diff --git a/.cvsignore b/.cvsignore index cdbea46..a10c671 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1,2 +1,2 @@ -openssh-3.6.1p2.tar.gz +openssh-3.8.1p1.tar.gz x11-ssh-askpass-1.2.4.1.tar.gz diff --git a/openssh-3.8.1p1-krb5-config.patch b/openssh-3.8.1p1-krb5-config.patch new file mode 100644 index 0000000..f284632 --- /dev/null +++ b/openssh-3.8.1p1-krb5-config.patch @@ -0,0 +1,16 @@ +Search the path for krb5-config if the prefix wasn't specified. +--- openssh-3.8p1/configure.ac 2004-02-26 21:17:12.000000000 -0500 ++++ openssh-3.8p1/configure.ac 2004-02-26 21:17:06.000000000 -0500 +@@ -2077,8 +2077,10 @@ + KRB5_MSG="yes" + + AC_MSG_CHECKING(for krb5-config) +- if test -x $KRB5ROOT/bin/krb5-config ; then +- KRB5CONF=$KRB5ROOT/bin/krb5-config ++ AC_PATH_PROG([KRB5CONF],[krb5-config], ++ [$KRB5ROOT/bin/krb5-config], ++ [$KRB5ROOT/bin:$PATH]) ++ if test -x $KRB5CONF ; then + AC_MSG_RESULT($KRB5CONF) + + AC_MSG_CHECKING(for gssapi support) diff --git a/openssh-3.8.1p1-skip-initial.patch b/openssh-3.8.1p1-skip-initial.patch new file mode 100644 index 0000000..77be56e --- /dev/null +++ b/openssh-3.8.1p1-skip-initial.patch @@ -0,0 +1,26 @@ +Skip the initial empty-password check if permit_empty_passwd is disabled. This +doesn't change the timing profiles of the host because the additional condition +check which can short-circuit the call to pam_authenticate() has no dependency +on the identity of the user who is being authenticated. +--- openssh-3.8p1/auth1.c 2004-02-26 21:05:25.000000000 -0500 ++++ openssh-3.8p1/auth1.c 2004-02-26 21:05:20.000000000 -0500 +@@ -76,7 +76,7 @@ + authctxt->valid ? "" : "illegal user ", authctxt->user); + + /* If the user has no password, accept authentication immediately. */ +- if (options.password_authentication && ++ if (options.permit_empty_passwd && options.password_authentication && + #ifdef KRB5 + (!options.kerberos_authentication || options.kerberos_or_local_passwd) && + #endif +--- openssh-3.8p1/auth2-none.c 2004-02-26 21:07:34.000000000 -0500 ++++ openssh-3.8p1/auth2-none.c 2004-02-26 21:07:28.000000000 -0500 +@@ -100,7 +100,7 @@ + if (check_nt_auth(1, authctxt->pw) == 0) + return(0); + #endif +- if (options.password_authentication) ++ if (options.permit_empty_passwd && options.password_authentication) + return (PRIVSEP(auth_password(authctxt, ""))); + return (0); + } diff --git a/openssh.spec b/openssh.spec index e35ca02..196595c 100644 --- a/openssh.spec +++ b/openssh.spec @@ -35,9 +35,6 @@ %define pie 0 %endif -# Disable IPv6 (avoids DNS hangs on some glibc versions) -%define noip6 0 - # Do we want kerberos5 support (1=yes 0=no) %define kerberos5 1 @@ -49,13 +46,17 @@ %{?skip_x11_askpass:%define no_x11_askpass 1} %{?skip_gnome_askpass:%define no_gnome_askpass 1} +# Add option to build without GTK2 for older platforms with only GTK+. +# RedHat <= 7.2 and Red Hat Advanced Server 2.1 are examples. +# rpm -ba|--rebuild --define 'no_gtk2 1' +%{?no_gtk2:%define gtk2 0} + # Is this a build for RHL 6.x or earlier? %{?build_6x:%define build6x 1} # If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc. %if %{build6x} %define _sysconfdir /etc -%define noip6 1 %endif # Options for static OpenSSL link: @@ -66,10 +67,6 @@ # rpm -ba|--rebuild --define "smartcard 1" %{?smartcard:%define scard 1} -# Option to disable ipv6 -# rpm -ba|--rebuild --define "noipv6 1" -%{?noipv6:%define noip6 1} - # Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no) %define rescue 0 %{?build_rescue:%define rescue 1} @@ -81,8 +78,8 @@ Summary: The OpenSSH implementation of SSH protocol versions 1 and 2. Name: openssh -Version: 3.6.1p2 -%define rel 36 +Version: 3.8.1p1 +%define rel 1 %if %{rescue} Release: %{rel}rescue %else @@ -92,17 +89,13 @@ URL: http://www.openssh.com/portable.html Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig Source2: http://www.pobox.com/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz -Patch0: openssh-SNAP-20020220-redhat.patch +Patch0: openssh-3.8.1p1-redhat.patch Patch1: openssh-3.6.1p2-groups.patch -Patch2: openssh-3.5p1-multilib-pam.patch -Patch3: openssh-buffer-size.patch -Patch4: openssh-3.5p1-skip-initial.patch -Patch5: openssh-3.6.1p2-owl-realloc.diff -Patch6: openssh-3.7.1-buffer-double-free.patch -Patch7: openssh-getsockopt-nowhinge.patch -Patch8: openssh-3.6.1p1-owl-password-changing.diff -Patch11: http://www.sxw.org.uk/computing/patches/openssh-3.6.1p2-gssapi-20030430.diff +Patch2: openssh-3.8.1p1-skip-initial.patch +Patch3: openssh-3.8.1p1-krb5-config.patch +Patch4: openssh-3.8.1p1-pam_password.patch Patch12: openssh-selinux.patch +Patch20: openssh-3.8p1-gssapimitm.patch License: BSD Group: Applications/Internet BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot @@ -120,8 +113,8 @@ PreReq: initscripts >= 5.20 %if %{gtk2} BuildPreReq: gtk2-devel %endif -BuildPreReq: openssl-devel, perl, sharutils, tcp_wrappers, zlib-devel -BuildPreReq: /bin/login +BuildPreReq: autoconf, openssl-devel, perl, sharutils, tcp_wrappers, zlib-devel +BuildPreReq: /bin/login, xauth %if %{build6x} BuildPreReq: glibc-devel, pam @@ -216,26 +209,19 @@ environment. %endif %patch0 -p1 -b .redhat %patch1 -p1 -b .groups -%patch2 -p1 -b .multilib-pam -%patch3 -p0 -b .buffer-size -%patch4 -p1 -b .skip-initial -%patch5 -p1 -b .owl-realloc -%patch6 -p3 -b .buffer-double-free -%patch7 -p1 -b .getsockopt -%patch8 -p1 -b .password-changing - -# Apply gss-specific patches only if the release tag includes "gss". (Not -# to be used for actual releases until it's in the mainline.) -if echo "%{release}" | grep -q gss; then -%patch11 -p1 -b .gssapi -autoreconf -fi +%patch2 -p1 -b .skip-initial +%patch3 -p1 -b .krb5-config +%patch4 -p0 -b .pam_password %if %{WITH_SELINUX} #SELinux %patch12 -p1 -b .selinux %endif +#%patch20 -p0 -b .gssapimitm + +autoconf + %build CFLAGS="$RPM_OPT_FLAGS"; export CFLAGS %if %{rescue} @@ -278,14 +264,11 @@ fi %if %{scard} --with-smartcard \ %endif -%if %{noip6} - --with-ipv4-default \ -%endif %if %{build6x} --with-ipv4-default \ %endif %if %{rescue} - --without-pam --with-md5-passwords \ + --without-pam \ %else --with-pam \ %endif @@ -361,9 +344,11 @@ install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome rm -f $RPM_BUILD_ROOT%{_datadir}/openssh/Ssh.bin %endif +%if ! %{no_gnome_askpass} install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ +%endif perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/* @@ -448,7 +433,7 @@ fi %attr(0644,root,root) %{_mandir}/man1/slogin.1* %attr(0644,root,root) %{_mandir}/man5/ssh_config.5* %if ! %{rescue} -%attr(0755,root,root) %{_bindir}/ssh-agent +%attr(2755,root,nobody) %{_bindir}/ssh-agent %attr(0755,root,root) %{_bindir}/ssh-add %attr(0755,root,root) %{_bindir}/ssh-keyscan %attr(0755,root,root) %{_bindir}/sftp @@ -491,9 +476,18 @@ fi %endif %changelog +* Mon Jun 7 2004 Nalin Dahyabhai 3.8.1p1-1 +- request gssapi-with-mic by default but not delegation (flag day for anyone + who used previous gssapi patches) +- no longer request x11 forwarding by default + * Thu Jun 3 2004 Daniel Walsh 3.6.1p2-36 - Change pam file to use open and close with pam_selinux +* Tue Jun 1 2004 Nalin Dahyabhai 3.8.1p1-0 +- update to 3.8.1p1 +- add workaround from CVS to reintroduce passwordauth using pam + * Tue Jun 1 2004 Daniel Walsh 3.6.1p2-35 - Remove CLOSEXEC on STDERR diff --git a/sources b/sources index b59349c..b7e358a 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -f3879270bffe479e1bd057aa36258696 openssh-3.6.1p2.tar.gz +1dbfd40ae683f822ae917eebf171ca42 openssh-3.8.1p1.tar.gz 8f2e41f3f7eaa8543a2440454637f3c3 x11-ssh-askpass-1.2.4.1.tar.gz