From: Marcin Krol Date: Tue, 7 Nov 2017 08:07:54 +0000 (+0000) Subject: - merged 7.6p1 from PLD, updated TLD specific patches X-Git-Url: https://git.tld-linux.org/?a=commitdiff_plain;h=ed904a7eb15944e8a8679c8a81568df7bc44d209;p=packages%2Fopenssh.git - merged 7.6p1 from PLD, updated TLD specific patches --- diff --git a/openssh-bind.patch b/openssh-bind.patch index 718caa6..504eb59 100644 --- a/openssh-bind.patch +++ b/openssh-bind.patch @@ -1,11 +1,11 @@ --- openssh-5.9p1/channels.c~ 2011-06-23 00:31:57.000000000 +0200 +++ openssh-5.9p1/channels.c 2011-11-12 11:37:15.242015675 +0100 -@@ -3301,6 +3301,8 @@ - if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { - debug2("bind port %d: %.100s", port, strerror(errno)); +@@ -4444,6 +4444,8 @@ x11_create_display_inet(struct ssh *ssh, + debug2("%s: bind port %d: %.100s", __func__, + port, strerror(errno)); close(sock); + if (errno == EADDRNOTAVAIL) + continue; - - for (n = 0; n < num_socks; n++) { + for (n = 0; n < num_socks; n++) close(socks[n]); + num_socks = 0; diff --git a/openssh-config.patch b/openssh-config.patch index 51c9878..915d1d7 100644 --- a/openssh-config.patch +++ b/openssh-config.patch 
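Review bot: In the rebased openssh-bind.patch hunk for x11_create_display_inet, `errno` is tested for `EADDRNOTAVAIL` only after `debug2()` and `close(sock)` have run, and either call may overwrite the value left by the failed bind(). Capturing it first keeps the check reliable: `int saved_errno = errno;` directly after the bind() failure, then `if (saved_errno == EADDRNOTAVAIL) continue;`. The bind() call and the rest of the loop sit outside the hunk, so the exact placement needs confirming against channels.c in 7.6p1.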
@@ -9,30 +9,25 @@ #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 -@@ -50,10 +51,13 @@ - #IgnoreUserKnownHosts no - # Don't read the user's ~/.rhosts and ~/.shosts files - #IgnoreRhosts yes -+IgnoreRhosts yes - +@@ -50,6 +51,9 @@ # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no -+PasswordAuthentication yes -+PermitEmptyPasswords no ++ ++# Allow DSA keys ++## PubkeyAcceptedKeyTypes +ssh-dss # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes -@@ -66,6 +67,8 @@ +@@ -66,6 +70,7 @@ # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes +GSSAPIAuthentication yes -+GSSAPICleanupCredentials yes # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will -@@ -89,10 +89,12 @@ +@@ -89,10 +92,12 @@ # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. @@ -47,7 +42,7 @@ #GatewayPorts no #X11Forwarding no #X11DisplayOffset 10 -@@ -106,6 +109,9 @@ +@@ -106,6 +112,9 @@ # no default banner path #Banner /some/path @@ -57,7 +52,7 @@ # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server -@@ -119,6 +130,10 @@ +@@ -119,6 +133,10 @@ # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server @@ -70,13 +65,11 @@ # X11Forwarding no --- openssh-4.6p1/ssh_config~ 2006-06-13 05:01:10.000000000 +0200 +++ openssh-4.6p1/ssh_config 2007-10-13 02:00:16.000000000 +0200 -@@ -20,12 +20,15 @@ +@@ -20,10 +20,13 @@ # Host * # ForwardAgent no # ForwardX11 no -+# ForwardX11Trusted yes - # RhostsRSAAuthentication no - # RSAAuthentication yes ++# ForwardX11Trusted no # PasswordAuthentication yes # HostbasedAuthentication no # GSSAPIAuthentication no 
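Review bot: The `# Allow DSA keys` stanza added to sshd_config in the first openssh-config.patch hunk gives no reason why the option below it is left commented out. Upstream disables ssh-dss by default because it is a weak legacy algorithm, so the comment should say so, for example `# ssh-dss is disabled by default upstream (weak, legacy); enable only for peers that cannot use another key type`. The ssh_config `Host *` hunk further down carries the same stanza for `PubkeyAcceptedKeyTypes` and `HostkeyAlgorithms` and needs the same wording.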
@@ -86,24 +79,23 @@ # BatchMode no # CheckHostIP yes # AddressFamily any -@@ -42,3 +45,19 @@ +@@ -42,3 +45,18 @@ # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com # RekeyLimit 1G 1h + +Host * + GSSAPIAuthentication yes -+ GSSAPIDelegateCredentials no -+ ForwardAgent no -+ ForwardX11 no +# If this option is set to yes then remote X11 clients will have full access -+# to the original X11 display. As virtually no X11 client supports the untrusted -+# mode correctly we set this to yes. -+ ForwardX11Trusted yes -+ StrictHostKeyChecking no ++# to the original X11 server. As some X11 clients don't support the untrusted ++# mode correctly, you might consider changing this to 'yes' or using '-Y'. ++# ForwardX11Trusted no + ServerAliveInterval 60 + ServerAliveCountMax 10 + TCPKeepAlive no ++ # Allow DSA keys ++# PubkeyAcceptedKeyTypes +ssh-dss ++# HostkeyAlgorithms +ssh-dss +# Send locale-related environment variables, also pass some GIT vars + SendEnv LANG LC_* LANGUAGE XMODIFIERS TZ GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL + HashKnownHosts yes diff --git a/openssh-kuserok.patch b/openssh-kuserok.patch index 38df2ed..9778dbb 100644 --- a/openssh-kuserok.patch +++ b/openssh-kuserok.patch @@ -1,6 +1,6 @@ -diff -up openssh-5.8p1/auth-krb5.c.kuserok openssh-5.8p1/auth-krb5.c ---- openssh-5.8p1/auth-krb5.c.kuserok 2009-12-21 00:49:22.000000000 +0100 -+++ openssh-5.8p1/auth-krb5.c 2011-02-14 09:15:12.000000000 +0100 +diff -urNpa openssh-7.6p1.orig/auth-krb5.c openssh-7.6p1/auth-krb5.c +--- openssh-7.6p1.orig/auth-krb5.c 2017-10-02 19:34:26.000000000 +0000 ++++ openssh-7.6p1/auth-krb5.c 2017-11-07 07:46:03.640125509 +0000 @@ -54,6 +54,20 @@ extern ServerOptions options; 
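Review bot: The `Host *` block kept in the ssh_config hunk still sends `GIT_AUTHOR_NAME`, `GIT_AUTHOR_EMAIL`, `GIT_COMMITTER_NAME` and `GIT_COMMITTER_EMAIL` to every server the client connects to, which discloses the user's name and mail address to hosts that have no use for them. A server only acts on these variables if its AcceptEnv allows them, but the client transmits the values either way. Since this commit already tightens the other client defaults, I would reduce the global line to `SendEnv LANG LC_* LANGUAGE XMODIFIERS TZ` and leave the GIT_* variables to per-host blocks.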
@@ -22,7 +22,7 @@ diff -up openssh-5.8p1/auth-krb5.c.kuserok openssh-5.8p1/auth-krb5.c static int krb5_init(void *context) { -@@ -146,7 +160,7 @@ auth_krb5_password(Authctxt *authctxt, c +@@ -157,7 +171,7 @@ auth_krb5_password(Authctxt *authctxt, c if (problem) goto out; @@ -31,9 +31,9 @@ diff -up openssh-5.8p1/auth-krb5.c.kuserok openssh-5.8p1/auth-krb5.c authctxt->pw->pw_name)) { problem = -1; goto out; -diff -up openssh-5.8p1/gss-serv-krb5.c.kuserok openssh-5.8p1/gss-serv-krb5.c ---- openssh-5.8p1/gss-serv-krb5.c.kuserok 2006-09-01 07:38:36.000000000 +0200 -+++ openssh-5.8p1/gss-serv-krb5.c 2011-02-14 09:15:12.000000000 +0100 +diff -urNpa openssh-7.6p1.orig/gss-serv-krb5.c openssh-7.6p1/gss-serv-krb5.c +--- openssh-7.6p1.orig/gss-serv-krb5.c 2017-10-02 19:34:26.000000000 +0000 ++++ openssh-7.6p1/gss-serv-krb5.c 2017-11-07 07:46:03.640125509 +0000 @@ -57,6 +57,7 @@ extern ServerOptions options; #endif @@ -42,7 +42,7 @@ diff -up openssh-5.8p1/gss-serv-krb5.c.kuserok openssh-5.8p1/gss-serv-krb5.c /* Initialise the krb5 library, for the stuff that GSSAPI won't do */ -@@ -97,7 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client +@@ -99,7 +100,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client krb5_free_error_message(krb_context, errmsg); return 0; } 
@@ -51,27 +51,27 @@ diff -up openssh-5.8p1/gss-serv-krb5.c.kuserok openssh-5.8p1/gss-serv-krb5.c retval = 1; logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", name, (char *)client->displayname.value); -diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c ---- openssh-5.8p1/servconf.c.kuserok 2011-02-14 09:15:12.000000000 +0100 -+++ openssh-5.8p1/servconf.c 2011-02-14 09:20:22.000000000 +0100 -@@ -133,6 +133,7 @@ +diff -urNpa openssh-7.6p1.orig/servconf.c openssh-7.6p1/servconf.c +--- openssh-7.6p1.orig/servconf.c 2017-11-07 07:44:54.000000000 +0000 ++++ openssh-7.6p1/servconf.c 2017-11-07 07:48:00.014118573 +0000 +@@ -152,6 +152,7 @@ initialize_server_options(ServerOptions options->num_accept_env = 0; options->permit_tun = -1; - options->num_permitted_opens = -1; + options->permitted_opens = NULL; + options->use_kuserok = -1; options->adm_forced_command = NULL; options->chroot_directory = NULL; options->authorized_keys_command = NULL; -@@ -291,6 +292,8 @@ fill_default_server_options(ServerOption - if (use_privsep == -1) - use_privsep = PRIVSEP_NOSANDBOX; +@@ -377,6 +378,8 @@ fill_default_server_options(ServerOption + options->num_auth_methods = 0; + } + if (options->use_kuserok == -1) + options->use_kuserok = 1; #ifndef HAVE_MMAP if (use_privsep && options->compression == 1) { error("This platform does not support both privilege " -@@ -312,7 +315,7 @@ typedef enum { +@@ -399,7 +402,7 @@ typedef enum { sPermitRootLogin, sLogFacility, sLogLevel, sRhostsRSAAuthentication, sRSAAuthentication, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, @@ -80,7 +80,7 @@ diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c sKerberosTgtPassing, sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sAddressFamily, -@@ -381,11 +384,13 @@ static struct { +@@ -484,11 +487,13 @@ static struct { #else { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, #endif 
@@ -94,7 +94,7 @@ diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c #endif { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, -@@ -1341,6 +1346,10 @@ process_server_config_line(ServerOptions +@@ -1674,6 +1679,10 @@ process_server_config_line(ServerOptions *activep = value; break; 
@@ -105,37 +105,48 @@ diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c case sPermitOpen: arg = strdelim(&cp); if (!arg || *arg == '\0') -@@ -1544,6 +1553,7 @@ copy_set_server_options(ServerOptions *d - M_CP_INTOPT(ip_qos_bulk); +@@ -2055,6 +2064,7 @@ copy_set_server_options(ServerOptions *d M_CP_INTOPT(rekey_limit); M_CP_INTOPT(rekey_interval); + M_CP_INTOPT(log_level); + M_CP_INTOPT(use_kuserok); - /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */ - #define M_CP_STROPT(n) do {\ -@@ -1764,6 +1774,7 @@ dump_config(ServerOptions *o) - dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); - dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); + /* + * The bind_mask is a mode_t that may be unsigned, so we can't use +@@ -2346,6 +2356,7 @@ dump_config(ServerOptions *o) + dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); + dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info); + dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok); /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); -diff -up openssh-5.8p1/servconf.h.kuserok openssh-5.8p1/servconf.h ---- openssh-5.8p1/servconf.h.kuserok 2011-02-14 09:15:12.000000000 +0100 -+++ openssh-5.8p1/servconf.h 2011-02-14 09:15:12.000000000 +0100 -@@ -157,6 +157,7 @@ typedef struct { - - int num_permitted_opens; +diff -urNpa openssh-7.6p1.orig/servconf.h openssh-7.6p1/servconf.h +--- openssh-7.6p1.orig/servconf.h 2017-11-07 07:44:54.000000000 +0000 ++++ openssh-7.6p1/servconf.h 2017-11-07 07:46:03.642125509 +0000 +@@ -180,6 +180,7 @@ typedef struct { + char **permitted_opens; + u_int num_permitted_opens; /* May also be one of PERMITOPEN_* */ + int use_kuserok; char *chroot_directory; char *revoked_keys_file; char *trusted_user_ca_keys; -diff -up openssh-5.8p1/sshd_config.5.kuserok openssh-5.8p1/sshd_config.5 ---- openssh-5.8p1/sshd_config.5.kuserok 2011-02-14 
09:15:12.000000000 +0100 -+++ openssh-5.8p1/sshd_config.5 2011-02-14 09:17:11.000000000 +0100 -@@ -836,6 +836,10 @@ +diff -urNpa openssh-7.6p1.orig/sshd_config openssh-7.6p1/sshd_config +--- openssh-7.6p1.orig/sshd_config 2017-11-07 07:44:54.000000000 +0000 ++++ openssh-7.6p1/sshd_config 2017-11-07 07:46:03.642125509 +0000 +@@ -69,6 +69,7 @@ AuthorizedKeysFile .ssh/authorized_keys + #KerberosOrLocalPasswd yes + #KerberosTicketCleanup yes + #KerberosGetAFSToken no ++#KerberosUseKuserok yes + + # GSSAPI options + #GSSAPIAuthentication no +diff -urNpa openssh-7.6p1.orig/sshd_config.5 openssh-7.6p1/sshd_config.5 +--- openssh-7.6p1.orig/sshd_config.5 2017-11-07 07:44:54.000000000 +0000 ++++ openssh-7.6p1/sshd_config.5 2017-11-07 07:48:44.118115944 +0000 +@@ -854,6 +854,10 @@ Specifies whether to automatically destr file on logout. The default is .Cm yes . @@ -146,22 +157,11 @@ diff -up openssh-5.8p1/sshd_config.5.kuserok openssh-5.8p1/sshd_config.5 .It Cm KexAlgorithms Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. -@@ -1064,6 +1068,7 @@ - .Cm IPQoS , +@@ -1087,6 +1091,7 @@ Available keywords are .Cm KbdInteractiveAuthentication , .Cm KerberosAuthentication , + .Cm LogLevel , +.Cm KerberosUseKuserok , .Cm MaxAuthTries , .Cm MaxSessions , .Cm PasswordAuthentication , -diff -up openssh-5.8p1/sshd_config.kuserok openssh-5.8p1/sshd_config ---- openssh-5.8p1/sshd_config.kuserok 2011-02-14 09:15:12.000000000 +0100 -+++ openssh-5.8p1/sshd_config 2011-02-14 09:15:12.000000000 +0100 -@@ -73,6 +73,7 @@ ChallengeResponseAuthentication no - #KerberosOrLocalPasswd yes - #KerberosTicketCleanup yes - #KerberosGetAFSToken no -+#KerberosUseKuserok yes - - # GSSAPI options - #GSSAPIAuthentication no diff --git a/openssh-ldns.patch b/openssh-ldns.patch new file mode 100644 index 0000000..367c5e8 --- /dev/null +++ b/openssh-ldns.patch 
@@ -0,0 +1,12 @@ +--- a/configure.ac~ 2017-10-02 21:34:26.000000000 +0200 ++++ b/configure.ac 2017-10-06 08:35:16.756080761 +0200 +@@ -1487,7 +1487,7 @@ AC_ARG_WITH(ldns, + ldns="" + if test "x$withval" = "xyes" ; then + AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no]) +- if test "x$PKGCONFIG" = "xno"; then ++ if test "x$LDNSCONFIG" = "xno"; then + CPPFLAGS="$CPPFLAGS -I${withval}/include" + LDFLAGS="$LDFLAGS -L${withval}/lib" + LIBS="-lldns $LIBS" + diff --git a/openssh-no_libnsl.patch b/openssh-no_libnsl.patch deleted file mode 100644 index 2ec9cbb..0000000 --- a/openssh-no_libnsl.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -urN openssh-3.0p1.orig/configure.ac openssh-3.0p1/configure.ac ---- openssh-3.0p1.orig/configure.ac Sat Nov 3 20:09:33 2001 -+++ openssh-3.0p1/configure.ac Wed Nov 7 16:22:54 2001 -@@ -123,6 +123,8 @@ - AC_DEFINE(LOCKED_PASSWD_PREFIX, "!!") - AC_DEFINE(SPT_TYPE,SPT_REUSEARGV) - inet6_default_4in6=yes -+ no_libnsl=1 -+ no_libsocket=1 - case `uname -r` in - 1.*|2.0.*) - AC_DEFINE(BROKEN_CMSG_TYPE) diff --git a/openssh-sigpipe.patch b/openssh-sigpipe.patch index fccaf42..742640c 100644 --- a/openssh-sigpipe.patch +++ b/openssh-sigpipe.patch @@ -33,12 +33,12 @@ diff -urN openssh-3.9p1.org/ssh.0 openssh-3.9p1/ssh.0 -b bind_address --- openssh-5.6p1/ssh.1~ 2010-08-24 14:05:48.000000000 +0300 +++ openssh-5.6p1/ssh.1 2010-08-24 14:06:57.879253682 +0300 -@@ -44,7 +44,7 @@ +@@ -43,7 +43,7 @@ .Sh SYNOPSIS .Nm ssh .Bk -words --.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy -+.Op Fl 1246AaBCfGgKkMNnqsTtVvXxYy +-.Op Fl 46AaCfGgKkMNnqsTtVvXxYy ++.Op Fl 46AaBCfGgKkMNnqsTtVvXxYy .Op Fl b Ar bind_address .Op Fl c Ar cipher_spec .Op Fl D Oo Ar bind_address : Oc Ns Ar port 
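Review bot: The fallback branch corrected in openssh-ldns.patch still expands `${withval}` while `withval` is known to be `yes`, so when ldns-config is not found the build gets `-Iyes/include` and `-Lyes/lib`, relative search paths that resolve inside the build directory. With the `$LDNSCONFIG` test now correct, this is the branch taken whenever ldns-config is missing, so I would drop the two path lines there and keep only `LIBS="-lldns $LIBS"`. The AC_ARG_WITH block continues past the hunk, so its else branch is not visible here.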
@@ -66,15 +66,15 @@ diff -urN openssh-3.9p1.org/ssh.0 openssh-3.9p1/ssh.0 /* # of replies received for global requests */ static int client_global_request_id = 0; -@@ -199,7 +199,7 @@ static void +@@ -200,7 +200,7 @@ static void usage(void) { fprintf(stderr, --"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" -+"usage: ssh [-1246AaBCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" +-"usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" ++"usage: ssh [-46AaBCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n" " [-F configfile] [-I pkcs11] [-i identity_file]\n" - " [-L [bind_address:]port:host:hostport] [-Q protocol_feature]\n" + " [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n" @@ -330,7 +330,7 @@ main(int ac, char **av) again: diff --git a/openssh-vulnkey-compat.patch b/openssh-vulnkey-compat.patch index 30f5056..6faf184 100644 --- a/openssh-vulnkey-compat.patch +++ b/openssh-vulnkey-compat.patch @@ -20,19 +20,19 @@ diff --git a/readconf.c b/readconf.c index 7613ff2..bcd8cad 100644 --- a/readconf.c +++ b/readconf.c -@@ -172,6 +172,7 @@ static struct { +@@ -226,6 +226,7 @@ static struct { { "passwordauthentication", oPasswordAuthentication }, { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, { "kbdinteractivedevices", oKbdInteractiveDevices }, + { "useblacklistedkeys", oDeprecated }, - { "rsaauthentication", oRSAAuthentication }, { "pubkeyauthentication", oPubkeyAuthentication }, { "dsaauthentication", oPubkeyAuthentication }, /* alias */ + { "hostbasedauthentication", oHostbasedAuthentication }, diff --git a/servconf.c b/servconf.c index 0083cf8..90de888 100644 --- a/servconf.c 
+++ b/servconf.c -@@ -448,6 +448,7 @@ static struct { +@@ -521,6 +521,7 @@ static struct { { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, diff --git a/openssh.spec b/openssh.spec index ce1e52c..dcb2155 100644 --- a/openssh.spec +++ b/openssh.spec @@ -5,15 +5,16 @@ # # Conditional build: %bcond_without audit # sshd audit support -%bcond_with gnome # with gnome-askpass (GNOME 1.x) utility -%bcond_without gtk # without GTK+ (2.x) -%bcond_without ldap # with ldap support -%bcond_without libedit # without libedit (editline/history support in sftp client) -%bcond_without kerberos5 # without kerberos5 support -%bcond_without selinux # build without SELinux support +%bcond_with gnome # gnome-askpass (GNOME 1.x) utility +%bcond_without gtk # gnome-askpass (GTK+ 2.x) utility +%bcond_without ldap # LDAP support +%bcond_with ldns # DNSSEC support via libldns +%bcond_without libedit # libedit (editline/history support in sftp client) +%bcond_without kerberos5 # Kerberos5 support +%bcond_without selinux # SELinux support %bcond_without libseccomp # use libseccomp for seccomp privsep (requires 3.5 kernel) %bcond_with hpn # High Performance SSH/SCP - HPN-SSH including Cipher NONE (broken too often) -%bcond_without tests +%bcond_without tests # test suite # gtk2-based gnome-askpass means no gnome1-based %{?with_gtk:%undefine with_gnome} 
@@ -41,13 +42,13 @@ Summary(pt_BR.UTF-8): Implementação livre do SSH Summary(ru.UTF-8): OpenSSH - свободная реализация протокола Secure Shell (SSH) Summary(uk.UTF-8): OpenSSH - вільна реалізація протоколу Secure Shell (SSH) Name: openssh -Version: 7.4p1 +Version: 7.6p1 Release: 1 Epoch: 2 License: BSD Group: Applications/Networking Source0: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz -# Source0-md5: b2db2a83caf66a208bb78d6d287cdaa3 +# Source0-md5: 06a88699018e5fef13d4655abfed1f63 Source1: http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2 # Source1-md5: 66943d481cc422512b537bcc2c7400d1 Source2: %{name}d.init @@ -57,7 +58,7 @@ Source5: ssh-agent.sh Source6: ssh-agent.conf Source7: %{name}-lpk.schema Source8: sshd-keygen -Patch0: %{name}-no_libnsl.patch +Patch0: %{name}-ldns.patch Patch1: %{name}-tests-reuseport.patch Patch2: %{name}-pam_misc.patch Patch3: %{name}-sigpipe.patch @@ -77,7 +78,6 @@ Patch13: %{name}-kuserok.patch Patch14: %{name}-bind.patch Patch15: %{name}-disable_ldap.patch Patch16: libseccomp-sandbox.patch -Patch17: ssh-keygen-no-ssh1.patch URL: http://www.openssh.com/portable.html BuildRequires: %{__perl} %{?with_audit:BuildRequires: audit-libs-devel} @@ -86,11 +86,12 @@ BuildRequires: automake %{?with_gnome:BuildRequires: gnome-libs-devel} %{?with_gtk:BuildRequires: gtk+2-devel} %{?with_kerberos5:BuildRequires: heimdal-devel >= 0.7} +%{?with_ldns:BuildRequires: ldns-devel} %{?with_libedit:BuildRequires: libedit-devel} BuildRequires: libseccomp-devel %{?with_selinux:BuildRequires: libselinux-devel} %{?with_ldap:BuildRequires: openldap-devel} -BuildRequires: openssl-devel >= 0.9.8f +BuildRequires: openssl-devel >= 1.0.1 BuildRequires: pam-devel %{?with_gtk:BuildRequires: pkgconfig} BuildRequires: rpm >= 4.4.9-56 
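Review bot: The updated `# Source0-md5:` line is the only integrity check visible for the new 7.6p1 tarball, and `Source0` is still fetched over plain `http://`. MD5 is a weak pin for a package as sensitive as OpenSSH. Upstream signs its release tarballs, so I would verify that signature (or at least record a SHA-256) in addition to the digest the builder requires, and switch the URL to `https://` if the mirror offers it.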
@@ -536,7 +537,6 @@ openldap-a. %patch14 -p1 %{!?with_ldap:%patch15 -p1} %{?with_libseccomp:%patch16 -p1} -%patch17 -p1 # hack since arc4random from openbsd-compat needs symbols from libssh and vice versa sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh -lopenbsd-compat#g' Makefile* @@ -545,7 +545,7 @@ grep -rl /usr/libexec/openssh/ssh-ldap-helper . | xargs \ %{__sed} -i -e 's,/usr/libexec/openssh/ssh-ldap-helper,%{_libexecdir}/ssh-ldap-helper,' # prevent being ovewritten by aclocal calls -mv aclocal.m4 acinclude.m4 +%{__mv} aclocal.m4 acinclude.m4 %build cp /usr/share/automake/config.sub . @@ -563,6 +563,7 @@ CPPFLAGS="%{rpmcppflags} -DCHROOT -std=gnu99" --with-ipaddr-display \ %{?with_kerberos5:--with-kerberos5=/usr} \ --with-ldap%{!?with_ldap:=no} \ + %{?with_ldns:--with-ldns} \ %{?with_libedit:--with-libedit} \ --with-mantype=man \ --with-md5-passwords \ diff --git a/ssh-keygen-no-ssh1.patch b/ssh-keygen-no-ssh1.patch deleted file mode 100644 index 254bc79..0000000 --- a/ssh-keygen-no-ssh1.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff -ur openssh-7.1p1.orig/ssh-keygen.c openssh-7.1p1/ssh-keygen.c ---- openssh-7.1p1.orig/ssh-keygen.c 2015-08-21 04:49:03.000000000 +0000 -+++ openssh-7.1p1/ssh-keygen.c 2015-11-18 08:50:13.050305000 +0000 -@@ -2148,7 +2148,11 @@ - usage(void) - { - fprintf(stderr, -+#ifdef WITH_SSH1 - "usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]\n" -+#else -+ "usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa]\n" -+#endif - " [-N new_passphrase] [-C comment] [-f output_keyfile]\n" - " ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]\n" - " ssh-keygen -i [-m key_format] [-f input_keyfile]\n"