rpms/openssh/devel openssh-5.5p1-gsskex.patch, NONE, 1.1 openssh-5.5p1-pka-ldap.patch, NONE, 1.1 openssh-5.5p1-stderr.patch, NONE, 1.1 openssh-5.5p1-fips.patch, 1.1, 1.2 openssh.spec, 1.205, 1.206 openssh-5.5p1-ldap.patch, 1.1, NONE
Jan F. Chadima
jfch2222 at fedoraproject.org
Mon May 3 13:32:47 UTC 2010
Author: jfch2222
Update of /cvs/pkgs/rpms/openssh/devel
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv17132
Modified Files:
openssh-5.5p1-fips.patch openssh.spec
Added Files:
openssh-5.5p1-gsskex.patch openssh-5.5p1-pka-ldap.patch
openssh-5.5p1-stderr.patch
Removed Files:
openssh-5.5p1-ldap.patch
Log Message:
* Mon May 3 2010 Jan F. Chadima <jchadima at redhat.com> - 5.5p1-5 + 0.9.2-26
- Create separate ldap package
- Tweak the ldap patch
- Rename stderr patch properly
openssh-5.5p1-gsskex.patch:
ChangeLog.gssapi | 95 +++++++++++++++
Makefile.in | 6
auth-krb5.c | 17 ++
auth.h | 1
auth2-gss.c | 50 +++++++-
auth2.c | 6
clientloop.c | 11 +
configure.ac | 24 +++
gss-genr.c | 274 ++++++++++++++++++++++++++++++++++++++++++++-
gss-serv-krb5.c | 84 ++++++++++++-
gss-serv.c | 220 +++++++++++++++++++++++++++++++-----
kex.c | 18 ++
kex.h | 14 ++
kexgssc.c | 334 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
kexgsss.c | 288 +++++++++++++++++++++++++++++++++++++++++++++++
key.c | 2
key.h | 1
monitor.c | 108 +++++++++++++++++
monitor.h | 2
monitor_wrap.c | 47 +++++++
monitor_wrap.h | 4
readconf.c | 35 +++++
readconf.h | 4
servconf.c | 31 ++++-
servconf.h | 3
ssh-gss.h | 39 +++++-
ssh_config | 2
ssh_config.5 | 29 ++++
sshconnect2.c | 119 ++++++++++++++++++-
sshd.c | 110 ++++++++++++++++++
sshd_config | 2
sshd_config.5 | 28 ++++
32 files changed, 1949 insertions(+), 59 deletions(-)
--- NEW FILE openssh-5.5p1-gsskex.patch ---
diff -up openssh-5.4p1/auth2.c.gsskex openssh-5.4p1/auth2.c
--- openssh-5.4p1/auth2.c.gsskex 2010-03-01 18:14:24.000000000 +0100
+++ openssh-5.4p1/auth2.c 2010-03-01 18:14:28.000000000 +0100
@@ -69,6 +69,7 @@ extern Authmethod method_passwd;
extern Authmethod method_kbdint;
extern Authmethod method_hostbased;
#ifdef GSSAPI
+extern Authmethod method_gsskeyex;
extern Authmethod method_gssapi;
#endif
#ifdef JPAKE
@@ -79,6 +80,7 @@ Authmethod *authmethods[] = {
&method_none,
&method_pubkey,
#ifdef GSSAPI
+ &method_gsskeyex,
&method_gssapi,
#endif
#ifdef JPAKE
@@ -289,6 +291,7 @@ input_userauth_request(int type, u_int32
#endif
authctxt->postponed = 0;
+ authctxt->server_caused_failure = 0;
/* try to authenticate user */
m = authmethod_lookup(method);
@@ -361,7 +364,8 @@ userauth_finish(Authctxt *authctxt, int
} else {
/* Allow initial try of "none" auth without failure penalty */
- if (authctxt->attempt > 1 || strcmp(method, "none") != 0)
+ if (!authctxt->server_caused_failure &&
+ (authctxt->attempt > 1 || strcmp(method, "none") != 0))
authctxt->failures++;
if (authctxt->failures >= options.max_authtries) {
#ifdef SSH_AUDIT_EVENTS
diff -up openssh-5.4p1/auth2-gss.c.gsskex openssh-5.4p1/auth2-gss.c
--- openssh-5.4p1/auth2-gss.c.gsskex 2010-03-01 18:14:24.000000000 +0100
+++ openssh-5.4p1/auth2-gss.c 2010-03-01 18:14:28.000000000 +0100
@@ -1,7 +1,7 @@
/* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u
static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
static void input_gssapi_errtok(int, u_int32_t, void *);
+/*
+ * The 'gssapi_keyex' userauth mechanism.
+ */
+static int
+userauth_gsskeyex(Authctxt *authctxt)
+{
+ int authenticated = 0;
+ Buffer b;
+ gss_buffer_desc mic, gssbuf;
+ u_int len;
+
+ mic.value = packet_get_string(&len);
+ mic.length = len;
+
+ packet_check_eom();
+
+ ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
+ "gssapi-keyex");
+
+ gssbuf.value = buffer_ptr(&b);
+ gssbuf.length = buffer_len(&b);
+
+ /* gss_kex_context is NULL with privsep, so we can't check it here */
+ if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context,
+ &gssbuf, &mic))))
+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
+ authctxt->pw));
+
+ buffer_free(&b);
+ xfree(mic.value);
+
+ return (authenticated);
+}
+
/*
* We only support those mechanisms that we know about (ie ones that we know
* how to check local user kuserok and the like)
@@ -102,6 +136,7 @@ userauth_gssapi(Authctxt *authctxt)
if (!present) {
xfree(doid);
+ authctxt->server_caused_failure = 1;
return (0);
}
@@ -109,6 +144,7 @@ userauth_gssapi(Authctxt *authctxt)
if (ctxt != NULL)
ssh_gssapi_delete_ctx(&ctxt);
xfree(doid);
+ authctxt->server_caused_failure = 1;
return (0);
}
@@ -242,7 +278,8 @@ input_gssapi_exchange_complete(int type,
packet_check_eom();
- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
+ authctxt->pw));
authctxt->postponed = 0;
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
@@ -284,7 +321,8 @@ input_gssapi_mic(int type, u_int32_t ple
gssbuf.length = buffer_len(&b);
if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+ authenticated =
+ PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));
else
logit("GSSAPI MIC check failed");
@@ -301,6 +339,12 @@ input_gssapi_mic(int type, u_int32_t ple
userauth_finish(authctxt, authenticated, "gssapi-with-mic");
}
+Authmethod method_gsskeyex = {
+ "gssapi-keyex",
+ userauth_gsskeyex,
+ &options.gss_authentication
+};
+
Authmethod method_gssapi = {
"gssapi-with-mic",
userauth_gssapi,
diff -up openssh-5.4p1/auth.h.gsskex openssh-5.4p1/auth.h
--- openssh-5.4p1/auth.h.gsskex 2010-03-01 18:14:25.000000000 +0100
+++ openssh-5.4p1/auth.h 2010-03-01 18:14:28.000000000 +0100
@@ -53,6 +53,7 @@ struct Authctxt {
int valid; /* user exists and is allowed to login */
int attempt;
int failures;
+ int server_caused_failure;
int force_pwchange;
char *user; /* username sent by the client */
char *service;
diff -up openssh-5.4p1/auth-krb5.c.gsskex openssh-5.4p1/auth-krb5.c
--- openssh-5.4p1/auth-krb5.c.gsskex 2009-12-21 00:49:22.000000000 +0100
+++ openssh-5.4p1/auth-krb5.c 2010-03-01 18:14:28.000000000 +0100
@@ -170,8 +170,13 @@ auth_krb5_password(Authctxt *authctxt, c
len = strlen(authctxt->krb5_ticket_file) + 6;
authctxt->krb5_ccname = xmalloc(len);
+#ifdef USE_CCAPI
+ snprintf(authctxt->krb5_ccname, len, "API:%s",
+ authctxt->krb5_ticket_file);
+#else
snprintf(authctxt->krb5_ccname, len, "FILE:%s",
authctxt->krb5_ticket_file);
+#endif
#ifdef USE_PAM
if (options.use_pam)
@@ -226,15 +231,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
#ifndef HEIMDAL
krb5_error_code
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
- int tmpfd, ret;
+ int ret;
char ccname[40];
mode_t old_umask;
+#ifdef USE_CCAPI
+ char cctemplate[] = "API:krb5cc_%d";
+#else
+ char cctemplate[] = "FILE:/tmp/krb5cc_%d_XXXXXXXXXX";
+ int tmpfd;
+#endif
ret = snprintf(ccname, sizeof(ccname),
- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
+ cctemplate, geteuid());
if (ret < 0 || (size_t)ret >= sizeof(ccname))
return ENOMEM;
+#ifndef USE_CCAPI
old_umask = umask(0177);
tmpfd = mkstemp(ccname + strlen("FILE:"));
umask(old_umask);
@@ -249,6 +261,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_c
return errno;
}
close(tmpfd);
+#endif
return (krb5_cc_resolve(ctx, ccname, ccache));
[...2534 lines suppressed...]
+
+ if (options.gss_keyex)
+ gss = ssh_gssapi_server_mechanisms();
+ else
+ gss = NULL;
+
+ if (gss && orig)
+ xasprintf(&newstr, "%s,%s", gss, orig);
+ else if (gss)
+ newstr = gss;
+ else if (orig)
+ newstr = orig;
+
+ /*
+ * If we've got GSSAPI mechanisms, then we've got the 'null' host
+ * key alg, but we can't tell people about it unless its the only
+ * host key algorithm we support
+ */
+ if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0)
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "null";
+
+ if (newstr)
+ myproposal[PROPOSAL_KEX_ALGS] = newstr;
+ else
+ fatal("No supported key exchange algorithms");
+ }
+#endif
+
/* start key exchange */
kex = kex_setup(myproposal);
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
+#ifdef GSSAPI
+ if (options.gss_keyex) {
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+ }
+#endif
kex->server = 1;
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
diff -up openssh-5.4p1/sshd_config.5.gsskex openssh-5.4p1/sshd_config.5
--- openssh-5.4p1/sshd_config.5.gsskex 2010-03-01 18:14:28.000000000 +0100
+++ openssh-5.4p1/sshd_config.5 2010-03-01 18:14:29.000000000 +0100
@@ -379,12 +379,40 @@ Specifies whether user authentication ba
The default is
.Dq no .
Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
+doesn't rely on ssh keys to verify host identity.
+The default is
+.Dq no .
+Note that this option applies to protocol version 2 only.
.It Cm GSSAPICleanupCredentials
Specifies whether to automatically destroy the user's credentials cache
on logout.
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIStrictAcceptorCheck
+Determines whether to be strict about the identity of the GSSAPI acceptor
+a client authenticates against. If
+.Dq yes
+then the client must authenticate against the
+.Pa host
+service on the current hostname. If
+.Dq no
+then the client may authenticate against any service key stored in the
+machine's default store. This facility is provided to assist with operation
+on multi homed machines.
+The default is
+.Dq yes .
+Note that this option applies only to protocol version 2 GSSAPI connections,
+and setting it to
+.Dq no
+may only work with recent Kerberos GSSAPI libraries.
+.It Cm GSSAPIStoreCredentialsOnRekey
+Controls whether the user's GSSAPI credentials should be updated following a
+successful connection rekeying. This option can be used to accepted renewed
+or updated credentials from a compatible client. The default is
+.Dq no .
.It Cm HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful public key client host authentication is allowed
diff -up openssh-5.4p1/sshd_config.gsskex openssh-5.4p1/sshd_config
--- openssh-5.4p1/sshd_config.gsskex 2010-03-01 18:14:28.000000000 +0100
+++ openssh-5.4p1/sshd_config 2010-03-01 18:14:29.000000000 +0100
@@ -78,6 +78,8 @@ ChallengeResponseAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
diff -up openssh-5.4p1/ssh-gss.h.gsskex openssh-5.4p1/ssh-gss.h
--- openssh-5.4p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200
+++ openssh-5.4p1/ssh-gss.h 2010-03-01 18:14:30.000000000 +0100
@@ -1,6 +1,6 @@
/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -60,10 +60,22 @@
#define SSH_GSS_OIDTYPE 0x06
+#define SSH2_MSG_KEXGSS_INIT 30
+#define SSH2_MSG_KEXGSS_CONTINUE 31
+#define SSH2_MSG_KEXGSS_COMPLETE 32
+#define SSH2_MSG_KEXGSS_HOSTKEY 33
+#define SSH2_MSG_KEXGSS_ERROR 34
+#define SSH2_MSG_KEXGSS_GROUPREQ 40
+#define SSH2_MSG_KEXGSS_GROUP 41
+#define KEX_GSS_GRP1_SHA1_ID "gss-group1-sha1-"
+#define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-"
+#define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-"
+
typedef struct {
char *filename;
char *envvar;
char *envval;
+ struct passwd *owner;
void *data;
} ssh_gssapi_ccache;
@@ -71,8 +83,11 @@ typedef struct {
gss_buffer_desc displayname;
gss_buffer_desc exportedname;
gss_cred_id_t creds;
+ gss_name_t name;
struct ssh_gssapi_mech_struct *mech;
ssh_gssapi_ccache store;
+ int used;
+ int updated;
} ssh_gssapi_client;
typedef struct ssh_gssapi_mech_struct {
@@ -83,6 +98,7 @@ typedef struct ssh_gssapi_mech_struct {
int (*userok) (ssh_gssapi_client *, char *);
int (*localname) (ssh_gssapi_client *, char **);
void (*storecreds) (ssh_gssapi_client *);
+ int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
} ssh_gssapi_mech;
typedef struct {
@@ -93,10 +109,11 @@ typedef struct {
gss_OID oid; /* client */
gss_cred_id_t creds; /* server */
gss_name_t client; /* server */
- gss_cred_id_t client_creds; /* server */
+ gss_cred_id_t client_creds; /* both */
} Gssctxt;
extern ssh_gssapi_mech *supported_mechs[];
+extern Gssctxt *gss_kex_context;
int ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
@@ -116,16 +133,30 @@ void ssh_gssapi_build_ctx(Gssctxt **);
void ssh_gssapi_delete_ctx(Gssctxt **);
OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
-int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
+int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *);
+OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *);
+int ssh_gssapi_credentials_updated(Gssctxt *);
/* In the server */
+typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *,
+ const char *);
+char *ssh_gssapi_client_mechanisms(const char *, const char *);
+char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *,
+ const char *);
+gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
+int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *,
+ const char *);
OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
-int ssh_gssapi_userok(char *name);
+int ssh_gssapi_userok(char *name, struct passwd *);
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_do_child(char ***, u_int *);
void ssh_gssapi_cleanup_creds(void);
void ssh_gssapi_storecreds(void);
+char *ssh_gssapi_server_mechanisms(void);
+int ssh_gssapi_oid_table_ok();
+
+int ssh_gssapi_update_creds(ssh_gssapi_ccache *store);
#endif /* GSSAPI */
#endif /* _SSH_GSS_H */
openssh-5.5p1-pka-ldap.patch:
Makefile.in | 18 -
README.lpk | 268 +++++++++++++++++
auth2-pubkey.c | 158 +++++++++-
config.h.in | 81 +++++
configure.ac | 114 +++++++
ldap-helper.c | 154 ++++++++++
ldap-helper.h | 32 ++
ldapbody.c | 494 ++++++++++++++++++++++++++++++++
ldapbody.h | 37 ++
ldapconf.c | 665 ++++++++++++++++++++++++++++++++++++++++++++
ldapconf.h | 71 ++++
ldapincludes.h | 41 ++
ldapmisc.c | 79 +++++
ldapmisc.h | 35 ++
lpk-user-example.txt | 117 +++++++
openssh-lpk-openldap.schema | 21 +
openssh-lpk-sun.schema | 23 +
servconf.c | 28 +
servconf.h | 2
ssh-ldap-helper.8 | 78 +++++
sshd_config | 2
sshd_config.0 | 14
sshd_config.5 | 13
23 files changed, 2520 insertions(+), 25 deletions(-)
--- NEW FILE openssh-5.5p1-pka-ldap.patch ---
diff -up openssh-5.5p1/auth2-pubkey.c.pka openssh-5.5p1/auth2-pubkey.c
--- openssh-5.5p1/auth2-pubkey.c.pka 2010-03-21 19:51:21.000000000 +0100
+++ openssh-5.5p1/auth2-pubkey.c 2010-04-29 11:08:25.000000000 +0200
@@ -178,27 +178,15 @@ done:
/* return 1 if user allows given key */
static int
-user_key_allowed2(struct passwd *pw, Key *key, char *file)
+user_search_key_in_file(FILE *f, char *file, Key* key, struct passwd *pw)
{
char line[SSH_MAX_PUBKEY_BYTES];
const char *reason;
int found_key = 0;
- FILE *f;
u_long linenum = 0;
Key *found;
char *fp;
- /* Temporarily use the user's uid. */
- temporarily_use_uid(pw);
-
- debug("trying public key file %s", file);
- f = auth_openkeyfile(file, pw, options.strict_modes);
-
- if (!f) {
- restore_uid();
- return 0;
- }
-
found_key = 0;
found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
@@ -273,8 +261,6 @@ user_key_allowed2(struct passwd *pw, Key
break;
}
}
- restore_uid();
- fclose(f);
key_free(found);
if (!found_key)
debug2("key not found");
@@ -321,13 +307,153 @@ user_cert_trusted_ca(struct passwd *pw,
return ret;
}
-/* check whether given key is in .ssh/authorized_keys* */
+/* return 1 if user allows given key */
+static int
+user_key_allowed2(struct passwd *pw, Key *key, char *file)
+{
+ FILE *f;
+ int found_key = 0;
+
+ /* Temporarily use the user's uid. */
+ temporarily_use_uid(pw);
+
+ debug("trying public key file %s", file);
+ f = auth_openkeyfile(file, pw, options.strict_modes);
+
+ if (f) {
+ found_key = user_search_key_in_file (f, file, key, pw);
+ fclose(f);
+ }
+
+ restore_uid();
+ return found_key;
+}
+
+#ifdef WITH_PUBKEY_AGENT
+
+#define WHITESPACE " \t\r\n"
+
+/* return 1 if user allows given key */
+static int
+user_key_via_agent_allowed2(struct passwd *pw, Key *key)
+{
+ FILE *f;
+ int found_key = 0;
+ char *pubkey_agent_string = NULL;
+ char *tmp_pubkey_agent_string = NULL;
+ char *progname;
+ char *cp;
+ struct passwd *runas_pw;
+ struct stat st;
+
+ if (options.pubkey_agent == NULL || options.pubkey_agent[0] != '/')
+ return -1;
+
+ /* get the run as identity from config */
+ runas_pw = (options.pubkey_agent_runas == NULL)? pw
+ : getpwnam (options.pubkey_agent_runas);
+ if (!runas_pw) {
+ error("%s: getpwnam(\"%s\"): %s", __func__,
+ options.pubkey_agent_runas, strerror(errno));
+ return 0;
+ }
+
+ /* Temporarily use the specified uid. */
+ if (runas_pw->pw_uid != 0)
+ temporarily_use_uid(runas_pw);
+
+ pubkey_agent_string = percent_expand(options.pubkey_agent,
+ "h", pw->pw_dir, "u", pw->pw_name, (char *)NULL);
+
+ /* Test whether agent can be modified by non root user */
+ tmp_pubkey_agent_string = xstrdup (pubkey_agent_string);
+ progname = strtok (tmp_pubkey_agent_string, WHITESPACE);
+
+ debug3("%s: checking program '%s'", __func__, progname);
+
+ if (stat (progname, &st) < 0) {
+ error("%s: stat(\"%s\"): %s", __func__,
+ progname, strerror(errno));
+ goto go_away;
+ }
+
+ if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
+ error("bad ownership or modes for pubkey agent \"%s\"",
+ progname);
+ goto go_away;
+ }
+
+ if (!S_ISREG(st.st_mode)) {
+ error("pubkey agent \"%s\" is not a regular file",
+ progname);
+ goto go_away;
+ }
+
+ /*
+ * Descend the path, checking that each component is a
+ * root-owned directory with strict permissions.
+ */
+ do {
+ if ((cp = strrchr(progname, '/')) == NULL)
+ break;
+ else
+ *cp = '\0';
+
+ debug3("%s: checking component '%s'", __func__, progname);
+
+ if (stat(progname, &st) != 0) {
+ error("%s: stat(\"%s\"): %s", __func__,
+ progname, strerror(errno));
+ goto go_away;
+ }
+ if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
+ error("bad ownership or modes for pubkey agent path component \"%s\"",
+ progname);
+ goto go_away;
+ }
+ if (!S_ISDIR(st.st_mode)) {
+ error("pubkey agent path component \"%s\" is not a directory",
+ progname);
+ goto go_away;
+ }
+ } while (0);
+
+ /* open the pipe and read the keys */
+ f = popen (pubkey_agent_string, "r");
+ if (!f) {
+ error("%s: popen (\"%s\", \"r\"): %s", __func__,
+ pubkey_agent_string, strerror (errno));
+ goto go_away;
+ }
+
+ found_key = user_search_key_in_file (f, options.pubkey_agent, key, pw);
+ pclose (f);
+
+go_away:
+ if (tmp_pubkey_agent_string)
+ xfree (tmp_pubkey_agent_string);
+ if (pubkey_agent_string)
+ xfree (pubkey_agent_string);
+
+ if (runas_pw->pw_uid != 0)
+ restore_uid();
+ return found_key;
+}
+#endif
+
+/* check whether given key is in <pkey_agent or .ssh/authorized_keys* */
int
user_key_allowed(struct passwd *pw, Key *key)
{
int success;
char *file;
+#ifdef WITH_PUBKEY_AGENT
+ success = user_key_via_agent_allowed2(pw, key);
+ if (success >= 0)
+ return success;
+#endif
+
if (auth_key_is_revoked(key))
return 0;
if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
diff -up openssh-5.5p1/config.h.in.pka openssh-5.5p1/config.h.in
--- openssh-5.5p1/config.h.in.pka 2010-04-16 02:17:09.000000000 +0200
+++ openssh-5.5p1/config.h.in 2010-04-29 09:40:17.000000000 +0200
[...2461 lines suppressed...]
+ if (*activep && options->pubkey_agent == NULL)
+ options->pubkey_agent = xstrdup(cp + len);
+ return 0;
+
+ case sPubkeyAgentRunAs:
+ charptr = &options->pubkey_agent_runas;
+
+ arg = strdelim(&cp);
+ if (*activep && *charptr == NULL)
+ *charptr = xstrdup(arg);
+ break;
+
case sDeprecated:
logit("%s line %d: Deprecated option %s",
filename, linenum, arg);
@@ -1438,6 +1462,8 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(gss_authentication);
M_CP_INTOPT(rsa_authentication);
M_CP_INTOPT(pubkey_authentication);
+ M_CP_STROPT(pubkey_agent);
+ M_CP_STROPT(pubkey_agent_runas);
M_CP_INTOPT(kerberos_authentication);
M_CP_INTOPT(hostbased_authentication);
M_CP_INTOPT(kbd_interactive_authentication);
@@ -1682,6 +1708,8 @@ dump_config(ServerOptions *o)
dump_cfg_string(sChrootDirectory, o->chroot_directory);
dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
+ dump_cfg_string(sPubkeyAgent, o->pubkey_agent);
+ dump_cfg_string(sPubkeyAgentRunAs, o->pubkey_agent_runas);
/* string arguments requiring a lookup */
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
diff -up openssh-5.5p1/servconf.h.pka openssh-5.5p1/servconf.h
--- openssh-5.5p1/servconf.h.pka 2010-03-04 11:53:35.000000000 +0100
+++ openssh-5.5p1/servconf.h 2010-04-29 11:08:25.000000000 +0200
@@ -156,6 +156,8 @@ typedef struct {
char *chroot_directory;
char *revoked_keys_file;
char *trusted_user_ca_keys;
+ char *pubkey_agent;
+ char *pubkey_agent_runas;
} ServerOptions;
void initialize_server_options(ServerOptions *);
diff -up openssh-5.5p1/sshd_config.0.pka openssh-5.5p1/sshd_config.0
--- openssh-5.5p1/sshd_config.0.pka 2010-04-16 02:17:12.000000000 +0200
+++ openssh-5.5p1/sshd_config.0 2010-04-29 11:08:25.000000000 +0200
@@ -352,7 +352,8 @@ DESCRIPTION
KbdInteractiveAuthentication, KerberosAuthentication,
MaxAuthTries, MaxSessions, PasswordAuthentication,
PermitEmptyPasswords, PermitOpen, PermitRootLogin,
- PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication,
+ PubkeyAuthentication, PubkeyAgent, PubkeyAgentRunAs,
+ RhostsRSAAuthentication, RSAAuthentication,
X11DisplayOffset, X11Forwarding and X11UseLocalHost.
MaxAuthTries
@@ -467,6 +468,17 @@ DESCRIPTION
this file is not readable, then public key authentication will be
refused for all users.
+ PubkeyAgent
+ Specifies which agent is used for lookup of the user's public
+ keys. Empty string means to use the authorized_keys file. By
+ default there is no PubkeyAgent set. Note that this option has
+ an effect only with PubkeyAuthentication switched on.
+
+ PubkeyAgentRunAs
+ Specifies the user under whose account the PubkeyAgent is run.
+ Empty string (the default value) means the user being authorized
+ is used.
+
RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication to-
gether with successful RSA host authentication is allowed. The
diff -up openssh-5.5p1/sshd_config.5.pka openssh-5.5p1/sshd_config.5
--- openssh-5.5p1/sshd_config.5.pka 2010-03-05 00:41:45.000000000 +0100
+++ openssh-5.5p1/sshd_config.5 2010-04-29 11:08:25.000000000 +0200
@@ -618,6 +618,9 @@ Available keywords are
.Cm KerberosAuthentication ,
.Cm MaxAuthTries ,
.Cm MaxSessions ,
+.Cm PubkeyAuthentication ,
+.Cm PubkeyAgent ,
+.Cm PubkeyAgentRunAs ,
.Cm PasswordAuthentication ,
.Cm PermitEmptyPasswords ,
.Cm PermitOpen ,
@@ -819,6 +822,16 @@ Specifies a list of revoked public keys.
Keys listed in this file will be refused for public key authentication.
Note that if this file is not readable, then public key authentication will
be refused for all users.
++.It Cm PubkeyAgent
++Specifies which agent is used for lookup of the user's public
++keys. Empty string means to use the authorized_keys file.
++By default there is no PubkeyAgent set.
++Note that this option has an effect only with PubkeyAuthentication
++switched on.
++.It Cm PubkeyAgentRunAs
++Specifies the user under whose account the PubkeyAgent is run. Empty
++string (the default value) means the user being authorized is used.
++.Dq
.It Cm RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful RSA host authentication is allowed.
diff -up openssh-5.5p1/sshd_config.pka openssh-5.5p1/sshd_config
--- openssh-5.5p1/sshd_config.pka 2009-10-11 12:51:09.000000000 +0200
+++ openssh-5.5p1/sshd_config 2010-04-29 11:08:25.000000000 +0200
@@ -44,6 +44,8 @@
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
+#PubkeyAgent none
+#PubkeyAgentRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
diff -up openssh-5.5p1/ssh-ldap-helper.8.pka openssh-5.5p1/ssh-ldap-helper.8
--- openssh-5.5p1/ssh-ldap-helper.8.pka 2010-04-29 11:08:26.000000000 +0200
+++ openssh-5.5p1/ssh-ldap-helper.8 2010-04-29 11:08:26.000000000 +0200
@@ -0,0 +1,78 @@
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"
+.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: April 29 2010 $
+.Dt SSH-LDAP-HELPER 8
+.Os
+.Sh NAME
+.Nm ssh-ldap-helper
+.Nd sshd helper program for ldap support
+.Sh SYNOPSIS
+.Nm ssh-ldap-helper
+.Op Fl devw
+.Op Fl f Ar file
+.Op Fl s Ar user
+.Sh DESCRIPTION
+.Nm
+is used by
+.Xr sshd 1
+to access keys provided by a LDAP.
+.Nm
+is disabled by default and can only be enabled in the
+sshd configuration file
+.Pa /etc/ssh/sshd_config
+by setting
+.Cm PubkeyAgent
+to
+.Dq /usr/libexec/ssh-ldap-helper -s %u .
+.Pp
+.Nm
+is not intended to be invoked by the user, but from
+.Xr sshd 8 .
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl d
+Set the debug mode,
+.Nm
+prints all logs to stderr instead of syslog.
+.It Fl e
+Implies \-w
+.Nm
+halt when an unknown item is found in the ldap.conf file.
+.It Fl f
+Default /etc/ldap.conf.
+.Nm
+uses this file as a ldap configuration file.
+.It Fl s
+.Nm
+print out the keys of the user on stdout and exits.
+.It Fl v
+Implies \-d
+increases verbosity.
+.It Fl w
+.Nm
+writes warnings about unknown items in the ldap.conf file.
+
+.Sh SEE ALSO
+.Xr sshd 8 ,
+.Xr sshd_config 5 ,
+.Sh HISTORY
+.Nm
+first appeared in
+OpenSSH 5.5 + PKA-LDAP .
+.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima at redhat.com
openssh-5.5p1-stderr.patch:
session.c | 81 +++++++++++++++++++++++++++++++++++++++++---------------------
1 file changed, 54 insertions(+), 27 deletions(-)
--- NEW FILE openssh-5.5p1-stderr.patch ---
diff -up openssh-5.5p1/session.c.stderr openssh-5.5p1/session.c
--- openssh-5.5p1/session.c.stderr 2010-04-26 10:35:35.000000000 +0200
+++ openssh-5.5p1/session.c 2010-04-26 10:41:11.000000000 +0200
@@ -47,6 +47,7 @@
#include <arpa/inet.h>
#include <errno.h>
+#include <fcntl.h>
#include <grp.h>
#ifdef HAVE_PATHS_H
#include <paths.h>
@@ -447,6 +448,9 @@ do_exec_no_pty(Session *s, const char *c
#ifdef USE_PIPES
int pin[2], pout[2], perr[2];
+ if (s == NULL)
+ fatal("do_exec_no_pty: no session");
+
/* Allocate pipes for communicating with the program. */
if (pipe(pin) < 0) {
error("%s: pipe in: %.100s", __func__, strerror(errno));
@@ -458,33 +462,59 @@ do_exec_no_pty(Session *s, const char *c
close(pin[1]);
return -1;
}
- if (pipe(perr) < 0) {
- error("%s: pipe err: %.100s", __func__, strerror(errno));
- close(pin[0]);
- close(pin[1]);
- close(pout[0]);
- close(pout[1]);
- return -1;
+ if (s->is_subsystem) {
+ if ((perr[1] = open(_PATH_DEVNULL, O_WRONLY)) == -1) {
+ error("%s: open(%s): %s", __func__, _PATH_DEVNULL,
+ strerror(errno));
+ close(pin[0]);
+ close(pin[1]);
+ close(pout[0]);
+ close(pout[1]);
+ return -1;
+ }
+ perr[0] = -1;
+ } else {
+ if (pipe(perr) < 0) {
+ error("%s: pipe err: %.100s", __func__,
+ strerror(errno));
+ close(pin[0]);
+ close(pin[1]);
+ close(pout[0]);
+ close(pout[1]);
+ return -1;
+ }
}
#else
int inout[2], err[2];
+ if (s == NULL)
+ fatal("do_exec_no_pty: no session");
+
/* Uses socket pairs to communicate with the program. */
if (socketpair(AF_UNIX, SOCK_STREAM, 0, inout) < 0) {
error("%s: socketpair #1: %.100s", __func__, strerror(errno));
return -1;
}
- if (socketpair(AF_UNIX, SOCK_STREAM, 0, err) < 0) {
- error("%s: socketpair #2: %.100s", __func__, strerror(errno));
- close(inout[0]);
- close(inout[1]);
- return -1;
+ if (s->is_subsystem) {
+ if ((err[0] = open(_PATH_DEVNULL, O_WRONLY)) == -1) {
+ error("%s: open(%s): %s", __func__, _PATH_DEVNULL,
+ strerror(errno));
+ close(inout[0]);
+ close(inout[1]);
+ return -1;
+ }
+ err[1] = -1;
+ } else {
+ if (socketpair(AF_UNIX, SOCK_STREAM, 0, err) < 0) {
+ error("%s: socketpair #2: %.100s", __func__,
+ strerror(errno));
+ close(inout[0]);
+ close(inout[1]);
+ return -1;
+ }
}
#endif
- if (s == NULL)
- fatal("do_exec_no_pty: no session");
-
session_proctitle(s);
/* Fork the child. */
@@ -496,13 +526,15 @@ do_exec_no_pty(Session *s, const char *c
close(pin[1]);
close(pout[0]);
close(pout[1]);
- close(perr[0]);
+ if (perr[0] != -1)
+ close(perr[0]);
close(perr[1]);
#else
close(inout[0]);
close(inout[1]);
close(err[0]);
- close(err[1]);
+ if (err[1] != -1)
+ close(err[1]);
#endif
return -1;
case 0:
@@ -536,7 +568,8 @@ do_exec_no_pty(Session *s, const char *c
close(pout[1]);
/* Redirect stderr. */
- close(perr[0]);
+ if (perr[0] != -1)
+ close(perr[0]);
if (dup2(perr[1], 2) < 0)
perror("dup2 stderr");
close(perr[1]);
@@ -547,7 +580,8 @@ do_exec_no_pty(Session *s, const char *c
* seem to depend on it.
*/
close(inout[1]);
- close(err[1]);
+ if (err[1] != -1)
+ close(err[1]);
if (dup2(inout[0], 0) < 0) /* stdin */
perror("dup2 stdin");
if (dup2(inout[0], 1) < 0) /* stdout (same as stdin) */
@@ -595,10 +629,6 @@ do_exec_no_pty(Session *s, const char *c
close(perr[1]);
if (compat20) {
- if (s->is_subsystem) {
- close(perr[0]);
- perr[0] = -1;
- }
session_set_fds(s, pin[1], pout[0], perr[0], 0);
} else {
/* Enter the interactive session. */
@@ -615,10 +645,7 @@ do_exec_no_pty(Session *s, const char *c
* handle the case that fdin and fdout are the same.
*/
if (compat20) {
- session_set_fds(s, inout[1], inout[1],
- s->is_subsystem ? -1 : err[1], 0);
- if (s->is_subsystem)
- close(err[1]);
+ session_set_fds(s, inout[1], inout[1], err[1], 0);
} else {
server_loop(pid, inout[1], inout[1], err[1]);
/* server_loop has closed inout[1] and err[1]. */
openssh-5.5p1-fips.patch:
Makefile.in | 14 +++++++-------
auth2-pubkey.c | 3 ++-
authfile.c | 20 ++++++++++++++++----
cipher-ctr.c | 3 ++-
cipher.c | 29 ++++++++++++++++++++++++-----
cipher.h | 2 +-
mac.c | 12 ++++++++++--
myproposal.h | 7 ++++++-
openbsd-compat/bsd-arc4random.c | 27 +++++++++++++++++++++++++++
ssh-add.c | 3 ++-
ssh-agent.c | 7 ++++---
ssh-keygen.c | 12 +++++++-----
ssh.c | 20 +++++++++++++++++++-
sshconnect.c | 27 ++++++++++++++++-----------
sshconnect2.c | 14 ++++++++++++--
sshd.c | 24 ++++++++++++++++++++++--
16 files changed, 177 insertions(+), 47 deletions(-)
Index: openssh-5.5p1-fips.patch
===================================================================
RCS file: /cvs/pkgs/rpms/openssh/devel/openssh-5.5p1-fips.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- openssh-5.5p1-fips.patch 16 Apr 2010 08:09:49 -0000 1.1
+++ openssh-5.5p1-fips.patch 3 May 2010 13:32:34 -0000 1.2
@@ -222,7 +222,7 @@ diff -up openssh-5.5p1/mac.c.fips openss
diff -up openssh-5.5p1/Makefile.in.fips openssh-5.5p1/Makefile.in
--- openssh-5.5p1/Makefile.in.fips 2010-03-13 22:41:34.000000000 +0100
+++ openssh-5.5p1/Makefile.in 2010-04-16 09:48:16.000000000 +0200
-@@ -139,31 +139,31 @@ libssh.a: $(LIBSSH_OBJS)
+@@ -141,25 +141,25 @@
$(RANLIB) $@
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@@ -254,6 +254,8 @@ diff -up openssh-5.5p1/Makefile.in.fips
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+@@ -168,7 +168,7 @@
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
Index: openssh.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openssh/devel/openssh.spec,v
retrieving revision 1.205
retrieving revision 1.206
diff -u -p -r1.205 -r1.206
--- openssh.spec 28 Apr 2010 11:07:03 -0000 1.205
+++ openssh.spec 3 May 2010 13:32:38 -0000 1.206
@@ -70,7 +70,7 @@
%endif
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
-%define openssh_rel 4
+%define openssh_rel 5
%define openssh_ver 5.5p1
%define pam_ssh_agent_rel 26
%define pam_ssh_agent_ver 0.9.2
@@ -111,12 +111,11 @@ Patch62: openssh-5.1p1-scp-manpage.patch
Patch65: openssh-5.5p1-fips.patch
Patch69: openssh-5.3p1-selabel.patch
Patch71: openssh-5.2p1-edns.patch
-Patch72: openssh-5.4p1-pka.patch
-Patch73: openssh-5.4p1-gsskex.patch
+Patch72: openssh-5.5p1-pka-ldap.patch
+Patch73: openssh-5.5p1-gsskex.patch
Patch74: openssh-5.3p1-randclean.patch
Patch76: openssh-5.4p1-staterr.patch
-Patch77: openssh-5.5p1-stderr.diff
-Patch78: openssh-5.5p1-ldap.patch
+Patch77: openssh-5.5p1-stderr.patch
License: BSD
Group: Applications/Internet
@@ -184,6 +183,13 @@ Requires(post): chkconfig >= 0.9, /sbin/
Requires(pre): /usr/sbin/useradd
Requires: pam >= 1.0.1-3
+%if %{ldap}
+%package ldap
+Summary: A LDAP support for open source SSH server daemon
+Requires: openssh = %{version}-%{release}
+Group: System Environment/Daemons
+%endif
+
%package askpass
Summary: A passphrase dialog for OpenSSH and X
Group: Applications/Internet
@@ -223,6 +229,12 @@ into and executing commands on a remote
the secure shell daemon (sshd). The sshd daemon allows SSH clients to
securely connect to your SSH server.
+%if %{ldap}
+%description ldap
+OpenSSH LDAP backend is a way how to distribute the authorized tokens
+among the servers in the network.
+%endif
+
%description askpass
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
@@ -258,6 +270,7 @@ popd
%patch18 -p1 -b .pam_selinux
%endif
+%patch72 -p1 -b .pka
%patch24 -p1 -b .fromto-remote
%patch27 -p1 -b .log-chroot
%patch30 -p1 -b .exit-deadlock
@@ -269,14 +282,10 @@ popd
%patch65 -p1 -b .fips
%patch69 -p1 -b .selabel
%patch71 -p1 -b .edns
-%patch72 -p1 -b .pka
%patch73 -p1 -b .gsskex
%patch74 -p1 -b .randclean
%patch76 -p1 -b .staterr
%patch77 -p1 -b .stderr
-%if %{ldap}
-%patch78 -p1 -b .ldap
-%endif
autoreconf
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -515,28 +524,27 @@ fi
%if ! %{rescue}
%files server
%defattr(-,root,root)
-%if %{ldap}
-%doc README.lpk lpk-user-example.txt openssh-lpk-openldap.schema openssh-lpk-sun.schema
-%endif
%dir %attr(0711,root,root) %{_var}/empty/sshd
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0644,root,root) %{_sbindir}/.sshd.hmac
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
-%if %{ldap}
-%attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-helper
-%endif
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
%attr(0644,root,root) %{_mandir}/man5/moduli.5*
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
-%if %{ldap}
-%attr(0644,root,root) %{_mandir}/man8/ssh-ldap-helper.8*
-%endif
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
%attr(0755,root,root) /etc/rc.d/init.d/sshd
%endif
+%if %{ldap}
+%files ldap
+%defattr(-,root,root)
+%doc README.lpk lpk-user-example.txt openssh-lpk-openldap.schema openssh-lpk-sun.schema
+%attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-helper
+%attr(0644,root,root) %{_mandir}/man8/ssh-ldap-helper.8*
+%endif
+
%if ! %{no_gnome_askpass}
%files askpass
%defattr(-,root,root)
@@ -554,6 +562,11 @@ fi
%endif
%changelog
+* Mon May 3 2010 Jan F. Chadima <jchadima at redhat.com> - 5.5p1-5 + 0.9.2-26
+- Create separate ldap package
+- Tweak the ldap patch
+- Rename stderr patch properly
+
* Wed Apr 29 2010 Jan F. Chadima <jchadima at redhat.com> - 5.5p1-4 + 0.9.2-26
- Added LDAP support
--- openssh-5.5p1-ldap.patch DELETED ---
More information about the scm-commits
mailing list