From 1a187f1e22057112103b0d22102a697b7765ec67 Mon Sep 17 00:00:00 2001 From: Marcin Krol Date: Fri, 6 Feb 2026 19:24:51 +0100 Subject: [PATCH] - repo revived, latest version from PLD, TLDized --- ldap-helper-sigpipe.patch | 2 +- openssh-chroot.patch | 40 +++++++-------- openssh-config.patch | 102 ++++++-------------------------------- openssh-ldap.patch | 47 ++++++++++-------- openssh-sigpipe.patch | 8 +-- openssh.spec | 80 +++++++++++++++++------------- sshd-keygen | 2 - tld_ssh_config | 4 ++ tld_sshd_config | 1 + 9 files changed, 115 insertions(+), 171 deletions(-) create mode 100644 tld_ssh_config create mode 100644 tld_sshd_config diff --git a/ldap-helper-sigpipe.patch b/ldap-helper-sigpipe.patch index cfa2018..7808407 100644 --- a/ldap-helper-sigpipe.patch +++ b/ldap-helper-sigpipe.patch @@ -84,7 +84,7 @@ exit 0 --- openssh-6.6p1/ldap-helper.c~ 2014-05-13 17:04:22.258162978 +0300 +++ openssh-6.6p1/ldap-helper.c 2014-05-13 17:14:08.398824417 +0300 @@ -31,6 +31,7 @@ - #include "ldapbody.h" + #include #include #include +#include diff --git a/openssh-chroot.patch b/openssh-chroot.patch index e166515..e2c01a0 100644 --- a/openssh-chroot.patch +++ b/openssh-chroot.patch 
@@ -1,38 +1,36 @@ -diff -urNp -x '*.orig' openssh-8.8p1.org/servconf.c openssh-8.8p1/servconf.c ---- openssh-8.8p1.org/servconf.c 2021-09-26 16:03:19.000000000 +0200 -+++ openssh-8.8p1/servconf.c 2021-12-09 20:13:16.486586503 +0100 -@@ -92,7 +92,9 @@ initialize_server_options(ServerOptions - - /* Portable-specific options */ +diff -ruNp openssh-9.8p1.orig/servconf.c openssh-9.8p1/servconf.c +--- openssh-9.8p1.orig/servconf.c 2024-07-01 06:36:28.000000000 +0200 ++++ openssh-9.8p1/servconf.c 2024-07-01 11:17:17.929993456 +0200 +@@ -94,6 +94,8 @@ initialize_server_options(ServerOptions options->use_pam = -1; -- -+ + options->pam_service_name = NULL; + + options->use_chroot = -1; -+ ++ /* Standard Options */ options->num_ports = 0; options->ports_from_cmdline = 0; -@@ -279,6 +281,9 @@ fill_default_server_options(ServerOption - if (options->use_pam == -1) - options->use_pam = 0; +@@ -299,6 +301,9 @@ fill_default_server_options(ServerOption + if (options->pam_service_name == NULL) + options->pam_service_name = xstrdup(SSHD_PAM_SERVICE); + if (options->use_chroot == -1) + options->use_chroot = 0; -+ ++ /* Standard Options */ if (options->num_host_key_files == 0) { /* fill default hostkeys for protocols */ -@@ -486,6 +491,7 @@ typedef enum { +@@ -538,6 +543,7 @@ typedef enum { sBadOption, /* == unknown option */ /* Portable-specific options */ - sUsePAM, + sUsePAM, sPAMServiceName, + sUseChroot, /* Standard Options */ sPort, sHostKeyFile, sLoginGraceTime, sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, -@@ -538,6 +544,11 @@ static struct { - #else +@@ -595,6 +601,11 @@ static struct { { "usepam", sUnsupported, SSHCFG_GLOBAL }, + { "pamservicename", sUnsupported, SSHCFG_ALL }, #endif +#ifdef CHROOT + { "usechroot", sUseChroot, SSHCFG_GLOBAL }, 
@@ -42,9 +40,9 @@ diff -urNp -x '*.orig' openssh-8.8p1.org/servconf.c openssh-8.8p1/servconf.c { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, /* Standard Options */ { "port", sPort, SSHCFG_GLOBAL }, -@@ -1332,6 +1343,10 @@ process_server_config_line_depth(ServerO - intptr = &options->use_pam; - goto parse_flag; +@@ -1338,6 +1349,10 @@ process_server_config_line_depth(ServerO + *charptr = xstrdup(arg); + break; + case sUseChroot: + intptr = &options->use_chroot; @@ -113,7 +111,7 @@ diff -urNp -x '*.orig' openssh-8.8p1.org/sshd_config openssh-8.8p1/sshd_config +++ openssh-8.8p1/sshd_config 2021-12-09 20:13:16.489919836 +0100 @@ -85,6 +85,10 @@ GSSAPIAuthentication yes # and KbdInteractiveAuthentication to 'no'. - UsePAM yes + #UsePAM no +# Set this to 'yes' to enable support for chrooted user environment. +# You must create such environment before you can use this feature. diff --git a/openssh-config.patch b/openssh-config.patch index 4d34975..1a9d19b 100644 --- a/openssh-config.patch +++ b/openssh-config.patch 
@@ -1,92 +1,20 @@ -diff -urNp -x '*.orig' openssh-8.8p1.org/ssh_config openssh-8.8p1/ssh_config ---- openssh-8.8p1.org/ssh_config 2021-09-26 16:03:19.000000000 +0200 -+++ openssh-8.8p1/ssh_config 2021-12-09 20:12:26.796586510 +0100 -@@ -20,10 +20,13 @@ - # Host * - # ForwardAgent no - # ForwardX11 no -+# ForwardX11Trusted no - # PasswordAuthentication yes - # HostbasedAuthentication no - # GSSAPIAuthentication no - # GSSAPIDelegateCredentials no -+# GSSAPIKeyExchange no -+# GSSAPITrustDNS no - # BatchMode no - # CheckHostIP no - # AddressFamily any -@@ -44,3 +47,18 @@ +diff -ur openssh-9.5p1.org/ssh_config openssh-9.5p1/ssh_config +--- openssh-9.5p1.org/ssh_config 2023-10-04 06:34:10.000000000 +0200 ++++ openssh-9.5p1/ssh_config 2023-11-28 09:12:00.249971177 +0100 +@@ -44,3 +44,6 @@ # ProxyCommand ssh -q -W %h:%p gateway.example.com # RekeyLimit 1G 1h # UserKnownHostsFile ~/.ssh/known_hosts.d/%k + -+Host * -+ GSSAPIAuthentication yes -+# If this option is set to yes then remote X11 clients will have full access -+# to the original X11 server. As some X11 clients don't support the untrusted -+# mode correctly, you might consider changing this to 'yes' or using '-Y'. 
-+# ForwardX11Trusted no -+ ServerAliveInterval 60 -+ ServerAliveCountMax 10 -+ TCPKeepAlive no -+ # Allow DSA keys -+# PubkeyAcceptedKeyTypes +ssh-dss -+# HostkeyAlgorithms +ssh-dss -+# Send locale-related environment variables, also pass some GIT vars -+ SendEnv LANG LC_* LANGUAGE XMODIFIERS TZ GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL -diff -urNp -x '*.orig' openssh-8.8p1.org/sshd_config openssh-8.8p1/sshd_config ---- openssh-8.8p1.org/sshd_config 2021-09-26 16:03:19.000000000 +0200 -+++ openssh-8.8p1/sshd_config 2021-12-09 20:12:26.796586510 +0100 -@@ -29,7 +29,7 @@ - # Authentication: - - #LoginGraceTime 2m --#PermitRootLogin prohibit-password -+PermitRootLogin no - #StrictModes yes - #MaxAuthTries 6 - #MaxSessions 10 -@@ -57,6 +57,9 @@ AuthorizedKeysFile .ssh/authorized_keys - #PasswordAuthentication yes - #PermitEmptyPasswords no - -+# Allow DSA keys -+## PubkeyAcceptedKeyTypes +ssh-dss ++# Put your local config in *.conf files ++Include /etc/ssh/ssh_config.d/*.conf +diff -ur openssh-9.5p1.org/sshd_config openssh-9.5p1/sshd_config +--- openssh-9.5p1.org/sshd_config 2023-10-04 06:34:10.000000000 +0200 ++++ openssh-9.5p1/sshd_config 2023-11-28 09:12:18.119971176 +0100 +@@ -114,3 +114,6 @@ + # AllowTcpForwarding no + # PermitTTY no + # ForceCommand cvs server + - # Change to no to disable s/key passwords - #KbdInteractiveAuthentication yes - -@@ -69,6 +72,7 @@ AuthorizedKeysFile .ssh/authorized_keys - # GSSAPI options - #GSSAPIAuthentication no - #GSSAPICleanupCredentials yes -+GSSAPIAuthentication yes - - # Set this to 'yes' to enable PAM authentication, account processing, - # and session processing. If this is enabled, PAM authentication will -@@ -79,7 +83,7 @@ AuthorizedKeysFile .ssh/authorized_keys - # If you just want the PAM account and session checks to run without - # PAM authentication, then enable this but set PasswordAuthentication - # and KbdInteractiveAuthentication to 'no'. 
--#UsePAM no -+UsePAM yes - - #AllowAgentForwarding yes - #AllowTcpForwarding yes -@@ -105,9 +109,16 @@ AuthorizedKeysFile .ssh/authorized_keys - # no default banner path - #Banner none - -+# Accept locale-related environment variables, also accept some GIT vars -+AcceptEnv LANG LC_* LANGUAGE XMODIFIERS TZ GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL -+ - # override default of no subsystems - Subsystem sftp /usr/libexec/sftp-server - -+# Uncomment this if you want to use .local domain -+#Host *.local -+# CheckHostIP no -+ - # Example of overriding settings on a per-user basis - #Match User anoncvs - # X11Forwarding no ++# Put your local config in *.conf files ++Include /etc/ssh/sshd_config.d/*.conf diff --git a/openssh-ldap.patch b/openssh-ldap.patch index cfc7615..d75996c 100644 --- a/openssh-ldap.patch +++ b/openssh-ldap.patch 
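Review bot: The new `Include /etc/ssh/sshd_config.d/*.conf` is appended at the very end of sshd_config, directly after the commented `#Match User anoncvs` example block; because a Match block extends to end of file and an Include that sits inside one is conditional, any Match block an administrator appends there (the file's own comments invite exactly that) silently scopes 50-tld.conf's `PermitRootLogin no` to that Match only. Distributions that ship a drop-in directory place the Include at the top of sshd_config before any directive, and the same concern applies to the ssh_config Include in the first part of this hunk, since Include inside a Host or Match block is likewise conditional. Separately, the previous version of this patch set `UsePAM yes` and that line is gone, while the spec still configures `--with-pam` and installs /etc/pam.d/sshd; with sshd's built-in default (`use_pam = 0`, visible in the chroot patch context) the PAM account and session stacks in that file are not consulted for any login type, so unless another patch sets it, `UsePAM yes` belongs in tld_sshd_config next to `PermitRootLogin no`.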
@@ -110,19 +110,19 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/HOWTO.ldap-keys openssh-8.4p1/HOWTO.lda +5) Author + Jan F. Chadima + -diff -urNp -x '*.orig' openssh-8.4p1.org/Makefile.in openssh-8.4p1/Makefile.in ---- openssh-8.4p1.org/Makefile.in 2020-09-27 09:25:01.000000000 +0200 -+++ openssh-8.4p1/Makefile.in 2021-03-01 11:29:31.280956671 +0100 -@@ -23,6 +23,8 @@ SSH_PROGRAM=@bindir@/ssh +diff -ruN openssh-9.8p1.orig/Makefile.in openssh-9.8p1/Makefile.in +--- openssh-9.8p1.orig/Makefile.in 2024-07-01 06:36:28.000000000 +0200 ++++ openssh-9.8p1/Makefile.in 2024-07-01 11:10:26.787664770 +0200 +@@ -24,6 +24,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign +SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper +SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper + SSHD_SESSION=$(libexecdir)/sshd-session + SSHD_AUTH=$(libexecdir)/sshd-auth SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper - SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper - PRIVSEP_PATH=@PRIVSEP_PATH@ -@@ -63,10 +65,11 @@ LDFLAGS_NOPIE=-L. -Lopenbsd-compat/ @LDF +@@ -74,10 +74,11 @@ LDFLAGS_NOPIE=-L. -Lopenbsd-compat/ @LDF EXEEXT=@EXEEXT@ MANFMT=@MANFMT@ MKDIR_P=@MKDIR_P@ 
@@ -130,12 +130,12 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/Makefile.in openssh-8.4p1/Makefile.in .SUFFIXES: .lo --TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) -+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) +-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) sshd-auth$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) $(SK_STANDALONE) ++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) sshd-auth$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) $(SK_STANDALONE) - XMSS_OBJS=\ - ssh-xmss.o \ -@@ -150,8 +153,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-serve + LIBOPENSSH_OBJS=\ + ssh_api.o \ +@@ -163,8 +166,8 @@ SFTP_OBJS= sftp.o sftp-usergroup.o progressmeter.o $(SFTP_CLIENT_OBJS) @@ -146,7 +146,7 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/Makefile.in openssh-8.4p1/Makefile.in MANTYPE = @MANTYPE@ CONFIGFILES=sshd_config.out ssh_config.out moduli.out -@@ -230,6 +233,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) +@@ -241,6 +244,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS) $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) $(CHANNELLIBS) 
@@ -156,7 +156,7 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/Makefile.in openssh-8.4p1/Makefile.in ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CHANNELLIBS) -@@ -395,6 +401,10 @@ install-files: +@@ -414,6 +420,10 @@ $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) @@ -167,7 +167,7 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/Makefile.in openssh-8.4p1/Makefile.in $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -@@ -412,6 +422,10 @@ install-files: +@@ -431,6 +441,10 @@ $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 $(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8 @@ -178,7 +178,7 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/Makefile.in openssh-8.4p1/Makefile.in install-sysconf: $(MKDIR_P) $(DESTDIR)$(sysconfdir) -@@ -435,6 +449,13 @@ install-sysconf: +@@ -454,6 +468,13 @@ else \ echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \ fi @@ -192,7 +192,7 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/Makefile.in openssh-8.4p1/Makefile.in host-key: ssh-keygen$(EXEEXT) @if [ -z "$(DESTDIR)" ] ; then \ -@@ -473,6 +494,8 @@ uninstall: +@@ -492,6 +513,8 @@ -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) 
@@ -201,7 +201,7 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/Makefile.in openssh-8.4p1/Makefile.in -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -@@ -485,6 +508,7 @@ uninstall: +@@ -504,6 +527,7 @@ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8 @@ -318,11 +318,11 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/configure.ac openssh-8.4p1/configure.ac + dnl Checks for library functions. Please keep in alphabetical order AC_CHECK_FUNCS([ \ - Blowfish_initstate \ + auth_hostok \ diff -urNp -x '*.orig' openssh-8.4p1.org/ldap-helper.c openssh-8.4p1/ldap-helper.c --- openssh-8.4p1.org/ldap-helper.c 1970-01-01 01:00:00.000000000 +0100 +++ openssh-8.4p1/ldap-helper.c 2021-03-01 11:29:31.280956671 +0100 -@@ -0,0 +1,155 @@ +@@ -0,0 +1,156 @@ +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* + * Copyright (c) 2009 Jan F. Chadima. All rights reserved. @@ -354,6 +354,7 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/ldap-helper.c openssh-8.4p1/ldap-helper +#include "xmalloc.h" +#include "ldapconf.h" +#include "ldapbody.h" ++#include +#include +#include + @@ -609,7 +610,7 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/ldap.conf openssh-8.4p1/ldap.conf diff -urNp -x '*.orig' openssh-8.4p1.org/ldapbody.c openssh-8.4p1/ldapbody.c --- openssh-8.4p1.org/ldapbody.c 1970-01-01 01:00:00.000000000 +0100 +++ openssh-8.4p1/ldapbody.c 2021-03-01 11:29:31.280956671 +0100 -@@ -0,0 +1,494 @@ +@@ -0,0 +1,495 @@ +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* + * Copyright (c) 2009 Jan F. Chadima. All rights reserved. 
@@ -642,6 +643,7 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/ldapbody.c openssh-8.4p1/ldapbody.c +#include "ldapmisc.h" +#include "ldapbody.h" +#include ++#include +#include + +#define LDAPSEARCH_FORMAT "(&(objectclass=%s)(objectclass=ldapPublicKey)(uid=%s)%s)" @@ -1148,7 +1150,7 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/ldapbody.h openssh-8.4p1/ldapbody.h diff -urNp -x '*.orig' openssh-8.4p1.org/ldapconf.c openssh-8.4p1/ldapconf.c --- openssh-8.4p1.org/ldapconf.c 1970-01-01 01:00:00.000000000 +0100 +++ openssh-8.4p1/ldapconf.c 2021-03-01 11:29:31.280956671 +0100 -@@ -0,0 +1,691 @@ +@@ -0,0 +1,692 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* + * Copyright (c) 2009 Jan F. Chadima. All rights reserved. @@ -1181,6 +1183,7 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/ldapconf.c openssh-8.4p1/ldapconf.c +#include "xmalloc.h" +#include "ldapconf.h" +#include ++#include +#include + +/* Keyword tokens. */ diff --git a/openssh-sigpipe.patch b/openssh-sigpipe.patch index 64d8616..8991ecc 100644 --- a/openssh-sigpipe.patch +++ b/openssh-sigpipe.patch @@ -11,15 +11,15 @@ diff -urNp -x '*.orig' openssh-8.4p1.org/clientloop.c openssh-8.4p1/clientloop.c /* * Name of the host we are connecting to. This is the name given on the * command line, or the Hostname specified for the user-supplied name in a -@@ -1301,6 +1304,8 @@ client_loop(struct ssh *ssh, int have_pt +@@ -1518,6 +1518,8 @@ client_loop(struct ssh *ssh, int have_pt ssh_signal(SIGQUIT, signal_handler); if (ssh_signal(SIGTERM, SIG_IGN) != SIG_IGN) ssh_signal(SIGTERM, signal_handler); + if (enable_sigpipe) -+ signal(SIGPIPE, signal_handler); ++ ssh_signal(SIGPIPE, signal_handler); ssh_signal(SIGWINCH, window_change_handler); - - if (have_pty) + #ifdef SIGINFO + ssh_signal(SIGINFO, siginfo_handler); diff -urNp -x '*.orig' openssh-8.4p1.org/ssh.0 openssh-8.4p1/ssh.0 --- openssh-8.4p1.org/ssh.0 2020-09-27 09:42:10.000000000 +0200 +++ openssh-8.4p1/ssh.0 2021-03-01 11:29:10.909905265 +0100 
diff --git a/openssh.spec b/openssh.spec index 1ea45bb..14bb789 100644 --- a/openssh.spec +++ b/openssh.spec @@ -32,13 +32,13 @@ Summary(pt_BR.UTF-8): Implementação livre do SSH Summary(ru.UTF-8): OpenSSH - свободная реализация протокола Secure Shell (SSH) Summary(uk.UTF-8): OpenSSH - вільна реалізація протоколу Secure Shell (SSH) Name: openssh -Version: 9.7p1 -Release: 1 +Version: 10.2p1 +Release: 4 Epoch: 2 License: BSD Group: Applications/Networking Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz -# Source0-md5: 1100f170ca1bc669038ca3743e074094 +# Source0-md5: 801b5ad6da38e0045de20dd5dd2f6a80 Source1: http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2 # Source1-md5: 66943d481cc422512b537bcc2c7400d1 Source2: %{name}d.init @@ -48,6 +48,8 @@ Source5: ssh-agent.sh Source6: ssh-agent.conf Source7: %{name}-lpk.schema Source10: sshd-keygen +Source13: tld_ssh_config +Source14: tld_sshd_config Patch100: %{name}-git.patch # Patch100-md5: eb723cc4f21efc32752161d539c9c5e9 Patch0: %{name}-no-pty-tests.patch @@ -83,13 +85,14 @@ BuildRequires: libfido2-devel >= 1.5.0 %{?with_libseccomp:BuildRequires: libseccomp-devel} %{?with_selinux:BuildRequires: libselinux-devel} %{?with_ldap:BuildRequires: openldap-devel} -BuildRequires: openssl-devel >= 1.1.0g +BuildRequires: openssl-devel >= 1.1.1 BuildRequires: pam-devel %{?with_gtk:BuildRequires: pkgconfig} %if %{with tests} && %{with tests_conch} BuildRequires: python-TwistedConch %endif BuildRequires: rpm >= 4.4.9-56 +BuildRequires: rpm-build >= 4.6 BuildRequires: rpmbuild(macros) >= 1.752 BuildRequires: sed >= 4.0 BuildRequires: zlib-devel >= 1.2.3 @@ -101,9 +104,6 @@ BuildRequires: %{name}-server BuildRequires: uname(release) >= 3.5 %endif Requires: zlib >= 1.2.3 -Requires: filesystem >= 3.0-11 -Requires: pam >= %{pam_ver} -Suggests: xorg-app-xauth Obsoletes: ssh BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n) 
@@ -255,11 +255,11 @@ Summary(pt_BR.UTF-8): Clientes do OpenSSH Summary(ru.UTF-8): OpenSSH - клиенты протокола Secure Shell Summary(uk.UTF-8): OpenSSH - клієнти протоколу Secure Shell Group: Applications/Networking -Requires: %{name} +Requires: %{name} = %{epoch}:%{version}-%{release} Suggests: %{name}-clients-helper-fido = %{epoch}:%{version}-%{release} Provides: ssh-clients Obsoletes: ssh-clients -%requires_eq_to openssl openssl-devel +%requires_eq_to openssl%{?_isa} openssl-devel %description clients Ssh (Secure Shell) a program for logging into a remote machine and for @@ -362,7 +362,9 @@ Requires(postun): /usr/sbin/userdel Requires(pre): /bin/id Requires(pre): /usr/sbin/useradd Requires: %{name} = %{epoch}:%{version}-%{release} +Requires: filesystem >= 3.0-11 Requires: pam >= %{pam_ver} +Suggests: xorg-app-xauth Requires: rc-scripts >= 0.4.3.0 %{?with_libseccomp:Requires: uname(release) >= 3.5} Requires: util-linux @@ -371,7 +373,7 @@ Suggests: /bin/login Suggests: xorg-app-xauth Provides: ssh-server Provides: user(sshd) -%requires_eq_to openssl openssl-devel +%requires_eq_to openssl%{?_isa} openssl-devel %description server Ssh (Secure Shell) a program for logging into a remote machine and for @@ -527,26 +529,26 @@ openldap-a. %prep %setup -q -#%%patch100 -p1 +#%%patch -P100 -p1 -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 +%patch -P0 -p1 +%patch -P1 -p1 +%patch -P2 -p1 +%patch -P3 -p1 +%patch -P4 -p1 +%patch -P5 -p1 +%patch -P6 -p1 +%patch -P7 -p1 +%patch -P8 -p1 -%{?with_hpn:%patch9 -p1} +%{?with_hpn:%patch -P9 -p1} -%patch11 -p1 +%patch -P11 -p1 -%patch13 -p1 +%patch -P13 -p1 -%patch14 -p1 -%{!?with_ldap:%patch15 -p1} +%patch -P14 -p1 +%{!?with_ldap:%patch -P15 -p1} # hack since arc4random from openbsd-compat needs symbols from libssh and vice versa sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh -lopenbsd-compat#g' Makefile* 
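Review bot: The `Suggests: xorg-app-xauth` added to the server subpackage in the `@@ -362,7 +362,9 @@` hunk duplicates a `Suggests: xorg-app-xauth` that is already there, visible as context in the following `@@ -371,7 +373,7 @@` hunk between `Suggests: /bin/login` and `Provides: ssh-server`; drop the added line. Moving `Requires: filesystem` and `Requires: pam` out of the base package into the server subpackage is otherwise consistent with the base-package hunk earlier in the patch, since only sshd needs them.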
@@ -574,8 +576,7 @@ CPPFLAGS="%{rpmcppflags} -DCHROOT -std=gnu99" --with-ldap%{!?with_ldap:=no} \ %{?with_ldns:--with-ldns} \ %{?with_libedit:--with-libedit} \ - --with-mantype=man \ - --with-md5-passwords \ + --with-mantype=doc \ --with-pam \ --with-pid-dir=%{_localstatedir}/run \ --with-privsep-path=%{_privsepdir} \ @@ -616,6 +617,7 @@ cd contrib rm -rf $RPM_BUILD_ROOT install -d $RPM_BUILD_ROOT{%{_sysconfdir},/etc/{pam.d,rc.d/init.d,sysconfig,security,env.d}} \ $RPM_BUILD_ROOT{%{_libexecdir}/ssh,%{schemadir}} +install -d $RPM_BUILD_ROOT%{_sysconfdir}/ssh{,d}_config.d install -d $RPM_BUILD_ROOT/etc/{profile.d,X11/xinit/xinitrc.d} %{__make} install \ @@ -629,6 +631,8 @@ cp -p %{SOURCE4} $RPM_BUILD_ROOT/etc/sysconfig/sshd cp -p %{SOURCE5} $RPM_BUILD_ROOT/etc/profile.d ln -sf /etc/profile.d/ssh-agent.sh $RPM_BUILD_ROOT/etc/X11/xinit/xinitrc.d/ssh-agent.sh cp -p %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir} +cp -p %{SOURCE13} $RPM_BUILD_ROOT%{_sysconfdir}/ssh_config.d/50-tld.conf +cp -p %{SOURCE14} $RPM_BUILD_ROOT%{_sysconfdir}/sshd_config.d/50-tld.conf cp -p %{SOURCE7} $RPM_BUILD_ROOT%{schemadir} install -p %{SOURCE10} $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen @@ -706,7 +710,7 @@ fi %triggerpostun server -- %{name}-server < 2:7.0p1-2 %banner %{name}-server -e << EOF -!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!!! +!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!! ! Starting from openssh 7.0 DSA keys are disabled ! ! on server and client side. You will NOT be able ! ! to use DSA keys for authentication. Please read ! 
@@ -714,11 +718,11 @@ fi !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! EOF -%triggerpostun server -- %{name}-server < 6.2p1-1 -cp -f %{_sysconfdir}/sshd_config{,.rpmorig} -sed -i -e 's#AuthorizedKeysCommandRunAs#AuthorizedKeysCommandUser##g' %{_sysconfdir}/sshd_config +if grep -q AuthorizedKeysCommandRunAs %{_sysconfdir}/sshd_config; then + cp -f %{_sysconfdir}/sshd_config{,.rpmorig} + sed -i -e 's#AuthorizedKeysCommandRunAs#AuthorizedKeysCommandUser##g' %{_sysconfdir}/sshd_config +fi -%triggerpostun server -- %{name}-server < 2:5.9p1-8 # lpk.patch to ldap.patch if grep -qE '^(UseLPK|Lpk)' %{_sysconfdir}/sshd_config; then echo >&2 "Migrating LPK patch to LDAP patch" @@ -748,7 +752,9 @@ fi %defattr(644,root,root,755) %doc TODO README OVERVIEW CREDITS Change* %attr(755,root,root) %{_bindir}/ssh-key* +#%attr(755,root,root) %{_bindir}/ssh-vulnkey* %{_mandir}/man1/ssh-key*.1* +#%{_mandir}/man1/ssh-vulnkey*.1* %dir %{_sysconfdir} %dir %{_libexecdir} @@ -760,7 +766,10 @@ fi %attr(755,root,root) %{_bindir}/ssh-add %attr(755,root,root) %{_bindir}/ssh-copy-id %attr(755,root,root) %{_bindir}/scp +%attr(755,root,root) %{_libexecdir}/ssh-pkcs11-helper %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/ssh_config +%dir %{_sysconfdir}/ssh_config.d +%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/ssh_config.d/50-tld.conf %config(noreplace,missingok) %verify(not md5 mtime size) /etc/env.d/SSH_ASKPASS %{_mandir}/man1/scp.1* %{_mandir}/man1/ssh.1* @@ -769,6 +778,7 @@ fi %{_mandir}/man1/ssh-add.1* %{_mandir}/man1/ssh-copy-id.1* %{_mandir}/man5/ssh_config.5* +%{_mandir}/man8/ssh-pkcs11-helper.8* %lang(it) %{_mandir}/it/man1/ssh.1* %lang(it) %{_mandir}/it/man5/ssh_config.5* %lang(pl) %{_mandir}/pl/man1/scp.1* 
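Review bot: The `#%attr(755,root,root) %{_bindir}/ssh-vulnkey*` and `#%{_mandir}/man1/ssh-vulnkey*.1*` lines added to the base %files list in the `@@ -748,7 +752,9 @@` hunk are commented-out entries for a binary this spec does not build, and rpm still expands macros inside comments, which is why this same patch writes `#%%patch -P100 -p1` elsewhere. Drop the two lines; if they must stay as a reminder, escape them as `#%%attr(755,root,root) %%{_bindir}/ssh-vulnkey*` and `#%%{_mandir}/man1/ssh-vulnkey*.1*` to match the spec's existing convention.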
@@ -797,15 +807,17 @@ fi %attr(755,root,root) %{_sbindir}/sshd %attr(755,root,root) %{_libexecdir}/sftp-server %attr(755,root,root) %{_libexecdir}/ssh-keysign -%attr(755,root,root) %{_libexecdir}/ssh-pkcs11-helper +%attr(755,root,root) %{_libexecdir}/sshd-auth %attr(755,root,root) %{_libexecdir}/sshd-keygen +%attr(755,root,root) %{_libexecdir}/sshd-session %{_mandir}/man8/sshd.8* %{_mandir}/man8/sftp-server.8* %{_mandir}/man8/ssh-keysign.8* -%{_mandir}/man8/ssh-pkcs11-helper.8* %{_mandir}/man5/sshd_config.5* %{_mandir}/man5/moduli.5* %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/sshd_config +%attr(750,root,root) %dir %{_sysconfdir}/sshd_config.d +%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/sshd_config.d/50-tld.conf %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/sshd %{_sysconfdir}/moduli %attr(754,root,root) /etc/rc.d/init.d/sshd diff --git a/sshd-keygen b/sshd-keygen index a090614..1353fc1 100755 --- a/sshd-keygen +++ b/sshd-keygen @@ -16,6 +16,4 @@ ssh_gen_key() { # generate new keys with empty passwords if they do not exist ssh_gen_key ed25519 /etc/ssh/ssh_host_ed25519_key -ssh_gen_key ecdsa /etc/ssh/ssh_host_ecdsa_key ssh_gen_key rsa /etc/ssh/ssh_host_rsa_key -ssh_gen_key dsa /etc/ssh/ssh_host_dsa_key diff --git a/tld_ssh_config b/tld_ssh_config new file mode 100644 index 0000000..3fa6557 --- /dev/null +++ b/tld_ssh_config @@ -0,0 +1,4 @@ +Host * + ServerAliveInterval 60 + ServerAliveCountMax 10 + TCPKeepAlive no diff --git a/tld_sshd_config b/tld_sshd_config new file mode 100644 index 0000000..7ff52c7 --- /dev/null +++ b/tld_sshd_config @@ -0,0 +1 @@ +PermitRootLogin no -- 2.52.0