[packages/openssh] - up to 8.2p1; new - FIDO/U2F support
arekm
arekm at pld-linux.org
Sat Feb 15 13:06:30 CET 2020
commit 204858e58df7e196f7fb25089f172ef27e4689f6
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date: Sat Feb 15 13:06:22 2020 +0100
- up to 8.2p1; new - FIDO/U2F support
openssh-include.patch | 11 -----------
openssh-ldap.patch | 54 ++++++++++++++++++++++++++-------------------------
openssh-sigpipe.patch | 10 +++++-----
openssh.spec | 17 ++++++++--------
ossh-bug-3093.patch | 40 --------------------------------------
5 files changed, 42 insertions(+), 90 deletions(-)
---
diff --git a/openssh.spec b/openssh.spec
index 065eb67..b6e6ed1 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -36,13 +36,13 @@ Summary(pt_BR.UTF-8): Implementação livre do SSH
Summary(ru.UTF-8): OpenSSH - свободная реализация протокола Secure Shell (SSH)
Summary(uk.UTF-8): OpenSSH - вільна реалізація протоколу Secure Shell (SSH)
Name: openssh
-Version: 8.1p1
-Release: 4
+Version: 8.2p1
+Release: 1
Epoch: 2
License: BSD
Group: Applications/Networking
Source0: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz
-# Source0-md5: 513694343631a99841e815306806edf0
+# Source0-md5: 3076e6413e8dbe56d33848c1054ac091
Source1: http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2
# Source1-md5: 66943d481cc422512b537bcc2c7400d1
Source2: %{name}d.init
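Review bot: The new `# Source0-md5:` value is the only integrity check visible here for a tarball that `Source0` fetches over plain `http://`, and MD5 does not resist deliberate collisions, so the digest alone does not establish that this is the 8.2p1 archive upstream released. Before the digest is recorded, the tarball should be verified against upstream's detached release signature, with a short comment above the md5 line saying so, e.g. `# tarball checked against upstream release signature`. Whether the builder tooling accepts a stronger digest next to the md5 tag is not visible in this hunk; if it does, adding one here would be worthwhile.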
@@ -68,13 +68,12 @@ Patch8: ldap-helper-sigpipe.patch
# High Performance SSH/SCP - HPN-SSH - http://www.psc.edu/networking/projects/hpn-ssh/
# http://www.psc.edu/networking/projects/hpn-ssh/openssh-5.2p1-hpn13v6.diff.gz
Patch9: %{name}-5.2p1-hpn13v6.diff
-Patch10: %{name}-include.patch
+
Patch11: %{name}-chroot.patch
Patch12: openssh-bug-2905.patch
Patch13: %{name}-skip-interop-tests.patch
Patch14: %{name}-bind.patch
Patch15: %{name}-disable_ldap.patch
-Patch16: ossh-bug-3093.patch
URL: http://www.openssh.com/portable.html
BuildRequires: %{__perl}
%{?with_audit:BuildRequires: audit-libs-devel}
@@ -85,6 +84,7 @@ BuildRequires: automake
%{?with_kerberos5:BuildRequires: heimdal-devel >= 0.7}
%{?with_ldns:BuildRequires: ldns-devel}
%{?with_libedit:BuildRequires: libedit-devel}
+BuildRequires: libfido2-devel
BuildRequires: libseccomp-devel
%{?with_selinux:BuildRequires: libselinux-devel}
%{?with_ldap:BuildRequires: openldap-devel}
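Review bot: `BuildRequires: libfido2-devel` is added unconditionally, while the neighbouring optional dependencies (`ldns-devel`, `libedit-devel`, `libselinux-devel`, `openldap-devel`) are each gated by a `%{?with_...:}` bcond. The same applies to `--with-security-key-builtin` in the configure hunk further down. A site that does not use FIDO/U2F keys therefore cannot build the package without pulling the token-handling library into the client helper. Consider gating both lines, e.g. `%{?with_fido2:BuildRequires: libfido2-devel}` and `%{?with_fido2:--with-security-key-builtin}`; the bcond definitions are outside this hunk, so `with_fido2` is a suggested name, not an existing one. The upstream `TARGETS` line quoted in openssh-ldap.patch lists `ssh-sk-helper` unconditionally, so the two new `%files` entries can probably stay as they are.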
@@ -538,7 +538,7 @@ openldap-a.
%patch8 -p1
%{?with_hpn:%patch9 -p1}
-%patch10 -p1
+
%patch11 -p1
%patch12 -p1
%patch13 -p1
@@ -551,8 +551,6 @@ openldap-a.
%{__sed} -i -e 's/\(`$(PKG_CONFIG) --libs gtk+-2.0\) x11`/\1` -lX11/' contrib/Makefile
%endif
-%patch16 -p1
-
# hack since arc4random from openbsd-compat needs symbols from libssh and vice versa
sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh -lopenbsd-compat#g' Makefile*
@@ -586,6 +584,7 @@ CPPFLAGS="%{rpmcppflags} -DCHROOT -std=gnu99"
--with-pid-dir=%{_localstatedir}/run \
--with-privsep-path=%{_privsepdir} \
--with-privsep-user=sshd \
+ --with-security-key-builtin \
%{?with_selinux:--with-selinux} \
%if "%{pld_release}" == "ac"
--with-xauth=/usr/X11R6/bin/xauth
@@ -794,6 +793,7 @@ fi
%attr(755,root,root) %{_bindir}/ssh-add
%attr(755,root,root) %{_bindir}/ssh-copy-id
%attr(755,root,root) %{_bindir}/scp
+%attr(755,root,root) %{_libexecdir}/ssh-sk-helper
%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/ssh_config
%config(noreplace,missingok) %verify(not md5 mtime size) /etc/env.d/SSH_ASKPASS
%{_mandir}/man1/scp.1*
@@ -803,6 +803,7 @@ fi
%{_mandir}/man1/ssh-add.1*
%{_mandir}/man1/ssh-copy-id.1*
%{_mandir}/man5/ssh_config.5*
+%{_mandir}/man8/ssh-sk-helper.8*
%lang(it) %{_mandir}/it/man1/ssh.1*
%lang(it) %{_mandir}/it/man5/ssh_config.5*
%lang(pl) %{_mandir}/pl/man1/scp.1*
diff --git a/openssh-include.patch b/openssh-include.patch
deleted file mode 100644
index 801c681..0000000
--- a/openssh-include.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- openssh-5.9p1/configure.ac~ 2011-09-06 19:31:16.000000000 +0200
-+++ openssh-5.9p1/configure.ac 2011-09-06 19:31:55.291791679 +0200
-@@ -1076,6 +1076,7 @@
-
- AC_MSG_CHECKING([for possibly buggy zlib])
- AC_RUN_IFELSE([AC_LANG_PROGRAM([[
-+#include <stdlib.h>
- #include <stdio.h>
- #include <zlib.h>
- ]],
-
diff --git a/openssh-ldap.patch b/openssh-ldap.patch
index 2920eab..fe93879 100644
--- a/openssh-ldap.patch
+++ b/openssh-ldap.patch
@@ -1995,14 +1995,16 @@ diff -up openssh-6.2p1/ldapmisc.h.ldap openssh-6.2p1/ldapmisc.h
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
-@@ -61,8 +63,9 @@
+@@ -61,10 +63,11 @@
EXEEXT=@EXEEXT@
MANFMT=@MANFMT@
MKDIR_P=@MKDIR_P@
+INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
+
+ .SUFFIXES: .lo
--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT)
LIBOPENSSH_OBJS=\
ssh_api.o \
@@ -2010,45 +2012,45 @@ diff -up openssh-6.2p1/ldapmisc.h.ldap openssh-6.2p1/ldapmisc.h
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
sandbox-solaris.o
--MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
--MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
-+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
-+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5
+-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out
+-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5
++MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
++MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5
MANTYPE = @MANTYPE@
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-@@ -184,6 +187,9 @@
- ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
- $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+@@ -235,6 +235,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
+ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
+ $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
+ $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-@@ -311,6 +317,10 @@
- $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
+@@ -395,6 +395,10 @@ install-files:
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
-+ $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
-+ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
++ $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
++ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
+ fi
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-@@ -327,6 +337,10 @@
- $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
+@@ -416,6 +416,10 @@ install-files:
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+ $(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
-+ $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
-+ $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
++ $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
++ $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
+ fi
install-sysconf:
- if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
+ $(MKDIR_P) $(DESTDIR)$(sysconfdir)
@@ -352,6 +366,13 @@
else \
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
@@ -2063,23 +2065,23 @@ diff -up openssh-6.2p1/ldapmisc.h.ldap openssh-6.2p1/ldapmisc.h
host-key: ssh-keygen$(EXEEXT)
@if [ -z "$(DESTDIR)" ] ; then \
-@@ -392,6 +413,8 @@
- -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+@@ -488,6 +488,8 @@ uninstall:
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+ -rm -f $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
+ -rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
+ -rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-@@ -403,6 +426,7 @@
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
+@@ -502,6 +502,7 @@ uninstall:
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
regress-prep:
- [ -d `pwd`/regress ] || mkdir -p `pwd`/regress
+ $(MKDIR_P) `pwd`/regress/unittests/test_helper
diff -up openssh-6.2p1/openssh-lpk-openldap.schema.ldap openssh-6.2p1/openssh-lpk-openldap.schema
--- openssh-6.2p1/openssh-lpk-openldap.schema.ldap 2013-03-25 21:27:15.894248110 +0100
+++ openssh-6.2p1/openssh-lpk-openldap.schema 2013-03-25 21:27:15.894248110 +0100
diff --git a/openssh-sigpipe.patch b/openssh-sigpipe.patch
index 3d60ddf..a190b7c 100644
--- a/openssh-sigpipe.patch
+++ b/openssh-sigpipe.patch
@@ -10,13 +10,13 @@
/*
* Flag to indicate that we have received a window change signal which has
* not yet been processed. This will cause a message indicating the new
-@@ -1236,6 +1239,8 @@
- signal(SIGQUIT, signal_handler);
- if (signal(SIGTERM, SIG_IGN) != SIG_IGN)
- signal(SIGTERM, signal_handler);
+@@ -1317,6 +1317,8 @@ client_loop(struct ssh *ssh, int have_pt
+ ssh_signal(SIGQUIT, signal_handler);
+ if (ssh_signal(SIGTERM, SIG_IGN) != SIG_IGN)
+ ssh_signal(SIGTERM, signal_handler);
+ if (enable_sigpipe)
+ signal(SIGPIPE, signal_handler);
- signal(SIGWINCH, window_change_handler);
+ ssh_signal(SIGWINCH, window_change_handler);
if (have_pty)
diff -urN openssh-3.9p1.org/ssh.0 openssh-3.9p1/ssh.0
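Review bot: The rebased context now calls `ssh_signal()` for SIGQUIT, SIGTERM and SIGWINCH, but the line this patch adds still installs the SIGPIPE handler with plain `signal(SIGPIPE, signal_handler);`. If `ssh_signal()` is a `sigaction`-based wrapper, as the upstream rename suggests, the SIGPIPE handler gets different, platform-dependent masking and restart behaviour from every other handler set up in `client_loop`. The added line should read `ssh_signal(SIGPIPE, signal_handler);`. `client_loop` starts and ends outside this hunk, so whether other `signal()` calls carried by this patch need the same change cannot be checked here.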
diff --git a/ossh-bug-3093.patch b/ossh-bug-3093.patch
deleted file mode 100644
index fa33bae..0000000
--- a/ossh-bug-3093.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index b5cda70b..f80981fa 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -177,6 +177,9 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_shmdt
- SC_DENY(__NR_shmdt, EACCES),
- #endif
-+#ifdef __NR_ipc
-+ SC_DENY(__NR_ipc, EACCES),
-+#endif
-
- /* Syscalls to permit */
- #ifdef __NR_brk
-@@ -185,6 +188,9 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_clock_gettime
- SC_ALLOW(__NR_clock_gettime),
- #endif
-+#ifdef __NR_clock_gettime64
-+ SC_ALLOW(__NR_clock_gettime64),
-+#endif
- #ifdef __NR_close
- SC_ALLOW(__NR_close),
- #endif
-@@ -242,6 +248,15 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_nanosleep
- SC_ALLOW(__NR_nanosleep),
- #endif
-+#ifdef __NR_clock_nanosleep
-+ SC_ALLOW(__NR_clock_nanosleep),
-+#endif
-+#ifdef __NR_clock_nanosleep_time64
-+ SC_ALLOW(__NR_clock_nanosleep_time64),
-+#endif
-+#ifdef __NR_clock_gettime64
-+ SC_ALLOW(__NR_clock_gettime64),
-+#endif
- #ifdef __NR__newselect
- SC_ALLOW(__NR__newselect),
- #endif
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/openssh.git/commitdiff/204858e58df7e196f7fb25089f172ef27e4689f6