Call for testers.

Pekka Savola pekkas at netcore.fi
Sat Sep 15 20:12:57 EST 2001


On Fri, 14 Sep 2001 mouring at etoh.eviladmin.org wrote:
> http://bass.directhit.com/openssh_snap/
> Starting tonight I plan on tracking changes very closely with the OpenBSD
> tree.  I need people to test the latest snapshot (9/14 as of right now)
> and report success or failure on compiling.
>
> I am starting this now because we are looking at a code freeze soon and I
> really want to ensure it compiles and runs on all existing platforms.  So
> we (the portable group) are not rushing to get a release out of the door.

Compiled & ran fine on RHL62 and RHL72beta.

A couple of issues (mostly just fine-tuning :-)..

1) it would be nice if the init scripts took advantage of the new sshd -t
feature.  Patch attached.  The failure will look like:

# ./sshd restart
/etc/ssh/sshd_config: line 11: Bad configuration option: Unf
/etc/ssh/sshd_config: terminating, 1 bad configuration options
                                                           [FAILED]

and the syslog output will be:

Sep 15 12:46:48 haukka sshd: Configuration file or keys failed

(note that keys almost never should fail as they are autogenerated if
missing or support disabled..)

2) Merging the latest Red Hat openssh spec file and the current one a bit.
XXX: ssh-keyscan is in both openssh and openssh-clients; I removed it from
openssh, your mileage may vary.  If there is a will, I could try to merge
these further.

3) Taking package descriptions from latest Red Hat spec; IMO these are a
bit better, -askpass, -gnome-askpass etc. are too "noisy" at least; as
they require OpenSSH, one should not need to explain openssh in those.
(separate patch from above for clarity; this might also be a bit more
controversial..)

4) A patch from Red Hat that makes sshd.c do setgroups so that under some
circumstances supplemental groups are removed (the cookie attack).  May or
may not be useful.

I fixed a warning in this one, in the ambiguous if - if - else structure.

5) It might be time to remove --with-ipv4-default, at least for redhat7,
but this is a policy decision..

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
-------------- next part --------------
Index: sshd.init
===================================================================
RCS file: /cvs/openssh_cvs/contrib/redhat/sshd.init,v
retrieving revision 1.8
diff -u -r1.8 sshd.init
--- sshd.init	2001/04/27 00:46:18	1.8
+++ sshd.init	2001/09/15 09:55:09
@@ -96,6 +96,16 @@
 		fi
 	fi
 }
+do_restart_sanity_check() {
+	$SSHD -t
+	RETVAL=$?
+	if [ ! "$RETVAL" = 0 ]; then
+		my_failure "Configuration file or keys"
+		echo
+		exit $RETVAL
+	fi
+}
+
 
 case "$1" in
 	start)
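Review bot: `do_restart_sanity_check` runs `$SSHD -t` with the daemon's default configuration path, so if the `start` branch launches sshd with extra options (a different `-f` config file, for instance) the check validates a file the daemon never reads; pass the same options to `-t` that the real start uses. Two smaller points: `[ ! "$RETVAL" = 0 ]` works, but `[ "$RETVAL" -ne 0 ]` is the idiomatic numeric test, and because `my_failure` prints only "Configuration file or keys", appending `$RETVAL` to the message (or relying on sshd's own stderr lines, as the example output in the mail does) tells the admin which of the two actually failed. Exiting before `$0 stop` is the right order: a running daemon is never killed on behalf of a configuration it cannot load.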
@@ -127,12 +137,14 @@
 		echo
 		;;
 	restart)
+		do_restart_sanity_check
 		$0 stop
 		$0 start
 		RETVAL=$?
 		;;
 	condrestart)
 		if [ -f /var/lock/subsys/sshd ] ; then
+			do_restart_sanity_check
 			$0 stop
 			$0 start
 			RETVAL=$?
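Review bot: in the `restart` branch the check now runs before `$0 stop`, which quietly assumes the host keys already exist: `sshd -t` loads the keys, so if key generation lives in the `start` branch (the mail says keys are autogenerated when missing), a `restart` on a host where sshd is not yet running and no keys exist fails the sanity check where a plain `start` would have succeeded. `condrestart` is safe because the lock file implies a previous successful start. Either run the key-generation step before `do_restart_sanity_check` in `restart`, or document that `restart` assumes an already-initialised installation.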
-------------- next part --------------
Index: openssh.spec
===================================================================
RCS file: /cvs/openssh_cvs/contrib/redhat/openssh.spec,v
retrieving revision 1.73
diff -u -r1.73 openssh.spec
--- openssh.spec	2001/07/25 00:11:15	1.73
+++ openssh.spec	2001/09/15 09:32:33
@@ -36,18 +36,21 @@
 Version: %{oversion}
 Release: 1
 Packager: Damien Miller <djm at mindrot.org>
-URL: http://www.openssh.com/
+URL: http://www.openssh.com/portable.html
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{oversion}.tar.gz
 %if ! %{no_x11_askpass}
-Source1: http://www.jmknoble.cx/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz 
+Source1: http://www.pobox.com/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
 %endif
-Copyright: BSD
+License: BSD
 Group: Applications/Internet
 BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
 Obsoletes: ssh
 BuildPreReq: perl, openssl-devel, tcp_wrappers
 BuildPreReq: /bin/login, /usr/include/security/pam_appl.h
 BuildPreReq: rpm >= 3.0.5
+%if ! %{no_x11_askpass}
+BuildPreReq: XFree86-devel
+%endif
 %if ! %{no_gnome_askpass}
 BuildPreReq: gnome-libs-devel
 %endif
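Review bot: the `Source1:` change moves the x11-ssh-askpass tarball to a different host; a source-URL change in a spec is a supply-chain change and should come with confirmation that the tarball fetched from www.pobox.com is byte-identical to the one from jmknoble.cx (compare checksums or the author's signature) before it is merged. The `Copyright:` to `License:` rename is the modern tag name, but the spec still declares `BuildPreReq: rpm >= 3.0.5`; confirm that the oldest rpm the spec claims to support accepts `License:`, otherwise the build breaks on exactly the older hosts this testing call targets. The new `BuildPreReq: XFree86-devel` is correctly guarded by `%if ! %{no_x11_askpass}`.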
@@ -242,13 +245,10 @@
 
 %files
 %defattr(-,root,root)
-%doc ChangeLog OVERVIEW README* INSTALL 
-%doc CREDITS LICENCE
+%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* RFC* TODO WARNING*
 %attr(0755,root,root) %{_bindir}/ssh-keygen
 %attr(0755,root,root) %{_bindir}/scp
-%attr(0755,root,root) %{_bindir}/ssh-keyscan
 %attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
-%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
 %attr(0644,root,root) %{_mandir}/man1/scp.1*
 %attr(0755,root,root) %dir %{_sysconfdir}
 %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/moduli
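Review bot: dropping `%{_bindir}/ssh-keyscan` and its man page from the base `%files` fixes the duplicate ownership the mail mentions, but this hunk does not show the `%files clients` section; confirm it still lists both the binary and `%{_mandir}/man1/ssh-keyscan.1*`, otherwise ssh-keyscan is built and installed into the buildroot but shipped by no subpackage. The expanded `%doc` line (`RFC* TODO WARNING*`) should also be checked against the tarball's top level, since a `%doc` entry that matches no file fails the build.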
-------------- next part --------------
--- openssh.spec.1	Sat Sep 15 12:27:22 2001
+++ openssh.spec	Sat Sep 15 12:34:02 2001
@@ -31,7 +31,7 @@
 
 %define exact_openssl_version   %(rpm -q openssl | cut -d - -f 2)
 
-Summary: OpenSSH free Secure Shell (SSH) implementation
+Summary: The OpenSSH implementation of SSH.
 Name: openssh
 Version: %{oversion}
 Release: 1
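Review bot: the new `Summary:` text ends with a period (`The OpenSSH implementation of SSH.`) where the old one did not; rpm summaries are conventionally written without a trailing period, and the same applies to the other `Summary:` changes in this patch. It also drops the expansion `Secure Shell (SSH)` that the old summary carried, which is the string people search package lists for.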
@@ -62,13 +62,13 @@
 Requires: rpm >= 3.0.5
 
 %package clients
-Summary: OpenSSH Secure Shell protocol clients
+Summary: OpenSSH clients.
 Requires: openssh = %{version}-%{release}
 Group: Applications/Internet
 Obsoletes: ssh-clients
 
 %package server
-Summary: OpenSSH Secure Shell protocol server (sshd)
+Summary: The OpenSSH server daemon.
 Group: System Environment/Daemons
 Obsoletes: ssh-server
 PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9
@@ -77,87 +77,55 @@
 %endif
 
 %package askpass
-Summary: OpenSSH X11 passphrase dialog
+Summary: A passphrase dialog for OpenSSH and X.
 Group: Applications/Internet
 Requires: openssh = %{version}-%{release}
 Obsoletes: ssh-extras
 
 %package askpass-gnome
-Summary: OpenSSH GNOME passphrase dialog
+Summary: A passphrase dialog for OpenSSH, X, and GNOME.
 Group: Applications/Internet
 Requires: openssh = %{version}-%{release}
 Obsoletes: ssh-extras
 
 %description
-Ssh (Secure Shell) a program for logging into a remote machine and for
-executing commands in a remote machine.  It is intended to replace
-rlogin and rsh, and provide secure encrypted communications between
-two untrusted hosts over an insecure network.  X11 connections and
+SSH (Secure SHell) is a program for logging into and executing
+commands on a remote machine. SSH is intended to replace rlogin and
+rsh, and to provide secure encrypted communications between two
+untrusted hosts over an insecure network. X11 connections and
 arbitrary TCP/IP ports can also be forwarded over the secure channel.
 
-OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
-up to date in terms of security and features, as well as removing all 
-patented algorithms to separate libraries (OpenSSL).
+OpenSSH is OpenBSD's version of the last free version of SSH, bringing
+it up to date in terms of security and features, as well as removing
+all patented algorithms to separate libraries.
 
 This package includes the core files necessary for both the OpenSSH
-client and server.  To make this package useful, you should also
+client and server. To make this package useful, you should also
 install openssh-clients, openssh-server, or both.
 
 %description clients
-Ssh (Secure Shell) a program for logging into a remote machine and for
-executing commands in a remote machine.  It is intended to replace
-rlogin and rsh, and provide secure encrypted communications between
-two untrusted hosts over an insecure network.  X11 connections and
-arbitrary TCP/IP ports can also be forwarded over the secure channel.
-
-OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
-up to date in terms of security and features, as well as removing all 
-patented algorithms to separate libraries (OpenSSL).
-
-This package includes the clients necessary to make encrypted connections
-to SSH servers.
+OpenSSH is a free version of SSH (Secure SHell), a program for logging
+into and executing commands on a remote machine. This package includes
+the clients necessary to make encrypted connections to SSH servers.
+You'll also need to install the openssh package on OpenSSH clients.
 
 %description server
-Ssh (Secure Shell) a program for logging into a remote machine and for
-executing commands in a remote machine.  It is intended to replace
-rlogin and rsh, and provide secure encrypted communications between
-two untrusted hosts over an insecure network.  X11 connections and
-arbitrary TCP/IP ports can also be forwarded over the secure channel.
-
-OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
-up to date in terms of security and features, as well as removing all 
-patented algorithms to separate libraries (OpenSSL).
-
-This package contains the secure shell daemon. The sshd is the server 
-part of the secure shell protocol and allows ssh clients to connect to 
-your host.
+OpenSSH is a free version of SSH (Secure SHell), a program for logging
+into and executing commands on a remote machine. This package contains
+the secure shell daemon (sshd). The sshd daemon allows SSH clients to
+securely connect to your SSH server. You also need to have the openssh
+package installed.
 
 %description askpass
-Ssh (Secure Shell) a program for logging into a remote machine and for
-executing commands in a remote machine.  It is intended to replace
-rlogin and rsh, and provide secure encrypted communications between
-two untrusted hosts over an insecure network.  X11 connections and
-arbitrary TCP/IP ports can also be forwarded over the secure channel.
-
-OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
-up to date in terms of security and features, as well as removing all 
-patented algorithms to separate libraries (OpenSSL).
-
-This package contains Jim Knoble's <jmknoble at jmknoble.cx> X11 passphrase 
-dialog.
+OpenSSH is a free version of SSH (Secure SHell), a program for logging
+into and executing commands on a remote machine. This package contains
+an X11 passphrase dialog for OpenSSH.
 
 %description askpass-gnome
-Ssh (Secure Shell) a program for logging into a remote machine and for
-executing commands in a remote machine.  It is intended to replace
-rlogin and rsh, and provide secure encrypted communications between
-two untrusted hosts over an insecure network.  X11 connections and
-arbitrary TCP/IP ports can also be forwarded over the secure channel.
-
-OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
-up to date in terms of security and features, as well as removing all 
-patented algorithms to separate libraries (OpenSSL).
-
-This package contains the GNOME passphrase dialog.
+OpenSSH is a free version of SSH (Secure SHell), a program for logging
+into and executing commands on a remote machine. This package contains
+an X11 passphrase dialog for OpenSSH and the GNOME GUI desktop
+environment.
 
 %prep
 
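Review bot: in `%description clients` the last sentence, `You'll also need to install the openssh package on OpenSSH clients.`, reads as if it were about client hosts; it means the `openssh` base package is required to use the clients, which `Requires: openssh = %{version}-%{release}` already enforces, so either reword it (`The openssh package must also be installed.`) or drop it. In the main `%description`, `OpenBSD's version of the last free version of SSH` repeats `version`; the removed wording `rework` was clearer, and dropping the `(OpenSSL)` parenthetical loses the only hint of where the patented algorithms went. The `%description askpass` rewrite also removes Jim Knoble's credit for x11-ssh-askpass even though `Source1:` still fetches his tarball; keep the attribution.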
-------------- next part --------------
Fix one piece of zen-parse at gmx.net's advisory on cookie files.

Index: sshd.c
===================================================================
RCS file: /cvs/openssh_cvs/sshd.c,v
retrieving revision 1.161
diff -u -r1.161 sshd.c
--- sshd.c	2001/09/12 16:58:05	1.161
+++ sshd.c	2001/09/15 10:09:57
@@ -776,6 +776,17 @@
 #ifdef HAVE_SCO_PROTECTED_PW
 	(void) set_auth_parameters(ac, av);
 #endif
+	/* Clear out any supplemental groups we may have inherited.  This
+	 * prevents inadvertent creation of files with bad modes (in the
+	 * portable version at least, it's certainly possible for a pluggable
+	 * authentication module to create a file, and we can't control the
+	 * code in eery module which might be used). */
+	if (setgroups(0, NULL) < 0) {
+		if (debug_flag)
+			error("setgroups() failed: %.200s", strerror(errno));
+		else
+			fatal("setgroups() failed: %.200s", strerror(errno));
+	}
 
 	/* Initialize the log (it is reinitialized below in case we forked). */
 	if (debug_flag && !inetd_flag)
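Review bot: the `else fatal(...)` branch turns any `setgroups()` failure into a fatal error whenever sshd is not running with `-d`. `setgroups()` needs root privilege, so a non-root sshd (the usual way to test a build on a high port) will now die at startup with `EPERM` instead of starting; consider attempting the call only when `geteuid() == 0`, or logging the failure with `error()` in both modes, since an unprivileged process cannot drop its supplemental groups anyway. `setgroups()` is declared in `<grp.h>` (and `errno` in `<errno.h>`); make sure sshd.c includes both on every portable target. Minor: `eery` in the comment should be `every`.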

