diff options
author | Patrick J Volkerding <volkerdi@slackware.com> | 2016-06-30 20:26:57 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2018-05-31 23:31:18 +0200 |
commit | d31c50870d0bee042ce660e445c9294a59a3a65b (patch) | |
tree | 6bfc0de3c95267b401b620c2c67859557dc60f97 /source/n/openssh | |
parent | 76fc4757ac91ac7947a01fb7b53dddf9a78a01d1 (diff) | |
download | current-d31c50870d0bee042ce660e445c9294a59a3a65b.tar.gz |
Slackware 14.2slackware-14.2
Thu Jun 30 20:26:57 UTC 2016
Slackware 14.2 x86_64 stable is released!
The long development cycle (the Linux community has lately been living in
"interesting times", as they say) is finally behind us, and we're proud to
announce the release of Slackware 14.2. The new release brings many updates
and modern tools, has switched from udev to eudev (no systemd), and adds
well over a hundred new packages to the system. Thanks to the team, the
upstream developers, the dedicated Slackware community, and everyone else
who pitched in to help make this release a reality.
The ISOs are off to be replicated, a 6 CD-ROM 32-bit set and a dual-sided
32-bit/64-bit x86/x86_64 DVD. Please consider supporting the Slackware
project by picking up a copy from store.slackware.com. We're taking
pre-orders now, and offer a discount if you sign up for a subscription.
Have fun! :-)
Diffstat (limited to 'source/n/openssh')
-rw-r--r-- | source/n/openssh/doinst.sh | 16 | ||||
-rw-r--r-- | source/n/openssh/openssh-7.2p1-libwrap.diff | 156 | ||||
-rwxr-xr-x | source/n/openssh/openssh.SlackBuild | 10 | ||||
-rw-r--r-- | source/n/openssh/rc.sshd | 9 |
4 files changed, 184 insertions, 7 deletions
diff --git a/source/n/openssh/doinst.sh b/source/n/openssh/doinst.sh index d696245d..73ce6283 100644 --- a/source/n/openssh/doinst.sh +++ b/source/n/openssh/doinst.sh @@ -9,10 +9,24 @@ config() { fi # Otherwise, we leave the .new copy for the admin to consider... } +preserve_perms() { + NEW="$1" + OLD="$(dirname ${NEW})/$(basename ${NEW} .new)" + if [ -e ${OLD} ]; then + cp -a ${OLD} ${NEW}.incoming + cat ${NEW} > ${NEW}.incoming + touch -r ${NEW} ${NEW}.incoming + mv ${NEW}.incoming ${NEW} + fi + config ${NEW} +} config etc/ssh/ssh_config.new config etc/ssh/sshd_config.new -config etc/rc.d/rc.sshd.new +preserve_perms etc/rc.d/rc.sshd.new +if [ -e etc/rc.d/rc.sshd.new ]; then + mv etc/rc.d/rc.sshd.new etc/rc.d/rc.sshd +fi # If the sshd user/group/shadow don't exist, add them: diff --git a/source/n/openssh/openssh-7.2p1-libwrap.diff b/source/n/openssh/openssh-7.2p1-libwrap.diff new file mode 100644 index 00000000..546e63ce --- /dev/null +++ b/source/n/openssh/openssh-7.2p1-libwrap.diff @@ -0,0 +1,156 @@ +From 8c59bae0e4bdc0e3456d1802b391370bdf9975f3 Mon Sep 17 00:00:00 2001 +From: mancha <mancha1 AT zoho DOT com> +Date: Mon, 6 Oct 2014 +Subject: Re-introduce TCP Wrappers support + +Support for TCP Wrappers was dropped as of OpenSSH 6.7. This patch +resurrects the feature. + +Relevant upstream commits: + + https://anongit.mindrot.org/openssh.git/commit/?id=f2719b7c2b8a + https://anongit.mindrot.org/openssh.git/commit/?id=f9696566fb41 + +--- + configure.ac | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++ + sshd.8 | 7 +++++++ + sshd.c | 25 +++++++++++++++++++++++ + 3 files changed, 89 insertions(+) + +--- a/configure.ac ++++ b/configure.ac +@@ -1380,6 +1380,62 @@ AC_ARG_WITH([skey], + ] + ) + ++# Check whether user wants TCP wrappers support ++TCPW_MSG="no" ++AC_ARG_WITH([tcp-wrappers], ++ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)], ++ [ ++ if test "x$withval" != "xno" ; then ++ saved_LIBS="$LIBS" ++ saved_LDFLAGS="$LDFLAGS" ++ saved_CPPFLAGS="$CPPFLAGS" ++ if test -n "${withval}" && \ ++ test "x${withval}" != "xyes"; then ++ if test -d "${withval}/lib"; then ++ if test -n "${need_dash_r}"; then ++ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" ++ else ++ LDFLAGS="-L${withval}/lib ${LDFLAGS}" ++ fi ++ else ++ if test -n "${need_dash_r}"; then ++ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" ++ else ++ LDFLAGS="-L${withval} ${LDFLAGS}" ++ fi ++ fi ++ if test -d "${withval}/include"; then ++ CPPFLAGS="-I${withval}/include ${CPPFLAGS}" ++ else ++ CPPFLAGS="-I${withval} ${CPPFLAGS}" ++ fi ++ fi ++ LIBS="-lwrap -lnsl $LIBS" ++ AC_MSG_CHECKING([for libwrap]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[ ++#include <sys/types.h> ++#include <sys/socket.h> ++#include <netinet/in.h> ++#include <tcpd.h> ++int deny_severity = 0, allow_severity = 0; ++ ]], [[ ++ hosts_access(0); ++ ]])], [ ++ AC_MSG_RESULT([yes]) ++ AC_DEFINE([LIBWRAP], [1], ++ [Define if you want ++ TCP Wrappers support]) ++ SSHDLIBS="$SSHDLIBS -lwrap -lnsl" ++ TCPW_MSG="yes" ++ ], [ ++ AC_MSG_ERROR([*** libwrap missing]) ++ ++ ]) ++ LIBS="$saved_LIBS" ++ fi ++ ] ++) ++ + # Check whether user wants to use ldns + LDNS_MSG="no" + AC_ARG_WITH(ldns, +@@ -4829,6 +4885,7 @@ echo " KerberosV support + echo " SELinux support: $SELINUX_MSG" + echo " Smartcard support: $SCARD_MSG" + echo " S/KEY support: $SKEY_MSG" ++echo " TCP Wrappers support: $TCPW_MSG" + echo " MD5 password support: $MD5_MSG" + echo " libedit support: $LIBEDIT_MSG" + echo " Solaris process contract support: $SPC_MSG" +--- a/sshd.8 ++++ b/sshd.8 +@@ -851,6 +851,12 @@ the user's home directory becomes access + This file should be writable only by the user, and need not be + readable by anyone else. + .Pp ++.It Pa /etc/hosts.allow ++.It Pa /etc/hosts.deny ++Access controls that should be enforced by tcp-wrappers are defined here. ++Further details are described in ++.Xr hosts_access 5 . ++.Pp + .It Pa /etc/hosts.equiv + This file is for host-based authentication (see + .Xr ssh 1 ) . +@@ -954,6 +960,7 @@ The content of this file is not sensitiv + .Xr ssh-keygen 1 , + .Xr ssh-keyscan 1 , + .Xr chroot 2 , ++.Xr hosts_access 5 , + .Xr login.conf 5 , + .Xr moduli 5 , + .Xr sshd_config 5 , +--- a/sshd.c ++++ b/sshd.c +@@ -123,6 +123,13 @@ + #include "ssh-sandbox.h" + #include "version.h" + ++#ifdef LIBWRAP ++#include <tcpd.h> ++#include <syslog.h> ++int allow_severity; ++int deny_severity; ++#endif /* LIBWRAP */ ++ + #ifndef O_NOCTTY + #define O_NOCTTY 0 + #endif +@@ -2054,6 +2061,24 @@ main(int ac, char **av) + #ifdef SSH_AUDIT_EVENTS + audit_connection_from(remote_ip, remote_port); + #endif ++#ifdef LIBWRAP ++ allow_severity = options.log_facility|LOG_INFO; ++ deny_severity = options.log_facility|LOG_WARNING; ++ /* Check whether logins are denied from this host. */ ++ if (packet_connection_is_on_socket()) { ++ struct request_info req; ++ ++ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); ++ fromhost(&req); ++ ++ if (!hosts_access(&req)) { ++ debug("Connection refused by tcp wrapper"); ++ refuse(&req); ++ /* NOTREACHED */ ++ fatal("libwrap refuse returns"); ++ } ++ } ++#endif /* LIBWRAP */ + + /* Log the connection. */ + verbose("Connection from %s port %d on %s port %d", diff --git a/source/n/openssh/openssh.SlackBuild b/source/n/openssh/openssh.SlackBuild index 07ea1615..a917ee80 100755 --- a/source/n/openssh/openssh.SlackBuild +++ b/source/n/openssh/openssh.SlackBuild @@ -36,15 +36,15 @@ NUMJOBS=${NUMJOBS:--j6} # Automatically determine the architecture we're building on: if [ -z "$ARCH" ]; then case "$( uname -m )" in - i?86) export ARCH=i486 ;; + i?86) export ARCH=i586 ;; arm*) export ARCH=arm ;; # Unless $ARCH is already set, use uname -m for all other archs: *) export ARCH=$( uname -m ) ;; esac fi -if [ "$ARCH" = "i486" ]; then - SLKCFLAGS="-O2 -march=i486 -mtune=i686" +if [ "$ARCH" = "i586" ]; then + SLKCFLAGS="-O2 -march=i586 -mtune=i686" elif [ "$ARCH" = "s390" ]; then SLKCFLAGS="-O2" elif [ "$ARCH" = "x86_64" ]; then @@ -68,6 +68,10 @@ tar xvf $CWD/openssh-$VERSION.tar.gz || tar xvf $CWD/openssh-$VERSION.tar.?z* || cd openssh-$VERSION chown -R root:root . +# Restore support for tcpwrappers: +zcat $CWD/openssh-7.2p1-libwrap.diff.gz | patch -p1 --verbose || exit 1 +autoreconf -vif + # Compile package: CFLAGS="$SLKCFLAGS" \ ./configure \ diff --git a/source/n/openssh/rc.sshd b/source/n/openssh/rc.sshd index cb2dfa41..2da2ab30 100644 --- a/source/n/openssh/rc.sshd +++ b/source/n/openssh/rc.sshd @@ -3,9 +3,6 @@ sshd_start() { # Create host keys if needed. - if [ ! -r /etc/ssh/ssh_host_key ]; then - /usr/bin/ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N '' - fi if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then /usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '' fi @@ -15,6 +12,12 @@ sshd_start() { if [ ! -f /etc/ssh/ssh_host_ecdsa_key ]; then /usr/bin/ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N '' fi + if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then + /usr/bin/ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N '' + fi + # Catch any new host key types not yet created above: + /usr/bin/ssh-keygen -A + # Start the sshd daemon: /usr/sbin/sshd } |