diff --git a/.cvsignore b/.cvsignore index f41a76f..f169a74 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -openssh-4.7p1-noacss.tar.bz2 +openssh-5.0p1-noacss.tar.bz2 diff --git a/openssh-3.9p1-skip-used.patch b/openssh-3.9p1-skip-used.patch deleted file mode 100644 index 95ba3d1..0000000 --- a/openssh-3.9p1-skip-used.patch +++ /dev/null @@ -1,12 +0,0 @@ ---- openssh-3.9p1/channels.c.skip-used 2005-07-08 22:42:35.000000000 +0200 -+++ openssh-3.9p1/channels.c 2005-07-25 21:34:29.000000000 +0200 -@@ -2653,9 +2653,6 @@ - debug2("bind port %d: %.100s", port, strerror(errno)); - close(sock); - -- if (ai->ai_next) -- continue; -- - for (n = 0; n < num_socks; n++) { - close(socks[n]); - } diff --git a/openssh-4.2p1-pam-no-stack.patch b/openssh-4.2p1-pam-no-stack.patch deleted file mode 100644 index 7299ac3..0000000 --- a/openssh-4.2p1-pam-no-stack.patch +++ /dev/null @@ -1,16 +0,0 @@ ---- openssh-4.2p1/contrib/redhat/sshd.pam.stack 2004-07-21 03:01:41.000000000 +0200 -+++ openssh-4.2p1/contrib/redhat/sshd.pam 2005-10-07 14:18:50.000000000 +0200 -@@ -1,6 +1,8 @@ - #%PAM-1.0 --auth required pam_stack.so service=system-auth --auth required pam_nologin.so --account required pam_stack.so service=system-auth --password required pam_stack.so service=system-auth --session required pam_stack.so service=system-auth -+auth include system-auth -+account required pam_nologin.so -+account include system-auth -+password include system-auth -+session optional pam_keyinit.so force revoke -+session include system-auth -+session required pam_loginuid.so diff --git a/openssh-4.3p2-initscript.patch b/openssh-4.3p2-initscript.patch deleted file mode 100644 index a75106b..0000000 --- a/openssh-4.3p2-initscript.patch +++ /dev/null @@ -1,66 +0,0 @@ ---- openssh-4.5p1/contrib/redhat/sshd.init.initscript 2006-04-22 13:26:08.000000000 +0200 -+++ openssh-4.5p1/contrib/redhat/sshd.init 2007-07-25 18:26:50.000000000 +0200 -@@ -29,6 +29,8 @@ - DSA_KEY=/etc/ssh/ssh_host_dsa_key - PID_FILE=/var/run/sshd.pid - -+runlevel=$(set -- $(runlevel); eval "echo \$$#" ) -+ - do_rsa1_keygen() { - if [ ! -s $RSA1_KEY ]; then - echo -n $"Generating SSH1 RSA host key: " -@@ -99,12 +101,14 @@ - start() - { - # Create keys if necessary -- do_rsa1_keygen -- do_rsa_keygen -- do_dsa_keygen -+ if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then -+ do_rsa1_keygen -+ do_rsa_keygen -+ do_dsa_keygen -+ fi - -- echo -n $"Starting $prog:" -- initlog -c "$SSHD $OPTIONS" && success || failure -+ echo -n $"Starting $prog: " -+ $SSHD $OPTIONS && success || failure - RETVAL=$? - [ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd - echo -@@ -112,17 +116,30 @@ - - stop() - { -- echo -n $"Stopping $prog:" -- killproc $SSHD -TERM -+ echo -n $"Stopping $prog: " -+ if [ -n "`pidfileofproc $SSHD`" ] ; then -+ killproc $SSHD -+ else -+ failure $"Stopping $prog" -+ fi - RETVAL=$? -+ # if we are in halt or reboot runlevel kill all running sessions -+ # so the TCP connections are closed cleanly -+ if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ; then -+ killall $prog 2>/dev/null -+ fi - [ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd - echo - } - - reload() - { -- echo -n $"Reloading $prog:" -- killproc $SSHD -HUP -+ echo -n $"Reloading $prog: " -+ if [ -n "`pidfileofproc $SSHD`" ] ; then -+ killproc $SSHD -HUP -+ else -+ failure $"Reloading $prog" -+ fi - RETVAL=$? - echo - } diff --git a/openssh-4.5p1-controlcleanup.patch b/openssh-4.5p1-controlcleanup.patch new file mode 100644 index 0000000..23822c5 --- /dev/null +++ b/openssh-4.5p1-controlcleanup.patch @@ -0,0 +1,15 @@ +--- openssh-4.5p1/ssh.c~ 2007-03-24 16:25:18.000000000 +0000 ++++ openssh-4.5p1/ssh.c 2007-03-24 16:31:06.000000000 +0000 +@@ -1347,7 +1347,11 @@ + } + if (errno == ENOENT) + debug("Control socket \"%.100s\" does not exist", path); +- else { ++ else if (errno == ECONNREFUSED) { ++ debug("Control socket connect(%.100s): %s", path, ++ strerror(errno)); ++ unlink(path); ++ } else { + error("Control socket connect(%.100s): %s", path, + strerror(errno)); + } diff --git a/openssh-4.7p1-master-race.patch b/openssh-4.7p1-master-race.patch new file mode 100644 index 0000000..8662c43 --- /dev/null +++ b/openssh-4.7p1-master-race.patch @@ -0,0 +1,85 @@ +--- openssh-4.7p1/ssh.c.masterrace 2008-03-06 13:55:11.000000000 +0000 ++++ openssh-4.7p1/ssh.c 2008-03-06 13:55:19.000000000 +0000 +@@ -1065,7 +1065,7 @@ client_global_request_reply_fwd(int type + } + } + +-static void ++static int + ssh_control_listener(void) + { + struct sockaddr_un addr; +@@ -1073,10 +1073,11 @@ ssh_control_listener(void) + int addr_len; + + if (options.control_path == NULL || +- options.control_master == SSHCTL_MASTER_NO) +- return; ++ options.control_master == SSHCTL_MASTER_NO || ++ control_fd != -1) ++ return 1; + +- debug("setting up multiplex master socket"); ++ debug("trying to set up multiplex master socket"); + + memset(&addr, '\0', sizeof(addr)); + addr.sun_family = AF_UNIX; +@@ -1093,11 +1094,9 @@ ssh_control_listener(void) + old_umask = umask(0177); + if (bind(control_fd, (struct sockaddr *)&addr, addr_len) == -1) { + control_fd = -1; +- if (errno == EINVAL || errno == EADDRINUSE) +- fatal("ControlSocket %s already exists", +- options.control_path); +- else ++ if (errno != EINVAL && errno != EADDRINUSE) + fatal("%s bind(): %s", __func__, strerror(errno)); ++ return 0; + } + umask(old_umask); + +@@ -1105,6 +1104,9 @@ ssh_control_listener(void) + fatal("%s listen(): %s", __func__, strerror(errno)); + + set_nonblock(control_fd); ++ ++ debug("control master listening on %s", options.control_path); ++ return 1; + } + + /* request pty/x11/agent/tcpfwd/shell for channel */ +@@ -1196,7 +1198,9 @@ ssh_session2(void) + ssh_init_forwarding(); + + /* Start listening for multiplex clients */ +- ssh_control_listener(); ++ if (!ssh_control_listener()) ++ fatal("control master socket %s already exists", ++ options.control_path); + + /* + * If we are the control master, and if control_persist is set, +@@ -1375,7 +1379,13 @@ control_client(const char *path) + switch (options.control_master) { + case SSHCTL_MASTER_AUTO: + case SSHCTL_MASTER_AUTO_ASK: +- debug("auto-mux: Trying existing master"); ++ /* see if we can create a control master socket ++ to avoid a race between two auto clients */ ++ if (mux_command == SSHMUX_COMMAND_OPEN && ++ ssh_control_listener()) ++ return; ++ debug("trying to connect to control master socket %s", ++ options.control_path); + /* FALLTHROUGH */ + case SSHCTL_MASTER_NO: + break; +@@ -1522,6 +1532,8 @@ control_client(const char *path) + signal(SIGTERM, control_client_sighandler); + signal(SIGWINCH, control_client_sigrelay); + ++ debug("connected to control master; waiting for exit"); ++ + if (tty_flag) + enter_raw_mode(); + diff --git a/openssh-4.7p1-mls.patch b/openssh-4.7p1-mls.patch index 04b83be..48eba4c 100644 --- a/openssh-4.7p1-mls.patch +++ b/openssh-4.7p1-mls.patch @@ -42,12 +42,6 @@ diff -up openssh-4.7p1/session.c.mls openssh-4.7p1/session.c diff -up openssh-4.7p1/openbsd-compat/port-linux.c.mls openssh-4.7p1/openbsd-compat/port-linux.c --- openssh-4.7p1/openbsd-compat/port-linux.c.mls 2007-09-06 17:39:28.000000000 +0200 +++ openssh-4.7p1/openbsd-compat/port-linux.c 2007-08-07 17:38:18.000000000 +0200 -@@ -1,4 +1,4 @@ --/* $Id: port-linux.c,v 1.4 2007/06/27 22:48:03 djm Exp $ */ -+/* $Id: port-linux.c,v 1.3 2006/09/01 05:38:41 djm Exp $ */ - - /* - * Copyright (c) 2005 Daniel Walsh @@ -33,12 +33,23 @@ #include "key.h" #include "hostfile.h" diff --git a/openssh-4.7p1-packetdefsize.patch b/openssh-4.7p1-packetdefsize.patch deleted file mode 100644 index 391cbe6..0000000 --- a/openssh-4.7p1-packetdefsize.patch +++ /dev/null @@ -1,25 +0,0 @@ -Index: clientloop.c -=================================================================== -RCS file: /usr/local/src/security/openssh/cvs/openssh/clientloop.c,v -retrieving revision 1.170 -diff -u -p -r1.170 clientloop.c ---- clientloop.c 28 Dec 2007 15:45:07 -0000 1.170 -+++ clientloop.c 28 Dec 2007 18:14:10 -0000 -@@ -1745,7 +1745,7 @@ client_request_forwarded_tcpip(const cha - } - c = channel_new("forwarded-tcpip", - SSH_CHANNEL_CONNECTING, sock, sock, -1, -- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0, -+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, - originator_address, 1); - xfree(originator_address); - xfree(listen_address); -@@ -1803,7 +1803,7 @@ client_request_agent(const char *request - return NULL; - c = channel_new("authentication agent connection", - SSH_CHANNEL_OPEN, sock, sock, -1, -- CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0, -+ CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, - "authentication agent connection", 1); - c->force_drain = 1; - return c; diff --git a/openssh-4.7p1-pam-session.patch b/openssh-4.7p1-pam-session.patch deleted file mode 100644 index 8c1c791..0000000 --- a/openssh-4.7p1-pam-session.patch +++ /dev/null @@ -1,137 +0,0 @@ -diff -up openssh-4.7p1/session.c.pam-session openssh-4.7p1/session.c ---- openssh-4.7p1/session.c.pam-session 2007-08-16 15:28:04.000000000 +0200 -+++ openssh-4.7p1/session.c 2007-09-06 17:37:46.000000000 +0200 -@@ -422,11 +422,6 @@ do_exec_no_pty(Session *s, const char *c - - session_proctitle(s); - --#if defined(USE_PAM) -- if (options.use_pam && !use_privsep) -- do_pam_setcred(1); --#endif /* USE_PAM */ -- - /* Fork the child. */ - if ((pid = fork()) == 0) { - is_child = 1; -@@ -557,14 +552,6 @@ do_exec_pty(Session *s, const char *comm - ptyfd = s->ptyfd; - ttyfd = s->ttyfd; - --#if defined(USE_PAM) -- if (options.use_pam) { -- do_pam_set_tty(s->tty); -- if (!use_privsep) -- do_pam_setcred(1); -- } --#endif -- - /* Fork the child. */ - if ((pid = fork()) == 0) { - is_child = 1; -@@ -1300,17 +1287,9 @@ do_setusercontext(struct passwd *pw) - # ifdef __bsdi__ - setpgid(0, 0); - # endif --#ifdef GSSAPI -- if (options.gss_authentication) { -- temporarily_use_uid(pw); -- ssh_gssapi_storecreds(); -- restore_uid(); -- } --#endif - # ifdef USE_PAM - if (options.use_pam) { -- do_pam_session(); -- do_pam_setcred(use_privsep); -+ do_pam_setcred(0); - } - # endif /* USE_PAM */ - if (setusercontext(lc, pw, pw->pw_uid, -@@ -1337,13 +1316,6 @@ do_setusercontext(struct passwd *pw) - exit(1); - } - endgrent(); --#ifdef GSSAPI -- if (options.gss_authentication) { -- temporarily_use_uid(pw); -- ssh_gssapi_storecreds(); -- restore_uid(); -- } --#endif - # ifdef USE_PAM - /* - * PAM credentials may take the form of supplementary groups. -@@ -1351,8 +1323,7 @@ do_setusercontext(struct passwd *pw) - * Reestablish them here. - */ - if (options.use_pam) { -- do_pam_session(); -- do_pam_setcred(use_privsep); -+ do_pam_setcred(0); - } - # endif /* USE_PAM */ - # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) -diff -up openssh-4.7p1/sshd.c.pam-session openssh-4.7p1/sshd.c ---- openssh-4.7p1/sshd.c.pam-session 2007-09-06 17:37:46.000000000 +0200 -+++ openssh-4.7p1/sshd.c 2007-09-06 17:37:46.000000000 +0200 -@@ -1831,7 +1831,21 @@ main(int ac, char **av) - audit_event(SSH_AUTH_SUCCESS); - #endif - -- /* -+#ifdef GSSAPI -+ if (options.gss_authentication) { -+ temporarily_use_uid(authctxt->pw); -+ ssh_gssapi_storecreds(); -+ restore_uid(); -+ } -+#endif -+#ifdef USE_PAM -+ if (options.use_pam) { -+ do_pam_setcred(1); -+ do_pam_session(); -+ } -+#endif -+ -+ /* - * In privilege separation, we fork another child and prepare - * file descriptor passing. - */ -diff -up openssh-4.7p1/monitor.c.pam-session openssh-4.7p1/monitor.c ---- openssh-4.7p1/monitor.c.pam-session 2007-09-06 17:37:46.000000000 +0200 -+++ openssh-4.7p1/monitor.c 2007-09-06 17:37:46.000000000 +0200 -@@ -1566,6 +1566,11 @@ mm_answer_term(int sock, Buffer *req) - /* The child is terminating */ - session_destroy_all(&mm_session_close); - -+#ifdef USE_PAM -+ if (options.use_pam) -+ sshpam_cleanup(); -+#endif -+ - while (waitpid(pmonitor->m_pid, &status, 0) == -1) - if (errno != EINTR) - exit(1); -diff -up openssh-4.7p1/auth-pam.c.pam-session openssh-4.7p1/auth-pam.c ---- openssh-4.7p1/auth-pam.c.pam-session 2007-08-10 06:32:34.000000000 +0200 -+++ openssh-4.7p1/auth-pam.c 2007-09-06 17:37:46.000000000 +0200 -@@ -598,15 +598,17 @@ static struct pam_conv store_conv = { ss - void - sshpam_cleanup(void) - { -- debug("PAM: cleanup"); -- if (sshpam_handle == NULL) -+ if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor())) - return; -+ debug("PAM: cleanup"); - pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv); - if (sshpam_cred_established) { -+ debug("PAM: deleting credentials"); - pam_setcred(sshpam_handle, PAM_DELETE_CRED); - sshpam_cred_established = 0; - } - if (sshpam_session_open) { -+ debug("PAM: closing session"); - pam_close_session(sshpam_handle, PAM_SILENT); - sshpam_session_open = 0; - } diff --git a/openssh-4.7p1-sftp-doclose.patch b/openssh-4.7p1-sftp-doclose.patch deleted file mode 100644 index 821b241..0000000 --- a/openssh-4.7p1-sftp-doclose.patch +++ /dev/null @@ -1,13 +0,0 @@ -Without this do_close() I get "Couldn't get handle: Failure" -on every operation after N times through this failure path -where N = 100 on OpenBSD and N = 200 on GNU/Linux. ---- src/usr.bin/ssh/sftp-client.c.orig Sun Sep 16 00:55:52 2007 -+++ src/usr.bin/ssh/sftp-client.c Mon Oct 15 10:12:50 2007 -@@ -813,6 +813,7 @@ do_download(struct sftp_conn *conn, char - if (local_fd == -1) { - error("Couldn't open local file \"%s\" for writing: %s", - local_path, strerror(errno)); -+ do_close(conn, handle, handle_len); - buffer_free(&msg); - xfree(handle); - return(-1); diff --git a/openssh-4.7p1-sftp-drain-acks.patch b/openssh-4.7p1-sftp-drain-acks.patch deleted file mode 100644 index 0664aa9..0000000 --- a/openssh-4.7p1-sftp-drain-acks.patch +++ /dev/null @@ -1,71 +0,0 @@ -diff -up openssh-4.7p1/sftp-client.c.drain-acks openssh-4.7p1/sftp-client.c ---- openssh-4.7p1/sftp-client.c.drain-acks 2007-02-19 12:13:39.000000000 +0100 -+++ openssh-4.7p1/sftp-client.c 2007-09-06 17:54:41.000000000 +0200 -@@ -992,7 +992,8 @@ int - do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, - int pflag) - { -- int local_fd, status; -+ int local_fd; -+ int status = SSH2_FX_OK; - u_int handle_len, id, type; - u_int64_t offset; - char *handle, *data; -@@ -1074,7 +1075,7 @@ do_upload(struct sftp_conn *conn, char * - * Simulate an EOF on interrupt, allowing ACKs from the - * server to drain. - */ -- if (interrupted) -+ if (interrupted || status != SSH2_FX_OK) - len = 0; - else do - len = read(local_fd, data, conn->transfer_buflen); -@@ -1131,18 +1132,6 @@ do_upload(struct sftp_conn *conn, char * - fatal("Can't find request for ID %u", r_id); - TAILQ_REMOVE(&acks, ack, tq); - -- if (status != SSH2_FX_OK) { -- error("Couldn't write to remote file \"%s\": %s", -- remote_path, fx2txt(status)); -- if (showprogress) -- stop_progress_meter(); -- do_close(conn, handle, handle_len); -- close(local_fd); -- xfree(data); -- xfree(ack); -- status = -1; -- goto done; -- } - debug3("In write loop, ack for %u %u bytes at %llu", - ack->id, ack->len, (unsigned long long)ack->offset); - ++ackid; -@@ -1154,21 +1143,25 @@ do_upload(struct sftp_conn *conn, char * - stop_progress_meter(); - xfree(data); - -+ if (status != SSH2_FX_OK) { -+ error("Couldn't write to remote file \"%s\": %s", -+ remote_path, fx2txt(status)); -+ status = -1; -+ } -+ - if (close(local_fd) == -1) { - error("Couldn't close local file \"%s\": %s", local_path, - strerror(errno)); -- do_close(conn, handle, handle_len); - status = -1; -- goto done; - } - - /* Override umask and utimes if asked */ - if (pflag) - do_fsetstat(conn, handle, handle_len, &a); - -- status = do_close(conn, handle, handle_len); -+ if (do_close(conn, handle, handle_len) != SSH2_FX_OK) -+ status = -1; - --done: - xfree(handle); - buffer_free(&msg); - return(status); diff --git a/openssh-4.7p1-sshd-v6only.patch b/openssh-4.7p1-sshd-v6only.patch deleted file mode 100644 index 1f71cea..0000000 --- a/openssh-4.7p1-sshd-v6only.patch +++ /dev/null @@ -1,30 +0,0 @@ ---- sshd.c 2007-06-05 01:22:32.000000000 -0700 -+++ sshd.c.new 2007-11-17 00:07:08.000000000 -0800 -@@ -971,12 +971,27 @@ - } - /* - * Set socket options. -+ */ -+ -+ /* - * Allow local port reuse in TIME_WAIT. - */ - if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR, - &on, sizeof(on)) == -1) - error("setsockopt SO_REUSEADDR: %s", strerror(errno)); - -+#ifdef IPV6_V6ONLY -+ if (ai->ai_family == AF_INET6) { -+ /* -+ * Only communicate in IPv6 over AF_INET6 sockets. -+ */ -+ if (setsockopt(listen_sock, IPPROTO_IPV6, IPV6_V6ONLY, -+ &on, sizeof(on)) == -1) -+ error("setsockopt IPV6_V6ONLY: %s", -+ strerror(errno)); -+ } -+#endif -+ - debug("Bind to port %s on %s.", strport, ntop); - - /* Bind the socket to the desired port. */ diff --git a/openssh.spec b/openssh.spec index 644bd84..0051c84 100644 --- a/openssh.spec +++ b/openssh.spec @@ -62,8 +62,8 @@ Summary: The OpenSSH implementation of SSH protocol versions 1 and 2 Name: openssh -Version: 4.7p1 -Release: 9%{?dist}%{?rescue_rel} +Version: 5.0p1 +Release: 1%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc @@ -72,34 +72,30 @@ URL: http://www.openssh.com/portable.html # the unpacked source directory. Source0: openssh-%{version}-noacss.tar.bz2 Source1: openssh-nukeacss.sh +Source2: sshd.pam +Source3: sshd.init Patch0: openssh-4.7p1-redhat.patch Patch2: openssh-3.8.1p1-skip-initial.patch Patch3: openssh-3.8.1p1-krb5-config.patch Patch4: openssh-4.7p1-vendor.patch -Patch5: openssh-4.3p2-initscript.patch -Patch10: openssh-4.7p1-pam-session.patch Patch12: openssh-4.7p1-selinux.patch Patch13: openssh-4.7p1-mls.patch Patch16: openssh-4.7p1-audit.patch Patch17: openssh-4.3p2-cve-2007-3102.patch Patch22: openssh-3.9p1-askpass-keep-above.patch Patch24: openssh-4.3p1-fromto-remote.patch -Patch26: openssh-4.2p1-pam-no-stack.patch Patch27: openssh-4.7p1-log-in-chroot.patch Patch30: openssh-4.0p1-exit-deadlock.patch -Patch31: openssh-3.9p1-skip-used.patch Patch35: openssh-4.2p1-askpass-progress.patch Patch38: openssh-4.3p2-askpass-grab-info.patch Patch39: openssh-4.3p2-no-v6only.patch Patch44: openssh-4.3p2-allow-ip-opts.patch Patch49: openssh-4.3p2-gssapi-canohost.patch Patch51: openssh-4.7p1-nss-keys.patch -Patch52: openssh-4.7p1-sftp-drain-acks.patch -Patch53: openssh-4.7p1-packetdefsize.patch Patch54: openssh-4.7p1-gssapi-role.patch Patch55: openssh-4.7p1-cloexec.patch -Patch56: openssh-4.7p1-sshd-v6only.patch -Patch57: openssh-4.7p1-sftp-doclose.patch +Patch58: openssh-4.5p1-controlcleanup.patch +Patch59: openssh-4.7p1-master-race.patch License: BSD Group: Applications/Internet @@ -209,9 +205,6 @@ an X11 passphrase dialog for OpenSSH. %patch2 -p1 -b .skip-initial %patch3 -p1 -b .krb5-config %patch4 -p1 -b .vendor -%patch5 -p1 -b .initscript - -%patch10 -p1 -b .pam-session %if %{WITH_SELINUX} #SELinux @@ -223,22 +216,18 @@ an X11 passphrase dialog for OpenSSH. %patch22 -p1 -b .keep-above %patch24 -p1 -b .fromto-remote -%patch26 -p1 -b .stack %patch27 -p1 -b .log-chroot %patch30 -p1 -b .exit-deadlock -%patch31 -p1 -b .skip-used %patch35 -p1 -b .progress %patch38 -p1 -b .grab-info %patch39 -p1 -b .no-v6only %patch44 -p1 -b .ip-opts %patch49 -p1 -b .canohost %patch51 -p1 -b .nss-keys -%patch52 -p1 -b .drain-acks -%patch53 -p0 -b .defsize %patch54 -p0 -b .gssapi-role %patch55 -p1 -b .cloexec -%patch56 -p0 -b .sshd-v6only -%patch57 -p3 -b .doclose +%patch58 -p1 -b .controlcleanup +%patch59 -p1 -b .master-race autoreconf @@ -343,8 +332,8 @@ make install DESTDIR=$RPM_BUILD_ROOT install -d $RPM_BUILD_ROOT/etc/pam.d/ install -d $RPM_BUILD_ROOT/etc/rc.d/init.d install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh -install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd -install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd +install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd +install -m755 %{SOURCE3} $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/ install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/ @@ -489,6 +478,16 @@ fi %endif %changelog +* Mon Apr 7 2008 Tomas Mraz - 5.0p1-1 +- upgrade to new upstream (#441066) +- prevent initscript from killing itself on halt with upstart (#438449) +- initscript status should show that the daemon is running + only when the main daemon is still alive (#430882) + +* Thu Mar 6 2008 Tomas Mraz - 4.7p1-10 +- fix race on control master and cleanup stale control socket (#436311) + patches by David Woodhouse + * Fri Feb 29 2008 Tomas Mraz - 4.7p1-9 - set FD_CLOEXEC on client socket - apply real fix for window size problem (#286181) from upstream diff --git a/sources b/sources index 16f424a..dcc3173 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -21634329a8f1cd0e7a7974ade7280bdc openssh-4.7p1-noacss.tar.bz2 +e39c15a5fb9036bd64256c78a6fbf394 openssh-5.0p1-noacss.tar.bz2 diff --git a/sshd.init b/sshd.init new file mode 100755 index 0000000..981e693 --- /dev/null +++ b/sshd.init @@ -0,0 +1,182 @@ +#!/bin/bash +# +# Init file for OpenSSH server daemon +# +# chkconfig: 2345 55 25 +# description: OpenSSH server daemon +# +# processname: sshd +# config: /etc/ssh/ssh_host_key +# config: /etc/ssh/ssh_host_key.pub +# config: /etc/ssh/ssh_random_seed +# config: /etc/ssh/sshd_config +# pidfile: /var/run/sshd.pid + +# source function library +. /etc/rc.d/init.d/functions + +# pull in sysconfig settings +[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd + +RETVAL=0 +prog="sshd" + +# Some functions to make the below more readable +KEYGEN=/usr/bin/ssh-keygen +SSHD=/usr/sbin/sshd +RSA1_KEY=/etc/ssh/ssh_host_key +RSA_KEY=/etc/ssh/ssh_host_rsa_key +DSA_KEY=/etc/ssh/ssh_host_dsa_key +PID_FILE=/var/run/sshd.pid + +runlevel=$(set -- $(runlevel); eval "echo \$$#" ) + +do_rsa1_keygen() { + if [ ! -s $RSA1_KEY ]; then + echo -n $"Generating SSH1 RSA host key: " + if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then + chmod 600 $RSA1_KEY + chmod 644 $RSA1_KEY.pub + if [ -x /sbin/restorecon ]; then + /sbin/restorecon $RSA1_KEY.pub + fi + success $"RSA1 key generation" + echo + else + failure $"RSA1 key generation" + echo + exit 1 + fi + fi +} + +do_rsa_keygen() { + if [ ! -s $RSA_KEY ]; then + echo -n $"Generating SSH2 RSA host key: " + if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then + chmod 600 $RSA_KEY + chmod 644 $RSA_KEY.pub + if [ -x /sbin/restorecon ]; then + /sbin/restorecon $RSA_KEY.pub + fi + success $"RSA key generation" + echo + else + failure $"RSA key generation" + echo + exit 1 + fi + fi +} + +do_dsa_keygen() { + if [ ! -s $DSA_KEY ]; then + echo -n $"Generating SSH2 DSA host key: " + if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then + chmod 600 $DSA_KEY + chmod 644 $DSA_KEY.pub + if [ -x /sbin/restorecon ]; then + /sbin/restorecon $DSA_KEY.pub + fi + success $"DSA key generation" + echo + else + failure $"DSA key generation" + echo + exit 1 + fi + fi +} + +do_restart_sanity_check() +{ + $SSHD -t + RETVAL=$? + if [ ! "$RETVAL" = 0 ]; then + failure $"Configuration file or keys are invalid" + echo + fi +} + +start() +{ + # Create keys if necessary + if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then + do_rsa1_keygen + do_rsa_keygen + do_dsa_keygen + fi + + echo -n $"Starting $prog: " + $SSHD $OPTIONS && success || failure + RETVAL=$? + [ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd + echo +} + +stop() +{ + echo -n $"Stopping $prog: " + if [ -n "`pidfileofproc $SSHD`" ] ; then + killproc $SSHD + else + failure $"Stopping $prog" + fi + RETVAL=$? + # if we are in halt or reboot runlevel kill all running sessions + # so the TCP connections are closed cleanly + if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ; then + trap '' TERM + killall $prog 2>/dev/null + trap TERM + fi + [ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd + echo +} + +reload() +{ + echo -n $"Reloading $prog: " + if [ -n "`pidfileofproc $SSHD`" ] ; then + killproc $SSHD -HUP + else + failure $"Reloading $prog" + fi + RETVAL=$? + echo +} + +case "$1" in + start) + start + ;; + stop) + stop + ;; + restart) + stop + start + ;; + reload) + reload + ;; + condrestart) + if [ -f /var/lock/subsys/sshd ] ; then + do_restart_sanity_check + if [ "$RETVAL" = 0 ] ; then + stop + # avoid race + sleep 3 + start + fi + fi + ;; + status) + status -p $PID_FILE openssh-daemon + RETVAL=$? + ;; + *) + echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}" + RETVAL=1 +esac +exit $RETVAL diff --git a/sshd.pam b/sshd.pam new file mode 100644 index 0000000..e40d116 --- /dev/null +++ b/sshd.pam @@ -0,0 +1,8 @@ +#%PAM-1.0 +auth include system-auth +account required pam_nologin.so +account include system-auth +password include system-auth +session optional pam_keyinit.so force revoke +session include system-auth +session required pam_loginuid.so