[gsi-openssh/f15] Based on openssh-5.6p1-35.fc15
Mattias Ellert
ellert at fedoraproject.org
Tue Feb 28 07:29:46 UTC 2012
commit f69a9589df2b611ff000251cc0e077ca22e52f7f
Author: Mattias Ellert <mattias.ellert at fysast.uu.se>
Date: Tue Feb 28 06:42:34 2012 +0100
Based on openssh-5.6p1-35.fc15
gsi-openssh.spec | 10 ++++++++--
openssh-5.6p1-getaddrinfo.patch | 21 +++++++++++++++++----
openssh-5.6p1-legacy-certificate.patch | 14 ++++++++++++++
3 files changed, 39 insertions(+), 6 deletions(-)
---
diff --git a/gsi-openssh.spec b/gsi-openssh.spec
index 0e3ded8..0c847d5 100644
--- a/gsi-openssh.spec
+++ b/gsi-openssh.spec
@@ -32,7 +32,7 @@
%global nologin 1
%global openssh_ver 5.6p1
-%global openssh_rel 4
+%global openssh_rel 5
Summary: An implementation of the SSH protocol with GSI authentication
Name: gsi-openssh
@@ -100,6 +100,8 @@ Patch81: openssh-5.6p1-clientloop.patch
Patch82:openssh-5.6p1-getaddrinfo.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1838
Patch83:openssh-5.6p1-linux-oomkiller.patch
+#https://bugzilla.redhat.com//show_bug.cgi?id=784641
+Patch84:openssh-5.6p1-legacy-certificate.patch
# This is the patch that adds GSI support
# Based on http://grid.ncsa.illinois.edu/ssh/dl/patch/openssh-5.6p1.patch
@@ -132,7 +134,7 @@ BuildRequires: krb5-devel
%if %{gsi}
BuildRequires: globus-gss-assist-devel >= 8
BuildRequires: globus-gssapi-gsi >= 10
-BuildRequires: globus-common >= 14
+BuildRequires: globus-common >= 14
BuildRequires: globus-usage-devel >= 3
%endif
@@ -243,6 +245,7 @@ This version of OpenSSH has been modified to support GSI authentication.
%patch81 -p1 -b .clientloop
%patch82 -p1 -b .getaddrinfo
%patch83 -p0 -b .oomkiller
+%patch84 -p1 -b .legacy
%patch98 -p1 -b .gsi
sed 's/sshd.pid/gsisshd.pid/' -i pathnames.h
@@ -442,6 +445,9 @@ fi
%attr(0640,root,root) %config(noreplace) /etc/sysconfig/gsisshd
%changelog
+* Tue Feb 28 2012 Mattias Ellert <mattias.ellert at fysast.uu.se> - 5.6p1-5
+- Based on openssh-5.6p1-35.fc15
+
* Sun Jan 22 2012 Mattias Ellert <mattias.ellert at fysast.uu.se> - 5.6p1-4
- Drop openssh-5.8p2-unblock-signals.patch - not needed for GT >= 5.2
- Based on openssh-5.6p1-34.fc15.1
diff --git a/openssh-5.6p1-getaddrinfo.patch b/openssh-5.6p1-getaddrinfo.patch
index 6f64067..76deaef 100644
--- a/openssh-5.6p1-getaddrinfo.patch
+++ b/openssh-5.6p1-getaddrinfo.patch
@@ -1,7 +1,20 @@
-diff -up openssh-5.8p1/sshconnect.c.getaddrinfo openssh-5.8p1/sshconnect.c
---- openssh-5.8p1/sshconnect.c.getaddrinfo 2011-04-27 09:51:44.521384633 +0200
-+++ openssh-5.8p1/sshconnect.c 2011-04-27 09:53:21.224443308 +0200
-@@ -355,6 +355,7 @@ ssh_connect(const char *host, struct soc
+diff -up openssh-5.6p1/channels.c.getaddrinfo openssh-5.6p1/channels.c
+--- openssh-5.6p1/channels.c.getaddrinfo 2012-02-14 16:12:54.427852524 +0100
++++ openssh-5.6p1/channels.c 2012-02-14 16:13:22.818928690 +0100
+@@ -3275,6 +3275,9 @@ x11_create_display_inet(int x11_display_
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = IPv4or6;
+ hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
++#ifdef AI_ADDRCONFIG
++ hints.ai_flags |= AI_ADDRCONFIG;
++#endif
+ hints.ai_socktype = SOCK_STREAM;
+ snprintf(strport, sizeof strport, "%d", port);
+ if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
+diff -up openssh-5.6p1/sshconnect.c.getaddrinfo openssh-5.6p1/sshconnect.c
+--- openssh-5.6p1/sshconnect.c.getaddrinfo 2012-02-14 16:09:25.057964291 +0100
++++ openssh-5.6p1/sshconnect.c 2012-02-14 16:09:25.106047007 +0100
+@@ -343,6 +343,7 @@ ssh_connect(const char *host, struct soc
memset(&hints, 0, sizeof(hints));
hints.ai_family = family;
hints.ai_socktype = SOCK_STREAM;
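Review bot: The new `hints.ai_flags |= AI_ADDRCONFIG;` in `x11_create_display_inet` is applied to a lookup with a NULL node, so in the `x11_use_localhost` case it filters loopback listener addresses, and the patch does not say why. Resolvers commonly ignore loopback when deciding which address families count as configured, so on a host with no non-loopback address of the requested family this `getaddrinfo` call may return an error and X11 forwarding would then be refused. I would add a comment above the `#ifdef`, such as `/* AI_ADDRCONFIG: only return families that have a configured (non-loopback) address; avoids binding a family the host cannot use */`. It is also worth confirming that the `gaierr` failure path is logged clearly enough for an operator to diagnose. The rest of the function, and the rest of the sshconnect.c section of this patch, lie outside the hunk.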
diff --git a/openssh-5.6p1-legacy-certificate.patch b/openssh-5.6p1-legacy-certificate.patch
new file mode 100644
index 0000000..57c512c
--- /dev/null
+++ b/openssh-5.6p1-legacy-certificate.patch
@@ -0,0 +1,14 @@
+diff --git a/key.c b/key.c
+index 57ad9fd..5886d44 100644
+--- a/key.c
++++ b/key.c
+@@ -1517,8 +1517,8 @@ key_certify(Key *k, Key *ca)
+ buffer_put_cstring(&k->cert->certblob, key_ssh_name(k));
+
+ /* -v01 certs put nonce first */
++ arc4random_buf(&nonce, sizeof(nonce));
+ if (k->type == KEY_DSA_CERT || k->type == KEY_RSA_CERT) {
+- arc4random_buf(&nonce, sizeof(nonce));
+ buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce));
+ }
+
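Review bot: The comment `/* -v01 certs put nonce first */` in `key_certify` now sits directly above the unconditional `arc4random_buf(&nonce, sizeof(nonce));`, so it describes the wrong statement and hides the reason the call was moved. Presumably the legacy certificate types also serialise `nonce` later in the function, outside this hunk, and before this change would have written an uninitialised buffer; that is worth stating, since it makes the change security-relevant rather than cosmetic. I would put `/* always generate the nonce: every cert format serialises it, only the position differs */` above the call and move the existing `-v01` comment down to the `if`. The new patch file also carries no header of its own; the Bugzilla reference exists only in the spec, so a one-line description at the top of the patch would keep the reason with the code.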