--- /dev/null
+--- openssh-portable/sandbox-seccomp-filter.c.org 2018-09-14 10:56:00.557388954 +0200
++++ openssh-portable/sandbox-seccomp-filter.c 2018-09-14 11:13:00.051826982 +0200
+@@ -166,6 +166,9 @@ static const struct sock_filter preauth_
+ #ifdef __NR_exit_group
+ SC_ALLOW(__NR_exit_group),
+ #endif
++#ifdef __NR_futex
++ SC_ALLOW(__NR_futex),
++#endif
+ #ifdef __NR_geteuid
+ SC_ALLOW(__NR_geteuid),
+ #endif
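Review bot: The new `SC_ALLOW(__NR_futex)` entry in the pre-auth filter (the hunk header names `preauth_…`) permits the syscall for every futex operation and carries no comment saying why the sandboxed child needs it. Each syscall allowed here adds to what unauthenticated code can reach in the kernel, so the reason should sit next to the rule, for example `/* futex: needed by <library/feature>, see bug 2905 */`. The bug number is taken from the patch file name in the spec, and the reason is a placeholder for the maintainer to fill in. If only wait/wake operations are required, an argument-checked rule would be tighter than a blanket allow. The filter array continues outside the hunk, so whether other entries already cover this case cannot be seen from here.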
+++ /dev/null
---- openssh-5.9p1/configure.ac~ 2011-09-06 19:31:16.000000000 +0200
-+++ openssh-5.9p1/configure.ac 2011-09-06 19:31:55.291791679 +0200
-@@ -1076,6 +1076,7 @@
-
- AC_MSG_CHECKING([for possibly buggy zlib])
- AC_RUN_IFELSE([AC_LANG_PROGRAM([[
-+#include <stdlib.h>
- #include <stdio.h>
- #include <zlib.h>
- ]],
-
+++ /dev/null
-diff -urpa openssh-7.8p1.orig/auth-krb5.c openssh-7.8p1/auth-krb5.c
---- openssh-7.8p1.orig/auth-krb5.c 2018-08-23 05:41:42.000000000 +0000
-+++ openssh-7.8p1/auth-krb5.c 2018-08-29 09:55:47.547970289 +0000
-@@ -54,6 +54,20 @@
-
- extern ServerOptions options;
-
-+int
-+ssh_krb5_kuserok(krb5_context krb5_ctx, krb5_principal krb5_user, const char *client)
-+{
-+ if (options.use_kuserok)
-+ return krb5_kuserok(krb5_ctx, krb5_user, client);
-+ else {
-+ char kuser[65];
-+
-+ if (krb5_aname_to_localname(krb5_ctx, krb5_user, sizeof(kuser), kuser))
-+ return 0;
-+ return strcmp(kuser, client) == 0;
-+ }
-+}
-+
- static int
- krb5_init(void *context)
- {
-@@ -157,7 +171,7 @@ auth_krb5_password(Authctxt *authctxt, c
- if (problem)
- goto out;
-
-- if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
-+ if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
- authctxt->pw->pw_name)) {
- problem = -1;
- goto out;
-diff -urpa openssh-7.8p1.orig/gss-serv-krb5.c openssh-7.8p1/gss-serv-krb5.c
---- openssh-7.8p1.orig/gss-serv-krb5.c 2018-08-23 05:41:42.000000000 +0000
-+++ openssh-7.8p1/gss-serv-krb5.c 2018-08-29 09:55:47.547970289 +0000
-@@ -56,6 +56,7 @@ extern ServerOptions options;
- #endif
-
- static krb5_context krb_context = NULL;
-+extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *);
-
- /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
-
-@@ -98,7 +99,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
- krb5_free_error_message(krb_context, errmsg);
- return 0;
- }
-- if (krb5_kuserok(krb_context, princ, name)) {
-+ if (ssh_krb5_kuserok(krb_context, princ, name)) {
- retval = 1;
- logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
- name, (char *)client->displayname.value);
-diff -urpa openssh-7.8p1.orig/servconf.c openssh-7.8p1/servconf.c
---- openssh-7.8p1.orig/servconf.c 2018-08-29 09:49:04.830974823 +0000
-+++ openssh-7.8p1/servconf.c 2018-08-29 09:57:22.452969220 +0000
-@@ -166,6 +166,7 @@ initialize_server_options(ServerOptions
- options->permit_tun = -1;
- options->permitted_opens = NULL;
- options->permitted_listens = NULL;
-+ options->use_kuserok = -1;
- options->adm_forced_command = NULL;
- options->chroot_directory = NULL;
- options->authorized_keys_command = NULL;
-@@ -449,6 +450,8 @@ fill_default_server_options(ServerOption
- options->num_auth_methods = 0;
- }
-
-+ if (options->use_kuserok == -1)
-+ options->use_kuserok = 1;
- #ifndef HAVE_MMAP
- if (use_privsep && options->compression == 1) {
- error("This platform does not support both privilege "
-@@ -471,7 +474,7 @@ typedef enum {
- sPermitRootLogin, sLogFacility, sLogLevel,
- sRhostsRSAAuthentication, sRSAAuthentication,
- sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
-- sKerberosGetAFSToken, sChallengeResponseAuthentication,
-+ sKerberosGetAFSToken, sKerberosUseKuserok, sChallengeResponseAuthentication,
- sPasswordAuthentication, sKbdInteractiveAuthentication,
- sListenAddress, sAddressFamily,
- sPrintMotd, sPrintLastLog, sIgnoreRhosts,
-@@ -555,11 +558,13 @@ static struct {
- #else
- { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
- #endif
-+ { "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL },
- #else
- { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
- { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
- { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
- { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
-+ { "kerberosusekuserok", sUnsupported, SSHCFG_ALL },
- #endif
- { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
- { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
-@@ -1958,6 +1963,10 @@ process_server_config_line(ServerOptions
- }
- break;
-
-+ case sKerberosUseKuserok:
-+ intptr = &options->use_kuserok;
-+ goto parse_flag;
-+
- case sForceCommand:
- if (cp == NULL || *cp == '\0')
- fatal("%.200s line %d: Missing argument.", filename,
-@@ -2302,6 +2311,7 @@ copy_set_server_options(ServerOptions *d
- M_CP_INTOPT(rekey_limit);
- M_CP_INTOPT(rekey_interval);
- M_CP_INTOPT(log_level);
-+ M_CP_INTOPT(use_kuserok);
-
- /*
- * The bind_mask is a mode_t that may be unsigned, so we can't use
-@@ -2595,6 +2605,7 @@ dump_config(ServerOptions *o)
- dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
- dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
- dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
-+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
-
- /* string arguments */
- dump_cfg_string(sPidFile, o->pid_file);
-diff -urpa openssh-7.8p1.orig/servconf.h openssh-7.8p1/servconf.h
---- openssh-7.8p1.orig/servconf.h 2018-08-29 09:49:04.827974823 +0000
-+++ openssh-7.8p1/servconf.h 2018-08-29 09:55:47.548970289 +0000
-@@ -190,6 +190,7 @@ typedef struct {
- char **permitted_listens; /* May also be one of PERMITOPEN_* */
- u_int num_permitted_listens;
-
-+ int use_kuserok;
- char *chroot_directory;
- char *revoked_keys_file;
- char *trusted_user_ca_keys;
-diff -urpa openssh-7.8p1.orig/sshd_config openssh-7.8p1/sshd_config
---- openssh-7.8p1.orig/sshd_config 2018-08-29 09:49:04.827974823 +0000
-+++ openssh-7.8p1/sshd_config 2018-08-29 09:55:47.548970289 +0000
-@@ -68,6 +68,7 @@ AuthorizedKeysFile .ssh/authorized_keys
- #KerberosOrLocalPasswd yes
- #KerberosTicketCleanup yes
- #KerberosGetAFSToken no
-+#KerberosUseKuserok yes
-
- # GSSAPI options
- #GSSAPIAuthentication no
-diff -urpa openssh-7.8p1.orig/sshd_config.5 openssh-7.8p1/sshd_config.5
---- openssh-7.8p1.orig/sshd_config.5 2018-08-29 09:49:04.828974823 +0000
-+++ openssh-7.8p1/sshd_config.5 2018-08-29 09:55:47.549970289 +0000
-@@ -861,6 +861,10 @@ Specifies whether to automatically destr
- file on logout.
- The default is
- .Cm yes .
-+.It Cm KerberosUseKuserok
-+Specifies whether to look at .k5login file for user's aliases.
-+The default is
-+.Dq yes .
- .It Cm KexAlgorithms
- Specifies the available KEX (Key Exchange) algorithms.
- Multiple algorithms must be comma-separated.
-@@ -1124,6 +1128,7 @@ Available keywords are
- .Cm KbdInteractiveAuthentication ,
- .Cm KerberosAuthentication ,
- .Cm LogLevel ,
-+.Cm KerberosUseKuserok ,
- .Cm MaxAuthTries ,
- .Cm MaxSessions ,
- .Cm PasswordAuthentication ,
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
-@@ -61,8 +63,9 @@
+@@ -61,10 +63,11 @@
EXEEXT=@EXEEXT@
MANFMT=@MANFMT@
MKDIR_P=@MKDIR_P@
+INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
+
+ .SUFFIXES: .lo
--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT)
LIBOPENSSH_OBJS=\
ssh_api.o \
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
sandbox-solaris.o
--MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
--MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
-+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
-+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5
+-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out
+-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5
++MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
++MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5
MANTYPE = @MANTYPE@
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-@@ -184,6 +187,9 @@
- ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
- $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+@@ -235,6 +235,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
+ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
+ $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
+ $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-@@ -311,6 +317,10 @@
- $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
+@@ -395,6 +395,10 @@ install-files:
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
-+ $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
-+ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
++ $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
++ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
+ fi
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-@@ -327,6 +337,10 @@
- $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
+@@ -416,6 +416,10 @@ install-files:
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+ $(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
-+ $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
-+ $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
++ $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
++ $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
+ fi
install-sysconf:
- if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
+ $(MKDIR_P) $(DESTDIR)$(sysconfdir)
@@ -352,6 +366,13 @@
else \
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
host-key: ssh-keygen$(EXEEXT)
@if [ -z "$(DESTDIR)" ] ; then \
-@@ -392,6 +413,8 @@
- -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+@@ -488,6 +488,8 @@ uninstall:
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+ -rm -f $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
+ -rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
+ -rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-@@ -403,6 +426,7 @@
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
+@@ -502,6 +502,7 @@ uninstall:
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
regress-prep:
- [ -d `pwd`/regress ] || mkdir -p `pwd`/regress
+ $(MKDIR_P) `pwd`/regress/unittests/test_helper
diff -up openssh-6.2p1/openssh-lpk-openldap.schema.ldap openssh-6.2p1/openssh-lpk-openldap.schema
--- openssh-6.2p1/openssh-lpk-openldap.schema.ldap 2013-03-25 21:27:15.894248110 +0100
+++ openssh-6.2p1/openssh-lpk-openldap.schema 2013-03-25 21:27:15.894248110 +0100
/*
* Flag to indicate that we have received a window change signal which has
* not yet been processed. This will cause a message indicating the new
-@@ -1236,6 +1239,8 @@
- signal(SIGQUIT, signal_handler);
- if (signal(SIGTERM, SIG_IGN) != SIG_IGN)
- signal(SIGTERM, signal_handler);
+@@ -1317,6 +1317,8 @@ client_loop(struct ssh *ssh, int have_pt
+ ssh_signal(SIGQUIT, signal_handler);
+ if (ssh_signal(SIGTERM, SIG_IGN) != SIG_IGN)
+ ssh_signal(SIGTERM, signal_handler);
+ if (enable_sigpipe)
+ signal(SIGPIPE, signal_handler);
- signal(SIGWINCH, window_change_handler);
+ ssh_signal(SIGWINCH, window_change_handler);
if (have_pty)
diff -urN openssh-3.9p1.org/ssh.0 openssh-3.9p1/ssh.0
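Review bot: The SIGPIPE handler in the carried patch is still installed with plain `signal()`, although the refreshed context around it now installs the SIGQUIT, SIGTERM and SIGWINCH handlers through `ssh_signal()`. Unless the difference is deliberate, the added line should follow the same wrapper, `ssh_signal(SIGPIPE, signal_handler);`, so that all handlers in `client_loop` get the same semantics. Presumably this means the same restart and mask behaviour, which should be confirmed against the `ssh_signal` definition. `client_loop` begins and ends outside the hunk.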
+++ /dev/null
-From d422205e757aaf23e8e0e787f842ef37f6a170a2 Mon Sep 17 00:00:00 2001
-From: Colin Watson <cjwatson@ubuntu.com>
-Date: Sun, 9 Feb 2014 16:09:50 +0000
-Subject: Accept obsolete ssh-vulnkey configuration options
-
-These options were used as part of Debian's response to CVE-2008-0166.
-Nearly six years later, we no longer need to continue carrying the bulk
-of that patch, but we do need to avoid failing when the associated
-configuration options are still present.
-
-Last-Update: 2014-02-09
-
-Patch-Name: ssh-vulnkey-compat.patch
----
- readconf.c | 1 +
- servconf.c | 1 +
- 2 files changed, 2 insertions(+)
-
-diff --git a/readconf.c b/readconf.c
-index 7613ff2..bcd8cad 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -226,6 +226,7 @@
- { "passwordauthentication", oPasswordAuthentication },
- { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
- { "kbdinteractivedevices", oKbdInteractiveDevices },
-+ { "useblacklistedkeys", oDeprecated },
- { "pubkeyauthentication", oPubkeyAuthentication },
- { "dsaauthentication", oPubkeyAuthentication }, /* alias */
- { "hostbasedauthentication", oHostbasedAuthentication },
-diff --git a/servconf.c b/servconf.c
-index 0083cf8..90de888 100644
---- a/servconf.c
-+++ b/servconf.c
-@@ -572,6 +572,7 @@
- { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
- { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
- { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
-+ { "permitblacklistedkeys", sDeprecated, SSHCFG_GLOBAL },
- { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
- { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
- { "uselogin", sDeprecated, SSHCFG_GLOBAL },
Summary(ru.UTF-8): OpenSSH - свободная реализация протокола Secure Shell (SSH)
Summary(uk.UTF-8): OpenSSH - вільна реалізація протоколу Secure Shell (SSH)
Name: openssh
-Version: 8.1p1
+Version: 8.2p1
Release: 1
Epoch: 2
License: BSD
Group: Applications/Networking
Source0: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz
-# Source0-md5: 513694343631a99841e815306806edf0
+# Source0-md5: 3076e6413e8dbe56d33848c1054ac091
Source1: http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2
# Source1-md5: 66943d481cc422512b537bcc2c7400d1
Source2: %{name}d.init
# High Performance SSH/SCP - HPN-SSH - http://www.psc.edu/networking/projects/hpn-ssh/
# http://www.psc.edu/networking/projects/hpn-ssh/openssh-5.2p1-hpn13v6.diff.gz
Patch9: %{name}-5.2p1-hpn13v6.diff
-Patch10: %{name}-include.patch
+
Patch11: %{name}-chroot.patch
-Patch12: %{name}-vulnkey-compat.patch
-Patch13: %{name}-kuserok.patch
+Patch12: openssh-bug-2905.patch
+Patch13: %{name}-skip-interop-tests.patch
Patch14: %{name}-bind.patch
Patch15: %{name}-disable_ldap.patch
-Patch16: %{name}-skip-interop-tests.patch
URL: http://www.openssh.com/portable.html
BuildRequires: %{__perl}
%{?with_audit:BuildRequires: audit-libs-devel}
%{?with_kerberos5:BuildRequires: heimdal-devel >= 0.7}
%{?with_ldns:BuildRequires: ldns-devel}
%{?with_libedit:BuildRequires: libedit-devel}
+BuildRequires: libfido2-devel
BuildRequires: libseccomp-devel
%{?with_selinux:BuildRequires: libselinux-devel}
%{?with_ldap:BuildRequires: openldap-devel}
-BuildRequires: openssl-devel >= 1.0.1
+BuildRequires: openssl-devel >= 1.1.0g
BuildRequires: pam-devel
%{?with_gtk:BuildRequires: pkgconfig}
%if %{with tests} && %{with tests_conch}
%prep
%setup -q
-
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch8 -p1
%{?with_hpn:%patch9 -p1}
-%patch10 -p1
+
%patch11 -p1
%patch12 -p1
%patch13 -p1
+
%patch14 -p1
%{!?with_ldap:%patch15 -p1}
-%patch16 -p1
# hack since arc4random from openbsd-compat needs symbols from libssh and vice versa
sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh -lopenbsd-compat#g' Makefile*
--with-pid-dir=%{_localstatedir}/run \
--with-privsep-path=%{_privsepdir} \
--with-privsep-user=sshd \
+ --with-security-key-builtin \
%{?with_selinux:--with-selinux} \
--with-sandbox=seccomp_filter \
--with-xauth=%{_bindir}/xauth
%if %{with tests}
%{__make} -j1 tests \
TEST_SSH_PORT=$((4242 + ${RANDOM:-$$} % 1000)) \
- TEST_SSH_TRACE="yes"
+ TEST_SSH_TRACE="yes" \
%if %{without tests_conch}
SKIP_LTESTS="conch-ciphers"
%endif
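Review bot: The backslash now added after `TEST_SSH_TRACE="yes"` is unconditional, but the line it is meant to continue onto exists only when `tests_conch` is disabled. With `tests_conch` enabled, rpm drops the `%if`/`%endif` block and the continuation joins the `make` command to whatever line follows the conditional. That line is outside this hunk. A single-line macro leaves an empty line when the condition is false, which ends the command cleanly: `%{!?with_tests_conch:SKIP_LTESTS="conch-ciphers"}` in place of the three-line `%if` block.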
%attr(755,root,root) %{_bindir}/ssh-add
%attr(755,root,root) %{_bindir}/ssh-copy-id
%attr(755,root,root) %{_bindir}/scp
+%attr(755,root,root) %{_libexecdir}/ssh-sk-helper
%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/ssh_config
%config(noreplace,missingok) %verify(not md5 mtime size) /etc/env.d/SSH_ASKPASS
%{_mandir}/man1/scp.1*
%{_mandir}/man1/ssh-add.1*
%{_mandir}/man1/ssh-copy-id.1*
%{_mandir}/man5/ssh_config.5*
+%{_mandir}/man8/ssh-sk-helper.8*
%lang(it) %{_mandir}/it/man1/ssh.1*
%lang(it) %{_mandir}/it/man5/ssh_config.5*
%lang(pl) %{_mandir}/pl/man1/scp.1*