[gsi-openssh/el6] Drop openssh-5.3p1-unblock-signals.patch - not needed with GT >= 5.2 Based on openssh-5.3p1-70.el6
Mattias Ellert
ellert at fedoraproject.org
Sun Jan 22 18:06:32 UTC 2012
commit 0e80382a5d3e8d0d0e0c68ea225e7e96147901e9
Author: Mattias Ellert <mattias.ellert at fysast.uu.se>
Date: Sun Jan 22 18:39:56 2012 +0100
Drop openssh-5.3p1-unblock-signals.patch - not needed with GT >= 5.2
Based on openssh-5.3p1-70.el6
gsi-openssh.spec | 26 ++++--
openssh-5.3p1-askpass-ld.patch | 18 ++++
openssh-5.3p1-biguid.patch | 2 +-
openssh-5.3p1-entropy.patch | 17 +++-
openssh-5.3p1-gsissh.patch | 4 +-
openssh-5.3p1-ipv6man.patch | 48 +++++++++++
openssh-5.3p1-ldap.patch | 81 ++++++++++---------
openssh-5.3p1-manerr.patch | 60 ++++++++++++++
....2p1-sesftp.patch => openssh-5.3p1-sesftp.patch | 35 ++++----
openssh-5.3p1-sftp-chroot.patch | 83 ++++++++++++++++++--
openssh-5.3p1-unblock-signals.patch | 76 ------------------
11 files changed, 294 insertions(+), 156 deletions(-)
---
diff --git a/gsi-openssh.spec b/gsi-openssh.spec
index f01c52d..e4badf9 100644
--- a/gsi-openssh.spec
+++ b/gsi-openssh.spec
@@ -2,7 +2,11 @@
# This gsissh specfile is based on the openssh specfile
# Do we want SELinux & Audit
+%if 0%{?!noselinux:1}
%global WITH_SELINUX 1
+%else
+%define WITH_SELINUX 0
+%endif
# OpenSSH privilege separation requires a user & group ID
%global sshd_uid 74
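Review bot: The two branches set WITH_SELINUX with different macros, `%global` when SELinux is enabled and `%define` in the `%else` branch; writing `%global WITH_SELINUX 0` keeps both definitions at the same scope and matches the `%global` lines around it. A short comment above the `%if` would also help, stating that defining `noselinux` produces a build without the SELinux context transitions that the sftp patches in this commit add.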
@@ -33,7 +37,7 @@
Summary: An implementation of the SSH protocol with GSI authentication
Name: gsi-openssh
Version: 5.3p1
-Release: 3%{?dist}
+Release: 4%{?dist}
Provides: gsissh = %{version}-%{release}
Obsoletes: gsissh < 5.3p1-3
URL: http://www.openssh.com/portable.html
@@ -55,7 +59,7 @@ Patch5: openssh-5.3p1-engine.patch
Patch12: openssh-5.2p1-selinux.patch
Patch13: openssh-5.3p1-mls.patch
Patch18: openssh-5.0p1-pam_selinux.patch
-Patch19: openssh-5.2p1-sesftp.patch
+Patch19: openssh-5.3p1-sesftp.patch
Patch22: openssh-3.9p1-askpass-keep-above.patch
Patch24: openssh-4.3p1-fromto-remote.patch
Patch27: openssh-5.1p1-log-in-chroot.patch
@@ -88,15 +92,14 @@ Patch86: openssh-5.3p1-keycat.patch
Patch87: openssh-5.3p1-sftp-chroot.patch
Patch88: openssh-5.3p1-entropy.patch
Patch89: openssh-5.3p1-multiple-sighup.patch
+Patch90: openssh-5.3p1-ipv6man.patch
+Patch91: openssh-5.3p1-manerr.patch
+Patch92: openssh-5.3p1-askpass-ld.patch
# This is the patch that adds GSI support
# Based on http://grid.ncsa.illinois.edu/ssh/dl/patch/openssh-5.3p1.patch
Patch98: openssh-5.3p1-gsissh.patch
-# The gsissh server has problems with blocked signals in threaded globus libs
-# This patch from OSG resolves these problems
-Patch99: openssh-5.3p1-unblock-signals.patch
-
License: BSD
Group: Applications/Internet
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -122,8 +125,10 @@ BuildRequires: krb5-devel
%endif
%if %{gsi}
-BuildRequires: globus-gss-assist-devel
-BuildRequires: globus-usage-devel
+BuildRequires: globus-gss-assist-devel >= 8
+BuildRequires: globus-gssapi-gsi >= 10
+BuildRequires: globus-common >= 14
+BuildRequires: globus-usage-devel >= 3
%endif
%if %{libedit}
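Review bot: The new version floors are build-time only, so nothing visible here prevents installing the package alongside Globus libraries older than the ones that make the unblock-signals patch unnecessary. If that fix lives in the shared libraries, matching `Requires:` lines with the same floors are needed, otherwise the blocked-signal problem can return at run time. `globus-gssapi-gsi` and `globus-common` are also named without `-devel`, although the configure change in openssh-5.3p1-gsissh.patch asks pkg-config for their flags. Presumably the development packages arrive through `globus-gss-assist-devel`, but naming them directly would make the dependency explicit.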
@@ -241,7 +246,6 @@ This version of OpenSSH has been modified to support GSI authentication.
%patch88 -p1 -b .entropy
%patch89 -p1 -b .multiple-sighhup
%patch98 -p1 -b .gsi
-%patch99 -p1 -b .signals
sed 's/sshd.pid/gsisshd.pid/' -i pathnames.h
sed 's!$(piddir)/sshd.pid!$(piddir)/gsisshd.pid!' -i Makefile.in
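Review bot: The `%prep` context shows `%patch89` followed directly by `%patch98`, so Patch90, Patch91 and Patch92, which this commit declares, appear never to be applied unless that happens in a part of `%prep` outside this hunk. If it does not, add `%patch90 -p1 -b .ipv6man`, `%patch91 -p1 -b .manerr` and `%patch92 -p1 -b .askpass-ld` after `%patch89`. As it stands the askpass build-flag change and the man page fixes would ship in the source package but not in the built binaries.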
@@ -444,6 +448,10 @@ fi
%attr(0640,root,root) %config(noreplace) /etc/sysconfig/gsisshd
%changelog
+* Sun Jan 22 2012 Mattias Ellert <mattias.ellert at fysast.uu.se> - 5.3p1-4
+- Drop openssh-5.3p1-unblock-signals.patch - not needed with GT >= 5.2
+- Based on openssh-5.3p1-70.el6
+
* Thu Oct 06 2011 Mattias Ellert <mattias.ellert at fysast.uu.se> - 5.3p1-3
- Change package name gsissh → gsi-openssh
- Based on openssh-5.3p1-52.el6_1.2
diff --git a/openssh-5.3p1-askpass-ld.patch b/openssh-5.3p1-askpass-ld.patch
new file mode 100644
index 0000000..8d4e01a
--- /dev/null
+++ b/openssh-5.3p1-askpass-ld.patch
@@ -0,0 +1,18 @@
+diff -up openssh-5.3p1/contrib/Makefile.askpass-ld openssh-5.3p1/contrib/Makefile
+--- openssh-5.3p1/contrib/Makefile.askpass-ld 2002-09-30 02:44:40.000000000 +0200
++++ openssh-5.3p1/contrib/Makefile 2011-08-22 12:15:17.637420293 +0200
+@@ -2,12 +2,12 @@ all:
+ @echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
+
+ gnome-ssh-askpass1: gnome-ssh-askpass1.c
+- $(CC) `gnome-config --cflags gnome gnomeui` \
++ $(CC) ${CFLAGS} `gnome-config --cflags gnome gnomeui` \
+ gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \
+ `gnome-config --libs gnome gnomeui`
+
+ gnome-ssh-askpass2: gnome-ssh-askpass2.c
+- $(CC) `pkg-config --cflags gtk+-2.0` \
++ $(CC) ${CFLAGS} `pkg-config --cflags gtk+-2.0` \
+ gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
+ `pkg-config --libs gtk+-2.0`
+
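Review bot: Only `${CFLAGS}` is added to the two askpass rules, and each rule compiles and links in a single `$(CC)` invocation, so link-time hardening options passed in `LDFLAGS` still do not reach these passphrase-handling binaries. Adding `${LDFLAGS}` next to `${CFLAGS}` on both command lines would cover that. Whether the spec exports `LDFLAGS` for this make call is not visible here.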
diff --git a/openssh-5.3p1-biguid.patch b/openssh-5.3p1-biguid.patch
index 5892008..dc545e4 100644
--- a/openssh-5.3p1-biguid.patch
+++ b/openssh-5.3p1-biguid.patch
@@ -52,7 +52,7 @@ diff -up openssh-5.6p1/loginrec.c.biguid openssh-5.6p1/loginrec.c
if (S_ISREG(st.st_mode)) {
/* find this uid's offset in the lastlog file */
- offset = (off_t) ((long)li->uid * sizeof(struct lastlog));
-+ offset = (off_t) ((u_long)li->uid * sizeof(struct lastlog));
++ offset = (off_t) ((unsigned long long)li->uid * sizeof(struct lastlog));
if (lseek(*fd, offset, SEEK_SET) != offset) {
logit("%s: %s->lseek(): %s", __func__,
diff --git a/openssh-5.3p1-entropy.patch b/openssh-5.3p1-entropy.patch
index c3d52d6..214702f 100644
--- a/openssh-5.3p1-entropy.patch
+++ b/openssh-5.3p1-entropy.patch
@@ -89,10 +89,12 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux-prng.c.entropy openssh-5.3p1/op
diff -up openssh-5.3p1/ssh.1.entropy openssh-5.3p1/ssh.1
--- openssh-5.3p1/ssh.1.entropy 2009-06-21 09:48:52.000000000 +0200
+++ openssh-5.3p1/ssh.1 2011-05-28 01:28:30.341858350 +0200
-@@ -1252,6 +1252,20 @@ For more information, see the
+@@ -1252,6 +1252,23 @@ For more information, see the
.Cm PermitUserEnvironment
option in
.Xr sshd_config 5 .
++.Sh ENVIRONMENT
++.Bl -tag -width Ds -compact
+.It Ev SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
@@ -107,6 +109,7 @@ diff -up openssh-5.3p1/ssh.1.entropy openssh-5.3p1/ssh.1
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
++.El
.Sh FILES
.Bl -tag -width Ds -compact
.It ~/.rhosts
@@ -137,7 +140,7 @@ diff -up openssh-5.3p1/ssh-add.1.entropy openssh-5.3p1/ssh-add.1
diff -up openssh-5.3p1/ssh-agent.1.entropy openssh-5.3p1/ssh-agent.1
--- openssh-5.3p1/ssh-agent.1.entropy 2009-06-21 09:52:28.000000000 +0200
+++ openssh-5.3p1/ssh-agent.1 2011-05-28 01:28:30.592856618 +0200
-@@ -191,6 +191,23 @@ authentication agent.
+@@ -191,6 +191,24 @@ authentication agent.
These sockets should only be readable by the owner.
The sockets should get automatically removed when the agent exits.
.El
@@ -158,13 +161,14 @@ diff -up openssh-5.3p1/ssh-agent.1.entropy openssh-5.3p1/ssh-agent.1
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
++.El
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
diff -up openssh-5.3p1/sshd.8.entropy openssh-5.3p1/sshd.8
--- openssh-5.3p1/sshd.8.entropy 2009-06-21 09:52:28.000000000 +0200
+++ openssh-5.3p1/sshd.8 2011-05-28 01:28:30.716858123 +0200
-@@ -863,6 +863,23 @@ concurrently for different ports, this c
+@@ -863,6 +863,24 @@ concurrently for different ports, this c
started last).
The content of this file is not sensitive; it can be world-readable.
.El
@@ -185,13 +189,14 @@ diff -up openssh-5.3p1/sshd.8.entropy openssh-5.3p1/sshd.8
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
++.El
.Sh SEE ALSO
.Xr scp 1 ,
.Xr sftp 1 ,
diff -up openssh-5.3p1/ssh-keygen.1.entropy openssh-5.3p1/ssh-keygen.1
--- openssh-5.3p1/ssh-keygen.1.entropy 2011-05-28 01:28:08.141857715 +0200
+++ openssh-5.3p1/ssh-keygen.1 2011-05-28 01:28:30.843857051 +0200
-@@ -452,6 +452,23 @@ Contains Diffie-Hellman groups used for
+@@ -452,6 +452,24 @@ Contains Diffie-Hellman groups used for
The file format is described in
.Xr moduli 5 .
.El
@@ -212,13 +217,14 @@ diff -up openssh-5.3p1/ssh-keygen.1.entropy openssh-5.3p1/ssh-keygen.1
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
++.El
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
diff -up openssh-5.3p1/ssh-keysign.8.entropy openssh-5.3p1/ssh-keysign.8
--- openssh-5.3p1/ssh-keysign.8.entropy 2007-06-05 10:27:13.000000000 +0200
+++ openssh-5.3p1/ssh-keysign.8 2011-05-28 01:28:30.954857427 +0200
-@@ -69,6 +69,23 @@ Since they are readable only by root,
+@@ -69,6 +69,24 @@ Since they are readable only by root,
.Nm
must be set-uid root if host-based authentication is used.
.El
@@ -239,6 +245,7 @@ diff -up openssh-5.3p1/ssh-keysign.8.entropy openssh-5.3p1/ssh-keysign.8
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
++.El
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-keygen 1 ,
diff --git a/openssh-5.3p1-gsissh.patch b/openssh-5.3p1-gsissh.patch
index d63bd2a..298fe8c 100644
--- a/openssh-5.3p1-gsissh.patch
+++ b/openssh-5.3p1-gsissh.patch
@@ -601,8 +601,8 @@ diff -Nur openssh-5.3p1.orig/configure.ac openssh-5.3p1/configure.ac
+ GSSAPI="GSI"
+ fi
+
-+ LIBS="$LIBS `pkg-config --libs globus-gss-assist`"
-+ CPPFLAGS="$CPPFLAGS `pkg-config --cflags globus-gss-assist`"
++ LIBS="$LIBS `pkg-config --libs globus-gss-assist globus-gssapi-gsi globus-common`"
++ CPPFLAGS="$CPPFLAGS `pkg-config --cflags globus-gss-assist globus-gssapi-gsi globus-common`"
+
+ AC_DEFINE(GSSAPI)
+ AC_DEFINE(HAVE_GSSAPI_H)
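Review bot: The backtick `pkg-config` calls are unchecked, so if any of the three modules is missing the substitution is empty, `LIBS` and `CPPFLAGS` stay as they were, and configure carries on until a later compile or link step fails with a less useful message. Test the modules first, for example `pkg-config --exists globus-gss-assist globus-gssapi-gsi globus-common || AC_MSG_ERROR([Globus GSI pkg-config modules not found])`, or use `PKG_CHECK_MODULES`. The enclosing `if` block starts and ends outside the hunk.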
diff --git a/openssh-5.3p1-ipv6man.patch b/openssh-5.3p1-ipv6man.patch
new file mode 100644
index 0000000..62b9fec
--- /dev/null
+++ b/openssh-5.3p1-ipv6man.patch
@@ -0,0 +1,48 @@
+diff -up openssh-5.3p1/scp.1.ipv6man openssh-5.3p1/scp.1
+--- openssh-5.3p1/scp.1.ipv6man 2011-09-07 10:57:07.674442095 +0200
++++ openssh-5.3p1/scp.1 2011-09-07 11:01:01.693446719 +0200
+@@ -219,6 +219,8 @@ debugging connection, authentication, an
+ .El
+ .Pp
+ .Ex -std scp
++.Sh IPV6
++IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
+ .Sh SEE ALSO
+ .Xr rcp 1 ,
+ .Xr sftp 1 ,
+diff -up openssh-5.3p1/sftp.1.ipv6man openssh-5.3p1/sftp.1
+--- openssh-5.3p1/sftp.1.ipv6man 2011-09-07 11:05:24.720458419 +0200
++++ openssh-5.3p1/sftp.1 2011-09-07 11:08:23.002567843 +0200
+@@ -450,6 +450,8 @@ Escape to local shell.
+ .It Ic \&?
+ Synonym for help.
+ .El
++.Sh IPV6
++IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
+ .Sh SEE ALSO
+ .Xr ftp 1 ,
+ .Xr ls 1 ,
+diff -up openssh-5.3p1/ssh.1.ipv6man openssh-5.3p1/ssh.1
+--- openssh-5.3p1/ssh.1.ipv6man 2011-09-07 10:55:13.803453440 +0200
++++ openssh-5.3p1/ssh.1 2011-09-07 10:55:15.645549247 +0200
+@@ -1406,6 +1406,8 @@ See the
+ .Xr sshd 8
+ manual page for more information.
+ .El
++.Sh IPV6
++IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
+ .Sh SEE ALSO
+ .Xr scp 1 ,
+ .Xr sftp 1 ,
+diff -up openssh-5.3p1/sshd.8.ipv6man openssh-5.3p1/sshd.8
+--- openssh-5.3p1/sshd.8.ipv6man 2011-09-07 10:55:14.611444938 +0200
++++ openssh-5.3p1/sshd.8 2011-09-07 10:55:15.813502969 +0200
+@@ -881,6 +881,8 @@ This setting is not recommended on the c
+ random generator because insufficient entropy causes the connection to
+ be blocked until enough entropy is available.
+ .El
++.Sh IPV6
++IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
+ .Sh SEE ALSO
+ .Xr scp 1 ,
+ .Xr sftp 1 ,
diff --git a/openssh-5.3p1-ldap.patch b/openssh-5.3p1-ldap.patch
index 316909b..ec836cd 100644
--- a/openssh-5.3p1-ldap.patch
+++ b/openssh-5.3p1-ldap.patch
@@ -1,6 +1,6 @@
diff -up openssh-5.3p1/configure.ac.ldap openssh-5.3p1/configure.ac
---- openssh-5.3p1/configure.ac.ldap 2011-03-10 22:39:33.204854859 +0100
-+++ openssh-5.3p1/configure.ac 2011-03-10 22:39:34.913980413 +0100
+--- openssh-5.3p1/configure.ac.ldap 2011-05-28 09:22:48.143856747 +0200
++++ openssh-5.3p1/configure.ac 2011-05-28 09:22:52.868860720 +0200
@@ -1363,6 +1363,109 @@ AC_ARG_WITH(authorized-keys-command,
]
)
@@ -112,8 +112,8 @@ diff -up openssh-5.3p1/configure.ac.ldap openssh-5.3p1/configure.ac
AC_CHECK_FUNCS( \
arc4random \
diff -up openssh-5.3p1/HOWTO.ldap-keys.ldap openssh-5.3p1/HOWTO.ldap-keys
---- openssh-5.3p1/HOWTO.ldap-keys.ldap 2011-03-10 22:39:34.940854648 +0100
-+++ openssh-5.3p1/HOWTO.ldap-keys 2011-03-10 22:39:34.952854376 +0100
+--- openssh-5.3p1/HOWTO.ldap-keys.ldap 2011-05-28 09:22:52.967865560 +0200
++++ openssh-5.3p1/HOWTO.ldap-keys 2011-05-28 09:22:52.973858316 +0200
@@ -0,0 +1,108 @@
+
+HOW TO START
@@ -224,8 +224,8 @@ diff -up openssh-5.3p1/HOWTO.ldap-keys.ldap openssh-5.3p1/HOWTO.ldap-keys
+ Jan F. Chadima <jchadima at redhat.com>
+
diff -up openssh-5.3p1/ldapbody.c.ldap openssh-5.3p1/ldapbody.c
---- openssh-5.3p1/ldapbody.c.ldap 2011-03-10 22:39:34.982980062 +0100
-+++ openssh-5.3p1/ldapbody.c 2011-03-10 22:39:34.995855141 +0100
+--- openssh-5.3p1/ldapbody.c.ldap 2011-05-28 09:22:53.037865268 +0200
++++ openssh-5.3p1/ldapbody.c 2011-05-28 09:22:53.043861843 +0200
@@ -0,0 +1,494 @@
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -722,8 +722,8 @@ diff -up openssh-5.3p1/ldapbody.c.ldap openssh-5.3p1/ldapbody.c
+}
+
diff -up openssh-5.3p1/ldapbody.h.ldap openssh-5.3p1/ldapbody.h
---- openssh-5.3p1/ldapbody.h.ldap 2011-03-10 22:39:35.008854699 +0100
-+++ openssh-5.3p1/ldapbody.h 2011-03-10 22:39:35.016854649 +0100
+--- openssh-5.3p1/ldapbody.h.ldap 2011-05-28 09:22:53.112919409 +0200
++++ openssh-5.3p1/ldapbody.h 2011-05-28 09:22:53.117924005 +0200
@@ -0,0 +1,37 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -763,8 +763,8 @@ diff -up openssh-5.3p1/ldapbody.h.ldap openssh-5.3p1/ldapbody.h
+#endif /* LDAPBODY_H */
+
diff -up openssh-5.3p1/ldapconf.c.ldap openssh-5.3p1/ldapconf.c
---- openssh-5.3p1/ldapconf.c.ldap 2011-03-10 22:39:35.030979743 +0100
-+++ openssh-5.3p1/ldapconf.c 2011-03-10 22:39:35.039854544 +0100
+--- openssh-5.3p1/ldapconf.c.ldap 2011-05-28 09:22:53.182919207 +0200
++++ openssh-5.3p1/ldapconf.c 2011-05-28 09:22:53.189922758 +0200
@@ -0,0 +1,682 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -1449,8 +1449,8 @@ diff -up openssh-5.3p1/ldapconf.c.ldap openssh-5.3p1/ldapconf.c
+}
+
diff -up openssh-5.3p1/ldapconf.h.ldap openssh-5.3p1/ldapconf.h
---- openssh-5.3p1/ldapconf.h.ldap 2011-03-10 22:39:35.055854552 +0100
-+++ openssh-5.3p1/ldapconf.h 2011-03-10 22:39:35.065855563 +0100
+--- openssh-5.3p1/ldapconf.h.ldap 2011-05-28 09:22:53.256919658 +0200
++++ openssh-5.3p1/ldapconf.h 2011-05-28 09:22:53.263919774 +0200
@@ -0,0 +1,71 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -1524,8 +1524,8 @@ diff -up openssh-5.3p1/ldapconf.h.ldap openssh-5.3p1/ldapconf.h
+
+#endif /* LDAPCONF_H */
diff -up openssh-5.3p1/ldap.conf.ldap openssh-5.3p1/ldap.conf
---- openssh-5.3p1/ldap.conf.ldap 2011-03-10 22:39:35.079855199 +0100
-+++ openssh-5.3p1/ldap.conf 2011-03-10 22:39:35.087979869 +0100
+--- openssh-5.3p1/ldap.conf.ldap 2011-05-28 09:22:53.330862108 +0200
++++ openssh-5.3p1/ldap.conf 2011-05-28 09:22:53.337859759 +0200
@@ -0,0 +1,88 @@
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
+#
@@ -1616,8 +1616,8 @@ diff -up openssh-5.3p1/ldap.conf.ldap openssh-5.3p1/ldap.conf
+#tls_key
+
diff -up openssh-5.3p1/ldap-helper.c.ldap openssh-5.3p1/ldap-helper.c
---- openssh-5.3p1/ldap-helper.c.ldap 2011-03-10 22:39:35.102854543 +0100
-+++ openssh-5.3p1/ldap-helper.c 2011-03-10 22:39:35.111854833 +0100
+--- openssh-5.3p1/ldap-helper.c.ldap 2011-05-28 09:22:53.406919574 +0200
++++ openssh-5.3p1/ldap-helper.c 2011-05-28 09:22:53.412919868 +0200
@@ -0,0 +1,155 @@
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -1775,8 +1775,8 @@ diff -up openssh-5.3p1/ldap-helper.c.ldap openssh-5.3p1/ldap-helper.c
+void buffer_put_string(Buffer *b, const void *f, u_int l) {}
+
diff -up openssh-5.3p1/ldap-helper.h.ldap openssh-5.3p1/ldap-helper.h
---- openssh-5.3p1/ldap-helper.h.ldap 2011-03-10 22:39:35.126854639 +0100
-+++ openssh-5.3p1/ldap-helper.h 2011-03-10 22:39:35.134854896 +0100
+--- openssh-5.3p1/ldap-helper.h.ldap 2011-05-28 09:22:53.487857455 +0200
++++ openssh-5.3p1/ldap-helper.h 2011-05-28 09:22:53.493862808 +0200
@@ -0,0 +1,32 @@
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -1811,8 +1811,8 @@ diff -up openssh-5.3p1/ldap-helper.h.ldap openssh-5.3p1/ldap-helper.h
+
+#endif /* LDAP_HELPER_H */
diff -up openssh-5.3p1/ldapincludes.h.ldap openssh-5.3p1/ldapincludes.h
---- openssh-5.3p1/ldapincludes.h.ldap 2011-03-10 22:39:35.147854785 +0100
-+++ openssh-5.3p1/ldapincludes.h 2011-03-10 22:39:35.155979595 +0100
+--- openssh-5.3p1/ldapincludes.h.ldap 2011-05-28 09:22:53.565865885 +0200
++++ openssh-5.3p1/ldapincludes.h 2011-05-28 09:22:53.571920016 +0200
@@ -0,0 +1,41 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -1856,8 +1856,8 @@ diff -up openssh-5.3p1/ldapincludes.h.ldap openssh-5.3p1/ldapincludes.h
+
+#endif /* LDAPINCLUDES_H */
diff -up openssh-5.3p1/ldapmisc.c.ldap openssh-5.3p1/ldapmisc.c
---- openssh-5.3p1/ldapmisc.c.ldap 2011-03-10 22:39:35.169854892 +0100
-+++ openssh-5.3p1/ldapmisc.c 2011-03-10 22:39:35.177981004 +0100
+--- openssh-5.3p1/ldapmisc.c.ldap 2011-05-28 09:22:53.630856564 +0200
++++ openssh-5.3p1/ldapmisc.c 2011-05-28 09:22:53.635919960 +0200
@@ -0,0 +1,79 @@
+
+#include "ldapincludes.h"
@@ -1939,8 +1939,8 @@ diff -up openssh-5.3p1/ldapmisc.c.ldap openssh-5.3p1/ldapmisc.c
+#endif
+
diff -up openssh-5.3p1/ldapmisc.h.ldap openssh-5.3p1/ldapmisc.h
---- openssh-5.3p1/ldapmisc.h.ldap 2011-03-10 22:39:35.192855203 +0100
-+++ openssh-5.3p1/ldapmisc.h 2011-03-10 22:39:35.201854926 +0100
+--- openssh-5.3p1/ldapmisc.h.ldap 2011-05-28 09:22:53.706856962 +0200
++++ openssh-5.3p1/ldapmisc.h 2011-05-28 09:22:53.712920133 +0200
@@ -0,0 +1,35 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -1978,8 +1978,8 @@ diff -up openssh-5.3p1/ldapmisc.h.ldap openssh-5.3p1/ldapmisc.h
+#endif /* LDAPMISC_H */
+
diff -up openssh-5.3p1/Makefile.in.ldap openssh-5.3p1/Makefile.in
---- openssh-5.3p1/Makefile.in.ldap 2011-03-10 22:39:33.602854839 +0100
-+++ openssh-5.3p1/Makefile.in 2011-03-10 22:39:35.237854870 +0100
+--- openssh-5.3p1/Makefile.in.ldap 2011-05-28 09:22:49.651856957 +0200
++++ openssh-5.3p1/Makefile.in 2011-05-28 09:22:53.835856734 +0200
@@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server
@@ -2066,8 +2066,8 @@ diff -up openssh-5.3p1/Makefile.in.ldap openssh-5.3p1/Makefile.in
tests interop-tests: $(TARGETS)
diff -up openssh-5.3p1/openssh-lpk-openldap.schema.ldap openssh-5.3p1/openssh-lpk-openldap.schema
---- openssh-5.3p1/openssh-lpk-openldap.schema.ldap 2011-03-10 22:39:35.263854862 +0100
-+++ openssh-5.3p1/openssh-lpk-openldap.schema 2011-03-10 22:39:35.271854845 +0100
+--- openssh-5.3p1/openssh-lpk-openldap.schema.ldap 2011-05-28 09:22:53.922861293 +0200
++++ openssh-5.3p1/openssh-lpk-openldap.schema 2011-05-28 09:22:53.928859824 +0200
@@ -0,0 +1,21 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
@@ -2091,8 +2091,8 @@ diff -up openssh-5.3p1/openssh-lpk-openldap.schema.ldap openssh-5.3p1/openssh-lp
+ MUST ( sshPublicKey $ uid )
+ )
diff -up openssh-5.3p1/openssh-lpk-sun.schema.ldap openssh-5.3p1/openssh-lpk-sun.schema
---- openssh-5.3p1/openssh-lpk-sun.schema.ldap 2011-03-10 22:39:35.285854812 +0100
-+++ openssh-5.3p1/openssh-lpk-sun.schema 2011-03-10 22:39:35.295979788 +0100
+--- openssh-5.3p1/openssh-lpk-sun.schema.ldap 2011-05-28 09:22:54.000865350 +0200
++++ openssh-5.3p1/openssh-lpk-sun.schema 2011-05-28 09:22:54.008865109 +0200
@@ -0,0 +1,23 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
@@ -2118,9 +2118,9 @@ diff -up openssh-5.3p1/openssh-lpk-sun.schema.ldap openssh-5.3p1/openssh-lpk-sun
+ MUST ( sshPublicKey $ uid )
+ )
diff -up openssh-5.3p1/ssh-ldap.conf.5.ldap openssh-5.3p1/ssh-ldap.conf.5
---- openssh-5.3p1/ssh-ldap.conf.5.ldap 2011-03-10 22:39:35.310854926 +0100
-+++ openssh-5.3p1/ssh-ldap.conf.5 2011-03-10 22:39:35.319854605 +0100
-@@ -0,0 +1,373 @@
+--- openssh-5.3p1/ssh-ldap.conf.5.ldap 2011-05-28 09:22:54.076856990 +0200
++++ openssh-5.3p1/ssh-ldap.conf.5 2011-05-28 09:30:39.790918625 +0200
+@@ -0,0 +1,376 @@
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"
+.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved.
@@ -2164,6 +2164,7 @@ diff -up openssh-5.3p1/ssh-ldap.conf.5.ldap openssh-5.3p1/ssh-ldap.conf.5
+may be incorrect, as the quotes would become part of the value.
+The possible keywords and their meanings are as follows (note that
+keywords are case-insensitive, and arguments, on a case by case basis, may be case-sensitive).
++.Bl -tag -width Ds
+.It Cm URI
+The argument(s) are in the form
+.Pa ldap[si]://[name[:port]]
@@ -2331,7 +2332,7 @@ diff -up openssh-5.3p1/ssh-ldap.conf.5.ldap openssh-5.3p1/ssh-ldap.conf.5
+are the aliases for
+.Dq no .
+If
-+.Dqstart_tls
++.Dq start_tls
+is specified then StartTLS is used rather than raw LDAP over SSL.
+The default for ldap:// is
+.Dq start_tls ,
@@ -2480,11 +2481,13 @@ diff -up openssh-5.3p1/ssh-ldap.conf.5.ldap openssh-5.3p1/ssh-ldap.conf.5
+.It Cm SSH_Filter
+Specifies the user filter applied on the LDAP serch.
+The default is no filter.
++.El
+.Sh FILES
+.Bl -tag -width Ds
+.It Pa /etc/ssh/ldap.conf
+Ldap configuration file for
+.Xr ssh-ldap-helper 8 .
++.El
+.Sh "SEE ALSO"
+.Xr ldap.conf 5 ,
+.Xr ssh-ldap-helper 8
@@ -2495,8 +2498,8 @@ diff -up openssh-5.3p1/ssh-ldap.conf.5.ldap openssh-5.3p1/ssh-ldap.conf.5
+.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima at redhat.com
diff -up openssh-5.3p1/ssh-ldap-helper.8.ldap openssh-5.3p1/ssh-ldap-helper.8
---- openssh-5.3p1/ssh-ldap-helper.8.ldap 2011-03-10 22:39:35.333855077 +0100
-+++ openssh-5.3p1/ssh-ldap-helper.8 2011-03-10 22:39:35.342854887 +0100
+--- openssh-5.3p1/ssh-ldap-helper.8.ldap 2011-05-28 09:22:54.149856901 +0200
++++ openssh-5.3p1/ssh-ldap-helper.8 2011-05-28 09:30:39.913857981 +0200
@@ -0,0 +1,79 @@
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"
@@ -2566,7 +2569,7 @@ diff -up openssh-5.3p1/ssh-ldap-helper.8.ldap openssh-5.3p1/ssh-ldap-helper.8
+.It Fl w
+.Nm
+writes warnings about unknown items in the ldap.conf configuration file.
-+
++.El
+.Sh SEE ALSO
+.Xr sshd 8 ,
+.Xr sshd_config 5 ,
@@ -2578,8 +2581,8 @@ diff -up openssh-5.3p1/ssh-ldap-helper.8.ldap openssh-5.3p1/ssh-ldap-helper.8
+.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima at redhat.com
diff -up openssh-5.3p1/ssh-ldap-wrapper.ldap openssh-5.3p1/ssh-ldap-wrapper
---- openssh-5.3p1/ssh-ldap-wrapper.ldap 2011-03-10 22:39:35.356855153 +0100
-+++ openssh-5.3p1/ssh-ldap-wrapper 2011-03-10 22:39:35.365854937 +0100
+--- openssh-5.3p1/ssh-ldap-wrapper.ldap 2011-05-28 09:22:54.224857230 +0200
++++ openssh-5.3p1/ssh-ldap-wrapper 2011-05-28 09:22:54.230861451 +0200
@@ -0,0 +1,4 @@
+#!/bin/sh
+
diff --git a/openssh-5.3p1-manerr.patch b/openssh-5.3p1-manerr.patch
new file mode 100644
index 0000000..c631c42
--- /dev/null
+++ b/openssh-5.3p1-manerr.patch
@@ -0,0 +1,60 @@
+diff -up openssh-5.3p1/contrib/ssh-copy-id.1.manerr openssh-5.3p1/contrib/ssh-copy-id.1
+--- openssh-5.3p1/contrib/ssh-copy-id.1.manerr 2009-01-21 10:29:21.000000000 +0100
++++ openssh-5.3p1/contrib/ssh-copy-id.1 2011-08-08 07:18:11.764892034 +0200
+@@ -17,18 +17,18 @@ translations approved by the Free Softwa
+ the original English.
+ ..
+ .TH SSH-COPY-ID 1 "14 November 1999" "OpenSSH"
+-.SH NAME
++.SH NAME
+ ssh-copy-id \- install your public key in a remote machine's authorized_keys
+-.SH SYNOPSIS
++.SH SYNOPSIS
+ .B ssh-copy-id [-i [identity_file]]
+ .I "[user@]machine"
+ .br
+-.SH DESCRIPTION
++.SH DESCRIPTION
+ .BR ssh-copy-id
+ is a script that uses ssh to log into a remote machine (presumably
+ using a login password, so password authentication should be enabled,
+ unless you've done some clever use of multiple identities)
+-.PP
++.Pp
+ It also changes the permissions of the remote user's home,
+ .BR ~/.ssh ,
+ and
+@@ -38,7 +38,7 @@ to remove group writability (which would
+ has
+ .B StrictModes
+ set in its configuration).
+-.PP
++.Pp
+ If the
+ .B -i
+ option is given then the identity file (defaults to
+@@ -46,11 +46,11 @@ option is given then the identity file (
+ is used, regardless of whether there are any keys in your
+ .BR ssh-agent .
+ Otherwise, if this:
+-.PP
++.Pp
+ .B " ssh-add -L"
+-.PP
++.Pp
+ provides any output, it uses that in preference to the identity file.
+-.PP
++.Pp
+ If the
+ .B -i
+ option is used, or the
+@@ -60,8 +60,7 @@ file. Once it has one or more fingerpri
+ uses ssh to append them to
+ .B ~/.ssh/authorized_keys
+ on the remote machine (creating the file, and directory, if necessary)
+-
+-.SH "SEE ALSO"
++.SH "SEE ALSO"
+ .BR ssh (1),
+ .BR ssh-agent (1),
+ .BR sshd (8)
diff --git a/openssh-5.2p1-sesftp.patch b/openssh-5.3p1-sesftp.patch
similarity index 58%
rename from openssh-5.2p1-sesftp.patch
rename to openssh-5.3p1-sesftp.patch
index 3470e8f..61e9811 100644
--- a/openssh-5.2p1-sesftp.patch
+++ b/openssh-5.3p1-sesftp.patch
@@ -1,6 +1,6 @@
-diff -up openssh-5.2p1/openbsd-compat/port-linux.c.sesftp openssh-5.2p1/openbsd-compat/port-linux.c
---- openssh-5.2p1/openbsd-compat/port-linux.c.sesftp 2009-08-12 00:29:37.712368892 +0200
-+++ openssh-5.2p1/openbsd-compat/port-linux.c 2009-08-12 00:29:37.732544890 +0200
+diff -up openssh-5.3p1/openbsd-compat/port-linux.c.sesftp openssh-5.3p1/openbsd-compat/port-linux.c
+--- openssh-5.3p1/openbsd-compat/port-linux.c.sesftp 2011-06-20 13:03:45.615457484 +0200
++++ openssh-5.3p1/openbsd-compat/port-linux.c 2011-06-20 13:03:45.741457374 +0200
@@ -469,4 +469,36 @@ ssh_selinux_setup_pty(char *pwname, cons
freecon(user_ctx);
debug3("%s: done", __func__);
@@ -38,9 +38,9 @@ diff -up openssh-5.2p1/openbsd-compat/port-linux.c.sesftp openssh-5.2p1/openbsd-
+ xfree(newctx);
+}
#endif /* WITH_SELINUX */
-diff -up openssh-5.2p1/openbsd-compat/port-linux.h.sesftp openssh-5.2p1/openbsd-compat/port-linux.h
---- openssh-5.2p1/openbsd-compat/port-linux.h.sesftp 2008-03-26 21:27:21.000000000 +0100
-+++ openssh-5.2p1/openbsd-compat/port-linux.h 2009-08-12 00:29:37.733388083 +0200
+diff -up openssh-5.3p1/openbsd-compat/port-linux.h.sesftp openssh-5.3p1/openbsd-compat/port-linux.h
+--- openssh-5.3p1/openbsd-compat/port-linux.h.sesftp 2008-03-26 21:27:21.000000000 +0100
++++ openssh-5.3p1/openbsd-compat/port-linux.h 2011-06-20 13:03:45.786457484 +0200
@@ -23,6 +23,7 @@
int ssh_selinux_enabled(void);
void ssh_selinux_setup_pty(char *, const char *);
@@ -49,16 +49,17 @@ diff -up openssh-5.2p1/openbsd-compat/port-linux.h.sesftp openssh-5.2p1/openbsd-
#endif
#endif /* ! _PORT_LINUX_H */
-diff -up openssh-5.2p1/session.c.sesftp openssh-5.2p1/session.c
---- openssh-5.2p1/session.c.sesftp 2009-08-12 00:29:37.659250161 +0200
-+++ openssh-5.2p1/session.c 2009-08-12 00:29:37.729578695 +0200
-@@ -1798,6 +1798,9 @@ do_child(Session *s, const char *command
- argv[i] = NULL;
- optind = optreset = 1;
- __progname = argv[0];
+diff -up openssh-5.3p1/session.c.sesftp openssh-5.3p1/session.c
+--- openssh-5.3p1/session.c.sesftp 2011-06-20 13:03:45.000000000 +0200
++++ openssh-5.3p1/session.c 2011-06-20 13:06:29.224741978 +0200
+@@ -1533,6 +1533,10 @@ do_setusercontext(struct passwd *pw)
+ free(chroot_path);
+ }
+
+#ifdef WITH_SELINUX
-+ ssh_selinux_change_context("sftpd_t");
++ ssh_selinux_change_context("sshd_sftpd_t");
+#endif
- exit(sftp_server_main(i, argv, s->pw));
- }
-
++
+ #ifdef HAVE_SETPCRED
+ if (setpcred(pw->pw_name, (char **)NULL) == -1)
+ fatal("Failed to set process credentials");
diff --git a/openssh-5.3p1-sftp-chroot.patch b/openssh-5.3p1-sftp-chroot.patch
index 109e8b3..d71a150 100644
--- a/openssh-5.3p1-sftp-chroot.patch
+++ b/openssh-5.3p1-sftp-chroot.patch
@@ -1,6 +1,6 @@
diff -up openssh-5.3p1/channels.c.sftp-chroot openssh-5.3p1/channels.c
---- openssh-5.3p1/channels.c.sftp-chroot 2011-03-03 12:03:43.000000000 +0100
-+++ openssh-5.3p1/channels.c 2011-03-03 12:03:48.000000000 +0100
+--- openssh-5.3p1/channels.c.sftp-chroot 2011-08-25 22:56:05.097081555 +0200
++++ openssh-5.3p1/channels.c 2011-08-25 22:56:17.284027242 +0200
@@ -839,8 +839,9 @@ channel_pre_open(Channel *c, fd_set *rea
if (c->extended_usage == CHAN_EXTENDED_WRITE &&
buffer_len(&c->extended) > 0)
@@ -22,7 +22,7 @@ diff -up openssh-5.3p1/channels.c.sftp-chroot openssh-5.3p1/channels.c
+ } else if (c->efd != -1 &&
+ (c->extended_usage == CHAN_EXTENDED_READ ||
+ c->extended_usage == CHAN_EXTENDED_IGNORE) &&
-+ FD_ISSET(c->efd, readset)) {
++ (c->detach_close || FD_ISSET(c->efd, readset))) {
len = read(c->efd, buf, sizeof(buf));
debug2("channel %d: read %d from efd %d",
c->self, len, c->efd);
@@ -39,9 +39,45 @@ diff -up openssh-5.3p1/channels.c.sftp-chroot openssh-5.3p1/channels.c
}
}
}
+diff -up openssh-5.3p1/openbsd-compat/port-linux.c.sftp-chroot openssh-5.3p1/openbsd-compat/port-linux.c
+--- openssh-5.3p1/openbsd-compat/port-linux.c.sftp-chroot 2011-08-25 22:56:16.941023541 +0200
++++ openssh-5.3p1/openbsd-compat/port-linux.c 2011-08-25 22:56:17.445026125 +0200
+@@ -519,4 +519,21 @@ ssh_selinux_change_context(const char *n
+ xfree(oldctx);
+ xfree(newctx);
+ }
++
++void
++ssh_selinux_copy_context(void)
++{
++ char *ctx;
++
++ if (!ssh_selinux_enabled())
++ return;
++
++ if (getexeccon((security_context_t *)&ctx) < 0) {
++ logit("%s: getcon failed with %s", __func__, strerror (errno));
++ return;
++ }
++ if (setcon(ctx) < 0)
++ logit("%s: setcon failed with %s", __func__, strerror (errno));
++ xfree(ctx);
++}
+ #endif /* WITH_SELINUX */
+diff -up openssh-5.3p1/openbsd-compat/port-linux.h.sftp-chroot openssh-5.3p1/openbsd-compat/port-linux.h
+--- openssh-5.3p1/openbsd-compat/port-linux.h.sftp-chroot 2011-08-25 22:55:48.496222543 +0200
++++ openssh-5.3p1/openbsd-compat/port-linux.h 2011-08-25 22:56:17.603031980 +0200
+@@ -24,6 +24,7 @@ int ssh_selinux_enabled(void);
+ void ssh_selinux_setup_pty(char *, const char *);
+ void ssh_selinux_setup_exec_context(char *);
+ void ssh_selinux_change_context(const char *);
++void ssh_selinux_chopy_context(void);
+ #endif
+
+ #endif /* ! _PORT_LINUX_H */
diff -up openssh-5.3p1/session.c.sftp-chroot openssh-5.3p1/session.c
---- openssh-5.3p1/session.c.sftp-chroot 2011-03-03 12:03:46.000000000 +0100
-+++ openssh-5.3p1/session.c 2011-03-03 12:03:49.000000000 +0100
+--- openssh-5.3p1/session.c.sftp-chroot 2011-08-25 22:56:11.262030419 +0200
++++ openssh-5.3p1/session.c 2011-08-26 10:01:26.419149592 +0200
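Review bot: The prototype added to port-linux.h is spelled `ssh_selinux_chopy_context`, while the function defined in port-linux.c and called from `do_child` in session.c is `ssh_selinux_copy_context`, so the caller compiles against an implicit declaration; the line should read `void ssh_selinux_copy_context(void);`. In the new function, `getexeccon()` can succeed and leave the context NULL when no exec context has been set, and that case still reaches `setcon(ctx)` and `xfree(ctx)`. An `if (ctx == NULL) return;` guard after the call, plus `freecon(ctx)` for the release, would make that path safe. The failure message also says `getcon` although the call is `getexeccon`.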
@@ -105,7 +105,7 @@
/* func */
@@ -184,7 +220,40 @@ diff -up openssh-5.3p1/session.c.sftp-chroot openssh-5.3p1/session.c
} else {
server_loop(pid, ptyfd, fdout, -1);
/* server_loop _has_ closed ptyfd and fdout. */
-@@ -2342,7 +2316,8 @@ session_input_channel_req(Channel *c, co
+@@ -1568,15 +1542,14 @@ do_setusercontext(struct passwd *pw)
+ pw->pw_uid);
+ chroot_path = percent_expand(tmp, "h", pw->pw_dir,
+ "u", pw->pw_name, (char *)NULL);
++#ifdef WITH_SELINUX
++ ssh_selinux_change_context("chroot_user_t");
++#endif
+ safely_chroot(chroot_path, pw->pw_uid);
+ free(tmp);
+ free(chroot_path);
+ }
+
+-#ifdef WITH_SELINUX
+- ssh_selinux_change_context("sshd_sftpd_t");
+-#endif
+-
+ #ifdef HAVE_SETPCRED
+ if (setpcred(pw->pw_name, (char **)NULL) == -1)
+ fatal("Failed to set process credentials");
+@@ -1832,6 +1805,13 @@ do_child(Session *s, const char *command
+ int i;
+ char *p, *args;
+
++#ifdef WITH_SELINUX
++ if (options.chroot_directory == NULL ||
++ strcasecmp(options.chroot_directory, "none") == 0) {
++ ssh_selinux_copy_context();
++ }
++#endif
++
+ setproctitle("%s@%s", s->pw->pw_name, INTERNAL_SFTP_NAME);
+ args = xstrdup(command ? command : "sftp-server");
+ for (i = 0, (p = strtok(args, " ")); p; (p = strtok(NULL, " ")))
+@@ -2343,7 +2323,8 @@ session_input_channel_req(Channel *c, co
}
void
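Review bot: Both SELinux calls added here return void, so a failed transition to `chroot_user_t` before `safely_chroot()`, or a failed `ssh_selinux_copy_context()` in `do_child`, lets the session continue in whatever context the daemon already had. The helper bodies are outside this hunk, so whether they do anything beyond logging cannot be confirmed from here. At minimum a comment above each call should state the intent, e.g. `/* enter chroot_user_t before chroot(); a failed transition is only logged */`. It is also worth deciding whether a failed transition should be fatal when SELinux is enforcing. `do_setusercontext` and `do_child` both start and end outside the hunk.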
@@ -194,7 +263,7 @@ diff -up openssh-5.3p1/session.c.sftp-chroot openssh-5.3p1/session.c
{
if (!compat20)
fatal("session_set_fds: called for proto != 2.0");
-@@ -2354,7 +2329,7 @@ session_set_fds(Session *s, int fdin, in
+@@ -2355,7 +2336,7 @@ session_set_fds(Session *s, int fdin, in
fatal("no channel for session %d", s->self);
channel_set_fds(s->chanid,
fdout, fdin, fderr,