[gsi-openssh/f18] Based on openssh-6.1p1-10.fc18
Mattias Ellert
ellert at fedoraproject.org
Tue Nov 26 19:12:13 UTC 2013
commit c7226f4b151cb797ed9357fa122a611eede7f990
Author: Mattias Ellert <mattias.ellert at fysast.uu.se>
Date: Tue Nov 26 16:27:56 2013 +0100
Based on openssh-6.1p1-10.fc18
.gitignore | 1 +
gsi-openssh.spec | 11 ++-
gsisshd-keygen | 23 +++
openssh-6.1p1-gsissh.patch | 196 ++++++++++++------------
openssh-6.1p1-increase-size-of-DF-groups.patch | 59 +++++++
openssh-6.1p1-ssh_gai_strerror.patch | 23 +++
6 files changed, 217 insertions(+), 96 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index e931757..154e823 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
/*.tar.bz2
+/*.tar.gz
diff --git a/gsi-openssh.spec b/gsi-openssh.spec
index 03bb460..f4516ee 100644
--- a/gsi-openssh.spec
+++ b/gsi-openssh.spec
@@ -32,7 +32,7 @@
%global nologin 1
%global openssh_ver 6.1p1
-%global openssh_rel 7
+%global openssh_rel 8
Summary: An implementation of the SSH protocol with GSI authentication
Name: gsi-openssh
@@ -155,6 +155,10 @@ Patch903: openssh-6.1p1-required-authentications.patch
Patch904: openssh-6.1p1-change-max-startups.patch
# make sftp's libedit interface marginally multibyte aware (#841771)
Patch908: openssh-6.1p1-sftp-multibyte.patch
+# don't show Success for EAI_SYSTEM (#985964)
+Patch909: openssh-6.1p1-ssh_gai_strerror.patch
+# increase the size of the Diffie-Hellman groups (#1010607)
+Patch910: openssh-6.1p1-increase-size-of-DF-groups.patch
# This is the patch that adds GSI support
# Based on http://grid.ncsa.illinois.edu/ssh/dl/patch/openssh-6.1p1.patch
@@ -319,6 +323,8 @@ This version of OpenSSH has been modified to support GSI authentication.
%patch903 -p1 -b .required-authentication
%patch904 -p1 -b .max-startups
%patch908 -p1 -b .sftp-multibyte
+%patch909 -p1 -b .ssh_gai_strerror
+%patch910 -p1 -b .dh
%patch98 -p1 -b .gsi
@@ -532,6 +538,9 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_unitdir}/gsisshd.service
%changelog
+* Tue Nov 26 2013 Mattias Ellert <mattias.ellert at fysast.uu.se> - 6.1p1-8
+- Based on openssh-6.1p1-10.fc18
+
* Mon Jun 24 2013 Mattias Ellert <mattias.ellert at fysast.uu.se> - 6.1p1-7
- Based on openssh-6.1p1-9.fc18
diff --git a/gsisshd-keygen b/gsisshd-keygen
index e3fc330..6062362 100644
--- a/gsisshd-keygen
+++ b/gsisshd-keygen
@@ -13,6 +13,7 @@ KEYGEN=/usr/bin/gsissh-keygen
RSA1_KEY=/etc/gsissh/ssh_host_key
RSA_KEY=/etc/gsissh/ssh_host_rsa_key
DSA_KEY=/etc/gsissh/ssh_host_dsa_key
+ECDSA_KEY=/etc/gsissh/ssh_host_ecdsa_key
# pull in sysconfig settings
[ -f /etc/sysconfig/gsisshd ] && . /etc/sysconfig/gsisshd
@@ -88,11 +89,33 @@ do_dsa_keygen() {
fi
}
+do_ecdsa_keygen() {
+ if [ ! -s $ECDSA_KEY ]; then
+ echo -n $"Generating SSH2 ECDSA host key: "
+ rm -f $ECDSA_KEY
+ if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then
+ chgrp ssh_keys $ECDSA_KEY
+ chmod 600 $ECDSA_KEY
+ chmod 644 $ECDSA_KEY.pub
+ if [ -x /sbin/restorecon ]; then
+ /sbin/restorecon $ECDSA_KEY.pub
+ fi
+ success $"ECDSA key generation"
+ echo
+ else
+ failure $"ECDSA key generation"
+ echo
+ exit 1
+ fi
+ fi
+}
+
# Create keys if necessary
if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
do_rsa_keygen
if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then
do_rsa1_keygen
do_dsa_keygen
+ do_ecdsa_keygen
fi
fi
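Review bot: In `do_ecdsa_keygen`, `success` is printed without checking that `chgrp`, `chmod` or `restorecon` worked, so a host key whose ownership or mode was never adjusted is still announced as correctly generated. Chaining the steps into the existing failure path would close that: `chgrp ssh_keys "$ECDSA_KEY" && chmod 600 "$ECDSA_KEY" && chmod 644 "$ECDSA_KEY.pub" || { failure $"ECDSA key generation"; echo; exit 1; }`. With mode 600 the `ssh_keys` group gets no access, so the `chgrp` changes nothing about who can read the key; either the mode should grant the group read access or a comment should say why the group is set. `/sbin/restorecon` is run only on the `.pub` file, and presumably the private key should have its label restored too. `$ECDSA_KEY` is unquoted throughout, although the sysconfig file sourced right after it is assigned can replace its value.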
diff --git a/openssh-6.1p1-gsissh.patch b/openssh-6.1p1-gsissh.patch
index 558d299..1263f28 100644
--- a/openssh-6.1p1-gsissh.patch
+++ b/openssh-6.1p1-gsissh.patch
@@ -1,6 +1,6 @@
diff -Nur openssh-6.1p1.orig/auth2.c openssh-6.1p1/auth2.c
---- openssh-6.1p1.orig/auth2.c 2012-12-10 21:40:40.360366296 +0100
-+++ openssh-6.1p1/auth2.c 2012-12-10 22:07:32.275549373 +0100
+--- openssh-6.1p1.orig/auth2.c 2013-11-26 16:18:45.957671239 +0100
++++ openssh-6.1p1/auth2.c 2013-11-26 16:16:04.321627537 +0100
@@ -231,7 +231,27 @@
user = packet_get_cstring(NULL);
service = packet_get_cstring(NULL);
@@ -97,8 +97,8 @@ diff -Nur openssh-6.1p1.orig/auth2.c openssh-6.1p1/auth2.c
authctxt->user, authctxt->service, user, service);
}
diff -Nur openssh-6.1p1.orig/auth2-gss.c openssh-6.1p1/auth2-gss.c
---- openssh-6.1p1.orig/auth2-gss.c 2012-12-10 21:40:40.361366305 +0100
-+++ openssh-6.1p1/auth2-gss.c 2012-12-10 21:41:54.847907713 +0100
+--- openssh-6.1p1.orig/auth2-gss.c 2013-11-26 16:18:45.958671227 +0100
++++ openssh-6.1p1/auth2-gss.c 2013-11-26 16:16:04.321627537 +0100
@@ -47,6 +47,7 @@
extern ServerOptions options;
@@ -280,8 +280,8 @@ diff -Nur openssh-6.1p1.orig/auth2-gss.c openssh-6.1p1/auth2-gss.c
"gssapi-keyex",
userauth_gsskeyex,
diff -Nur openssh-6.1p1.orig/auth.c openssh-6.1p1/auth.c
---- openssh-6.1p1.orig/auth.c 2012-12-10 21:40:40.205365036 +0100
-+++ openssh-6.1p1/auth.c 2012-12-10 21:41:54.849907729 +0100
+--- openssh-6.1p1.orig/auth.c 2013-11-26 16:18:45.958671227 +0100
++++ openssh-6.1p1/auth.c 2013-11-26 16:16:04.321627537 +0100
@@ -72,6 +72,9 @@
#include "authfile.h"
#include "monitor_wrap.h"
@@ -346,8 +346,8 @@ diff -Nur openssh-6.1p1.orig/auth.c openssh-6.1p1/auth.c
record_failed_login(user,
get_canonical_hostname(options.use_dns), "ssh");
diff -Nur openssh-6.1p1.orig/auth.h openssh-6.1p1/auth.h
---- openssh-6.1p1.orig/auth.h 2012-12-10 21:40:40.206365043 +0100
-+++ openssh-6.1p1/auth.h 2012-12-10 21:41:54.850907738 +0100
+--- openssh-6.1p1.orig/auth.h 2013-11-26 16:18:45.959671214 +0100
++++ openssh-6.1p1/auth.h 2013-11-26 16:16:04.321627537 +0100
@@ -155,6 +155,7 @@
const char *);
void userauth_finish(Authctxt *, int, const char *, const char *);
@@ -357,8 +357,8 @@ diff -Nur openssh-6.1p1.orig/auth.h openssh-6.1p1/auth.h
void userauth_send_banner(const char *);
diff -Nur openssh-6.1p1.orig/auth-pam.c openssh-6.1p1/auth-pam.c
---- openssh-6.1p1.orig/auth-pam.c 2012-12-10 21:40:40.182364849 +0100
-+++ openssh-6.1p1/auth-pam.c 2012-12-10 21:41:54.851907747 +0100
+--- openssh-6.1p1.orig/auth-pam.c 2013-11-26 16:18:45.960671202 +0100
++++ openssh-6.1p1/auth-pam.c 2013-11-26 16:16:04.322627525 +0100
@@ -122,6 +122,10 @@
*/
typedef pthread_t sp_pthread_t;
@@ -422,7 +422,7 @@ diff -Nur openssh-6.1p1.orig/auth-pam.c openssh-6.1p1/auth-pam.c
void
sshpam_password_change_required(int reqd)
{
-@@ -299,7 +346,7 @@
+@@ -299,7 +348,7 @@
static void
import_environments(Buffer *b)
{
@@ -431,7 +431,7 @@ diff -Nur openssh-6.1p1.orig/auth-pam.c openssh-6.1p1/auth-pam.c
u_int i, num_env;
int err;
-@@ -309,6 +356,15 @@
+@@ -309,6 +358,15 @@
/* Import variables set by do_pam_account */
sshpam_account_status = buffer_get_int(b);
sshpam_password_change_required(buffer_get_int(b));
@@ -447,7 +447,7 @@ diff -Nur openssh-6.1p1.orig/auth-pam.c openssh-6.1p1/auth-pam.c
/* Import environment from subprocess */
num_env = buffer_get_int(b);
-@@ -474,6 +530,9 @@
+@@ -474,6 +532,9 @@
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
@@ -457,7 +457,7 @@ diff -Nur openssh-6.1p1.orig/auth-pam.c openssh-6.1p1/auth-pam.c
if (compat20) {
if (!do_pam_account()) {
sshpam_err = PAM_ACCT_EXPIRED;
-@@ -494,6 +553,9 @@
+@@ -494,6 +555,9 @@
/* Export variables set by do_pam_account */
buffer_put_int(&buffer, sshpam_account_status);
buffer_put_int(&buffer, sshpam_authctxt->force_pwchange);
@@ -467,7 +467,7 @@ diff -Nur openssh-6.1p1.orig/auth-pam.c openssh-6.1p1/auth-pam.c
/* Export any environment strings set in child */
for(i = 0; environ[i] != NULL; i++)
-@@ -912,6 +974,12 @@
+@@ -912,6 +976,12 @@
debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err,
pam_strerror(sshpam_handle, sshpam_err));
@@ -480,7 +480,7 @@ diff -Nur openssh-6.1p1.orig/auth-pam.c openssh-6.1p1/auth-pam.c
if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
sshpam_account_status = 0;
return (sshpam_account_status);
-@@ -1211,6 +1279,9 @@
+@@ -1211,6 +1281,9 @@
pam_strerror(sshpam_handle, sshpam_err));
sshpam_err = pam_authenticate(sshpam_handle, flags);
@@ -491,8 +491,8 @@ diff -Nur openssh-6.1p1.orig/auth-pam.c openssh-6.1p1/auth-pam.c
if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
debug("PAM: password authentication accepted for %.100s",
diff -Nur openssh-6.1p1.orig/auth-pam.h openssh-6.1p1/auth-pam.h
---- openssh-6.1p1.orig/auth-pam.h 2012-12-10 21:40:40.183364857 +0100
-+++ openssh-6.1p1/auth-pam.h 2012-12-10 21:41:54.852907755 +0100
+--- openssh-6.1p1.orig/auth-pam.h 2013-11-26 16:18:45.960671202 +0100
++++ openssh-6.1p1/auth-pam.h 2013-11-26 16:16:04.322627525 +0100
@@ -46,5 +46,6 @@
void sshpam_cleanup(void);
int sshpam_auth_passwd(Authctxt *, const char *);
@@ -501,8 +501,8 @@ diff -Nur openssh-6.1p1.orig/auth-pam.h openssh-6.1p1/auth-pam.h
#endif /* USE_PAM */
diff -Nur openssh-6.1p1.orig/canohost.c openssh-6.1p1/canohost.c
---- openssh-6.1p1.orig/canohost.c 2012-12-10 21:40:40.243365345 +0100
-+++ openssh-6.1p1/canohost.c 2012-12-10 21:41:54.853907762 +0100
+--- openssh-6.1p1.orig/canohost.c 2013-11-26 16:18:45.961671190 +0100
++++ openssh-6.1p1/canohost.c 2013-11-26 16:16:04.322627525 +0100
@@ -16,6 +16,7 @@
#include <sys/types.h>
@@ -546,8 +546,8 @@ diff -Nur openssh-6.1p1.orig/canohost.c openssh-6.1p1/canohost.c
+ }
+}
diff -Nur openssh-6.1p1.orig/canohost.h openssh-6.1p1/canohost.h
---- openssh-6.1p1.orig/canohost.h 2009-06-21 11:50:08.000000000 +0200
-+++ openssh-6.1p1/canohost.h 2012-12-10 21:41:54.853907762 +0100
+--- openssh-6.1p1.orig/canohost.h 2013-11-26 16:18:45.961671190 +0100
++++ openssh-6.1p1/canohost.h 2013-11-26 16:16:04.322627525 +0100
@@ -26,4 +26,6 @@
int get_sock_port(int, int);
void clear_cached_addr(void);
@@ -556,8 +556,8 @@ diff -Nur openssh-6.1p1.orig/canohost.h openssh-6.1p1/canohost.h
+
void ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *);
diff -Nur openssh-6.1p1.orig/configure.ac openssh-6.1p1/configure.ac
---- openssh-6.1p1.orig/configure.ac 2012-12-10 21:40:40.366366345 +0100
-+++ openssh-6.1p1/configure.ac 2012-12-10 21:41:54.856907786 +0100
+--- openssh-6.1p1.orig/configure.ac 2013-11-26 16:18:45.962671178 +0100
++++ openssh-6.1p1/configure.ac 2013-11-26 16:16:04.323627513 +0100
@@ -3753,6 +3753,14 @@
AC_CHECK_HEADER([gssapi_krb5.h], ,
[ CPPFLAGS="$oldCPP" ])
@@ -625,8 +625,8 @@ diff -Nur openssh-6.1p1.orig/configure.ac openssh-6.1p1/configure.ac
PRIVSEP_PATH=/var/empty
diff -Nur openssh-6.1p1.orig/gss-genr.c openssh-6.1p1/gss-genr.c
---- openssh-6.1p1.orig/gss-genr.c 2012-12-10 21:40:40.368366363 +0100
-+++ openssh-6.1p1/gss-genr.c 2012-12-10 21:41:54.857907794 +0100
+--- openssh-6.1p1.orig/gss-genr.c 2013-11-26 16:18:45.963671166 +0100
++++ openssh-6.1p1/gss-genr.c 2013-11-26 16:16:04.324627501 +0100
@@ -38,6 +38,7 @@
#include "xmalloc.h"
#include "buffer.h"
@@ -664,9 +664,9 @@ diff -Nur openssh-6.1p1.orig/gss-genr.c openssh-6.1p1/gss-genr.c
return (ctx->major);
}
diff -Nur openssh-6.1p1.orig/gss-serv.c openssh-6.1p1/gss-serv.c
---- openssh-6.1p1.orig/gss-serv.c 2012-12-10 21:40:40.370366377 +0100
-+++ openssh-6.1p1/gss-serv.c 2012-12-10 21:41:54.858907803 +0100
-@@ -52,6 +52,7 @@
+--- openssh-6.1p1.orig/gss-serv.c 2013-11-26 16:18:45.963671166 +0100
++++ openssh-6.1p1/gss-serv.c 2013-11-26 16:23:39.608119371 +0100
+@@ -52,10 +52,12 @@
#include "monitor_wrap.h"
extern ServerOptions options;
@@ -674,7 +674,13 @@ diff -Nur openssh-6.1p1.orig/gss-serv.c openssh-6.1p1/gss-serv.c
static ssh_gssapi_client gssapi_client =
{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
-@@ -63,14 +64,23 @@
+- GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL, {NULL, NULL, NULL}, 0, 0};
++ GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL, {NULL, NULL, NULL, NULL, NULL},
++ GSS_C_NO_CONTEXT, 0, 0};
+
+ ssh_gssapi_mech gssapi_null_mech =
+ { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL, NULL};
+@@ -63,14 +65,23 @@
#ifdef KRB5
extern ssh_gssapi_mech gssapi_kerberos_mech;
#endif
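Review bot: The `gssapi_client` initializer is positional, so it must be edited by hand whenever `ssh_gssapi_client` or its nested `store` member gains a field, which appears to be what this refresh corrects (two more `NULL`s inside the inner braces and a `GSS_C_NO_CONTEXT` slot). A slot that drifts out of step still compiles, with at most a warning. Designated initializers would tie each value to its member; short of that, a comment above the declaration such as `/* slot order must match ssh_gssapi_client in ssh-gss.h */` would flag the coupling. The struct definition is outside this hunk, so the new slot order cannot be checked from here.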
@@ -698,7 +704,7 @@ diff -Nur openssh-6.1p1.orig/gss-serv.c openssh-6.1p1/gss-serv.c
/*
* Acquire credentials for a server running on the current host.
-@@ -159,7 +169,8 @@
+@@ -159,7 +170,8 @@
gss_create_empty_oid_set(&min_status, oidset);
@@ -708,7 +714,7 @@ diff -Nur openssh-6.1p1.orig/gss-serv.c openssh-6.1p1/gss-serv.c
return;
while (supported_mechs[i]->name != NULL) {
-@@ -212,6 +223,10 @@
+@@ -212,6 +224,10 @@
(*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) {
if (ssh_gssapi_getclient(ctx, &gssapi_client))
fatal("Couldn't convert client name");
@@ -719,7 +725,7 @@ diff -Nur openssh-6.1p1.orig/gss-serv.c openssh-6.1p1/gss-serv.c
}
return (status);
-@@ -231,6 +246,17 @@
+@@ -231,6 +247,17 @@
tok = ename->value;
@@ -737,7 +743,7 @@ diff -Nur openssh-6.1p1.orig/gss-serv.c openssh-6.1p1/gss-serv.c
/*
* Check that ename is long enough for all of the fixed length
* header, and that the initial ID bytes are correct
-@@ -298,8 +324,11 @@
+@@ -298,8 +325,11 @@
return GSS_S_COMPLETE;
}
@@ -751,7 +757,7 @@ diff -Nur openssh-6.1p1.orig/gss-serv.c openssh-6.1p1/gss-serv.c
NULL, NULL, NULL))) {
ssh_gssapi_error(ctx);
return (ctx->major);
-@@ -342,9 +371,12 @@
+@@ -342,9 +372,12 @@
if (client->mech == NULL)
return GSS_S_FAILURE;
@@ -766,7 +772,7 @@ diff -Nur openssh-6.1p1.orig/gss-serv.c openssh-6.1p1/gss-serv.c
ssh_gssapi_error(ctx);
return (ctx->major);
}
-@@ -371,6 +403,10 @@
+@@ -371,6 +404,10 @@
/* We can't copy this structure, so we just move the pointer to it */
client->creds = ctx->client_creds;
ctx->client_creds = GSS_C_NO_CREDENTIAL;
@@ -777,7 +783,7 @@ diff -Nur openssh-6.1p1.orig/gss-serv.c openssh-6.1p1/gss-serv.c
return (ctx->major);
}
-@@ -413,6 +449,11 @@
+@@ -413,6 +450,11 @@
ssh_gssapi_storecreds(void)
{
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
@@ -789,7 +795,7 @@ diff -Nur openssh-6.1p1.orig/gss-serv.c openssh-6.1p1/gss-serv.c
(*gssapi_client.mech->storecreds)(&gssapi_client);
} else
debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
-@@ -436,8 +477,9 @@
+@@ -436,8 +478,9 @@
}
/* Privileged */
@@ -800,7 +806,7 @@ diff -Nur openssh-6.1p1.orig/gss-serv.c openssh-6.1p1/gss-serv.c
{
OM_uint32 lmin;
-@@ -446,6 +488,12 @@
+@@ -446,6 +489,12 @@
debug("No suitable client data");
return 0;
}
@@ -813,7 +819,7 @@ diff -Nur openssh-6.1p1.orig/gss-serv.c openssh-6.1p1/gss-serv.c
if (gssapi_client.mech && gssapi_client.mech->userok)
if ((*gssapi_client.mech->userok)(&gssapi_client, user)) {
gssapi_client.used = 1;
-@@ -464,6 +512,24 @@
+@@ -464,6 +513,24 @@
return (0);
}
@@ -838,7 +844,7 @@ diff -Nur openssh-6.1p1.orig/gss-serv.c openssh-6.1p1/gss-serv.c
/* These bits are only used for rekeying. The unpriviledged child is running
* as the user, the monitor is root.
*
-@@ -490,6 +556,7 @@
+@@ -490,6 +557,7 @@
pam_handle_t *pamh = NULL;
struct pam_conv pamconv = {ssh_gssapi_simple_conv, NULL};
char *envstr;
@@ -846,7 +852,7 @@ diff -Nur openssh-6.1p1.orig/gss-serv.c openssh-6.1p1/gss-serv.c
#endif
if (gssapi_client.store.filename == NULL &&
-@@ -519,6 +586,18 @@
+@@ -519,6 +587,18 @@
if (ret)
return;
@@ -865,7 +871,7 @@ diff -Nur openssh-6.1p1.orig/gss-serv.c openssh-6.1p1/gss-serv.c
xasprintf(&envstr, "%s=%s", gssapi_client.store.envvar,
gssapi_client.store.envval);
-@@ -550,4 +629,13 @@
+@@ -550,4 +630,13 @@
return ok;
}
@@ -881,7 +887,7 @@ diff -Nur openssh-6.1p1.orig/gss-serv.c openssh-6.1p1/gss-serv.c
#endif
diff -Nur openssh-6.1p1.orig/gss-serv-gsi.c openssh-6.1p1/gss-serv-gsi.c
--- openssh-6.1p1.orig/gss-serv-gsi.c 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-6.1p1/gss-serv-gsi.c 2012-12-10 21:41:54.859907812 +0100
++++ openssh-6.1p1/gss-serv-gsi.c 2013-11-26 16:16:04.324627501 +0100
@@ -0,0 +1,238 @@
+/*
+ * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -1122,8 +1128,8 @@ diff -Nur openssh-6.1p1.orig/gss-serv-gsi.c openssh-6.1p1/gss-serv-gsi.c
+#endif /* GSI */
+#endif /* GSSAPI */
diff -Nur openssh-6.1p1.orig/gss-serv-krb5.c openssh-6.1p1/gss-serv-krb5.c
---- openssh-6.1p1.orig/gss-serv-krb5.c 2012-12-10 21:40:40.410366704 +0100
-+++ openssh-6.1p1/gss-serv-krb5.c 2012-12-10 21:41:54.862907835 +0100
+--- openssh-6.1p1.orig/gss-serv-krb5.c 2013-11-26 16:18:45.964671154 +0100
++++ openssh-6.1p1/gss-serv-krb5.c 2013-11-26 16:16:04.324627501 +0100
@@ -262,6 +262,34 @@
return found_principal;
}
@@ -1178,8 +1184,8 @@ diff -Nur openssh-6.1p1.orig/gss-serv-krb5.c openssh-6.1p1/gss-serv-krb5.c
&ssh_gssapi_krb5_updatecreds
};
diff -Nur openssh-6.1p1.orig/kexgsss.c openssh-6.1p1/kexgsss.c
---- openssh-6.1p1.orig/kexgsss.c 2012-12-10 21:40:40.373366403 +0100
-+++ openssh-6.1p1/kexgsss.c 2012-12-10 21:41:54.862907835 +0100
+--- openssh-6.1p1.orig/kexgsss.c 2013-11-26 16:18:45.964671154 +0100
++++ openssh-6.1p1/kexgsss.c 2013-11-26 16:16:04.325627489 +0100
@@ -44,6 +44,7 @@
#include "monitor_wrap.h"
#include "servconf.h"
@@ -1241,7 +1247,7 @@ diff -Nur openssh-6.1p1.orig/kexgsss.c openssh-6.1p1/kexgsss.c
#endif /* GSSAPI */
diff -Nur openssh-6.1p1.orig/LICENSE.globus_usage openssh-6.1p1/LICENSE.globus_usage
--- openssh-6.1p1.orig/LICENSE.globus_usage 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-6.1p1/LICENSE.globus_usage 2012-12-10 21:41:54.863907843 +0100
++++ openssh-6.1p1/LICENSE.globus_usage 2013-11-26 16:16:04.325627489 +0100
@@ -0,0 +1,18 @@
+/*
+ * Portions of the Usage Metrics suport code are derived from the
@@ -1262,8 +1268,8 @@ diff -Nur openssh-6.1p1.orig/LICENSE.globus_usage openssh-6.1p1/LICENSE.globus_u
+ * limitations under the License.
+ */
diff -Nur openssh-6.1p1.orig/Makefile.in openssh-6.1p1/Makefile.in
---- openssh-6.1p1.orig/Makefile.in 2012-12-10 21:40:40.376366428 +0100
-+++ openssh-6.1p1/Makefile.in 2012-12-10 21:41:54.863907843 +0100
+--- openssh-6.1p1.orig/Makefile.in 2013-11-26 16:18:45.965671142 +0100
++++ openssh-6.1p1/Makefile.in 2013-11-26 16:16:04.337627344 +0100
@@ -93,8 +93,10 @@
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
auth-krb5.o \
@@ -1276,8 +1282,8 @@ diff -Nur openssh-6.1p1.orig/Makefile.in openssh-6.1p1/Makefile.in
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
sandbox-seccomp-filter.o
diff -Nur openssh-6.1p1.orig/misc.c openssh-6.1p1/misc.c
---- openssh-6.1p1.orig/misc.c 2012-12-10 21:40:40.184364865 +0100
-+++ openssh-6.1p1/misc.c 2012-12-10 21:41:54.864907851 +0100
+--- openssh-6.1p1.orig/misc.c 2013-11-26 16:18:45.965671142 +0100
++++ openssh-6.1p1/misc.c 2013-11-26 16:16:04.325627489 +0100
@@ -158,11 +158,14 @@
#define WHITESPACE " \t\r\n"
#define QUOTE "\""
@@ -1338,8 +1344,8 @@ diff -Nur openssh-6.1p1.orig/misc.c openssh-6.1p1/misc.c
* Convert ASCII string to TCP/IP port number.
* Port must be >=0 and <=65535.
diff -Nur openssh-6.1p1.orig/misc.h openssh-6.1p1/misc.h
---- openssh-6.1p1.orig/misc.h 2011-05-05 06:14:34.000000000 +0200
-+++ openssh-6.1p1/misc.h 2012-12-10 21:41:54.865907859 +0100
+--- openssh-6.1p1.orig/misc.h 2013-11-26 16:18:45.966671130 +0100
++++ openssh-6.1p1/misc.h 2013-11-26 16:16:04.326627477 +0100
@@ -38,6 +38,7 @@
void sock_set_v6only(int);
@@ -1349,8 +1355,8 @@ diff -Nur openssh-6.1p1.orig/misc.h openssh-6.1p1/misc.h
typedef struct arglist arglist;
diff -Nur openssh-6.1p1.orig/monitor.c openssh-6.1p1/monitor.c
---- openssh-6.1p1.orig/monitor.c 2012-12-10 21:40:40.378366442 +0100
-+++ openssh-6.1p1/monitor.c 2012-12-10 22:11:27.475031650 +0100
+--- openssh-6.1p1.orig/monitor.c 2013-11-26 16:18:45.967671118 +0100
++++ openssh-6.1p1/monitor.c 2013-11-26 16:16:04.326627477 +0100
@@ -187,6 +187,9 @@
int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_checkmic(int, Buffer *);
@@ -1543,8 +1549,8 @@ diff -Nur openssh-6.1p1.orig/monitor.c openssh-6.1p1/monitor.c
mm_answer_gss_sign(int socket, Buffer *m)
{
diff -Nur openssh-6.1p1.orig/monitor.h openssh-6.1p1/monitor.h
---- openssh-6.1p1.orig/monitor.h 2012-12-10 21:40:40.379366451 +0100
-+++ openssh-6.1p1/monitor.h 2012-12-10 21:41:54.868907885 +0100
+--- openssh-6.1p1.orig/monitor.h 2013-11-26 16:18:45.967671118 +0100
++++ openssh-6.1p1/monitor.h 2013-11-26 16:16:04.326627477 +0100
@@ -55,6 +55,9 @@
MONITOR_REQ_GSSSETUP, MONITOR_ANS_GSSSETUP,
MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
@@ -1556,8 +1562,8 @@ diff -Nur openssh-6.1p1.orig/monitor.h openssh-6.1p1/monitor.h
MONITOR_REQ_GSSSIGN, MONITOR_ANS_GSSSIGN,
MONITOR_REQ_GSSUPCREDS, MONITOR_ANS_GSSUPCREDS,
diff -Nur openssh-6.1p1.orig/monitor_wrap.c openssh-6.1p1/monitor_wrap.c
---- openssh-6.1p1.orig/monitor_wrap.c 2012-12-10 21:40:40.381366468 +0100
-+++ openssh-6.1p1/monitor_wrap.c 2012-12-10 21:41:54.869907893 +0100
+--- openssh-6.1p1.orig/monitor_wrap.c 2013-11-26 16:18:45.967671118 +0100
++++ openssh-6.1p1/monitor_wrap.c 2013-11-26 16:16:04.327627465 +0100
@@ -1326,12 +1326,13 @@
}
@@ -1658,8 +1664,8 @@ diff -Nur openssh-6.1p1.orig/monitor_wrap.c openssh-6.1p1/monitor_wrap.c
mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
{
diff -Nur openssh-6.1p1.orig/monitor_wrap.h openssh-6.1p1/monitor_wrap.h
---- openssh-6.1p1.orig/monitor_wrap.h 2012-12-10 21:40:40.382366476 +0100
-+++ openssh-6.1p1/monitor_wrap.h 2012-12-10 21:41:54.870907900 +0100
+--- openssh-6.1p1.orig/monitor_wrap.h 2013-11-26 16:18:45.968671106 +0100
++++ openssh-6.1p1/monitor_wrap.h 2013-11-26 16:16:04.327627465 +0100
@@ -62,9 +62,13 @@
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
@@ -1676,8 +1682,8 @@ diff -Nur openssh-6.1p1.orig/monitor_wrap.h openssh-6.1p1/monitor_wrap.h
#endif
diff -Nur openssh-6.1p1.orig/readconf.c openssh-6.1p1/readconf.c
---- openssh-6.1p1.orig/readconf.c 2012-12-10 21:40:40.383366484 +0100
-+++ openssh-6.1p1/readconf.c 2012-12-10 21:41:54.871907908 +0100
+--- openssh-6.1p1.orig/readconf.c 2013-11-26 16:18:45.968671106 +0100
++++ openssh-6.1p1/readconf.c 2013-11-26 16:16:04.327627465 +0100
@@ -1274,13 +1274,13 @@
if (options->challenge_response_authentication == -1)
options->challenge_response_authentication = 1;
@@ -1697,8 +1703,8 @@ diff -Nur openssh-6.1p1.orig/readconf.c openssh-6.1p1/readconf.c
options->gss_renewal_rekey = 0;
if (options->password_authentication == -1)
diff -Nur openssh-6.1p1.orig/readconf.h openssh-6.1p1/readconf.h
---- openssh-6.1p1.orig/readconf.h 2012-12-10 21:40:40.383366484 +0100
-+++ openssh-6.1p1/readconf.h 2012-12-10 21:41:54.872907917 +0100
+--- openssh-6.1p1.orig/readconf.h 2013-11-26 16:18:45.968671106 +0100
++++ openssh-6.1p1/readconf.h 2013-11-26 16:16:04.328627453 +0100
@@ -88,6 +88,8 @@
char *host_key_alias; /* hostname alias for .ssh/known_hosts */
char *proxy_command; /* Proxy command for connecting the host. */
@@ -1709,8 +1715,8 @@ diff -Nur openssh-6.1p1.orig/readconf.h openssh-6.1p1/readconf.h
u_int num_system_hostfiles; /* Paths for /etc/ssh/ssh_known_hosts */
diff -Nur openssh-6.1p1.orig/servconf.c openssh-6.1p1/servconf.c
---- openssh-6.1p1.orig/servconf.c 2012-12-10 21:40:40.425366824 +0100
-+++ openssh-6.1p1/servconf.c 2012-12-10 21:53:56.046920158 +0100
+--- openssh-6.1p1.orig/servconf.c 2013-11-26 16:18:45.969671093 +0100
++++ openssh-6.1p1/servconf.c 2013-11-26 16:16:04.328627453 +0100
@@ -67,6 +67,7 @@
/* Portable-specific options */
@@ -1914,8 +1920,8 @@ diff -Nur openssh-6.1p1.orig/servconf.c openssh-6.1p1/servconf.c
M_CP_INTOPT(pubkey_authentication);
M_CP_INTOPT(kerberos_authentication);
diff -Nur openssh-6.1p1.orig/servconf.h openssh-6.1p1/servconf.h
---- openssh-6.1p1.orig/servconf.h 2012-12-10 21:40:40.412366720 +0100
-+++ openssh-6.1p1/servconf.h 2012-12-10 21:41:54.876907949 +0100
+--- openssh-6.1p1.orig/servconf.h 2013-11-26 16:18:45.969671093 +0100
++++ openssh-6.1p1/servconf.h 2013-11-26 16:16:04.328627453 +0100
@@ -103,9 +103,12 @@
* file on logout. */
int kerberos_get_afs_token; /* If true, try to get AFS token if
@@ -1949,8 +1955,8 @@ diff -Nur openssh-6.1p1.orig/servconf.h openssh-6.1p1/servconf.h
char *trusted_user_ca_keys;
char *authorized_principals_file;
diff -Nur openssh-6.1p1.orig/ssh.1 openssh-6.1p1/ssh.1
---- openssh-6.1p1.orig/ssh.1 2012-12-10 21:40:40.323365996 +0100
-+++ openssh-6.1p1/ssh.1 2012-12-10 21:41:54.877907957 +0100
+--- openssh-6.1p1.orig/ssh.1 2013-11-26 16:18:45.970671081 +0100
++++ openssh-6.1p1/ssh.1 2013-11-26 16:16:04.329627441 +0100
@@ -1255,6 +1255,18 @@
on to new connections).
.It Ev USER
@@ -1971,8 +1977,8 @@ diff -Nur openssh-6.1p1.orig/ssh.1 openssh-6.1p1/ssh.1
.Pp
Additionally,
diff -Nur openssh-6.1p1.orig/ssh.c openssh-6.1p1/ssh.c
---- openssh-6.1p1.orig/ssh.c 2012-12-10 21:40:40.284365678 +0100
-+++ openssh-6.1p1/ssh.c 2012-12-10 21:41:54.878907965 +0100
+--- openssh-6.1p1.orig/ssh.c 2013-11-26 16:18:45.970671081 +0100
++++ openssh-6.1p1/ssh.c 2013-11-26 16:16:04.329627441 +0100
@@ -690,6 +690,32 @@
fatal("Can't open user config file %.100s: "
"%.100s", config, strerror(errno));
@@ -2021,8 +2027,8 @@ diff -Nur openssh-6.1p1.orig/ssh.c openssh-6.1p1/ssh.c
/* Get default port if port has not been set. */
if (options.port == 0) {
diff -Nur openssh-6.1p1.orig/ssh_config openssh-6.1p1/ssh_config
---- openssh-6.1p1.orig/ssh_config 2012-12-10 21:40:40.387366516 +0100
-+++ openssh-6.1p1/ssh_config 2012-12-10 21:41:54.879907973 +0100
+--- openssh-6.1p1.orig/ssh_config 2013-11-26 16:18:45.970671081 +0100
++++ openssh-6.1p1/ssh_config 2013-11-26 16:16:04.329627441 +0100
@@ -24,10 +24,10 @@
# RSAAuthentication yes
# PasswordAuthentication yes
@@ -2039,8 +2045,8 @@ diff -Nur openssh-6.1p1.orig/ssh_config openssh-6.1p1/ssh_config
# CheckHostIP yes
# AddressFamily any
diff -Nur openssh-6.1p1.orig/ssh_config.5 openssh-6.1p1/ssh_config.5
---- openssh-6.1p1.orig/ssh_config.5 2012-12-10 21:40:40.386366508 +0100
-+++ openssh-6.1p1/ssh_config.5 2012-12-10 21:41:54.880907981 +0100
+--- openssh-6.1p1.orig/ssh_config.5 2013-11-26 16:18:45.971671069 +0100
++++ openssh-6.1p1/ssh_config.5 2013-11-26 16:16:04.330627428 +0100
@@ -55,6 +55,12 @@
user's configuration file
.Pq Pa ~/.ssh/config
@@ -2055,8 +2061,8 @@ diff -Nur openssh-6.1p1.orig/ssh_config.5 openssh-6.1p1/ssh_config.5
.Pq Pa /etc/ssh/ssh_config
.El
diff -Nur openssh-6.1p1.orig/sshconnect2.c openssh-6.1p1/sshconnect2.c
---- openssh-6.1p1.orig/sshconnect2.c 2012-12-10 21:40:40.407366679 +0100
-+++ openssh-6.1p1/sshconnect2.c 2012-12-10 21:41:54.882907997 +0100
+--- openssh-6.1p1.orig/sshconnect2.c 2013-11-26 16:18:45.971671069 +0100
++++ openssh-6.1p1/sshconnect2.c 2013-11-26 16:16:04.330627428 +0100
@@ -701,6 +701,11 @@
int ok = 0;
const char *gss_host = NULL;
@@ -2119,8 +2125,8 @@ diff -Nur openssh-6.1p1.orig/sshconnect2.c openssh-6.1p1/sshconnect2.c
packet_put_cstring(authctxt->method->name);
packet_put_string(mic.value, mic.length);
diff -Nur openssh-6.1p1.orig/sshd.8 openssh-6.1p1/sshd.8
---- openssh-6.1p1.orig/sshd.8 2012-12-10 21:40:40.400366621 +0100
-+++ openssh-6.1p1/sshd.8 2012-12-10 21:41:54.883908006 +0100
+--- openssh-6.1p1.orig/sshd.8 2013-11-26 16:18:45.971671069 +0100
++++ openssh-6.1p1/sshd.8 2013-11-26 16:16:04.330627428 +0100
@@ -762,6 +762,44 @@
# A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
@@ -2167,8 +2173,8 @@ diff -Nur openssh-6.1p1.orig/sshd.8 openssh-6.1p1/sshd.8
.Bl -tag -width Ds -compact
.It Pa ~/.hushlogin
diff -Nur openssh-6.1p1.orig/sshd.c openssh-6.1p1/sshd.c
---- openssh-6.1p1.orig/sshd.c 2012-12-10 21:40:40.391366549 +0100
-+++ openssh-6.1p1/sshd.c 2012-12-10 21:41:54.886908030 +0100
+--- openssh-6.1p1.orig/sshd.c 2013-11-26 16:18:45.972671057 +0100
++++ openssh-6.1p1/sshd.c 2013-11-26 16:16:04.331627416 +0100
@@ -123,6 +123,7 @@
#include "audit.h"
#include "ssh-sandbox.h"
@@ -2201,8 +2207,8 @@ diff -Nur openssh-6.1p1.orig/sshd.c openssh-6.1p1/sshd.c
ssh_gssapi_storecreds();
restore_uid();
diff -Nur openssh-6.1p1.orig/sshd_config openssh-6.1p1/sshd_config
---- openssh-6.1p1.orig/sshd_config 2012-12-10 21:40:40.415366744 +0100
-+++ openssh-6.1p1/sshd_config 2012-12-10 21:41:54.887908038 +0100
+--- openssh-6.1p1.orig/sshd_config 2013-11-26 16:18:45.972671057 +0100
++++ openssh-6.1p1/sshd_config 2013-11-26 16:16:04.331627416 +0100
@@ -86,12 +86,11 @@
#KerberosUseKuserok yes
@@ -2239,8 +2245,8 @@ diff -Nur openssh-6.1p1.orig/sshd_config openssh-6.1p1/sshd_config
+#UsageStatsTargets usage-stats.cilogon.org:4810
+#DisableUsageStats no
diff -Nur openssh-6.1p1.orig/sshd_config.5 openssh-6.1p1/sshd_config.5
---- openssh-6.1p1.orig/sshd_config.5 2012-12-10 21:40:40.416366752 +0100
-+++ openssh-6.1p1/sshd_config.5 2012-12-10 21:41:54.889908054 +0100
+--- openssh-6.1p1.orig/sshd_config.5 2013-11-26 16:18:45.973671045 +0100
++++ openssh-6.1p1/sshd_config.5 2013-11-26 16:16:04.332627404 +0100
@@ -418,6 +418,15 @@
in
.Xr ssh_config 5
@@ -2428,7 +2434,7 @@ diff -Nur openssh-6.1p1.orig/sshd_config.5 openssh-6.1p1/sshd_config.5
.Xr sshd 8
diff -Nur openssh-6.1p1.orig/ssh-globus-usage.c openssh-6.1p1/ssh-globus-usage.c
--- openssh-6.1p1.orig/ssh-globus-usage.c 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-6.1p1/ssh-globus-usage.c 2012-12-10 21:41:54.890908062 +0100
++++ openssh-6.1p1/ssh-globus-usage.c 2013-11-26 16:16:04.332627404 +0100
@@ -0,0 +1,396 @@
+/*
+ * Copyright 2009 The Board of Trustees of the University
@@ -2828,7 +2834,7 @@ diff -Nur openssh-6.1p1.orig/ssh-globus-usage.c openssh-6.1p1/ssh-globus-usage.c
+}
diff -Nur openssh-6.1p1.orig/ssh-globus-usage.h openssh-6.1p1/ssh-globus-usage.h
--- openssh-6.1p1.orig/ssh-globus-usage.h 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-6.1p1/ssh-globus-usage.h 2012-12-10 21:41:54.891908071 +0100
++++ openssh-6.1p1/ssh-globus-usage.h 2013-11-26 16:16:04.332627404 +0100
@@ -0,0 +1,46 @@
+/*
+ * Copyright 2009 The Board of Trustees of the University
@@ -2877,8 +2883,8 @@ diff -Nur openssh-6.1p1.orig/ssh-globus-usage.h openssh-6.1p1/ssh-globus-usage.h
+
+#endif /* __SSH_GLOBUS_USAGE_H */
diff -Nur openssh-6.1p1.orig/ssh-gss.h openssh-6.1p1/ssh-gss.h
---- openssh-6.1p1.orig/ssh-gss.h 2012-12-10 21:40:40.403366647 +0100
-+++ openssh-6.1p1/ssh-gss.h 2012-12-10 21:41:54.891908071 +0100
+--- openssh-6.1p1.orig/ssh-gss.h 2013-11-26 16:18:45.973671045 +0100
++++ openssh-6.1p1/ssh-gss.h 2013-11-26 16:16:04.332627404 +0100
@@ -90,6 +90,7 @@
gss_name_t name;
struct ssh_gssapi_mech_struct *mech;
@@ -2924,8 +2930,8 @@ diff -Nur openssh-6.1p1.orig/ssh-gss.h openssh-6.1p1/ssh-gss.h
#endif /* _SSH_GSS_H */
diff -Nur openssh-6.1p1.orig/version.h openssh-6.1p1/version.h
---- openssh-6.1p1.orig/version.h 2012-07-31 04:23:16.000000000 +0200
-+++ openssh-6.1p1/version.h 2012-12-10 21:41:54.892908079 +0100
+--- openssh-6.1p1.orig/version.h 2013-11-26 16:18:45.974671033 +0100
++++ openssh-6.1p1/version.h 2013-11-26 16:16:04.333627392 +0100
@@ -1,6 +1,21 @@
/* $OpenBSD: version.h,v 1.65 2012/07/22 18:19:21 markus Exp $ */
diff --git a/openssh-6.1p1-increase-size-of-DF-groups.patch b/openssh-6.1p1-increase-size-of-DF-groups.patch
new file mode 100644
index 0000000..decabd3
--- /dev/null
+++ b/openssh-6.1p1-increase-size-of-DF-groups.patch
@@ -0,0 +1,59 @@
+diff -U0 openssh-6.2p2/ChangeLog.dh openssh-6.2p2/ChangeLog
+--- openssh-6.2p2/ChangeLog.dh 2013-11-18 12:14:09.662240103 +0100
++++ openssh-6.2p2/ChangeLog 2013-11-18 12:14:09.665240089 +0100
+@@ -0,0 +1,8 @@
++20131010
++ - dtucker at cvs.openbsd.org 2013/10/08 11:42:13
++ [dh.c dh.h]
++ Increase the size of the Diffie-Hellman groups requested for a each
++ symmetric key size. New values from NIST Special Publication 800-57 with
++ the upper limit specified by RFC4419. Pointed out by Peter Backes, ok
++ djm at .
++
+diff -up openssh-6.2p2/dh.c.dh openssh-6.2p2/dh.c
+--- openssh-6.2p2/dh.c.dh 2011-12-19 00:52:52.000000000 +0100
++++ openssh-6.2p2/dh.c 2013-11-18 12:14:09.665240089 +0100
+@@ -332,17 +332,20 @@ dh_new_group14(void)
+
+ /*
+ * Estimates the group order for a Diffie-Hellman group that has an
+- * attack complexity approximately the same as O(2**bits). Estimate
+- * with: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
++ * attack complexity approximately the same as O(2**bits).
++ * Values from NIST Special Publication 800-57: Recommendation for Key
++ * Management Part 1 (rev 3) limited by the recommended maximum value
++ * from RFC4419 section 3.
+ */
+
+ int
+ dh_estimate(int bits)
+ {
+-
++ if (bits <= 112)
++ return 2048;
+ if (bits <= 128)
+- return (1024); /* O(2**86) */
++ return 3072;
+ if (bits <= 192)
+- return (2048); /* O(2**116) */
+- return (4096); /* O(2**156) */
++ return 7680;
++ return 8192;
+ }
+diff -up openssh-6.2p2/dh.h.dh openssh-6.2p2/dh.h
+--- openssh-6.2p2/dh.h.dh 2008-06-29 14:47:04.000000000 +0200
++++ openssh-6.2p2/dh.h 2013-11-18 12:14:09.665240089 +0100
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: dh.h,v 1.10 2008/06/26 09:19:40 djm Exp $ */
++/* $OpenBSD: dh.h,v 1.11 2013/10/08 11:42:13 dtucker Exp $ */
+
+ /*
+ * Copyright (c) 2000 Niels Provos. All rights reserved.
+@@ -43,6 +43,7 @@ int dh_pub_is_valid(DH *, BIGNUM *);
+
+ int dh_estimate(int);
+
++/* Min and max values from RFC4419. */
+ #define DH_GRP_MIN 1024
+ #define DH_GRP_MAX 8192
+
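Review bot: The rewritten `dh_estimate` drops the per-branch comments, and the final `return 8192;` is the one value that comes from the RFC4419 cap rather than from the NIST table the header cites, which a reader cannot tell from the code. A comment on that line, `return 8192; /* capped at DH_GRP_MAX (RFC4419 section 3) */`, or returning `DH_GRP_MAX` directly (assuming dh.c includes dh.h), would keep the literal and the macro from drifting apart. The header comment still says the function estimates the "group order", while the returned values sit in the `DH_GRP_MIN`..`DH_GRP_MAX` range and look like modulus sizes in bits. It is also worth confirming that the packaged moduli file carries 7680- and 8192-bit entries, since the hunk does not show what the caller does when no group of the requested size exists.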
diff --git a/openssh-6.1p1-ssh_gai_strerror.patch b/openssh-6.1p1-ssh_gai_strerror.patch
new file mode 100644
index 0000000..0e433fa
--- /dev/null
+++ b/openssh-6.1p1-ssh_gai_strerror.patch
@@ -0,0 +1,23 @@
+diff -U0 openssh-6.2p2/ChangeLog.ssh_gai_strerror openssh-6.2p2/ChangeLog
+--- openssh-6.2p2/ChangeLog.ssh_gai_strerror 2013-07-23 12:03:41.467902339 +0200
++++ openssh-6.2p2/ChangeLog 2013-07-23 12:06:03.414281151 +0200
+@@ -0,0 +1,7 @@
++20130718
++ - djm at cvs.openbsd.org 2013/07/12 00:43:50
++ [misc.c]
++ in ssh_gai_strerror() don't fallback to strerror for EAI_SYSTEM when
++ errno == 0. Avoids confusing error message in some broken resolver
++ cases. bz#2122 patch from plautrba AT redhat.com; ok dtucker
++
+diff -up openssh-6.2p2/misc.c.ssh_gai_strerror openssh-6.2p2/misc.c
+--- openssh-6.2p2/misc.c.ssh_gai_strerror 2013-07-23 12:03:41.321902978 +0200
++++ openssh-6.2p2/misc.c 2013-07-23 12:03:41.467902339 +0200
+@@ -127,7 +127,7 @@ unset_nonblock(int fd)
+ const char *
+ ssh_gai_strerror(int gaierr)
+ {
+- if (gaierr == EAI_SYSTEM)
++ if (gaierr == EAI_SYSTEM && errno != 0)
+ return strerror(errno);
+ return gai_strerror(gaierr);
+ }
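Review bot: The added `errno != 0` test in `ssh_gai_strerror` gives the right message only if `errno` still holds what the failed resolver call left there; any library call the caller makes between the lookup and this function can overwrite it. A comment above the function would make that contract explicit: `/* Call directly after getaddrinfo() fails; errno must not be modified in between. */`. Nothing in the hunk shows how callers order these calls, so this is a documentation request rather than a known defect.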