--- openssh-5.9p1/channels.c~ 2011-06-23 00:31:57.000000000 +0200
+++ openssh-5.9p1/channels.c 2011-11-12 11:37:15.242015675 +0100
-@@ -3301,6 +3301,8 @@
- if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
- debug2("bind port %d: %.100s", port, strerror(errno));
+@@ -4444,6 +4444,8 @@ x11_create_display_inet(struct ssh *ssh,
+ debug2("%s: bind port %d: %.100s", __func__,
+ port, strerror(errno));
close(sock);
+ if (errno == EADDRNOTAVAIL)
+ continue;
-
- for (n = 0; n < num_socks; n++) {
+ for (n = 0; n < num_socks; n++)
close(socks[n]);
+ num_socks = 0;
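Review bot: The `errno == EADDRNOTAVAIL` test runs after `debug2(...)` and `close(sock)`, and either call may overwrite `errno`, so the decision to `continue` can be made on a value that no longer describes the failed `bind()`. Saving it first keeps the check tied to the bind failure: `int saved_errno = errno;` directly after the failing `bind()`, then `if (saved_errno == EADDRNOTAVAIL) continue;`. The enclosing loop in x11_create_display_inet starts and ends outside the hunk.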
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
-@@ -50,10 +51,13 @@
- #IgnoreUserKnownHosts no
- # Don't read the user's ~/.rhosts and ~/.shosts files
- #IgnoreRhosts yes
-+IgnoreRhosts yes
-
+@@ -50,6 +51,9 @@
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
-+PasswordAuthentication yes
-+PermitEmptyPasswords no
++
++# Allow DSA keys
++## PubkeyAcceptedKeyTypes +ssh-dss
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
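Review bot: The added `# Allow DSA keys` hint above `## PubkeyAcceptedKeyTypes +ssh-dss` does not say why the option is off; OpenSSH disables ssh-dss by default because the algorithm is considered weak. An administrator who uncomments it re-enables that key type for every user of the server. A caveat in the comment would help, for example `# Allow DSA keys (weak, disabled by default upstream; enable only for legacy peers)`. The same applies to the `PubkeyAcceptedKeyTypes` / `HostkeyAlgorithms +ssh-dss` hint in the ssh_config hunk later in this patch.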
-@@ -66,6 +67,8 @@
+@@ -66,6 +70,7 @@
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
+GSSAPIAuthentication yes
-+GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
-@@ -89,10 +89,12 @@
+@@ -89,10 +92,12 @@
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
-@@ -106,6 +109,9 @@
+@@ -106,6 +112,9 @@
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
-@@ -119,6 +130,10 @@
+@@ -119,6 +133,10 @@
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
# X11Forwarding no
--- openssh-4.6p1/ssh_config~ 2006-06-13 05:01:10.000000000 +0200
+++ openssh-4.6p1/ssh_config 2007-10-13 02:00:16.000000000 +0200
-@@ -20,12 +20,15 @@
+@@ -20,10 +20,13 @@
# Host *
# ForwardAgent no
# ForwardX11 no
-+# ForwardX11Trusted yes
- # RhostsRSAAuthentication no
- # RSAAuthentication yes
++# ForwardX11Trusted no
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
-@@ -42,3 +45,19 @@
+@@ -42,3 +45,18 @@
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
+
+Host *
+ GSSAPIAuthentication yes
-+ GSSAPIDelegateCredentials no
-+ ForwardAgent no
-+ ForwardX11 no
+# If this option is set to yes then remote X11 clients will have full access
-+# to the original X11 display. As virtually no X11 client supports the untrusted
-+# mode correctly we set this to yes.
-+ ForwardX11Trusted yes
-+ StrictHostKeyChecking no
++# to the original X11 server. As some X11 clients don't support the untrusted
++# mode correctly, you might consider changing this to 'yes' or using '-Y'.
++# ForwardX11Trusted no
+ ServerAliveInterval 60
+ ServerAliveCountMax 10
+ TCPKeepAlive no
++ # Allow DSA keys
++# PubkeyAcceptedKeyTypes +ssh-dss
++# HostkeyAlgorithms +ssh-dss
+# Send locale-related environment variables, also pass some GIT vars
+ SendEnv LANG LC_* LANGUAGE XMODIFIERS TZ GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL
+ HashKnownHosts yes
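Review bot: The `SendEnv` line sits under `Host *`, so `GIT_AUTHOR_NAME`, `GIT_AUTHOR_EMAIL`, `GIT_COMMITTER_NAME` and `GIT_COMMITTER_EMAIL` are offered to every server the client connects to, not only to trusted git hosts. The comment above it only says "also pass some GIT vars". Consider either documenting the exposure, e.g. `# Offered to every host matched by "Host *"; received only where the server's AcceptEnv allows it`, or moving the GIT_* names into a narrower `Host` block and keeping only the locale variables global.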
-diff -up openssh-5.8p1/auth-krb5.c.kuserok openssh-5.8p1/auth-krb5.c
---- openssh-5.8p1/auth-krb5.c.kuserok 2009-12-21 00:49:22.000000000 +0100
-+++ openssh-5.8p1/auth-krb5.c 2011-02-14 09:15:12.000000000 +0100
+diff -urNpa openssh-7.6p1.orig/auth-krb5.c openssh-7.6p1/auth-krb5.c
+--- openssh-7.6p1.orig/auth-krb5.c 2017-10-02 19:34:26.000000000 +0000
++++ openssh-7.6p1/auth-krb5.c 2017-11-07 07:46:03.640125509 +0000
@@ -54,6 +54,20 @@
extern ServerOptions options;
static int
krb5_init(void *context)
{
-@@ -146,7 +160,7 @@ auth_krb5_password(Authctxt *authctxt, c
+@@ -157,7 +171,7 @@ auth_krb5_password(Authctxt *authctxt, c
if (problem)
goto out;
authctxt->pw->pw_name)) {
problem = -1;
goto out;
-diff -up openssh-5.8p1/gss-serv-krb5.c.kuserok openssh-5.8p1/gss-serv-krb5.c
---- openssh-5.8p1/gss-serv-krb5.c.kuserok 2006-09-01 07:38:36.000000000 +0200
-+++ openssh-5.8p1/gss-serv-krb5.c 2011-02-14 09:15:12.000000000 +0100
+diff -urNpa openssh-7.6p1.orig/gss-serv-krb5.c openssh-7.6p1/gss-serv-krb5.c
+--- openssh-7.6p1.orig/gss-serv-krb5.c 2017-10-02 19:34:26.000000000 +0000
++++ openssh-7.6p1/gss-serv-krb5.c 2017-11-07 07:46:03.640125509 +0000
@@ -57,6 +57,7 @@ extern ServerOptions options;
#endif
/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
-@@ -97,7 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
+@@ -99,7 +100,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
krb5_free_error_message(krb_context, errmsg);
return 0;
}
retval = 1;
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
name, (char *)client->displayname.value);
-diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c
---- openssh-5.8p1/servconf.c.kuserok 2011-02-14 09:15:12.000000000 +0100
-+++ openssh-5.8p1/servconf.c 2011-02-14 09:20:22.000000000 +0100
-@@ -133,6 +133,7 @@
+diff -urNpa openssh-7.6p1.orig/servconf.c openssh-7.6p1/servconf.c
+--- openssh-7.6p1.orig/servconf.c 2017-11-07 07:44:54.000000000 +0000
++++ openssh-7.6p1/servconf.c 2017-11-07 07:48:00.014118573 +0000
+@@ -152,6 +152,7 @@ initialize_server_options(ServerOptions
options->num_accept_env = 0;
options->permit_tun = -1;
- options->num_permitted_opens = -1;
+ options->permitted_opens = NULL;
+ options->use_kuserok = -1;
options->adm_forced_command = NULL;
options->chroot_directory = NULL;
options->authorized_keys_command = NULL;
-@@ -291,6 +292,8 @@ fill_default_server_options(ServerOption
- if (use_privsep == -1)
- use_privsep = PRIVSEP_NOSANDBOX;
+@@ -377,6 +378,8 @@ fill_default_server_options(ServerOption
+ options->num_auth_methods = 0;
+ }
+ if (options->use_kuserok == -1)
+ options->use_kuserok = 1;
#ifndef HAVE_MMAP
if (use_privsep && options->compression == 1) {
error("This platform does not support both privilege "
-@@ -312,7 +315,7 @@ typedef enum {
+@@ -399,7 +402,7 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
sKerberosTgtPassing, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
-@@ -381,11 +384,13 @@ static struct {
+@@ -484,11 +487,13 @@ static struct {
#else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
#endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
-@@ -1341,6 +1346,10 @@ process_server_config_line(ServerOptions
+@@ -1674,6 +1679,10 @@ process_server_config_line(ServerOptions
*activep = value;
break;
case sPermitOpen:
arg = strdelim(&cp);
if (!arg || *arg == '\0')
-@@ -1544,6 +1553,7 @@ copy_set_server_options(ServerOptions *d
- M_CP_INTOPT(ip_qos_bulk);
+@@ -2055,6 +2064,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval);
+ M_CP_INTOPT(log_level);
+ M_CP_INTOPT(use_kuserok);
- /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
- #define M_CP_STROPT(n) do {\
-@@ -1764,6 +1774,7 @@ dump_config(ServerOptions *o)
- dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
- dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
+ /*
+ * The bind_mask is a mode_t that may be unsigned, so we can't use
+@@ -2346,6 +2356,7 @@ dump_config(ServerOptions *o)
+ dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
+ dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
-diff -up openssh-5.8p1/servconf.h.kuserok openssh-5.8p1/servconf.h
---- openssh-5.8p1/servconf.h.kuserok 2011-02-14 09:15:12.000000000 +0100
-+++ openssh-5.8p1/servconf.h 2011-02-14 09:15:12.000000000 +0100
-@@ -157,6 +157,7 @@ typedef struct {
-
- int num_permitted_opens;
+diff -urNpa openssh-7.6p1.orig/servconf.h openssh-7.6p1/servconf.h
+--- openssh-7.6p1.orig/servconf.h 2017-11-07 07:44:54.000000000 +0000
++++ openssh-7.6p1/servconf.h 2017-11-07 07:46:03.642125509 +0000
+@@ -180,6 +180,7 @@ typedef struct {
+ char **permitted_opens;
+ u_int num_permitted_opens; /* May also be one of PERMITOPEN_* */
+ int use_kuserok;
char *chroot_directory;
char *revoked_keys_file;
char *trusted_user_ca_keys;
-diff -up openssh-5.8p1/sshd_config.5.kuserok openssh-5.8p1/sshd_config.5
---- openssh-5.8p1/sshd_config.5.kuserok 2011-02-14 09:15:12.000000000 +0100
-+++ openssh-5.8p1/sshd_config.5 2011-02-14 09:17:11.000000000 +0100
-@@ -836,6 +836,10 @@
+diff -urNpa openssh-7.6p1.orig/sshd_config openssh-7.6p1/sshd_config
+--- openssh-7.6p1.orig/sshd_config 2017-11-07 07:44:54.000000000 +0000
++++ openssh-7.6p1/sshd_config 2017-11-07 07:46:03.642125509 +0000
+@@ -69,6 +69,7 @@ AuthorizedKeysFile .ssh/authorized_keys
+ #KerberosOrLocalPasswd yes
+ #KerberosTicketCleanup yes
+ #KerberosGetAFSToken no
++#KerberosUseKuserok yes
+
+ # GSSAPI options
+ #GSSAPIAuthentication no
+diff -urNpa openssh-7.6p1.orig/sshd_config.5 openssh-7.6p1/sshd_config.5
+--- openssh-7.6p1.orig/sshd_config.5 2017-11-07 07:44:54.000000000 +0000
++++ openssh-7.6p1/sshd_config.5 2017-11-07 07:48:44.118115944 +0000
+@@ -854,6 +854,10 @@ Specifies whether to automatically destr
file on logout.
The default is
.Cm yes .
.It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
-@@ -1064,6 +1068,7 @@
- .Cm IPQoS ,
+@@ -1087,6 +1091,7 @@ Available keywords are
.Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication ,
+ .Cm LogLevel ,
+.Cm KerberosUseKuserok ,
.Cm MaxAuthTries ,
.Cm MaxSessions ,
.Cm PasswordAuthentication ,
-diff -up openssh-5.8p1/sshd_config.kuserok openssh-5.8p1/sshd_config
---- openssh-5.8p1/sshd_config.kuserok 2011-02-14 09:15:12.000000000 +0100
-+++ openssh-5.8p1/sshd_config 2011-02-14 09:15:12.000000000 +0100
-@@ -73,6 +73,7 @@ ChallengeResponseAuthentication no
- #KerberosOrLocalPasswd yes
- #KerberosTicketCleanup yes
- #KerberosGetAFSToken no
-+#KerberosUseKuserok yes
-
- # GSSAPI options
- #GSSAPIAuthentication no
--- /dev/null
+--- a/configure.ac~ 2017-10-02 21:34:26.000000000 +0200
++++ b/configure.ac 2017-10-06 08:35:16.756080761 +0200
+@@ -1487,7 +1487,7 @@ AC_ARG_WITH(ldns,
+ ldns=""
+ if test "x$withval" = "xyes" ; then
+ AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no])
+- if test "x$PKGCONFIG" = "xno"; then
++ if test "x$LDNSCONFIG" = "xno"; then
+ CPPFLAGS="$CPPFLAGS -I${withval}/include"
+ LDFLAGS="$LDFLAGS -L${withval}/lib"
+ LIBS="-lldns $LIBS"
+
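Review bot: Inside the `"x$withval" = "xyes"` branch, the fallback taken when `ldns-config` is not found expands `${withval}` to the literal `yes`, so the flags appear to become `-Iyes/include` and `-Lyes/lib`. These are relative search paths, resolved against the build directory. The patch corrects which variable is tested but leaves that fallback unchanged. Since the spec passes a bare `--with-ldns`, it would be safer for this branch to stop with `AC_MSG_ERROR`, or to add only `LIBS="-lldns $LIBS"` and rely on the default search paths. The rest of the `AC_ARG_WITH(ldns, ...)` block is outside the hunk.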
+++ /dev/null
-diff -urN openssh-3.0p1.orig/configure.ac openssh-3.0p1/configure.ac
---- openssh-3.0p1.orig/configure.ac Sat Nov 3 20:09:33 2001
-+++ openssh-3.0p1/configure.ac Wed Nov 7 16:22:54 2001
-@@ -123,6 +123,8 @@
- AC_DEFINE(LOCKED_PASSWD_PREFIX, "!!")
- AC_DEFINE(SPT_TYPE,SPT_REUSEARGV)
- inet6_default_4in6=yes
-+ no_libnsl=1
-+ no_libsocket=1
- case `uname -r` in
- 1.*|2.0.*)
- AC_DEFINE(BROKEN_CMSG_TYPE)
-b bind_address
--- openssh-5.6p1/ssh.1~ 2010-08-24 14:05:48.000000000 +0300
+++ openssh-5.6p1/ssh.1 2010-08-24 14:06:57.879253682 +0300
-@@ -44,7 +44,7 @@
+@@ -43,7 +43,7 @@
.Sh SYNOPSIS
.Nm ssh
.Bk -words
--.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
-+.Op Fl 1246AaBCfGgKkMNnqsTtVvXxYy
+-.Op Fl 46AaCfGgKkMNnqsTtVvXxYy
++.Op Fl 46AaBCfGgKkMNnqsTtVvXxYy
.Op Fl b Ar bind_address
.Op Fl c Ar cipher_spec
.Op Fl D Oo Ar bind_address : Oc Ns Ar port
/* # of replies received for global requests */
static int client_global_request_id = 0;
-@@ -199,7 +199,7 @@ static void
+@@ -200,7 +200,7 @@ static void
usage(void)
{
fprintf(stderr,
--"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
-+"usage: ssh [-1246AaBCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
+-"usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
++"usage: ssh [-46AaBCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
" [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
" [-F configfile] [-I pkcs11] [-i identity_file]\n"
- " [-L [bind_address:]port:host:hostport] [-Q protocol_feature]\n"
+ " [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n"
@@ -330,7 +330,7 @@ main(int ac, char **av)
again:
index 7613ff2..bcd8cad 100644
--- a/readconf.c
+++ b/readconf.c
-@@ -172,6 +172,7 @@ static struct {
+@@ -226,6 +226,7 @@ static struct {
{ "passwordauthentication", oPasswordAuthentication },
{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
{ "kbdinteractivedevices", oKbdInteractiveDevices },
+ { "useblacklistedkeys", oDeprecated },
- { "rsaauthentication", oRSAAuthentication },
{ "pubkeyauthentication", oPubkeyAuthentication },
{ "dsaauthentication", oPubkeyAuthentication }, /* alias */
+ { "hostbasedauthentication", oHostbasedAuthentication },
diff --git a/servconf.c b/servconf.c
index 0083cf8..90de888 100644
--- a/servconf.c
+++ b/servconf.c
-@@ -448,6 +448,7 @@ static struct {
+@@ -521,6 +521,7 @@ static struct {
{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
#
# Conditional build:
%bcond_without audit # sshd audit support
-%bcond_with gnome # with gnome-askpass (GNOME 1.x) utility
-%bcond_without gtk # without GTK+ (2.x)
-%bcond_without ldap # with ldap support
-%bcond_without libedit # without libedit (editline/history support in sftp client)
-%bcond_without kerberos5 # without kerberos5 support
-%bcond_without selinux # build without SELinux support
+%bcond_with gnome # gnome-askpass (GNOME 1.x) utility
+%bcond_without gtk # gnome-askpass (GTK+ 2.x) utility
+%bcond_without ldap # LDAP support
+%bcond_with ldns # DNSSEC support via libldns
+%bcond_without libedit # libedit (editline/history support in sftp client)
+%bcond_without kerberos5 # Kerberos5 support
+%bcond_without selinux # SELinux support
%bcond_without libseccomp # use libseccomp for seccomp privsep (requires 3.5 kernel)
%bcond_with hpn # High Performance SSH/SCP - HPN-SSH including Cipher NONE (broken too often)
-%bcond_without tests
+%bcond_without tests # test suite
# gtk2-based gnome-askpass means no gnome1-based
%{?with_gtk:%undefine with_gnome}
Summary(ru.UTF-8): OpenSSH - свободная реализация протокола Secure Shell (SSH)
Summary(uk.UTF-8): OpenSSH - вільна реалізація протоколу Secure Shell (SSH)
Name: openssh
-Version: 7.4p1
+Version: 7.6p1
Release: 1
Epoch: 2
License: BSD
Group: Applications/Networking
Source0: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz
-# Source0-md5: b2db2a83caf66a208bb78d6d287cdaa3
+# Source0-md5: 06a88699018e5fef13d4655abfed1f63
Source1: http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2
# Source1-md5: 66943d481cc422512b537bcc2c7400d1
Source2: %{name}d.init
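Review bot: The refreshed `# Source0-md5:` line is the only integrity pin for a tarball that `Source0` fetches over plain `http://`. MD5 is collision-broken and no longer recommended for this purpose, and the digest is presumably computed from a download made over that same unauthenticated channel. Before updating the pin on a version bump, verify the tarball against the upstream release signature. Where the build tooling allows it, also switch the URL to HTTPS and record a SHA-256 digest next to the MD5. The `Source1` line has the same http-plus-MD5 pattern.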
Source6: ssh-agent.conf
Source7: %{name}-lpk.schema
Source8: sshd-keygen
-Patch0: %{name}-no_libnsl.patch
+Patch0: %{name}-ldns.patch
Patch1: %{name}-tests-reuseport.patch
Patch2: %{name}-pam_misc.patch
Patch3: %{name}-sigpipe.patch
Patch14: %{name}-bind.patch
Patch15: %{name}-disable_ldap.patch
Patch16: libseccomp-sandbox.patch
-Patch17: ssh-keygen-no-ssh1.patch
URL: http://www.openssh.com/portable.html
BuildRequires: %{__perl}
%{?with_audit:BuildRequires: audit-libs-devel}
%{?with_gnome:BuildRequires: gnome-libs-devel}
%{?with_gtk:BuildRequires: gtk+2-devel}
%{?with_kerberos5:BuildRequires: heimdal-devel >= 0.7}
+%{?with_ldns:BuildRequires: ldns-devel}
%{?with_libedit:BuildRequires: libedit-devel}
BuildRequires: libseccomp-devel
%{?with_selinux:BuildRequires: libselinux-devel}
%{?with_ldap:BuildRequires: openldap-devel}
-BuildRequires: openssl-devel >= 0.9.8f
+BuildRequires: openssl-devel >= 1.0.1
BuildRequires: pam-devel
%{?with_gtk:BuildRequires: pkgconfig}
BuildRequires: rpm >= 4.4.9-56
%patch14 -p1
%{!?with_ldap:%patch15 -p1}
%{?with_libseccomp:%patch16 -p1}
-%patch17 -p1
# hack since arc4random from openbsd-compat needs symbols from libssh and vice versa
sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh -lopenbsd-compat#g' Makefile*
%{__sed} -i -e 's,/usr/libexec/openssh/ssh-ldap-helper,%{_libexecdir}/ssh-ldap-helper,'
# prevent being ovewritten by aclocal calls
-mv aclocal.m4 acinclude.m4
+%{__mv} aclocal.m4 acinclude.m4
%build
cp /usr/share/automake/config.sub .
--with-ipaddr-display \
%{?with_kerberos5:--with-kerberos5=/usr} \
--with-ldap%{!?with_ldap:=no} \
+ %{?with_ldns:--with-ldns} \
%{?with_libedit:--with-libedit} \
--with-mantype=man \
--with-md5-passwords \
+++ /dev/null
-diff -ur openssh-7.1p1.orig/ssh-keygen.c openssh-7.1p1/ssh-keygen.c
---- openssh-7.1p1.orig/ssh-keygen.c 2015-08-21 04:49:03.000000000 +0000
-+++ openssh-7.1p1/ssh-keygen.c 2015-11-18 08:50:13.050305000 +0000
-@@ -2148,7 +2148,11 @@
- usage(void)
- {
- fprintf(stderr,
-+#ifdef WITH_SSH1
- "usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]\n"
-+#else
-+ "usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa]\n"
-+#endif
- " [-N new_passphrase] [-C comment] [-f output_keyfile]\n"
- " ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]\n"
- " ssh-keygen -i [-m key_format] [-f input_keyfile]\n"