void ssh_selinux_setup_exec_context(char *); +#endif + +#endif /* ! _PORT_LINUX_H */ diff --git a/session.c b/session.c index 8b837d07d..bba3fa21f 100644 --- a/session.c +++ b/session.c @@ -1352,6 +1352,10 @@ do_setusercontext(struct passwd *pw) #endif if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); + +#ifdef WITH_SELINUX + ssh_selinux_setup_exec_context(pw->pw_name); +#endif } static void diff --git a/sshpty.c b/sshpty.c index a15df0414..0e49e9a16 100644 --- a/sshpty.c +++ b/sshpty.c @@ -210,6 +210,10 @@ pty_setowner(struct passwd *pw, const char *tty) fatal("stat(%.100s) failed: %.100s", tty, strerror(errno)); +#ifdef WITH_SELINUX + ssh_selinux_setup_pty(pw->pw_name, tty); +#endif + if (st.st_uid != pw->pw_uid || st.st_gid != gid) { if (chown(tty, pw->pw_uid, gid) < 0) { if (errno == EROFS && -- cgit v1.2.3 From 288cbbd59ed70dc137f83588a9ded946069776cc Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Thu, 31 Aug 2006 11:28:49 +1000 Subject: - (dtucker) [contrib/cygwin/ssh-host-config] Add SeTcbPrivilege privilege while setting up the ssh service account. Patch from Corinna Vinschen. --- ChangeLog | 4 +++- contrib/cygwin/ssh-host-config | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) (limited to 'contrib') diff --git a/ChangeLog b/ChangeLog index 0a702d3fb..bef6b0538 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,8 @@ [openbsd-compat/port-solaris.h] Add support for Solaris process contracts, enabled with --use-solaris-contracts. Patch from Chad Mynhier, tweaked by dtucker@ and myself; ok dtucker@ + - (dtucker) [contrib/cygwin/ssh-host-config] Add SeTcbPrivilege privilege + while setting up the ssh service account. Patch from Corinna Vinschen. 20060830 - (djm) OpenBSD CVS Sync @@ -5346,4 +5348,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4519 2006/08/30 17:24:41 djm Exp $ +$Id: ChangeLog,v 1.4520 2006/08/31 01:28:49 dtucker Exp $ diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index 09cc3fcf0..e2ad69f19 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config @@ -516,6 +516,7 @@ then fi editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server && editrights -a SeCreateTokenPrivilege -u sshd_server && + editrights -a SeTcbPrivilege -u sshd_server && editrights -a SeDenyInteractiveLogonRight -u sshd_server && editrights -a SeDenyNetworkLogonRight -u sshd_server && editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server && -- cgit v1.2.3 From 9fdeb66f67ebdadc1d558736bce99a7d4909713c Mon Sep 17 00:00:00 2001 
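Review bot: `editrights -a SeTcbPrivilege -u sshd_server` grants the service account the "act as part of the operating system" privilege with no comment on why it is needed, and the commit message does not say either. Since the surrounding chain shows this account is meant to be non-interactive (the SeDeny*LogonRight lines), a short comment above the chain such as `# sshd_server needs SeAssignPrimaryToken/SeCreateToken/SeTcb to build and assign user tokens when switching user context; the SeDeny* rights keep the account itself from logging on` would document both the grant and the compensating restriction — the token-creation reason is my inference from the neighbouring privileges and should be confirmed before it is written down.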
From: Darren Tucker Date: Fri, 1 Sep 2006 21:32:53 +1000 Subject: - (dtucker) [README contrib/{caldera,redhat,suse}/openssh.spec] Crank versions. --- ChangeLog | 4 +++- README | 4 ++-- contrib/caldera/openssh.spec | 4 ++-- contrib/redhat/openssh.spec | 2 +- contrib/suse/openssh.spec | 2 +- 5 files changed, 9 insertions(+), 7 deletions(-) (limited to 'contrib') diff --git a/ChangeLog b/ChangeLog index 0cbd4b627..fb9f971a3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -24,6 +24,8 @@ Stops sftp from segfaulting when attempting to get a nonexistent file on Cygwin (previous versions of OpenSSH didn't use the native glob). Partly from and tested by Corinna Vinschen. + - (dtucker) [README contrib/{caldera,redhat,suse}/openssh.spec] Crank + versions. 20060831 - (djm) [CREDITS LICENCE Makefile.in auth.c configure.ac includes.h ] @@ -5375,4 +5377,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4524 2006/09/01 10:29:10 dtucker Exp $ +$Id: ChangeLog,v 1.4525 2006/09/01 11:32:53 dtucker Exp $ diff --git a/README b/README index 9b05205b8..d0bacc564 100644 --- a/README +++ b/README @@ -1,4 +1,4 @@ -See http://www.openssh.com/txt/release-4.3p2 for the release notes. +See http://www.openssh.com/txt/release-4.4 for the release notes. - A Japanese translation of this document and of the OpenSSH FAQ is - available at http://www.unixuser.org/~haruyama/security/openssh/index.html @@ -62,4 +62,4 @@ References - [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 [7] http://www.openssh.com/faq.html -$Id: README,v 1.62 2006/02/12 05:48:56 dtucker Exp $ +$Id: README,v 1.63 2006/09/01 11:32:53 dtucker Exp $ diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index 77fc51897..60d0fb311 100644 --- a/contrib/caldera/openssh.spec +++ b/contrib/caldera/openssh.spec 
@@ -17,7 +17,7 @@ #old cvs stuff. please update before use. may be deprecated. %define use_stable 1 %if %{use_stable} - %define version 4.3p2 + %define version 4.4p1 %define cvs %{nil} %define release 1 %else @@ -357,4 +357,4 @@ fi * Mon Jan 01 1998 ... Template Version: 1.31 -$Id: openssh.spec,v 1.57 2006/02/12 05:48:56 dtucker Exp $ +$Id: openssh.spec,v 1.58 2006/09/01 11:32:53 dtucker Exp $ diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index cbdf7bbc7..58be31f4c 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%define ver 4.3p2 +%define ver 4.4p1 %define rel 1 # OpenSSH privilege separation requires a user & group ID diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index b49e78c65..8c1da610c 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 4.3p2 +Version: 4.4p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz -- cgit v1.2.3 From 19a66dbf4f929c0d9aa89af5b2282470cfb5726b Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sat, 9 Sep 2006 20:34:15 +1000 Subject: - (dtucker) [contrib/aix/buildbff.sh] Always create privsep user. --- ChangeLog | 3 ++- contrib/aix/buildbff.sh | 44 ++++++++++++++++++++------------------------ 2 files changed, 22 insertions(+), 25 deletions(-) (limited to 'contrib') diff --git a/ChangeLog b/ChangeLog index ead33c85b..5791ec255 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,6 @@ 20060909 - (dtucker) [openbsd-compat/bsd-snprintf.c] Add stdarg.h. + - (dtucker) [contrib/aix/buildbff.sh] Always create privsep user. 20060908 - (dtucker) [auth-sia.c] Add includes required for build on Tru64. Patch 
@@ -5418,4 +5419,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4538 2006/09/09 05:59:43 dtucker Exp $ +$Id: ChangeLog,v 1.4539 2006/09/09 10:34:15 dtucker Exp $ diff --git a/contrib/aix/buildbff.sh b/contrib/aix/buildbff.sh index 09b9c118c..03f0d6048 100755 --- a/contrib/aix/buildbff.sh +++ b/contrib/aix/buildbff.sh @@ -1,7 +1,7 @@ #!/bin/sh # # buildbff.sh: Create AIX SMIT-installable OpenSSH packages -# $Id: buildbff.sh,v 1.8 2005/03/29 13:24:12 dtucker Exp $ +# $Id: buildbff.sh,v 1.9 2006/09/09 10:34:15 dtucker Exp $ # # Author: Darren Tucker (dtucker at zip dot com dot au) # This file is placed in the public domain and comes with absolutely 
@@ -200,33 +200,29 @@ do done echo -# Create PrivSep user if PrivSep not disabled in config -echo Creating PrivSep prereqs if required. -if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null +# Create PrivilegeSeparation user and group if not present +echo Checking for PrivilegeSeparation user and group. +if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null then - echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user," - echo "group or chroot directory." + echo "PrivSep group $SSH_PRIVSEP_USER already exists." else - echo "UsePrivilegeSeparation enabled in config (or defaulting to on)." - - # create group if required - if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null - then - echo "PrivSep group $SSH_PRIVSEP_USER already exists." - else - echo "Creating PrivSep group $SSH_PRIVSEP_USER." - mkgroup -A $SSH_PRIVSEP_USER - fi + echo "Creating PrivSep group $SSH_PRIVSEP_USER." + mkgroup -A $SSH_PRIVSEP_USER +fi - # Create user if required - if lsuser "$SSH_PRIVSEP_USER" >/dev/null - then - echo "PrivSep user $SSH_PRIVSEP_USER already exists." - else - echo "Creating PrivSep user $SSH_PRIVSEP_USER." - mkuser gecos='SSHD PrivSep User' login=false rlogin=false account_locked=true pgrp=$SSH_PRIVSEP_USER $SSH_PRIVSEP_USER - fi +# Create user if required +if lsuser "$SSH_PRIVSEP_USER" >/dev/null +then + echo "PrivSep user $SSH_PRIVSEP_USER already exists." +else + echo "Creating PrivSep user $SSH_PRIVSEP_USER." + mkuser gecos='SSHD PrivSep User' login=false rlogin=false account_locked=true pgrp=$SSH_PRIVSEP_USER $SSH_PRIVSEP_USER +fi +if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null +then + echo UsePrivilegeSeparation not enabled, privsep directory not required. +else # create chroot directory if required if [ -d $PRIVSEP_PATH ] then -- cgit v1.2.3 From f376669328e6df2dc78936786787150d98a1df80 Mon Sep 17 00:00:00 2001 
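Review bot: The group-exists test `egrep '^'$SSH_PRIVSEP_USER'\$'` passes the two characters `\$` to egrep because the backslash survives single quotes; in an ERE `\$` matches a literal dollar sign, so the pattern `^<name>\$` never matches a plain group name and `mkgroup -A` is attempted on every run. Unless AIX's egrep treats the sequence as an end-of-line anchor, the line should be `egrep '^'"$SSH_PRIVSEP_USER"'$'`, which also quotes the variable the way the `lsuser "$SSH_PRIVSEP_USER"` test below already does. The `if egrep ... UsePrivilegeSeparation ... else` block that the hunk ends in continues outside the hunk.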
From: Darren Tucker Date: Sun, 10 Sep 2006 13:24:18 +1000 Subject: - (dtucker) [contrib/aix/buildbff.sh] Ensure that perl is available. --- ChangeLog | 5 ++++- contrib/aix/buildbff.sh | 4 +++- 2 files changed, 7 insertions(+), 2 deletions(-) (limited to 'contrib') diff --git a/ChangeLog b/ChangeLog index 0ebeee281..b746504c5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20060910 + - (dtucker) [contrib/aix/buildbff.sh] Ensure that perl is available. + 20060909 - (dtucker) [openbsd-compat/bsd-snprintf.c] Add stdarg.h. - (dtucker) [contrib/aix/buildbff.sh] Always create privsep user. @@ -5420,4 +5423,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4540 2006/09/09 10:41:25 dtucker Exp $ +$Id: ChangeLog,v 1.4541 2006/09/10 03:24:18 dtucker Exp $ diff --git a/contrib/aix/buildbff.sh b/contrib/aix/buildbff.sh index 03f0d6048..97a7cbbba 100755 --- a/contrib/aix/buildbff.sh +++ b/contrib/aix/buildbff.sh @@ -1,7 +1,7 @@ #!/bin/sh # # buildbff.sh: Create AIX SMIT-installable OpenSSH packages -# $Id: buildbff.sh,v 1.9 2006/09/09 10:34:15 dtucker Exp $ +# $Id: buildbff.sh,v 1.10 2006/09/10 03:24:19 dtucker Exp $ # # Author: Darren Tucker (dtucker at zip dot com dot au) # This file is placed in the public domain and comes with absolutely @@ -23,6 +23,8 @@ umask 022 startdir=`pwd` +perl -v >/dev/null || (echo perl required; exit 1) + # Path to inventory.sh: same place as buildbff.sh if echo $0 | egrep '^/' then -- cgit v1.2.3 From c2820c5822a974e21b82d45739abdaeaee5e183e Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 7 Nov 2006 23:25:45 +1100 Subject: - (dtucker) [README contrib/{caldera,redhat,contrib}/openssh.spec] Bump versions. --- ChangeLog | 4 +++- README | 4 ++-- contrib/caldera/openssh.spec | 4 ++-- contrib/redhat/openssh.spec | 2 +- contrib/suse/openssh.spec | 2 +- 5 files changed, 9 insertions(+), 7 deletions(-) (limited to 'contrib') 
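Review bot: `perl -v >/dev/null || (echo perl required; exit 1)` does not stop the build when perl is missing, because the parentheses run `exit 1` in a subshell and the script carries on to the next line. Use a brace group so the exit applies to the script itself: `perl -v >/dev/null 2>&1 || { echo "perl required" >&2; exit 1; }`, which also keeps perl's own stderr out of the output and sends the diagnostic to stderr.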
diff --git a/ChangeLog b/ChangeLog index 075ba5359..7ec76986a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,8 @@ correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@ + - (dtucker) [README contrib/{caldera,redhat,contrib}/openssh.spec] Bump + versions. 20061105 - (djm) OpenBSD CVS Sync @@ -2602,4 +2604,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4586 2006/11/07 12:16:08 dtucker Exp $ +$Id: ChangeLog,v 1.4587 2006/11/07 12:25:45 dtucker Exp $ diff --git a/README b/README index d0bacc564..fb53b554b 100644 --- a/README +++ b/README @@ -1,4 +1,4 @@ -See http://www.openssh.com/txt/release-4.4 for the release notes. +See http://www.openssh.com/txt/release-4.5 for the release notes. - A Japanese translation of this document and of the OpenSSH FAQ is - available at http://www.unixuser.org/~haruyama/security/openssh/index.html @@ -62,4 +62,4 @@ References - [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 [7] http://www.openssh.com/faq.html -$Id: README,v 1.63 2006/09/01 11:32:53 dtucker Exp $ +$Id: README,v 1.64 2006/11/07 12:25:45 dtucker Exp $ diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index 60d0fb311..15d95195b 100644 --- a/contrib/caldera/openssh.spec +++ b/contrib/caldera/openssh.spec @@ -17,7 +17,7 @@ #old cvs stuff. please update before use. may be deprecated. %define use_stable 1 %if %{use_stable} - %define version 4.4p1 + %define version 4.5p1 %define cvs %{nil} %define release 1 %else @@ -357,4 +357,4 @@ fi * Mon Jan 01 1998 ... Template Version: 1.31 -$Id: openssh.spec,v 1.58 2006/09/01 11:32:53 dtucker Exp $ +$Id: openssh.spec,v 1.59 2006/11/07 12:25:45 dtucker Exp $ diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 58be31f4c..52e867623 100644 
--- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%define ver 4.4p1 +%define ver 4.5p1 %define rel 1 # OpenSSH privilege separation requires a user & group ID diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 8c1da610c..797964cd2 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 4.4p1 +Version: 4.5p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz -- cgit v1.2.3 From 53ced25d6185b4a02305e9d4bf648113155dde07 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 19 Feb 2007 22:44:25 +1100 Subject: - (dtucker) [contrib/findssl.sh] Add "which" as a shell function since some platforms don't have it. Patch from dleonard at vintela.com. --- ChangeLog | 4 +++- contrib/findssl.sh | 21 ++++++++++++++++++++- 2 files changed, 23 insertions(+), 2 deletions(-) (limited to 'contrib') diff --git a/ChangeLog b/ChangeLog index ec16391eb..6f01b02a3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -41,6 +41,8 @@ authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@ + - (dtucker) [contrib/findssl.sh] Add "which" as a shell function since some + platforms don't have it. Patch from dleonard at vintela.com. 20070128 - (djm) [channels.c serverloop.c] Fix so-called "hang on exit" (bz #52) @@ -2736,4 +2738,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4617 2007/02/19 11:25:37 dtucker Exp $ +$Id: ChangeLog,v 1.4618 2007/02/19 11:44:25 dtucker Exp $ diff --git a/contrib/findssl.sh b/contrib/findssl.sh index 716abced5..263fd2644 100644 --- a/contrib/findssl.sh +++ b/contrib/findssl.sh 
@@ -1,6 +1,6 @@ #!/bin/sh # -# $Id: findssl.sh,v 1.3 2004/12/13 07:08:33 dtucker Exp $ +# $Id: findssl.sh,v 1.4 2007/02/19 11:44:25 dtucker Exp $ # # findssl.sh # Search for all instances of OpenSSL headers and libraries @@ -89,6 +89,25 @@ LD_LIBRARY_PATH=${LD_LIBRARY_PATH:=$DEFAULT_LIBPATH} LIBRARY_PATH=${LIBRARY_PATH:=$DEFAULT_LIBPATH} export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH +# not all platforms have a 'which' command +if which ls >/dev/null 2>/dev/null; then + : which is defined +else + which () { + saveIFS="$IFS" + IFS=: + for p in $PATH; do + if test -x "$p/$1" -a -f "$p/$1"; then + IFS="$saveIFS" + echo "$p/$1" + return 0 + fi + done + IFS="$saveIFS" + return 1 + } +fi + # # Search for OpenSSL headers and print versions # -- cgit v1.2.3 From d91cfab08801f89717e13016121154a8aabc791c Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 6 Mar 2007 21:23:24 +1100 Subject: - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] crank spec files for release --- ChangeLog | 4 +++- contrib/caldera/openssh.spec | 4 ++-- contrib/redhat/openssh.spec | 2 +- contrib/suse/openssh.spec | 2 +- 4 files changed, 7 insertions(+), 5 deletions(-) (limited to 'contrib') diff --git a/ChangeLog b/ChangeLog index c74a826f0..122de9eb5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,8 @@ - djm@cvs.openbsd.org 2007/03/06 10:13:14 [version.h] openssh-4.6; "please" deraadt@ + - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] + [contrib/suse/openssh.spec] crank spec files for release 20070304 - (djm) [configure.ac] add a --without-openssl-header-check option to @@ -2812,4 +2814,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4633 2007/03/06 10:21:37 djm Exp $ +$Id: ChangeLog,v 1.4634 2007/03/06 10:23:24 djm Exp $ 
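Review bot: The fallback `which ()` saves IFS with `saveIFS="$IFS"` and restores it by assignment, which turns an unset IFS into an empty IFS and disables field splitting for the rest of findssl.sh; shells normally initialise IFS at startup, so this is unlikely to bite, but doing the PATH walk in a subshell removes the save/restore entirely and the early `IFS="$saveIFS"` before `echo` along with it. The `-x ... -a -f` test and the printed `"$p/$1"` are otherwise fine for the script's own use.
```shell
	which () {
		# walk PATH in a subshell so IFS never needs restoring
		(
			IFS=:
			for p in $PATH; do
				if test -x "$p/$1" -a -f "$p/$1"; then
					echo "$p/$1"
					exit 0
				fi
			done
			exit 1
		)
	}
```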
diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index 15d95195b..3d756eb7f 100644 --- a/contrib/caldera/openssh.spec +++ b/contrib/caldera/openssh.spec @@ -17,7 +17,7 @@ #old cvs stuff. please update before use. may be deprecated. %define use_stable 1 %if %{use_stable} - %define version 4.5p1 + %define version 4.6p1 %define cvs %{nil} %define release 1 %else @@ -357,4 +357,4 @@ fi * Mon Jan 01 1998 ... Template Version: 1.31 -$Id: openssh.spec,v 1.59 2006/11/07 12:25:45 dtucker Exp $ +$Id: openssh.spec,v 1.60 2007/03/06 10:23:27 djm Exp $ diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 52e867623..08515d2b0 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%define ver 4.5p1 +%define ver 4.6p1 %define rel 1 # OpenSSH privilege separation requires a user & group ID diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 797964cd2..95b394f18 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 4.5p1 +Version: 4.6p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz -- cgit v1.2.3