[gsi-openssh/f17] Based on openssh-5.9p1-28.fc17
Mattias Ellert
ellert at fedoraproject.org
Tue Dec 11 03:37:41 UTC 2012
commit 214cc65cae92e1cf308554d8215f5a43eb6e9d92
Author: Mattias Ellert <mattias.ellert at fysast.uu.se>
Date: Tue Dec 11 03:59:57 2012 +0100
Based on openssh-5.9p1-28.fc17
gsi-openssh.spec | 15 +-
openssh-5.9p1-ipqos.patch | 12 +
openssh-5.9p1-man-moduli.patch | 24 ++
openssh-5.9p1-required-authentications.patch | 394 ++++++++++++++------------
openssh-5.9p1-sftp-chroot.patch | 30 +-
5 files changed, 275 insertions(+), 200 deletions(-)
---
diff --git a/gsi-openssh.spec b/gsi-openssh.spec
index 4acc5ee..37adeb6 100644
--- a/gsi-openssh.spec
+++ b/gsi-openssh.spec
@@ -32,7 +32,7 @@
%global nologin 1
%global openssh_ver 5.9p1
-%global openssh_rel 8
+%global openssh_rel 9
Summary: An implementation of the SSH protocol with GSI authentication
Name: gsi-openssh
@@ -157,10 +157,10 @@ Patch801: openssh-5.8p2-force_krb.patch
Patch900: openssh-5.9p1-gssapi-canohost.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
Patch901: openssh-5.9p1-kuserok.patch
-#---
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1604
-# sctp
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1873 => https://bugzilla.redhat.com/show_bug.cgi?id=668993
+#https://bugzilla.redhat.com/show_bug.cgi?id=841065
+Patch902: openssh-5.9p1-man-moduli.patch
+#https://bugzilla.redhat.com/show_bug.cgi?id=861818
+Patch903: openssh-5.9p1-ipqos.patch
# This is the patch that adds GSI support
# Based on http://grid.ncsa.illinois.edu/ssh/dl/patch/openssh-5.9p1.patch
@@ -327,6 +327,8 @@ This version of OpenSSH has been modified to support GSI authentication.
%patch900 -p1 -b .canohost
%patch901 -p1 -b .kuserok
+%patch902 -p1 -b .man-moduli
+%patch903 -p1 -b .ipqos
%patch98 -p1 -b .gsi
@@ -550,6 +552,9 @@ fi
%attr(0644,root,root) %{_unitdir}/gsisshd.service
%changelog
+* Tue Dec 11 2012 Mattias Ellert <mattias.ellert at fysast.uu.se> - 5.9p1-9
+- Based on openssh-5.9p1-28.fc17
+
* Thu Nov 01 2012 Mattias Ellert <mattias.ellert at fysast.uu.se> - 5.9p1-8
- Based on openssh-5.9p1-27.fc17
diff --git a/openssh-5.9p1-ipqos.patch b/openssh-5.9p1-ipqos.patch
new file mode 100644
index 0000000..6782876
--- /dev/null
+++ b/openssh-5.9p1-ipqos.patch
@@ -0,0 +1,12 @@
+diff -up openssh-5.9p1/packet.c.ipqos openssh-5.9p1/packet.c
+--- openssh-5.9p1/packet.c.ipqos 2012-11-26 16:15:50.664604385 +0100
++++ openssh-5.9p1/packet.c 2012-11-26 16:15:50.793603960 +0100
+@@ -435,8 +435,6 @@ packet_connection_af(void)
+ if (getsockname(active_state->connection_out, (struct sockaddr *)&to,
+ &tolen) < 0)
+ return 0;
+- if (to.ss_family == AF_INET)
+- return 1;
+ #ifdef IPV4_IN_IPV6
+ if (to.ss_family == AF_INET6 &&
+ IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)&to)->sin6_addr))
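Review bot: The nested patch drops the `if (to.ss_family == AF_INET) return 1;` early return from packet_connection_af without recording why, and neither the patch file nor the spec's `Patch903` line carries more than the bugzilla number. For a function whose name says it returns an address family, returning the literal 1 instead of the family means a caller that compares the result against `AF_INET` (2 on Linux) never matches for plain IPv4 sockets, which would explain IPQoS taking effect only on IPv6; I am inferring the caller from the name, since the rest of the function lies outside this hunk. A one-line rationale above the `diff -up` line, e.g. `# packet_connection_af() must return the real address family for IPv4 sockets, not 1, or callers' AF_INET comparisons never match (rhbz#861818)`, would keep a future rebase from quietly re-adding the early return.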
diff --git a/openssh-5.9p1-man-moduli.patch b/openssh-5.9p1-man-moduli.patch
new file mode 100644
index 0000000..8874ede
--- /dev/null
+++ b/openssh-5.9p1-man-moduli.patch
@@ -0,0 +1,24 @@
+diff -up openssh-6.1p1/moduli.0.man-moduli openssh-6.1p1/moduli.0
+--- openssh-6.1p1/moduli.0.man-moduli 2012-11-06 09:42:13.677062887 +0100
++++ openssh-6.1p1/moduli.0 2012-11-06 09:42:58.693543381 +0100
+@@ -25,7 +25,7 @@ DESCRIPTION
+
+ 0 Unknown, not tested.
+ 2 "Safe" prime; (p-1)/2 is also prime.
+- 4 Sophie Germain; (p+1)*2 is also prime.
++ 4 Sophie Germain; (p*2)+1 is also prime.
+
+ Moduli candidates initially produced by ssh-keygen(1)
+ are Sophie Germain primes (type 4). Further primality
+diff -up openssh-6.1p1/moduli.5.man-moduli openssh-6.1p1/moduli.5
+--- openssh-6.1p1/moduli.5.man-moduli 2012-11-06 09:42:17.730035388 +0100
++++ openssh-6.1p1/moduli.5 2012-11-06 09:43:31.403180375 +0100
+@@ -61,7 +61,7 @@ Unknown, not tested.
+ .It 2
+ "Safe" prime; (p-1)/2 is also prime.
+ .It 4
+-Sophie Germain; (p+1)*2 is also prime.
++Sophie Germain; (p*2)+1 is also prime.
+ .El
+ .Pp
+ Moduli candidates initially produced by
diff --git a/openssh-5.9p1-required-authentications.patch b/openssh-5.9p1-required-authentications.patch
index cecbffc..76b0d6e 100644
--- a/openssh-5.9p1-required-authentications.patch
+++ b/openssh-5.9p1-required-authentications.patch
@@ -1,128 +1,6 @@
-diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
---- openssh-5.9p1/auth.c.required-authentication 2012-07-27 12:21:41.181601972 +0200
-+++ openssh-5.9p1/auth.c 2012-07-27 12:21:41.203602020 +0200
-@@ -251,7 +251,8 @@ allowed_user(struct passwd * pw)
- }
-
- void
--auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
-+auth_log(Authctxt *authctxt, int authenticated, const char *method,
-+ const char *submethod, const char *info)
- {
- void (*authlog) (const char *fmt,...) = verbose;
- char *authmsg;
-@@ -271,9 +272,10 @@ auth_log(Authctxt *authctxt, int authent
- else
- authmsg = authenticated ? "Accepted" : "Failed";
-
-- authlog("%s %s for %s%.100s from %.200s port %d%s",
-+ authlog("%s %s%s%s for %s%.100s from %.200s port %d%s",
- authmsg,
- method,
-+ submethod == NULL ? "" : "/", submethod == NULL ? "" : submethod,
- authctxt->valid ? "" : "invalid user ",
- authctxt->user,
- get_remote_ipaddr(),
-@@ -303,7 +305,7 @@ auth_log(Authctxt *authctxt, int authent
- * Check whether root logins are disallowed.
- */
- int
--auth_root_allowed(char *method)
-+auth_root_allowed(const char *method)
- {
- switch (options.permit_root_login) {
- case PERMIT_YES:
-@@ -694,3 +696,57 @@ fakepw(void)
-
- return (&fake);
- }
-+
-+int
-+auth_method_in_list(const char *list, const char *method)
-+{
-+ char *cp;
-+
-+ cp = match_list(method, list, NULL);
-+ if (cp != NULL) {
-+ xfree(cp);
-+ return 1;
-+ }
-+
-+ return 0;
-+}
-+
-+#define DELIM ","
-+int
-+auth_remove_from_list(char **list, const char *method)
-+{
-+ char *oldlist, *cp, *newlist = NULL;
-+ u_int len = 0, ret = 0;
-+
-+ if (list == NULL || *list == NULL)
-+ return (0);
-+
-+ oldlist = *list;
-+ len = strlen(oldlist) + 1;
-+ newlist = xmalloc(len);
-+ memset(newlist, '\0', len);
-+
-+ /* Remove method from list, if present */
-+ for (;;) {
-+ if ((cp = strsep(&oldlist, DELIM)) == NULL)
-+ break;
-+ if (*cp == '\0')
-+ continue;
-+ if (strcmp(cp, method) != 0) {
-+ if (*newlist != '\0')
-+ strlcat(newlist, DELIM, len);
-+ strlcat(newlist, cp, len);
-+ } else
-+ ret++;
-+ }
-+
-+ /* Return NULL instead of empty list */
-+ if (*newlist == '\0') {
-+ xfree(newlist);
-+ newlist = NULL;
-+ }
-+ xfree(*list);
-+ *list = newlist;
-+
-+ return (ret);
-+}
-diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
---- openssh-5.9p1/auth.h.required-authentication 2011-05-29 13:39:38.000000000 +0200
-+++ openssh-5.9p1/auth.h 2012-07-27 12:21:41.204602022 +0200
-@@ -142,10 +142,11 @@ void disable_forwarding(void);
- void do_authentication(Authctxt *);
- void do_authentication2(Authctxt *);
-
--void auth_log(Authctxt *, int, char *, char *);
--void userauth_finish(Authctxt *, int, char *);
-+void auth_log(Authctxt *, int, const char *, const char *, const char *);
-+void userauth_finish(Authctxt *, int, const char *, const char *);
-+int auth_root_allowed(const char *);
-+
- void userauth_send_banner(const char *);
--int auth_root_allowed(char *);
-
- char *auth2_read_banner(void);
-
-@@ -192,6 +193,11 @@ void auth_debug_send(void);
- void auth_debug_reset(void);
-
- struct passwd *fakepw(void);
-+int auth_method_in_list(const char *, const char *);
-+int auth_remove_from_list(char **, const char *);
-+
-+int auth1_check_required(const char *);
-+int auth2_check_required(const char *);
-
- int sys_auth_passwd(Authctxt *, const char *);
-
diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
--- openssh-5.9p1/auth1.c.required-authentication 2010-08-31 14:36:39.000000000 +0200
-+++ openssh-5.9p1/auth1.c 2012-07-27 12:50:50.708706675 +0200
++++ openssh-5.9p1/auth1.c 2012-11-26 15:36:02.138986418 +0100
@@ -98,6 +98,55 @@ static const struct AuthMethod1
return (NULL);
}
@@ -281,9 +159,22 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
packet_start(SSH_SMSG_FAILURE);
packet_send();
+diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2-chall.c
+--- openssh-5.9p1/auth2-chall.c.required-authentication 2009-01-28 06:13:39.000000000 +0100
++++ openssh-5.9p1/auth2-chall.c 2012-11-26 15:36:02.138986418 +0100
+@@ -341,7 +341,8 @@ input_userauth_info_response(int type, u
+ auth2_challenge_start(authctxt);
+ }
+ }
+- userauth_finish(authctxt, authenticated, method);
++ userauth_finish(authctxt, authenticated, "keyboard-interactive",
++ authctxt->kbdintctxt?kbdintctxt->device->name:NULL);
+ xfree(method);
+ }
+
diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
--- openssh-5.9p1/auth2.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
-+++ openssh-5.9p1/auth2.c 2012-07-27 12:51:59.048241612 +0200
++++ openssh-5.9p1/auth2.c 2012-11-26 15:36:02.138986418 +0100
@@ -215,7 +215,7 @@ input_userauth_request(int type, u_int32
{
Authctxt *authctxt = ctxt;
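Review bot: In the new `userauth_finish` call the null test and the dereference use different pointers: `authctxt->kbdintctxt ? kbdintctxt->device->name : NULL` tests the field but reads through `kbdintctxt`, presumably a local copy taken earlier in input_userauth_info_response, which starts outside this hunk. The `auth2_challenge_stop`/`auth2_challenge_start` calls immediately above it, if they free or advance the context as their names suggest, let the two diverge, so the submethod written to the auth log may be stale or name the next device rather than the one that just responded. Capturing the name before those calls, e.g. `const char *devname = kbdintctxt->device->name;` ahead of the result switch and passing `devname`, pins the logged value to the device that actually answered; the `method` string the function already builds (see `xfree(method)`) shows the same information was available earlier.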
@@ -454,7 +345,7 @@ diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
+
diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-gss.c
--- openssh-5.9p1/auth2-gss.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
-+++ openssh-5.9p1/auth2-gss.c 2012-07-27 12:21:41.206602026 +0200
++++ openssh-5.9p1/auth2-gss.c 2012-11-26 15:36:02.138986418 +0100
@@ -163,7 +163,7 @@ input_gssapi_token(int type, u_int32_t p
}
authctxt->postponed = 0;
@@ -482,22 +373,9 @@ diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-g
}
Authmethod method_gssapi = {
-diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2-chall.c
---- openssh-5.9p1/auth2-chall.c.required-authentication 2009-01-28 06:13:39.000000000 +0100
-+++ openssh-5.9p1/auth2-chall.c 2012-07-27 12:21:41.206602026 +0200
-@@ -341,7 +341,8 @@ input_userauth_info_response(int type, u
- auth2_challenge_start(authctxt);
- }
- }
-- userauth_finish(authctxt, authenticated, method);
-+ userauth_finish(authctxt, authenticated, "keyboard-interactive",
-+ authctxt->kbdintctxt?kbdintctxt->device->name:NULL);
- xfree(method);
- }
-
diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-none.c
--- openssh-5.9p1/auth2-none.c.required-authentication 2010-06-26 02:01:33.000000000 +0200
-+++ openssh-5.9p1/auth2-none.c 2012-07-27 12:21:41.207602028 +0200
++++ openssh-5.9p1/auth2-none.c 2012-11-26 15:36:02.139986402 +0100
@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
{
none_enabled = 0;
@@ -507,9 +385,131 @@ diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-
return (PRIVSEP(auth_password(authctxt, "")));
return (0);
}
+diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
+--- openssh-5.9p1/auth.c.required-authentication 2012-11-26 15:27:28.134216999 +0100
++++ openssh-5.9p1/auth.c 2012-11-26 15:36:02.137986437 +0100
+@@ -251,7 +251,8 @@ allowed_user(struct passwd * pw)
+ }
+
+ void
+-auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
++auth_log(Authctxt *authctxt, int authenticated, const char *method,
++ const char *submethod, const char *info)
+ {
+ void (*authlog) (const char *fmt,...) = verbose;
+ char *authmsg;
+@@ -271,9 +272,10 @@ auth_log(Authctxt *authctxt, int authent
+ else
+ authmsg = authenticated ? "Accepted" : "Failed";
+
+- authlog("%s %s for %s%.100s from %.200s port %d%s",
++ authlog("%s %s%s%s for %s%.100s from %.200s port %d%s",
+ authmsg,
+ method,
++ submethod == NULL ? "" : "/", submethod == NULL ? "" : submethod,
+ authctxt->valid ? "" : "invalid user ",
+ authctxt->user,
+ get_remote_ipaddr(),
+@@ -303,7 +305,7 @@ auth_log(Authctxt *authctxt, int authent
+ * Check whether root logins are disallowed.
+ */
+ int
+-auth_root_allowed(char *method)
++auth_root_allowed(const char *method)
+ {
+ switch (options.permit_root_login) {
+ case PERMIT_YES:
+@@ -694,3 +696,57 @@ fakepw(void)
+
+ return (&fake);
+ }
++
++int
++auth_method_in_list(const char *list, const char *method)
++{
++ char *cp;
++
++ cp = match_list(method, list, NULL);
++ if (cp != NULL) {
++ xfree(cp);
++ return 1;
++ }
++
++ return 0;
++}
++
++#define DELIM ","
++int
++auth_remove_from_list(char **list, const char *method)
++{
++ char *oldlist, *cp, *newlist = NULL;
++ u_int len = 0, ret = 0;
++
++ if (list == NULL || *list == NULL)
++ return (0);
++
++ oldlist = *list;
++ len = strlen(oldlist) + 1;
++ newlist = xmalloc(len);
++ memset(newlist, '\0', len);
++
++ /* Remove method from list, if present */
++ for (;;) {
++ if ((cp = strsep(&oldlist, DELIM)) == NULL)
++ break;
++ if (*cp == '\0')
++ continue;
++ if (strcmp(cp, method) != 0) {
++ if (*newlist != '\0')
++ strlcat(newlist, DELIM, len);
++ strlcat(newlist, cp, len);
++ } else
++ ret++;
++ }
++
++ /* Return NULL instead of empty list */
++ if (*newlist == '\0') {
++ xfree(newlist);
++ newlist = NULL;
++ }
++ xfree(*list);
++ *list = newlist;
++
++ return (ret);
++}
+diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
+--- openssh-5.9p1/auth.h.required-authentication 2011-05-29 13:39:38.000000000 +0200
++++ openssh-5.9p1/auth.h 2012-11-26 15:36:02.138986418 +0100
+@@ -142,10 +142,11 @@ void disable_forwarding(void);
+ void do_authentication(Authctxt *);
+ void do_authentication2(Authctxt *);
+
+-void auth_log(Authctxt *, int, char *, char *);
+-void userauth_finish(Authctxt *, int, char *);
++void auth_log(Authctxt *, int, const char *, const char *, const char *);
++void userauth_finish(Authctxt *, int, const char *, const char *);
++int auth_root_allowed(const char *);
++
+ void userauth_send_banner(const char *);
+-int auth_root_allowed(char *);
+
+ char *auth2_read_banner(void);
+
+@@ -192,6 +193,11 @@ void auth_debug_send(void);
+ void auth_debug_reset(void);
+
+ struct passwd *fakepw(void);
++int auth_method_in_list(const char *, const char *);
++int auth_remove_from_list(char **, const char *);
++
++int auth1_check_required(const char *);
++int auth2_check_required(const char *);
+
+ int sys_auth_passwd(Authctxt *, const char *);
+
diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
---- openssh-5.9p1/monitor.c.required-authentication 2012-07-27 12:21:41.161601930 +0200
-+++ openssh-5.9p1/monitor.c 2012-07-27 12:51:18.884927066 +0200
+--- openssh-5.9p1/monitor.c.required-authentication 2012-11-26 15:27:28.128217022 +0100
++++ openssh-5.9p1/monitor.c 2012-11-26 15:36:02.140986390 +0100
@@ -199,6 +199,7 @@ static int key_blobtype = MM_NOKEY;
static char *hostbased_cuser = NULL;
static char *hostbased_chost = NULL;
@@ -708,8 +708,8 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
}
diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf.c
---- openssh-5.9p1/servconf.c.required-authentication 2012-07-27 12:21:41.167601942 +0200
-+++ openssh-5.9p1/servconf.c 2012-07-27 12:21:41.209602032 +0200
+--- openssh-5.9p1/servconf.c.required-authentication 2012-11-26 15:27:28.129217018 +0100
++++ openssh-5.9p1/servconf.c 2012-11-26 15:36:02.140986390 +0100
@@ -42,6 +42,8 @@
#include "key.h"
#include "kex.h"
@@ -745,56 +745,77 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
{ "ipqos", sIPQoS, SSHCFG_ALL },
{ NULL, sBadOption, 0 }
};
-@@ -1220,6 +1227,33 @@ process_server_config_line(ServerOptions
+@@ -1220,6 +1227,37 @@ process_server_config_line(ServerOptions
options->max_startups = options->max_startups_begin;
break;
+
+ case sRequiredAuthentications1:
-+ charptr = &options->required_auth1;
-+ arg = strdelim(&cp);
-+ if (!arg || *arg == '\0')
-+ fatal("%.200s line %d: Missing argument.",
-+ filename, linenum);
-+ if (auth1_check_required(arg) != 0)
-+ fatal("%.200s line %d: Invalid required authentication "
-+ "list", filename, linenum);
-+ if (*charptr == NULL)
-+ *charptr = xstrdup(arg);
-+ break;
++ if (*activep && options->required_auth1 == NULL) {
++ charptr = &options->required_auth1;
++ arg = strdelim(&cp);
++ if (!arg || *arg == '\0')
++ fatal("%.200s line %d: Missing argument.",
++ filename, linenum);
++ if (auth1_check_required(arg) != 0)
++ fatal("%.200s line %d: Invalid required authentication "
++ "list", filename, linenum);
++ if (*charptr == NULL)
++ *charptr = xstrdup(arg);
++ }
++ return 0;
+
+ case sRequiredAuthentications2:
-+ charptr = &options->required_auth2;
-+ arg = strdelim(&cp);
-+ if (!arg || *arg == '\0')
-+ fatal("%.200s line %d: Missing argument.",
-+ filename, linenum);
-+ if (auth2_check_required(arg) != 0)
-+ fatal("%.200s line %d: Invalid required authentication "
-+ "list", filename, linenum);
-+ if (*charptr == NULL)
-+ *charptr = xstrdup(arg);
-+ break;
++ if (*activep && options->required_auth2 == NULL) {
++ charptr = &options->required_auth2;
++ arg = strdelim(&cp);
++ if (!arg || *arg == '\0')
++ fatal("%.200s line %d: Missing argument.",
++ filename, linenum);
++ if (auth2_check_required(arg) != 0)
++ fatal("%.200s line %d: Invalid required authentication "
++ "list", filename, linenum);
++ if (*charptr == NULL)
++ *charptr = xstrdup(arg);
++ }
++ return 0;
+
case sMaxAuthTries:
intptr = &options->max_authtries;
goto parse_int;
+@@ -1776,6 +1814,7 @@ dump_config(ServerOptions *o)
+ dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
+ dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
+ dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
++ dump_cfg_string(sRequiredAuthentications2, o->required_auth2);
+
+ /* other arguments */
+ for (i = 0; i < o->num_subsystems; i++)
diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf.h
--- openssh-5.9p1/servconf.h.required-authentication 2011-06-23 00:30:03.000000000 +0200
-+++ openssh-5.9p1/servconf.h 2012-07-27 12:21:41.210602035 +0200
++++ openssh-5.9p1/servconf.h 2012-11-26 15:40:11.694443938 +0100
@@ -154,6 +154,9 @@ typedef struct {
u_int num_authkeys_files; /* Files containing public keys */
char *authorized_keys_files[MAX_AUTHKEYS_FILES];
-+ char *required_auth1; /* Required, but not sufficient */
++ char *required_auth1;
+ char *required_auth2;
+
char *adm_forced_command;
int use_pam; /* Enable auth via PAM */
+@@ -180,6 +183,8 @@ typedef struct {
+ M_CP_STROPT(revoked_keys_file); \
+ M_CP_STROPT(authorized_principals_file); \
+ M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
++ M_CP_STROPT(required_auth1); \
++ M_CP_STROPT(required_auth2); \
+ } while (0)
+
+ void initialize_server_options(ServerOptions *);
diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_config.5
--- openssh-5.9p1/sshd_config.5.required-authentication 2011-08-05 22:17:33.000000000 +0200
-+++ openssh-5.9p1/sshd_config.5 2012-07-27 12:38:47.607222070 +0200
++++ openssh-5.9p1/sshd_config.5 2012-11-26 15:36:02.141986377 +0100
@@ -723,6 +723,8 @@ Available keywords are
.Cm PermitOpen ,
.Cm PermitRootLogin ,
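Review bot: The new `return 0` closing the sRequiredAuthentications1 and sRequiredAuthentications2 cases (replacing `break`) skips whatever process_server_config_line does after the switch; upstream runs its "garbage at end of line" check there, so a line such as `RequiredAuthentications2 publickey password` would now keep only `publickey` and silently drop the second method instead of failing, which weakens exactly the policy this option exists to enforce. The function starts and ends outside this hunk. The argument is also read and validated only when `*activep` is set and the option is still unset, so a malformed value in a non-matching Match block or in a repeated line is never passed through auth1_check_required/auth2_check_required, and the inner `if (*charptr == NULL)` merely repeats the outer condition; the sAuthorizedPrincipalsFile shape (parse and validate unconditionally, assign under `*activep && *charptr == NULL`, then `break`) keeps both checks. Two smaller points in the same hunk: dump_config gains only `dump_cfg_string(sRequiredAuthentications2, o->required_auth2);` and nothing for required_auth1, and the servconf.h hunk drops the `/* Required, but not sufficient */` comment that documented the field's semantics.
```c
	case sRequiredAuthentications1:
		charptr = &options->required_auth1;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.",
			    filename, linenum);
		if (auth1_check_required(arg) != 0)
			fatal("%.200s line %d: Invalid required authentication "
			    "list", filename, linenum);
		/* First active occurrence wins; 'break' (not 'return 0')
		 * keeps the end-of-line garbage check after the switch. */
		if (*activep && *charptr == NULL)
			*charptr = xstrdup(arg);
		break;

	/* … sRequiredAuthentications2: same rewrite with required_auth2 and auth2_check_required … */
```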
@@ -804,25 +825,36 @@ diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_
.Cm PubkeyAuthentication ,
.Cm RhostsRSAAuthentication ,
.Cm RSAAuthentication ,
-@@ -920,6 +922,21 @@ Specifies a list of revoked public keys.
+@@ -920,6 +922,32 @@ Specifies a list of revoked public keys.
Keys listed in this file will be refused for public key authentication.
Note that if this file is not readable, then public key authentication will
be refused for all users.
+.It Cm RequiredAuthentications[12]
-+ Specifies required methods of authentications that has to succeed before authorizing the connection.
-+ (RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)
-+
-+ RequiredAuthentications1 method[,method...]
-+ RequiredAuthentications2 method[,method...]
-+
++Specifies required methods of authentications that has to succeed before
++authorizing the connection. (RequiredAuthentication1 for Protocol version 1,
++and RequiredAuthentication2 for v2)
++.Pp
++.Bl -item -offset indent -compact
++.It
++RequiredAuthentications1 method[,method...]
++.It
++RequiredAuthentications2 method[,method...]
++.El
+.Pp
+Example 1:
-+
-+ RequiredAuthentications2 password,hostbased
-+
++.Bl -item -offset indent -compact
++RequiredAuthentications2 password,hostbased
++.El
+Example 2:
-+ RequiredAuthentications2 publickey,password
-+
++.Bl -item -offset indent -compact
++RequiredAuthentications2 publickey,password
++.El
++.Pp
++Available methods:
++.Bl -item -offset indent -compact
++.It
++password, keyboard-interactive, publickey, hostbased, gssapi-keyex, gssapi-with-mic
++.El
.It Cm RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful RSA host authentication is allowed.
diff --git a/openssh-5.9p1-sftp-chroot.patch b/openssh-5.9p1-sftp-chroot.patch
index cfe4366..bdab68a 100644
--- a/openssh-5.9p1-sftp-chroot.patch
+++ b/openssh-5.9p1-sftp-chroot.patch
@@ -1,14 +1,14 @@
-diff -up openssh-5.9p0/openbsd-compat/port-linux.c.sftp-chroot openssh-5.9p0/openbsd-compat/port-linux.c
---- openssh-5.9p0/openbsd-compat/port-linux.c.sftp-chroot 2011-09-01 04:12:22.743024608 +0200
-+++ openssh-5.9p0/openbsd-compat/port-linux.c 2011-09-01 04:12:23.069088065 +0200
-@@ -503,6 +503,23 @@ ssh_selinux_change_context(const char *n
+diff -up openssh-5.9p1/openbsd-compat/port-linux.c.sftp-chroot openssh-5.9p1/openbsd-compat/port-linux.c
+--- openssh-5.9p1/openbsd-compat/port-linux.c.sftp-chroot 2012-11-05 16:32:23.932502573 +0100
++++ openssh-5.9p1/openbsd-compat/port-linux.c 2012-11-05 16:34:28.383235006 +0100
+@@ -503,6 +503,25 @@ ssh_selinux_change_context(const char *n
xfree(newctx);
}
+void
+ssh_selinux_copy_context(void)
+{
-+ char *ctx;
++ security_context_t *ctx;
+
+ if (!ssh_selinux_enabled())
+ return;
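Review bot: `security_context_t *ctx;` on the new side declares a pointer to a pointer: libselinux defines `security_context_t` as `char *`, so the getcon call that presumably fills it (between this hunk and the next, where the "getcon failed" message sits) passes a `char ***` to a `char **` parameter, and `setcon(ctx)` / `freecon(ctx)` in the following hunk pass a `char **` where a `char *` is expected. It works only because all three are pointer-sized, and the compiler warns on each call. The declaration should read `security_context_t ctx;` (the old `char *ctx;` was already the equivalent type; the change the commit actually needed is the xfree-to-freecon switch in the next hunk). ssh_selinux_copy_context continues past the end of this hunk.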
@@ -17,17 +17,19 @@ diff -up openssh-5.9p0/openbsd-compat/port-linux.c.sftp-chroot openssh-5.9p0/ope
+ logit("%s: getcon failed with %s", __func__, strerror (errno));
+ return;
+ }
-+ if (setcon(ctx) < 0)
-+ logit("%s: setcon failed with %s", __func__, strerror (errno));
-+ xfree(ctx);
++ if (ctx != NULL) {
++ if (setcon(ctx) < 0)
++ logit("%s: setcon failed with %s", __func__, strerror (errno));
++ freecon(ctx);
++ }
+}
+
#endif /* WITH_SELINUX */
#ifdef LINUX_OOM_ADJUST
-diff -up openssh-5.9p0/openbsd-compat/port-linux.h.sftp-chroot openssh-5.9p0/openbsd-compat/port-linux.h
---- openssh-5.9p0/openbsd-compat/port-linux.h.sftp-chroot 2011-01-25 02:16:18.000000000 +0100
-+++ openssh-5.9p0/openbsd-compat/port-linux.h 2011-09-01 04:12:23.163088777 +0200
+diff -up openssh-5.9p1/openbsd-compat/port-linux.h.sftp-chroot openssh-5.9p1/openbsd-compat/port-linux.h
+--- openssh-5.9p1/openbsd-compat/port-linux.h.sftp-chroot 2011-01-25 02:16:18.000000000 +0100
++++ openssh-5.9p1/openbsd-compat/port-linux.h 2012-11-05 16:32:23.935502591 +0100
@@ -24,6 +24,7 @@ int ssh_selinux_enabled(void);
void ssh_selinux_setup_pty(char *, const char *);
void ssh_selinux_setup_exec_context(char *);
@@ -36,9 +38,9 @@ diff -up openssh-5.9p0/openbsd-compat/port-linux.h.sftp-chroot openssh-5.9p0/ope
void ssh_selinux_setfscreatecon(const char *);
#endif
-diff -up openssh-5.9p0/session.c.sftp-chroot openssh-5.9p0/session.c
---- openssh-5.9p0/session.c.sftp-chroot 2011-09-01 04:12:19.698049195 +0200
-+++ openssh-5.9p0/session.c 2011-09-01 04:40:03.598148719 +0200
+diff -up openssh-5.9p1/session.c.sftp-chroot openssh-5.9p1/session.c
+--- openssh-5.9p1/session.c.sftp-chroot 2012-11-05 16:32:23.913502453 +0100
++++ openssh-5.9p1/session.c 2012-11-05 16:32:23.935502591 +0100
@@ -1519,6 +1519,9 @@ do_setusercontext(struct passwd *pw)
pw->pw_uid);
chroot_path = percent_expand(tmp, "h", pw->pw_dir,