- repo revived, latest version from PLD, TLDized

diff --git a/ldap-helper-sigpipe.patch b/ldap-helper-sigpipe.patch
index cfa20180368e8bff568c6e9df18905aa3d4868dc..78084079557ab6dc8c0ae081c2dcc5b7f105472b 100644 (file)
--- a/ldap-helper-sigpipe.patch
+++ b/ldap-helper-sigpipe.patch
@@ -84,7 +84,7 @@ exit 0
 --- openssh-6.6p1/ldap-helper.c~       2014-05-13 17:04:22.258162978 +0300
 +++ openssh-6.6p1/ldap-helper.c        2014-05-13 17:14:08.398824417 +0300
 @@ -31,6 +31,7 @@
 --- openssh-6.6p1/ldap-helper.c~       2014-05-13 17:04:22.258162978 +0300
 +++ openssh-6.6p1/ldap-helper.c        2014-05-13 17:14:08.398824417 +0300
 @@ -31,6 +31,7 @@

- #include "ldapbody.h"
+ #include <stdlib.h>

  #include <string.h>
  #include <unistd.h>
 +#include <signal.h>
  #include <string.h>
  #include <unistd.h>
 +#include <signal.h>

diff --git a/openssh-chroot.patch b/openssh-chroot.patch
index e166515c101506fa319f47ee842e1936c5749302..e2c01a0d0bf7ac171124c88b44070739ddd102a8 100644 (file)
--- a/openssh-chroot.patch
+++ b/openssh-chroot.patch
@@ -1,38 +1,36 @@
-diff -urNp -x '*.orig' openssh-8.8p1.org/servconf.c openssh-8.8p1/servconf.c
---- openssh-8.8p1.org/servconf.c       2021-09-26 16:03:19.000000000 +0200
-+++ openssh-8.8p1/servconf.c   2021-12-09 20:13:16.486586503 +0100
-@@ -92,7 +92,9 @@ initialize_server_options(ServerOptions
- 
-       /* Portable-specific options */
+diff -ruNp openssh-9.8p1.orig/servconf.c openssh-9.8p1/servconf.c
+--- openssh-9.8p1.orig/servconf.c      2024-07-01 06:36:28.000000000 +0200
++++ openssh-9.8p1/servconf.c   2024-07-01 11:17:17.929993456 +0200
+@@ -94,6 +94,8 @@ initialize_server_options(ServerOptions

        options->use_pam = -1;
        options->use_pam = -1;

--
-+      
+       options->pam_service_name = NULL;
+ 

 +      options->use_chroot = -1;
 +      options->use_chroot = -1;

-+      
++

        /* Standard Options */
        options->num_ports = 0;
        options->ports_from_cmdline = 0;
        /* Standard Options */
        options->num_ports = 0;
        options->ports_from_cmdline = 0;

-@@ -279,6 +281,9 @@ fill_default_server_options(ServerOption
-       if (options->use_pam == -1)
-               options->use_pam = 0;
+@@ -299,6 +301,9 @@ fill_default_server_options(ServerOption
+       if (options->pam_service_name == NULL)
+               options->pam_service_name = xstrdup(SSHD_PAM_SERVICE);

  
 +      if (options->use_chroot == -1)
 +              options->use_chroot = 0;
  
 +      if (options->use_chroot == -1)
 +              options->use_chroot = 0;

-+      
++

        /* Standard Options */
        if (options->num_host_key_files == 0) {
                /* fill default hostkeys for protocols */
        /* Standard Options */
        if (options->num_host_key_files == 0) {
                /* fill default hostkeys for protocols */

-@@ -486,6 +491,7 @@ typedef enum {
+@@ -538,6 +543,7 @@ typedef enum {

        sBadOption,             /* == unknown option */
        /* Portable-specific options */
        sBadOption,             /* == unknown option */
        /* Portable-specific options */

-       sUsePAM,
+       sUsePAM, sPAMServiceName,

 +      sUseChroot,
        /* Standard Options */
        sPort, sHostKeyFile, sLoginGraceTime,
        sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
 +      sUseChroot,
        /* Standard Options */
        sPort, sHostKeyFile, sLoginGraceTime,
        sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,

-@@ -538,6 +544,11 @@ static struct {
- #else
+@@ -595,6 +601,11 @@ static struct {

        { "usepam", sUnsupported, SSHCFG_GLOBAL },
        { "usepam", sUnsupported, SSHCFG_GLOBAL },

+       { "pamservicename", sUnsupported, SSHCFG_ALL },

  #endif
 +#ifdef CHROOT
 +      { "usechroot", sUseChroot, SSHCFG_GLOBAL },
  #endif
 +#ifdef CHROOT
 +      { "usechroot", sUseChroot, SSHCFG_GLOBAL },


@@ -42,9 +40,9 @@ diff -urNp -x '*.orig' openssh-8.8p1.org/servconf.c openssh-8.8p1/servconf.c
        { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
        /* Standard Options */
        { "port", sPort, SSHCFG_GLOBAL },
        { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
        /* Standard Options */
        { "port", sPort, SSHCFG_GLOBAL },

-@@ -1332,6 +1343,10 @@ process_server_config_line_depth(ServerO
-               intptr = &options->use_pam;
-               goto parse_flag;
+@@ -1338,6 +1349,10 @@ process_server_config_line_depth(ServerO
+                       *charptr = xstrdup(arg);
+               break;

  
 +      case sUseChroot:
 +              intptr = &options->use_chroot;
  
 +      case sUseChroot:
 +              intptr = &options->use_chroot;


@@ -113,7 +111,7 @@ diff -urNp -x '*.orig' openssh-8.8p1.org/sshd_config openssh-8.8p1/sshd_config
 +++ openssh-8.8p1/sshd_config  2021-12-09 20:13:16.489919836 +0100
 @@ -85,6 +85,10 @@ GSSAPIAuthentication yes
  # and KbdInteractiveAuthentication to 'no'.
 +++ openssh-8.8p1/sshd_config  2021-12-09 20:13:16.489919836 +0100
 @@ -85,6 +85,10 @@ GSSAPIAuthentication yes
  # and KbdInteractiveAuthentication to 'no'.

- UsePAM yes
+ #UsePAM no

  
 +# Set this to 'yes' to enable support for chrooted user environment.
 +# You must create such environment before you can use this feature.
  
 +# Set this to 'yes' to enable support for chrooted user environment.
 +# You must create such environment before you can use this feature.

diff --git a/openssh-config.patch b/openssh-config.patch
index 4d34975155637d5c1e544a81883fe43cebb917b9..1a9d19b329c6036041a9949b0edab91521e28e2d 100644 (file)
--- a/openssh-config.patch
+++ b/openssh-config.patch
@@ -1,92 +1,20 @@
-diff -urNp -x '*.orig' openssh-8.8p1.org/ssh_config openssh-8.8p1/ssh_config
---- openssh-8.8p1.org/ssh_config       2021-09-26 16:03:19.000000000 +0200
-+++ openssh-8.8p1/ssh_config   2021-12-09 20:12:26.796586510 +0100
-@@ -20,10 +20,13 @@
- # Host *
- #   ForwardAgent no
- #   ForwardX11 no
-+#   ForwardX11Trusted no
- #   PasswordAuthentication yes
- #   HostbasedAuthentication no
- #   GSSAPIAuthentication no
- #   GSSAPIDelegateCredentials no
-+#   GSSAPIKeyExchange no
-+#   GSSAPITrustDNS no
- #   BatchMode no
- #   CheckHostIP no
- #   AddressFamily any
-@@ -44,3 +47,18 @@
+diff -ur openssh-9.5p1.org/ssh_config openssh-9.5p1/ssh_config
+--- openssh-9.5p1.org/ssh_config       2023-10-04 06:34:10.000000000 +0200
++++ openssh-9.5p1/ssh_config   2023-11-28 09:12:00.249971177 +0100
+@@ -44,3 +44,6 @@

  #   ProxyCommand ssh -q -W %h:%p gateway.example.com
  #   RekeyLimit 1G 1h
  #   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
 +
  #   ProxyCommand ssh -q -W %h:%p gateway.example.com
  #   RekeyLimit 1G 1h
  #   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
 +

-+Host *
-+      GSSAPIAuthentication yes
-+# If this option is set to yes then remote X11 clients will have full access
-+# to the original X11 server. As some X11 clients don't support the untrusted
-+# mode correctly, you might consider changing this to 'yes' or using '-Y'.
-+#     ForwardX11Trusted no
-+      ServerAliveInterval 60
-+      ServerAliveCountMax 10
-+      TCPKeepAlive no
-+      # Allow DSA keys
-+#     PubkeyAcceptedKeyTypes +ssh-dss
-+#     HostkeyAlgorithms +ssh-dss
-+# Send locale-related environment variables, also pass some GIT vars
-+      SendEnv LANG LC_* LANGUAGE XMODIFIERS TZ GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL
-diff -urNp -x '*.orig' openssh-8.8p1.org/sshd_config openssh-8.8p1/sshd_config
---- openssh-8.8p1.org/sshd_config      2021-09-26 16:03:19.000000000 +0200
-+++ openssh-8.8p1/sshd_config  2021-12-09 20:12:26.796586510 +0100
-@@ -29,7 +29,7 @@
- # Authentication:
- 
- #LoginGraceTime 2m
--#PermitRootLogin prohibit-password
-+PermitRootLogin no
- #StrictModes yes
- #MaxAuthTries 6
- #MaxSessions 10
-@@ -57,6 +57,9 @@ AuthorizedKeysFile   .ssh/authorized_keys
- #PasswordAuthentication yes
- #PermitEmptyPasswords no
- 
-+# Allow DSA keys
-+## PubkeyAcceptedKeyTypes +ssh-dss
++# Put your local config in *.conf files
++Include /etc/ssh/ssh_config.d/*.conf
+diff -ur openssh-9.5p1.org/sshd_config openssh-9.5p1/sshd_config
+--- openssh-9.5p1.org/sshd_config      2023-10-04 06:34:10.000000000 +0200
++++ openssh-9.5p1/sshd_config  2023-11-28 09:12:18.119971176 +0100
+@@ -114,3 +114,6 @@
+ #     AllowTcpForwarding no
+ #     PermitTTY no
+ #     ForceCommand cvs server

 +
 +

- # Change to no to disable s/key passwords
- #KbdInteractiveAuthentication yes
- 
-@@ -69,6 +72,7 @@ AuthorizedKeysFile   .ssh/authorized_keys
- # GSSAPI options
- #GSSAPIAuthentication no
- #GSSAPICleanupCredentials yes
-+GSSAPIAuthentication yes
- 
- # Set this to 'yes' to enable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will
-@@ -79,7 +83,7 @@ AuthorizedKeysFile   .ssh/authorized_keys
- # If you just want the PAM account and session checks to run without
- # PAM authentication, then enable this but set PasswordAuthentication
- # and KbdInteractiveAuthentication to 'no'.
--#UsePAM no
-+UsePAM yes
- 
- #AllowAgentForwarding yes
- #AllowTcpForwarding yes
-@@ -105,9 +109,16 @@ AuthorizedKeysFile        .ssh/authorized_keys
- # no default banner path
- #Banner none
- 
-+# Accept locale-related environment variables, also accept some GIT vars
-+AcceptEnv LANG LC_* LANGUAGE XMODIFIERS TZ GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL
-+
- # override default of no subsystems
- Subsystem     sftp    /usr/libexec/sftp-server
- 
-+# Uncomment this if you want to use .local domain
-+#Host *.local
-+#     CheckHostIP no
-+
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- #     X11Forwarding no
++# Put your local config in *.conf files
++Include /etc/ssh/sshd_config.d/*.conf

diff --git a/openssh-ldap.patch b/openssh-ldap.patch
index cfc761558816daab1c7fd73ac419fe0f8fde3eaa..d75996c26caae22186c2e084a6a1dc84e2a38bd7 100644 (file)
--- a/openssh-ldap.patch
+++ b/openssh-ldap.patch
@@ -110,19 +110,19 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/HOWTO.ldap-keys openssh-8.4p1/HOWTO.lda
 +5) Author
 +    Jan F. Chadima <jchadima@redhat.com>
 +
 +5) Author
 +    Jan F. Chadima <jchadima@redhat.com>
 +

-diff -urNp -x '*.orig' openssh-8.4p1.org/Makefile.in openssh-8.4p1/Makefile.in
---- openssh-8.4p1.org/Makefile.in      2020-09-27 09:25:01.000000000 +0200
-+++ openssh-8.4p1/Makefile.in  2021-03-01 11:29:31.280956671 +0100
-@@ -23,6 +23,8 @@ SSH_PROGRAM=@bindir@/ssh
+diff -ruN openssh-9.8p1.orig/Makefile.in openssh-9.8p1/Makefile.in
+--- openssh-9.8p1.orig/Makefile.in     2024-07-01 06:36:28.000000000 +0200
++++ openssh-9.8p1/Makefile.in  2024-07-01 11:10:26.787664770 +0200
+@@ -24,6 +24,8 @@

  ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
  SFTP_SERVER=$(libexecdir)/sftp-server
  SSH_KEYSIGN=$(libexecdir)/ssh-keysign
 +SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
 +SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
  ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
  SFTP_SERVER=$(libexecdir)/sftp-server
  SSH_KEYSIGN=$(libexecdir)/ssh-keysign
 +SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
 +SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper

+ SSHD_SESSION=$(libexecdir)/sshd-session
+ SSHD_AUTH=$(libexecdir)/sshd-auth

  SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
  SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper

- SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
- PRIVSEP_PATH=@PRIVSEP_PATH@
-@@ -63,10 +65,11 @@ LDFLAGS_NOPIE=-L. -Lopenbsd-compat/ @LDF
+@@ -74,10 +74,11 @@ LDFLAGS_NOPIE=-L. -Lopenbsd-compat/ @LDF

  EXEEXT=@EXEEXT@
  MANFMT=@MANFMT@
  MKDIR_P=@MKDIR_P@
  EXEEXT=@EXEEXT@
  MANFMT=@MANFMT@
  MKDIR_P=@MKDIR_P@


@@ -130,12 +130,12 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/Makefile.in openssh-8.4p1/Makefile.in
  
  .SUFFIXES: .lo
  
  
  .SUFFIXES: .lo
  

--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT)
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) sshd-auth$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) $(SK_STANDALONE)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) sshd-auth$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) $(SK_STANDALONE)

  
  

- XMSS_OBJS=\
-       ssh-xmss.o \
-@@ -150,8 +153,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-serve
+ LIBOPENSSH_OBJS=\
+       ssh_api.o \
+@@ -163,8 +166,8 @@

  
  SFTP_OBJS=    sftp.o sftp-usergroup.o progressmeter.o $(SFTP_CLIENT_OBJS)
  
  
  SFTP_OBJS=    sftp.o sftp-usergroup.o progressmeter.o $(SFTP_CLIENT_OBJS)
  


@@ -146,7 +146,7 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/Makefile.in openssh-8.4p1/Makefile.in
  MANTYPE               = @MANTYPE@
  
  CONFIGFILES=sshd_config.out ssh_config.out moduli.out
  MANTYPE               = @MANTYPE@
  
  CONFIGFILES=sshd_config.out ssh_config.out moduli.out

-@@ -230,6 +233,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
+@@ -241,6 +244,9 @@

  ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
        $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) $(CHANNELLIBS)
  
  ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
        $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) $(CHANNELLIBS)
  


@@ -156,7 +156,7 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/Makefile.in openssh-8.4p1/Makefile.in
  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
        $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CHANNELLIBS)
  
  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
        $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CHANNELLIBS)
  

-@@ -395,6 +401,10 @@ install-files:
+@@ -414,6 +420,10 @@

        $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
        $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)


@@ -167,7 +167,7 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/Makefile.in openssh-8.4p1/Makefile.in
        $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
        $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
        $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
        $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1

-@@ -412,6 +422,10 @@ install-files:
+@@ -431,6 +441,10 @@

        $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
        $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
        $(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
        $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
        $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
        $(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8


@@ -178,7 +178,7 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/Makefile.in openssh-8.4p1/Makefile.in
  
  install-sysconf:
        $(MKDIR_P) $(DESTDIR)$(sysconfdir)
  
  install-sysconf:
        $(MKDIR_P) $(DESTDIR)$(sysconfdir)

-@@ -435,6 +449,13 @@ install-sysconf:
+@@ -454,6 +468,13 @@

        else \
                echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
        fi
        else \
                echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
        fi


@@ -192,7 +192,7 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/Makefile.in openssh-8.4p1/Makefile.in
  
  host-key: ssh-keygen$(EXEEXT)
        @if [ -z "$(DESTDIR)" ] ; then \
  
  host-key: ssh-keygen$(EXEEXT)
        @if [ -z "$(DESTDIR)" ] ; then \

-@@ -473,6 +494,8 @@ uninstall:
+@@ -492,6 +513,8 @@

        -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
        -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
        -rm -f $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
        -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
        -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
        -rm -f $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)


@@ -201,7 +201,7 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/Makefile.in openssh-8.4p1/Makefile.in
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1

-@@ -485,6 +508,7 @@ uninstall:
+@@ -504,6 +527,7 @@

        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8


@@ -318,11 +318,11 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/configure.ac openssh-8.4p1/configure.ac
 +
  dnl    Checks for library functions. Please keep in alphabetical order
  AC_CHECK_FUNCS([ \
 +
  dnl    Checks for library functions. Please keep in alphabetical order
  AC_CHECK_FUNCS([ \

-       Blowfish_initstate \
+       auth_hostok \

 diff -urNp -x '*.orig' openssh-8.4p1.org/ldap-helper.c openssh-8.4p1/ldap-helper.c
 --- openssh-8.4p1.org/ldap-helper.c    1970-01-01 01:00:00.000000000 +0100
 +++ openssh-8.4p1/ldap-helper.c        2021-03-01 11:29:31.280956671 +0100
 diff -urNp -x '*.orig' openssh-8.4p1.org/ldap-helper.c openssh-8.4p1/ldap-helper.c
 --- openssh-8.4p1.org/ldap-helper.c    1970-01-01 01:00:00.000000000 +0100
 +++ openssh-8.4p1/ldap-helper.c        2021-03-01 11:29:31.280956671 +0100

-@@ -0,0 +1,155 @@
+@@ -0,0 +1,156 @@

 +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
 + * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
 +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
 + * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.


@@ -354,6 +354,7 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/ldap-helper.c openssh-8.4p1/ldap-helper
 +#include "xmalloc.h"
 +#include "ldapconf.h"
 +#include "ldapbody.h"
 +#include "xmalloc.h"
 +#include "ldapconf.h"
 +#include "ldapbody.h"

++#include <stdlib.h>

 +#include <string.h>
 +#include <unistd.h>
 +
 +#include <string.h>
 +#include <unistd.h>
 +


@@ -609,7 +610,7 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/ldap.conf openssh-8.4p1/ldap.conf
 diff -urNp -x '*.orig' openssh-8.4p1.org/ldapbody.c openssh-8.4p1/ldapbody.c
 --- openssh-8.4p1.org/ldapbody.c       1970-01-01 01:00:00.000000000 +0100
 +++ openssh-8.4p1/ldapbody.c   2021-03-01 11:29:31.280956671 +0100
 diff -urNp -x '*.orig' openssh-8.4p1.org/ldapbody.c openssh-8.4p1/ldapbody.c
 --- openssh-8.4p1.org/ldapbody.c       1970-01-01 01:00:00.000000000 +0100
 +++ openssh-8.4p1/ldapbody.c   2021-03-01 11:29:31.280956671 +0100

-@@ -0,0 +1,494 @@
+@@ -0,0 +1,495 @@

 +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
 + * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
 +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
 + * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.


@@ -642,6 +643,7 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/ldapbody.c openssh-8.4p1/ldapbody.c
 +#include "ldapmisc.h"
 +#include "ldapbody.h"
 +#include <stdio.h>
 +#include "ldapmisc.h"
 +#include "ldapbody.h"
 +#include <stdio.h>

++#include <stdlib.h>

 +#include <unistd.h>
 +
 +#define LDAPSEARCH_FORMAT "(&(objectclass=%s)(objectclass=ldapPublicKey)(uid=%s)%s)"
 +#include <unistd.h>
 +
 +#define LDAPSEARCH_FORMAT "(&(objectclass=%s)(objectclass=ldapPublicKey)(uid=%s)%s)"


@@ -1148,7 +1150,7 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/ldapbody.h openssh-8.4p1/ldapbody.h
 diff -urNp -x '*.orig' openssh-8.4p1.org/ldapconf.c openssh-8.4p1/ldapconf.c
 --- openssh-8.4p1.org/ldapconf.c       1970-01-01 01:00:00.000000000 +0100
 +++ openssh-8.4p1/ldapconf.c   2021-03-01 11:29:31.280956671 +0100
 diff -urNp -x '*.orig' openssh-8.4p1.org/ldapconf.c openssh-8.4p1/ldapconf.c
 --- openssh-8.4p1.org/ldapconf.c       1970-01-01 01:00:00.000000000 +0100
 +++ openssh-8.4p1/ldapconf.c   2021-03-01 11:29:31.280956671 +0100

-@@ -0,0 +1,691 @@
+@@ -0,0 +1,692 @@

 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
 + * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
 + * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.


@@ -1181,6 +1183,7 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/ldapconf.c openssh-8.4p1/ldapconf.c
 +#include "xmalloc.h"
 +#include "ldapconf.h"
 +#include <unistd.h>
 +#include "xmalloc.h"
 +#include "ldapconf.h"
 +#include <unistd.h>

++#include <stdlib.h>

 +#include <string.h>
 +
 +/* Keyword tokens. */
 +#include <string.h>
 +
 +/* Keyword tokens. */

diff --git a/openssh-sigpipe.patch b/openssh-sigpipe.patch
index 64d8616f58fcb491ae564e3dc182df100e5fd3e6..8991ecc660300d7e5c36df2ab3f819ef93da14f6 100644 (file)
--- a/openssh-sigpipe.patch
+++ b/openssh-sigpipe.patch
@@ -11,15 +11,15 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/clientloop.c openssh-8.4p1/clientloop.c
  /*
   * Name of the host we are connecting to.  This is the name given on the
   * command line, or the Hostname specified for the user-supplied name in a
  /*
   * Name of the host we are connecting to.  This is the name given on the
   * command line, or the Hostname specified for the user-supplied name in a

-@@ -1301,6 +1304,8 @@ client_loop(struct ssh *ssh, int have_pt
+@@ -1518,6 +1518,8 @@ client_loop(struct ssh *ssh, int have_pt

                ssh_signal(SIGQUIT, signal_handler);
        if (ssh_signal(SIGTERM, SIG_IGN) != SIG_IGN)
                ssh_signal(SIGTERM, signal_handler);
 +      if (enable_sigpipe)
                ssh_signal(SIGQUIT, signal_handler);
        if (ssh_signal(SIGTERM, SIG_IGN) != SIG_IGN)
                ssh_signal(SIGTERM, signal_handler);
 +      if (enable_sigpipe)

-+              signal(SIGPIPE, signal_handler);
++              ssh_signal(SIGPIPE, signal_handler);

        ssh_signal(SIGWINCH, window_change_handler);
        ssh_signal(SIGWINCH, window_change_handler);

- 
-       if (have_pty)
+ #ifdef SIGINFO
+       ssh_signal(SIGINFO, siginfo_handler);

 diff -urNp -x '*.orig' openssh-8.4p1.org/ssh.0 openssh-8.4p1/ssh.0
 --- openssh-8.4p1.org/ssh.0    2020-09-27 09:42:10.000000000 +0200
 +++ openssh-8.4p1/ssh.0        2021-03-01 11:29:10.909905265 +0100
 diff -urNp -x '*.orig' openssh-8.4p1.org/ssh.0 openssh-8.4p1/ssh.0
 --- openssh-8.4p1.org/ssh.0    2020-09-27 09:42:10.000000000 +0200
 +++ openssh-8.4p1/ssh.0        2021-03-01 11:29:10.909905265 +0100

diff --git a/openssh.spec b/openssh.spec
index 1ea45bbfbc5843fc3bff042a3c4cdce624c0c880..14bb789fb6ef7ab1f8394091be2625da797c314b 100644 (file)
--- a/openssh.spec
+++ b/openssh.spec
@@ -32,13 +32,13 @@ Summary(pt_BR.UTF-8):       Implementação livre do SSH
 Summary(ru.UTF-8):     OpenSSH - свободная реализация протокола Secure Shell (SSH)
 Summary(uk.UTF-8):     OpenSSH - вільна реалізація протоколу Secure Shell (SSH)
 Name:          openssh
 Summary(ru.UTF-8):     OpenSSH - свободная реализация протокола Secure Shell (SSH)
 Summary(uk.UTF-8):     OpenSSH - вільна реалізація протоколу Secure Shell (SSH)
 Name:          openssh

-Version:       9.7p1
-Release:       1
+Version:       10.2p1
+Release:       4

 Epoch:         2
 License:       BSD
 Group:         Applications/Networking
 Source0:       https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz
 Epoch:         2
 License:       BSD
 Group:         Applications/Networking
 Source0:       https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz

-# Source0-md5: 1100f170ca1bc669038ca3743e074094
+# Source0-md5: 801b5ad6da38e0045de20dd5dd2f6a80

 Source1:       http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2
 # Source1-md5: 66943d481cc422512b537bcc2c7400d1
 Source2:       %{name}d.init
 Source1:       http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2
 # Source1-md5: 66943d481cc422512b537bcc2c7400d1
 Source2:       %{name}d.init


@@ -48,6 +48,8 @@ Source5:      ssh-agent.sh
 Source6:       ssh-agent.conf
 Source7:       %{name}-lpk.schema
 Source10:      sshd-keygen
 Source6:       ssh-agent.conf
 Source7:       %{name}-lpk.schema
 Source10:      sshd-keygen

+Source13:       tld_ssh_config
+Source14:       tld_sshd_config

 Patch100:      %{name}-git.patch
 # Patch100-md5:        eb723cc4f21efc32752161d539c9c5e9
 Patch0:                %{name}-no-pty-tests.patch
 Patch100:      %{name}-git.patch
 # Patch100-md5:        eb723cc4f21efc32752161d539c9c5e9
 Patch0:                %{name}-no-pty-tests.patch


@@ -83,13 +85,14 @@ BuildRequires:      libfido2-devel >= 1.5.0
 %{?with_libseccomp:BuildRequires:      libseccomp-devel}
 %{?with_selinux:BuildRequires: libselinux-devel}
 %{?with_ldap:BuildRequires:    openldap-devel}
 %{?with_libseccomp:BuildRequires:      libseccomp-devel}
 %{?with_selinux:BuildRequires: libselinux-devel}
 %{?with_ldap:BuildRequires:    openldap-devel}

-BuildRequires: openssl-devel >= 1.1.0g
+BuildRequires: openssl-devel >= 1.1.1

 BuildRequires: pam-devel
 %{?with_gtk:BuildRequires:     pkgconfig}
 %if %{with tests} && %{with tests_conch}
 BuildRequires: python-TwistedConch
 %endif
 BuildRequires: rpm >= 4.4.9-56
 BuildRequires: pam-devel
 %{?with_gtk:BuildRequires:     pkgconfig}
 %if %{with tests} && %{with tests_conch}
 BuildRequires: python-TwistedConch
 %endif
 BuildRequires: rpm >= 4.4.9-56

+BuildRequires: rpm-build >= 4.6

 BuildRequires: rpmbuild(macros) >= 1.752
 BuildRequires: sed >= 4.0
 BuildRequires: zlib-devel >= 1.2.3
 BuildRequires: rpmbuild(macros) >= 1.752
 BuildRequires: sed >= 4.0
 BuildRequires: zlib-devel >= 1.2.3


@@ -101,9 +104,6 @@ BuildRequires:      %{name}-server
 BuildRequires: uname(release) >= 3.5
 %endif
 Requires:      zlib >= 1.2.3
 BuildRequires: uname(release) >= 3.5
 %endif
 Requires:      zlib >= 1.2.3

-Requires:      filesystem >= 3.0-11
-Requires:      pam >= %{pam_ver}
-Suggests:      xorg-app-xauth

 Obsoletes:     ssh
 BuildRoot:     %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
 
 Obsoletes:     ssh
 BuildRoot:     %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
 


@@ -255,11 +255,11 @@ Summary(pt_BR.UTF-8):     Clientes do OpenSSH
 Summary(ru.UTF-8):     OpenSSH - клиенты протокола Secure Shell
 Summary(uk.UTF-8):     OpenSSH - клієнти протоколу Secure Shell
 Group:         Applications/Networking
 Summary(ru.UTF-8):     OpenSSH - клиенты протокола Secure Shell
 Summary(uk.UTF-8):     OpenSSH - клієнти протоколу Secure Shell
 Group:         Applications/Networking

-Requires:      %{name}
+Requires:      %{name} = %{epoch}:%{version}-%{release}

 Suggests:      %{name}-clients-helper-fido = %{epoch}:%{version}-%{release}
 Provides:      ssh-clients
 Obsoletes:     ssh-clients
 Suggests:      %{name}-clients-helper-fido = %{epoch}:%{version}-%{release}
 Provides:      ssh-clients
 Obsoletes:     ssh-clients

-%requires_eq_to        openssl openssl-devel
+%requires_eq_to        openssl%{?_isa} openssl-devel

 
 %description clients
 Ssh (Secure Shell) a program for logging into a remote machine and for
 
 %description clients
 Ssh (Secure Shell) a program for logging into a remote machine and for


@@ -362,7 +362,9 @@ Requires(postun):   /usr/sbin/userdel
 Requires(pre): /bin/id
 Requires(pre): /usr/sbin/useradd
 Requires:      %{name} = %{epoch}:%{version}-%{release}
 Requires(pre): /bin/id
 Requires(pre): /usr/sbin/useradd
 Requires:      %{name} = %{epoch}:%{version}-%{release}

+Requires:      filesystem >= 3.0-11

 Requires:      pam >= %{pam_ver}
 Requires:      pam >= %{pam_ver}

+Suggests:      xorg-app-xauth

 Requires:      rc-scripts >= 0.4.3.0
 %{?with_libseccomp:Requires:   uname(release) >= 3.5}
 Requires:      util-linux
 Requires:      rc-scripts >= 0.4.3.0
 %{?with_libseccomp:Requires:   uname(release) >= 3.5}
 Requires:      util-linux


@@ -371,7 +373,7 @@ Suggests:   /bin/login
 Suggests:      xorg-app-xauth
 Provides:      ssh-server
 Provides:      user(sshd)
 Suggests:      xorg-app-xauth
 Provides:      ssh-server
 Provides:      user(sshd)

-%requires_eq_to        openssl openssl-devel
+%requires_eq_to        openssl%{?_isa} openssl-devel

 
 %description server
 Ssh (Secure Shell) a program for logging into a remote machine and for
 
 %description server
 Ssh (Secure Shell) a program for logging into a remote machine and for


@@ -527,26 +529,26 @@ openldap-a.
 
 %prep
 %setup -q
 
 %prep
 %setup -q

-#%%patch100 -p1
+#%%patch -P100 -p1

 
 

-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
+%patch -P0 -p1
+%patch -P1 -p1
+%patch -P2 -p1
+%patch -P3 -p1
+%patch -P4 -p1
+%patch -P5 -p1
+%patch -P6 -p1
+%patch -P7 -p1
+%patch -P8 -p1

 
 

-%{?with_hpn:%patch9 -p1}
+%{?with_hpn:%patch -P9 -p1}

 
 

-%patch11 -p1
+%patch -P11 -p1

 
 

-%patch13 -p1
+%patch -P13 -p1

 
 

-%patch14 -p1
-%{!?with_ldap:%patch15 -p1}
+%patch -P14 -p1
+%{!?with_ldap:%patch -P15 -p1}

 
 # hack since arc4random from openbsd-compat needs symbols from libssh and vice versa
 sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh -lopenbsd-compat#g' Makefile*
 
 # hack since arc4random from openbsd-compat needs symbols from libssh and vice versa
 sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh -lopenbsd-compat#g' Makefile*


@@ -574,8 +576,7 @@ CPPFLAGS="%{rpmcppflags} -DCHROOT -std=gnu99"
        --with-ldap%{!?with_ldap:=no} \
        %{?with_ldns:--with-ldns} \
        %{?with_libedit:--with-libedit} \
        --with-ldap%{!?with_ldap:=no} \
        %{?with_ldns:--with-ldns} \
        %{?with_libedit:--with-libedit} \

-       --with-mantype=man \
-       --with-md5-passwords \
+       --with-mantype=doc \

        --with-pam \
        --with-pid-dir=%{_localstatedir}/run \
        --with-privsep-path=%{_privsepdir} \
        --with-pam \
        --with-pid-dir=%{_localstatedir}/run \
        --with-privsep-path=%{_privsepdir} \


@@ -616,6 +617,7 @@ cd contrib
 rm -rf $RPM_BUILD_ROOT
 install -d $RPM_BUILD_ROOT{%{_sysconfdir},/etc/{pam.d,rc.d/init.d,sysconfig,security,env.d}} \
        $RPM_BUILD_ROOT{%{_libexecdir}/ssh,%{schemadir}}
 rm -rf $RPM_BUILD_ROOT
 install -d $RPM_BUILD_ROOT{%{_sysconfdir},/etc/{pam.d,rc.d/init.d,sysconfig,security,env.d}} \
        $RPM_BUILD_ROOT{%{_libexecdir}/ssh,%{schemadir}}

+install -d $RPM_BUILD_ROOT%{_sysconfdir}/ssh{,d}_config.d

 install -d $RPM_BUILD_ROOT/etc/{profile.d,X11/xinit/xinitrc.d}
 
 %{__make} install \
 install -d $RPM_BUILD_ROOT/etc/{profile.d,X11/xinit/xinitrc.d}
 
 %{__make} install \


@@ -629,6 +631,8 @@ cp -p %{SOURCE4} $RPM_BUILD_ROOT/etc/sysconfig/sshd
 cp -p %{SOURCE5} $RPM_BUILD_ROOT/etc/profile.d
 ln -sf /etc/profile.d/ssh-agent.sh $RPM_BUILD_ROOT/etc/X11/xinit/xinitrc.d/ssh-agent.sh
 cp -p %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}
 cp -p %{SOURCE5} $RPM_BUILD_ROOT/etc/profile.d
 ln -sf /etc/profile.d/ssh-agent.sh $RPM_BUILD_ROOT/etc/X11/xinit/xinitrc.d/ssh-agent.sh
 cp -p %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}

+cp -p %{SOURCE13} $RPM_BUILD_ROOT%{_sysconfdir}/ssh_config.d/50-tld.conf
+cp -p %{SOURCE14} $RPM_BUILD_ROOT%{_sysconfdir}/sshd_config.d/50-tld.conf

 cp -p %{SOURCE7} $RPM_BUILD_ROOT%{schemadir}
 
 install -p %{SOURCE10} $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen
 cp -p %{SOURCE7} $RPM_BUILD_ROOT%{schemadir}
 
 install -p %{SOURCE10} $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen


@@ -706,7 +710,7 @@ fi
 
 %triggerpostun server -- %{name}-server < 2:7.0p1-2
 %banner %{name}-server -e << EOF
 
 %triggerpostun server -- %{name}-server < 2:7.0p1-2
 %banner %{name}-server -e << EOF

-!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!

 ! Starting from openssh 7.0 DSA keys are disabled !
 ! on server and client side. You will NOT be able !
 ! to use DSA keys for authentication. Please read !
 ! Starting from openssh 7.0 DSA keys are disabled !
 ! on server and client side. You will NOT be able !
 ! to use DSA keys for authentication. Please read !


@@ -714,11 +718,11 @@ fi
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 EOF
 
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 EOF
 

-%triggerpostun server -- %{name}-server < 6.2p1-1
-cp -f %{_sysconfdir}/sshd_config{,.rpmorig}
-sed -i -e 's#AuthorizedKeysCommandRunAs#AuthorizedKeysCommandUser##g' %{_sysconfdir}/sshd_config
+if grep -q AuthorizedKeysCommandRunAs %{_sysconfdir}/sshd_config; then
+       cp -f %{_sysconfdir}/sshd_config{,.rpmorig}
+       sed -i -e 's#AuthorizedKeysCommandRunAs#AuthorizedKeysCommandUser##g' %{_sysconfdir}/sshd_config
+fi

 
 

-%triggerpostun server -- %{name}-server < 2:5.9p1-8

 # lpk.patch to ldap.patch
 if grep -qE '^(UseLPK|Lpk)' %{_sysconfdir}/sshd_config; then
        echo >&2 "Migrating LPK patch to LDAP patch"
 # lpk.patch to ldap.patch
 if grep -qE '^(UseLPK|Lpk)' %{_sysconfdir}/sshd_config; then
        echo >&2 "Migrating LPK patch to LDAP patch"


@@ -748,7 +752,9 @@ fi
 %defattr(644,root,root,755)
 %doc TODO README OVERVIEW CREDITS Change*
 %attr(755,root,root) %{_bindir}/ssh-key*
 %defattr(644,root,root,755)
 %doc TODO README OVERVIEW CREDITS Change*
 %attr(755,root,root) %{_bindir}/ssh-key*

+#%attr(755,root,root) %{_bindir}/ssh-vulnkey*

 %{_mandir}/man1/ssh-key*.1*
 %{_mandir}/man1/ssh-key*.1*

+#%{_mandir}/man1/ssh-vulnkey*.1*

 %dir %{_sysconfdir}
 %dir %{_libexecdir}
 
 %dir %{_sysconfdir}
 %dir %{_libexecdir}
 


@@ -760,7 +766,10 @@ fi
 %attr(755,root,root) %{_bindir}/ssh-add
 %attr(755,root,root) %{_bindir}/ssh-copy-id
 %attr(755,root,root) %{_bindir}/scp
 %attr(755,root,root) %{_bindir}/ssh-add
 %attr(755,root,root) %{_bindir}/ssh-copy-id
 %attr(755,root,root) %{_bindir}/scp

+%attr(755,root,root) %{_libexecdir}/ssh-pkcs11-helper

 %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/ssh_config
 %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/ssh_config

+%dir %{_sysconfdir}/ssh_config.d
+%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/ssh_config.d/50-tld.conf

 %config(noreplace,missingok) %verify(not md5 mtime size) /etc/env.d/SSH_ASKPASS
 %{_mandir}/man1/scp.1*
 %{_mandir}/man1/ssh.1*
 %config(noreplace,missingok) %verify(not md5 mtime size) /etc/env.d/SSH_ASKPASS
 %{_mandir}/man1/scp.1*
 %{_mandir}/man1/ssh.1*


@@ -769,6 +778,7 @@ fi
 %{_mandir}/man1/ssh-add.1*
 %{_mandir}/man1/ssh-copy-id.1*
 %{_mandir}/man5/ssh_config.5*
 %{_mandir}/man1/ssh-add.1*
 %{_mandir}/man1/ssh-copy-id.1*
 %{_mandir}/man5/ssh_config.5*

+%{_mandir}/man8/ssh-pkcs11-helper.8*

 %lang(it) %{_mandir}/it/man1/ssh.1*
 %lang(it) %{_mandir}/it/man5/ssh_config.5*
 %lang(pl) %{_mandir}/pl/man1/scp.1*
 %lang(it) %{_mandir}/it/man1/ssh.1*
 %lang(it) %{_mandir}/it/man5/ssh_config.5*
 %lang(pl) %{_mandir}/pl/man1/scp.1*


@@ -797,15 +807,17 @@ fi
 %attr(755,root,root) %{_sbindir}/sshd
 %attr(755,root,root) %{_libexecdir}/sftp-server
 %attr(755,root,root) %{_libexecdir}/ssh-keysign
 %attr(755,root,root) %{_sbindir}/sshd
 %attr(755,root,root) %{_libexecdir}/sftp-server
 %attr(755,root,root) %{_libexecdir}/ssh-keysign

-%attr(755,root,root) %{_libexecdir}/ssh-pkcs11-helper
+%attr(755,root,root) %{_libexecdir}/sshd-auth

 %attr(755,root,root) %{_libexecdir}/sshd-keygen
 %attr(755,root,root) %{_libexecdir}/sshd-keygen

+%attr(755,root,root) %{_libexecdir}/sshd-session

 %{_mandir}/man8/sshd.8*
 %{_mandir}/man8/sftp-server.8*
 %{_mandir}/man8/ssh-keysign.8*
 %{_mandir}/man8/sshd.8*
 %{_mandir}/man8/sftp-server.8*
 %{_mandir}/man8/ssh-keysign.8*

-%{_mandir}/man8/ssh-pkcs11-helper.8*

 %{_mandir}/man5/sshd_config.5*
 %{_mandir}/man5/moduli.5*
 %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/sshd_config
 %{_mandir}/man5/sshd_config.5*
 %{_mandir}/man5/moduli.5*
 %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/sshd_config

+%attr(750,root,root) %dir %{_sysconfdir}/sshd_config.d
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/sshd_config.d/50-tld.conf

 %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/sshd
 %{_sysconfdir}/moduli
 %attr(754,root,root) /etc/rc.d/init.d/sshd
 %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/sshd
 %{_sysconfdir}/moduli
 %attr(754,root,root) /etc/rc.d/init.d/sshd

diff --git a/sshd-keygen b/sshd-keygen
index a09061427521f89b8522f48a7a7af92800395e8b..1353fc1f593251ff802e57763742094bdc2ea147 100755 (executable)
--- a/sshd-keygen
+++ b/sshd-keygen
@@ -16,6 +16,4 @@ ssh_gen_key() {
 
 # generate new keys with empty passwords if they do not exist
 ssh_gen_key ed25519 /etc/ssh/ssh_host_ed25519_key
 
 # generate new keys with empty passwords if they do not exist
 ssh_gen_key ed25519 /etc/ssh/ssh_host_ed25519_key

-ssh_gen_key ecdsa /etc/ssh/ssh_host_ecdsa_key

 ssh_gen_key rsa /etc/ssh/ssh_host_rsa_key
 ssh_gen_key rsa /etc/ssh/ssh_host_rsa_key

-ssh_gen_key dsa /etc/ssh/ssh_host_dsa_key

diff --git a/tld_ssh_config b/tld_ssh_config
new file mode 100644 (file)
index 0000000..3fa6557
--- /dev/null
+++ b/tld_ssh_config
@@ -0,0 +1,4 @@
+Host *
+       ServerAliveInterval 60
+       ServerAliveCountMax 10
+       TCPKeepAlive no

diff --git a/tld_sshd_config b/tld_sshd_config
new file mode 100644 (file)
index 0000000..7ff52c7
--- /dev/null
+++ b/tld_sshd_config
@@ -0,0 +1 @@
+PermitRootLogin no