From 16c5dc4ec03cc91c9beb0bf75c14ce9fc50a8e72 Mon Sep 17 00:00:00 2001
From: Marcin Krol
Date: Sat, 29 Feb 2020 20:34:34 +0100
Subject: [PATCH] - updated to 8.2p1, dropped old patches, partial PLD merge

---
 openssh-bug-2905.patch | 12 +++
 openssh-include.patch | 11 ---
 openssh-kuserok.patch | 167 -----------------------------------
 openssh-ldap.patch | 54 +++++------
 openssh-sigpipe.patch | 10 +--
 openssh-vulnkey-compat.patch | 42 ---------
 openssh.spec | 24 ++---
 7 files changed, 58 insertions(+), 262 deletions(-)
 create mode 100644 openssh-bug-2905.patch
 delete mode 100644 openssh-include.patch
 delete mode 100644 openssh-kuserok.patch
 delete mode 100644 openssh-vulnkey-compat.patch

diff --git a/openssh-bug-2905.patch b/openssh-bug-2905.patch
new file mode 100644
index 0000000..94f34df
--- /dev/null
+++ b/openssh-bug-2905.patch
@@ -0,0 +1,12 @@
+--- openssh-portable/sandbox-seccomp-filter.c.org 2018-09-14 10:56:00.557388954 +0200
++++ openssh-portable/sandbox-seccomp-filter.c 2018-09-14 11:13:00.051826982 +0200
+@@ -166,6 +166,9 @@ static const struct sock_filter preauth_
+ #ifdef __NR_exit_group
+ 	SC_ALLOW(__NR_exit_group),
+ #endif
++#ifdef __NR_futex
++	SC_ALLOW(__NR_futex),
++#endif
+ #ifdef __NR_geteuid
+ 	SC_ALLOW(__NR_geteuid),
+ #endif
diff --git a/openssh-include.patch b/openssh-include.patch
deleted file mode 100644
index 801c681..0000000
--- a/openssh-include.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- openssh-5.9p1/configure.ac~ 2011-09-06 19:31:16.000000000 +0200
-+++ openssh-5.9p1/configure.ac 2011-09-06 19:31:55.291791679 +0200
-@@ -1076,6 +1076,7 @@
- 
- AC_MSG_CHECKING([for possibly buggy zlib])
- AC_RUN_IFELSE([AC_LANG_PROGRAM([[
-+#include 
- #include 
- #include 
- ]],
- 
diff --git a/openssh-kuserok.patch b/openssh-kuserok.patch
deleted file mode 100644
index 8b3773d..0000000
--- a/openssh-kuserok.patch
+++ /dev/null
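Review bot: The new `SC_ALLOW(__NR_futex)` entry widens the pre-auth seccomp allowlist for the whole syscall but carries no comment saying what in the unprivileged pre-auth child actually trips the filter, so whoever refreshes this patch next cannot tell whether it is still needed; add a line such as `/* bz#2905: <observed caller> reaches futex() before auth completes */` above the `#ifdef`, naming the code path that was seen. If that caller only needs a few futex operations, an argument-restricted entry of the kind the filter file uses for other syscalls (if I recall the upstream source correctly) would keep the surface smaller than the unconditional allow. The hunk header still points at line 166 of a 2018 copy of sandbox-seccomp-filter.c while the spec now builds 8.2p1, so confirm the patch applies without fuzz and that 8.2p1 does not already carry this entry, in which case the patch is redundant. The `preauth_` filter array this inserts into starts and ends outside the hunk.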
@@ -1,167 +0,0 @@ -diff -urpa openssh-7.8p1.orig/auth-krb5.c openssh-7.8p1/auth-krb5.c ---- openssh-7.8p1.orig/auth-krb5.c 2018-08-23 05:41:42.000000000 +0000 -+++ openssh-7.8p1/auth-krb5.c 2018-08-29 09:55:47.547970289 +0000 -@@ -54,6 +54,20 @@ - - extern ServerOptions options; - -+int -+ssh_krb5_kuserok(krb5_context krb5_ctx, krb5_principal krb5_user, const char *client) -+{ -+ if (options.use_kuserok) -+ return krb5_kuserok(krb5_ctx, krb5_user, client); -+ else { -+ char kuser[65]; -+ -+ if (krb5_aname_to_localname(krb5_ctx, krb5_user, sizeof(kuser), kuser)) -+ return 0; -+ return strcmp(kuser, client) == 0; -+ } -+} -+ - static int - krb5_init(void *context) - { -@@ -157,7 +171,7 @@ auth_krb5_password(Authctxt *authctxt, c - if (problem) - goto out; - -- if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, -+ if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, - authctxt->pw->pw_name)) { - problem = -1; - goto out; -diff -urpa openssh-7.8p1.orig/gss-serv-krb5.c openssh-7.8p1/gss-serv-krb5.c ---- openssh-7.8p1.orig/gss-serv-krb5.c 2018-08-23 05:41:42.000000000 +0000 -+++ openssh-7.8p1/gss-serv-krb5.c 2018-08-29 09:55:47.547970289 +0000 -@@ -56,6 +56,7 @@ extern ServerOptions options; - #endif - - static krb5_context krb_context = NULL; -+extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *); - - /* Initialise the krb5 library, for the stuff that GSSAPI won't do */ - -@@ -98,7 +99,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client - krb5_free_error_message(krb_context, errmsg); - return 0; - } -- if (krb5_kuserok(krb_context, princ, name)) { -+ if (ssh_krb5_kuserok(krb_context, princ, name)) { - retval = 1; - logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", - name, (char *)client->displayname.value); -diff -urpa openssh-7.8p1.orig/servconf.c openssh-7.8p1/servconf.c ---- openssh-7.8p1.orig/servconf.c 2018-08-29 09:49:04.830974823 +0000 -+++ openssh-7.8p1/servconf.c 2018-08-29 09:57:22.452969220 +0000 -@@ -166,6 +166,7 @@ 
initialize_server_options(ServerOptions - options->permit_tun = -1; - options->permitted_opens = NULL; - options->permitted_listens = NULL; -+ options->use_kuserok = -1; - options->adm_forced_command = NULL; - options->chroot_directory = NULL; - options->authorized_keys_command = NULL; -@@ -449,6 +450,8 @@ fill_default_server_options(ServerOption - options->num_auth_methods = 0; - } - -+ if (options->use_kuserok == -1) -+ options->use_kuserok = 1; - #ifndef HAVE_MMAP - if (use_privsep && options->compression == 1) { - error("This platform does not support both privilege " -@@ -471,7 +474,7 @@ typedef enum { - sPermitRootLogin, sLogFacility, sLogLevel, - sRhostsRSAAuthentication, sRSAAuthentication, - sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, -- sKerberosGetAFSToken, sChallengeResponseAuthentication, -+ sKerberosGetAFSToken, sKerberosUseKuserok, sChallengeResponseAuthentication, - sPasswordAuthentication, sKbdInteractiveAuthentication, - sListenAddress, sAddressFamily, - sPrintMotd, sPrintLastLog, sIgnoreRhosts, -@@ -555,11 +558,13 @@ static struct { - #else - { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, - #endif -+ { "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL }, - #else - { "kerberosauthentication", sUnsupported, SSHCFG_ALL }, - { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL }, - { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL }, - { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, -+ { "kerberosusekuserok", sUnsupported, SSHCFG_ALL }, - #endif - { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, - { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, -@@ -1958,6 +1963,10 @@ process_server_config_line(ServerOptions - } - break; - -+ case sKerberosUseKuserok: -+ intptr = &options->use_kuserok; -+ goto parse_flag; -+ - case sForceCommand: - if (cp == NULL || *cp == '\0') - fatal("%.200s line %d: Missing argument.", filename, -@@ -2302,6 +2311,7 @@ copy_set_server_options(ServerOptions *d - 
M_CP_INTOPT(rekey_limit); - M_CP_INTOPT(rekey_interval); - M_CP_INTOPT(log_level); -+ M_CP_INTOPT(use_kuserok); - - /* - * The bind_mask is a mode_t that may be unsigned, so we can't use -@@ -2595,6 +2605,7 @@ dump_config(ServerOptions *o) - dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); - dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); - dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info); -+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok); - - /* string arguments */ - dump_cfg_string(sPidFile, o->pid_file); -diff -urpa openssh-7.8p1.orig/servconf.h openssh-7.8p1/servconf.h ---- openssh-7.8p1.orig/servconf.h 2018-08-29 09:49:04.827974823 +0000 -+++ openssh-7.8p1/servconf.h 2018-08-29 09:55:47.548970289 +0000 -@@ -190,6 +190,7 @@ typedef struct { - char **permitted_listens; /* May also be one of PERMITOPEN_* */ - u_int num_permitted_listens; - -+ int use_kuserok; - char *chroot_directory; - char *revoked_keys_file; - char *trusted_user_ca_keys; -diff -urpa openssh-7.8p1.orig/sshd_config openssh-7.8p1/sshd_config ---- openssh-7.8p1.orig/sshd_config 2018-08-29 09:49:04.827974823 +0000 -+++ openssh-7.8p1/sshd_config 2018-08-29 09:55:47.548970289 +0000 -@@ -68,6 +68,7 @@ AuthorizedKeysFile .ssh/authorized_keys - #KerberosOrLocalPasswd yes - #KerberosTicketCleanup yes - #KerberosGetAFSToken no -+#KerberosUseKuserok yes - - # GSSAPI options - #GSSAPIAuthentication no -diff -urpa openssh-7.8p1.orig/sshd_config.5 openssh-7.8p1/sshd_config.5 ---- openssh-7.8p1.orig/sshd_config.5 2018-08-29 09:49:04.828974823 +0000 -+++ openssh-7.8p1/sshd_config.5 2018-08-29 09:55:47.549970289 +0000 -@@ -861,6 +861,10 @@ Specifies whether to automatically destr - file on logout. - The default is - .Cm yes . -+.It Cm KerberosUseKuserok -+Specifies whether to look at .k5login file for user's aliases. -+The default is -+.Dq yes . - .It Cm KexAlgorithms - Specifies the available KEX (Key Exchange) algorithms. 
- Multiple algorithms must be comma-separated. -@@ -1124,6 +1128,7 @@ Available keywords are - .Cm KbdInteractiveAuthentication , - .Cm KerberosAuthentication , - .Cm LogLevel , -+.Cm KerberosUseKuserok , - .Cm MaxAuthTries , - .Cm MaxSessions , - .Cm PasswordAuthentication , diff --git a/openssh-ldap.patch b/openssh-ldap.patch index 2920eab..fe93879 100644 --- a/openssh-ldap.patch +++ b/openssh-ldap.patch @@ -1995,14 +1995,16 @@ diff -up openssh-6.2p1/ldapmisc.h.ldap openssh-6.2p1/ldapmisc.h SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper PRIVSEP_PATH=@PRIVSEP_PATH@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ -@@ -61,8 +63,9 @@ +@@ -61,10 +63,11 @@ EXEEXT=@EXEEXT@ MANFMT=@MANFMT@ MKDIR_P=@MKDIR_P@ +INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ + + .SUFFIXES: .lo --TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) -+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) +-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) LIBOPENSSH_OBJS=\ ssh_api.o \ 
@@ -2010,45 +2012,45 @@ diff -up openssh-6.2p1/ldapmisc.h.ldap openssh-6.2p1/ldapmisc.h sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \ sandbox-solaris.o --MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out --MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 -+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out -+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5 +-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out +-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5 ++MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out ++MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 
ssh-ldap.conf.5 MANTYPE = @MANTYPE@ CONFIGFILES=sshd_config.out ssh_config.out moduli.out -@@ -184,6 +187,9 @@ - ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o - $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) +@@ -235,6 +235,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) + ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS) + $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) +ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o + $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o - $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) + $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -@@ -311,6 +317,10 @@ - $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) +@@ -395,6 +395,10 @@ install-files: $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) + if test ! 
-z "$(INSTALL_SSH_LDAP_HELPER)" ; then \ -+ $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ -+ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ ++ $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ ++ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ + fi $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -@@ -327,6 +337,10 @@ - $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 +@@ -416,6 +416,10 @@ install-files: $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 + $(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8 + if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \ -+ $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \ -+ $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \ ++ $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \ ++ $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \ + fi install-sysconf: - if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \ + $(MKDIR_P) $(DESTDIR)$(sysconfdir) @@ -352,6 +366,13 @@ else \ echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \ 
@@ -2063,23 +2065,23 @@ diff -up openssh-6.2p1/ldapmisc.h.ldap openssh-6.2p1/ldapmisc.h host-key: ssh-keygen$(EXEEXT) @if [ -z "$(DESTDIR)" ] ; then \ -@@ -392,6 +413,8 @@ - -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) +@@ -488,6 +488,8 @@ uninstall: -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) + -rm -f $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) + -rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT) + -rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT) -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -@@ -403,6 +426,7 @@ - -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 +@@ -502,6 +502,7 @@ uninstall: -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 regress-prep: - [ -d `pwd`/regress ] || mkdir -p `pwd`/regress + $(MKDIR_P) `pwd`/regress/unittests/test_helper diff -up openssh-6.2p1/openssh-lpk-openldap.schema.ldap openssh-6.2p1/openssh-lpk-openldap.schema --- openssh-6.2p1/openssh-lpk-openldap.schema.ldap 2013-03-25 21:27:15.894248110 +0100 +++ openssh-6.2p1/openssh-lpk-openldap.schema 2013-03-25 21:27:15.894248110 +0100 diff --git a/openssh-sigpipe.patch b/openssh-sigpipe.patch index 3d60ddf..a190b7c 100644 --- a/openssh-sigpipe.patch +++ b/openssh-sigpipe.patch 
@@ -10,13 +10,13 @@
  /*
   * Flag to indicate that we have received a window change signal which has
   * not yet been processed. This will cause a message indicating the new
-@@ -1236,6 +1239,8 @@
- 	signal(SIGQUIT, signal_handler);
- 	if (signal(SIGTERM, SIG_IGN) != SIG_IGN)
- 		signal(SIGTERM, signal_handler);
+@@ -1317,6 +1317,8 @@ client_loop(struct ssh *ssh, int have_pt
+ 	ssh_signal(SIGQUIT, signal_handler);
+ 	if (ssh_signal(SIGTERM, SIG_IGN) != SIG_IGN)
+ 		ssh_signal(SIGTERM, signal_handler);
 +	if (enable_sigpipe)
 +		signal(SIGPIPE, signal_handler);
- 	signal(SIGWINCH, window_change_handler);
+ 	ssh_signal(SIGWINCH, window_change_handler);
  	if (have_pty)
 diff -urN openssh-3.9p1.org/ssh.0 openssh-3.9p1/ssh.0
diff --git a/openssh-vulnkey-compat.patch b/openssh-vulnkey-compat.patch
deleted file mode 100644
index 6ed3e83..0000000
--- a/openssh-vulnkey-compat.patch
+++ /dev/null
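Review bot: The refreshed context moves the neighbouring SIGQUIT, SIGTERM and SIGWINCH registrations to `ssh_signal()`, but the line this patch actually contributes still calls the raw `signal(SIGPIPE, signal_handler);`, so SIGPIPE is the one handler in `client_loop()` installed with whatever semantics the platform's `signal()` provides instead of the wrapper everything around it now uses. Since the patch is being rebased anyway, change it to `ssh_signal(SIGPIPE, signal_handler);` so all handlers in this block behave the same way. The enclosing `client_loop()` and the definition of `enable_sigpipe` are outside this hunk.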
@@ -1,42 +0,0 @@
-From d422205e757aaf23e8e0e787f842ef37f6a170a2 Mon Sep 17 00:00:00 2001
-From: Colin Watson
-Date: Sun, 9 Feb 2014 16:09:50 +0000
-Subject: Accept obsolete ssh-vulnkey configuration options
-
-These options were used as part of Debian's response to CVE-2008-0166.
-Nearly six years later, we no longer need to continue carrying the bulk
-of that patch, but we do need to avoid failing when the associated
-configuration options are still present.
-
-Last-Update: 2014-02-09
-
-Patch-Name: ssh-vulnkey-compat.patch
----
- readconf.c | 1 +
- servconf.c | 1 +
- 2 files changed, 2 insertions(+)
-
-diff --git a/readconf.c b/readconf.c
-index 7613ff2..bcd8cad 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -226,6 +226,7 @@
- 	{ "passwordauthentication", oPasswordAuthentication },
- 	{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
- 	{ "kbdinteractivedevices", oKbdInteractiveDevices },
-+	{ "useblacklistedkeys", oDeprecated },
- 	{ "pubkeyauthentication", oPubkeyAuthentication },
- 	{ "dsaauthentication", oPubkeyAuthentication }, /* alias */
- 	{ "hostbasedauthentication", oHostbasedAuthentication },
-diff --git a/servconf.c b/servconf.c
-index 0083cf8..90de888 100644
---- a/servconf.c
-+++ b/servconf.c
-@@ -572,6 +572,7 @@
- 	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
- 	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
- 	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
-+	{ "permitblacklistedkeys", sDeprecated, SSHCFG_GLOBAL },
- 	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
- 	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
- 	{ "uselogin", sDeprecated, SSHCFG_GLOBAL },
diff --git a/openssh.spec b/openssh.spec
index 78c1c1f..59e0e15 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -43,13 +43,13 @@ Summary(pt_BR.UTF-8): Implementação livre do SSH
 Summary(ru.UTF-8): OpenSSH - свободная реализация протокола Secure Shell (SSH)
 Summary(uk.UTF-8): OpenSSH - вільна реалізація протоколу Secure Shell (SSH)
 Name: openssh
-Version: 8.1p1
+Version: 8.2p1
 Release: 1
 Epoch: 2
 License: BSD
 Group: Applications/Networking
 Source0: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz
-# Source0-md5: 513694343631a99841e815306806edf0
+# Source0-md5: 3076e6413e8dbe56d33848c1054ac091
 Source1: http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2
 # Source1-md5: 66943d481cc422512b537bcc2c7400d1
 Source2: %{name}d.init
@@ -72,13 +72,12 @@ Patch8: ldap-helper-sigpipe.patch
 # High Performance SSH/SCP - HPN-SSH - http://www.psc.edu/networking/projects/hpn-ssh/
 # http://www.psc.edu/networking/projects/hpn-ssh/openssh-5.2p1-hpn13v6.diff.gz
 Patch9: %{name}-5.2p1-hpn13v6.diff
-Patch10: %{name}-include.patch
+
 Patch11: %{name}-chroot.patch
-Patch12: %{name}-vulnkey-compat.patch
-Patch13: %{name}-kuserok.patch
+Patch12: openssh-bug-2905.patch
+Patch13: %{name}-skip-interop-tests.patch
 Patch14: %{name}-bind.patch
 Patch15: %{name}-disable_ldap.patch
-Patch16: %{name}-skip-interop-tests.patch
 URL: http://www.openssh.com/portable.html
 BuildRequires: %{__perl}
 %{?with_audit:BuildRequires: audit-libs-devel}
@@ -89,10 +88,11 @@ BuildRequires: automake
 %{?with_kerberos5:BuildRequires: heimdal-devel >= 0.7}
 %{?with_ldns:BuildRequires: ldns-devel}
 %{?with_libedit:BuildRequires: libedit-devel}
+BuildRequires: libfido2-devel
 BuildRequires: libseccomp-devel
 %{?with_selinux:BuildRequires: libselinux-devel}
 %{?with_ldap:BuildRequires: openldap-devel}
-BuildRequires: openssl-devel >= 1.0.1
+BuildRequires: openssl-devel >= 1.1.0g
 BuildRequires: pam-devel
 %{?with_gtk:BuildRequires: pkgconfig}
 %if %{with tests} && %{with tests_conch}
@@ -524,7 +524,6 @@ openldap-a.
 %prep
 %setup -q
-
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
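Review bot: Dropping `Patch12: %{name}-vulnkey-compat.patch` and `Patch13: %{name}-kuserok.patch` also drops the keyword-table entries those patches added (`permitblacklistedkeys`, `useblacklistedkeys`, `kerberosusekuserok`, all visible in the deleted files), so an upgraded host whose sshd_config or ssh_config still sets one of them will fail to parse with "Bad configuration option" and sshd will not start. Either carry a minimal compat patch that keeps the three as no-ops, e.g. `{ "kerberosusekuserok", sDeprecated, SSHCFG_ALL },` next to the existing `sDeprecated`/`oDeprecated` entries, or state the removal in the changelog and have `%post` warn when the keywords are present; note also that without kuserok sshd goes back to consulting `krb5_kuserok()` unconditionally, which is upstream behaviour but a change for hosts that had set `KerberosUseKuserok no`. As a style point, `Patch12: openssh-bug-2905.patch` is the only entry not written with `%{name}`, and the `+` empty line left where `Patch10` was is better dropped than kept as a gap in the list.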
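Review bot: `BuildRequires: libfido2-devel` is added unconditionally although every other optional dependency in this hunk (kerberos5, ldns, libedit, selinux, ldap) is guarded by a bcond, and it exists only to back the `--with-security-key-builtin` configure flag added later in this commit, so a build on a target without libfido2 has no way to opt out. Guard it the same way, `%{?with_fido2:BuildRequires: libfido2-devel}` paired with a `%bcond_without fido2` and `%{?with_fido2:--with-security-key-builtin \}` in %configure, or add a comment explaining why FIDO2 support must be mandatory for this package. The bcond declarations live earlier in the spec, outside this hunk.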
@@ -536,13 +535,13 @@ openldap-a.
 %patch8 -p1
 %{?with_hpn:%patch9 -p1}
-%patch10 -p1
+
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
+
 %patch14 -p1
 %{!?with_ldap:%patch15 -p1}
-%patch16 -p1
 # hack since arc4random from openbsd-compat needs symbols from libssh and vice versa
 sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh -lopenbsd-compat#g' Makefile*
@@ -577,6 +576,7 @@ CPPFLAGS="%{rpmcppflags} -DCHROOT -std=gnu99"
 	--with-pid-dir=%{_localstatedir}/run \
 	--with-privsep-path=%{_privsepdir} \
 	--with-privsep-user=sshd \
+	--with-security-key-builtin \
 	%{?with_selinux:--with-selinux} \
 	--with-sandbox=seccomp_filter \
 	--with-xauth=%{_bindir}/xauth
@@ -588,7 +588,7 @@ echo '#define LOGIN_PROGRAM "/bin/login"' >>config.h
 %if %{with tests}
 %{__make} -j1 tests \
 	TEST_SSH_PORT=$((4242 + ${RANDOM:-$$} % 1000)) \
-	TEST_SSH_TRACE="yes"
+	TEST_SSH_TRACE="yes" \
 %if %{without tests_conch}
 	SKIP_LTESTS="conch-ciphers"
 %endif
@@ -752,6 +752,7 @@ fi
 %attr(755,root,root) %{_bindir}/ssh-add
 %attr(755,root,root) %{_bindir}/ssh-copy-id
 %attr(755,root,root) %{_bindir}/scp
+%attr(755,root,root) %{_libexecdir}/ssh-sk-helper
 %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/ssh_config
 %config(noreplace,missingok) %verify(not md5 mtime size) /etc/env.d/SSH_ASKPASS
 %{_mandir}/man1/scp.1*
@@ -761,6 +762,7 @@ fi
 %{_mandir}/man1/ssh-add.1*
 %{_mandir}/man1/ssh-copy-id.1*
 %{_mandir}/man5/ssh_config.5*
+%{_mandir}/man8/ssh-sk-helper.8*
 %lang(it) %{_mandir}/it/man1/ssh.1*
 %lang(it) %{_mandir}/it/man5/ssh_config.5*
 %lang(pl) %{_mandir}/pl/man1/scp.1*
-- 
2.52.0
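Review bot: Appending `\` to `TEST_SSH_TRACE="yes" \` makes the make command continue into the `%if %{without tests_conch}` block, so when `tests_conch` is enabled nothing follows the backslash inside the conditional and the continuation either swallows whatever line comes after `%endif` (outside this hunk) as a make argument or silently ends on a blank line; only the `tests_conch`-disabled branch is well-formed. A form with no dangling backslash in either branch is to fold the conditional argument into the last line and drop the `%if`/`%endif` pair, e.g. `TEST_SSH_TRACE="yes" %{!?with_tests_conch:SKIP_LTESTS="conch-ciphers"}`. The enclosing `%if %{with tests}` block starts before the hunk.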