author | Mike Frysinger <vapier@gentoo.org> | 2007-08-25 17:41:37 +0000 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2007-08-25 17:41:37 +0000 |
commit | 63c18ac5185cfaa2e3a91d66bd968e1f08ac9e5e (patch) | |
tree | 8716d29281154cead8f2127efe2e511d1162a9bf /net-misc/openssh/files | |
parent | amd64 stable (diff) | |
download | historical-63c18ac5185cfaa2e3a91d66bd968e1f08ac9e5e.tar.gz historical-63c18ac5185cfaa2e3a91d66bd968e1f08ac9e5e.tar.bz2 historical-63c18ac5185cfaa2e3a91d66bd968e1f08ac9e5e.zip |
old
Diffstat (limited to 'net-misc/openssh/files')
31 files changed, 0 insertions, 1731 deletions
diff --git a/net-misc/openssh/files/digest-openssh-3.9_p1-r3 b/net-misc/openssh/files/digest-openssh-3.9_p1-r3
deleted file mode 100644
index b44ac04c86a1..000000000000
--- a/net-misc/openssh/files/digest-openssh-3.9_p1-r3
+++ /dev/null
@@ -1,12 +0,0 @@
-MD5 1187a9e000e4a78575e1986249861a2b openssh-3.9p1+x509-5.3.diff.gz 126331
-RMD160 7b33dc161664f7bc155a19a09c603b1938924b75 openssh-3.9p1+x509-5.3.diff.gz 126331
-SHA256 4d1a8cc0a40d45a3e8f5ffa3fa70ad8d5b4141adf0e04c1643acf30ff80899df openssh-3.9p1+x509-5.3.diff.gz 126331
-MD5 b91d73e58e2b72aecb3025ee550411fb openssh-3.9p1-hpn11.diff 13237
-RMD160 02e9a3c12e289ef7dea5b7d81ec5b2e06580b7d0 openssh-3.9p1-hpn11.diff 13237
-SHA256 ce83e3c38fe79c85f371e8e1a47d45085dd08b7e4604f7291264e36d9ebb35fe openssh-3.9p1-hpn11.diff 13237
-MD5 8e1774d0b52aff08f817f3987442a16e openssh-3.9p1.tar.gz 854027
-RMD160 e4abf280a18e3ae046d0dee19dab919bba8e5568 openssh-3.9p1.tar.gz 854027
-SHA256 e119eb9b09c13ddd945a0105f19b05983e62de0bac167264f055f93115048090 openssh-3.9p1.tar.gz 854027
-MD5 e6b4c237887d76819e4c626016077907 openssh-lpk-3.9p1-0.3.6.patch 60920
-RMD160 0fdde5cf35e1fe59a428d330509f6964ff3402ed openssh-lpk-3.9p1-0.3.6.patch 60920
-SHA256 f4732659ec8e222a8d80741a8e7975ffde089ab985fcad3c986d087732de7c33 openssh-lpk-3.9p1-0.3.6.patch 60920
diff --git a/net-misc/openssh/files/digest-openssh-4.0_p1-r2 b/net-misc/openssh/files/digest-openssh-4.0_p1-r2
deleted file mode 100644
index 48f8c89a4335..000000000000
--- a/net-misc/openssh/files/digest-openssh-4.0_p1-r2
+++ /dev/null
@@ -1,15 +0,0 @@
-MD5 79f5648305c8b8a1bc1414e8f6c6134c openssh-4.0p1+SecurID_v1.3.1.patch 610662
-RMD160 6dc56b0d6c4ec46d2a75fbdecd60e914cae190d3 openssh-4.0p1+SecurID_v1.3.1.patch 610662
-SHA256 0961df23c431b50fee300ccafa318d6526b8347a50b55dec4e790d9f21f637e1 openssh-4.0p1+SecurID_v1.3.1.patch 610662
-MD5 36b87d7b49ca92d066363d38d1251859 openssh-4.0p1+x509-5.2.diff.gz 123547
-RMD160 6361ea898e31860e07c88830cd0a4c9a000c0f26 openssh-4.0p1+x509-5.2.diff.gz 123547
-SHA256 021161975d906bd2982214f9ecd42fa3d83cf3301b4247dbb8c9a8e579900665 openssh-4.0p1+x509-5.2.diff.gz 123547
-MD5 997c4f320c171d7dce1e00fba481ccf2 openssh-4.0p1-hpn11.diff 14225
-RMD160 07f90806e32f7d2d34eb0048a2a016273c760199 openssh-4.0p1-hpn11.diff 14225
-SHA256 58c5d84cc3ae13f0bb3e30416db5913a986e4ef050359d3721219c78e0554889 openssh-4.0p1-hpn11.diff 14225
-MD5 7b36f28fc16e1b7f4ba3c1dca191ac92 openssh-4.0p1.tar.gz 889880
-RMD160 e0b48aaa92e7a697c8e344d3e148c16ac20b919c openssh-4.0p1.tar.gz 889880
-SHA256 5adb9b2c2002650e15216bf94ed9db9541d9a17c96fcd876784861a8890bc92b openssh-4.0p1.tar.gz 889880
-MD5 28ffb4f9c62e73f2e0f436f88ee1d718 openssh-lpk-4.0p1-0.3.6.patch 60557
-RMD160 da57dcc8078c127abea0dc4017399cd5c3f8eee2 openssh-lpk-4.0p1-0.3.6.patch 60557
-SHA256 61b244eb4c15db9c1a9b575be23afcbe6a30a248a2abbda0de18f0791842dbad openssh-lpk-4.0p1-0.3.6.patch 60557
diff --git a/net-misc/openssh/files/digest-openssh-4.1_p1-r1 b/net-misc/openssh/files/digest-openssh-4.1_p1-r1
deleted file mode 100644
index 38255c51de97..000000000000
--- a/net-misc/openssh/files/digest-openssh-4.1_p1-r1
+++ /dev/null
@@ -1,15 +0,0 @@
-MD5 7c5798757b7efc79a897f92de5f80539 openssh-4.1p1+SecurID_v1.3.1.patch 612445
-RMD160 f0aff5cba4f0155146b79a5b63dde7c9e60538a3 openssh-4.1p1+SecurID_v1.3.1.patch 612445
-SHA256 4e249ede6481b8baf711c39463c664cbc9b132690cb8d8863594d65ec0d871f0 openssh-4.1p1+SecurID_v1.3.1.patch 612445
-MD5 ebc18c981d3a1d6b3772b14316f6d5ad openssh-4.1p1+x509-5.2.diff.gz 123415
-RMD160 87a1bf01884a29d0df790a60478d108e0d52474a openssh-4.1p1+x509-5.2.diff.gz 123415
-SHA256 83eb6c2cd68199bf471c00af4780be3eae930f24a428dc4cc14405c63957fded openssh-4.1p1+x509-5.2.diff.gz 123415
-MD5 7a9abefaf7078da86ac2e70bf154127f openssh-4.1p1-hpn11.diff 14223
-RMD160 1f364093a3a3c8e9627f8b7d5fafcf488df001cf openssh-4.1p1-hpn11.diff 14223
-SHA256 34fb3e7966b8bd37c48661b6484112924b3997fe655d76f61a4d691e0559050c openssh-4.1p1-hpn11.diff 14223
-MD5 959c663e709c981f07a3315bfd64f3d0 openssh-4.1p1.tar.gz 894234
-RMD160 7904611ca9c7913af56e8805450f239b9187ce6a openssh-4.1p1.tar.gz 894234
-SHA256 8331394f9dae92fda26811aff4a3775fb1e10945de5afc780f70f31d98ce4c0a openssh-4.1p1.tar.gz 894234
-MD5 b779906d657d63794144cabe2bf978b8 openssh-lpk-4.1p1-0.3.6.patch 60312
-RMD160 489d8be3b66ad5dad4b23fa61b9423be43e891ad openssh-lpk-4.1p1-0.3.6.patch 60312
-SHA256 318d8b70e423c014069157535eecb2c943f42fec4b14d3f6a65350c1edd66540 openssh-lpk-4.1p1-0.3.6.patch 60312
diff --git a/net-misc/openssh/files/digest-openssh-4.2_p1-r1 b/net-misc/openssh/files/digest-openssh-4.2_p1-r1
deleted file mode 100644
index 84d74f3751f6..000000000000
--- a/net-misc/openssh/files/digest-openssh-4.2_p1-r1
+++ /dev/null
@@ -1,15 +0,0 @@
-MD5 6c89525f43b93fb2671af345dd85783b openssh-4.2p1+SecurID_v1.3.2.patch 616248
-RMD160 71edbd3bd63b81d65ca7e755d0d89d631e77bb36 openssh-4.2p1+SecurID_v1.3.2.patch 616248
-SHA256 272429d32e0d5e4188faac605e730d70ee507d10700ab06bf627ef88ae0e3e36 openssh-4.2p1+SecurID_v1.3.2.patch 616248
-MD5 f2317f7a413f1d132a37e036166975b1 openssh-4.2p1+x509-5.5.diff.gz 133405
-RMD160 fba6bc99857d890cda0e5a88bf195b7e327f0aff openssh-4.2p1+x509-5.5.diff.gz 133405
-SHA256 42509cdd9edce6e6f2cb635cb480bfc0e3c0f26a0747760559742355a8b1ddce openssh-4.2p1+x509-5.5.diff.gz 133405
-MD5 4b8f0befa09f234d6e7f1a5849b86197 openssh-4.2p1-hpn11.diff 14765
-RMD160 c3cd4cbb53094fb1f248a780c3e5a05af2585f88 openssh-4.2p1-hpn11.diff 14765
-SHA256 0819c71dd48805ae0015b1744d9da746a71df4fac11b88cac227e7d9a991e46a openssh-4.2p1-hpn11.diff 14765
-MD5 df899194a340c933944b193477c628fa openssh-4.2p1.tar.gz 914165
-RMD160 e1f45333e66d0afceb9934ab73401b4ca06f03a6 openssh-4.2p1.tar.gz 914165
-SHA256 2a61e84b36958c0af19e4f6f9f3e27f8ed432a5188d654e26602402fd4047f6d openssh-4.2p1.tar.gz 914165
-MD5 b779906d657d63794144cabe2bf978b8 openssh-lpk-4.1p1-0.3.6.patch 60312
-RMD160 489d8be3b66ad5dad4b23fa61b9423be43e891ad openssh-lpk-4.1p1-0.3.6.patch 60312
-SHA256 318d8b70e423c014069157535eecb2c943f42fec4b14d3f6a65350c1edd66540 openssh-lpk-4.1p1-0.3.6.patch 60312
diff --git a/net-misc/openssh/files/digest-openssh-4.3_p2-r5 b/net-misc/openssh/files/digest-openssh-4.3_p2-r5
deleted file mode 100644
index adb9f80e2b55..000000000000
--- a/net-misc/openssh/files/digest-openssh-4.3_p2-r5
+++ /dev/null
@@ -1,15 +0,0 @@
-MD5 3611a21a0098c32416d4b8f75232c796 openssh-4.3p2+SecurID_v1.3.2.patch 47650
-RMD160 90c719e8b7576d06bda5fdfb86287bfa577c5e1a openssh-4.3p2+SecurID_v1.3.2.patch 47650
-SHA256 d6fc92a11c23f3fa0c77f50e6d76cb6c6635ae4907df724a12e460b90c90e988 openssh-4.3p2+SecurID_v1.3.2.patch 47650
-MD5 bc93a31436941ae32e7f9d20c592eca7 openssh-4.3p2+x509-5.5.diff.gz 136017
-RMD160 21069550bbb05ea22870da853f68ee9910b2b71e openssh-4.3p2+x509-5.5.diff.gz 136017
-SHA256 b62ee8afd927d9c97367ac738be55464327deacabf803a610159a98c569e72ad openssh-4.3p2+x509-5.5.diff.gz 136017
-MD5 41b69edab053387f5233798864fcec74 openssh-4.3p2-hpn12-gentoo.patch.bz2 13642
-RMD160 34fd5390d602a9ab99edb25756318cc0dd842360 openssh-4.3p2-hpn12-gentoo.patch.bz2 13642
-SHA256 14d8ec5601bf1977f583a45353213a2dc4e8a453e3fc9c7a65499d0645cc9063 openssh-4.3p2-hpn12-gentoo.patch.bz2 13642
-MD5 7e9880ac20a9b9db0d3fea30a9ff3d46 openssh-4.3p2.tar.gz 941455
-RMD160 ccd5967e3296347e6dd2be43c3d6caacde2b6833 openssh-4.3p2.tar.gz 941455
-SHA256 4ba757d6c933e7d075b6424124d92d197eb5d91e4a58794596b67f5f0ca21d4f openssh-4.3p2.tar.gz 941455
-MD5 d9eacb819a73daddb3d21ca7aa8e5c25 openssh-lpk-4.3p1-0.3.7.patch 60451
-RMD160 fda93b8ee3ef9b633947784fe84a9eed2acbd325 openssh-lpk-4.3p1-0.3.7.patch 60451
-SHA256 0bcfa28804caf685de2248ddc966666196f6df81d1d058066f2da17714518af4 openssh-lpk-4.3p1-0.3.7.patch 60451
diff --git a/net-misc/openssh/files/openssh-3.9_p1-chroot.patch b/net-misc/openssh/files/openssh-3.9_p1-chroot.patch
deleted file mode 100644
index c903673de7c7..000000000000
--- a/net-misc/openssh/files/openssh-3.9_p1-chroot.patch
+++ /dev/null
@@ -1,74 +0,0 @@ -################################################################################ -################################################################################ -# # -# Original patch by Ricardo Cerqueira <rmcc@clix.pt> # -# # -# Updated by James Dennis <james@firstaidmusic.com> for openssh-3.7.1p2 # -# # -# A patch to cause sshd to chroot when it encounters the magic token # -# '/./' in a users home directory. The directory portion before the # -# token is the directory to chroot() to, the portion after the # -# token is the user's home directory relative to the new root. # -# # -# Patch source using: patch -p0 < /path/to/patch # -# # -# Systems with a bad diff (doesn't understand -u or -N) should use gnu diff. # -# Solaris may store this as gdiff under /opt/sfw/bin. I can't say much about # -# other systems (unless you email me your experiences!). # -# # -################################################################################ -################################################################################ - -diff -uNr openssh-3.7.1p2/session.c openssh-3.7.1p2-chroot/session.c ---- openssh-3.7.1p2/session.c Tue Sep 23 04:59:08 2003 -+++ openssh-3.7.1p2-chroot/session.c Fri Sep 26 13:42:52 2003 -@@ -58,6 +58,8 @@ - #include "session.h" - #include "monitor_wrap.h" - -+#define CHROOT -+ - #ifdef GSSAPI - #include "ssh-gss.h" - #endif -@@ -1231,6 +1233,12 @@ - void - do_setusercontext(struct passwd *pw) - { -+ -+#ifdef CHROOT -+ char *user_dir; -+ char *new_root; -+#endif /* CHROOT */ -+ - #ifndef HAVE_CYGWIN - if (getuid() == 0 || geteuid() == 0) - #endif /* HAVE_CYGWIN */ -@@ -1268,6 +1276,27 @@ - do_pam_setcred(0); - } - # endif /* USE_PAM */ -+ -+#ifdef CHROOT -+ user_dir = xstrdup(pw->pw_dir); -+ new_root = user_dir + 1; -+ -+ while((new_root = strchr(new_root, '.')) != NULL) { -+ new_root--; -+ if(strncmp(new_root, "/./", 3) == 0) { -+ *new_root = '\0'; -+ new_root += 2; -+ -+ if(chroot(user_dir) != 0) -+ fatal("Couldn't chroot to 
user directory %s", user_dir); -+ pw->pw_dir = new_root; -+ break; -+ } -+ new_root += 2; -+ } -+#endif /* CHROOT */ -+ -+ - # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) - irix_setusercontext(pw); - # endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */ diff --git a/net-misc/openssh/files/openssh-3.9_p1-configure-openct.patch b/net-misc/openssh/files/openssh-3.9_p1-configure-openct.patch deleted file mode 100644 index f6a3bab23cc1..000000000000 --- a/net-misc/openssh/files/openssh-3.9_p1-configure-openct.patch +++ /dev/null @@ -1,34 +0,0 @@ -The --without-opensc logic is broken, so let's fix it. - -patch by Stian Skjelstad. - -http://bugs.gentoo.org/show_bug.cgi?id=78730 - ---- openssh-3.9p1/configure.ac -+++ openssh-3.9p1/configure.ac -@@ -2171,9 +2171,9 @@ - AC_ARG_WITH(opensc, - AC_HELP_STRING([--with-opensc=PFX], - [Enable smartcard support using OpenSC]), -- opensc_config_prefix="$withval", opensc_config_prefix="") --if test x$opensc_config_prefix != x ; then -- OPENSC_CONFIG=$opensc_config_prefix/bin/opensc-config -+ [ -+if test "x$withval" != xno ; then -+ OPENSC_CONFIG="$withval/bin/opensc-config" - AC_PATH_PROG(OPENSC_CONFIG, opensc-config, no) - if test "$OPENSC_CONFIG" != "no"; then - LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags` -@@ -2183,8 +2183,12 @@ - AC_DEFINE(SMARTCARD) - AC_DEFINE(USE_OPENSC) - SCARD_MSG="yes, using OpenSC" -+ else -+ AC_MSG_ERROR([opensc-config not found]) - fi - fi -+ ] -+) - - # Check libraries needed by DNS fingerprint support - AC_SEARCH_LIBS(getrrsetbyname, resolv, diff --git a/net-misc/openssh/files/openssh-3.9_p1-fix_suid-x509.patch b/net-misc/openssh/files/openssh-3.9_p1-fix_suid-x509.patch deleted file mode 100644 index 1d993146b160..000000000000 --- a/net-misc/openssh/files/openssh-3.9_p1-fix_suid-x509.patch +++ /dev/null 
@@ -1,11 +0,0 @@ ---- Makefile.in -+++ Makefile.in -@@ -149,7 +149,7 @@ - $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) - - ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o $(X509STORE_OBJS) -- $(LD) -o $@ ssh-keysign.o readconf.o $(X509STORE_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBLDAP) $(LIBS) -+ $(LD) -o $@ ssh-keysign.o readconf.o $(X509STORE_OBJS) $(LDFLAGS) -Wl,-z,now -lssh -lopenbsd-compat $(LIBLDAP) $(LIBS) - - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o - $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) diff --git a/net-misc/openssh/files/openssh-3.9_p1-fix_suid.patch b/net-misc/openssh/files/openssh-3.9_p1-fix_suid.patch deleted file mode 100644 index 207907af61ce..000000000000 --- a/net-misc/openssh/files/openssh-3.9_p1-fix_suid.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- Makefile.in -+++ Makefile.in -@@ -149,7 +149,7 @@ - $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) - - ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o -- $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -Wl,-z,now -lssh -lopenbsd-compat $(LIBS) - - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o - $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) diff --git a/net-misc/openssh/files/openssh-3.9_p1-infoleak.patch b/net-misc/openssh/files/openssh-3.9_p1-infoleak.patch deleted file mode 100644 index c47020047304..000000000000 --- a/net-misc/openssh/files/openssh-3.9_p1-infoleak.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -openssh has an information leak related to timing under some conditions - -nothing special - -http://bugs.gentoo.org/show_bug.cgi?id=59361 - -Index: auth2-chall.c -=================================================================== -RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v -retrieving revision 1.21 -diff -u -p -r1.21 auth2-chall.c ---- auth2-chall.c 1 Jun 2004 14:20:45 -0000 1.21 -+++ auth2-chall.c 6 Jul 2004 12:13:10 -0000 -@@ -268,12 +268,9 @@ input_userauth_info_response(int type, u - } - packet_check_eom(); - -- if (authctxt->valid) { -- res = kbdintctxt->device->respond(kbdintctxt->ctxt, -- nresp, response); -- } else { -- res = -1; -- } -+ res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response); -+ if (!authctxt->valid) -+ res = 1; /* keep going if login invalid */ - - for (i = 0; i < nresp; i++) { - memset(response[i], 'r', strlen(response[i])); -@@ -285,7 +282,7 @@ input_userauth_info_response(int type, u - switch (res) { - case 0: - /* Success! */ -- authenticated = 1; -+ authenticated = authctxt->valid ? 
1 : 0; - break; - case 1: - /* Authentication needs further interaction */ -Index: auth-pam.c -=================================================================== -RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v -retrieving revision 1.118 -diff -u -p -r1.118 auth-pam.c ---- auth-pam.c 16 Oct 2004 08:52:44 -0000 1.118 -+++ auth-pam.c 20 Nov 2004 02:40:58 -0000 -@@ -186,6 +186,7 @@ static int sshpam_account_status = -1; - static char **sshpam_env = NULL; - static Authctxt *sshpam_authctxt = NULL; - static const char *sshpam_password = NULL; -+static char badpw[] = "\b\n\r\177INCORRECT"; - - /* Some PAM implementations don't implement this */ - #ifndef HAVE_PAM_GETENVLIST -@@ -746,7 +747,12 @@ sshpam_respond(void *ctx, u_int num, cha - return (-1); - } - buffer_init(&buffer); -- buffer_put_cstring(&buffer, *resp); -+ if (sshpam_authctxt->valid && -+ (sshpam_authctxt->pw->pw_uid != 0 || -+ options.permit_root_login == PERMIT_YES)) -+ buffer_put_cstring(&buffer, *resp); -+ else -+ buffer_put_cstring(&buffer, badpw); - if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) { - buffer_free(&buffer); - return (-1); -@@ -1093,7 +1097,6 @@ sshpam_auth_passwd(Authctxt *authctxt, c - { - int flags = (options.permit_empty_passwd == 0 ? - PAM_DISALLOW_NULL_AUTHTOK : 0); -- static char badpw[] = "\b\n\r\177INCORRECT"; - - if (!options.use_pam || sshpam_handle == NULL) - fatal("PAM: %s called when PAM disabled or failed to " diff --git a/net-misc/openssh/files/openssh-3.9_p1-kerberos-detection.patch b/net-misc/openssh/files/openssh-3.9_p1-kerberos-detection.patch deleted file mode 100644 index 850e72ea9ed6..000000000000 --- a/net-misc/openssh/files/openssh-3.9_p1-kerberos-detection.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -Seems that even if you do `./configure --without-kerberos`, configure -will still search for some krb headers/libs, evil! - -http://bugs.gentoo.org/show_bug.cgi?id=80811 - ---- configure.ac -+++ configure.ac -@@ -2464,7 +2464,6 @@ - if test ! -z "$blibpath" ; then - blibpath="$blibpath:${KRB5ROOT}/lib" - fi -- fi - - AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h) - AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h) -@@ -2473,6 +2472,7 @@ - LIBS="$LIBS $K5LIBS" - AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE(USE_AFS)) - AC_SEARCH_LIBS(krb5_init_ets, $K5LIBS, AC_DEFINE(KRB5_INIT_ETS)) -+ fi - ] - ) - diff --git a/net-misc/openssh/files/openssh-3.9_p1-pamfix.patch b/net-misc/openssh/files/openssh-3.9_p1-pamfix.patch deleted file mode 100644 index c1f060fd4083..000000000000 --- a/net-misc/openssh/files/openssh-3.9_p1-pamfix.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -Index: auth-chall.c -=================================================================== -RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-chall.c,v -retrieving revision 1.14 ---- auth-chall.c -+++ auth-chall.c -@@ -28,11 +28,13 @@ RCSID("$OpenBSD: auth-chall.c,v 1.9 2003 - #include "auth.h" - #include "log.h" - #include "xmalloc.h" -+#include "servconf.h" - - /* limited protocol v1 interface to kbd-interactive authentication */ - - extern KbdintDevice *devices[]; - static KbdintDevice *device; -+extern ServerOptions options; - - char * - get_challenge(Authctxt *authctxt) -@@ -40,6 +42,11 @@ get_challenge(Authctxt *authctxt) - char *challenge, *name, *info, **prompts; - u_int i, numprompts; - u_int *echo_on; -+ -+#ifdef USE_PAM -+ if (!options.use_pam) -+ remove_kbdint_device("pam"); -+#endif - - device = devices[0]; /* we always use the 1st device for protocol 1 */ - if (device == NULL) -Index: auth.h -=================================================================== -RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.h,v -retrieving revision 1.63 ---- auth.h -+++ auth.h -@@ -130,6 +130,8 @@ int auth_shadow_pwexpired(Authctxt *); - #endif - - #include "auth-pam.h" -+void remove_kbdint_device(const char *); -+ - void disable_forwarding(void); - - void do_authentication(Authctxt *); -Index: auth2-chall.c -=================================================================== -RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth2-chall.c,v -retrieving revision 1.23 ---- auth2-chall.c -+++ auth2-chall.c -@@ -32,6 +32,10 @@ RCSID("$OpenBSD: auth2-chall.c,v 1.21 20 - #include "xmalloc.h" - #include "dispatch.h" - #include "log.h" -+#include "servconf.h" -+ -+/* import */ -+extern ServerOptions options; - - static int auth2_challenge_start(Authctxt *); - static int send_userauth_info_request(Authctxt *); -@@ -71,12 +75,32 @@ struct KbdintAuthctxt - u_int nreq; - }; - -+#ifdef USE_PAM -+void -+remove_kbdint_device(const 
char *devname) -+{ -+ int i, j; -+ -+ for (i = 0; devices[i] != NULL; i++) -+ if (strcmp(devices[i]->name, devname) == 0) { -+ for (j = i; devices[j] != NULL; j++) -+ devices[j] = devices[j+1]; -+ i--; -+ } -+} -+#endif -+ - static KbdintAuthctxt * - kbdint_alloc(const char *devs) - { - KbdintAuthctxt *kbdintctxt; - Buffer b; - int i; -+ -+#ifdef USE_PAM -+ if (!options.use_pam) -+ remove_kbdint_device("pam"); -+#endif - - kbdintctxt = xmalloc(sizeof(KbdintAuthctxt)); - if (strcmp(devs, "") == 0) { diff --git a/net-misc/openssh/files/openssh-3.9_p1-selinux.diff b/net-misc/openssh/files/openssh-3.9_p1-selinux.diff deleted file mode 100644 index ae57ba3c461c..000000000000 --- a/net-misc/openssh/files/openssh-3.9_p1-selinux.diff +++ /dev/null 
@@ -1,107 +0,0 @@ ---- openssh-3.7.1p1/Makefile.in -+++ openssh-3.7.1p1/Makefile.in -@@ -40,7 +40,7 @@ - - CC=@CC@ - LD=@LD@ --CFLAGS=@CFLAGS@ -+CFLAGS=@CFLAGS@ -DWITH_SELINUX - CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ - LIBS=@LIBS@ - LIBPAM=@LIBPAM@ -@@ -53,7 +53,7 @@ - SED=@SED@ - ENT=@ENT@ - XAUTH_PATH=@XAUTH_PATH@ --LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@ -+LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@ -lselinux - EXEEXT=@EXEEXT@ - - INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ ---- openssh-3.7.1p1/session.c -+++ openssh-3.7.1p1/session.c -@@ -66,6 +66,11 @@ - #include "ssh-gss.h" - #endif - -+#ifdef WITH_SELINUX -+#include <selinux/get_context_list.h> -+#include <selinux/selinux.h> -+#endif -+ - /* func */ - - Session *session_new(void); -@@ -1304,6 +1309,19 @@ - #endif - if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) - fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); -+#ifdef WITH_SELINUX -+ if (is_selinux_enabled()) -+ { -+ security_context_t scontext; -+ if (get_default_context(pw->pw_name,NULL,&scontext)) -+ fatal("Failed to get default security context for %s.", pw->pw_name); -+ if (setexeccon(scontext)) { -+ freecon(scontext); -+ fatal("Failed to set exec security context %s for %s.", scontext, pw->pw_name); -+ } -+ freecon(scontext); -+ } -+#endif - } - - static void ---- openssh-3.7.1p1/sshpty.c -+++ openssh-3.7.1p1/sshpty.c -@@ -30,6 +30,12 @@ - #define O_NOCTTY 0 - #endif - -+#ifdef WITH_SELINUX -+#include <selinux/flask.h> -+#include <selinux/get_context_list.h> -+#include <selinux/selinux.h> -+#endif -+ - /* - * Allocates and opens a pty. Returns 0 if no pty could be allocated, or - * nonzero if a pty was successfully allocated. On success, open file -@@ -196,6 +202,37 @@ - * Warn but continue if filesystem is read-only and the uids match/ - * tty is owned by root. 
- */ -+#ifdef WITH_SELINUX -+ if (is_selinux_enabled()) { -+ security_context_t new_tty_context=NULL, -+ user_context=NULL, old_tty_context=NULL; -+ -+ if (get_default_context(pw->pw_name,NULL,&user_context)) -+ fatal("Failed to get default security context for %s.", pw->pw_name); -+ -+ if (getfilecon(tty, &old_tty_context)<0) { -+ error("getfilecon(%.100s) failed: %.100s", tty, -+ strerror(errno)); -+ } -+ else -+ { -+ if ( security_compute_relabel(user_context,old_tty_context,SECCLASS_CHR_FILE,&new_tty_context)!=0) { -+ error("security_compute_relabel(%.100s) failed: %.100s", tty, -+ strerror(errno)); -+ } -+ else -+ { -+ if (setfilecon (tty, new_tty_context) != 0) { -+ error("setfilecon(%.100s, %s) failed: %.100s", -+ tty, new_tty_context, strerror(errno)); -+ } -+ freecon(new_tty_context); -+ } -+ freecon(old_tty_context); -+ } -+ freecon(user_context); -+ } -+#endif - if (stat(tty, &st)) - fatal("stat(%.100s) failed: %.100s", tty, - strerror(errno)); diff --git a/net-misc/openssh/files/openssh-3.9_p1-sftplogging-1.2-gentoo.patch.bz2 b/net-misc/openssh/files/openssh-3.9_p1-sftplogging-1.2-gentoo.patch.bz2 Binary files differdeleted file mode 100644 index 6a11945ce66b..000000000000 --- a/net-misc/openssh/files/openssh-3.9_p1-sftplogging-1.2-gentoo.patch.bz2 +++ /dev/null diff --git a/net-misc/openssh/files/openssh-3.9_p1-skey.patch b/net-misc/openssh/files/openssh-3.9_p1-skey.patch deleted file mode 100644 index 2ae24fe726bd..000000000000 --- a/net-misc/openssh/files/openssh-3.9_p1-skey.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- configure.ac -+++ configure.ac -@@ -721,7 +721,7 @@ - [ - #include <stdio.h> - #include <skey.h> --int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); } -+int main() { char *ff = "true"; ff=""; exit(0); } - ], - [AC_MSG_RESULT(yes)], - [ diff --git a/net-misc/openssh/files/openssh-3.9_p1-terminal_restore.patch b/net-misc/openssh/files/openssh-3.9_p1-terminal_restore.patch deleted file mode 100644 index 0bbfdd99ef40..000000000000 
--- a/net-misc/openssh/files/openssh-3.9_p1-terminal_restore.patch +++ /dev/null @@ -1,29 +0,0 @@ ---- scp.c -+++ scp.c -@@ -112,8 +112,10 @@ - static void - killchild(int signo) - { -- if (do_cmd_pid > 1) -+ if (do_cmd_pid > 1) { - kill(do_cmd_pid, signo); -+ waitpid(do_cmd_pid, NULL, 0); -+ } - - _exit(1); - } ---- sftp.c -+++ sftp.c -@@ -144,9 +144,10 @@ - static void - killchild(int signo) - { -- if (sshpid > 1) -+ if (sshpid > 1) { - kill(sshpid, SIGTERM); -- -+ waitpid(sshpid, NULL, 0); -+ } - _exit(1); - } - diff --git a/net-misc/openssh/files/openssh-4.0_p1-sftplogging-1.2-gentoo.patch.bz2 b/net-misc/openssh/files/openssh-4.0_p1-sftplogging-1.2-gentoo.patch.bz2 Binary files differdeleted file mode 100644 index 074e6081d375..000000000000 --- a/net-misc/openssh/files/openssh-4.0_p1-sftplogging-1.2-gentoo.patch.bz2 +++ /dev/null diff --git a/net-misc/openssh/files/openssh-4.2_p1-CVE-2006-0225.patch b/net-misc/openssh/files/openssh-4.2_p1-CVE-2006-0225.patch deleted file mode 100644 index a683007f1ed2..000000000000 --- a/net-misc/openssh/files/openssh-4.2_p1-CVE-2006-0225.patch +++ /dev/null 
@@ -1,337 +0,0 @@ -Index: misc.c -=================================================================== -RCS file: /cvs/src/usr.bin/ssh/misc.c,v -retrieving revision 1.41 -retrieving revision 1.42 -diff -u -p -r1.41 -r1.42 ---- misc.c 5 Jan 2006 23:43:53 -0000 1.41 -+++ misc.c 31 Jan 2006 10:19:02 -0000 1.42 -@@ -383,12 +383,15 @@ void - addargs(arglist *args, char *fmt, ...) - { - va_list ap; -- char buf[1024]; -+ char *cp; - u_int nalloc; -+ int r; - - va_start(ap, fmt); -- vsnprintf(buf, sizeof(buf), fmt, ap); -+ r = vasprintf(&cp, fmt, ap); - va_end(ap); -+ if (r == -1) -+ fatal("addargs: argument too long"); - - nalloc = args->nalloc; - if (args->list == NULL) { -@@ -399,8 +402,42 @@ addargs(arglist *args, char *fmt, ...) - - args->list = xrealloc(args->list, nalloc * sizeof(char *)); - args->nalloc = nalloc; -- args->list[args->num++] = xstrdup(buf); -+ args->list[args->num++] = cp; - args->list[args->num] = NULL; -+} -+ -+void -+replacearg(arglist *args, u_int which, char *fmt, ...) -+{ -+ va_list ap; -+ char *cp; -+ int r; -+ -+ va_start(ap, fmt); -+ r = vasprintf(&cp, fmt, ap); -+ va_end(ap); -+ if (r == -1) -+ fatal("replacearg: argument too long"); -+ -+ if (which >= args->num) -+ fatal("replacearg: tried to replace invalid arg %d >= %d", -+ which, args->num); -+ xfree(args->list[which]); -+ args->list[which] = cp; -+} -+ -+void -+freeargs(arglist *args) -+{ -+ u_int i; -+ -+ if (args->list != NULL) { -+ for (i = 0; i < args->num; i++) -+ xfree(args->list[i]); -+ xfree(args->list); -+ args->nalloc = args->num = 0; -+ args->list = NULL; -+ } - } - - /* -Index: misc.h -=================================================================== -RCS file: /cvs/src/usr.bin/ssh/misc.h,v -retrieving revision 1.28 -retrieving revision 1.29 -diff -u -p -r1.28 -r1.29 ---- misc.h 8 Dec 2005 18:34:11 -0000 1.28 -+++ misc.h 31 Jan 2006 10:19:02 -0000 1.29 -@@ -38,7 +38,11 @@ struct arglist { - u_int num; - u_int nalloc; - }; --void addargs(arglist *, char *, ...) 
__attribute__((format(printf, 2, 3))); -+void addargs(arglist *, char *, ...) -+ __attribute__((format(printf, 2, 3))); -+void replacearg(arglist *, u_int, char *, ...) -+ __attribute__((format(printf, 3, 4))); -+void freeargs(arglist *); - - /* readpass.c */ - -Index: scp.c -=================================================================== -RCS file: /cvs/src/usr.bin/ssh/scp.c,v -retrieving revision 1.128 -retrieving revision 1.129 -diff -u -p -r1.128 -r1.129 ---- scp.c 6 Dec 2005 22:38:27 -0000 1.128 -+++ scp.c 31 Jan 2006 10:19:02 -0000 1.129 -@@ -118,6 +118,48 @@ killchild(int signo) - exit(1); - } - -+static int -+do_local_cmd(arglist *a) -+{ -+ u_int i; -+ int status; -+ pid_t pid; -+ -+ if (a->num == 0) -+ fatal("do_local_cmd: no arguments"); -+ -+ if (verbose_mode) { -+ fprintf(stderr, "Executing:"); -+ for (i = 0; i < a->num; i++) -+ fprintf(stderr, " %s", a->list[i]); -+ fprintf(stderr, "\n"); -+ } -+ if ((pid = fork()) == -1) -+ fatal("do_local_cmd: fork: %s", strerror(errno)); -+ -+ if (pid == 0) { -+ execvp(a->list[0], a->list); -+ perror(a->list[0]); -+ exit(1); -+ } -+ -+ do_cmd_pid = pid; -+ signal(SIGTERM, killchild); -+ signal(SIGINT, killchild); -+ signal(SIGHUP, killchild); -+ -+ while (waitpid(pid, &status, 0) == -1) -+ if (errno != EINTR) -+ fatal("do_local_cmd: waitpid: %s", strerror(errno)); -+ -+ do_cmd_pid = -1; -+ -+ if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) -+ return (-1); -+ -+ return (0); -+} -+ - /* - * This function executes the given command as the specified user on the - * given host. This returns < 0 if execution fails, and >= 0 otherwise. 
This -@@ -162,7 +204,7 @@ do_cmd(char *host, char *remuser, char * - close(pin[0]); - close(pout[1]); - -- args.list[0] = ssh_program; -+ replacearg(&args, 0, "%s", ssh_program); - if (remuser != NULL) - addargs(&args, "-l%s", remuser); - addargs(&args, "%s", host); -@@ -225,8 +267,9 @@ main(int argc, char **argv) - /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ - sanitise_stdfd(); - -+ memset(&args, '\0', sizeof(args)); - args.list = NULL; -- addargs(&args, "ssh"); /* overwritten with ssh_program */ -+ addargs(&args, "%s", ssh_program); - addargs(&args, "-x"); - addargs(&args, "-oForwardAgent no"); - addargs(&args, "-oPermitLocalCommand no"); -@@ -363,6 +406,10 @@ toremote(char *targ, int argc, char **ar - { - int i, len; - char *bp, *host, *src, *suser, *thost, *tuser, *arg; -+ arglist alist; -+ -+ memset(&alist, '\0', sizeof(alist)); -+ alist.list = NULL; - - *targ++ = 0; - if (*targ == 0) -@@ -380,56 +427,48 @@ toremote(char *targ, int argc, char **ar - tuser = NULL; - } - -+ if (tuser != NULL && !okname(tuser)) { -+ xfree(arg); -+ return; -+ } -+ - for (i = 0; i < argc - 1; i++) { - src = colon(argv[i]); - if (src) { /* remote to remote */ -- static char *ssh_options = -- "-x -o'ClearAllForwardings yes'"; -+ freeargs(&alist); -+ addargs(&alist, "%s", ssh_program); -+ if (verbose_mode) -+ addargs(&alist, "-v"); -+ addargs(&alist, "-x"); -+ addargs(&alist, "-oClearAllForwardings yes"); -+ addargs(&alist, "-n"); -+ - *src++ = 0; - if (*src == 0) - src = "."; - host = strrchr(argv[i], '@'); -- len = strlen(ssh_program) + strlen(argv[i]) + -- strlen(src) + (tuser ? 
strlen(tuser) : 0) + -- strlen(thost) + strlen(targ) + -- strlen(ssh_options) + CMDNEEDS + 20; -- bp = xmalloc(len); -+ - if (host) { - *host++ = 0; - host = cleanhostname(host); - suser = argv[i]; - if (*suser == '\0') - suser = pwd->pw_name; -- else if (!okname(suser)) { -- xfree(bp); -- continue; -- } -- if (tuser && !okname(tuser)) { -- xfree(bp); -+ else if (!okname(suser)) - continue; -- } -- snprintf(bp, len, -- "%s%s %s -n " -- "-l %s %s %s %s '%s%s%s:%s'", -- ssh_program, verbose_mode ? " -v" : "", -- ssh_options, suser, host, cmd, src, -- tuser ? tuser : "", tuser ? "@" : "", -- thost, targ); -+ addargs(&alist, "-l"); -+ addargs(&alist, "%s", suser); - } else { - host = cleanhostname(argv[i]); -- snprintf(bp, len, -- "exec %s%s %s -n %s " -- "%s %s '%s%s%s:%s'", -- ssh_program, verbose_mode ? " -v" : "", -- ssh_options, host, cmd, src, -- tuser ? tuser : "", tuser ? "@" : "", -- thost, targ); - } -- if (verbose_mode) -- fprintf(stderr, "Executing: %s\n", bp); -- if (system(bp) != 0) -+ addargs(&alist, "%s", host); -+ addargs(&alist, "%s", cmd); -+ addargs(&alist, "%s", src); -+ addargs(&alist, "%s%s%s:%s", -+ tuser ? tuser : "", tuser ? "@" : "", -+ thost, targ); -+ if (do_local_cmd(&alist) != 0) - errs = 1; -- (void) xfree(bp); - } else { /* local to remote */ - if (remin == -1) { - len = strlen(targ) + CMDNEEDS + 20; -@@ -453,20 +492,23 @@ tolocal(int argc, char **argv) - { - int i, len; - char *bp, *host, *src, *suser; -+ arglist alist; -+ -+ memset(&alist, '\0', sizeof(alist)); -+ alist.list = NULL; - - for (i = 0; i < argc - 1; i++) { - if (!(src = colon(argv[i]))) { /* Local to local. */ -- len = strlen(_PATH_CP) + strlen(argv[i]) + -- strlen(argv[argc - 1]) + 20; -- bp = xmalloc(len); -- (void) snprintf(bp, len, "exec %s%s%s %s %s", _PATH_CP, -- iamrecursive ? " -r" : "", pflag ? 
" -p" : "", -- argv[i], argv[argc - 1]); -- if (verbose_mode) -- fprintf(stderr, "Executing: %s\n", bp); -- if (system(bp)) -+ freeargs(&alist); -+ addargs(&alist, "%s", _PATH_CP); -+ if (iamrecursive) -+ addargs(&alist, "-r"); -+ if (pflag) -+ addargs(&alist, "-p"); -+ addargs(&alist, "%s", argv[i]); -+ addargs(&alist, "%s", argv[argc-1]); -+ if (do_local_cmd(&alist)) - ++errs; -- (void) xfree(bp); - continue; - } - *src++ = 0; -Index: sftp.c -=================================================================== -RCS file: /cvs/src/usr.bin/ssh/sftp.c,v -retrieving revision 1.69 -retrieving revision 1.70 -diff -u -p -r1.69 -r1.70 ---- sftp.c 6 Dec 2005 22:38:27 -0000 1.69 -+++ sftp.c 31 Jan 2006 10:19:02 -0000 1.70 -@@ -1433,8 +1433,9 @@ main(int argc, char **argv) - extern char *optarg; - - __progname = ssh_get_progname(argv[0]); -+ memset(&args, '\0', sizeof(args)); - args.list = NULL; -- addargs(&args, "ssh"); /* overwritten with ssh_program */ -+ addargs(&args, ssh_program); - addargs(&args, "-oForwardX11 no"); - addargs(&args, "-oForwardAgent no"); - addargs(&args, "-oPermitLocalCommand no"); -@@ -1469,6 +1470,7 @@ main(int argc, char **argv) - break; - case 'S': - ssh_program = optarg; -+ replacearg(&args, 0, "%s", ssh_program); - break; - case 'b': - if (batchmode) -@@ -1545,7 +1547,6 @@ main(int argc, char **argv) - addargs(&args, "%s", host); - addargs(&args, "%s", (sftp_server != NULL ? - sftp_server : "sftp")); -- args.list[0] = ssh_program; - - if (!batchmode) - fprintf(stderr, "Connecting to %s...\n", host); -@@ -1558,6 +1559,7 @@ main(int argc, char **argv) - fprintf(stderr, "Attaching to %s...\n", sftp_direct); - connect_to_server(sftp_direct, args.list, &in, &out); - } -+ freeargs(&args); - - err = interactive_loop(in, out, file1, file2); - diff --git a/net-misc/openssh/files/openssh-4.2_p1-cross-compile.patch b/net-misc/openssh/files/openssh-4.2_p1-cross-compile.patch deleted file mode 100644 index 11652f88e702..000000000000 
--- a/net-misc/openssh/files/openssh-4.2_p1-cross-compile.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-Add fallback tests for cross-compile
-
-http://bugs.gentoo.org/120567
-http://bugzilla.mindrot.org/show_bug.cgi?id=1145
-
---- openssh/configure.ac
-+++ openssh/configure.ac
-@@ -1366,6 +1366,9 @@
- [
- AC_MSG_RESULT(no)
- AC_DEFINE(SSHD_ACQUIRES_CTTY)
-+ ],
-+ [
-+ AC_MSG_WARN([cross compiling: Assuming yes])
- ]
- )
- fi
-@@ -2959,13 +2964,12 @@
- [ etc_default_login=yes ]
- )
-
--if test "x$etc_default_login" != "xno"; then
-+if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
-+ AC_MSG_WARN([cross compiling: Disabling /etc/default/login test])
-+elif test "x$etc_default_login" != "xno"; then
- AC_CHECK_FILE("/etc/default/login",
- [ external_path_file=/etc/default/login ])
-- if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
-- then
-- AC_MSG_WARN([cross compiling: Disabling /etc/default/login test])
-- elif test "x$external_path_file" = "x/etc/default/login"; then
-+ if test "x$external_path_file" = "x/etc/default/login"; then
- AC_DEFINE(HAVE_ETC_DEFAULT_LOGIN)
- fi
- fi
diff --git a/net-misc/openssh/files/openssh-4.2_p1-kerberos-detection.patch b/net-misc/openssh/files/openssh-4.2_p1-kerberos-detection.patch
deleted file mode 100644
index fdfd5113dff7..000000000000
--- a/net-misc/openssh/files/openssh-4.2_p1-kerberos-detection.patch
+++ /dev/null
@@ -1,18 +0,0 @@
---- configure.ac
-+++ configure.ac
-@@ -2757,7 +2757,6 @@
- if test ! -z "$blibpath" ; then
- blibpath="$blibpath:${KRB5ROOT}/lib"
- fi
-- fi
-
- AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h)
- AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h)
-@@ -2765,6 +2764,7 @@
-
- LIBS="$LIBS $K5LIBS"
- AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE(USE_AFS))
-+ fi
- ]
- )
-
diff --git a/net-misc/openssh/files/openssh-4.2_p1-selinux.patch b/net-misc/openssh/files/openssh-4.2_p1-selinux.patch
deleted file mode 100644
index 88c2b74e43fc..000000000000
--- a/net-misc/openssh/files/openssh-4.2_p1-selinux.patch
+++ /dev/null
@@ -1,87 +0,0 @@
---- openssh/session.c
-+++ openssh/session.c
-@@ -66,6 +66,11 @@
- #include "ssh-gss.h"
- #endif
-
-+#ifdef WITH_SELINUX
-+#include <selinux/get_context_list.h>
-+#include <selinux/selinux.h>
-+#endif
-+
- /* func */
-
- Session *session_new(void);
-@@ -1304,6 +1309,19 @@
- #endif
- if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
- fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
-+#ifdef WITH_SELINUX
-+ if (is_selinux_enabled())
-+ {
-+ security_context_t scontext;
-+ if (get_default_context(pw->pw_name,NULL,&scontext))
-+ fatal("Failed to get default security context for %s.", pw->pw_name);
-+ if (setexeccon(scontext)) {
-+ freecon(scontext);
-+ fatal("Failed to set exec security context %s for %s.", scontext, pw->pw_name);
-+ }
-+ freecon(scontext);
-+ }
-+#endif
- }
-
- static void
---- openssh/sshpty.c
-+++ openssh/sshpty.c
-@@ -30,6 +30,12 @@
- #define O_NOCTTY 0
- #endif
-
-+#ifdef WITH_SELINUX
-+#include <selinux/flask.h>
-+#include <selinux/get_context_list.h>
-+#include <selinux/selinux.h>
-+#endif
-+
- /*
- * Allocates and opens a pty. Returns 0 if no pty could be allocated, or
- * nonzero if a pty was successfully allocated. On success, open file
-@@ -196,6 +202,37 @@
- * Warn but continue if filesystem is read-only and the uids match/
- * tty is owned by root.
- */
-+#ifdef WITH_SELINUX
-+ if (is_selinux_enabled()) {
-+ security_context_t new_tty_context=NULL,
-+ user_context=NULL, old_tty_context=NULL;
-+
-+ if (get_default_context(pw->pw_name,NULL,&user_context))
-+ fatal("Failed to get default security context for %s.", pw->pw_name);
-+
-+ if (getfilecon(tty, &old_tty_context)<0) {
-+ error("getfilecon(%.100s) failed: %.100s", tty,
-+ strerror(errno));
-+ }
-+ else
-+ {
-+ if ( security_compute_relabel(user_context,old_tty_context,SECCLASS_CHR_FILE,&new_tty_context)!=0) {
-+ error("security_compute_relabel(%.100s) failed: %.100s", tty,
-+ strerror(errno));
-+ }
-+ else
-+ {
-+ if (setfilecon (tty, new_tty_context) != 0) {
-+ error("setfilecon(%.100s, %s) failed: %.100s",
-+ tty, new_tty_context, strerror(errno));
-+ }
-+ freecon(new_tty_context);
-+ }
-+ freecon(old_tty_context);
-+ }
-+ freecon(user_context);
-+ }
-+#endif
- if (stat(tty, &st))
- fatal("stat(%.100s) failed: %.100s", tty,
- strerror(errno));
diff --git a/net-misc/openssh/files/openssh-4.2_p1-sftplogging-1.4-gentoo.patch.bz2 b/net-misc/openssh/files/openssh-4.2_p1-sftplogging-1.4-gentoo.patch.bz2
Binary files differdeleted file mode 100644
index 19613bb6d88d..000000000000
--- a/net-misc/openssh/files/openssh-4.2_p1-sftplogging-1.4-gentoo.patch.bz2
+++ /dev/null
diff --git a/net-misc/openssh/files/openssh-4.3_p1-krb5-typos.patch b/net-misc/openssh/files/openssh-4.3_p1-krb5-typos.patch
deleted file mode 100644
index 2496cd327669..000000000000
--- a/net-misc/openssh/files/openssh-4.3_p1-krb5-typos.patch
+++ /dev/null
@@ -1,14 +0,0 @@
---- gss-serv-krb5.c
-+++ gss-serv-krb5.c
-@@ -41,9 +41,9 @@
- #ifdef HEIMDAL
- # include <krb5.h>
- #else
--# ifdef HAVE_GSSAPI_KRB5
-+# ifdef HAVE_GSSAPI_KRB5_H
- # include <gssapi_krb5.h>
--# elif HAVE_GSSAPI_GSSAPI_KRB5
-+# elif HAVE_GSSAPI_GSSAPI_KRB5_H
- # include <gssapi/gssapi_krb5.h>
- # endif
- #endif
diff --git a/net-misc/openssh/files/openssh-4.3_p2-configure.patch b/net-misc/openssh/files/openssh-4.3_p2-configure.patch
deleted file mode 100644
index 2f5d4a8501f6..000000000000
--- a/net-misc/openssh/files/openssh-4.3_p2-configure.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- configure.ac.orig 2006-06-26 21:07:34.000000000 -0400
-+++ configure.ac 2006-06-26 21:07:44.000000000 -0400
-@@ -1608,6 +1608,7 @@
- AC_MSG_RESULT(no)
- AC_DEFINE(BROKEN_GETADDRINFO)
- ],
-+ [
- AC_MSG_RESULT(cross-compiling, assuming no)
- ]
- )
diff --git a/net-misc/openssh/files/openssh-4.3_p2-identical-simple-dos-2.patch b/net-misc/openssh/files/openssh-4.3_p2-identical-simple-dos-2.patch
deleted file mode 100644
index 22c8beab38a3..000000000000
--- a/net-misc/openssh/files/openssh-4.3_p2-identical-simple-dos-2.patch
+++ /dev/null
@@ -1,119 +0,0 @@ -http://bugs.gentoo.org/148228 - -taken from upstream cvs and munged a little to apply against 4.3p2 - -=================================================================== -RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/deattack.c,v -retrieving revision 1.29 -retrieving revision 1.30 -diff -u -r1.29 -r1.30 ---- src/usr.bin/ssh/deattack.c 2006/08/03 03:34:42 1.29 -+++ src/usr.bin/ssh/deattack.c 2006/09/16 19:53:37 1.30 -@@ -30,6 +30,24 @@ - #include "crc32.h" - #include "misc.h" - -+/* -+ * CRC attack detection has a worst-case behaviour that is O(N^3) over -+ * the number of identical blocks in a packet. This behaviour can be -+ * exploited to create a limited denial of service attack. -+ * -+ * However, because we are dealing with encrypted data, identical -+ * blocks should only occur every 2^35 maximally-sized packets or so. -+ * Consequently, we can detect this DoS by looking for identical blocks -+ * in a packet. -+ * -+ * The parameter below determines how many identical blocks we will -+ * accept in a single packet, trading off between attack detection and -+ * likelihood of terminating a legitimate connection. 
A value of 32 -+ * corresponds to an average of 2^40 messages before an attack is -+ * misdetected -+ */ -+#define MAX_IDENTICAL 32 -+ - /* SSH Constants */ - #define SSH_MAXBLOCKS (32 * 1024) - #define SSH_BLOCKSIZE (8) -@@ -85,7 +103,7 @@ - static u_int16_t *h = (u_int16_t *) NULL; - static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE; - u_int32_t i, j; -- u_int32_t l; -+ u_int32_t l, same; - u_char *c; - u_char *d; - -@@ -122,11 +140,13 @@ - if (IV) - h[HASH(IV) & (n - 1)] = HASH_IV; - -- for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) { -+ for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) { - for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED; - i = (i + 1) & (n - 1)) { -+ if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE) && ++same > MAX_IDENTICAL) -+ return (DEATTACK_DOS_DETECTED); - if (h[i] == HASH_IV) { - if (!CMP(c, IV)) { - if (check_crc(c, buf, len, IV)) - return (DEATTACK_DETECTED); - else -=================================================================== -RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/packet.c,v -retrieving revision 1.143 -retrieving revision 1.144 -diff -u -r1.143 -r1.144 ---- src/usr.bin/ssh/packet.c 2006/08/05 08:34:04 1.143 -+++ src/usr.bin/ssh/packet.c 2006/09/16 19:53:37 1.144 -@@ -991,9 +991,16 @@ - * (C)1998 CORE-SDI, Buenos Aires Argentina - * Ariel Futoransky(futo@core-sdi.com) - */ -- if (!receive_context.plaintext && -- detect_attack(buffer_ptr(&input), padded_len, NULL) == DEATTACK_DETECTED) -- packet_disconnect("crc32 compensation attack: network attack detected"); -+ if (!receive_context.plaintext) { -+ switch (detect_attack(buffer_ptr(&input), padded_len, NULL)) { -+ case DEATTACK_DETECTED: -+ packet_disconnect("crc32 compensation attack: " -+ "network attack detected"); -+ case DEATTACK_DOS_DETECTED: -+ packet_disconnect("deattack denial of " -+ "service detected"); -+ } -+ } - - /* Decrypt data to incoming_packet. 
*/ - buffer_clear(&incoming_packet); -=================================================================== -RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/deattack.h,v -retrieving revision 1.9 -retrieving revision 1.10 -diff -u -r1.9 -r1.10 ---- src/usr.bin/ssh/deattack.h 2006/03/25 22:22:43 1.9 -+++ src/usr.bin/ssh/deattack.h 2006/09/16 19:53:37 1.10 -@@ -25,6 +25,7 @@ - /* Return codes */ - #define DEATTACK_OK 0 - #define DEATTACK_DETECTED 1 -+#define DEATTACK_DOS_DETECTED 2 - - int detect_attack(u_char *, u_int32_t); - #endif -=================================================================== -RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/packet.c,v -retrieving revision 1.144 -retrieving revision 1.145 -diff -u -r1.144 -r1.145 ---- src/usr.bin/ssh/packet.c 2006/09/16 19:53:37 1.144 -+++ src/usr.bin/ssh/packet.c 2006/09/19 21:14:08 1.145 -@@ -682,6 +682,9 @@ - */ - after_authentication = 1; - for (mode = 0; mode < MODE_MAX; mode++) { -+ /* protocol error: USERAUTH_SUCCESS received before NEWKEYS */ -+ if (newkeys[mode] == NULL) -+ continue; - comp = &newkeys[mode]->comp; - if (comp && !comp->enabled && comp->type == COMP_DELAYED) { - packet_init_compression(); diff --git a/net-misc/openssh/files/openssh-4.3_p2-identical-simple-dos.patch b/net-misc/openssh/files/openssh-4.3_p2-identical-simple-dos.patch deleted file mode 100644 index 84c043fe6544..000000000000 --- a/net-misc/openssh/files/openssh-4.3_p2-identical-simple-dos.patch +++ /dev/null 
@@ -1,119 +0,0 @@ -http://bugs.gentoo.org/148228 - -taken from upstream cvs and munged a little to apply against 4.3p2 - -=================================================================== -RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/deattack.c,v -retrieving revision 1.29 -retrieving revision 1.30 -diff -u -r1.29 -r1.30 ---- src/usr.bin/ssh/deattack.c 2006/08/03 03:34:42 1.29 -+++ src/usr.bin/ssh/deattack.c 2006/09/16 19:53:37 1.30 -@@ -30,6 +30,24 @@ - #include "crc32.h" - #include "misc.h" - -+/* -+ * CRC attack detection has a worst-case behaviour that is O(N^3) over -+ * the number of identical blocks in a packet. This behaviour can be -+ * exploited to create a limited denial of service attack. -+ * -+ * However, because we are dealing with encrypted data, identical -+ * blocks should only occur every 2^35 maximally-sized packets or so. -+ * Consequently, we can detect this DoS by looking for identical blocks -+ * in a packet. -+ * -+ * The parameter below determines how many identical blocks we will -+ * accept in a single packet, trading off between attack detection and -+ * likelihood of terminating a legitimate connection. 
A value of 32 -+ * corresponds to an average of 2^40 messages before an attack is -+ * misdetected -+ */ -+#define MAX_IDENTICAL 32 -+ - /* SSH Constants */ - #define SSH_MAXBLOCKS (32 * 1024) - #define SSH_BLOCKSIZE (8) -@@ -85,7 +103,7 @@ - static u_int16_t *h = (u_int16_t *) NULL; - static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE; - u_int32_t i, j; -- u_int32_t l; -+ u_int32_t l, same; - u_char *c; - u_char *d; - -@@ -122,11 +140,13 @@ - if (IV) - h[HASH(IV) & (n - 1)] = HASH_IV; - -- for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) { -+ for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) { - for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED; - i = (i + 1) & (n - 1)) { - if (h[i] == HASH_IV) { - if (!CMP(c, IV)) { -+ if (++same > MAX_IDENTICAL) -+ return (DEATTACK_DOS_DETECTED); - if (check_crc(c, buf, len, IV)) - return (DEATTACK_DETECTED); - else -=================================================================== -RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/packet.c,v -retrieving revision 1.143 -retrieving revision 1.144 -diff -u -r1.143 -r1.144 ---- src/usr.bin/ssh/packet.c 2006/08/05 08:34:04 1.143 -+++ src/usr.bin/ssh/packet.c 2006/09/16 19:53:37 1.144 -@@ -991,9 +991,16 @@ - * (C)1998 CORE-SDI, Buenos Aires Argentina - * Ariel Futoransky(futo@core-sdi.com) - */ -- if (!receive_context.plaintext && -- detect_attack(buffer_ptr(&input), padded_len, NULL) == DEATTACK_DETECTED) -- packet_disconnect("crc32 compensation attack: network attack detected"); -+ if (!receive_context.plaintext) { -+ switch (detect_attack(buffer_ptr(&input), padded_len, NULL)) { -+ case DEATTACK_DETECTED: -+ packet_disconnect("crc32 compensation attack: " -+ "network attack detected"); -+ case DEATTACK_DOS_DETECTED: -+ packet_disconnect("deattack denial of " -+ "service detected"); -+ } -+ } - - /* Decrypt data to incoming_packet. 
*/ - buffer_clear(&incoming_packet); -=================================================================== -RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/deattack.h,v -retrieving revision 1.9 -retrieving revision 1.10 -diff -u -r1.9 -r1.10 ---- src/usr.bin/ssh/deattack.h 2006/03/25 22:22:43 1.9 -+++ src/usr.bin/ssh/deattack.h 2006/09/16 19:53:37 1.10 -@@ -25,6 +25,7 @@ - /* Return codes */ - #define DEATTACK_OK 0 - #define DEATTACK_DETECTED 1 -+#define DEATTACK_DOS_DETECTED 2 - - int detect_attack(u_char *, u_int32_t); - #endif -=================================================================== -RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/packet.c,v -retrieving revision 1.144 -retrieving revision 1.145 -diff -u -r1.144 -r1.145 ---- src/usr.bin/ssh/packet.c 2006/09/16 19:53:37 1.144 -+++ src/usr.bin/ssh/packet.c 2006/09/19 21:14:08 1.145 -@@ -682,6 +682,9 @@ - */ - after_authentication = 1; - for (mode = 0; mode < MODE_MAX; mode++) { -+ /* protocol error: USERAUTH_SUCCESS received before NEWKEYS */ -+ if (newkeys[mode] == NULL) -+ continue; - comp = &newkeys[mode]->comp; - if (comp && !comp->enabled && comp->type == COMP_DELAYED) { - packet_init_compression(); diff --git a/net-misc/openssh/files/openssh-4.3_p2-ldap-updates.patch b/net-misc/openssh/files/openssh-4.3_p2-ldap-updates.patch deleted file mode 100644 index 197d45de2671..000000000000 --- a/net-misc/openssh/files/openssh-4.3_p2-ldap-updates.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- configure.ac -+++ configure.ac -@@ -1209,7 +1209,7 @@ - LDFLAGS="$LDFLAGS -L${withval}/lib" - fi - -- AC_DEFINE(WITH_LDAP_PUBKEY) -+ AC_DEFINE(WITH_LDAP_PUBKEY, 1, [Enable ldap pubkey support]) - LIBS="-lldap $LIBS" - LDAP_MSG="yes" - diff --git a/net-misc/openssh/files/openssh-4.3_p2-opensc-libs.patch b/net-misc/openssh/files/openssh-4.3_p2-opensc-libs.patch deleted file mode 100644 index 8eb8ff823069..000000000000 --- a/net-misc/openssh/files/openssh-4.3_p2-opensc-libs.patch +++ /dev/null 
@@ -1,14 +0,0 @@
-http://bugs.gentoo.org/148538
-http://bugzilla.mindrot.org/show_bug.cgi?id=1234
-
---- openssh/configure
-+++ openssh/configure
-@@ -3086,7 +3086,7 @@ AC_ARG_WITH(opensc,
- LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags`
- LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs`
- CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS"
-- LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS"
-+ LIBS="$LIBS $LIBOPENSC_LIBS"
- cat >>confdefs.h <<\_ACEOF
- #define SMARTCARD 1
- _ACEOF
diff --git a/net-misc/openssh/files/openssh-4.3_p2-selinux.patch b/net-misc/openssh/files/openssh-4.3_p2-selinux.patch
deleted file mode 100644
index 2bf9cd60cf82..000000000000
--- a/net-misc/openssh/files/openssh-4.3_p2-selinux.patch
+++ /dev/null
@@ -1,368 +0,0 @@ ---- openssh-4.3p1/Makefile.in -+++ openssh-4.3p1/Makefile.in -@@ -43,6 +43,7 @@ - CFLAGS=@CFLAGS@ - CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ - LIBS=@LIBS@ -+LIBSELINUX=@LIBSELINUX@ - LIBEDIT=@LIBEDIT@ - LIBPAM=@LIBPAM@ - LIBWRAP=@LIBWRAP@ -@@ -77,7 +78,7 @@ - sshconnect.o sshconnect1.o sshconnect2.o - - SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ -- sshpty.o sshlogin.o servconf.o serverloop.o \ -+ sshpty.o sshlogin.o servconf.o serverloop.o selinux.o \ - auth.o auth1.o auth2.o auth-options.o session.o \ - auth-chall.o auth2-chall.o groupaccess.o \ - auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ -@@ -136,7 +137,7 @@ - $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) - - sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) -- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS) -+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS) - - scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o - $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ---- openssh-4.3p1/auth.h -+++ openssh-4.3p1/auth.h -@@ -58,6 +58,7 @@ - char *service; - struct passwd *pw; /* set if 'valid' */ - char *style; -+ char *role; - void *kbdintctxt; - #ifdef BSD_AUTH - auth_session_t *as; ---- openssh-4.3p1/auth1.c -+++ openssh-4.3p1/auth1.c -@@ -370,7 +370,7 @@ - do_authentication(Authctxt *authctxt) - { - u_int ulen; -- char *user, *style = NULL; -+ char *user, *style = NULL, *role=NULL; - - /* Get the name of the user that we wish to log in as. 
*/ - packet_read_expect(SSH_CMSG_USER); -@@ -379,11 +379,19 @@ - user = packet_get_string(&ulen); - packet_check_eom(); - -+ if ((role = strchr(user, '/')) != NULL) -+ *role++ = '\0'; -+ - if ((style = strchr(user, ':')) != NULL) - *style++ = '\0'; -+ else -+ if (role && (style = strchr(role, ':')) != NULL) -+ *style++ = '\0'; -+ - - authctxt->user = user; - authctxt->style = style; -+ authctxt->role = role; - - /* Verify that the user is a valid user. */ - if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) ---- openssh-4.3p1/auth2.c -+++ openssh-4.3p1/auth2.c -@@ -134,7 +134,7 @@ - { - Authctxt *authctxt = ctxt; - Authmethod *m = NULL; -- char *user, *service, *method, *style = NULL; -+ char *user, *service, *method, *style = NULL, *role = NULL; - int authenticated = 0; - - if (authctxt == NULL) -@@ -146,6 +146,9 @@ - debug("userauth-request for user %s service %s method %s", user, service, method); - debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); - -+ if ((role = strchr(user, '/')) != NULL) -+ *role++ = 0; -+ - if ((style = strchr(user, ':')) != NULL) - *style++ = 0; - -@@ -171,8 +174,11 @@ - use_privsep ? " [net]" : ""); - authctxt->service = xstrdup(service); - authctxt->style = style ? xstrdup(style) : NULL; -- if (use_privsep) -+ authctxt->role = role ? 
xstrdup(role) : NULL; -+ if (use_privsep) { - mm_inform_authserv(service, style); -+ mm_inform_authrole(role); -+ } - } else if (strcmp(user, authctxt->user) != 0 || - strcmp(service, authctxt->service) != 0) { - packet_disconnect("Change of username or service not allowed: " ---- openssh-4.3p1/configure.ac -+++ openssh-4.3p1/configure.ac -@@ -2945,6 +2945,20 @@ - [#include <arpa/nameser.h>]) - ]) - -+# Check whether user wants SELinux support -+SELINUX_MSG="no" -+LIBSELINUX="" -+AC_ARG_WITH(selinux, -+ [ --with-selinux Enable SELinux support], -+ [ if test "x$withval" != "xno" ; then -+ AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.]) -+ SELINUX_MSG="yes" -+ AC_CHECK_HEADERS(selinux.h) -+ LIBSELINUX="-lselinux" -+ fi -+ ]) -+AC_SUBST(LIBSELINUX) -+ - # Check whether user wants Kerberos 5 support - KRB5_MSG="no" - AC_ARG_WITH(kerberos5, -@@ -3763,6 +3777,7 @@ - echo " Manpage format: $MANTYPE" - echo " PAM support: $PAM_MSG" - echo " KerberosV support: $KRB5_MSG" -+echo " SELinux support: $SELINUX_MSG" - echo " Smartcard support: $SCARD_MSG" - echo " S/KEY support: $SKEY_MSG" - echo " TCP Wrappers support: $TCPW_MSG" ---- openssh-4.3p1/monitor.c -+++ openssh-4.3p1/monitor.c -@@ -115,6 +115,7 @@ - int mm_answer_authpassword(int, Buffer *); - int mm_answer_bsdauthquery(int, Buffer *); - int mm_answer_bsdauthrespond(int, Buffer *); -+int mm_answer_authrole(int, Buffer *); - int mm_answer_skeyquery(int, Buffer *); - int mm_answer_skeyrespond(int, Buffer *); - int mm_answer_keyallowed(int, Buffer *); -@@ -181,6 +182,7 @@ - {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, - {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, - {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, -+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole}, - {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, - {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, - #ifdef USE_PAM -@@ -623,6 +625,7 @@ - else { - /* Allow service/style information on 
the auth context */ - monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); -+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); - monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); - } - -@@ -671,6 +674,23 @@ - } - - int -+mm_answer_authrole(int sock, Buffer *m) -+{ -+ monitor_permit_authentications(1); -+ -+ authctxt->role = buffer_get_string(m, NULL); -+ debug3("%s: role=%s", -+ __func__, authctxt->role); -+ -+ if (strlen(authctxt->role) == 0) { -+ xfree(authctxt->role); -+ authctxt->role = NULL; -+ } -+ -+ return (0); -+} -+ -+int - mm_answer_authpassword(int sock, Buffer *m) - { - static int call_count; ---- openssh-4.3p1/monitor.h -+++ openssh-4.3p1/monitor.h -@@ -30,7 +30,7 @@ - - enum monitor_reqtype { - MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, -- MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, -+ MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE, - MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, - MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, - MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, ---- openssh-4.3p1/monitor_wrap.c -+++ openssh-4.3p1/monitor_wrap.c -@@ -271,6 +271,23 @@ - buffer_free(&m); - } - -+/* Inform the privileged process about role */ -+ -+void -+mm_inform_authrole(char *role) -+{ -+ Buffer m; -+ -+ debug3("%s entering", __func__); -+ -+ buffer_init(&m); -+ buffer_put_cstring(&m, role ? 
role : ""); -+ -+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m); -+ -+ buffer_free(&m); -+} -+ - /* Do the password authentication */ - int - mm_auth_password(Authctxt *authctxt, char *password) ---- openssh-4.3p1/monitor_wrap.h -+++ openssh-4.3p1/monitor_wrap.h -@@ -44,6 +44,7 @@ - DH *mm_choose_dh(int, int, int); - int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); - void mm_inform_authserv(char *, char *); -+void mm_inform_authrole(char *); - struct passwd *mm_getpwnamallow(const char *); - char *mm_auth2_read_banner(void); - int mm_auth_password(struct Authctxt *, char *); ---- openssh-4.3p1/selinux.c -+++ openssh-4.3p1/selinux.c -@@ -0,0 +1,86 @@ -+#include "includes.h" -+#include "auth.h" -+#include "log.h" -+ -+#ifdef WITH_SELINUX -+#include <selinux/selinux.h> -+#include <selinux/flask.h> -+#include <selinux/context.h> -+#include <selinux/get_context_list.h> -+#include <selinux/get_default_type.h> -+extern Authctxt *the_authctxt; -+ -+static const security_context_t selinux_get_user_context(const char *name) { -+ security_context_t user_context=NULL; -+ char *role=NULL; -+ int ret=-1; -+ char *seuser=NULL; -+ char *level=NULL; -+ -+ if (the_authctxt) -+ role=the_authctxt->role; -+ -+ if (getseuserbyname(name, &seuser, &level)==0) { -+ if (role != NULL && role[0]) -+ ret=get_default_context_with_rolelevel(seuser, role, level,NULL,&user_context); -+ else -+ ret=get_default_context_with_level(seuser, level, NULL,&user_context); -+ } -+ -+ if ( ret < 0 ) { -+ if (security_getenforce() > 0) -+ fatal("Failed to get default security context for %s.", name); -+ else -+ error("Failed to get default security context for %s. 
Continuing in permissive mode", name); -+ } -+ return user_context; -+} -+ -+void setup_selinux_pty(const char *name, const char *tty) { -+ if (is_selinux_enabled() > 0) { -+ security_context_t new_tty_context=NULL, user_context=NULL, old_tty_context=NULL; -+ -+ user_context=selinux_get_user_context(name); -+ -+ if (getfilecon(tty, &old_tty_context) < 0) { -+ error("getfilecon(%.100s) failed: %.100s", tty, strerror(errno)); -+ } else { -+ if (security_compute_relabel(user_context,old_tty_context, -+ SECCLASS_CHR_FILE, -+ &new_tty_context) != 0) { -+ error("security_compute_relabel(%.100s) failed: %.100s", tty, -+ strerror(errno)); -+ } else { -+ if (setfilecon (tty, new_tty_context) != 0) -+ error("setfilecon(%.100s, %s) failed: %.100s", -+ tty, new_tty_context, -+ strerror(errno)); -+ freecon(new_tty_context); -+ } -+ freecon(old_tty_context); -+ } -+ if (user_context) { -+ freecon(user_context); -+ } -+ } -+} -+ -+void setup_selinux_exec_context(char *name) { -+ -+ if (is_selinux_enabled() > 0) { -+ security_context_t user_context=selinux_get_user_context(name); -+ if (setexeccon(user_context)) { -+ if (security_getenforce() > 0) -+ fatal("Failed to set exec security context %s for %s.", user_context, name); -+ else -+ error("Failed to set exec security context %s for %s. 
Continuing in permissive mode", user_context, name); -+ } -+ if (user_context) { -+ freecon(user_context); -+ } -+ } -+} -+#else -+inline void setup_selinux_pty(const char *name, const char *tty) {} -+inline void setup_selinux_exec_context(const char *name) {} -+#endif /* WITH_SELINUX */ ---- openssh-4.3p1/selinux.h -+++ openssh-4.3p1/selinux.h -@@ -0,0 +1,5 @@ -+#ifndef __SELINUX_H_ -+#define __SELINUX_H_ -+extern void setup_selinux_pty(const char *name, const char *tty); -+extern void setup_selinux_exec_context(const char *name); -+#endif /* __SELINUX_H_ */ ---- openssh-4.3p1/session.c -+++ openssh-4.3p1/session.c -@@ -59,6 +59,8 @@ - #include "kex.h" - #include "monitor_wrap.h" - -+#include "selinux.h" -+ - #if defined(KRB5) && defined(USE_AFS) - #include <kafs.h> - #endif -@@ -1340,6 +1342,8 @@ - #endif - if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) - fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); -+ -+ setup_selinux_exec_context(pw->pw_name); - } - - static void ---- openssh-4.3p1/sshpty.c -+++ openssh-4.3p1/sshpty.c -@@ -22,6 +22,8 @@ - #include "log.h" - #include "misc.h" - -+#include "selinux.h" -+ - #ifdef HAVE_PTY_H - # include <pty.h> - #endif -@@ -200,6 +202,8 @@ - fatal("stat(%.100s) failed: %.100s", tty, - strerror(errno)); - -+ setup_selinux_pty(pw->pw_name, tty); -+ - if (st.st_uid != pw->pw_uid || st.st_gid != gid) { - if (chown(tty, pw->pw_uid, gid) < 0) { - if (errno == EROFS && diff --git a/net-misc/openssh/files/openssh-4.3_p2-selinux.patch.glue b/net-misc/openssh/files/openssh-4.3_p2-selinux.patch.glue deleted file mode 100644 index 7f82e26be834..000000000000 --- a/net-misc/openssh/files/openssh-4.3_p2-selinux.patch.glue +++ /dev/null @@ -1,17 +0,0 @@ ---- openssh-4.3_p2-selinux.patch.orig 2006-03-05 17:13:49.000000000 -0500 -+++ openssh-4.3_p2-selinux.patch 2006-03-05 17:14:25.000000000 -0500 -@@ -18,11 +18,11 @@ - auth-chall.o auth2-chall.o groupaccess.o \ - auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ - 
@@ -136,7 +137,7 @@ -- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBLDAP) $(LIBS) - - sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) --- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS) --+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS) -+- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBLDAP) $(LIBS) -++ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBLDAP) $(LIBSELINUX) $(LIBS) - - scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o - $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) diff --git a/net-misc/openssh/files/openssh-4.3_p2-x509-hpn-glue.patch b/net-misc/openssh/files/openssh-4.3_p2-x509-hpn-glue.patch deleted file mode 100644 index bc42c19b7124..000000000000 --- a/net-misc/openssh/files/openssh-4.3_p2-x509-hpn-glue.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -tweak the x509 code a little so hpn patches cleanly - ---- servconf.c -+++ servconf.c -@@ -335,6 +335,7 @@ - sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, - sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, - sUsePrivilegeSeparation, -+ sDeprecated, sUnsupported -- sHostbasedAlgorithms, -+ ,sHostbasedAlgorithms, - sPubkeyAlgorithms, - sX509KeyAlgorithm, -@@ -345,7 +346,6 @@ - sCAldapVersion, sCAldapURL, - sVAType, sVACertificateFile, -- sVAOCSPResponderURL, -+ sVAOCSPResponderURL -- sDeprecated, sUnsupported - } ServerOpCodes; - - /* Textual representation of the tokens. */ -@@ -446,6 +446,7 @@ - { "authorizedkeysfile2", sAuthorizedKeysFile2 }, - { "useprivilegeseparation", sUsePrivilegeSeparation}, - { "acceptenv", sAcceptEnv }, -+ { "permittunnel", sPermitTunnel }, - { "hostbasedalgorithms", sHostbasedAlgorithms }, - { "pubkeyalgorithms", sPubkeyAlgorithms }, - { "x509rsasigtype", sDeprecated }, -@@ -462,7 +463,6 @@ - { "vatype", sVAType }, - { "vacertificatefile", sVACertificateFile }, - { "vaocspresponderurl", sVAOCSPResponderURL }, -- { "permittunnel", sPermitTunnel }, - { NULL, sBadOption } - }; - |