Automatic import for version 5.8p2

Rosa 2012-02-01 14:38:48 +04:00
commit 1252c0b3a3
27 changed files with 8987 additions and 0 deletions

.abf.yml Normal file

@ -0,0 +1,4 @@
sources:
"openssh-4.4p1-watchdog.patch.tgz": e4a13018c494faf7ed06fd74dad720a8a8ac9089
"openssh-5.8p2.tar.gz": 64798328d310e4f06c9f01228107520adbc8b3e5
"x11-ssh-askpass-1.2.4.1.tar.bz2": 2943ce34a319beb5674b623b4557cc8a30e569d0


@ -0,0 +1,33 @@
Openssh changes upgrading from <= 3.6p2 to 3.8p1
Jun-9-2004 Stew Benedict <sbenedict@mandrakesoft.com>

Some changes in the behavior of the openssh-server have
taken place in the 3.8p1 upgrade. UsePAM is now "no" by
default, and the recommendation is not to enable it lightly.
That said, some changes have been made to /etc/pam.d/ssh to
preserve the expected behavior if UsePAM is enabled:

auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers

This line, together with the entry "root" in the referenced
/etc/ssh/denyusers, allows "PermitRootLogin without-password" to behave
as expected, i.e. root logs in with keys only. Without it, root may
still be offered a password prompt and log in without keys.

The package has a trigger that attempts to detect alternative auth
methods (ldap, mysql, winbind) and changes UsePAM to yes if one of
these is detected. If you update and suddenly your users can't log in
via ssh, you may need to review and correct the configuration. Please
consult "man sshd_config" for details of the configuration choices.

You may also find you need to set:

ChallengeResponseAuthentication=no

for things like pam_mkhomedir to work.

In addition, for X11 forwarding to work in 3.8p1, the option
"ForwardX11Trusted yes" must be enabled in /etc/ssh/ssh_config.
This is enabled by default.
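The pitfall above is easy to reintroduce by hand-editing sshd_config, so here is a small checker for it. This is an added example, not part of the package or of OpenSSH; the sshd_config, PAM and denyusers snippets are constructed inline (a real run would read /etc/ssh/sshd_config, the PAM service file for sshd and the file named in the pam_listfile line), and the finding texts are this example's own wording.

```python
"""Spot the root-login pitfall described in the note above.

Added example; not part of the package or of OpenSSH. The configuration
snippets are constructed to show the weak setup beside the corrected one.
"""
import re


def parse_sshd_config(text):
    """Global sshd_config keywords, lower-cased.  sshd uses the FIRST value it
    sees for a keyword (sshd_config(5)), so setdefault() mirrors that; parsing
    stops at the first Match block, whose settings are conditional."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        opts.setdefault(key, value)
    return opts


def pam_denies_root(pam_text, denyusers_text):
    """True when an auth line of the form
         auth required pam_listfile.so item=user sense=deny file=...
    is present and the referenced user list (passed in here) contains root."""
    denied = {u.strip() for u in denyusers_text.splitlines() if u.strip()}
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lower() != "auth":
            continue
        if fields[1] not in ("required", "requisite") or fields[2] != "pam_listfile.so":
            continue
        args = dict(a.split("=", 1) for a in fields[3:] if "=" in a)
        if args.get("item") == "user" and args.get("sense") == "deny":
            return "root" in denied
    return False


def root_login_findings(sshd_text, pam_text, denyusers_text):
    """Return a list of findings; an empty list means the setup matches the note."""
    o = parse_sshd_config(sshd_text)
    findings = []
    if o.get("usepam", "no").lower() != "yes":
        return findings        # PAM is not consulted at all; nothing to check here
    if (o.get("permitrootlogin", "yes").lower() == "without-password"
            and not pam_denies_root(pam_text, denyusers_text)):
        findings.append("UsePAM yes but PAM does not deny root: root may still "
                        "be offered a password prompt")
    if o.get("challengeresponseauthentication", "yes").lower() != "no":
        findings.append("ChallengeResponseAuthentication is not 'no' "
                        "(the note says this may be needed, e.g. for pam_mkhomedir)")
    return findings


# Constructed inputs (not real files): weak setup and corrected setup.
WEAK_SSHD = "UsePAM yes\nPermitRootLogin without-password\n"
WEAK_PAM = "auth include system-auth\n"
FIXED_SSHD = WEAK_SSHD + "ChallengeResponseAuthentication no\n"
FIXED_PAM = ("auth required pam_listfile.so item=user sense=deny "
             "file=/etc/ssh/denyusers\n" + WEAK_PAM)
DENYUSERS = "root\n"

if __name__ == "__main__":
    for label, cfg, pam in (("weak", WEAK_SSHD, WEAK_PAM),
                            ("fixed", FIXED_SSHD, FIXED_PAM)):
        print(label, root_login_findings(cfg, pam, DENYUSERS) or ["ok"])
```

The first-value-wins rule in parse_sshd_config() matters: appending "PermitRootLogin no" at the end of a file that already says "PermitRootLogin without-password" changes nothing, which is a common reason a hardening edit appears not to take.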


@ -0,0 +1,5 @@
As of 3.9p1-3mdk, sshd by default only accepts protocol 2 connections.
To restore the old behavior, change
'Protocol 2' to 'Protocol 2,1' in /etc/ssh/sshd_config.
Be aware that protocol 1 has known cryptographic weaknesses; only re-enable
it if you must support clients that cannot speak protocol 2.

README.hpn Normal file

@ -0,0 +1,41 @@
Q: What is HPN-SSH?
A: HPN-SSH is a patch set designed to remove a networking bottleneck in the base OpenSSH code. Removing this bottleneck can improve performance drastically.

Q: What is this bottleneck?
A: SSH implements a multiplexed connection protocol, so a single TCP/IP connection can host multiple SSH sessions at the same time. This means that SSH also has to implement a flow control mechanism of its own to make sure that the network connection isn't overwhelmed. Much like TCP/IP, it uses a receive buffer (the channel window) to tell the sender how much data it may have in flight at any one point. The developers of OpenSSH have set this buffer size to 64 KiB. This is often too small for very high speed connections over long distances. HPN-SSH allows this buffer to grow well past 64 KiB, allowing transfers at very high rates.

Q: Will HPN-SSH help me?
A: Maybe. It depends on a number of variables, but the most important one is the speed of your network connection to the Internet. It also depends on the distance to the destination you are trying to reach. As a general rule of thumb, the farther away the destination and the faster your connection, the greater the improvement will be. You can estimate how much HPN-SSH will help by multiplying the bandwidth to the destination by the RTT (Round Trip Time). This is called the BDP (Bandwidth Delay Product), expressed as BDP = BW(B/s) * RTT(s); it gives the number of bytes that can be in transit between two hosts at one time. If this value is less than the receive buffer mentioned above on the receiving host, the potential throughput of the connection will be near line rate*. If the BDP is greater than the receive buffer, throughput is capped at roughly one receive buffer per RTT, so the larger the BDP is relative to the buffer, the smaller the fraction of line rate you get. As a rule of thumb, you will generally need at least a 10 Mb/s connection to the Internet to see a benefit from HPN-SSH.
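The BDP rule of thumb above, carried through numerically. This is an added example, not part of the HPN-SSH FAQ or patch: the three links are constructed figures, and the 64 KiB window is the receive buffer the answer refers to; the functions are this example's own, not HPN-SSH code.

```python
"""Bandwidth-delay product (BDP) versus the fixed SSH receive window.

Added worked example for the FAQ answer above; not part of HPN-SSH.
The link figures are constructed for illustration.
"""

# The receive buffer size the FAQ refers to: 64 KiB.
OPENSSH_WINDOW_BYTES = 64 * 1024


def bdp_bytes(bw_bits_per_s, rtt_s):
    """BDP = BW(B/s) * RTT(s): bytes that can be in flight on the path."""
    return (bw_bits_per_s / 8.0) * rtt_s


def window_limited_bps(window_bytes, rtt_s):
    """Ceiling when at most window_bytes may be unacknowledged: one window per RTT."""
    return window_bytes * 8.0 / rtt_s


def expected_throughput_bps(bw_bits_per_s, rtt_s, window_bytes=OPENSSH_WINDOW_BYTES):
    """Near line rate while the BDP fits in the window; otherwise capped at window/RTT."""
    if bdp_bytes(bw_bits_per_s, rtt_s) <= window_bytes:
        return float(bw_bits_per_s)
    return window_limited_bps(window_bytes, rtt_s)


def hpn_speedup(bw_bits_per_s, rtt_s, window_bytes=OPENSSH_WINDOW_BYTES):
    """Factor by which an unbounded window (what HPN-SSH allows) can beat the fixed one."""
    return bw_bits_per_s / expected_throughput_bps(bw_bits_per_s, rtt_s, window_bytes)


# Constructed links: name -> (bandwidth in bit/s, RTT in seconds).
LINKS = {
    "LAN, 1 Gbit/s, 0.5 ms": (1e9, 0.0005),
    "metro, 100 Mbit/s, 10 ms": (1e8, 0.010),
    "transcontinental, 100 Mbit/s, 80 ms": (1e8, 0.080),
}


def summarize(links=LINKS, window_bytes=OPENSSH_WINDOW_BYTES):
    """Return {name: (bdp_bytes, throughput_bps, speedup)} for each link."""
    return {
        name: (bdp_bytes(bw, rtt),
               expected_throughput_bps(bw, rtt, window_bytes),
               hpn_speedup(bw, rtt, window_bytes))
        for name, (bw, rtt) in links.items()
    }


if __name__ == "__main__":
    for name, (bdp, tput, gain) in summarize().items():
        print(f"{name:38s} BDP={bdp / 1024:8.1f} KiB  "
              f"max={tput / 1e6:7.2f} Mbit/s  HPN gain x{gain:.1f}")
```

With these numbers the LAN link fits in the window (BDP about 61 KiB) and gains nothing, the 10 ms metro link is held to about 52 Mbit/s of its 100, and the 80 ms path is held to about 6.5 Mbit/s, a 15x gap; that is the "farther away and faster" rule in figures.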
Q: I installed HPN-SSH but there is no improvement. Why not?
A: There are many possible answers to this, but it's important to understand that HPN-SSH will not make every transfer faster. Transfers in a local area network will not be improved by HPN-SSH and in some cases might even be slower (in these cases use the -o HPNDisabled=yes option). You also have to make sure that your computer's network stacks are properly tuned. This is especially critical on the receiver side of the connection. Please see PSC's TCP Tuning page for details on how to do this. You might also be limited by firewalls, packet loss, network errors, and other problems that can affect network performance.

Q: How do I use HPN-SSH?
A: Generally it's a direct replacement for SSH and can be used in exactly the same way. However, depending on your operating system you may need to enable some options. For people using Linux kernels that support receive side autotuning (some 2.4 kernels and most 2.6 kernels) and Microsoft Windows Vista, you want to use -o TCPRcvBufPoll=yes on the receiver side. This works for both the server and the client. If you do not enable TCPRcvBufPoll, your SSH receive buffer will be limited to the initial receive buffer window size (64K for Vista and 85K for Linux). Please read either the HPN-README file distributed as part of the patch or the online version of the HPN-README file for more information on available options.

Q: What is the NONE Cipher Switch?
A: The NONE cipher switch disables data encryption AFTER you have been authenticated or logged into the remote host. This can significantly reduce the load on the CPUs of both machines and may improve performance even more. It's important to remember that the initial authentication process is still fully encrypted. Additionally, while the data is no longer encrypted, each packet still carries a MAC (message authentication code), so in-transit manipulation of the data is detected; note that a MAC gives integrity, not confidentiality, so anyone on the path can read the transferred data. Anytime the NONE cipher is used a warning will be printed to screen saying "WARNING: NONE CIPHER ENABLED". If you do not see that warning then the NONE cipher is not in use.

Q: Is it dangerous to use the NONE Cipher Switch?
A: That depends entirely on what you are trying to do. First off, you can't use the NONE Cipher Switch in an interactive session; it is designed to be used only for the transfer of bulk data, as with scp. Second, you should be aware of what kind of data you are transferring. If you are copying financial or medical data then you would not want to use the NONE cipher. However, if you are copying non-sensitive data like MP3s, archives, images, and so forth, it may make sense to use the NONE Cipher Switch. You will have to make that determination yourself. Lastly, since the authentication process is still encrypted, attackers and eavesdroppers will not be able to steal your password.

Q: I have '-oNoneSwitch=yes' on the command line. Why doesn't it work?
A: You must use both '-oNoneSwitch=yes' and '-oNoneEnabled=yes' on the client command line. Using only one or the other will not work. Additionally, the NONE cipher must be enabled on the server with NoneEnabled=yes in the sshd_config file or on the command line. Anytime the NONE cipher is used a warning will be printed to screen saying "WARNING: NONE CIPHER ENABLED". If you do not see that warning then the NONE cipher is not in use.

Q: I'm having a lot of problems using HPN-SSH. Can you help me?
A: We will certainly do our best, but please first see PSC's TCP Tuning page. If you are still having problems then contact us at hpn-ssh@psc.edu and include the following information:
* The version of the operating system on both sides of the connection.
* The version of HPN-SSH you are using.
* As much information as you can about the network path (bandwidth, RTT, loss, etc.).
* The level of throughput performance you expect to see and what you are seeing.
* The receive buffer sizes of the hosts.
* Any other information you feel is important.
We can't help everyone but we will do our best.

Q: If HPN-SSH is so great, why isn't it in the OpenSSH code base?
A: The HPN-SSH patch has been made available to the OpenSSH development team and I hope it will be incorporated (in either its current or some other form) in the near future. However, the team has other priorities and I'm perfectly able to maintain this patch until they can free up some time. Quite a number of organizations are using HPN-SSH, including NASA, Sun Microsystems, HP, financial companies, research organizations, supercomputing centers, security concerns, and software developers.

Q: I have a suggestion for HPN-SSH or this FAQ, a comment, want to send thanks, or ask some other question. Who should I contact?
A: To contact us with any suggestions, questions, comments, or criticisms, please write to hpn-ssh@psc.edu

README.sftpfilecontrol Normal file

@ -0,0 +1,22 @@
Sftpfilecontrol Patch v1.2
A patch to provide control over umask, chmod, chown, and chgrp in the sftp-server that comes with openssh.
This patch is derived from the sftplogging patch.
Original patch by Michael Martinez <mwtzz@yahoo.com>
Copyright (c) 2002 - 2007, Michael Martinez
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:
- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
- Neither the name of Michael Martinez nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


@ -0,0 +1,11 @@
--- openssh-5.7p1/entropy.c.mdv 2011-01-13 08:05:29.000000000 -0200
+++ openssh-5.7p1/entropy.c 2011-01-29 15:41:52.000000000 -0200
@@ -155,7 +155,7 @@ init_rng(void)
* OpenSSL version numbers: MNNFFPPS: major minor fix patch status
* We match major, minor, fix and status (not patch)
*/
- if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L)
+ if ((SSLeay() >> 12) != (OPENSSL_VERSION_NUMBER >> 12))
fatal("OpenSSL version mismatch. Built against %lx, you "
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
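Review bot: the new comparison no longer does what the comment two lines above it says. In the MNNFFPPS layout, `~0xff0L` masked out only the patch nibbles (PP) and still compared the status nibble (S); `>> 12` discards both PP and S, so a library whose status differs from the one sshd was built against (e.g. beta vs. release) now passes the check. If tolerating status mismatches is the intent, update "We match major, minor, fix and status (not patch)" to say status is ignored as well; otherwise keep the original mask.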


@ -0,0 +1,13 @@
--- openssh-4.0p1/channels.c.exit-deadlock 2005-03-01 11:24:33.000000000 +0100
+++ openssh-4.0p1/channels.c 2005-04-05 22:25:15.197226237 +0200
@@ -1403,6 +1403,10 @@
u_int dlen;
int len;
+ if(c->wfd != -1 && buffer_len(&c->output) > 0 && c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
+ debug("channel %d: forcing write", c->self);
+ FD_SET(c->wfd, writeset);
+ }
/* Send buffered output data to the socket. */
if (c->wfd != -1 &&
FD_ISSET(c->wfd, writeset) &&
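Review bot: the forced `FD_SET(c->wfd, writeset)` marks the fd writable after select() has already returned, so the write in the block that follows can run against a socket the kernel never reported as writable. Make sure that path treats EAGAIN/EWOULDBLOCK as "retry later" rather than as a channel error, or, better, put wfd into the write set before select() whenever output is pending in CHAN_OUTPUT_WAIT_DRAIN so the deadlock is avoided without bypassing select(). Style: `if(` should be `if (` to match the surrounding code.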


@ -0,0 +1,18 @@
--- openssh-4.3p2/contrib/gnome-ssh-askpass2.c.grab-info 2006-07-17 15:10:11.000000000 +0200
+++ openssh-4.3p2/contrib/gnome-ssh-askpass2.c 2006-07-17 15:25:04.000000000 +0200
@@ -65,9 +65,12 @@
err = gtk_message_dialog_new(NULL, 0,
GTK_MESSAGE_ERROR,
GTK_BUTTONS_CLOSE,
- "Could not grab %s. "
- "A malicious client may be eavesdropping "
- "on your session.", what);
+ "SSH password dialog could not grab the %s input.\n"
+ "This might be caused by application such as screensaver, "
+ "however it could also mean that someone may be eavesdropping "
+ "on your session.\n"
+ "Either close the application which grabs the %s or "
+ "log out and log in again to prevent this from happening.", what, what);
gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(err))->label),
TRUE);
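Review bot: the user-facing string has grammar slips: "caused by application such as screensaver" should read "caused by an application such as a screensaver", and "it could also mean that someone may be eavesdropping" can drop "may". The softer wording is reasonable, but since this dialog is the only signal the user gets that another client holds the keyboard or mouse grab, keep the eavesdropping sentence on its own line so it stays visible after the wrap.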


@ -0,0 +1,27 @@
Symptom: intermittent errors on GSSAPI authentication against
machines behind a DNS load balancer; the client only prints the
unhelpful message "Generic Error", and the server-side debug output
complains about an unknown principal.
Cause: the generic DNS name is resolved once for the connection and
then again when obtaining the GSSAPI/Kerberos service ticket, so the
service ticket may be for a different host if the DNS alias switches
between the two resolves.
--- openssh-4.3p2/sshconnect2.c.gss-canohost 2006-11-28 21:58:03.000000000 +0100
+++ openssh-4.3p2/sshconnect2.c 2006-11-30 11:33:14.000000000 +0100
@@ -485,6 +485,7 @@
static u_int mech = 0;
OM_uint32 min;
int ok = 0;
+ const char* remotehost = get_canonical_hostname(1);
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
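Review bot: `get_canonical_hostname(1)` derives the GSSAPI target from a reverse lookup of the address the socket actually connected to, instead of the name the user typed (authctxt->host). That fixes the load-balancer case, but it also means the service principal is chosen by whoever controls the PTR record for that address, the same trade-off as Kerberos reverse-DNS canonicalization; the patch description should say so. Style: OpenSSH writes `const char *remotehost`, not `const char* remotehost`.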
@@ -497,7 +498,7 @@
/* My DER encoding requires length<128 */
if (gss_supported->elements[mech].length < 128 &&
ssh_gssapi_check_mechanism(&gssctxt,
- &gss_supported->elements[mech], authctxt->host)) {
+ &gss_supported->elements[mech], remotehost)) {
ok = 1; /* Mechanism works */
} else {
mech++;
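Review bot: when the reverse lookup fails, get_canonical_hostname() returns the textual IP address, so ssh_gssapi_check_mechanism() is then asked for a principal of the form host/<address> and the mechanism is skipped, whereas before the patch the user-supplied name was still tried. Consider falling back to authctxt->host when remotehost is a bare address so that the pre-patch behaviour is preserved in that case.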

openssh-4.4p1-watchdog.diff Normal file

@ -0,0 +1,468 @@
diff -Naurp openssh-5.3p1/clientloop.c openssh-5.3p1.oden/clientloop.c
--- openssh-5.3p1/clientloop.c 2009-08-28 03:21:07.000000000 +0200
+++ openssh-5.3p1.oden/clientloop.c 2009-10-07 17:39:17.000000000 +0200
@@ -155,6 +155,7 @@ static Buffer stderr_buffer; /* Buffer f
static u_int buffer_high;/* Soft max buffer size. */
static int connection_in; /* Connection to server (input). */
static int connection_out; /* Connection to server (output). */
+static time_t idle_time_last; /* Last time of packet transmission. */
static int need_rekeying; /* Set to non-zero if rekeying is requested. */
static int session_closed = 0; /* In SSH2: login session closed. */
@@ -568,16 +569,19 @@ client_wait_until_can_do_something(fd_se
* event pending.
*/
- if (options.server_alive_interval == 0 || !compat20)
- tvp = NULL;
- else {
+ if (options.server_alive_interval != 0 && compat20){
tv.tv_sec = options.server_alive_interval;
- tv.tv_usec = 0;
+ tv.tv_usec = 0;
+ tvp = &tv;
+ }
+ else{
+ tv.tv_sec = 0;
+ tv.tv_usec = 500 * 1000; /* time slot is 0.5sec */
tvp = &tv;
}
- ret = select((*maxfdp)+1, *readsetp, *writesetp, NULL, tvp);
- if (ret < 0) {
- char buf[100];
+ ret = select((*maxfdp)+1, *readsetp, *writesetp, NULL, tvp);
+ if (ret < 0) {
+ char buf[100];
/*
* We have to clear the select masks, because we return.
@@ -593,8 +597,43 @@ client_wait_until_can_do_something(fd_se
snprintf(buf, sizeof buf, "select: %s\r\n", strerror(errno));
buffer_append(&stderr_buffer, buf, strlen(buf));
quit_pending = 1;
- } else if (ret == 0)
- server_alive_check();
+ } else if (ret == 0){
+ if (options.server_alive_interval != 0 && compat20){
+ server_alive_check();
+ }
+ }
+
+ /* If the output channel has been silent for more than a specified
+ * time, send a keepalive packet (heartbeat) to the server.
+ * Keepalive packet is useful for keeping the connection over
+ * IP masquerade / NAT boxes, firewalls, etc.
+ * Some servers equipped with a watchdog timer require keepalive
+ * packets (heartbeats) to detect link down.
+ *
+ * Note: Although the interval between keepalive packets is not
+ * very precise, it's okay.
+ *
+ * Note: Some old servers may crash when they receive SSH_MSG_IGNORE.
+ * Those who want to connect to such a server should turn this
+ * function off by the option setting (e.g. Heartbeat 0).
+ */
+ if (options.heartbeat_interval > 0) {
+ if (FD_ISSET(connection_out,*writesetp)) {
+ /* Update the time of last data transmission. */
+ idle_time_last = time(NULL);
+ }
+ if (time(NULL) - idle_time_last >= (int)options.heartbeat_interval){
+ if (compat20) {
+ packet_start(SSH2_MSG_IGNORE);
+ }
+ else {
+ packet_start(SSH_MSG_IGNORE);
+ }
+ packet_put_string("", 0);
+ packet_send();
+ /* fputs("*",stderr); */
+ }
+ }
}
static void
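Review bot: ssh_config.5 in this same patch says Heartbeat "does not work" together with ServerAliveInterval, but nothing here disables it: with both set, select() times out after server_alive_interval seconds, so the heartbeat check simply runs at that coarser granularity. Either reject the combination in fill_default_options() or make the man page describe the actual behaviour. Smaller points: the re-indentation of `ret = select(...)`, `if (ret < 0) {` and `char buf[100];` is whitespace-only churn that should be dropped; `(int)options.heartbeat_interval` casts an int to int; and `else{` / `compat20){` spacing should follow the surrounding style.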
@@ -1312,6 +1351,7 @@ client_loop(int have_pty, int escape_cha
debug("Entering interactive session.");
start_time = get_current_time();
+ idle_time_last = time(NULL);
/* Initialize variables. */
escape_pending1 = 0;
diff -Naurp openssh-5.3p1/readconf.c openssh-5.3p1.oden/readconf.c
--- openssh-5.3p1/readconf.c 2009-07-05 23:12:27.000000000 +0200
+++ openssh-5.3p1.oden/readconf.c 2009-10-07 17:39:17.000000000 +0200
@@ -118,7 +118,7 @@ typedef enum {
oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
- oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
+ oCompressionLevel, oTCPKeepAlive, oHeartbeat, oNumberOfPasswordPrompts,
oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
@@ -199,6 +199,7 @@ static struct {
{ "compressionlevel", oCompressionLevel },
{ "tcpkeepalive", oTCPKeepAlive },
{ "keepalive", oTCPKeepAlive }, /* obsolete */
+ { "heartbeat", oHeartbeat },
{ "numberofpasswordprompts", oNumberOfPasswordPrompts },
{ "loglevel", oLogLevel },
{ "dynamicforward", oDynamicForward },
@@ -502,6 +503,10 @@ parse_yesnoask:
intptr = &options->no_host_authentication_for_localhost;
goto parse_flag;
+ case oHeartbeat:
+ intptr = &options->heartbeat_interval;
+ goto parse_int;
+
case oNumberOfPasswordPrompts:
intptr = &options->number_of_password_prompts;
goto parse_int;
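Review bot: parse_int accepts negative numbers, and -1 is this option's "unset" sentinel, so `Heartbeat -1` silently becomes 0 and `Heartbeat -5` is stored as is (harmless only because clientloop.c tests `> 0`). Go to parse_time instead, as ServerAliveInterval does, so invalid and negative values are rejected at config load.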
@@ -1024,6 +1029,7 @@ initialize_options(Options * options)
options->strict_host_key_checking = -1;
options->compression = -1;
options->tcp_keep_alive = -1;
+ options->heartbeat_interval = -1;
options->compression_level = -1;
options->port = -1;
options->address_family = -1;
@@ -1125,6 +1131,8 @@ fill_default_options(Options * options)
options->compression = 0;
if (options->tcp_keep_alive == -1)
options->tcp_keep_alive = 1;
+ if (options->heartbeat_interval == -1)
+ options->heartbeat_interval = 0; /* 0 means "no heartbeat" */
if (options->compression_level == -1)
options->compression_level = 6;
if (options->port == -1)
diff -Naurp openssh-5.3p1/readconf.h openssh-5.3p1.oden/readconf.h
--- openssh-5.3p1/readconf.h 2009-07-05 23:12:27.000000000 +0200
+++ openssh-5.3p1.oden/readconf.h 2009-10-07 17:39:17.000000000 +0200
@@ -57,6 +57,9 @@ typedef struct {
int compression_level; /* Compression level 1 (fast) to 9
* (best). */
int tcp_keep_alive; /* Set SO_KEEPALIVE. */
+ int heartbeat_interval; /* Number of seconds between keepalive
+ * packets (heartbeats) over encrypted
+ * channel. (in secs.) */
LogLevel log_level; /* Level for logging. */
int port; /* Port to connect. */
diff -Naurp openssh-5.3p1/servconf.c openssh-5.3p1.oden/servconf.c
--- openssh-5.3p1/servconf.c 2009-06-21 12:26:17.000000000 +0200
+++ openssh-5.3p1.oden/servconf.c 2009-10-07 17:39:17.000000000 +0200
@@ -80,6 +80,8 @@ initialize_server_options(ServerOptions
options->xauth_location = NULL;
options->strict_modes = -1;
options->tcp_keep_alive = -1;
+ options->watchdog_timeout = -1;
+ options->watchdog_timeout1 = -1;
options->log_facility = SYSLOG_FACILITY_NOT_SET;
options->log_level = SYSLOG_LEVEL_NOT_SET;
options->rhosts_rsa_authentication = -1;
@@ -186,6 +188,10 @@ fill_default_server_options(ServerOption
options->strict_modes = 1;
if (options->tcp_keep_alive == -1)
options->tcp_keep_alive = 1;
+ if (options->watchdog_timeout == -1)
+ options->watchdog_timeout = 0; /* 0 means "no timeout" */
+ if (options->watchdog_timeout1 == -1)
+ options->watchdog_timeout1 = 0; /* 0 means "no timeout" */
if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
options->log_facility = SYSLOG_FACILITY_AUTH;
if (options->log_level == SYSLOG_LEVEL_NOT_SET)
@@ -293,7 +299,7 @@ typedef enum {
sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
- sStrictModes, sEmptyPasswd, sTCPKeepAlive,
+ sStrictModes, sEmptyPasswd, sTCPKeepAlive, sWatchdogTimeout, sWatchdogTimeout1,
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
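Review bot: the edited enum line now runs well past 80 columns; put sWatchdogTimeout and sWatchdogTimeout1 on their own continuation line like the rest of the list.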
@@ -395,6 +401,8 @@ static struct {
{ "compression", sCompression, SSHCFG_GLOBAL },
{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
+ { "watchdogtimeout", sWatchdogTimeout, SSHCFG_GLOBAL },
+ { "watchdogtimeout1", sWatchdogTimeout1, SSHCFG_GLOBAL },
{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
{ "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
{ "allowusers", sAllowUsers, SSHCFG_GLOBAL },
@@ -943,6 +951,14 @@ process_server_config_line(ServerOptions
intptr = &options->tcp_keep_alive;
goto parse_flag;
+ case sWatchdogTimeout:
+ intptr = &options->watchdog_timeout;
+ goto parse_int;
+
+ case sWatchdogTimeout1:
+ intptr = &options->watchdog_timeout1;
+ goto parse_int;
+
case sEmptyPasswd:
intptr = &options->permit_empty_passwd;
goto parse_flag;
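Review bot: same issue as on the client side: parse_int does not reject negative values, so `WatchdogTimeout -3` is accepted and -1 would be mistaken for "unset" by fill_default_server_options(). Use parse_time, as ClientAliveInterval does, so invalid and negative values are reported when the config is loaded.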
diff -Naurp openssh-5.3p1/servconf.h openssh-5.3p1.oden/servconf.h
--- openssh-5.3p1/servconf.h 2009-01-28 06:31:23.000000000 +0100
+++ openssh-5.3p1.oden/servconf.h 2009-10-07 17:39:17.000000000 +0200
@@ -67,6 +67,10 @@ typedef struct {
char *xauth_location; /* Location of xauth program */
int strict_modes; /* If true, require string home dir modes. */
int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */
+ int watchdog_timeout, watchdog_timeout1;
+ /* Timeout of the watchdog timer which
+ checks the input activities over
+ encrypted channel. (in secs.) */
char *ciphers; /* Supported SSH2 ciphers. */
char *macs; /* Supported SSH2 macs. */
int protocol; /* Supported protocol versions. */
diff -Naurp openssh-5.3p1/serverloop.c openssh-5.3p1.oden/serverloop.c
--- openssh-5.3p1/serverloop.c 2009-09-09 03:07:28.000000000 +0200
+++ openssh-5.3p1.oden/serverloop.c 2009-10-07 17:40:09.000000000 +0200
@@ -107,6 +107,8 @@ static int connection_out; /* Connection
static int connection_closed = 0; /* Connection to client closed. */
static u_int buffer_high; /* "Soft" max buffer size. */
static int no_more_sessions = 0; /* Disallow further sessions. */
+static time_t idle_time_last; /* Last time of packet receipt. */
+static int child_forced_to_terminate; /* The child will be killed by sshd. */
/*
* This SIGCHLD kludge is used to detect when the child exits. The server
@@ -281,6 +283,7 @@ wait_until_can_do_something(fd_set **rea
{
struct timeval tv, *tvp;
int ret;
+ int watchdog_timeout = 0;
int client_alive_scheduled = 0;
int program_alive_scheduled = 0;
@@ -350,6 +353,19 @@ wait_until_can_do_something(fd_set **rea
if (max_time_milliseconds == 0 || client_alive_scheduled)
max_time_milliseconds = 100;
+ /* When the watchdog is needed, set the maximum length
+ * of timeout to 0.25sec.
+ */
+ watchdog_timeout = options.watchdog_timeout;
+ if (!compat20 && options.watchdog_timeout1 > 0){
+ watchdog_timeout = options.watchdog_timeout1;
+ }
+ if (watchdog_timeout > 0) {
+ if (max_time_milliseconds == 0 || max_time_milliseconds > 250) {
+ max_time_milliseconds = 250;
+ }
+ }
+
if (max_time_milliseconds == 0)
tvp = NULL;
else {
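Review bot: capping the select() timeout at 250 ms wakes every session that has a watchdog four times a second, although WatchdogTimeout is expressed in whole seconds. Compute the remaining time to the deadline, `watchdog_timeout - (time(NULL) - idle_time_last)`, clamp it to at least one second, and use that as the cap instead.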
@@ -377,6 +393,23 @@ wait_until_can_do_something(fd_set **rea
}
}
+ /*
+ * Watchdog timer:
+ * If the input channel has been silent for more than the specified
+ * time, try to kill the child process(es) to protect server resources.
+ */
+ if (watchdog_timeout > 0) {
+ if (FD_ISSET(connection_in,*readsetp)) {
+ /* Update the time of last data receipt. */
+ idle_time_last = time(NULL);
+ /* fputs("*",stderr); */
+ }
+ if (!child_terminated && \
+ (time(NULL) - idle_time_last) > watchdog_timeout) {
+ child_forced_to_terminate = 1;
+ }
+ }
+
notify_done(*readsetp);
}
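Review bot: the backslash at the end of `if (!child_terminated && \` is a line continuation inside ordinary C code, not a macro; drop it. Also note that the timer is reset whenever connection_in is readable, which includes SSH_MSG_IGNORE heartbeats and anything else the client sends, so the watchdog detects a silent peer, not an idle user; that matches the sshd_config.5 text in this patch, but the servconf.h comment ("checks the input activities") should say "any packet from the client" to avoid the ambiguity.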
@@ -560,7 +593,9 @@ server_loop(pid_t pid, int fdin_arg, int
u_int max_time_milliseconds;
u_int previous_stdout_buffer_bytes;
u_int stdout_buffer_bytes;
- int type;
+ int type, i;
+
+ child_forced_to_terminate = 0;
debug("Entering interactive session.");
@@ -627,6 +662,8 @@ server_loop(pid_t pid, int fdin_arg, int
server_init_dispatch();
+ idle_time_last = time(NULL);
+
/* Main loop of the server for the interactive session mode. */
for (;;) {
@@ -707,6 +744,9 @@ server_loop(pid_t pid, int fdin_arg, int
cleanup_exit(255);
}
+ /* Break, if watchdog timeout occured. */
+ if (child_forced_to_terminate) break;
+
/* Process any channel events. */
channel_after_select(readset, writeset);
@@ -716,6 +756,24 @@ server_loop(pid_t pid, int fdin_arg, int
/* Process output to the client and to program stdin. */
process_output(writeset);
}
+
+ /*
+ * If the child should be terminated due to
+ * watchdog timeout, send kill signal to the child.
+ */
+ if (child_forced_to_terminate) {
+ /* We won't have pid=0. However, for safety... */
+ if ( pid != 0 ){
+ kill(pid, SIGHUP);
+ for (i=0 ; i<5 ; i++){
+ sleep(1);
+ if (child_terminated) break;
+ }
+ if (i>=5) kill(pid, SIGKILL);
+ logit("Warning: Command has been killed due to watchdog timeout.");
+ }
+ }
+
if (readset)
xfree(readset);
if (writeset)
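Review bot: the kill sequence blocks the server loop for up to five seconds of sleep(1), and it signals only the direct child: for non-pty sessions anything that child spawned and detached, or that ignores SIGHUP, survives the watchdog, so the "Command has been killed" log line can overstate what happened. Consider signalling the process group when the child is a group leader, and replacing the sleep loop with a recorded deadline that is checked on the next pass through the loop. Style: `if ( pid != 0 ){` should be `if (pid != 0) {`.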
@@ -724,7 +782,9 @@ server_loop(pid_t pid, int fdin_arg, int
/* Cleanup and termination code. */
/* Wait until all output has been sent to the client. */
- drain_output();
+ if (!child_forced_to_terminate) {
+ drain_output();
+ }
debug("End of interactive session; stdin %ld, stdout (read %ld, sent %ld), stderr %ld bytes.",
stdin_bytes, fdout_bytes, stdout_bytes, stderr_bytes);
@@ -752,6 +812,12 @@ server_loop(pid_t pid, int fdin_arg, int
/* We no longer want our SIGCHLD handler to be called. */
mysignal(SIGCHLD, SIG_DFL);
+ /* If the child has been terminated, free the session and exit here. */
+ if (child_forced_to_terminate) {
+ session_destroy_all(NULL);
+ return;
+ }
+
while ((wait_pid = waitpid(-1, &wait_status, 0)) < 0)
if (errno != EINTR)
packet_disconnect("wait: %.100s", strerror(errno));
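Review bot: returning here skips the waitpid() that follows, so the killed child is left as a zombie until this sshd process exits, and the client is never told why the session ended (the protocol-2 path in server_loop2 uses packet_disconnect() with a reason). Reap the child before returning and send the same disconnect message so both protocol paths behave alike.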
@@ -825,6 +891,7 @@ server_loop2(Authctxt *authctxt)
mysignal(SIGCHLD, sigchld_handler);
child_terminated = 0;
+ child_forced_to_terminate = 0;
connection_in = packet_get_connection_in();
connection_out = packet_get_connection_out();
@@ -841,6 +908,8 @@ server_loop2(Authctxt *authctxt)
server_init_dispatch();
+ idle_time_last = time(NULL);
+
for (;;) {
process_buffered_input_packets();
@@ -857,6 +926,12 @@ server_loop2(Authctxt *authctxt)
cleanup_exit(255);
}
+ /* Terminate child processes, if watchdog timeout occured. */
+ if (child_forced_to_terminate){
+ packet_disconnect("Command has been killed due to watchdog timeout.");
+ logit("Warning: Command has been killed due to watchdog timeout.");
+ }
+
collect_children();
if (!rekeying) {
channel_after_select(readset, writeset);
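Review bot: packet_disconnect() does not return (it logs the reason and calls cleanup_exit), so the logit() after it is dead code; put the logit() first. Also, unlike the protocol-1 path in server_loop(), nothing here signals the session's child processes before disconnecting, so "Command has been killed" is inaccurate for protocol 2; either kill the session children before the disconnect or reword the message to say the session was disconnected.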
diff -Naurp openssh-5.3p1/ssh.1 openssh-5.3p1.oden/ssh.1
--- openssh-5.3p1/ssh.1 2009-06-21 09:48:52.000000000 +0200
+++ openssh-5.3p1.oden/ssh.1 2009-10-07 17:39:17.000000000 +0200
@@ -453,6 +453,7 @@ For full details of the options listed b
.It GSSAPIAuthentication
.It GSSAPIDelegateCredentials
.It HashKnownHosts
+.It Heartbeat
.It Host
.It HostbasedAuthentication
.It HostKeyAlgorithms
diff -Naurp openssh-5.3p1/ssh_config.5 openssh-5.3p1.oden/ssh_config.5
--- openssh-5.3p1/ssh_config.5 2009-02-23 00:53:58.000000000 +0100
+++ openssh-5.3p1.oden/ssh_config.5 2009-10-07 17:39:17.000000000 +0200
@@ -500,6 +500,23 @@ Note that existing names and addresses i
will not be converted automatically,
but may be manually hashed using
.Xr ssh-keygen 1 .
+.It Cm Heartbeat
+Specifies the interval between heartbeats, in seconds. If the output
+channel has been silent for more than the specified time, a null message
+(SSH_MSG_IGNORE) is sent to the server.
+.Cm Heartbeat
+is useful for keeping alive connections over IP masquerade / NAT boxes,
+firewalls, etc., that implement connection timeouts, and in combination
+with the
+.Cm WatchdogTimeout
+option to
+.Xr sshd 8 .
+Heartbeat does not work if
+.Cm ServerAliveInterval
+is enabled at the same time.
+The default is
+.Dq 0 ,
+which disables the hearbeat.
.It Cm HostbasedAuthentication
Specifies whether to try rhosts based authentication with public key
authentication.
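Review bot: typo "hearbeat" in the last line of the new text. The sentence "Heartbeat does not work if ServerAliveInterval is enabled at the same time" also does not match clientloop.c in this patch, where the heartbeat check still runs every time select() returns; say instead that with ServerAliveInterval set the heartbeat is only checked once per ServerAliveInterval.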
diff -Naurp openssh-5.3p1/sshd_config.5 openssh-5.3p1.oden/sshd_config.5
--- openssh-5.3p1/sshd_config.5 2009-08-28 02:27:08.000000000 +0200
+++ openssh-5.3p1.oden/sshd_config.5 2009-10-07 17:39:17.000000000 +0200
@@ -939,6 +939,30 @@ The goal of privilege separation is to p
escalation by containing any corruption within the unprivileged processes.
The default is
.Dq yes .
+.It Cm WatchdogTimeout
+Specifies the watchdog timeout interval, in seconds.
+If a session input channel has been silent for more than the specified interval,
+.Cm sshd
+terminates the session by killing the child process(es). Only input
+packets from the client reset the watchdog timer; this makes it possible
+to terminate a session even if the serever continues sending some data
+to the client.
+When used in combination with
+.Cm ClientAliveInterval
+and/or the
+.Cm Heartbeat
+option of
+.Xr ssh 1
+this feature will detect and terminate hung sessions over unreliable
+networks, without interfering with normal usage.
+The default is
+.Dq 0 ,
+which disables the watchdog.
+.It Cm WatchdogTimeout1
+Specifies the watchdog timeout interval, in seconds, for SSH1 protocol
+only. See the
+.Cm WatchdogTimeout
+option.
.It Cm X11DisplayOffset
Specifies the first display number available for
.Xr sshd 8 Ns 's
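Review bot: "serever" is a typo; `.Cm sshd` should be `.Xr sshd 8` (Cm marks keywords, Xr marks cross references). "terminates the session by killing the child process(es)" is only true for protocol 1 in this patch: the protocol-2 loop disconnects without signalling the children, and the text should say so. The WatchdogTimeout1 entry should also state that it falls back to WatchdogTimeout when unset, which is what serverloop.c does.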

openssh-4.7p1-audit.patch Normal file

@ -0,0 +1,238 @@
diff -Naurp openssh-5.3p1/auth.c openssh-5.3p1.oden/auth.c
--- openssh-5.3p1/auth.c 2008-11-05 06:12:54.000000000 +0100
+++ openssh-5.3p1.oden/auth.c 2009-10-07 18:46:05.000000000 +0200
@@ -287,6 +287,12 @@ auth_log(Authctxt *authctxt, int authent
get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
# endif
#endif
+#if HAVE_LINUX_AUDIT
+ if (authenticated == 0 && !authctxt->postponed) {
+ linux_audit_record_event(-1, authctxt->user, NULL,
+ get_remote_ipaddr(), "sshd", 0);
+ }
+#endif
#ifdef SSH_AUDIT_EVENTS
if (authenticated == 0 && !authctxt->postponed)
audit_event(audit_classify_auth(method));
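Review bot: `#if HAVE_LINUX_AUDIT` differs from the `#ifdef HAVE_LINUX_AUDIT` used everywhere else in this patch; it works because configure defines the macro to 1, but it warns under -Wundef when the macro is not defined. Use #ifdef. The record is only emitted for failures (`authenticated == 0`), which is fine provided successful logins are covered by the loginrec.c hook; a one-line comment saying so would save the next reader from wondering.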
@@ -533,6 +539,10 @@ getpwnamallow(const char *user)
record_failed_login(user,
get_canonical_hostname(options.use_dns), "ssh");
#endif
+#ifdef HAVE_LINUX_AUDIT
+ linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
+ "sshd", 0);
+#endif
#ifdef SSH_AUDIT_EVENTS
audit_event(SSH_INVALID_USER);
#endif /* SSH_AUDIT_EVENTS */
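Review bot: for a non-existent user this emits one audit record here and, once the method fails, a second one from auth_log() for the same attempt (same user, same address, both with result 0). That mirrors the SSH_AUDIT_EVENTS calls just below, but if one record per attempt is wanted, skip the auth_log() record when authctxt->valid is 0. The user string is attacker-supplied and unvalidated at this point; libaudit encodes names containing non-printable characters, so that is acceptable, but worth a comment.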
diff -Naurp openssh-5.3p1/config.h.in openssh-5.3p1.oden/config.h.in
--- openssh-5.3p1/config.h.in 2009-09-26 08:31:14.000000000 +0200
+++ openssh-5.3p1.oden/config.h.in 2009-10-07 18:46:05.000000000 +0200
@@ -533,6 +533,9 @@
/* Define to 1 if you have the <lastlog.h> header file. */
#undef HAVE_LASTLOG_H
+/* Define to 1 if you have the <libaudit.h> header file. */
+#undef HAVE_LIBAUDIT_H
+
/* Define to 1 if you have the `bsm' library (-lbsm). */
#undef HAVE_LIBBSM
@@ -572,6 +575,9 @@
/* Define to 1 if you have the <limits.h> header file. */
#undef HAVE_LIMITS_H
+/* Define if you want Linux audit support. */
+#undef HAVE_LINUX_AUDIT
+
/* Define to 1 if you have the <linux/if_tun.h> header file. */
#undef HAVE_LINUX_IF_TUN_H
@@ -768,6 +774,9 @@
/* Define to 1 if you have the `setgroups' function. */
#undef HAVE_SETGROUPS
+/* Define to 1 if you have the `setkeycreatecon' function. */
+#undef HAVE_SETKEYCREATECON
+
/* Define to 1 if you have the `setlogin' function. */
#undef HAVE_SETLOGIN
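Review bot: HAVE_SETKEYCREATECON has nothing to do with Linux audit, and no configure.ac check in this patch defines it; config.h.in is regenerated by autoheader from configure.ac, so a hand-added #undef without a matching AC_CHECK_FUNCS will be lost on the next regeneration. Either add the check (it belongs with the SELinux block) or drop this hunk.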
@@ -1348,6 +1357,11 @@
/* Prepend the address family to IP tunnel traffic */
#undef SSH_TUN_PREPEND_AF
+/* Define to your vendor patch level, if it has been modified from the
+ upstream source release. */
+#undef SSH_VENDOR_PATCHLEVEL
+
+
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
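Review bot: same problem as the previous hunk: SSH_VENDOR_PATCHLEVEL is defined here but no configure.ac change in this patch generates it, and the hunk inserts two blank lines where autoheader emits one. Either remove it from this patch or include the configure.ac hunk that defines it.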
diff -Naurp openssh-5.3p1/configure.ac openssh-5.3p1.oden/configure.ac
--- openssh-5.3p1/configure.ac 2009-09-11 06:56:08.000000000 +0200
+++ openssh-5.3p1.oden/configure.ac 2009-10-07 18:46:05.000000000 +0200
@@ -3407,6 +3407,18 @@ AC_ARG_WITH(selinux,
fi ]
)
+# Check whether user wants Linux audit support
+LINUX_AUDIT_MSG="no"
+AC_ARG_WITH(linux-audit,
+ [ --with-linux-audit Enable Linux audit support],
+ [ if test "x$withval" != "xno" ; then
+ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
+ LINUX_AUDIT_MSG="yes"
+ AC_CHECK_HEADERS(libaudit.h)
+ SSHDLIBS="$SSHDLIBS -laudit"
+ fi ]
+)
+
# Check whether user wants Kerberos 5 support
KRB5_MSG="no"
AC_ARG_WITH(kerberos5,
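Review bot: `AC_CHECK_HEADERS(libaudit.h)` is run but its result (HAVE_LIBAUDIT_H) is never consulted, and there is no `AC_CHECK_LIB(audit, audit_open)` before `-laudit` is appended to SSHDLIBS, so a host without libaudit passes configure with "Linux audit support: yes" and only fails when loginrec.c hits `#include <libaudit.h>` or at link time. Check both and fail early, for example `AC_CHECK_LIB(audit, audit_open, [SSHDLIBS="$SSHDLIBS -laudit"], [AC_MSG_ERROR([libaudit not found])])`, and only AC_DEFINE HAVE_LINUX_AUDIT once the header check has succeeded.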
@@ -4226,6 +4238,7 @@ echo " PAM support
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
+echo " Linux audit support: $LINUX_AUDIT_MSG"
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
diff -Naurp openssh-5.3p1/loginrec.c openssh-5.3p1.oden/loginrec.c
--- openssh-5.3p1/loginrec.c 2009-02-12 03:12:22.000000000 +0100
+++ openssh-5.3p1.oden/loginrec.c 2009-10-07 18:46:05.000000000 +0200
@@ -176,6 +176,10 @@
#include "auth.h"
#include "buffer.h"
+#ifdef HAVE_LINUX_AUDIT
+# include <libaudit.h>
+#endif
+
#ifdef HAVE_UTIL_H
# include <util.h>
#endif
@@ -202,6 +206,9 @@ int utmp_write_entry(struct logininfo *l
int utmpx_write_entry(struct logininfo *li);
int wtmp_write_entry(struct logininfo *li);
int wtmpx_write_entry(struct logininfo *li);
+#ifdef HAVE_LINUX_AUDIT
+int linux_audit_write_entry(struct logininfo *li);
+#endif
int lastlog_write_entry(struct logininfo *li);
int syslogin_write_entry(struct logininfo *li);
@@ -440,6 +447,10 @@ login_write(struct logininfo *li)
/* set the timestamp */
login_set_current_time(li);
+#ifdef HAVE_LINUX_AUDIT
+ if (linux_audit_write_entry(li) == 0)
+ fatal("linux_audit_write_entry failed: %s", strerror(errno));
+#endif
#ifdef USE_LOGIN
syslogin_write_entry(li);
#endif
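Review bot: the `fatal(... strerror(errno))` added to login_write() is fail-closed, which is the right default for an audit hook, but the errno it prints is unreliable: linux_audit_record_event() calls close(audit_fd) after audit_log_user_message() fails, which can overwrite errno, and the default branch of linux_audit_write_entry() returns 0 without setting errno at all. Save errno before close() (or return it from the function) so the fatal message says why the audit write failed, and add a comment that a kernel with audit enabled but an unwritable audit socket will refuse every login.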
@@ -1394,6 +1405,87 @@ wtmpx_get_entry(struct logininfo *li)
}
#endif /* USE_WTMPX */
+#ifdef HAVE_LINUX_AUDIT
+static void
+_audit_hexscape(const char *what, char *where, unsigned int size)
+{
+ const char *ptr = what;
+ const char *hex = "0123456789ABCDEF";
+
+ while (*ptr) {
+ if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) {
+ unsigned int i;
+ ptr = what;
+ for (i = 0; *ptr && i+2 < size; i += 2) {
+ where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */
+ where[i+1] = hex[(unsigned)*ptr & 0x0F]; /* Lower nibble */
+ ptr++;
+ }
+ where[i] = '\0';
+ return;
+ }
+ ptr++;
+ }
+ where[0] = '"';
+ if ((unsigned)(ptr - what) < size - 3)
+ {
+ size = ptr - what + 3;
+ }
+ strncpy(where + 1, what, size - 3);
+ where[size-2] = '"';
+ where[size-1] = '\0';
+}
+
+#define AUDIT_LOG_SIZE 128
+#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8)
+
+int
+linux_audit_record_event(int uid, const char *username,
+ const char *hostname, const char *ip, const char *ttyn, int success)
+{
+ char buf[AUDIT_LOG_SIZE];
+ int audit_fd, rc;
+
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT)
+ return 1; /* No audit support in kernel */
+ else
+ return 0; /* Must prevent login */
+ }
+ if (username == NULL)
+ snprintf(buf, sizeof(buf), "uid=%d", uid);
+ else {
+ char encoded[AUDIT_ACCT_SIZE];
+ _audit_hexscape(username, encoded, sizeof(encoded));
+ snprintf(buf, sizeof(buf), "acct=%s", encoded);
+ }
+ rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
+ buf, hostname, ip, ttyn, success);
+ close(audit_fd);
+ if (rc >= 0)
+ return 1;
+ else
+ return 0;
+}
+
+int
+linux_audit_write_entry(struct logininfo *li)
+{
+ switch(li->type) {
+ case LTYPE_LOGIN:
+ return (linux_audit_record_event(li->uid, NULL, li->hostname,
+ NULL, li->line, 1));
+ case LTYPE_LOGOUT:
+ return (1); /* We only care about logins */
+ default:
+ logit("%s: invalid type field", __func__);
+ return (0);
+ }
+}
+#endif /* HAVE_LINUX_AUDIT */
+
/**
** Low-level libutil login() functions
**/
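Review bot: _audit_hexscape() truncates silently: a username longer than AUDIT_ACCT_SIZE-3 bytes (or roughly half that once it is hex-encoded) is cut without any marker, so two distinct long names can yield the same acct= field in the audit trail; reject over-long names before encoding or append an explicit truncation indicator. Two smaller points in linux_audit_record_event(): `uid` is declared int but carries a uid_t plus -1 as a sentinel, so `"uid=%d"` prints a negative number for large uids; and the EINVAL/EPROTONOSUPPORT/EAFNOSUPPORT test is the libaudit convention for "kernel lacks audit", while EPERM (no CAP_AUDIT_WRITE) and ECONNREFUSED land in the "must prevent login" branch, which is only correct if every caller runs with that capability; say so in a comment.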
diff -Naurp openssh-5.3p1/loginrec.h openssh-5.3p1.oden/loginrec.h
--- openssh-5.3p1/loginrec.h 2006-08-05 04:39:40.000000000 +0200
+++ openssh-5.3p1.oden/loginrec.h 2009-10-07 18:46:05.000000000 +0200
@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
char *line_abbrevname(char *dst, const char *src, int dstsize);
void record_failed_login(const char *, const char *, const char *);
+#ifdef HAVE_LINUX_AUDIT
+int linux_audit_record_event(int uid, const char *username,
+ const char *hostname, const char *ip, const char *ttyn, int success);
+#endif /* HAVE_LINUX_AUDIT */
#endif /* _HAVE_LOGINREC_H_ */

@@ -0,0 +1,711 @@
diff -Naurp openssh-4.9p1/servconf.c openssh-4.9p1.oden/servconf.c
--- openssh-4.9p1/servconf.c 2008-02-10 12:48:55.000000000 +0100
+++ openssh-4.9p1.oden/servconf.c 2008-04-01 13:21:17.000000000 +0200
@@ -118,6 +118,15 @@ initialize_server_options(ServerOptions
options->client_alive_count_max = -1;
options->authorized_keys_file = NULL;
options->authorized_keys_file2 = NULL;
+ options->log_sftp = LOG_SFTP_NOT_SET;
+ options->sftp_log_facility = SYSLOG_FACILITY_NOT_SET;
+ options->sftp_log_level = SYSLOG_LEVEL_NOT_SET;
+
+ memset(options->sftp_umask, 0, SFTP_UMASK_LENGTH);
+
+ options->sftp_permit_chmod = SFTP_PERMIT_NOT_SET;
+ options->sftp_permit_chown = SFTP_PERMIT_NOT_SET;
+
options->num_accept_env = 0;
options->permit_tun = -1;
options->num_permitted_opens = -1;
@@ -251,6 +260,24 @@ fill_default_server_options(ServerOption
if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
+ /* Turn sftp-server logging off by default */
+ if (options->log_sftp == LOG_SFTP_NOT_SET)
+ options->log_sftp = LOG_SFTP_NO;
+ if (options->sftp_log_facility == SYSLOG_FACILITY_NOT_SET)
+ options->sftp_log_facility = SYSLOG_FACILITY_AUTH;
+ if (options->sftp_log_level == SYSLOG_LEVEL_NOT_SET)
+ options->sftp_log_level = SYSLOG_LEVEL_INFO;
+
+ /* Don't set sftp-server umask */
+ if (!options->sftp_umask)
+ memset(options->sftp_umask, 0, SFTP_UMASK_LENGTH);
+
+ /* allow sftp client to issue chmod, chown / chgrp commands */
+ if (options->sftp_permit_chmod == SFTP_PERMIT_NOT_SET)
+ options->sftp_permit_chmod = SFTP_PERMIT_YES;
+ if (options->sftp_permit_chown == SFTP_PERMIT_NOT_SET)
+ options->sftp_permit_chown = SFTP_PERMIT_YES;
+
/* Turn privilege separation on by default */
if (use_privsep == -1)
use_privsep = 1;
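Review bot: `if (!options->sftp_umask)` can never be true: sftp_umask is a char array (see the servconf.h hunk), so its address is non-null and the memset is dead code. The intended test is presumably `if (options->sftp_umask[0] == '\0')`, but since initialize_server_options() already zeroes the array the whole block and its comment can simply go.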
@@ -294,6 +321,9 @@ typedef enum {
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation,
+ sLogSftp, sSftpLogFacility, sSftpLogLevel,
+ sSftpUmask,
+ sSftpPermitChown, sSftpPermitChmod,
sDeprecated, sUnsupported
} ServerOpCodes;
@@ -400,6 +430,12 @@ static struct {
{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
{ "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
+ { "logsftp", sLogSftp},
+ { "sftplogfacility", sSftpLogFacility},
+ { "sftploglevel", sSftpLogLevel},
+ { "sftpumask", sSftpUmask},
+ { "sftppermitchmod", sSftpPermitChmod},
+ { "sftppermitchown", sSftpPermitChown},
{ "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
{ "match", sMatch, SSHCFG_ALL },
{ "permitopen", sPermitOpen, SSHCFG_ALL },
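Review bot: the six new keyword entries omit the flags field that every neighbouring entry sets (`SSHCFG_GLOBAL` or `SSHCFG_ALL`), leaving it zero-initialised. Give them `SSHCFG_GLOBAL` explicitly; if per-user sftp policy inside `Match` blocks is the goal, use `SSHCFG_ALL` and also propagate the new fields in copy_set_server_options(), which this patch does not touch.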
@@ -626,6 +662,8 @@ process_server_config_line(ServerOptions
SyslogFacility *log_facility_ptr;
LogLevel *log_level_ptr;
ServerOpCodes opcode;
+ unsigned int umaskvalue = 0;
+ char *umaskptr;
u_short port;
u_int i, flags = 0;
size_t len;
@@ -1150,6 +1188,57 @@ parse_flag:
charptr = &options->banner;
goto parse_filename;
+ case sLogSftp:
+ intptr = &options->log_sftp;
+ goto parse_flag;
+
+ case sSftpLogFacility:
+ intptr = (int *) &options->sftp_log_facility;
+ arg = strdelim(&cp);
+ value = log_facility_number(arg);
+ if (value == SYSLOG_FACILITY_NOT_SET)
+ fatal("%.200s line %d: unsupported log facility '%s'",
+ filename, linenum, arg ? arg : "<NONE>");
+ if (*intptr == -1)
+ *intptr = (SyslogFacility) value;
+ break;
+
+ case sSftpLogLevel:
+ intptr = (int *) &options->sftp_log_level;
+ arg = strdelim(&cp);
+ value = log_level_number(arg);
+ if (value == SYSLOG_LEVEL_NOT_SET)
+ fatal("%.200s line %d: unsupported log level '%s'",
+ filename, linenum, arg ? arg : "<NONE>");
+ if (*intptr == -1)
+ *intptr = (LogLevel) value;
+ break;
+
+ case sSftpUmask:
+ arg = strdelim(&cp);
+ umaskptr = arg;
+ while (*arg && *arg >= '0' && *arg <= '9')
+ umaskvalue = umaskvalue * 8 + *arg++ - '0';
+ if (*arg || umaskvalue > 0777)
+ fatal("%s line %d: bad value for umask",
+ filename, linenum);
+ else {
+ while (*umaskptr && *umaskptr == '0')
+ *umaskptr++;
+ strncpy(options->sftp_umask, umaskptr,
+ SFTP_UMASK_LENGTH);
+ }
+
+ break;
+
+ case sSftpPermitChmod:
+ intptr = &options->sftp_permit_chmod;
+ goto parse_flag;
+
+ case sSftpPermitChown:
+ intptr = &options->sftp_permit_chown;
+ goto parse_flag;
+
/*
* These options can contain %X options expanded at
* connect time, so that you can specify paths like:
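Review bot: the sSftpUmask case dereferences `arg` without a NULL check, so a bare `SftpUmask` line with no value (exactly what the commented-out example in the sshd_config hunk shows) crashes sshd at config load; add the `if (!arg || *arg == '\0') fatal(...)` guard the other cases use. Two more defects in the same block: the accept loop admits the digits 8 and 9 although the value is accumulated in octal, so `SftpUmask 088` is silently taken as some other mask instead of being rejected; and `*umaskptr++;` discards the dereference (it should read `umaskptr++`), while the leading-zero stripping turns a configured `0` into an empty string that later disables umask control. The env-side parser in sftp-server.c repeats the same logic with the same digit bug; one shared helper would fix both.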
diff -Naurp openssh-4.9p1/servconf.h openssh-4.9p1.oden/servconf.h
--- openssh-4.9p1/servconf.h 2008-03-07 08:31:24.000000000 +0100
+++ openssh-4.9p1.oden/servconf.h 2008-04-01 13:18:51.000000000 +0200
@@ -34,6 +34,18 @@
#define PERMIT_NO_PASSWD 2
#define PERMIT_YES 3
+/* sftp-server logging */
+#define LOG_SFTP_NOT_SET -1
+#define LOG_SFTP_NO 0
+#define LOG_SFTP_YES 1
+
+/* sftp-server umask control */
+#define SFTP_UMASK_LENGTH 5
+
+/* sftp-server client priviledge */
+#define SFTP_PERMIT_NOT_SET -1
+#define SFTP_PERMIT_NO 0
+#define SFTP_PERMIT_YES 1
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
/* Magic name for internal sftp-server */
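Review bot: minor: "priviledge" in the new comment should be "privilege", and LOG_SFTP_{NOT_SET,NO,YES} and SFTP_PERMIT_{NOT_SET,NO,YES} are the same tri-state with identical values; the existing -1/0/1 convention used by the other int flags in ServerOptions would do for both.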
@@ -137,6 +149,12 @@ typedef struct {
char *authorized_keys_file; /* File containing public keys */
char *authorized_keys_file2;
+ int log_sftp; /* perform sftp-server logging */
+ SyslogFacility sftp_log_facility; /* Facility for sftp subsystem logging. */
+ LogLevel sftp_log_level; /* Level for sftp subsystem logging. */
+ char sftp_umask[SFTP_UMASK_LENGTH]; /* Sftp Umask */
+ int sftp_permit_chmod;
+ int sftp_permit_chown;
char *adm_forced_command;
int use_pam; /* Enable auth via PAM */
diff -Naurp openssh-4.9p1/session.c openssh-4.9p1.oden/session.c
--- openssh-4.9p1/session.c 2008-03-27 01:03:05.000000000 +0100
+++ openssh-4.9p1.oden/session.c 2008-04-01 13:18:51.000000000 +0200
@@ -144,6 +144,15 @@ login_cap_t *lc;
static int is_child = 0;
+/* so SFTP_LOG_FACILITY and SFTP_LOG_LEVEL can be passed through the
+ environment to the sftp-server subsystem. */
+static const char *sysfac_to_int[] = { "0", "1", "2", "3", "4", "5", "6",
+ "7", "8", "9", "10", "11", "-1" };
+static const char *syslevel_to_int[] = { "0", "1", "2", "3", "4", "5", "6",
+ "7", "-1" };
+
+static char *sftpumask;
+
/* Name and directory of socket for authentication agent forwarding. */
static char *auth_sock_name = NULL;
static char *auth_sock_dir = NULL;
@@ -1172,6 +1181,67 @@ do_setup_env(Session *s, const char *she
child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
auth_sock_name);
+ /* LOG_SFTP */
+ if (options.log_sftp == -1 )
+ child_set_env(&env, &envsize, "LOG_SFTP", "-1");
+ else if (options.log_sftp == 0)
+ child_set_env(&env, &envsize, "LOG_SFTP", "0");
+ else
+ child_set_env(&env, &envsize, "LOG_SFTP", "1");
+
+ /* SFTP_LOG_FACILITY */
+ if (options.sftp_log_facility < 0)
+ child_set_env(&env, &envsize, "SFTP_LOG_FACILITY",
+ "-1");
+ else
+ child_set_env(&env, &envsize, "SFTP_LOG_FACILITY",
+ sysfac_to_int[options.sftp_log_facility]);
+
+ /* SFTP_LOG_LEVEL */
+ if (options.sftp_log_level < 0)
+ child_set_env(&env, &envsize, "SFTP_LOG_LEVEL",
+ "-1");
+ else
+ child_set_env(&env, &envsize, "SFTP_LOG_LEVEL",
+ syslevel_to_int[options.sftp_log_level]);
+
+ /* SFTP_UMASK */
+
+ if (options.sftp_umask[0] == '\0')
+ child_set_env(&env, &envsize, "SFTP_UMASK",
+ "" );
+ else {
+ if (!(sftpumask = calloc(SFTP_UMASK_LENGTH,1))) {
+
+logit("session.c: unabled to allocate memory for SftpUmask. SftpUmask control \
+will be turned off.");
+
+ child_set_env(&env, &envsize, "SFTP_UMASK",
+ "" );
+ } else {
+ strncpy(sftpumask, options.sftp_umask,
+ SFTP_UMASK_LENGTH);
+ child_set_env(&env, &envsize, "SFTP_UMASK",
+ sftpumask );
+ }
+ }
+
+ /* SFTP_PERMIT_CHMOD */
+ if (options.sftp_permit_chmod == -1 )
+ child_set_env(&env, &envsize, "SFTP_PERMIT_CHMOD", "-1");
+ else if (options.sftp_permit_chmod == 0)
+ child_set_env(&env, &envsize, "SFTP_PERMIT_CHMOD", "0");
+ else
+ child_set_env(&env, &envsize, "SFTP_PERMIT_CHMOD", "1");
+
+ /* SFTP_PERMIT_CHOWN */
+ if (options.sftp_permit_chown == -1 )
+ child_set_env(&env, &envsize, "SFTP_PERMIT_CHOWN", "-1");
+ else if (options.sftp_permit_chown == 0)
+ child_set_env(&env, &envsize, "SFTP_PERMIT_CHOWN", "0");
+ else
+ child_set_env(&env, &envsize, "SFTP_PERMIT_CHOWN", "1");
+
/* read $HOME/.ssh/environment. */
if (options.permit_user_env && !options.use_login) {
snprintf(buf, sizeof buf, "%.200s/.ssh/environment",
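Review bot: this hunk exports sftp policy (SFTP_PERMIT_CHMOD, SFTP_PERMIT_CHOWN, SFTP_UMASK) as ordinary environment variables into every session, not only the sftp subsystem, and the environment belongs to the user once the session starts: anyone with shell access can run `env SFTP_PERMIT_CHOWN=1 /usr/libexec/sftp-server` and bypass the restriction. That is acceptable only for users who cannot run commands (ForceCommand/ChrootDirectory) and must be stated in sshd_config.5. Smaller points: the `options.log_sftp == -1` branch is unreachable after fill_default_server_options(); `sysfac_to_int`/`syslevel_to_int` are a hand-written stringification of the enum index that silently breaks if log.h gains an entry, where `snprintf("%d")` would do; and "unabled" in the logit message should be "unable".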
diff -Naurp openssh-4.9p1/sftp-server.8 openssh-4.9p1.oden/sftp-server.8
--- openssh-4.9p1/sftp-server.8 2007-06-05 10:27:13.000000000 +0200
+++ openssh-4.9p1.oden/sftp-server.8 2008-04-01 13:18:51.000000000 +0200
@@ -50,6 +50,20 @@ should be specified in the
declaration.
See
.Xr sshd_config 5
+for more information. Sftp-server transactions may be logged
+using the
+.Cm LogSftp ,
+.Cm SftpLogFacility ,
+and
+.Cm SftpLogLevel
+options. The administrator may exert control over the file and directory
+permission and ownership, with
+.Cm SftpUmask ,
+.Cm SftpPermitChmod ,
+and
+.Cm SftpPermitChown
+. See
+.Xr sshd_config 5
for more information.
.Pp
Valid options are:
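Review bot: mdoc punctuation in this hunk: the trailing period is written as `. See` on its own line after `.Cm SftpPermitChown`, which renders with a space before the period. Put the punctuation as a separate argument on the macro line (`.Cm SftpPermitChown .`) and start `See` on the following line, the way `.Xr sshd_config 5` is punctuated elsewhere on the page.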
@@ -76,7 +90,8 @@ The default is ERROR.
.Xr sftp 1 ,
.Xr ssh 1 ,
.Xr sshd_config 5 ,
-.Xr sshd 8
+.Xr sshd 8,
+.Xr sshd_config 5
.Rs
.%A T. Ylonen
.%A S. Lehtinen
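Review bot: the SEE ALSO change adds a second `.Xr sshd_config 5` although the same reference already appears two lines above in the unchanged context, and `.Xr sshd 8,` puts the comma inside the macro argument (mdoc wants `.Xr sshd 8 ,`). Drop the duplicate and leave `.Xr sshd 8` as the final entry without a trailing comma.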
diff -Naurp openssh-4.9p1/sftp-server.c openssh-4.9p1.oden/sftp-server.c
--- openssh-4.9p1/sftp-server.c 2008-03-07 08:33:53.000000000 +0100
+++ openssh-4.9p1.oden/sftp-server.c 2008-04-01 13:27:43.000000000 +0200
@@ -50,6 +50,13 @@
#define get_int() buffer_get_int(&iqueue);
#define get_string(lenp) buffer_get_string(&iqueue, lenp);
+/* SFTP_UMASK */
+static mode_t setumask = 0;
+
+static int permit_chmod = 1;
+static int permit_chown = 1;
+static int permit_logging = 0;
+
/* Our verbosity */
LogLevel log_level = SYSLOG_LEVEL_ERROR;
@@ -509,6 +516,14 @@ process_open(void)
a = get_attrib();
flags = flags_from_portable(pflags);
mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a->perm : 0666;
+
+ if (setumask != 0) {
+ if ( permit_logging == 1 )
+ logit("setting file creation mode to 0666 and umask to %o", setumask);
+ mode = 0666;
+ umask(setumask);
+ }
+
logit("open \"%s\" flags %s mode 0%o",
name, string_from_portable(pflags), mode);
fd = open(name, flags, mode);
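Review bot: the umask block in process_open() widens permissions relative to what the client asked for: `mode` is forced to 0666 regardless of `a->perm`, so a client that requests 0600 (an sftp `put` of a private key, say) gets 0666 & ~umask, which is 0644 with a typical SftpUmask of 022. A umask can only ever remove bits, so keep `mode = a->perm` (falling back to 0666 only when the client sent no permissions) and let umask() tighten it. Calling umask() on every open is also unnecessary; set it once at startup where SFTP_UMASK is parsed. process_mkdir() has the same problem.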
@@ -523,6 +538,8 @@ process_open(void)
status = SSH2_FX_OK;
}
}
+ if ( permit_logging == 1 )
+ logit("open %s", name);
if (status != SSH2_FX_OK)
send_status(id, status);
xfree(name);
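Review bot: the added `logit("open %s", name)` duplicates the existing `logit("open \"%s\" flags %s mode 0%o", ...)` a few lines above and, because it sits outside the status check, reports "open" even when open() failed. Either drop it or log `status` so the record distinguishes success from failure.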
@@ -560,7 +577,8 @@ process_read(void)
id, handle_to_name(handle), handle, (unsigned long long)off, len);
if (len > sizeof buf) {
len = sizeof buf;
- debug2("read change len %d", len);
+ if (permit_logging == 1)
+ logit("read change len %d", len);
}
fd = handle_to_fd(handle);
if (fd >= 0) {
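Review bot: replacing `debug2("read change len %d", len)` with a `permit_logging`-gated `logit()` changes behaviour when LogSftp is off: a message that used to be available at DEBUG2 is now never emitted. Keep the original debug2() and add the logit() next to it if the event belongs in the sftp log.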
@@ -580,6 +598,8 @@ process_read(void)
}
}
}
+ if ( permit_logging == 1 )
+ logit("reading %d bytes from file", ret);
if (status != SSH2_FX_OK)
send_status(id, status);
}
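Review bot: `logit("reading %d bytes from file", ret)` runs after the whole if-block, including the paths where the handle is invalid or lseek() failed and read() was never called; please confirm `ret` is initialised on those paths, otherwise an indeterminate value is logged. Logging `status` as well, or only logging on SSH2_FX_OK, would make the line meaningful.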
@@ -615,10 +635,13 @@ process_write(void)
status = SSH2_FX_OK;
handle_update_write(handle, ret);
} else {
- debug2("nothing at all written");
+ if ( permit_logging == 1 )
+ logit("nothing at all written");
}
}
}
+ if ( permit_logging == 1 )
+ logit("writing %d bytes to file", ret);
send_status(id, status);
xfree(data);
}
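Review bot: as in process_read(), `logit("writing %d bytes to file", ret)` is emitted unconditionally after the block, so on a short or failed write it reports a count that does not reflect what reached the file; log `status` alongside `ret` or move the logit into the success branch. The `debug2("nothing at all written")` replacement carries the same regression as in process_read(): the message is lost at debug level when LogSftp is off.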
@@ -720,15 +743,25 @@ process_setstat(void)
status = errno_to_portable(errno);
}
if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) {
- logit("set \"%s\" mode %04o", name, a->perm);
- ret = chmod(name, a->perm & 0777);
- if (ret == -1)
- status = errno_to_portable(errno);
+ if (permit_chmod == 1) {
+ ret = chmod(name, a->perm & 0777);
+ if (ret == -1)
+ status = errno_to_portable(errno);
+ else
+ if ( permit_logging == 1 )
+ logit("chmod'ed %s", name);
+ } else {
+ status = SSH2_FX_PERMISSION_DENIED;
+ if ( permit_logging == 1 )
+ logit("chmod %s: operation prohibited by sftp-server configuration.", name);
+ }
}
if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) {
char buf[64];
time_t t = a->mtime;
+if ( permit_logging == 1 )
+logit("process_setstat: utimes");
strftime(buf, sizeof(buf), "%Y%m%d-%H:%M:%S",
localtime(&t));
logit("set \"%s\" modtime %s", name, buf);
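Review bot: this hunk removes the upstream `logit("set \"%s\" mode %04o", name, a->perm)`, so with LogSftp off (the default) a chmod via setstat is no longer logged at all, and the replacement `chmod'ed %s` omits the mode that was requested. Keep the upstream line and make the new messages additive; in the denied branch, log the requested mode too so the record shows what was refused. The unindented `if ( permit_logging == 1 )` / `logit("process_setstat: utimes")` pair in the ACMODTIME block also does not follow the indentation of the surrounding code.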
@@ -737,11 +770,18 @@ process_setstat(void)
status = errno_to_portable(errno);
}
if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) {
- logit("set \"%s\" owner %lu group %lu", name,
- (u_long)a->uid, (u_long)a->gid);
- ret = chown(name, a->uid, a->gid);
- if (ret == -1)
- status = errno_to_portable(errno);
+ if (permit_chown == 1) {
+ ret = chown(name, a->uid, a->gid);
+ if (ret == -1)
+ status = errno_to_portable(errno);
+ else
+ if ( permit_logging == 1 )
+ logit("chown'ed %s.", name);
+ } else {
+ status = SSH2_FX_PERMISSION_DENIED;
+ if ( permit_logging == 1 )
+ logit("chown %s: operation prohibited by sftp-server configuration.", name);
+ }
}
send_status(id, status);
xfree(name);
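Review bot: same pattern as the PERMISSIONS block above: the upstream `logit("set \"%s\" owner %lu group %lu", ...)` is dropped, so the requested uid/gid are never logged when LogSftp is off, and the new `chown'ed %s.` message does not say to whom. Keep the upstream line and include `a->uid`/`a->gid` in the denied-branch message as well.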
@@ -755,8 +795,13 @@ process_fsetstat(void)
int handle, fd, ret;
int status = SSH2_FX_OK;
+if ( permit_logging == 1 )
+logit("process_fsetstat");
+
id = get_int();
handle = get_handle();
+if ( permit_logging == 1 )
+logit("process_fsetstat: ftruncate");
a = get_attrib();
debug("request %u: fsetstat handle %d", id, handle);
fd = handle_to_fd(handle);
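Review bot: `logit("process_fsetstat: ftruncate")` is emitted right after get_handle(), before get_attrib() has been read and before the code knows whether SSH2_FILEXFER_ATTR_SIZE is set, so every fsetstat request logs "ftruncate" whether or not a truncate happens. Move it into the ATTR_SIZE branch (the next hunk already logs there, under the wrong function name) and drop the bare `process_fsetstat` entry, which adds nothing over the existing `debug("request %u: fsetstat handle %d", ...)`.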
@@ -766,6 +811,8 @@ process_fsetstat(void)
char *name = handle_to_name(handle);
if (a->flags & SSH2_FILEXFER_ATTR_SIZE) {
+ if ( permit_logging == 1 )
+ logit("process_setstat: truncate");
logit("set \"%s\" size %llu",
name, (unsigned long long)a->size);
ret = ftruncate(fd, a->size);
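Review bot: the message says `process_setstat: truncate` but this is process_fsetstat(); a copy-paste from the setstat path. Use `__func__` in these messages so they cannot go stale.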
@@ -773,7 +820,9 @@ process_fsetstat(void)
status = errno_to_portable(errno);
}
if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) {
+if ( permit_logging == 1 )
logit("set \"%s\" mode %04o", name, a->perm);
+ if (permit_chmod == 1) {
#ifdef HAVE_FCHMOD
ret = fchmod(fd, a->perm & 0777);
#else
@@ -781,11 +830,21 @@ process_fsetstat(void)
#endif
if (ret == -1)
status = errno_to_portable(errno);
+ else
+ if ( permit_logging == 1 )
+ logit("chmod: succeeded.");
+ } else { // permit_chmod
+ status = SSH2_FX_PERMISSION_DENIED;
+ if ( permit_logging == 1 )
+ logit("chmod: operation prohibited by sftp-server configuration.");
+ } // permit_chmod
}
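Review bot: the `if ( permit_logging == 1 )` inserted in front of the existing `logit("set \"%s\" mode %04o", ...)` gates an upstream log line that used to be unconditional, so mode changes disappear from the log when LogSftp is off; leave the upstream logit unguarded. Also, the `// permit_chmod` comments are C99/C++ style; OpenSSH uses `/* */` only.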
if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) {
char buf[64];
time_t t = a->mtime;
+if ( permit_logging == 1 )
+logit("process_fsetstat: utimes");
strftime(buf, sizeof(buf), "%Y%m%d-%H:%M:%S",
localtime(&t));
logit("set \"%s\" modtime %s", name, buf);
@@ -800,6 +859,7 @@ process_fsetstat(void)
if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) {
logit("set \"%s\" owner %lu group %lu", name,
(u_long)a->uid, (u_long)a->gid);
+ if (permit_chown == 1) {
#ifdef HAVE_FCHOWN
ret = fchown(fd, a->uid, a->gid);
#else
@@ -807,6 +867,14 @@ process_fsetstat(void)
#endif
if (ret == -1)
status = errno_to_portable(errno);
+ else
+ if ( permit_logging == 1 )
+ logit("chown: succeeded");
+ } else { // permit_chown
+ status = SSH2_FX_PERMISSION_DENIED;
+ if ( permit_logging == 1 )
+ logit("chown: operation prohibited by sftp-server configuration.");
+ } // permit_chown
}
}
send_status(id, status);
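Review bot: same two points as the fchmod block: the `// permit_chown` comments should be `/* */`, and the denied branch does not say which uid/gid was refused even though the upstream logit just above already has them; include `a->uid`/`a->gid` in the denial message.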
@@ -929,6 +997,14 @@ process_mkdir(void)
a = get_attrib();
mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ?
a->perm & 0777 : 0777;
+
+ if (setumask != 0) {
+ if ( permit_logging == 1 )
+ logit("setting directory creation mode to 0777 and umask to %o.", setumask);
+ mode = 0777;
+ umask(setumask);
+ }
+
debug3("request %u: mkdir", id);
logit("mkdir name \"%s\" mode 0%o", name, mode);
ret = mkdir(name, mode);
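Review bot: as in process_open(), forcing `mode = 0777` whenever a umask is configured discards a stricter mode the client asked for (a client creating a 0700 directory ends up with 0777 & ~umask). Keep the client's `a->perm & 0777` and let umask() reduce it; never widen.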
@@ -977,6 +1053,8 @@ process_realpath(void)
s.name = s.long_name = resolvedname;
send_names(id, 1, &s);
}
+ if ( permit_logging == 1 )
+ logit("realpath %s", path);
xfree(path);
}
@@ -1059,6 +1137,8 @@ process_readlink(void)
s.name = s.long_name = buf;
send_names(id, 1, &s);
}
+ if ( permit_logging == 1 )
+ logit("readlink %s", path);
xfree(path);
}
@@ -1246,6 +1326,8 @@ sftp_server_main(int argc, char **argv,
{
fd_set *rset, *wset;
int in, out, max, ch, skipargs = 0, log_stderr = 0;
+ unsigned int val = 0;
+ char *umask_env;
ssize_t len, olen, set_size;
SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
char *cp, buf[4*4096];
@@ -1254,7 +1336,16 @@ sftp_server_main(int argc, char **argv,
extern char *__progname;
__progname = ssh_get_progname(argv[0]);
- log_init(__progname, log_level, log_facility, log_stderr);
+ /* sftplogging */
+
+ if ( (getenv("LOG_SFTP") != NULL) && (atoi(getenv("LOG_SFTP")) == 1) )
+ {
+ permit_logging = 1;
+ log_init("sftp-server", (getenv("SFTP_LOG_LEVEL") != NULL) ? atoi(getenv("SFTP_LOG_LEVEL")) : SYSLOG_LEVEL_DEBUG1,
+ (getenv("SFTP_LOG_FACILITY") != NULL) ? atoi(getenv("SFTP_LOG_FACILITY")) : SYSLOG_FACILITY_AUTH, 0);
+ };
+
+
while (!skipargs && (ch = getopt(argc, argv, "C:f:l:che")) != -1) {
switch (ch) {
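Review bot: the original unconditional `log_init(__progname, log_level, log_facility, log_stderr)` is removed and replaced by one that runs only when LOG_SFTP=1, and the next hunk removes the second log_init() too, so in the default LogSftp=no configuration sftp-server never calls log_init() at all. The upstream logit() calls that remain (such as `session opened for local user ...` in the following hunk) then go to log.c's pre-init default, which is stderr, that is the client's channel rather than syslog, and the `-l`/`-f` options on the `Subsystem` line are ignored. Restore the unconditional log_init() and only override level and facility when LOG_SFTP is set. Separately, SFTP_LOG_LEVEL and SFTP_LOG_FACILITY are fed through atoi() straight into log_init() with no range check against the enums.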
@@ -1284,7 +1375,6 @@ sftp_server_main(int argc, char **argv,
}
}
- log_init(__progname, log_level, log_facility, log_stderr);
if ((cp = getenv("SSH_CONNECTION")) != NULL) {
client_addr = xstrdup(cp);
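Review bot: with this log_init() removed, the log_level, log_facility and log_stderr values parsed from `-l`, `-f` and `-e` in the getopt loop just above are never applied; keep this call, it is the one that honours the command-line options.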
@@ -1302,6 +1392,41 @@ sftp_server_main(int argc, char **argv,
logit("session opened for local user %s from [%s]",
pw->pw_name, client_addr);
+ if ( permit_logging == 1 )
+ logit("Starting sftp-server logging for user %s.", getenv("USER"));
+
+ /* Umask control */
+
+ if ( (umask_env = getenv("SFTP_UMASK")) != NULL )
+ {
+ while (*umask_env && *umask_env >= '0' && *umask_env <= '9')
+ val = val * 8 + *umask_env++ - '0';
+
+ if (*umask_env || val > 0777 || val == 0) {
+ if ( permit_logging == 1 )
+ logit("bad value %o for SFTP_UMASK, turning umask control off.", val);
+ setumask = 0;
+ } else {
+ if ( permit_logging == 1 )
+ logit("umask control is on.");
+ setumask = val;
+ };
+ } else setumask = 0;
+
+
+ /* Sensitive client commands */
+
+ if ( (getenv("SFTP_PERMIT_CHMOD") != NULL) && (atoi(getenv("SFTP_PERMIT_CHMOD")) != 1) ) {
+ permit_chmod = 0;
+ if ( permit_logging == 1 )
+ logit("client is not permitted to chmod.");
+ };
+ if ( (getenv("SFTP_PERMIT_CHOWN") != NULL) && (atoi(getenv("SFTP_PERMIT_CHOWN")) != 1) ) {
+ permit_chown = 0;
+ if ( permit_logging == 1 )
+ logit("client is not permitted to chown.");
+ };
+
in = dup(STDIN_FILENO);
out = dup(STDOUT_FILENO);
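Review bot: the SFTP_UMASK parser here duplicates the one in servconf.c, including its acceptance of the digits 8 and 9 for an octal value; factor it into one helper. Treating `val == 0` as an error that turns umask control off makes `SftpUmask 0` indistinguishable from no umask and contradicts the sshd_config.5 text, which never says 0 is invalid. The `getenv("USER")` in the start-up message should be `pw->pw_name`, which is already in hand and cannot be changed by the user's environment. Finally, `atoi(...) != 1` on SFTP_PERMIT_CHMOD/SFTP_PERMIT_CHOWN means any value other than exactly "1", including the "-1" sshd exports for "not set", disables the operation; harmless with the sshd defaults but worth a comment.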
@@ -1352,6 +1477,8 @@ sftp_server_main(int argc, char **argv,
len = read(in, buf, sizeof buf);
if (len == 0) {
debug("read eof");
+ if ( permit_logging == 1 )
+ logit("sftp-server finished.");
sftp_server_cleanup_exit(0);
} else if (len < 0) {
error("read: %s", strerror(errno));
diff -Naurp openssh-4.9p1/sshd.c openssh-4.9p1.oden/sshd.c
--- openssh-4.9p1/sshd.c 2008-03-11 12:58:25.000000000 +0100
+++ openssh-4.9p1.oden/sshd.c 2008-04-01 13:18:51.000000000 +0200
@@ -421,7 +421,7 @@ sshd_exchange_identification(int sock_in
major = PROTOCOL_MAJOR_1;
minor = PROTOCOL_MINOR_1;
}
- snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);
+ snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_RELEASE);
server_version_string = xstrdup(buf);
/* Send our protocol version identification. */
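Review bot: switching the identification string from SSH_VERSION to SSH_RELEASE puts the portable suffix, and with this patch the vendor tag `p1+sftplogging-v1.5` from the version.h hunk, into the banner every client and scanner sees before authentication; upstream deliberately sends only `OpenSSH_4.9` here. That advertises the exact vendor patch level to anyone on the network and can confuse peers that select compatibility quirks from the banner string. Keep SSH_VERSION in the banner and leave the vendor tag to `ssh -V`.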
diff -Naurp openssh-4.9p1/sshd_config openssh-4.9p1.oden/sshd_config
--- openssh-4.9p1/sshd_config 2008-02-10 12:40:12.000000000 +0100
+++ openssh-4.9p1.oden/sshd_config 2008-04-01 13:18:51.000000000 +0200
@@ -110,6 +110,17 @@ Protocol 2
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
+# sftp-server logging
+#LogSftp no
+#SftpLogFacility AUTH
+#SftpLogLevel INFO
+
+# sftp-server umask control
+#SftpUmask
+
+#SftpPermitChmod yes
+#SftpPermitChown yes
+
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
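Review bot: the commented example `#SftpUmask` has no value, unlike every other line in this block, and uncommenting it as-is hits the NULL dereference in the servconf.c parser. Show the syntax with a value, for example `#SftpUmask 027`, and add a comment that the umask is applied as 0666/0777 & ~umask regardless of the mode the client requests, since that is what sftp-server.c does.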
diff -Naurp openssh-4.9p1/sshd_config.5 openssh-4.9p1.oden/sshd_config.5
--- openssh-4.9p1/sshd_config.5 2008-03-27 01:02:02.000000000 +0100
+++ openssh-4.9p1.oden/sshd_config.5 2008-04-01 13:18:51.000000000 +0200
@@ -530,6 +530,10 @@ The default is INFO.
DEBUG and DEBUG1 are equivalent.
DEBUG2 and DEBUG3 each specify higher levels of debugging output.
Logging with a DEBUG level violates the privacy of users and is not recommended.
+.It Cm LogSftp
+Specifies whether to perform logging of
+.Nm sftp-server
+subsystem transactions. Must be "yes" or "no." The default value is "no."
.It Cm MACs
Specifies the available MAC (message authentication code) algorithms.
The MAC algorithm is used in protocol version 2
@@ -773,6 +777,37 @@ This option applies to protocol version
.It Cm ServerKeyBits
Defines the number of bits in the ephemeral protocol version 1 server key.
The minimum value is 512, and the default is 768.
+.It Cm SftpLogFacility
+Gives the facility code that is used when logging
+.Nm sftp-server .
+transactions. The possible values are: DAEMON, USER, AUTH, LOCAL0,
+LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+The default is AUTH.
+.It Cm SftpLogLevel
+Gives the verbosity level that is used when logging messages from
+.Nm sftp-server .
+The possible values are:
+QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
+The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2
+and DEBUG3 each specify higher levels of debugging output.
+Logging with a DEBUG level violates the privacy of users
+and is not recommended.
+.It Cm SftpPermitChmod
+Specifies whether the sftp-server allows the sftp client to execute chmod
+commands on the server. The default is yes.
+.It Cm SftpPermitChown
+Specifies whether the sftp-server allows the sftp client to execute chown
+or chgrp commands on the server. Turning this value on means that the client
+is allowed to execute both chown and chgrp commands. Turning it off means that
+the client is prohibited from executing either chown or chgrp.
+ The default is yes.
+.It Cm SftpUmask
+Specifies an optional umask for
+.Nm sftp-server
+subsystem transactions. If a umask is given, this umask will override all system,
+environment or sftp client permission modes. If
+no umask or an invalid umask is given, file creation mode defaults to the permission
+mode specified by the sftp client. The default is for no umask.
.It Cm StrictModes
Specifies whether
.Xr sshd 8
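Review bot: the SftpUmask text says the umask "will override all system, environment or sftp client permission modes" but not that sftp-server.c then creates files as 0666 & ~umask and directories as 0777 & ~umask even when the client asked for something stricter; that is a surprising, permission-widening effect and must be documented (or, better, fixed in sftp-server.c). SftpPermitChmod and SftpPermitChown should state that the restriction reaches sftp-server through the session environment and is only effective for users who cannot run commands (ForceCommand/ChrootDirectory); a user with a shell can start sftp-server with the variable reset. Minor mdoc issues: the stray period in `.Nm sftp-server .` followed by "transactions", and the leading space on ` The default is yes.`.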
diff -Naurp openssh-4.9p1/version.h openssh-4.9p1.oden/version.h
--- openssh-4.9p1/version.h 2008-03-27 01:18:13.000000000 +0100
+++ openssh-4.9p1.oden/version.h 2008-04-01 13:18:51.000000000 +0200
@@ -2,5 +2,5 @@
#define SSH_VERSION "OpenSSH_4.9"
-#define SSH_PORTABLE "p1"
+#define SSH_PORTABLE "p1+sftplogging-v1.5"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
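Review bot: appending `+sftplogging-v1.5` to SSH_PORTABLE, combined with the sshd.c hunk that now sends SSH_RELEASE in the banner, exposes the vendor patch name on the wire; if the tag is wanted for `ssh -V`, keep it here but revert the banner change.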

@@ -0,0 +1,79 @@
diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contrib/gnome-ssh-askpass2.c
--- openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress 2008-07-23 19:05:26.000000000 +0200
+++ openssh-5.1p1/contrib/gnome-ssh-askpass2.c 2008-07-23 19:05:26.000000000 +0200
@@ -53,6 +53,7 @@
#include <string.h>
#include <unistd.h>
#include <X11/Xlib.h>
+#include <glib.h>
#include <gtk/gtk.h>
#include <gdk/gdkx.h>
@@ -83,13 +84,24 @@ ok_dialog(GtkWidget *entry, gpointer dia
gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
}
+static void
+move_progress(GtkWidget *entry, gpointer progress)
+{
+ gdouble step;
+ g_return_if_fail(GTK_IS_PROGRESS_BAR(progress));
+
+ step = g_random_double_range(0.03, 0.1);
+ gtk_progress_bar_set_pulse_step(GTK_PROGRESS_BAR(progress), step);
+ gtk_progress_bar_pulse(GTK_PROGRESS_BAR(progress));
+}
+
static int
passphrase_dialog(char *message)
{
const char *failed;
char *passphrase, *local;
int result, grab_tries, grab_server, grab_pointer;
- GtkWidget *dialog, *entry;
+ GtkWidget *dialog, *entry, *progress, *hbox;
GdkGrabStatus status;
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
@@ -102,13 +114,31 @@ passphrase_dialog(char *message)
"%s",
message);
+ hbox = gtk_hbox_new(FALSE, 0);
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
+ FALSE, 0);
+ gtk_widget_show(hbox);
+
entry = gtk_entry_new();
- gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE,
+ gtk_box_pack_start(GTK_BOX(hbox), entry, TRUE,
FALSE, 0);
+ gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
gtk_widget_grab_focus(entry);
gtk_widget_show(entry);
+ hbox = gtk_hbox_new(FALSE, 0);
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
+ FALSE, 8);
+ gtk_widget_show(hbox);
+
+ progress = gtk_progress_bar_new();
+
+ gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress), "Passphrase length hidden intentionally");
+ gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE,
+ TRUE, 5);
+ gtk_widget_show(progress);
+
gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
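Review bot: narrowing the entry to two characters (`gtk_entry_set_width_chars(..., 2)`) stops the masked characters from revealing the passphrase length, and the pulse bar with a random step in [0.03, 0.1) replaces that feedback; note the limit of the design: `move_progress` is connected to the `changed` signal, which fires once per keystroke, so an observer watching the screen during typing can still count pulses. The bar hides length from a glance after typing, not from live observation, and the label text could say so. The bar should also be pulsed at least once before the dialog is shown, otherwise an empty bar versus a moved bar still leaks whether anything has been typed.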
@@ -119,6 +149,8 @@ passphrase_dialog(char *message)
gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
g_signal_connect(G_OBJECT(entry), "activate",
G_CALLBACK(ok_dialog), dialog);
+ g_signal_connect(G_OBJECT(entry), "changed",
+ G_CALLBACK(move_progress), progress);
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);

openssh-5.2p1-hpn13v6.diff Normal file (3693 lines; diff not shown, too large)

openssh-5.8p2.tar.gz.asc Normal file (7 lines)
@@ -0,0 +1,7 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (OpenBSD)
iD8DBQBNwgQ7zo7LA4b/nEgRAoSQAJ4o4iy2x9GRjjz0ffeAHswyhIRhugCgtYDe
drVlYJmSot+PGjSRblBDdx0=
=MfCT
-----END PGP SIGNATURE-----
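Review bot: the armoured packet decodes to an old-format version 3 signature packet (signature type 0x00, binary document) made with public-key algorithm 17 (DSA) and hash algorithm 2 (SHA-1) by key ID 0xCE8ECB0386FF9C48, created at 0x4DC2043B (early May 2011). It is a detached signature over openssh-5.8p2.tar.gz, so it only adds assurance if the build actually runs `gpg --verify` against a pinned fingerprint of the expected release key; an `.asc` sitting among the package sources verifies nothing by itself. A DSA/SHA-1 signature is also weaker than current practice, which is one more reason to pin the key rather than accept any valid signature.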

File diff suppressed because it is too large

openssh-mdv_conf.diff Normal file (78 lines)
@@ -0,0 +1,78 @@
--- openssh-5.7p1/ssh_config.mdv 2010-01-12 06:40:27.000000000 -0200
+++ openssh-5.7p1/ssh_config 2011-01-29 15:40:38.000000000 -0200
@@ -45,3 +45,17 @@
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
+
+Host *
+ ForwardX11 yes
+ Protocol 2,1
+
+ # If this option is set to yes then remote X11 clients will have full access
+ # to the original X11 display. As virtually no X11 client supports the untrusted
+ # mode correctly we set this to yes.
+ ForwardX11Trusted yes
+
+ # Send locale-related environment variables
+ #SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+ #SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ #SendEnv LC_IDENTIFICATION LC_ALL
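Review bot: `Protocol 2,1` in the global `Host *` block lets the client fall back to SSH protocol 1 for any server that offers it, re-enabling a protocol with known integrity weaknesses through a plain downgrade; upstream's default is `Protocol 2`, and admins who need 1 can add it per host. `ForwardX11 yes` together with `ForwardX11Trusted yes` for every host also means any server the user connects to gets full, trusted access to the local X display (keystroke injection, screen capture); the comment justifies trusted mode, but enabling forwarding by default for all hosts is the larger exposure and should stay off.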
--- openssh-5.7p1/sshd_config.mdv 2010-09-09 22:20:12.000000000 -0300
+++ openssh-5.7p1/sshd_config 2011-01-29 15:41:11.000000000 -0200
@@ -3,7 +3,7 @@
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+# This sshd was compiled with PATH=_OPENSSH_PATH_
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
@@ -20,9 +20,10 @@
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
+HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
# Lifetime and size of ephemeral version 1 server key
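Review bot: this hunk uncomments the protocol-1 `HostKey /etc/ssh/ssh_host_key` next to the v2 keys. With `Protocol 2` in effect the key is unused, and if the file is absent sshd logs an error at every start; if it is present it is a standing invitation to re-enable v1. Leave the v1 HostKey commented out. The ECDSA host key line is still commented out although 5.7p1 supports it, so the server cannot offer ECDSA host authentication.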
@@ -37,7 +38,7 @@
# Authentication:
#LoginGraceTime 2m
-#PermitRootLogin yes
+PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
@@ -84,17 +85,22 @@
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
+
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
-#X11Forwarding no
+X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
-#UsePrivilegeSeparation yes
+UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
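Review bot: `X11Forwarding yes` is switched on server-wide while `#X11UseLocalhost yes` is left at its default, which is the right pairing (the X proxy stays bound to loopback), so keep that line untouched if this is revisited. The `AcceptEnv` lines for `LANG`/`LC_*` only take effect when the client sends those variables, and the matching `SendEnv` lines in the ssh_config half of this patch are commented out, so locale propagation will not work out of the box; either uncomment `SendEnv` there or document that it is opt-in.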

openssh-xinetd Normal file

@ -0,0 +1,16 @@
# default: off
# description: sshd server, xinetd version. \
# Don't run the standalone version if you run \
# this.
service ssh
{
disable = yes
socket_type = stream
wait = no
user = root
server = /usr/sbin/sshd
server_args = -i
log_on_success += DURATION USERID
log_on_failure += USERID
nice = 10
}
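Review bot: `disable = yes` with `server_args = -i` is fine as a disabled-by-default alternative, but nothing here bounds connection rate or concurrency once someone enables it: every TCP connect spawns a full `sshd -i` (including host key loading) before any authentication happens. xinetd's `instances`, `per_source` and `cps` attributes exist for exactly this; suggest adding conservative values, and a comment that the standalone `sshd.init` service must be stopped first, as the description already hints.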

openssh.spec Normal file

File diff suppressed because it is too large

openssh5.1-peaktput.diff Normal file

@ -0,0 +1,72 @@
--- ../openssh-5.1p1/progressmeter.c 2006-08-04 22:39:40.000000000 -0400
+++ ./progressmeter.c 2008-07-29 14:33:13.000000000 -0400
@@ -68,6 +68,8 @@
static char *file; /* name of the file being transferred */
static off_t end_pos; /* ending position of transfer */
static off_t cur_pos; /* transfer position as of last refresh */
+static off_t last_pos;
+static off_t max_delta_pos = 0;
static volatile off_t *counter; /* progress counter */
static long stalled; /* how long we have been stalled */
static int bytes_per_second; /* current speed in bytes per second */
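Review bot: `last_pos` and `max_delta_pos` are file-scope statics that this patch only writes inside the refresh path (`last_pos = cur_pos` at the end, `max_delta_pos` when a larger delta is seen) and never resets alongside `cur_pos`/`end_pos` when a new transfer begins; if the meter is reused for a second file in the same session, the first `delta_pos` is computed against the previous file's final position (and can go negative) and the previous peak carries over. Reset both wherever `cur_pos` is initialised for a new transfer.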
@@ -128,12 +130,17 @@
int hours, minutes, seconds;
int i, len;
int file_len;
+ off_t delta_pos;
transferred = *counter - cur_pos;
cur_pos = *counter;
now = time(NULL);
bytes_left = end_pos - cur_pos;
+ delta_pos = cur_pos - last_pos;
+ if (delta_pos > max_delta_pos)
+ max_delta_pos = delta_pos;
+
if (bytes_left > 0)
elapsed = now - last_update;
else {
@@ -158,7 +165,7 @@
/* filename */
buf[0] = '\0';
- file_len = win_size - 35;
+ file_len = win_size - 45;
if (file_len > 0) {
len = snprintf(buf, file_len + 1, "\r%s", file);
if (len < 0)
@@ -175,7 +182,8 @@
percent = ((float)cur_pos / end_pos) * 100;
else
percent = 100;
- snprintf(buf + strlen(buf), win_size - strlen(buf),
+
+ snprintf(buf + strlen(buf), win_size - strlen(buf-8),
" %3d%% ", percent);
/* amount transferred */
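Review bot: `win_size - strlen(buf-8)` is wrong: `buf-8` points eight bytes before the start of the buffer, so `strlen` scans memory outside `buf` (undefined behaviour) rather than shortening the available space. The intent is evidently to reserve room for the extra rate column added below, i.e. `win_size - strlen(buf) - 8`; since the remaining length is a `size_t`, also guard against `strlen(buf) + 8 > win_size` so the subtraction cannot wrap.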
@@ -188,6 +196,15 @@
(off_t)bytes_per_second);
strlcat(buf, "/s ", win_size);
+ /* instantaneous rate */
+ if (bytes_left > 0)
+ format_rate(buf + strlen(buf), win_size - strlen(buf),
+ delta_pos);
+ else
+ format_rate(buf + strlen(buf), win_size - strlen(buf),
+ max_delta_pos);
+ strlcat(buf, "/s ", win_size);
+
/* ETA */
if (!transferred)
stalled += elapsed;
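Review bot: `delta_pos` is the byte count since the previous refresh, but it is printed through `format_rate` with a `/s` suffix without ever being divided by the time between refreshes, even though this function already computes `elapsed = now - last_update`. The label is only honest if refreshes are exactly one second apart; divide by `elapsed` (guarding `elapsed > 0`) before formatting, and do the same for `max_delta_pos` so the final "peak" value is a real rate.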
@@ -224,6 +241,7 @@
atomicio(vwrite, STDOUT_FILENO, buf, win_size - 1);
last_update = now;
+ last_pos = cur_pos;
}
/*ARGSUSED*/


@ -0,0 +1,19 @@
---
sshd.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)
Index: openssh-5.2p1/sshd.c
===================================================================
--- openssh-5.2p1.orig/sshd.c 2009-01-28 00:31:23.000000000 -0500
+++ openssh-5.2p1/sshd.c 2009-05-28 13:00:03.000000000 -0400
@@ -122,8 +122,8 @@
#ifdef LIBWRAP
#include <tcpd.h>
#include <syslog.h>
-int allow_severity;
-int deny_severity;
+extern int allow_severity;
+extern int deny_severity;
#endif /* LIBWRAP */
#ifndef O_NOCTTY
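Review bot: switching `allow_severity`/`deny_severity` to `extern` removes sshd's own definitions and relies on the libwrap it is linked against to provide them; `tcpd.h` traditionally expects the application to define these two, so against a libwrap that does not export them the link fails with undefined references. If the distro's libwrap defines them (presumably the reason for this patch, to avoid duplicate symbols), say so in a comment next to the `#ifdef LIBWRAP` block so the patch is not carried to a build where it breaks linking.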

ssh-avahi-integration Normal file

@ -0,0 +1,40 @@
<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<!-- $Id: ssh.service 995 2005-11-17 15:26:53Z lennart $ -->
<!--
This file is part of avahi.
avahi is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as
published by the Free Software Foundation; either version 2 of the
License, or (at your option) any later version.
avahi is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with avahi; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
02111-1307 USA.
-->
<!-- See avahi.service(5) for more information about this configuration file -->
<service-group>
<name replace-wildcards="yes">Remote Access on %h</name>
<service>
<type>_ssh._tcp</type>
<port>22</port>
</service>
<service>
<type>_sftp-ssh._tcp</type>
<port>22</port>
</service>
</service-group>
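Review bot: this advertises `_ssh._tcp` and `_sftp-ssh._tcp` on port 22 to every host on the local link via mDNS, with the port hard-coded rather than derived from sshd_config, so it keeps announcing 22 after an admin changes `Port` and keeps announcing while sshd is stopped. Consider installing it disabled (or as a documented optional file) and add a comment that the two `<port>` values must be kept in sync with sshd_config.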

ssh-copy-id Normal file

@ -0,0 +1,50 @@
#!/bin/sh
# Shell script to install your identity.pub on a remote machine
# Takes the remote machine name as an argument.
# Obviously, the remote machine must accept password authentication,
# or one of the other keys in your ssh-agent, for this to work.
ID_FILE="${HOME}/.ssh/identity.pub"
if [ "-i" = "$1" ]; then
shift
# check if we have 2 parameters left, if so the first is the new ID file
if [ -n "$2" ]; then
if expr "$1" : ".*\.pub" ; then
ID_FILE="$1"
else
ID_FILE="$1.pub"
fi
shift # and this should leave $1 as the target name
fi
else
if [ x$SSH_AUTH_SOCK != x ] ; then
GET_ID="$GET_ID ssh-add -L"
fi
fi
if [ $# != 1 ]; then
echo "usage: ssh-copy-id [-i identity_file] [user@]hostname"
exit 1
fi
if [ -z "`eval $GET_ID`" -a -r "${ID_FILE}" ] ; then
GET_ID="cat ${ID_FILE}"
fi
if [ -z "`eval $GET_ID`" ]; then
echo "$0: ERROR: No identities found"
exit 1
fi
{ eval "$GET_ID" ; } | ssh $1 "test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys ; chmod g-w . .ssh .ssh/authorized_keys"
cat <<EOF
Now try logging into the machine, with "ssh '$1'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
EOF
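Review bot: the remote command does `mkdir .ssh` under the login umask and then only `chmod g-w`, so a freshly created `~/.ssh` and `authorized_keys` can end up world-readable; use `mkdir -m 700 .ssh` and `chmod 700 .ssh; chmod 600 .ssh/authorized_keys` (sshd's `StrictModes` only rejects group/world-writable files, so the current script works but leaves looser permissions than necessary). Smaller points: `expr "$1" : ".*\.pub"` prints its match count to stdout, so redirect it to `/dev/null`; with no `-i` and no agent the only fallback is the SSH1 `identity.pub`, so a user who has just `id_rsa.pub` gets `No identities found`; and `$1` should be quoted in the `ssh` call.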

ssh_ldap_key.pl Normal file

@ -0,0 +1,29 @@
#!/usr/bin/perl
use MIME::Base64;
$file=$ARGV;
$DEFAULT_BASE = "dc=padl,dc=com";
if (defined($ENV{'LDAP_BASEDN'})) {
$DEFAULT_BASE = $ENV{'LDAP_BASEDN'};
}
open(FH,"authorized_keys") or die "Can't open $_: $!\n";
#open(FH,$file) or die "Can't open $file: $!\n";
@list = <FH>;
close FH;
chomp @list;
foreach (@list) {
~ /(.+)\s(\w+)\@(.+$)/;
$warez=$1;
$uid=$2;
$warez64 = encode_base64("$warez");
$warez64 =~ s/\n//g;
print "dn: uid=$uid,ou=People,$DEFAULT_BASE\n";
print "changetype: modify\n";
print "add: objectClass\n";
print "objectClass: strongAuthenticationUser\n";
print "userCertificate;binary:: $warez64\n\n";
}
exit;
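Review bot: `$file=$ARGV;` does not read the command-line argument (`$ARGV` is the name of the file currently open via `<>`; the argument is `$ARGV[0]`), and the `open` that would use it is commented out in favour of a hard-coded `authorized_keys` whose error message interpolates `$_`, so any filename given is silently ignored. More importantly, `~ /(.+)\s(\w+)\@(.+$)/;` is a bitwise-not applied to a match against `$_` (it works by accident; write `/.../` or `$_ =~`), and when a line has no `user@host` comment, or a uid containing `.` or `-` which `\w+` rejects, the match fails and `$1`/`$2` keep the previous line's values, so that key is emitted again under the previous uid. Check the match result and skip or warn on non-matching lines, and run under `use strict; use warnings`; note also that `userCertificate;binary` is defined for X.509 certificates, so whatever consumes this LDIF must know it is holding base64 of the raw authorized_keys text instead.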

sshd.init Normal file

@ -0,0 +1,182 @@
#!/bin/bash
#
# Init file for OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: OpenSSH server daemon
#
# processname: sshd
# config: /etc/ssh/ssh_host_key
# config: /etc/ssh/ssh_host_key.pub
# config: /etc/ssh/ssh_random_seed
# config: /etc/ssh/sshd_config
# pidfile: /var/run/sshd.pid
#
### BEGIN INIT INFO
# Provides: sshd
# Required-Start: $network
# Should-Start: $remote_fs
# Required-Stop: $network
# Should-Stop: $remote_fs
# Default-Start: 2 3 4 5
# Short-Description: OpenSSH server daemon
# Description: OpenSSH server daemon
### END INIT INFO
# source function library
. /etc/rc.d/init.d/functions
RETVAL=0
prog="sshd"
# Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
PID_FILE=/var/run/sshd.pid
# pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
do_rsa1_keygen() {
if [ ! -s $RSA1_KEY ]; then
echo -n $"Generating SSH1 RSA host key: "
if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >/dev/null 2>&1; then
chmod 600 $RSA1_KEY
chmod 644 $RSA1_KEY.pub
success $"RSA1 key generation"
echo
else
failure $"RSA1 key generation"
echo
exit 1
fi
fi
}
do_rsa_keygen() {
if [ ! -s $RSA_KEY ]; then
echo -n $"Generating SSH2 RSA host key: "
if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >/dev/null 2>&1; then
chmod 600 $RSA_KEY
chmod 644 $RSA_KEY.pub
success $"RSA key generation"
echo
else
failure $"RSA key generation"
echo
exit 1
fi
fi
}
do_dsa_keygen() {
if [ ! -s $DSA_KEY ]; then
echo -n $"Generating SSH2 DSA host key: "
if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >/dev/null 2>&1; then
chmod 600 $DSA_KEY
chmod 644 $DSA_KEY.pub
success $"DSA key generation"
echo
else
failure $"DSA key generation"
echo
exit 1
fi
fi
}
do_restart_sanity_check()
{
$SSHD -t
RETVAL=$?
if [ ! "$RETVAL" = 0 ]; then
failure $"Configuration file or keys are invalid"
echo
fi
}
start()
{
# Create keys if necessary
do_rsa1_keygen
do_rsa_keygen
do_dsa_keygen
echo -n $"Starting $prog:"
$SSHD $OPTIONS && success "startup" || failure "startup"
RETVAL=$?
[ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd
echo
}
stop()
{
echo -n $"Stopping $prog:"
if [ -r /var/run/sshd.pid ]; then
kill -s TERM `cat /var/run/sshd.pid`
RETVAL=$?
if [ "$runlevel" = 0 -o "$runlevel" = 6 ]; then
# stopping the system, kill active sshd clients
killproc -p "" sshd
fi
[ "$RETVAL" = 0 ] && success "stop" || failure "stop"
else
success "already stopped"
RETVAL=0
fi
[ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd
echo
}
reload()
{
echo -n $"Reloading $prog:"
if [ -r /var/run/sshd.pid ]; then
kill -s HUP `cat /var/run/sshd.pid`
RETVAL=$?
[ "$RETVAL" = 0 ] && success "config reload" || failure "config reload"
else
failure "not running so config reload"
RETVAL=1
fi
echo
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
sleep 1
start
;;
reload)
reload
;;
condrestart)
if [ -f /var/lock/subsys/sshd ] ; then
do_restart_sanity_check
if [ "$RETVAL" = 0 ] ; then
stop
# avoid race
sleep 3
start
fi
fi
;;
status)
status $SSHD
RETVAL=$?
;;
*)
echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
RETVAL=1
esac
exit $RETVAL
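Review bot: the `restart` branch does `stop; sleep 1; start` without calling `do_restart_sanity_check` first (only `condrestart` does), so `service sshd restart` with a broken sshd_config or host key takes the running daemon down and then fails to bring it back, which over ssh means losing the only way in; run `$SSHD -t` before `stop` in `restart` as well. Also, `PID_FILE` is defined but `stop` and `reload` hard-code `/var/run/sshd.pid` and feed `cat` output straight to `kill`, so an empty or stale pidfile produces a bare `kill` usage error; use `killproc -p $PID_FILE` (or check the pid with `kill -0`) instead. Finally, `do_rsa1_keygen` creates an SSH1 host key on every boot where it is missing, which is only needed if sshd is meant to offer protocol 1.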

sshd.pam Normal file

@ -0,0 +1,7 @@
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth
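Review bot: `pam_listfile.so ... file=/etc/ssh/denyusers` is given without `onerr=`, and pam_listfile defaults to `onerr=fail`, so if the package does not install `/etc/ssh/denyusers` (or an admin removes it) every PAM authentication through sshd fails. That is the safe direction, but it needs a comment here and the file must be shipped by the package. Likewise, `required` rather than `requisite` means a listed user still gets the `system-auth` password prompt before being rejected; that is deliberate for not revealing why, but worth a one-line comment so nobody "fixes" it.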

sshd.pam-0.77 Normal file

@ -0,0 +1,7 @@
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
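Review bot: this variant puts `pam_nologin.so` in the `auth` stack, while `sshd.pam` above puts it in `account`. With `UsePAM yes` sshd runs the account stack for every authentication method but the auth stack only for password and keyboard-interactive, so with this file a public-key login is not blocked by `/etc/nologin` through PAM, whereas with the other file it is. Unless the difference is intentional for old PAM, move it to `account` here too so behaviour is the same regardless of which file gets installed.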