rpms/openssh/F-12 .cvsignore, 1.24, 1.25 openssh-5.3p1-audit.patch, 1.1, 1.2 openssh.spec, 1.174, 1.175 sshd.init, 1.5, 1.6

Jan F. Chadima jfch2222 at fedoraproject.org
Mon Dec 21 11:38:06 UTC 2009


Author: jfch2222

Update of /cvs/pkgs/rpms/openssh/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv5526

Modified Files:
	.cvsignore openssh-5.3p1-audit.patch openssh.spec sshd.init 
Log Message:
updated, nss3, audit, init script


Index: .cvsignore
===================================================================
RCS file: /cvs/pkgs/rpms/openssh/F-12/.cvsignore,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -p -r1.24 -r1.25
--- .cvsignore	10 Mar 2009 12:17:53 -0000	1.24
+++ .cvsignore	21 Dec 2009 11:38:04 -0000	1.25
@@ -1 +1,2 @@
-openssh-5.2p1-noacss.tar.bz2
+openssh-5.3p1-noacss.tar.bz2
+pam_ssh_agent_auth-0.9.tar.bz2

openssh-5.3p1-audit.patch:
 auth.c       |   10 ++++++++++
 configure.ac |   13 +++++++++++++
 loginrec.c   |   52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 loginrec.h   |    4 ++++
 4 files changed, 79 insertions(+)

Index: openssh-5.3p1-audit.patch
===================================================================
RCS file: /cvs/pkgs/rpms/openssh/F-12/openssh-5.3p1-audit.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- openssh-5.3p1-audit.patch	20 Nov 2009 17:01:48 -0000	1.1
+++ openssh-5.3p1-audit.patch	21 Dec 2009 11:38:04 -0000	1.2
@@ -1,15 +1,15 @@
 diff -up openssh-5.3p1/auth.c.audit openssh-5.3p1/auth.c
 --- openssh-5.3p1/auth.c.audit	2008-11-05 06:12:54.000000000 +0100
-+++ openssh-5.3p1/auth.c	2009-10-11 13:02:47.000000000 +0200
++++ openssh-5.3p1/auth.c	2009-12-21 08:50:12.000000000 +0100
 @@ -287,6 +287,12 @@ auth_log(Authctxt *authctxt, int authent
  		    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
  # endif
  #endif
 +#if HAVE_LINUX_AUDIT
-+	if (authenticated == 0 && !authctxt->postponed) {
-+		linux_audit_record_event(-1, authctxt->user, NULL,
-+			get_remote_ipaddr(), "sshd", 0);
-+	}
++        if (authenticated == 0 && !authctxt->postponed) {
++                linux_audit_record_event(-1, authctxt->user, NULL,
++                        get_remote_ipaddr(), "sshd", 0);
++        }
 +#endif
  #ifdef SSH_AUDIT_EVENTS
  	if (authenticated == 0 && !authctxt->postponed)
@@ -19,79 +19,35 @@ diff -up openssh-5.3p1/auth.c.audit open
  		    get_canonical_hostname(options.use_dns), "ssh");
  #endif
 +#ifdef HAVE_LINUX_AUDIT
-+		linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
-+			"sshd", 0);
++                linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
++                        "sshd", 0);
 +#endif
  #ifdef SSH_AUDIT_EVENTS
  		audit_event(SSH_INVALID_USER);
  #endif /* SSH_AUDIT_EVENTS */
-diff -up openssh-5.3p1/config.h.in.audit openssh-5.3p1/config.h.in
---- openssh-5.3p1/config.h.in.audit	2009-09-26 08:31:14.000000000 +0200
-+++ openssh-5.3p1/config.h.in	2009-10-11 13:09:41.000000000 +0200
-@@ -533,6 +533,9 @@
- /* Define to 1 if you have the <lastlog.h> header file. */
- #undef HAVE_LASTLOG_H
- 
-+/* Define to 1 if you have the <libaudit.h> header file. */
-+#undef HAVE_LIBAUDIT_H
-+
- /* Define to 1 if you have the `bsm' library (-lbsm). */
- #undef HAVE_LIBBSM
- 
-@@ -572,6 +575,9 @@
- /* Define to 1 if you have the <limits.h> header file. */
- #undef HAVE_LIMITS_H
- 
-+/* Define if you want Linux audit support. */
-+#undef HAVE_LINUX_AUDIT
-+
- /* Define to 1 if you have the <linux/if_tun.h> header file. */
- #undef HAVE_LINUX_IF_TUN_H
- 
-@@ -768,6 +774,9 @@
- /* Define to 1 if you have the `setgroups' function. */
- #undef HAVE_SETGROUPS
- 
-+/* Define to 1 if you have the `setkeycreatecon' function. */
-+#undef HAVE_SETKEYCREATECON
-+
- /* Define to 1 if you have the `setlogin' function. */
- #undef HAVE_SETLOGIN
- 
-@@ -1348,6 +1357,10 @@
- /* Prepend the address family to IP tunnel traffic */
- #undef SSH_TUN_PREPEND_AF
- 
-+/* Define to your vendor patch level, if it has been modified from the
-+   upstream source release. */
-+#undef SSH_VENDOR_PATCHLEVEL
-+
- /* Define to 1 if you have the ANSI C header files. */
- #undef STDC_HEADERS
- 
 diff -up openssh-5.3p1/configure.ac.audit openssh-5.3p1/configure.ac
---- openssh-5.3p1/configure.ac.audit	2009-09-11 06:56:08.000000000 +0200
-+++ openssh-5.3p1/configure.ac	2009-10-11 13:08:03.000000000 +0200
-@@ -3407,6 +3407,18 @@ AC_ARG_WITH(selinux,
+--- openssh-5.3p1/configure.ac.audit	2009-12-21 08:48:59.000000000 +0100
++++ openssh-5.3p1/configure.ac	2009-12-21 08:51:47.000000000 +0100
+@@ -3409,6 +3409,18 @@ AC_ARG_WITH(selinux,
  	fi ]
  )
  
 +# Check whether user wants Linux audit support
 +LINUX_AUDIT_MSG="no"
 +AC_ARG_WITH(linux-audit,
-+	[  --with-linux-audit   Enable Linux audit support],
-+	[ if test "x$withval" != "xno" ; then
-+		AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
-+		LINUX_AUDIT_MSG="yes"
-+		AC_CHECK_HEADERS(libaudit.h)
-+		SSHDLIBS="$SSHDLIBS -laudit"
-+	fi ]
++        [  --with-linux-audit   Enable Linux audit support],
++        [ if test "x$withval" != "xno" ; then
++                AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
++                LINUX_AUDIT_MSG="yes"
++                AC_CHECK_HEADERS(libaudit.h)
++                SSHDLIBS="$SSHDLIBS -laudit"
++        fi ]
 +)
 +
  # Check whether user wants Kerberos 5 support
  KRB5_MSG="no"
  AC_ARG_WITH(kerberos5,
-@@ -4226,6 +4238,7 @@ echo "                       PAM support
+@@ -4234,6 +4246,7 @@ echo "                       PAM support
  echo "                   OSF SIA support: $SIA_MSG"
  echo "                 KerberosV support: $KRB5_MSG"
  echo "                   SELinux support: $SELINUX_MSG"
@@ -101,7 +57,7 @@ diff -up openssh-5.3p1/configure.ac.audi
  echo "              TCP Wrappers support: $TCPW_MSG"
 diff -up openssh-5.3p1/loginrec.c.audit openssh-5.3p1/loginrec.c
 --- openssh-5.3p1/loginrec.c.audit	2009-02-12 03:12:22.000000000 +0100
-+++ openssh-5.3p1/loginrec.c	2009-10-11 13:06:16.000000000 +0200
++++ openssh-5.3p1/loginrec.c	2009-12-21 08:54:17.000000000 +0100
 @@ -176,6 +176,10 @@
  #include "auth.h"
  #include "buffer.h"
@@ -128,94 +84,54 @@ diff -up openssh-5.3p1/loginrec.c.audit 
  	/* set the timestamp */
  	login_set_current_time(li);
 +#ifdef HAVE_LINUX_AUDIT
-+	if (linux_audit_write_entry(li) == 0)
-+		fatal("linux_audit_write_entry failed: %s", strerror(errno));
++        if (linux_audit_write_entry(li) == 0)
++                fatal("linux_audit_write_entry failed: %s", strerror(errno));
 +#endif
  #ifdef USE_LOGIN
  	syslogin_write_entry(li);
  #endif
-@@ -1394,6 +1405,87 @@ wtmpx_get_entry(struct logininfo *li)
+@@ -1394,6 +1405,47 @@ wtmpx_get_entry(struct logininfo *li)
  }
  #endif /* USE_WTMPX */
  
 +#ifdef HAVE_LINUX_AUDIT
-+static void
-+_audit_hexscape(const char *what, char *where, unsigned int size)
-+{
-+	const char *ptr = what;
-+	const char *hex = "0123456789ABCDEF";
-+
-+	while (*ptr) {
-+		if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) {
-+			unsigned int i;
-+			ptr = what;
-+			for (i = 0; *ptr && i+2 < size; i += 2) {
-+				where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */
-+				where[i+1] = hex[(unsigned)*ptr & 0x0F];   /* Lower nibble */
-+				ptr++;
-+			}
-+			where[i] = '\0';
-+			return;
-+		}
-+		ptr++;
-+	}
-+	where[0] = '"';
-+	if ((unsigned)(ptr - what) < size - 3)
-+	{
-+		size = ptr - what + 3;
-+	}
-+	strncpy(where + 1, what, size - 3);
-+	where[size-2] = '"';
-+	where[size-1] = '\0';
-+}
-+
-+#define AUDIT_LOG_SIZE 128
-+#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8)
-+
 +int
 +linux_audit_record_event(int uid, const char *username,
-+	const char *hostname, const char *ip, const char *ttyn, int success)
++        const char *hostname, const char *ip, const char *ttyn, int success)
 +{
-+	char buf[AUDIT_LOG_SIZE];
-+	int audit_fd, rc;
++        int audit_fd, rc;
 +
-+	audit_fd = audit_open();
-+	if (audit_fd < 0) {
-+	 	if (errno == EINVAL || errno == EPROTONOSUPPORT ||
-+					errno == EAFNOSUPPORT)
-+			return 1; /* No audit support in kernel */
-+		else
-+			return 0; /* Must prevent login */
-+	}
-+	if (username == NULL)
-+		snprintf(buf, sizeof(buf), "uid=%d", uid);
-+	else {
-+		char encoded[AUDIT_ACCT_SIZE];
-+		_audit_hexscape(username, encoded, sizeof(encoded));
-+		snprintf(buf, sizeof(buf), "acct=%s", encoded);
-+	}
-+	rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
-+		buf, hostname, ip, ttyn, success);
-+	close(audit_fd);
-+	if (rc >= 0)
-+		return 1;
-+	else
-+		return 0;
++        audit_fd = audit_open();
++        if (audit_fd < 0) {
++                 if (errno == EINVAL || errno == EPROTONOSUPPORT ||
++                                        errno == EAFNOSUPPORT)
++                        return 1; /* No audit support in kernel */
++                else
++                        return 0; /* Must prevent login */
++        }
++        rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
++                NULL, "login", username ? username : "(unknown)",
++                username == NULL ? uid : -1, hostname, ip, ttyn, success);
++        close(audit_fd);
++        if (rc >= 0)
++                return 1;
++        else
++                return 0;
 +}
 +
 +int
 +linux_audit_write_entry(struct logininfo *li)
 +{
-+	switch(li->type) {
-+	case LTYPE_LOGIN:
-+		return (linux_audit_record_event(li->uid, NULL, li->hostname,
-+			NULL, li->line, 1));
-+	case LTYPE_LOGOUT:
-+		return (1);	/* We only care about logins */
-+	default:
-+		logit("%s: invalid type field", __func__);
-+		return (0);
-+	}
++        switch(li->type) {
++        case LTYPE_LOGIN:
++                return (linux_audit_record_event(li->uid, NULL, li->hostname,
++                        NULL, li->line, 1));
++        case LTYPE_LOGOUT:
++                return (1);        /* We only care about logins */
++        default:
++                logit("%s: invalid type field", __func__);
++                return (0);
++        }
 +}
 +#endif /* HAVE_LINUX_AUDIT */
 +
@@ -224,14 +140,14 @@ diff -up openssh-5.3p1/loginrec.c.audit 
   **/
 diff -up openssh-5.3p1/loginrec.h.audit openssh-5.3p1/loginrec.h
 --- openssh-5.3p1/loginrec.h.audit	2006-08-05 04:39:40.000000000 +0200
-+++ openssh-5.3p1/loginrec.h	2009-10-11 13:04:28.000000000 +0200
++++ openssh-5.3p1/loginrec.h	2009-12-21 08:48:59.000000000 +0100
 @@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
  char *line_abbrevname(char *dst, const char *src, int dstsize);
  
  void record_failed_login(const char *, const char *, const char *);
 +#ifdef HAVE_LINUX_AUDIT
 +int linux_audit_record_event(int uid, const char *username,
-+	const char *hostname, const char *ip, const char *ttyn, int success);
++        const char *hostname, const char *ip, const char *ttyn, int success);
 +#endif /* HAVE_LINUX_AUDIT */
  
  #endif /* _HAVE_LOGINREC_H_ */


Index: openssh.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openssh/F-12/openssh.spec,v
retrieving revision 1.174
retrieving revision 1.175
diff -u -p -r1.174 -r1.175
--- openssh.spec	30 Nov 2009 10:09:11 -0000	1.174
+++ openssh.spec	21 Dec 2009 11:38:04 -0000	1.175
@@ -69,7 +69,7 @@
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: 5.3p1
-Release: 11%{?dist}%{?rescue_rel}
+Release: 13%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #URL1: http://pamsshauth.sourceforge.net
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@@ -525,6 +525,11 @@ fi
 %endif
 
 %changelog
+* Mon Dec 21 2009 Jan F. Chadima <jchadima at redhat.com> - 5.3p1-13
+- Update the audit patch
+- Add possibility to autocreate only RSA key into initscript (#533339)
+- Update NSS key patch including future SEC_ERROR_LOCKED_PASSWORD (#537411, #356451)
+ 
 * Mon Nov 30 2009 Jan F. Chadima <jchadima at redhat.com> - 5.3p1-11
 - Update NSS key patch including future SEC_ERROR_LOCKED_PASSWORD (#537411, #356451)
 


Index: sshd.init
===================================================================
RCS file: /cvs/pkgs/rpms/openssh/F-12/sshd.init,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -p -r1.5 -r1.6
--- sshd.init	29 Oct 2009 12:19:37 -0000	1.5
+++ sshd.init	21 Dec 2009 11:38:04 -0000	1.6
@@ -122,9 +122,11 @@ start()
 	[ -f /etc/ssh/sshd_config ] || exit 6
 	# Create keys if necessary
 	if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
-		do_rsa1_keygen
 		do_rsa_keygen
-		do_dsa_keygen
+		if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then
+			do_rsa1_keygen
+			do_dsa_keygen
+		fi
 	fi
 
 	echo -n $"Starting $prog: "
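Review bot: The new `RSAONLY` value of `AUTOCREATE_SERVER_KEYS` is introduced without any comment naming the accepted values, so a reader of the init script sees only `NO` and `RSAONLY` as bare, case-sensitive sentinels; a comment above the outer `if`, such as `# AUTOCREATE_SERVER_KEYS: NO = generate no host keys, RSAONLY = RSA key only, anything else = RSA, RSA1 and DSA keys`, would document the contract in place (the file where the variable is set is outside this diff). Because the tests are on `"x${AUTOCREATE_SERVER_KEYS}"`, an unset variable still falls through to generating all three keys, which matches the previous behaviour. `start()` begins before this hunk.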



