[openssh] another audit improovements

Jan F. Chadima jfch2222 at fedoraproject.org
Fri Feb 25 08:31:01 UTC 2011


commit 48446f1f1b3c4f00971e097ef7df566e2ae93e75
Author: Jan F <jfch at kerberos.example.com>
Date:   Fri Feb 25 09:30:56 2011 +0100

    another audit improvements

 openssh-5.8p1-audit1a.patch     |   39 ---------------------
 openssh-5.8p1-fingerprint.patch |   42 ++++++++++++-----------
 openssh-5.8p1-fips.patch        |   70 +++++++++++++++++++++-----------------
 openssh.spec                    |    8 +++-
 4 files changed, 67 insertions(+), 92 deletions(-)
---
diff --git a/openssh-5.8p1-audit1a.patch b/openssh-5.8p1-audit1a.patch
index 0774dba..e69de29 100644
--- a/openssh-5.8p1-audit1a.patch
+++ b/openssh-5.8p1-audit1a.patch
@@ -1,39 +0,0 @@
-diff -up openssh-5.8p1/audit-linux.c.audit1a openssh-5.8p1/audit-linux.c
---- openssh-5.8p1/audit-linux.c.audit1a	2011-02-24 13:16:51.000000000 +0100
-+++ openssh-5.8p1/audit-linux.c	2011-02-24 13:17:17.000000000 +0100
-@@ -143,7 +143,7 @@ audit_connection_from(const char *host, 
- void
- audit_run_command(const char *command)
- {
--	if (!user_login_count++) 
-+	if (!user_login_count++ && !options.use_pam) 
- 		linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
- 		    NULL, "ssh", 1, AUDIT_USER_LOGIN);
- 	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
-@@ -155,7 +155,7 @@ audit_end_command(const char *command)
- {
- 	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
- 	    NULL, "ssh", 1, AUDIT_USER_END);
--	if (!--user_login_count) 
-+	if (!--user_login_count && !options.use_pam) 
- 		linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
- 		    NULL, "ssh", 1, AUDIT_USER_LOGOUT);
- }
-@@ -163,7 +163,7 @@ audit_end_command(const char *command)
- void
- audit_session_open(struct logininfo *li)
- {
--	if (!user_login_count++) 
-+	if (!user_login_count++ && !options.use_pam) 
- 		linux_audit_user_logxxx(li->uid, NULL, li->hostname,
- 		    NULL, li->line, 1, AUDIT_USER_LOGIN);
- 	linux_audit_user_logxxx(li->uid, NULL, li->hostname,
-@@ -175,7 +175,7 @@ audit_session_close(struct logininfo *li
- {
- 	linux_audit_user_logxxx(li->uid, NULL, li->hostname,
- 	    NULL, li->line, 1, AUDIT_USER_END);
--	if (!--user_login_count) 
-+	if (!--user_login_count && !options.use_pam) 
- 		linux_audit_user_logxxx(li->uid, NULL, li->hostname,
- 		    NULL, li->line, 1, AUDIT_USER_LOGOUT);
- }
diff --git a/openssh-5.8p1-fingerprint.patch b/openssh-5.8p1-fingerprint.patch
index 180c92a..a0438ff 100644
--- a/openssh-5.8p1-fingerprint.patch
+++ b/openssh-5.8p1-fingerprint.patch
@@ -1,6 +1,6 @@
 diff -up openssh-5.8p1/auth2-hostbased.c.fingerprint openssh-5.8p1/auth2-hostbased.c
 --- openssh-5.8p1/auth2-hostbased.c.fingerprint	2010-08-05 05:04:50.000000000 +0200
-+++ openssh-5.8p1/auth2-hostbased.c	2011-02-24 10:30:47.000000000 +0100
++++ openssh-5.8p1/auth2-hostbased.c	2011-02-25 09:17:18.000000000 +0100
 @@ -196,16 +196,18 @@ hostbased_key_allowed(struct passwd *pw,
  
  	if (host_status == HOST_OK) {
@@ -29,7 +29,7 @@ diff -up openssh-5.8p1/auth2-hostbased.c.fingerprint openssh-5.8p1/auth2-hostbas
  	}
 diff -up openssh-5.8p1/auth2-pubkey.c.fingerprint openssh-5.8p1/auth2-pubkey.c
 --- openssh-5.8p1/auth2-pubkey.c.fingerprint	2010-12-01 01:50:14.000000000 +0100
-+++ openssh-5.8p1/auth2-pubkey.c	2011-02-24 10:30:47.000000000 +0100
++++ openssh-5.8p1/auth2-pubkey.c	2011-02-25 09:17:18.000000000 +0100
 @@ -319,10 +319,10 @@ user_key_allowed2(struct passwd *pw, Key
  				continue;
  			if (!key_is_cert_authority)
@@ -78,7 +78,7 @@ diff -up openssh-5.8p1/auth2-pubkey.c.fingerprint openssh-5.8p1/auth2-pubkey.c
  	}
 diff -up openssh-5.8p1/auth.c.fingerprint openssh-5.8p1/auth.c
 --- openssh-5.8p1/auth.c.fingerprint	2010-12-01 02:21:51.000000000 +0100
-+++ openssh-5.8p1/auth.c	2011-02-24 10:30:47.000000000 +0100
++++ openssh-5.8p1/auth.c	2011-02-25 09:17:18.000000000 +0100
 @@ -639,9 +639,10 @@ auth_key_is_revoked(Key *key)
  		return 1;
  	case 1:
@@ -94,7 +94,7 @@ diff -up openssh-5.8p1/auth.c.fingerprint openssh-5.8p1/auth.c
  	}
 diff -up openssh-5.8p1/auth-rsa.c.fingerprint openssh-5.8p1/auth-rsa.c
 --- openssh-5.8p1/auth-rsa.c.fingerprint	2010-12-04 23:01:47.000000000 +0100
-+++ openssh-5.8p1/auth-rsa.c	2011-02-24 10:30:47.000000000 +0100
++++ openssh-5.8p1/auth-rsa.c	2011-02-25 09:17:18.000000000 +0100
 @@ -318,9 +318,9 @@ auth_rsa(Authctxt *authctxt, BIGNUM *cli
  	 * options; this will be reset if the options cause the
  	 * authentication to be rejected.
@@ -110,20 +110,23 @@ diff -up openssh-5.8p1/auth-rsa.c.fingerprint openssh-5.8p1/auth-rsa.c
  
 diff -up openssh-5.8p1/key.c.fingerprint openssh-5.8p1/key.c
 --- openssh-5.8p1/key.c.fingerprint	2011-02-04 01:48:34.000000000 +0100
-+++ openssh-5.8p1/key.c	2011-02-24 10:33:05.000000000 +0100
-@@ -594,6 +594,32 @@ key_fingerprint(Key *k, enum fp_type dgs
++++ openssh-5.8p1/key.c	2011-02-25 09:18:16.000000000 +0100
+@@ -594,6 +594,34 @@ key_fingerprint(Key *k, enum fp_type dgs
  	return retval;
  }
  
-+int
++enum fp_type
 +key_fingerprint_selection(void)
 +{
++	static enum fp_type rv;
++	static char rv_defined = 0;
 +	char *env;
-+	static int rv = -1;
 +
-+	if (rv == -1) {
++	if (!rv_defined) {
 +		env = getenv("SSH_FINGERPRINT_TYPE");
-+		rv = env && !strcmp (env, "sha");
++		rv = (env && !strcmp (env, "sha")) ?
++			SSH_FP_SHA1 : SSH_FP_MD5;
++		rv_defined = 1;
 +	}
 +	return rv;
 +}
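Review bot: Any value of SSH_FINGERPRINT_TYPE other than the exact lowercase string `sha` silently selects MD5 in the new ternary, so `sha1`, `SHA` or a typo behave exactly like an unset variable with no diagnostic; either accept the documented spellings explicitly or emit a `debug()` line when the value is unrecognised. The result is also cached in a static for the rest of the process, so a later setenv() has no effect and the first caller fixes the choice for everyone. A header comment would make both points clear: `/* SSH_FINGERPRINT_TYPE=sha selects SHA-1, anything else or unset keeps the MD5 default; evaluated once on first call and cached for the process lifetime. */`. As a point of style, `static char rv_defined` should be `int` like the surrounding code, and `strcmp (env, "sha")` carries a space before the parenthesis that the rest of the file does not use.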
@@ -131,14 +134,13 @@ diff -up openssh-5.8p1/key.c.fingerprint openssh-5.8p1/key.c
 +char *
 +key_selected_fingerprint(Key *k, enum fp_rep dgst_rep)
 +{
-+	return key_fingerprint(k, key_fingerprint_selection() ?
-+	    SSH_FP_SHA1 : SSH_FP_MD5, dgst_rep);
++	return key_fingerprint(k, key_fingerprint_selection(), dgst_rep);
 +}
 +
 +char *
 +key_fingerprint_prefix(void)
 +{
-+	return key_fingerprint_selection() ? "sha1:" : "";
++	return key_fingerprint_selection() == SSH_FP_SHA1 ? "sha1:" : "";
 +}
 +
  /*
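Review bot: `key_fingerprint_prefix()` returns string literals (`"sha1:"` and `""`) through a plain `char *`, so a caller that modifies the buffer or passes it to xfree() alongside the value from `key_selected_fingerprint()` invokes undefined behaviour; the return type should be `const char *`, here and in the prototype the key.h hunk below leaves as `char *key_fingerprint_prefix(void);`. The asymmetry is easy to miss because the sibling `key_selected_fingerprint()` does hand back an allocated string the caller must free. A one-line comment on each function stating ownership (`/* returns a static string; do not free */` versus `/* returns xmalloc'd string; caller frees */`) would prevent the mix-up.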
@@ -146,12 +148,12 @@ diff -up openssh-5.8p1/key.c.fingerprint openssh-5.8p1/key.c
   * the pointer.  The integer must already be initialized.  This function is
 diff -up openssh-5.8p1/key.h.fingerprint openssh-5.8p1/key.h
 --- openssh-5.8p1/key.h.fingerprint	2010-11-05 00:19:49.000000000 +0100
-+++ openssh-5.8p1/key.h	2011-02-24 10:30:47.000000000 +0100
++++ openssh-5.8p1/key.h	2011-02-25 09:17:18.000000000 +0100
 @@ -96,6 +96,9 @@ int		 key_equal_public(const Key *, cons
  int		 key_equal(const Key *, const Key *);
  char		*key_fingerprint(Key *, enum fp_type, enum fp_rep);
  u_char		*key_fingerprint_raw(Key *, enum fp_type, u_int *);
-+int		 key_fingerprint_selection(void);
++enum fp_type	 key_fingerprint_selection(void);
 +char		*key_selected_fingerprint(Key *, enum fp_rep);
 +char		*key_fingerprint_prefix(void);
  const char	*key_type(const Key *);
@@ -159,7 +161,7 @@ diff -up openssh-5.8p1/key.h.fingerprint openssh-5.8p1/key.h
  int		 key_write(const Key *, FILE *);
 diff -up openssh-5.8p1/ssh-add.c.fingerprint openssh-5.8p1/ssh-add.c
 --- openssh-5.8p1/ssh-add.c.fingerprint	2010-11-11 04:17:02.000000000 +0100
-+++ openssh-5.8p1/ssh-add.c	2011-02-24 10:30:47.000000000 +0100
++++ openssh-5.8p1/ssh-add.c	2011-02-25 09:17:18.000000000 +0100
 @@ -280,10 +280,10 @@ list_identities(AuthenticationConnection
  		    key = ssh_get_next_identity(ac, &comment, version)) {
  			had_identities = 1;
@@ -177,7 +179,7 @@ diff -up openssh-5.8p1/ssh-add.c.fingerprint openssh-5.8p1/ssh-add.c
  				if (!key_write(key, stdout))
 diff -up openssh-5.8p1/ssh-agent.c.fingerprint openssh-5.8p1/ssh-agent.c
 --- openssh-5.8p1/ssh-agent.c.fingerprint	2010-12-01 01:50:35.000000000 +0100
-+++ openssh-5.8p1/ssh-agent.c	2011-02-24 10:30:47.000000000 +0100
++++ openssh-5.8p1/ssh-agent.c	2011-02-25 09:17:18.000000000 +0100
 @@ -199,9 +199,9 @@ confirm_key(Identity *id)
  	char *p;
  	int ret = -1;
@@ -193,7 +195,7 @@ diff -up openssh-5.8p1/ssh-agent.c.fingerprint openssh-5.8p1/ssh-agent.c
  
 diff -up openssh-5.8p1/sshconnect2.c.fingerprint openssh-5.8p1/sshconnect2.c
 --- openssh-5.8p1/sshconnect2.c.fingerprint	2010-12-01 02:21:51.000000000 +0100
-+++ openssh-5.8p1/sshconnect2.c	2011-02-24 10:30:47.000000000 +0100
++++ openssh-5.8p1/sshconnect2.c	2011-02-25 09:17:18.000000000 +0100
 @@ -590,8 +590,9 @@ input_userauth_pk_ok(int type, u_int32_t
  		    key->type, pktype);
  		goto done;
@@ -220,7 +222,7 @@ diff -up openssh-5.8p1/sshconnect2.c.fingerprint openssh-5.8p1/sshconnect2.c
  	if (key_to_blob(id->key, &blob, &bloblen) == 0) {
 diff -up openssh-5.8p1/sshconnect.c.fingerprint openssh-5.8p1/sshconnect.c
 --- openssh-5.8p1/sshconnect.c.fingerprint	2011-01-16 13:17:59.000000000 +0100
-+++ openssh-5.8p1/sshconnect.c	2011-02-24 10:30:47.000000000 +0100
++++ openssh-5.8p1/sshconnect.c	2011-02-25 09:17:18.000000000 +0100
 @@ -798,10 +798,10 @@ check_host_key(char *hostname, struct so
  				    "key for IP address '%.128s' to the list "
  				    "of known hosts.", type, ip);
@@ -316,7 +318,7 @@ diff -up openssh-5.8p1/sshconnect.c.fingerprint openssh-5.8p1/sshconnect.c
  	xfree(fp);
 diff -up openssh-5.8p1/ssh-keygen.c.fingerprint openssh-5.8p1/ssh-keygen.c
 --- openssh-5.8p1/ssh-keygen.c.fingerprint	2011-01-11 07:20:31.000000000 +0100
-+++ openssh-5.8p1/ssh-keygen.c	2011-02-24 10:30:47.000000000 +0100
++++ openssh-5.8p1/ssh-keygen.c	2011-02-25 09:17:18.000000000 +0100
 @@ -714,13 +714,14 @@ do_fingerprint(struct passwd *pw)
  {
  	FILE *f;
diff --git a/openssh-5.8p1-fips.patch b/openssh-5.8p1-fips.patch
index 6fe3deb..044376e 100644
--- a/openssh-5.8p1-fips.patch
+++ b/openssh-5.8p1-fips.patch
@@ -1,6 +1,6 @@
 diff -up openssh-5.8p1/authfile.c.fips openssh-5.8p1/authfile.c
 --- openssh-5.8p1/authfile.c.fips	2010-12-01 02:03:39.000000000 +0100
-+++ openssh-5.8p1/authfile.c	2011-02-24 10:34:41.000000000 +0100
++++ openssh-5.8p1/authfile.c	2011-02-25 09:23:19.000000000 +0100
 @@ -145,8 +145,14 @@ key_private_rsa1_to_blob(Key *key, Buffe
  	/* Allocate space for the private part of the key in the buffer. */
  	cp = buffer_append_space(&encrypted, buffer_len(&buffer));
@@ -35,8 +35,8 @@ diff -up openssh-5.8p1/authfile.c.fips openssh-5.8p1/authfile.c
  	    buffer_ptr(blob), buffer_len(blob));
  	cipher_cleanup(&ciphercontext);
 diff -up openssh-5.8p1/cipher.c.fips openssh-5.8p1/cipher.c
---- openssh-5.8p1/cipher.c.fips	2011-02-24 10:34:40.000000000 +0100
-+++ openssh-5.8p1/cipher.c	2011-02-24 10:34:41.000000000 +0100
+--- openssh-5.8p1/cipher.c.fips	2011-02-25 09:23:18.000000000 +0100
++++ openssh-5.8p1/cipher.c	2011-02-25 09:23:19.000000000 +0100
 @@ -40,6 +40,7 @@
  #include <sys/types.h>
  
@@ -123,7 +123,7 @@ diff -up openssh-5.8p1/cipher.c.fips openssh-5.8p1/cipher.c
  /*
 diff -up openssh-5.8p1/cipher-ctr.c.fips openssh-5.8p1/cipher-ctr.c
 --- openssh-5.8p1/cipher-ctr.c.fips	2010-10-07 13:06:42.000000000 +0200
-+++ openssh-5.8p1/cipher-ctr.c	2011-02-24 10:34:41.000000000 +0100
++++ openssh-5.8p1/cipher-ctr.c	2011-02-25 09:23:19.000000000 +0100
 @@ -140,7 +140,8 @@ evp_aes_128_ctr(void)
  	aes_ctr.do_cipher = ssh_aes_ctr;
  #ifndef SSH_OLD_EVP
@@ -135,8 +135,8 @@ diff -up openssh-5.8p1/cipher-ctr.c.fips openssh-5.8p1/cipher-ctr.c
  	return (&aes_ctr);
  }
 diff -up openssh-5.8p1/cipher.h.fips openssh-5.8p1/cipher.h
---- openssh-5.8p1/cipher.h.fips	2011-02-24 10:34:40.000000000 +0100
-+++ openssh-5.8p1/cipher.h	2011-02-24 10:34:41.000000000 +0100
+--- openssh-5.8p1/cipher.h.fips	2011-02-25 09:23:18.000000000 +0100
++++ openssh-5.8p1/cipher.h	2011-02-25 09:23:19.000000000 +0100
 @@ -87,7 +87,7 @@ void	 cipher_init(CipherContext *, Ciphe
      const u_char *, u_int, int);
  void	 cipher_crypt(CipherContext *, u_char *, const u_char *, u_int);
@@ -147,8 +147,8 @@ diff -up openssh-5.8p1/cipher.h.fips openssh-5.8p1/cipher.h
  u_int	 cipher_keylen(const Cipher *);
  u_int	 cipher_is_cbc(const Cipher *);
 diff -up openssh-5.8p1/key.c.fips openssh-5.8p1/key.c
---- openssh-5.8p1/key.c.fips	2011-02-24 10:35:39.000000000 +0100
-+++ openssh-5.8p1/key.c	2011-02-24 10:37:20.000000000 +0100
+--- openssh-5.8p1/key.c.fips	2011-02-25 09:23:19.000000000 +0100
++++ openssh-5.8p1/key.c	2011-02-25 09:24:35.000000000 +0100
 @@ -40,6 +40,7 @@
  #include <sys/types.h>
  
@@ -157,18 +157,26 @@ diff -up openssh-5.8p1/key.c.fips openssh-5.8p1/key.c
  #include <openbsd-compat/openssl-compat.h>
  
  #include <stdarg.h>
-@@ -601,6 +602,8 @@ key_fingerprint_selection(void)
- 	static int rv = -1;
+@@ -602,9 +603,13 @@ key_fingerprint_selection(void)
+ 	char *env;
  
- 	if (rv == -1) {
+ 	if (!rv_defined) {
+-		env = getenv("SSH_FINGERPRINT_TYPE");
+-		rv = (env && !strcmp (env, "sha")) ?
+-			SSH_FP_SHA1 : SSH_FP_MD5;
 +		if (FIPS_mode())
-+			return (rv = 1);
- 		env = getenv("SSH_FINGERPRINT_TYPE");
- 		rv = env && !strcmp (env, "sha");
++			rv = SSH_FP_SHA1;
++		else {
++			env = getenv("SSH_FINGERPRINT_TYPE");
++			rv = (env && !strcmp (env, "sha")) ?
++				SSH_FP_SHA1 : SSH_FP_MD5;
++		}
+ 		rv_defined = 1;
  	}
+ 	return rv;
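Review bot: The FIPS decision in the new branch is memoized together with the environment lookup, so whichever mode `FIPS_mode()` reports at the first call is fixed for the process lifetime; that is only correct if no caller reaches `key_fingerprint_selection()` before `FIPS_mode_set()` runs in sshd's main, and this commit merely renumbers those sshd.c hunks, so the ordering cannot be confirmed from here. A comment should state the contract: `/* In FIPS mode SHA-1 is forced and SSH_FINGERPRINT_TYPE is ignored; decided once on first call. */`. As a point of style, the `if (FIPS_mode())` arm is unbraced while its `else` is braced; brace both. The function's closing brace lies outside the hunk.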
 diff -up openssh-5.8p1/mac.c.fips openssh-5.8p1/mac.c
---- openssh-5.8p1/mac.c.fips	2011-02-24 10:34:40.000000000 +0100
-+++ openssh-5.8p1/mac.c	2011-02-24 10:34:41.000000000 +0100
+--- openssh-5.8p1/mac.c.fips	2011-02-25 09:23:18.000000000 +0100
++++ openssh-5.8p1/mac.c	2011-02-25 09:23:19.000000000 +0100
 @@ -28,6 +28,7 @@
  #include <sys/types.h>
  
@@ -219,8 +227,8 @@ diff -up openssh-5.8p1/mac.c.fips openssh-5.8p1/mac.c
  	for (i = 0; macs[i].name; i++) {
  		if (strcmp(name, macs[i].name) == 0) {
 diff -up openssh-5.8p1/Makefile.in.fips openssh-5.8p1/Makefile.in
---- openssh-5.8p1/Makefile.in.fips	2011-02-24 10:34:40.000000000 +0100
-+++ openssh-5.8p1/Makefile.in	2011-02-24 10:34:41.000000000 +0100
+--- openssh-5.8p1/Makefile.in.fips	2011-02-25 09:23:19.000000000 +0100
++++ openssh-5.8p1/Makefile.in	2011-02-25 09:23:19.000000000 +0100
 @@ -145,25 +145,25 @@ libssh.a: $(LIBSSH_OBJS)
  	$(RANLIB) $@
  
@@ -264,7 +272,7 @@ diff -up openssh-5.8p1/Makefile.in.fips openssh-5.8p1/Makefile.in
  	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 diff -up openssh-5.8p1/myproposal.h.fips openssh-5.8p1/myproposal.h
 --- openssh-5.8p1/myproposal.h.fips	2011-01-13 12:00:22.000000000 +0100
-+++ openssh-5.8p1/myproposal.h	2011-02-24 10:34:41.000000000 +0100
++++ openssh-5.8p1/myproposal.h	2011-02-25 09:23:19.000000000 +0100
 @@ -81,7 +81,12 @@
  	"hmac-sha1-96,hmac-md5-96"
  #define	KEX_DEFAULT_COMP	"none,zlib at openssh.com,zlib"
@@ -281,7 +289,7 @@ diff -up openssh-5.8p1/myproposal.h.fips openssh-5.8p1/myproposal.h
  	KEX_DEFAULT_KEX,
 diff -up openssh-5.8p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.8p1/openbsd-compat/bsd-arc4random.c
 --- openssh-5.8p1/openbsd-compat/bsd-arc4random.c.fips	2010-03-25 22:52:02.000000000 +0100
-+++ openssh-5.8p1/openbsd-compat/bsd-arc4random.c	2011-02-24 10:34:41.000000000 +0100
++++ openssh-5.8p1/openbsd-compat/bsd-arc4random.c	2011-02-25 09:23:19.000000000 +0100
 @@ -39,6 +39,7 @@
  static int rc4_ready = 0;
  static RC4_KEY rc4;
@@ -325,7 +333,7 @@ diff -up openssh-5.8p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.8p1/openbs
  #ifndef HAVE_ARC4RANDOM_BUF
 diff -up openssh-5.8p1/ssh.c.fips openssh-5.8p1/ssh.c
 --- openssh-5.8p1/ssh.c.fips	2011-02-04 01:42:15.000000000 +0100
-+++ openssh-5.8p1/ssh.c	2011-02-24 10:34:41.000000000 +0100
++++ openssh-5.8p1/ssh.c	2011-02-25 09:23:19.000000000 +0100
 @@ -73,6 +73,8 @@
  
  #include <openssl/evp.h>
@@ -389,8 +397,8 @@ diff -up openssh-5.8p1/ssh.c.fips openssh-5.8p1/ssh.c
  	if (ssh_connect(host, &hostaddr, options.port,
  	    options.address_family, options.connection_attempts, &timeout_ms,
 diff -up openssh-5.8p1/sshconnect2.c.fips openssh-5.8p1/sshconnect2.c
---- openssh-5.8p1/sshconnect2.c.fips	2011-02-24 10:34:40.000000000 +0100
-+++ openssh-5.8p1/sshconnect2.c	2011-02-24 10:34:41.000000000 +0100
+--- openssh-5.8p1/sshconnect2.c.fips	2011-02-25 09:23:18.000000000 +0100
++++ openssh-5.8p1/sshconnect2.c	2011-02-25 09:23:19.000000000 +0100
 @@ -44,6 +44,8 @@
  #include <vis.h>
  #endif
@@ -424,8 +432,8 @@ diff -up openssh-5.8p1/sshconnect2.c.fips openssh-5.8p1/sshconnect2.c
  		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
  		    options.hostkeyalgorithms;
 diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
---- openssh-5.8p1/sshd.c.fips	2011-02-24 10:34:41.000000000 +0100
-+++ openssh-5.8p1/sshd.c	2011-02-24 10:34:41.000000000 +0100
+--- openssh-5.8p1/sshd.c.fips	2011-02-25 09:23:19.000000000 +0100
++++ openssh-5.8p1/sshd.c	2011-02-25 09:23:19.000000000 +0100
 @@ -76,6 +76,8 @@
  #include <openssl/bn.h>
  #include <openssl/md5.h>
@@ -435,7 +443,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
  #include "openbsd-compat/openssl-compat.h"
  
  #ifdef HAVE_SECUREWARE
-@@ -1363,6 +1365,12 @@ main(int ac, char **av)
+@@ -1364,6 +1366,12 @@ main(int ac, char **av)
  	(void)set_auth_parameters(ac, av);
  #endif
  	__progname = ssh_get_progname(av[0]);
@@ -448,7 +456,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
  	init_rng();
  
  	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
-@@ -1524,8 +1532,6 @@ main(int ac, char **av)
+@@ -1525,8 +1533,6 @@ main(int ac, char **av)
  	else
  		closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
  
@@ -457,7 +465,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
  	/*
  	 * Force logging to stderr until we have loaded the private host
  	 * key (unless started from inetd)
-@@ -1644,6 +1650,10 @@ main(int ac, char **av)
+@@ -1645,6 +1651,10 @@ main(int ac, char **av)
  		debug("private host key: #%d type %d %s", i, key->type,
  		    key_type(key));
  	}
@@ -468,7 +476,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
  	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
  		logit("Disabling protocol version 1. Could not load host key");
  		options.protocol &= ~SSH_PROTO_1;
-@@ -1808,6 +1818,10 @@ main(int ac, char **av)
+@@ -1809,6 +1819,10 @@ main(int ac, char **av)
  	/* Initialize the random number generator. */
  	arc4random_stir();
  
@@ -479,7 +487,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
  	/* Chdir to the root directory so that the current disk can be
  	   unmounted if desired. */
  	chdir("/");
-@@ -2349,6 +2363,9 @@ do_ssh2_kex(void)
+@@ -2350,6 +2364,9 @@ do_ssh2_kex(void)
  	if (options.ciphers != NULL) {
  		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
  		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@@ -489,7 +497,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
  	}
  	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
  	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-@@ -2358,6 +2375,9 @@ do_ssh2_kex(void)
+@@ -2359,6 +2376,9 @@ do_ssh2_kex(void)
  	if (options.macs != NULL) {
  		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
  		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
diff --git a/openssh.spec b/openssh.spec
index 420a265..ec0b24a 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -71,7 +71,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 5.8p1
-%define openssh_rel 8
+%define openssh_rel 9
 %define pam_ssh_agent_ver 0.9.2
 %define pam_ssh_agent_rel 30
 
@@ -619,11 +619,15 @@ fi
 %endif
 
 %changelog
+* Fri Feb 25 2011 Jan F. Chadima <jchadima at redhat.com> - 5.8p1-9 + 0.9.2-30
+- another audit improovements
+
 * Thu Feb 24 2011 Jan F. Chadima <jchadima at redhat.com> - 5.8p1-8 + 0.9.2-30
 - another audit improovements
+- switchable fingerprint mode
 
 * Thu Feb 17 2011 Jan F. Chadima <jchadima at redhat.com> - 5.8p1-4 + 0.9.2-30
-- improve audit of server ket management
+- improve audit of server key management
 
 * Wed Feb 16 2011 Jan F. Chadima <jchadima at redhat.com> - 5.8p1-3 + 0.9.2-30
 - improve audit of logins and auths

