Hello community,
here is the log from the commit of package openssh for openSUSE:Factory
checked in at Fri Sep 9 11:48:41 CEST 2011.
--------
--- openssh/openssh.changes 2011-02-04 13:08:17.000000000 +0100
+++ /mounts/work_src_done/STABLE/openssh/openssh.changes 2011-08-30
01:54:30.000000000 +0200
@@ -1,0 +2,19 @@
+Mon Aug 29 23:47:58 UTC 2011 - crrodrig...@opensuse.org
+
+- Update to verison 5.8p2
+* Fixed vuln in systems without dev/random, we arenot affected
+* Fixes problems building with selinux enabled
+- Fix build with as-needed and no-add-needed
+
+-------------------------------------------------------------------
+Sat Aug 13 20:46:17 UTC 2011 - crrodrig...@opensuse.org
+
+- Enable libedit/autocompletion support in sftp
+
+-------------------------------------------------------------------
+Tue May 10 15:08:17 UTC 2011 - meiss...@novell.com
+
+- Change default keysizes of rsa and dsa from 1024 to 2048
+ to match ssh-keygen manpage recommendations.
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
Old:
----
openssh-5.8p1-syntax-error.diff
openssh-5.8p1.tar.bz2
New:
----
converter-linking.patch
openssh-5.8p2.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssh-askpass-gnome.spec ++++++
--- /var/tmp/diff_new_pack.DfLjpj/_old 2011-09-09 11:48:34.000000000 +0200
+++ /var/tmp/diff_new_pack.DfLjpj/_new 2011-09-09 11:48:34.000000000 +0200
@@ -22,7 +22,7 @@
BuildRequires: gtk2-devel krb5-devel openssh openssl-devel pam-devel
tcpd-devel update-desktop-files
License: BSD3c(or similar)
Group: Productivity/Networking/SSH
-Version: 5.8p1
+Version: 5.8p2
Release: 1
Requires: openssh = %{version} openssh-askpass = %{version}
AutoReqProv: on
@@ -30,14 +30,14 @@
Url: http://www.openssh.com/
%define _name openssh
Source: %{_name}-%{version}.tar.bz2
-Patch: %{_name}-%{version}-sshd_config.diff
-Patch1: %{_name}-%{version}-pam-fix2.diff
-Patch2: %{_name}-%{version}-saveargv-fix.diff
-Patch3: %{_name}-%{version}-pam-fix3.diff
-Patch4: %{_name}-%{version}-gssapimitm.patch
-Patch5: %{_name}-%{version}-eal3.diff
-Patch6: %{_name}-%{version}-engines.diff
-Patch7: %{_name}-%{version}-blocksigalrm.diff
+Patch: %{_name}-5.8p1-sshd_config.diff
+Patch1: %{_name}-5.8p1-pam-fix2.diff
+Patch2: %{_name}-5.8p1-saveargv-fix.diff
+Patch3: %{_name}-5.8p1-pam-fix3.diff
+Patch4: %{_name}-5.8p1-gssapimitm.patch
+Patch5: %{_name}-5.8p1-eal3.diff
+Patch6: %{_name}-5.8p1-engines.diff
+Patch7: %{_name}-5.8p1-blocksigalrm.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
++++++ openssh.spec ++++++
--- /var/tmp/diff_new_pack.DfLjpj/_old 2011-09-09 11:48:34.000000000 +0200
+++ /var/tmp/diff_new_pack.DfLjpj/_new 2011-09-09 11:48:34.000000000 +0200
@@ -23,13 +23,14 @@
%define _appdefdir %{_prefix}/share/X11/app-defaults
BuildRequires: audit-devel krb5-devel openssl-devel pam-devel tcpd-devel
xorg-x11-devel
BuildRequires: libselinux-devel
+BuildRequires: libedit-devel
License: BSD3c(or similar) ; MIT License (or similar)
Group: Productivity/Networking/SSH
Requires: /bin/netstat
PreReq: pwdutils %insserv_prereq %fillup_prereq coreutils
Conflicts: nonfreessh
AutoReqProv: on
-Version: 5.8p1
+Version: 5.8p2
Release: 1
%define xversion 1.2.4.1
Summary: Secure Shell Client and Server (Remote Login Program)
@@ -44,25 +45,25 @@
Source7: ssh.reg
Source8: ssh-askpass
Source9: sshd.fw
-Patch: %{name}-%{version}-sshd_config.diff
-Patch1: %{name}-%{version}-askpass-fix.diff
-Patch2: %{name}-%{version}-pam-fix2.diff
-Patch3: %{name}-%{version}-saveargv-fix.diff
-Patch4: %{name}-%{version}-pam-fix3.diff
-Patch5: %{name}-%{version}-gssapimitm.patch
-Patch6: %{name}-%{version}-eal3.diff
-Patch7: %{name}-%{version}-engines.diff
-Patch8: %{name}-%{version}-blocksigalrm.diff
-Patch9: %{name}-%{version}-send_locale.diff
-Patch10: %{name}-%{version}-xauthlocalhostname.diff
-Patch12: %{name}-%{version}-xauth.diff
-Patch14: %{name}-%{version}-default-protocol.diff
-Patch15: %{name}-%{version}-audit.patch
-Patch16: %{name}-%{version}-pts.diff
-Patch17: %{name}-%{version}-homechroot.patch
-Patch18: %{name}-%{version}-sshconfig-knownhostschanges.diff
-Patch19: %{name}-%{version}-host_ident.diff
-Patch20: %{name}-%{version}-syntax-error.diff
+Patch: %{name}-5.8p1-sshd_config.diff
+Patch1: %{name}-5.8p1-askpass-fix.diff
+Patch2: %{name}-5.8p1-pam-fix2.diff
+Patch3: %{name}-5.8p1-saveargv-fix.diff
+Patch4: %{name}-5.8p1-pam-fix3.diff
+Patch5: %{name}-5.8p1-gssapimitm.patch
+Patch6: %{name}-5.8p1-eal3.diff
+Patch7: %{name}-5.8p1-engines.diff
+Patch8: %{name}-5.8p1-blocksigalrm.diff
+Patch9: %{name}-5.8p1-send_locale.diff
+Patch10: %{name}-5.8p1-xauthlocalhostname.diff
+Patch12: %{name}-5.8p1-xauth.diff
+Patch14: %{name}-5.8p1-default-protocol.diff
+Patch15: %{name}-5.8p1-audit.patch
+Patch16: %{name}-5.8p1-pts.diff
+Patch17: %{name}-5.8p1-homechroot.patch
+Patch18: %{name}-5.8p1-sshconfig-knownhostschanges.diff
+Patch19: %{name}-5.8p1-host_ident.diff
+Patch20: converter-linking.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%package askpass
@@ -107,29 +108,24 @@
%patch17
%patch18
%patch19 -p1
-%patch20 -p1
+%patch20
cp -v %{SOURCE4} .
cp -v %{SOURCE6} .
cd ../x11-ssh-askpass-%{xversion}
%patch1
%build
-# This package failed when testing with -Wl,-as-needed being default.
-# So we disable it here, if you want to retest, just delete this comment and
the line below.
-export SUSE_ASNEEDED=0
-%{?suse_update_config:%{suse_update_config}}
-aclocal
-autoheader
-autoconf
+autoreconf -fiv
%ifarch s390 s390x %sparc
PIEFLAGS="-fPIE"
%else
PIEFLAGS="-fpie"
%endif
-#Obsoleted CFLAGS="-DUSE_POSIX_THREADS $RPM_OPT_FLAGS"
CXXFLAGS="-DUSE_POSIX_THREADS $RPM_O \
-#Obsoleted LDFLAGS="-lpthread" \
LDFLAGS="-pie" CFLAGS="$RPM_OPT_FLAGS $PIEFLAGS -fstack-protector"
CXXFLAGS="$RPM_OPT_FLAGS $PIEFLAGS -fstack-protector" \
./configure --with-ssl-engine \
+%if 0%{suse_version} >= 1140
+ --with-libedit \
+%endif
--mandir=%{_mandir} \
--prefix=%{prefix} \
--infodir=%{_infodir} \
++++++ converter-linking.patch ++++++
--- converter/Makefile.orig
+++ converter/Makefile
@@ -8,7 +8,7 @@ ssh-keyconverter.o: ssh-keyconverter.c .
gcc $(RPM_OPT_FLAGS) -c -I../ $< -o $@
ssh-keyconverter: ssh-keyconverter.o ../libssh.a
../openbsd-compat/libopenbsd-compat.a
- gcc $< -L../ -L../openbsd-compat/ -lssh -lopenbsd-compat -lssh -lpam
-ldl -lwrap -lutil -lz -lnsl -lcrypt -lssl -o $@
+ gcc -Wl,--no-as-needed $(RPM_OPT_FLAGS) -L../ -L../openbsd-compat/ $<
-lssl -lcrypto -lssh -lopenbsd-compat -lssl -lssh -lpam -ldl -lwrap -lutil -lz
-lnsl -lcrypt -o $@
install: ssh-keyconverter ssh-keyconverter.1
if [ ! -d $(DESTDIR)$(bindir) ]; then install -d -m 755
$(DESTDIR)$(bindir); fi
++++++ openssh-5.8p1.tar.bz2 -> openssh-5.8p2.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssh-5.8p1/ChangeLog new/openssh-5.8p2/ChangeLog
--- old/openssh-5.8p1/ChangeLog 2011-02-04 01:57:48.000000000 +0100
+++ new/openssh-5.8p2/ChangeLog 2011-05-05 03:56:53.000000000 +0200
@@ -1,3 +1,30 @@
+20110403
+ - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+ [contrib/suse/openssh.spec] Prepare for 5.8p2 release.
+ - (djm) [version.h] crank version
+ - Release 5.8p2
+
+20110329
+ - (djm) [entropy.c] closefrom() before running ssh-rand-helper; leftover fds
+ noticed by tmraz AT redhat.com
+
+20110221
+ - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the
+ Cygwin-specific service installer script ssh-host-config. The actual
+ functionality is the same, the revisited version is just more
+ exact when it comes to check for problems which disallow to run
+ certain aspects of the script. So, part of this script and the also
+ rearranged service helper script library "csih" is to check if all
+ the tools required to run the script are available on the system.
+ The new script also is more thorough to inform the user why the
+ script failed. Patch from vinschen at redhat com.
+
+20110206
+ - (dtucker) [openbsd-compat/port-linux.c] Bug #1851: fix syntax error in
+ selinux code. Patch from Leonardo Chiquitto
+ - (dtucker) [contrib/cygwin/ssh-{host,user}-config] Add ECDSA key
+ generation and simplify. Patch from Corinna Vinschen.
+
20110204
- OpenBSD CVS Sync
- d...@cvs.openbsd.org 2011/01/31 21:42:15
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssh-5.8p1/README new/openssh-5.8p2/README
--- old/openssh-5.8p1/README 2011-02-04 01:57:50.000000000 +0100
+++ new/openssh-5.8p2/README 2011-05-03 02:04:21.000000000 +0200
@@ -1,4 +1,4 @@
-See http://www.openssh.com/txt/release-5.8 for the release notes.
+See http://www.openssh.com/txt/release-5.8p2 for the release notes.
- A Japanese translation of this document and of the OpenSSH FAQ is
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@@ -62,4 +62,4 @@
[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
[7] http://www.openssh.com/faq.html
-$Id: README,v 1.75.4.1 2011/02/04 00:57:50 djm Exp $
+$Id: README,v 1.75.4.2 2011/05/03 00:04:21 djm Exp $
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssh-5.8p1/contrib/caldera/openssh.spec
new/openssh-5.8p2/contrib/caldera/openssh.spec
--- old/openssh-5.8p1/contrib/caldera/openssh.spec 2011-02-04
01:57:54.000000000 +0100
+++ new/openssh-5.8p2/contrib/caldera/openssh.spec 2011-05-03
02:04:23.000000000 +0200
@@ -16,7 +16,7 @@
#old cvs stuff. please update before use. may be deprecated.
%define use_stable 1
-%define version 5.8p1
+%define version 5.8p2
%if %{use_stable}
%define cvs %{nil}
%define release 1
@@ -363,4 +363,4 @@
* Mon Jan 01 1998 ...
Template Version: 1.31
-$Id: openssh.spec,v 1.73.4.1 2011/02/04 00:57:54 djm Exp $
+$Id: openssh.spec,v 1.73.4.2 2011/05/03 00:04:23 djm Exp $
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssh-5.8p1/contrib/cygwin/ssh-host-config
new/openssh-5.8p2/contrib/cygwin/ssh-host-config
--- old/openssh-5.8p1/contrib/cygwin/ssh-host-config 2010-03-24
03:03:32.000000000 +0100
+++ new/openssh-5.8p2/contrib/cygwin/ssh-host-config 2011-02-21
11:42:01.000000000 +0100
@@ -1,6 +1,6 @@
#!/bin/bash
#
-# ssh-host-config, Copyright 2000-2009 Red Hat Inc.
+# ssh-host-config, Copyright 2000-2011 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
#
@@ -19,12 +19,39 @@
# ======================================================================
# Initialization
# ======================================================================
-PROGNAME=$(basename $0)
-_tdir=$(dirname $0)
-PROGDIR=$(cd $_tdir && pwd)
CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
+# List of apps used. This is checkad for existance in csih_sanity_check
+# Don't use *any* transient commands before sourcing the csih helper script,
+# otherwise the sanity checks are short-circuited.
+declare -a csih_required_commands=(
+ /usr/bin/basename coreutils
+ /usr/bin/cat coreutils
+ /usr/bin/chmod coreutils
+ /usr/bin/dirname coreutils
+ /usr/bin/id coreutils
+ /usr/bin/mv coreutils
+ /usr/bin/rm coreutils
+ /usr/bin/cygpath cygwin
+ /usr/bin/mount cygwin
+ /usr/bin/ps cygwin
+ /usr/bin/setfacl cygwin
+ /usr/bin/umount cygwin
+ /usr/bin/cmp diffutils
+ /usr/bin/grep grep
+ /usr/bin/awk gawk
+ /usr/bin/ssh-keygen openssh
+ /usr/sbin/sshd openssh
+ /usr/bin/sed sed
+)
+csih_sanity_check_server=yes
+source ${CSIH_SCRIPT}
+
+PROGNAME=$(/usr/bin/basename $0)
+_tdir=$(/usr/bin/dirname $0)
+PROGDIR=$(cd $_tdir && pwd)
+
# Subdirectory where the new package is being installed
PREFIX=/usr
@@ -32,8 +59,6 @@
SYSCONFDIR=/etc
LOCALSTATEDIR=/var
-source ${CSIH_SCRIPT}
-
port_number=22
privsep_configured=no
privsep_used=yes
@@ -46,23 +71,48 @@
# Routine: create_host_keys
# ======================================================================
create_host_keys() {
+ local ret=0
+
if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
then
csih_inform "Generating ${SYSCONFDIR}/ssh_host_key"
- ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
+ if ! /usr/bin/ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' >
/dev/null
+ then
+ csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
+ let ++ret
+ fi
fi
if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
then
csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
- ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
+ if ! /usr/bin/ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' >
/dev/null
+ then
+ csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
+ let ++ret
+ fi
fi
if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
then
csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
- ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
+ if ! /usr/bin/ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' >
/dev/null
+ then
+ csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
+ let ++ret
+ fi
fi
+
+ if [ ! -f "${SYSCONFDIR}/ssh_host_ecdsa_key" ]
+ then
+ csih_inform "Generating ${SYSCONFDIR}/ssh_host_ecdsa_key"
+ if ! /usr/bin/ssh-keygen -t ecdsa -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N
'' > /dev/null
+ then
+ csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
+ let ++ret
+ fi
+ fi
+ return $ret
} # --- End of create_host_keys --- #
# ======================================================================
@@ -75,61 +125,58 @@
local _spaces
local _serv_tmp
local _wservices
+ local ret=0
- if csih_is_nt
- then
- _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
- _services="${_my_etcdir}/services"
- # On NT, 27 spaces, no space after the hash
- _spaces=" #"
- else
- _win_etcdir="${WINDIR}"
- _services="${_my_etcdir}/SERVICES"
- # On 9x, 18 spaces (95 is very touchy), a space after the hash
- _spaces=" # "
- fi
+ _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
+ _services="${_my_etcdir}/services"
+ _spaces=" #"
_serv_tmp="${_my_etcdir}/srv.out.$$"
- mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}"
+ /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}"
# Depends on the above mount
_wservices=`cygpath -w "${_services}"`
# Remove sshd 22/port from services
- if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
+ if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
then
- grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
+ /usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
if [ -f "${_serv_tmp}" ]
then
- if mv "${_serv_tmp}" "${_services}"
+ if /usr/bin/mv "${_serv_tmp}" "${_services}"
then
csih_inform "Removing sshd from ${_wservices}"
else
csih_warning "Removing sshd from ${_wservices} failed!"
+ let ++ret
fi
- rm -f "${_serv_tmp}"
+ /usr/bin/rm -f "${_serv_tmp}"
else
csih_warning "Removing sshd from ${_wservices} failed!"
+ let ++ret
fi
fi
# Add ssh 22/tcp and ssh 22/udp to services
- if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
+ if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
then
- if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh
22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh
22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" >
"${_serv_tmp}"
+ if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh
22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh
22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" >
"${_serv_tmp}"
then
- if mv "${_serv_tmp}" "${_services}"
+ if /usr/bin/mv "${_serv_tmp}" "${_services}"
then
csih_inform "Added ssh to ${_wservices}"
else
csih_warning "Adding ssh to ${_wservices} failed!"
+ let ++ret
fi
- rm -f "${_serv_tmp}"
+ /usr/bin/rm -f "${_serv_tmp}"
else
csih_warning "Adding ssh to ${_wservices} failed!"
+ let ++ret
fi
fi
- umount "${_my_etcdir}"
+ /usr/bin/umount "${_my_etcdir}"
+ return $ret
} # --- End of update_services_file --- #
# ======================================================================
@@ -138,51 +185,57 @@
# ======================================================================
sshd_privsep() {
local sshdconfig_tmp
+ local ret=0
if [ "${privsep_configured}" != "yes" ]
then
- if csih_is_nt
+ csih_inform "Privilege separation is set to yes by default since OpenSSH
3.3."
+ csih_inform "However, this requires a non-privileged account called
'sshd'."
+ csih_inform "For more info on privilege separation read
/usr/share/doc/openssh/README.privsep."
+ if csih_request "Should privilege separation be used?"
then
- csih_inform "Privilege separation is set to yes by default since OpenSSH
3.3."
- csih_inform "However, this requires a non-privileged account called
'sshd'."
- csih_inform "For more info on privilege separation read
/usr/share/doc/openssh/README.privsep."
- if csih_request "Should privilege separation be used?"
+ privsep_used=yes
+ if ! csih_create_unprivileged_user sshd
then
- privsep_used=yes
- if ! csih_create_unprivileged_user sshd
- then
- csih_warning "Couldn't create user 'sshd'!"
- csih_warning "Privilege separation set to 'no' again!"
- csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
- privsep_used=no
- fi
- else
+ csih_error_recoverable "Couldn't create user 'sshd'!"
+ csih_error_recoverable "Privilege separation set to 'no' again!"
+ csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!"
+ let ++ret
privsep_used=no
fi
else
- # On 9x don't use privilege separation. Since security isn't
- # available it just adds useless additional processes.
privsep_used=no
fi
fi
# Create default sshd_config from skeleton files in /etc/defaults/etc or
# modify to add the missing privsep configuration option
- if cmp "${SYSCONFDIR}/sshd_config"
"${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
+ if /usr/bin/cmp "${SYSCONFDIR}/sshd_config"
"${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
then
csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
- sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation
${privsep_used}/
+ /usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation
${privsep_used}/
s/^#Port 22/Port ${port_number}/
s/^#StrictModes yes/StrictModes no/" \
< ${SYSCONFDIR}/sshd_config \
> "${sshdconfig_tmp}"
- mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
+ if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
+ then
+ csih_warning "Setting privilege separation to 'yes' failed!"
+ csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
+ let ++ret
+ fi
elif [ "${privsep_configured}" != "yes" ]
then
echo >> ${SYSCONFDIR}/sshd_config
- echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
+ if ! echo "UsePrivilegeSeparation ${privsep_used}" >>
${SYSCONFDIR}/sshd_config
+ then
+ csih_warning "Setting privilege separation to 'yes' failed!"
+ csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
+ let ++ret
+ fi
fi
+ return $ret
} # --- End of sshd_privsep --- #
# ======================================================================
@@ -195,72 +248,82 @@
local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
local _with_comment=1
+ local ret=0
if [ -d "${_inetcnf_dir}" ]
then
# we have inetutils-1.5 inetd.d support
if [ -f "${_inetcnf}" ]
then
- grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
+ /usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
# check for sshd OR ssh in top-level inetd.conf file, and remove
# will be replaced by a file in inetd.d/
- if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
+ if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
then
- grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
+ /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
if [ -f "${_inetcnf_tmp}" ]
then
- if mv "${_inetcnf_tmp}" "${_inetcnf}"
+ if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
then
csih_inform "Removed ssh[d] from ${_inetcnf}"
else
csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
+ let ++ret
fi
- rm -f "${_inetcnf_tmp}"
+ /usr/bin/rm -f "${_inetcnf_tmp}"
else
csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
+ let ++ret
fi
fi
fi
csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults"
- if cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}"
>/dev/null 2>&1
+ if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}"
"${_sshd_inetd_conf}" >/dev/null 2>&1
then
if [ "${_with_comment}" -eq 0 ]
then
- sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" >
"${_sshd_inetd_conf_tmp}"
+ /usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" >
"${_sshd_inetd_conf_tmp}"
else
- sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" >
"${_sshd_inetd_conf_tmp}"
+ /usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" >
"${_sshd_inetd_conf_tmp}"
+ fi
+ if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
+ then
+ csih_inform "Updated ${_sshd_inetd_conf}"
+ else
+ csih_warning "Updating ${_sshd_inetd_conf} failed!"
+ let ++ret
fi
- mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
- csih_inform "Updated ${_sshd_inetd_conf}"
fi
elif [ -f "${_inetcnf}" ]
then
- grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
+ /usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
# check for sshd in top-level inetd.conf file, and remove
# will be replaced by a file in inetd.d/
- if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
+ if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
then
- grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
+ /usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
if [ -f "${_inetcnf_tmp}" ]
then
- if mv "${_inetcnf_tmp}" "${_inetcnf}"
+ if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
then
csih_inform "Removed sshd from ${_inetcnf}"
else
csih_warning "Removing sshd from ${_inetcnf} failed!"
+ let ++ret
fi
- rm -f "${_inetcnf_tmp}"
+ /usr/bin/rm -f "${_inetcnf_tmp}"
else
csih_warning "Removing sshd from ${_inetcnf} failed!"
+ let ++ret
fi
fi
# Add ssh line to inetd.conf
- if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
+ if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
then
if [ "${_with_comment}" -eq 0 ]
then
@@ -268,115 +331,186 @@
else
echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >>
"${_inetcnf}"
fi
- csih_inform "Added ssh to ${_inetcnf}"
+ if [ $? -eq 0 ]
+ then
+ csih_inform "Added ssh to ${_inetcnf}"
+ else
+ csih_warning "Adding ssh to ${_inetcnf} failed!"
+ let ++ret
+ fi
fi
fi
+ return $ret
} # --- End of update_inetd_conf --- #
# ======================================================================
+# Routine: check_service_files_ownership
+# Checks that the files in /etc and /var belong to the right owner
+# ======================================================================
+check_service_files_ownership() {
+ local run_service_as=$1
+ local ret=0
+
+ if [ -z "${run_service_as}" ]
+ then
+ accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *:
*//gp')
+ if [ "${accnt_name}" = "LocalSystem" ]
+ then
+ # Convert "LocalSystem" to "SYSTEM" as is the correct account name
+ accnt_name="SYSTEM:"
+ elif [[ "${accnt_name}" =~ ^\.\\ ]]
+ then
+ # Convert "." domain to local machine name
+ accnt_name="U-${COMPUTERNAME}${accnt_name#.},"
+ fi
+ run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd |
/usr/bin/awk -F: '{print $1;}')
+ if [ -z "${run_service_as}" ]
+ then
+ csih_warning "Couldn't determine name of user running sshd service from
/etc/passwd!"
+ csih_warning "As a result, this script cannot make sure that the files
used"
+ csih_warning "by the sshd service belong to the user running the
service."
+ csih_warning "Please re-run the mkpasswd tool to make sure the
/etc/passwd"
+ csih_warning "file is in a good shape."
+ return 1
+ fi
+ fi
+ for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config
"${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub
+ do
+ if [ -f "$i" ]
+ then
+ if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1
+ then
+ csih_warning "Couldn't change owner of $i!"
+ let ++ret
+ fi
+ fi
+ done
+ if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1
+ then
+ csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!"
+ let ++ret
+ fi
+ if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null
2>&1
+ then
+ csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!"
+ let ++ret
+ fi
+ if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
+ then
+ if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log
>/dev/null 2>&1
+ then
+ csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!"
+ let ++ret
+ fi
+ fi
+ if [ $ret -ne 0 ]
+ then
+ csih_warning "Couldn't change owner of important files to
${run_service_as}!"
+ csih_warning "This may cause the sshd service to fail! Please make sure
that"
+ csih_warning "you have suufficient permissions to change the ownership of
files"
+ csih_warning "and try to run the ssh-host-config script again."
+ fi
+ return $ret
+} # --- End of check_service_files_ownership --- #
+
+# ======================================================================
# Routine: install_service
# Install sshd as a service
# ======================================================================
install_service() {
local run_service_as
local password
+ local ret=0
- if csih_is_nt
+ echo
+ if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
then
- if ! cygrunsrv -Q sshd >/dev/null 2>&1
+ csih_inform "Sshd service is already installed."
+ check_service_files_ownership "" || let ret+=$?
+ else
+ echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
+ if csih_request "(Say \"no\" if it is already installed as a service)"
then
- echo
- echo
- csih_warning "The following functions require administrator privileges!"
- echo
- echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
- if csih_request "(Say \"no\" if it is already installed as a service)"
+ csih_get_cygenv "${cygwin_value}"
+
+ if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
then
- csih_get_cygenv "${cygwin_value}"
+ csih_inform "On Windows Server 2003, Windows Vista, and above, the"
+ csih_inform "SYSTEM account cannot setuid to other users -- a
capability"
+ csih_inform "sshd requires. You need to have or to create a privileged"
+ csih_inform "account. This script will help you do so."
+ echo
+
+ [ "${opt_force}" = "yes" ] && opt_f=-f
+ [ -n "${user_account}" ] && opt_u="-u ""${user_account}"""
+ csih_select_privileged_username ${opt_f} ${opt_u} sshd
- if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
+ if ! csih_create_privileged_user "${password_value}"
then
- csih_inform "On Windows Server 2003, Windows Vista, and above, the"
- csih_inform "SYSTEM account cannot setuid to other users -- a
capability"
- csih_inform "sshd requires. You need to have or to create a
privileged"
- csih_inform "account. This script will help you do so."
- echo
-
- [ "${opt_force}" = "yes" ] && opt_f=-f
- [ -n "${user_account}" ] && opt_u="-u ""${user_account}"""
- csih_select_privileged_username ${opt_f} ${opt_u} sshd
-
- if ! csih_create_privileged_user "${password_value}"
- then
- csih_error_recoverable "There was a serious problem creating a
privileged user."
- csih_request "Do you want to proceed anyway?" || exit 1
- fi
+ csih_error_recoverable "There was a serious problem creating a
privileged user."
+ csih_request "Do you want to proceed anyway?" || exit 1
+ let ++ret
fi
+ fi
- # never returns empty if NT or above
- run_service_as=$(csih_service_should_run_as)
+ # Never returns empty if NT or above
+ run_service_as=$(csih_service_should_run_as)
- if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
+ if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
+ then
+ password="${csih_PRIVILEGED_PASSWORD}"
+ if [ -z "${password}" ]
then
- password="${csih_PRIVILEGED_PASSWORD}"
- if [ -z "${password}" ]
- then
- csih_get_value "Please enter the password for user
'${run_service_as}':" "-s"
- password="${csih_value}"
- fi
+ csih_get_value "Please enter the password for user
'${run_service_as}':" "-s"
+ password="${csih_value}"
fi
+ fi
- # at this point, we either have $run_service_as = "system" and
$password is empty,
- # or $run_service_as is some privileged user and (hopefully) $password
contains
- # the correct password. So, from here out, we use '-z "${password}"'
to discriminate
- # the two cases.
+ # At this point, we either have $run_service_as = "system" and
+ # $password is empty, or $run_service_as is some privileged user and
+ # (hopefully) $password contains the correct password. So, from here
+ # out, we use '-z "${password}"' to discriminate the two cases.
- csih_check_user "${run_service_as}"
+ csih_check_user "${run_service_as}"
- if [ -n "${csih_cygenv}" ]
+ if [ -n "${csih_cygenv}" ]
+ then
+ cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
+ fi
+ if [ -z "${password}" ]
+ then
+ if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
+ -a "-D" -y tcpip "${cygwin_env[@]}"
then
- cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
+ echo
+ csih_inform "The sshd service has been installed under the
LocalSystem"
+ csih_inform "account (also known as SYSTEM). To start the service
now, call"
+ csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise,
it"
+ csih_inform "will start automatically after the next reboot."
fi
- if [ -z "${password}" ]
+ else
+ if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
+ -a "-D" -y tcpip "${cygwin_env[@]}" \
+ -u "${run_service_as}" -w "${password}"
then
- if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
- -a "-D" -y tcpip "${cygwin_env[@]}"
- then
- echo
- csih_inform "The sshd service has been installed under the
LocalSystem"
- csih_inform "account (also known as SYSTEM). To start the service
now, call"
- csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise,
it"
- csih_inform "will start automatically after the next reboot."
- fi
- else
- if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
- -a "-D" -y tcpip "${cygwin_env[@]}" \
- -u "${run_service_as}" -w "${password}"
- then
- echo
- csih_inform "The sshd service has been installed under the
'${run_service_as}'"
- csih_inform "account. To start the service now, call \`net start
sshd' or"
- csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start
automatically"
- csih_inform "after the next reboot."
- fi
+ echo
+ csih_inform "The sshd service has been installed under the
'${run_service_as}'"
+ csih_inform "account. To start the service now, call \`net start
sshd' or"
+ csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start
automatically"
+ csih_inform "after the next reboot."
fi
+ fi
- # now, if successfully installed, set ownership of the affected files
- if cygrunsrv -Q sshd >/dev/null 2>&1
- then
- chown "${run_service_as}" ${SYSCONFDIR}/ssh*
- chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty
- chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog
- if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
- then
- chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log
- fi
- else
- csih_warning "Something went wrong installing the sshd service."
- fi
- fi # user allowed us to install as service
- fi # service not yet installed
- fi # csih_is_nt
+ if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
+ then
+ check_service_files_ownership "${run_service_as}" || let ret+=$?
+ else
+ csih_error_recoverable "Installing sshd as a service failed!"
+ let ++ret
+ fi
+ fi # user allowed us to install as service
+ fi # service not yet installed
+ return $ret
} # --- End of install_service --- #
# ======================================================================
@@ -488,21 +622,71 @@
# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running
-if ps -ef | grep -q '/sshd\?$'
+if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$'
then
echo
csih_error "There are still ssh processes running. Please shut them down
first."
fi
+# Make sure the user is running in an administrative context
+admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no)
+if [ "${admin}" != "yes" ]
+then
+ echo
+ csih_warning "Running this script typically requires administrator
privileges!"
+ csih_warning "However, it seems your account does not have these privileges."
+ csih_warning "Here's the list of groups in your user token:"
+ echo
+ for i in $(/usr/bin/id -G)
+ do
+ /usr/bin/awk -F: "/[^:]*:[^:]*:$i:/{ print \" \" \$1; }" /etc/group
+ done
+ echo
+ csih_warning "This usually means you're running this script from a non-admin"
+ csih_warning "desktop session, or in a non-elevated shell under UAC control."
+ echo
+ csih_warning "Make sure you have the appropriate privileges right now,"
+ csih_warning "otherwise parts of this script will probably fail!"
+ echo
+ echo -e "${_csih_QUERY_STR} Are you sure you want to continue? (Say \"no\"
if you're not sure"
+ if ! csih_request "you have the required privileges)"
+ then
+ echo
+ csih_inform "Ok. Exiting. Make sure to switch to an administrative
account"
+ csih_inform "or to start this script from an elevated shell."
+ exit 1
+ fi
+fi
+
+echo
+
+warning_cnt=0
+
# Check for ${SYSCONFDIR} directory
csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
-chmod 775 "${SYSCONFDIR}"
-setfacl -m u:system:rwx "${SYSCONFDIR}"
+if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1
+then
+ csih_warning "Can't set permissions on ${SYSCONFDIR}!"
+ let ++warning_cnt
+fi
+if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1
+then
+ csih_warning "Can't set extended permissions on ${SYSCONFDIR}!"
+ let ++warning_cnt
+fi
# Check for /var/log directory
csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
-chmod 775 "${LOCALSTATEDIR}/log"
-setfacl -m u:system:rwx "${LOCALSTATEDIR}/log"
+if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1
+then
+ csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!"
+ let ++warning_cnt
+fi
+if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1
+then
+ csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!"
+ let ++warning_cnt
+fi
# Create /var/log/lastlog if not already exists
if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
@@ -513,26 +697,33 @@
fi
if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
then
- cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
- chmod 644 ${LOCALSTATEDIR}/log/lastlog
+ /usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
+ if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
+ then
+ csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!"
+ let ++warning_cnt
+ fi
fi
# Create /var/empty file used as chroot jail for privilege separation
csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty
directory."
-chmod 755 "${LOCALSTATEDIR}/empty"
-setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty"
+if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
+then
+ csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
+ let ++warning_cnt
+fi
+if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
+then
+ csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!"
+ let ++warning_cnt
+fi
# host keys
-create_host_keys
-
-# use 'cmp' program to determine if a config file is identical
-# to the default version of that config file
-csih_check_program_or_error cmp diffutils
-
+create_host_keys || let warning_cnt+=$?
# handle ssh_config
-csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults"
-if cmp "${SYSCONFDIR}/ssh_config"
"${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
+csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let
++warning_cnt
+if /usr/bin/cmp "${SYSCONFDIR}/ssh_config"
"${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
then
if [ "${port_number}" != "22" ]
then
@@ -543,19 +734,24 @@
fi
# handle sshd_config (and privsep)
-csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults"
-if ! cmp "${SYSCONFDIR}/sshd_config"
"${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
+csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" ||
let ++warning_cnt
+if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config"
"${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
then
- grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config &&
privsep_configured=yes
+ /usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config &&
privsep_configured=yes
fi
-sshd_privsep
-
+sshd_privsep || let warning_cnt+=$?
-
-update_services_file
-update_inetd_conf
-install_service
+update_services_file || let warning_cnt+=$?
+update_inetd_conf || let warning_cnt+=$?
+install_service || let warning_cnt+=$?
echo
-csih_inform "Host configuration finished. Have fun!"
-
+if [ $warning_cnt -eq 0 ]
+then
+ csih_inform "Host configuration finished. Have fun!"
+else
+ csih_warning "Host configuration exited with ${warning_cnt} errors or
warnings!"
+ csih_warning "Make sure that all problems reported are fixed,"
+ csih_warning "then re-run ssh-host-config."
+fi
+exit $warning_cnt
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssh-5.8p1/contrib/cygwin/ssh-user-config
new/openssh-5.8p2/contrib/cygwin/ssh-user-config
--- old/openssh-5.8p1/contrib/cygwin/ssh-user-config 2009-07-29
16:21:13.000000000 +0200
+++ new/openssh-5.8p2/contrib/cygwin/ssh-user-config 2011-02-06
03:31:47.000000000 +0100
@@ -39,85 +39,34 @@
with_passphrase=
# ======================================================================
-# Routine: create_ssh1_identity
-# optionally create ~/.ssh/identity[.pub]
+# Routine: create_identity
+# optionally create identity of type argument in ~/.ssh
# optionally add result to ~/.ssh/authorized_keys
# ======================================================================
-create_ssh1_identity() {
- if [ ! -f "${pwdhome}/.ssh/identity" ]
+create_identity() {
+ local file="$1"
+ local type="$2"
+ local name="$3"
+ if [ ! -f "${pwdhome}/.ssh/${file}" ]
then
- if csih_request "Shall I create an SSH1 RSA identity file for you?"
+ if csih_request "Shall I create a ${name} identity file for you?"
then
- csih_inform "Generating ${pwdhome}/.ssh/identity"
+ csih_inform "Generating ${pwdhome}/.ssh/${file}"
if [ "${with_passphrase}" = "yes" ]
then
- ssh-keygen -t rsa1 -N "${passphrase}" -f "${pwdhome}/.ssh/identity" >
/dev/null
+ ssh-keygen -t "${type}" -N "${passphrase}" -f
"${pwdhome}/.ssh/${file}" > /dev/null
else
- ssh-keygen -t rsa1 -f "${pwdhome}/.ssh/identity" > /dev/null
+ ssh-keygen -t "${type}" -f "${pwdhome}/.ssh/${file}" > /dev/null
fi
if csih_request "Do you want to use this identity to login to this
machine?"
then
csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
- cat "${pwdhome}/.ssh/identity.pub" >> "${pwdhome}/.ssh/authorized_keys"
+ cat "${pwdhome}/.ssh/${file}.pub" >> "${pwdhome}/.ssh/authorized_keys"
fi
fi
fi
} # === End of create_ssh1_identity() === #
-readonly -f create_ssh1_identity
-
-# ======================================================================
-# Routine: create_ssh2_rsa_identity
-# optionally create ~/.ssh/id_rsa[.pub]
-# optionally add result to ~/.ssh/authorized_keys
-# ======================================================================
-create_ssh2_rsa_identity() {
- if [ ! -f "${pwdhome}/.ssh/id_rsa" ]
- then
- if csih_request "Shall I create an SSH2 RSA identity file for you?"
- then
- csih_inform "Generating ${pwdhome}/.ssh/id_rsa"
- if [ "${with_passphrase}" = "yes" ]
- then
- ssh-keygen -t rsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_rsa" >
/dev/null
- else
- ssh-keygen -t rsa -f "${pwdhome}/.ssh/id_rsa" > /dev/null
- fi
- if csih_request "Do you want to use this identity to login to this
machine?"
- then
- csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
- cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
- fi
- fi
- fi
-} # === End of create_ssh2_rsa_identity() === #
-readonly -f create_ssh2_rsa_identity
-
-# ======================================================================
-# Routine: create_ssh2_dsa_identity
-# optionally create ~/.ssh/id_dsa[.pub]
-# optionally add result to ~/.ssh/authorized_keys
-# ======================================================================
-create_ssh2_dsa_identity() {
- if [ ! -f "${pwdhome}/.ssh/id_dsa" ]
- then
- if csih_request "Shall I create an SSH2 DSA identity file for you?"
- then
- csih_inform "Generating ${pwdhome}/.ssh/id_dsa"
- if [ "${with_passphrase}" = "yes" ]
- then
- ssh-keygen -t dsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_dsa" >
/dev/null
- else
- ssh-keygen -t dsa -f "${pwdhome}/.ssh/id_dsa" > /dev/null
- fi
- if csih_request "Do you want to use this identity to login to this
machine?"
- then
- csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
- cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
- fi
- fi
- fi
-} # === End of create_ssh2_dsa_identity() === #
-readonly -f create_ssh2_dsa_identity
+readonly -f create_identity
# ======================================================================
# Routine: check_user_homedir
@@ -311,9 +260,10 @@
check_user_homedir
check_user_dot_ssh_dir
-create_ssh1_identity
-create_ssh2_rsa_identity
-create_ssh2_dsa_identity
+create_identity id_rsa rsa "SSH2 RSA"
+create_identity id_dsa dsa "SSH2 DSA"
+create_identity id_ecdsa ecdsa "SSH2 ECDSA"
+create_identity identity rsa1 "(deprecated) SSH1 RSA"
fix_authorized_keys_perms
echo
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssh-5.8p1/contrib/redhat/openssh.spec
new/openssh-5.8p2/contrib/redhat/openssh.spec
--- old/openssh-5.8p1/contrib/redhat/openssh.spec 2011-02-04
01:57:56.000000000 +0100
+++ new/openssh-5.8p2/contrib/redhat/openssh.spec 2011-05-03
02:04:24.000000000 +0200
@@ -1,4 +1,4 @@
-%define ver 5.8p1
+%define ver 5.8p2
%define rel 1
# OpenSSH privilege separation requires a user & group ID
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssh-5.8p1/contrib/suse/openssh.spec
new/openssh-5.8p2/contrib/suse/openssh.spec
--- old/openssh-5.8p1/contrib/suse/openssh.spec 2011-02-04 01:57:57.000000000
+0100
+++ new/openssh-5.8p2/contrib/suse/openssh.spec 2011-05-03 02:04:26.000000000
+0200
@@ -13,7 +13,7 @@
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
Name: openssh
-Version: 5.8p1
+Version: 5.8p2
URL: http://www.openssh.com/
Release: 1
Source0: openssh-%{version}.tar.gz
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssh-5.8p1/entropy.c new/openssh-5.8p2/entropy.c
--- old/openssh-5.8p1/entropy.c 2011-01-13 11:05:29.000000000 +0100
+++ new/openssh-5.8p2/entropy.c 2011-05-03 02:00:08.000000000 +0200
@@ -100,6 +100,7 @@
close(p[0]);
close(p[1]);
close(devnull);
+ closefrom(STDERR_FILENO + 1);
if (original_uid != original_euid &&
( seteuid(getuid()) == -1 ||
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssh-5.8p1/openbsd-compat/port-linux.c
new/openssh-5.8p2/openbsd-compat/port-linux.c
--- old/openssh-5.8p1/openbsd-compat/port-linux.c 2011-02-04
01:43:08.000000000 +0100
+++ new/openssh-5.8p2/openbsd-compat/port-linux.c 2011-02-06
03:24:17.000000000 +0100
@@ -1,4 +1,4 @@
-/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
+/* $Id: port-linux.c,v 1.11.4.3 2011/02/06 02:24:17 dtucker Exp $ */
/*
* Copyright (c) 2005 Daniel Walsh <dwa...@redhat.com>
@@ -213,7 +213,7 @@
if (!ssh_selinux_enabled())
return;
- if (path == NULL)
+ if (path == NULL) {
setfscreatecon(NULL);
return;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssh-5.8p1/version.h new/openssh-5.8p2/version.h
--- old/openssh-5.8p1/version.h 2011-02-04 01:48:57.000000000 +0100
+++ new/openssh-5.8p2/version.h 2011-05-05 03:56:54.000000000 +0200
@@ -2,5 +2,5 @@
#define SSH_VERSION "OpenSSH_5.8"
-#define SSH_PORTABLE "p1"
+#define SSH_PORTABLE "p2"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
++++++ openssh-SuSE.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/SuSE/etc/init.d/sshd new/SuSE/etc/init.d/sshd
--- old/SuSE/etc/init.d/sshd 2011-01-25 11:54:41.000000000 +0100
+++ new/SuSE/etc/init.d/sshd 2011-05-10 17:07:10.000000000 +0200
@@ -46,15 +46,15 @@
if ! grep -q '^[[:space:]]*HostKey[[:space:]]' /etc/ssh/sshd_config;
then
if ! test -f /etc/ssh/ssh_host_key ; then
echo Generating /etc/ssh/ssh_host_key.
- ssh-keygen -t rsa1 -b 1024 -f /etc/ssh/ssh_host_key -N ''
+ ssh-keygen -t rsa1 -b 2048 -f /etc/ssh/ssh_host_key -N ''
fi
if ! test -f /etc/ssh/ssh_host_dsa_key ; then
echo Generating /etc/ssh/ssh_host_dsa_key.
- ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N
''
+ ssh-keygen -t dsa -b 2048 -f /etc/ssh/ssh_host_dsa_key -N
''
fi
if ! test -f /etc/ssh/ssh_host_rsa_key ; then
echo Generating /etc/ssh/ssh_host_rsa_key.
- ssh-keygen -t rsa -b 1024 -f /etc/ssh/ssh_host_rsa_key -N
''
+ ssh-keygen -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key -N
''
fi
if ! test -f /etc/ssh/ssh_host_ecdsa_key ; then
echo Generating /etc/ssh/ssh_host_ecdsa_key.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
