c9833c9
# Do we want SELinux & Audit
Jan F 6bd5ca2
%if 0%{?!noselinux:1}
a0e2525
%global WITH_SELINUX 1
Jan F 6bd5ca2
%else
a0e2525
%global WITH_SELINUX 0
Jan F 6bd5ca2
%endif
fc72c21
14c675f
%global _hardened_build 1
14c675f
cvsdist 8264e71
# OpenSSH privilege separation requires a user & group ID
a0e2525
%global sshd_uid    74
a0e2525
%global sshd_gid    74
cvsdist 8264e71
cvsdist f28bf6e
# Do we want to disable building of gnome-askpass? (1=yes 0=no)
a0e2525
%global no_gnome_askpass 0
cvsdist f28bf6e
cvsdist b46e395
# Do we want to link against a static libcrypto? (1=yes 0=no)
a0e2525
%global static_libcrypto 0
cvsdist b46e395
cvsdist 3e66bdc
# Use GTK2 instead of GNOME in gnome-ssh-askpass
a0e2525
%global gtk2 1
cvsdist 3e66bdc
cvsdist fe98d86
# Build position-independent executables (requires toolchain support)?
a0e2525
%global pie 1
cvsdist fe98d86
cvsdist 3e66bdc
# Do we want kerberos5 support (1=yes 0=no)
a0e2525
%global kerberos5 1
cvsdist 8264e71
c9833c9
# Do we want libedit support
a0e2525
%global libedit 1
c9833c9
7e7fb42
# Do we want LDAP support
a0e2525
%global ldap 1
7e7fb42
e47cb00
# Whether to build pam_ssh_agent_auth
Jan F 6bd5ca2
%if 0%{?!nopam:1}
a0e2525
%global pam_ssh_agent 1
Jan F 6bd5ca2
%else
a0e2525
%global pam_ssh_agent 0
Jan F 6bd5ca2
%endif
e47cb00
cvsdist 43f95f0
# Reserve options to override askpass settings with:
cvsdist 43f95f0
# rpm -ba|--rebuild --define 'skip_xxx 1'
b8bdc7c
%{?skip_gnome_askpass:%global no_gnome_askpass 1}
cvsdist 43f95f0
cvsdist ffdec57
# Add option to build without GTK2 for older platforms with only GTK+.
389c431
# Red Hat Linux <= 7.2 and Red Hat Advanced Server 2.1 are examples.
cvsdist ffdec57
# rpm -ba|--rebuild --define 'no_gtk2 1'
b8bdc7c
%{?no_gtk2:%global gtk2 0}
cvsdist ffdec57
cvsdist b46e395
# Options for static OpenSSL link:
cvsdist b46e395
# rpm -ba|--rebuild --define "static_openssl 1"
b8bdc7c
%{?static_openssl:%global static_libcrypto 1}
cvsdist b46e395
cvsdist b46e395
# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
a0e2525
%global rescue 0
b8bdc7c
%{?build_rescue:%global rescue 1}
b8bdc7c
%{?build_rescue:%global rescue_rel rescue}
cvsdist b46e395
cvsdist 3e66bdc
# Turn off some stuff for resuce builds
cvsdist 3e66bdc
%if %{rescue}
a0e2525
%global kerberos5 0
a0e2525
%global libedit 0
a0e2525
%global pam_ssh_agent 0
cvsdist 3e66bdc
%endif
cvsdist 3e66bdc
04cab1d
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
9163ba1
%global openssh_ver 7.2p2
ba8f389
%global openssh_rel 7
87ab5fc
%global pam_ssh_agent_ver 0.10.2
9163ba1
%global pam_ssh_agent_rel 3
e47cb00
9e5c6ec
Summary: An open source implementation of SSH protocol versions 1 and 2
cvsdist f710772
Name: openssh
aa8fb3e
Version: %{openssh_ver}
46445f1
Release: %{openssh_rel}%{?dist}%{?rescue_rel}
cvsdist f710772
URL: http://www.openssh.com/portable.html
7451555
#URL1: http://pamsshagentauth.sourceforge.net
1900351
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
c9833c9
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
ca47f63
Source2: sshd.pam
e47cb00
Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.bz2
e47cb00
Source5: pam_ssh_agent-rmheaders
Jan F 99f4276
Source6: ssh-keycat.pam
Jan F 11896aa
Source7: sshd.sysconfig
Jan F 5c8b5cb
Source9: sshd@.service
Jan F 5c8b5cb
Source10: sshd.socket
Jan F 53f618d
Source11: sshd.service
00c7b75
Source12: sshd-keygen@.service
Jan F 5c8b5cb
Source13: sshd-keygen
c31740f
Source14: sshd.tmpfiles
5489ace
Source15: sshd-keygen.target
0b5300a
Source16: sshd-keygen.legacy
6fa4d80
Jan F. Chadima 69dd72f
# Internal debug
Jan F. Chadima cff1d0c
Patch0: openssh-5.9p1-wIm.patch
Jan F. Chadima 69dd72f
1144aef
#https://bugzilla.mindrot.org/show_bug.cgi?id=2581
580f986
Patch100: openssh-6.7p1-coverity.patch
Jan F 9c4d06a
#https://bugzilla.mindrot.org/show_bug.cgi?id=1894
feb99ea
#https://bugzilla.redhat.com/show_bug.cgi?id=735889
1144aef
#Patch102: openssh-5.8p1-getaddrinfo.patch
Jan F 1ddd0ee
#https://bugzilla.mindrot.org/show_bug.cgi?id=1889
Jan F. Chadima 3b545be
Patch103: openssh-5.8p1-packet.patch
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
720cf82
# https://bugzilla.redhat.com/show_bug.cgi?id=1171248
720cf82
# record pfs= field in CRYPTO_SESSION audit event
13073f8
Patch200: openssh-7.2p1-audit.patch
44fc972
# Audit race condition in forked child (#1310684)
44fc972
Patch201: openssh-7.1p2-audit-race-condition.patch
Jan F. Chadima 69dd72f
Jan F 003cb0b
# --- pam_ssh-agent ---
4f4687c
# make it build reusing the openssh sources
4f4687c
Patch300: pam_ssh_agent_auth-0.9.3-build.patch
4f4687c
# check return value of seteuid()
Jan F. Chadima 69dd72f
Patch301: pam_ssh_agent_auth-0.9.2-seteuid.patch
4f4687c
# explicitly make pam callbacks visible
4f4687c
Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch
637556d
# update to current version of agent structure
637556d
Patch305: pam_ssh_agent_auth-0.9.3-agent_structure.patch
87ab5fc
# remove prefixes to be able to build against current openssh library
87ab5fc
Patch306: pam_ssh_agent_auth-0.10.2-compat.patch
ea94213
# Fix NULL dereference from getpwuid() return value
ea94213
# https://sourceforge.net/p/pamsshagentauth/bugs/22/
ea94213
Patch307: pam_ssh_agent_auth-0.10.2-dereference.patch
637556d
Jan F 0f7ccbf
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
94c6f8d
Patch400: openssh-6.6p1-role-mls.patch
cd5891d
#https://bugzilla.redhat.com/show_bug.cgi?id=781634
94c6f8d
Patch404: openssh-6.6p1-privsep-selinux.patch
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f
#?-- unwanted child :(
1900351
Patch501: openssh-6.7p1-ldap.patch
Jan F 8fe1509
#?
94c6f8d
Patch502: openssh-6.6p1-keycat.patch
Jan F. Chadima 69dd72f
87ab5fc
#https://bugzilla.mindrot.org/show_bug.cgi?id=1644
94c6f8d
Patch601: openssh-6.6p1-allow-ip-opts.patch
1144aef
#https://bugzilla.mindrot.org/show_bug.cgi?id=1893 (WONTFIX)
94c6f8d
Patch604: openssh-6.6p1-keyperm.patch
1144aef
#(drop?) https://bugzilla.mindrot.org/show_bug.cgi?id=1925
Jan F. Chadima 69dd72f
Patch606: openssh-5.9p1-ipv6man.patch
Jan F 1ddd0ee
#?
8b5feef
Patch607: openssh-5.8p2-sigpipe.patch
Jan F. Chadima 69dd72f
#https://bugzilla.mindrot.org/show_bug.cgi?id=1789
f286828
Patch609: openssh-7.2p2-x11.patch
Jan F. Chadima 69dd72f
Jan F 003cb0b
#?
13073f8
Patch700: openssh-7.2p1-fips.patch
Jan F 003cb0b
#?
Jan F. Chadima 69dd72f
Patch702: openssh-5.1p1-askpass-progress.patch
1144aef
#https://bugzilla.redhat.com/show_bug.cgi?id=198332
Jan F. Chadima 69dd72f
Patch703: openssh-4.3p2-askpass-grab-info.patch
Jan F. Chadima 69dd72f
#https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
94c6f8d
Patch707: openssh-6.6p1-redhat.patch
Jan F. Chadima 69dd72f
#https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
94c6f8d
Patch708: openssh-6.6p1-entropy.patch
Jan F. Chadima 69dd72f
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
8a29ded
Patch709: openssh-6.2p1-vendor.patch
5bd5aa2
# warn users for unsupported UsePAM=no (#757545)
94c6f8d
Patch711: openssh-6.6p1-log-usepam-no.patch
6148abd
# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
84822b5
Patch712: openssh-6.3p1-ctr-evp-fast.patch
017c65d
# add cavs test binary for the aes-ctr
94c6f8d
Patch713: openssh-6.6p1-ctr-cavstest.patch
bb3e880
# add SSH KDF CAVS test driver
bb3e880
Patch714: openssh-6.7p1-kdf-cavs.patch
5382ccb
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f
#http://www.sxw.org.uk/computing/patches/openssh.html
51ca3be
#changed cache storage type - #848228
13073f8
Patch800: openssh-7.2p1-gsskex.patch
Jan F 5b4ccb3
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
94c6f8d
Patch801: openssh-6.6p1-force_krb.patch
140e5ca
# add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843)
140e5ca
# CVE-2014-9278
140e5ca
Patch802: openssh-6.6p1-GSSAPIEnablek5users.patch
d9d9575
# Documentation about GSSAPI
d9d9575
# from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765655
d9d9575
Patch803: openssh-7.1p1-gssapi-documentation.patch
d78d347
# use default_ccache_name from /etc/krb5.conf (#991186)
d78d347
Patch804: openssh-6.3p1-krb5-use-default_ccache_name.patch
d78d347
# Respect k5login_directory option in krk5.conf (#1328243)
d78d347
Patch805: openssh-7.2p2-k5login_directory.patch
d9d9575
52c8eca
Patch900: openssh-6.1p1-gssapi-canohost.patch
Jan F. Chadima 69dd72f
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
94c6f8d
Patch901: openssh-6.6p1-kuserok.patch
96df3b5
# Use tty allocation for a remote scp (#985650)
96df3b5
Patch906: openssh-6.4p1-fromto-remote.patch
0a3f4e1
# set a client's address right after a connection is set
0a3f4e1
# http://bugzilla.mindrot.org/show_bug.cgi?id=2257
0a3f4e1
Patch911: openssh-6.6p1-set_remote_ipaddr.patch
1630648
# apply RFC3454 stringprep to banners when possible
1630648
# https://bugzilla.mindrot.org/show_bug.cgi?id=2058
1630648
# slightly changed patch from comment 10
1630648
Patch912: openssh-6.6.1p1-utf8-banner.patch
4b24967
# fix parsing of empty options in sshd_conf
4b24967
# https://bugzilla.mindrot.org/show_bug.cgi?id=2281
4b24967
Patch914: openssh-6.6.1p1-servconf-parser.patch
5296a79
# privsep_preauth: use SELinux context from selinux-policy (#1008580)
5296a79
Patch916: openssh-6.6.1p1-selinux-contexts.patch
08fe9e8
# use different values for DH for Cisco servers (#1026430)
08fe9e8
Patch917: openssh-6.6.1p1-cisco-dh-keys.patch
7a7b8f0
# log via monitor in chroots without /dev/log
7a7b8f0
Patch918: openssh-6.6.1p1-log-in-chroot.patch
fd06d69
# scp file into non-existing directory (#1142223)
fd06d69
Patch919: openssh-6.6.1p1-scp-non-existing-directory.patch
b9d68e7
# Config parser shouldn't accept ip/port syntax (#1130733)
b9d68e7
Patch920: openssh-6.6.1p1-ip-port-config-parser.patch
f29c878
# restore tcp wrappers support, based on Debian patch
f29c878
# https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
f29c878
Patch921: openssh-6.7p1-debian-restore-tcp-wrappers.patch
b552eb6
# apply upstream patch and make sshd -T more consistent (#1187521)
0a076e7
Patch922: openssh-6.8p1-sshdT-output.patch
a4d9cd5
# Seccomp support for secondary architectures (#1195065)
a4d9cd5
Patch924: openssh-6.9p1-seccomp-secondary.patch
558fb7b
# Add sftp option to force mode of created files (#1191055)
558fb7b
Patch926: openssh-6.7p1-sftp-force-permission.patch
8244d5a
# Memory problems
8244d5a
# https://bugzilla.mindrot.org/show_bug.cgi?id=2401
8244d5a
Patch928: openssh-6.8p1-memory-problems.patch
5de6c89
# Restore compatible default (#89216)
5de6c89
Patch929: openssh-6.9p1-permit-root-login.patch
67938e0
# Handle terminal control characters in scp progressmeter (#1247204)
67938e0
Patch931: openssh-6.9p1-scp-progressmeter.patch
bc4ef0f
# Add GSSAPIKexAlgorithms option for server and client application
bc4ef0f
Patch932: openssh-7.0p1-gssKexAlgorithms.patch
4df30a2
# Possibility to validate legacy systems by more fingerprints (#1249626)(#2439)
4df30a2
Patch933: openssh-7.0p1-show-more-fingerprints.patch
f6bd29a
# Preserve IUTF8 tty mode flag over ssh connections (#1270248)
f6bd29a
# https://bugzilla.mindrot.org/show_bug.cgi?id=2477
f6bd29a
Patch936: openssh-7.1p1-iutf8.patch
cf4e3a1
# CVE-2015-8325: ignore PAM environment vars when UseLogin=yes
cf4e3a1
Patch937: openssh-7.2p2-CVE-2015-8325.patch
8dd0608
# Regression in certificate based authentication (#1333498)
8dd0608
Patch938: openssh-7.2p2-certificats-regress.patch
b552eb6
f29c878
cvsdist 7d7b035
License: BSD
cvsdist f710772
Group: Applications/Internet
9d725bd
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
cvsdist 8264e71
Requires: /sbin/nologin
e40d5d1
Obsoletes: openssh-clients-fips, openssh-server-fips
fb6f390
Obsoletes: openssh-server-sysvinit
cvsdist 8264e71
c92dff4
%if ! %{no_gnome_askpass}
cvsdist 092b0a1
%if %{gtk2}
ef32423
BuildRequires: gtk2-devel
ef32423
BuildRequires: libX11-devel
c92dff4
%else
ef32423
BuildRequires: gnome-libs-devel
cvsdist 092b0a1
%endif
c92dff4
%endif
c92dff4
7e7fb42
%if %{ldap}
7e7fb42
BuildRequires: openldap-devel
7e7fb42
%endif
ad928ac
BuildRequires: autoconf, automake, perl, perl-generators, zlib-devel
Jan F. Chadima f44bdee
BuildRequires: audit-libs-devel >= 2.0.5
9e777a2
BuildRequires: util-linux, groff
ef32423
BuildRequires: pam-devel
fc2f31d
BuildRequires: tcp_wrappers-devel
b61d9c1
BuildRequires: fipscheck-devel >= 1.3.0
d93958d
BuildRequires: openssl-devel >= 0.9.8j
87391b7
BuildRequires: perl-podlators
cvsdist 8264e71
cvsdist 3e66bdc
%if %{kerberos5}
ef32423
BuildRequires: krb5-devel
cvsdist 3e66bdc
%endif
cvsdist 3e66bdc
c9833c9
%if %{libedit}
0a9a407
BuildRequires: libedit-devel ncurses-devel
c9833c9
%endif
c9833c9
fc72c21
%if %{WITH_SELINUX}
5296a79
Requires: libselinux >= 2.3-5
5296a79
BuildRequires: libselinux-devel >= 2.3-5
fc72c21
Requires: audit-libs >= 1.0.8
fc72c21
BuildRequires: audit-libs >= 1.0.8
fc72c21
%endif
cvsdist 5ef6073
ef32423
BuildRequires: xauth
ef32423
cvsdist f710772
%package clients
9e5c6ec
Summary: An open source SSH client applications
cvsdist f710772
Group: Applications/Internet
13fa787
Requires: openssh = %{version}-%{release}
b61d9c1
Requires: fipscheck-lib%{_isa} >= 1.3.0
cvsdist f710772
2939c32
%package clients-ssh1
2939c32
Summary: An open source SSH client applications for legacy SSH1 protocol
2939c32
Group: Applications/Internet
2939c32
Requires: openssh = %{version}-%{release}
2939c32
Requires: fipscheck-lib%{_isa} >= 1.3.0
2939c32
cvsdist f710772
%package server
9e5c6ec
Summary: An open source SSH server daemon
cvsdist f710772
Group: System Environment/Daemons
ef32423
Requires: openssh = %{version}-%{release}
ef32423
Requires(pre): /usr/sbin/useradd
1961bc1
Requires: pam >= 1.0.1-3
2ae5f9f
Requires: fipscheck-lib%{_isa} >= 1.3.0
Jan F 5c8b5cb
Requires(post): systemd-units
Jan F 5c8b5cb
Requires(preun): systemd-units
Jan F 5c8b5cb
Requires(postun): systemd-units
Jan F 5c8b5cb
3fdf10c
%if %{ldap}
3fdf10c
%package ldap
3fdf10c
Summary: A LDAP support for open source SSH server daemon
3fdf10c
Requires: openssh = %{version}-%{release}
3fdf10c
Group: System Environment/Daemons
3fdf10c
%endif
3fdf10c
Jan F 99f4276
%package keycat
Jan F 99f4276
Summary: A mls keycat backend for openssh
Jan F 99f4276
Requires: openssh = %{version}-%{release}
Jan F 99f4276
Group: System Environment/Daemons
Jan F 99f4276
cvsdist f710772
%package askpass
ef32423
Summary: A passphrase dialog for OpenSSH and X
cvsdist f710772
Group: Applications/Internet
cvsdist 3287400
Requires: openssh = %{version}-%{release}
762e407
Obsoletes: openssh-askpass-gnome
762e407
Provides: openssh-askpass-gnome
cvsdist f710772
08cb909
%package cavs
08cb909
Summary: CAVS tests for FIPS validation
08cb909
Group: Applications/Internet
08cb909
Requires: openssh = %{version}-%{release}
08cb909
e47cb00
%package -n pam_ssh_agent_auth
e47cb00
Summary: PAM module for authentication with ssh-agent
e47cb00
Group: System Environment/Base
e47cb00
Version: %{pam_ssh_agent_ver}
b2b837a
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}.1
7451555
License: BSD
e47cb00
cvsdist f710772
%description
cvsdist 7d7b035
SSH (Secure SHell) is a program for logging into and executing
cvsdist 7d7b035
commands on a remote machine. SSH is intended to replace rlogin and
cvsdist 7d7b035
rsh, and to provide secure encrypted communications between two
cvsdist 7d7b035
untrusted hosts over an insecure network. X11 connections and
cvsdist f710772
arbitrary TCP/IP ports can also be forwarded over the secure channel.
cvsdist f710772
cvsdist 7d7b035
OpenSSH is OpenBSD's version of the last free version of SSH, bringing
9e5c6ec
it up to date in terms of security and features.
cvsdist f710772
cvsdist f710772
This package includes the core files necessary for both the OpenSSH
cvsdist 7d7b035
client and server. To make this package useful, you should also
cvsdist f710772
install openssh-clients, openssh-server, or both.
cvsdist f710772
cvsdist f710772
%description clients
cvsdist 7d7b035
OpenSSH is a free version of SSH (Secure SHell), a program for logging
cvsdist 7d7b035
into and executing commands on a remote machine. This package includes
cvsdist 7d7b035
the clients necessary to make encrypted connections to SSH servers.
cvsdist f710772
2939c32
%description clients-ssh1
2939c32
OpenSSH is a free version of SSH (Secure SHell), a program for logging
2939c32
into and executing commands on a remote machine. This package includes
2939c32
the clients necessary to make encrypted connections to SSH servers
2939c32
which support only legacy SSH1 protocol.
2939c32
cvsdist f710772
%description server
cvsdist 7d7b035
OpenSSH is a free version of SSH (Secure SHell), a program for logging
cvsdist 7d7b035
into and executing commands on a remote machine. This package contains
cvsdist 7d7b035
the secure shell daemon (sshd). The sshd daemon allows SSH clients to
9e5c6ec
securely connect to your SSH server.
cvsdist f710772
3fdf10c
%if %{ldap}
3fdf10c
%description ldap
3fdf10c
OpenSSH LDAP backend is a way how to distribute the authorized tokens
3fdf10c
among the servers in the network.
3fdf10c
%endif
3fdf10c
Jan F 99f4276
%description keycat
Jan F 99f4276
OpenSSH mls keycat is backend for using the authorized keys in the
Jan F 99f4276
openssh in the mls mode.
Jan F 99f4276
cvsdist f710772
%description askpass
cvsdist 7d7b035
OpenSSH is a free version of SSH (Secure SHell), a program for logging
cvsdist 7d7b035
into and executing commands on a remote machine. This package contains
cvsdist 7d7b035
an X11 passphrase dialog for OpenSSH.
cvsdist f710772
08cb909
%description cavs
08cb909
This package contains test binaries and scripts to make FIPS validation
08cb909
easier. Now contains CTR and KDF CAVS test driver.
08cb909
e47cb00
%description -n pam_ssh_agent_auth
e47cb00
This package contains a PAM module which can be used to authenticate
e47cb00
users using ssh keys stored in a ssh-agent. Through the use of the
e47cb00
forwarding of ssh-agent connection it also allows to authenticate with
e47cb00
remote ssh-agent instance.
e47cb00
e47cb00
The module is most useful for su and sudo service stacks.
e47cb00
cvsdist 43f95f0
%prep
1900351
%setup -q -a 4
Jan F 5c20fa8
#Do not enable by default
Jan F. Chadima 28b0dc6
%if 0
Jan F. Chadima 28b0dc6
%patch0 -p1 -b .wIm
Jan F. Chadima 28b0dc6
%endif
Jan F 5b4ccb3
94c6f8d
# investigate %patch102 -p1 -b .getaddrinfo
Jan F. Chadima 3b545be
%patch103 -p1 -b .packet
Jan F. Chadima 69dd72f
e47cb00
%if %{pam_ssh_agent}
e47cb00
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
87ab5fc
%patch300 -p2 -b .psaa-build
Jan F. Chadima 69dd72f
%patch301 -p1 -b .psaa-seteuid
87ab5fc
%patch302 -p2 -b .psaa-visibility
87ab5fc
%patch306 -p2 -b .psaa-compat
637556d
%patch305 -p2 -b .psaa-agent
ea94213
%patch307 -p2 -b .psaa-deref
87ab5fc
# Remove duplicate headers and library files
e47cb00
rm -f $(cat %{SOURCE5})
e47cb00
popd
e47cb00
%endif
Jan F. Chadima 69dd72f
Jan F 003cb0b
%if %{WITH_SELINUX}
65ba94e
%patch400 -p1 -b .role-mls
cd5891d
%patch404 -p1 -b .privsep-selinux
Jan F. Chadima 69dd72f
%endif
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f
%if %{ldap}
Jan F. Chadima 69dd72f
%patch501 -p1 -b .ldap
Jan F. Chadima 69dd72f
%endif
Jan F. Chadima 69dd72f
%patch502 -p1 -b .keycat
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f
%patch601 -p1 -b .ip-opts
Jan F. Chadima 69dd72f
%patch604 -p1 -b .keyperm
Jan F. Chadima 69dd72f
%patch606 -p1 -b .ipv6man
8b5feef
%patch607 -p1 -b .sigpipe
86f29c3
%patch609 -p1 -b .x11
Jan F. Chadima 69dd72f
%patch702 -p1 -b .progress
Jan F. Chadima 69dd72f
%patch703 -p1 -b .grab-info
Jan F. Chadima 69dd72f
%patch707 -p1 -b .redhat
Jan F. Chadima 69dd72f
%patch708 -p1 -b .entropy
Jan F. Chadima 69dd72f
%patch709 -p1 -b .vendor
5bd5aa2
%patch711 -p1 -b .log-usepam-no
6148abd
%patch712 -p1 -b .evp-ctr
017c65d
%patch713 -p1 -b .ctr-cavs
bb3e880
%patch714 -p1 -b .kdf-cavs
94c6f8d
# 
Jan F. Chadima 69dd72f
%patch800 -p1 -b .gsskex
Jan F. Chadima 69dd72f
%patch801 -p1 -b .force_krb
d9d9575
%patch803 -p1 -b .gss-docs
d78d347
%patch804 -p1 -b .ccache_name
d78d347
%patch805 -p1 -b .k5login
94c6f8d
# 
Jan F. Chadima 69dd72f
%patch900 -p1 -b .canohost
Jan F. Chadima 69dd72f
%patch901 -p1 -b .kuserok
96df3b5
%patch906 -p1 -b .fromto-remote
0a3f4e1
%patch911 -p1 -b .set_remote_ipaddr
1630648
%patch912 -p1 -b .utf8-banner
4b24967
%patch914 -p1 -b .servconf
5296a79
%patch916 -p1 -b .contexts
535d341
#%patch917 -p1 -b .cisco-dh # investigate
7a7b8f0
%patch918 -p1 -b .log-in-chroot
fd06d69
%patch919 -p1 -b .scp
b9d68e7
%patch920 -p1 -b .config
140e5ca
%patch802 -p1 -b .GSSAPIEnablek5users
f29c878
%patch921 -p1 -b .tcp_wrappers
b552eb6
%patch922 -p1 -b .sshdt
Marcin Juszkiewicz 6656486
%patch924 -p1 -b .seccomp
558fb7b
%patch926 -p1 -b .sftp-force-mode
8244d5a
%patch928 -p1 -b .memory
5de6c89
%patch929 -p1 -b .root-login
67938e0
%patch931 -p1 -b .progressmeter
bc4ef0f
%patch932 -p1 -b .gsskexalg
4df30a2
%patch933 -p1 -b .fingerprint
f6bd29a
%patch936 -p1 -b .iutf8
cf4e3a1
%patch937 -p1 -b .pam_uselogin_cve
8dd0608
%patch938 -p1 -b .certificates
05c945b
12cf3e4
%patch200 -p1 -b .audit
44fc972
%patch201 -p1 -b .audit-race
8028159
%patch700 -p1 -b .fips
5160c9c
580f986
%patch100 -p1 -b .coverity
1630648
Jan F. Chadima 28b0dc6
%if 0
Jan F. Chadima 28b0dc6
# Nothing here yet
Jan F. Chadima 28b0dc6
%endif
Jan F. Chadima 28b0dc6
8ccaa9f
autoreconf
50a3ddb
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
50a3ddb
autoreconf
50a3ddb
popd
cvsdist ffdec57
cvsdist 43f95f0
%build
4f4687c
# the -fvisibility=hidden is needed for clean build of the pam_ssh_agent_auth
4f4687c
# and it makes the ssh build more clean and even optimized better
4f4687c
CFLAGS="$RPM_OPT_FLAGS -fvisibility=hidden"; export CFLAGS
cvsdist fe98d86
%if %{rescue}
cvsdist fe98d86
CFLAGS="$CFLAGS -Os"
cvsdist fe98d86
%endif
cvsdist fe98d86
%if %{pie}
91bdf49
%ifarch s390 s390x sparc sparcv9 sparc64
e47cb00
CFLAGS="$CFLAGS -fPIC"
cvsdist 8f87201
%else
e47cb00
CFLAGS="$CFLAGS -fpic"
cvsdist 8f87201
%endif
e47cb00
SAVE_LDFLAGS="$LDFLAGS"
Jan F 003cb0b
LDFLAGS="$LDFLAGS -pie -z relro -z now"
Jan F 003cb0b
Jan F 003cb0b
export CFLAGS
Jan F 003cb0b
export LDFLAGS
Jan F 003cb0b
cvsdist fe98d86
%endif
cvsdist 092b0a1
%if %{kerberos5}
2640293
if test -r /etc/profile.d/krb5-devel.sh ; then
77f453b
	source /etc/profile.d/krb5-devel.sh
2640293
fi
cvsdist 092b0a1
krb5_prefix=`krb5-config --prefix`
cvsdist 092b0a1
if test "$krb5_prefix" != "%{_prefix}" ; then
cvsdist 092b0a1
	CPPFLAGS="$CPPFLAGS -I${krb5_prefix}/include -I${krb5_prefix}/include/gssapi"; export CPPFLAGS
cvsdist 092b0a1
	CFLAGS="$CFLAGS -I${krb5_prefix}/include -I${krb5_prefix}/include/gssapi"
cvsdist 092b0a1
	LDFLAGS="$LDFLAGS -L${krb5_prefix}/%{_lib}"; export LDFLAGS
cvsdist 092b0a1
else
cvsdist 092b0a1
	krb5_prefix=
cvsdist 092b0a1
	CPPFLAGS="-I%{_includedir}/gssapi"; export CPPFLAGS
cvsdist 092b0a1
	CFLAGS="$CFLAGS -I%{_includedir}/gssapi"
cvsdist 092b0a1
fi
cvsdist 092b0a1
%endif
cvsdist b46e395
2939c32
# do ssh1 clients
2939c32
%configure  \
2939c32
	--sysconfdir=%{_sysconfdir}/ssh \
2939c32
	--libexecdir=%{_libexecdir}/openssh \
2939c32
	--datadir=%{_datadir}/openssh \
2939c32
	--with-default-path=/usr/local/bin:/usr/bin \
2939c32
	--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
2939c32
	--disable-strip \
2939c32
	--without-zlib-version-check \
2939c32
	--with-ssl-engine \
2939c32
	--with-ipaddr-display \
2939c32
	--with-pie=no \
2939c32
	--with-selinux --with-audit=linux \
2939c32
	--with-pam \
2939c32
	--with-kerberos5${krb5_prefix:+=${krb5_prefix}} \
ccd1868
	--with-ldap \
2939c32
	--with-ssh1
2939c32
sed -i.back -e 's|^SSH_PROGRAM=.*|SSH_PROGRAM=/usr/bin/ssh1|' Makefile
2939c32
make scp ssh ssh-keygen
2939c32
cp ssh{,1}
2939c32
cp scp{,1}
2939c32
cp ssh-keygen{,1}
2939c32
cp Makefile{.back,}
2939c32
make clean
2939c32
cvsdist 43f95f0
%configure \
cvsdist 43f95f0
	--sysconfdir=%{_sysconfdir}/ssh \
cvsdist 43f95f0
	--libexecdir=%{_libexecdir}/openssh \
cvsdist b46e395
	--datadir=%{_datadir}/openssh \
cvsdist 43f95f0
	--with-tcp-wrappers \
e58e548
	--with-default-path=/usr/local/bin:/usr/bin \
e58e548
	--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
cvsdist 8264e71
	--with-privsep-path=%{_var}/empty/sshd \
9080a85
	--enable-vendor-patchlevel="FC-%{openssh_ver}-%{openssh_rel}" \
8ccaa9f
	--disable-strip \
de2e7a3
	--without-zlib-version-check \
ff6d597
	--with-ssl-engine \
Jan F. Chadima 39b26b5
	--with-ipaddr-display \
14c675f
	--with-pie=no \
7e7fb42
%if %{ldap}
7e7fb42
	--with-ldap \
7e7fb42
%endif
cvsdist 43f95f0
%if %{rescue}
cvsdist ffdec57
	--without-pam \
cvsdist 3e66bdc
%else
cvsdist 3e66bdc
	--with-pam \
cvsdist 3e66bdc
%endif
fc72c21
%if %{WITH_SELINUX}
Jan F. Chadima 28b0dc6
	--with-selinux --with-audit=linux \
f6a096c
%ifnarch ppc
b9846a8
	--with-sandbox=seccomp_filter \
74e740c
%else
d5a8001
	--with-sandbox=rlimit \
74e740c
%endif
fc72c21
%endif
cvsdist 3e66bdc
%if %{kerberos5}
c9833c9
	--with-kerberos5${krb5_prefix:+=${krb5_prefix}} \
cvsdist 43f95f0
%else
c9833c9
	--without-kerberos5 \
c9833c9
%endif
c9833c9
%if %{libedit}
b61d9c1
	--with-libedit
c9833c9
%else
b61d9c1
	--without-libedit
cvsdist b46e395
%endif
cvsdist b46e395
cvsdist b46e395
%if %{static_libcrypto}
cvsdist b46e395
perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
cvsdist 43f95f0
%endif
cvsdist 43f95f0
cvsdist 43f95f0
make
cvsdist 43f95f0
cvsdist 8264e71
# Define a variable to toggle gnome1/gtk2 building.  This is necessary
cvsdist 8264e71
# because RPM doesn't handle nested %if statements.
cvsdist 8264e71
%if %{gtk2}
cvsdist 3e66bdc
	gtk2=yes
cvsdist 8264e71
%else
cvsdist 3e66bdc
	gtk2=no
cvsdist 8264e71
%endif
cvsdist 8264e71
cvsdist 43f95f0
%if ! %{no_gnome_askpass}
cvsdist 43f95f0
pushd contrib
cvsdist 8264e71
if [ $gtk2 = yes ] ; then
812f08d
	CFLAGS="$CFLAGS %{?__global_ldflags}" \
812f08d
	    make gnome-ssh-askpass2
cvsdist 3e66bdc
	mv gnome-ssh-askpass2 gnome-ssh-askpass
cvsdist 8264e71
else
812f08d
	CFLAGS="$CFLAGS %{?__global_ldflags}"
812f08d
	    make gnome-ssh-askpass1
cvsdist 3e66bdc
	mv gnome-ssh-askpass1 gnome-ssh-askpass
cvsdist 8264e71
fi
cvsdist 43f95f0
popd
cvsdist 43f95f0
%endif
cvsdist 43f95f0
e47cb00
%if %{pam_ssh_agent}
e47cb00
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
e47cb00
LDFLAGS="$SAVE_LDFLAGS"
d2b3b9a
%configure --with-selinux --libexecdir=/%{_libdir}/security --with-mantype=man
e47cb00
make
e47cb00
popd
e47cb00
%endif
e47cb00
d93958d
# Add generation of HMAC checksums of the final stripped binaries
a0e2525
%global __spec_install_post \
a0e2525
    %%{?__debug_package:%%{__debug_install_post}} \
7c5d0a6
    %%{__arch_install_post} \
7c5d0a6
    %%{__os_install_post} \
13fa787
    fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/ssh $RPM_BUILD_ROOT%{_sbindir}/sshd \
d93958d
%{nil}
d93958d
fd408ed
%check
fd408ed
#to run tests use "--with check"
fd408ed
%if %{?_with_check:1}%{!?_with_check:0}
fd408ed
make tests
fd408ed
%endif
fd408ed
cvsdist 43f95f0
%install
cvsdist 43f95f0
rm -rf $RPM_BUILD_ROOT
cvsdist 43f95f0
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
cvsdist 43f95f0
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
320a1c8
mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
cvsdist 43f95f0
make install DESTDIR=$RPM_BUILD_ROOT
99d9a39
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ldap.conf
cvsdist 43f95f0
cvsdist 43f95f0
install -d $RPM_BUILD_ROOT/etc/pam.d/
Jan F 11896aa
install -d $RPM_BUILD_ROOT/etc/sysconfig/
cvsdist 43f95f0
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
13fa787
install -d $RPM_BUILD_ROOT%{_libdir}/fipscheck
ca47f63
install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
Jan F 99f4276
install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
Jan F 11896aa
install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
0b5300a
install -m755 %{SOURCE16} $RPM_BUILD_ROOT/%{_sbindir}/sshd-keygen
Jan F 0ecc97b
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
678b808
install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
678b808
install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
Jan F d470c46
install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
00c7b75
install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service
5489ace
install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target
00c7b75
install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
f94d8f5
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
f94d8f5
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
766438b
install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf
cvsdist 43f95f0
2939c32
# clients-ssh1
2939c32
install -m755 ssh1 $RPM_BUILD_ROOT/%{_bindir}/ssh1
2939c32
install -m755 scp1 $RPM_BUILD_ROOT/%{_bindir}/scp1
2939c32
install -m755 ssh-keygen1 $RPM_BUILD_ROOT/%{_bindir}/ssh-keygen1
2939c32
e762f72
# restore slogin
e762f72
pushd $RPM_BUILD_ROOT%{_bindir}
e762f72
ln -s ./ssh slogin
e762f72
pushd $RPM_BUILD_ROOT%{_mandir}/man1
e762f72
ln -s ./ssh.1 slogin.1
e762f72
popd; popd;
e762f72
cvsdist 43f95f0
%if ! %{no_gnome_askpass}
Jan F. Chadima 2b67a53
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
cvsdist 43f95f0
%endif
cvsdist 43f95f0
cvsdist ffdec57
%if ! %{no_gnome_askpass}
09d7e68
ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
cvsdist b46e395
install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
cvsdist 8264e71
install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
cvsdist 8264e71
install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
cvsdist ffdec57
%endif
cvsdist 43f95f0
cvsdist 5ef6073
%if %{no_gnome_askpass}
cvsdist 5ef6073
rm -f $RPM_BUILD_ROOT/etc/profile.d/gnome-ssh-askpass.*
cvsdist 5ef6073
%endif
cvsdist 5ef6073
cvsdist 43f95f0
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
cvsdist 43f95f0
e47cb00
%if %{pam_ssh_agent}
e47cb00
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
e47cb00
make install DESTDIR=$RPM_BUILD_ROOT
e47cb00
popd
e47cb00
%endif
cvsdist 43f95f0
%clean
cvsdist 43f95f0
rm -rf $RPM_BUILD_ROOT
cvsdist 43f95f0
Jan F 1ddd0ee
%pre
Jan F 1ddd0ee
getent group ssh_keys >/dev/null || groupadd -r ssh_keys || :
Jan F 1ddd0ee
cvsdist 8264e71
%pre server
2fd1054
getent group sshd >/dev/null || groupadd -g %{sshd_uid} -r sshd || :
2fd1054
getent passwd sshd >/dev/null || \
d48f1a7
  useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
2fd1054
  -s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
cvsdist 8264e71
cvsdist 43f95f0
%post server
678b808
%systemd_post sshd.service sshd.socket
cvsdist 43f95f0
cvsdist 43f95f0
%preun server
678b808
%systemd_preun sshd.service sshd.socket
94943d5
94943d5
%postun server
94943d5
%systemd_postun_with_restart sshd.service
Jan F 5c8b5cb
cvsdist 43f95f0
%files
e336e33
%license LICENCE
e336e33
%doc CREDITS ChangeLog INSTALL OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns TODO
cvsdist 43f95f0
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
f9f83a0
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
cvsdist 43f95f0
%if ! %{rescue}
cvsdist 43f95f0
%attr(0755,root,root) %{_bindir}/ssh-keygen
cvsdist 43f95f0
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
cvsdist 43f95f0
%attr(0755,root,root) %dir %{_libexecdir}/openssh
06b1d53
%attr(2555,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
cvsdist 8264e71
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
cvsdist 43f95f0
%endif
cvsdist 43f95f0
cvsdist 43f95f0
%files clients
cvsdist 8264e71
%attr(0755,root,root) %{_bindir}/ssh
2ae5f9f
%attr(0644,root,root) %{_libdir}/fipscheck/ssh.hmac
cvsdist 43f95f0
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
cvsdist 3e66bdc
%attr(0755,root,root) %{_bindir}/scp
cvsdist 3e66bdc
%attr(0644,root,root) %{_mandir}/man1/scp.1*
cvsdist 43f95f0
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
e762f72
%attr(0755,root,root) %{_bindir}/slogin
e762f72
%attr(0644,root,root) %{_mandir}/man1/slogin.1*
cvsdist 3e66bdc
%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
cvsdist 43f95f0
%if ! %{rescue}
f26cd8d
%attr(0755,root,root) %{_bindir}/ssh-agent
cvsdist 43f95f0
%attr(0755,root,root) %{_bindir}/ssh-add
cvsdist 43f95f0
%attr(0755,root,root) %{_bindir}/ssh-keyscan
cvsdist 43f95f0
%attr(0755,root,root) %{_bindir}/sftp
f94d8f5
%attr(0755,root,root) %{_bindir}/ssh-copy-id
974c89c
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
cvsdist 43f95f0
%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
cvsdist 43f95f0
%attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
cvsdist 43f95f0
%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
cvsdist 43f95f0
%attr(0644,root,root) %{_mandir}/man1/sftp.1*
f94d8f5
%attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1*
974c89c
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
cvsdist 43f95f0
%endif
cvsdist 43f95f0
2939c32
%files clients-ssh1
2939c32
%attr(0755,root,root) %{_bindir}/ssh1
2939c32
%attr(0755,root,root) %{_bindir}/scp1
2939c32
%attr(0755,root,root) %{_bindir}/ssh-keygen1
2939c32
cvsdist 43f95f0
%if ! %{rescue}
cvsdist 43f95f0
%files server
ef32423
%dir %attr(0711,root,root) %{_var}/empty/sshd
cvsdist 43f95f0
%attr(0755,root,root) %{_sbindir}/sshd
0b5300a
%attr(0755,root,root) %{_sbindir}/sshd-keygen
2ae5f9f
%attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
cvsdist 43f95f0
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
00c7b75
%attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen
cvsdist 8264e71
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
93a4744
%attr(0644,root,root) %{_mandir}/man5/moduli.5*
cvsdist 43f95f0
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
cvsdist 43f95f0
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
cvsdist 43f95f0
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
5a8f6b5
%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
Jan F 11896aa
%attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd
Jan F 53f618d
%attr(0644,root,root) %{_unitdir}/sshd.service
678b808
%attr(0644,root,root) %{_unitdir}/sshd@.service
678b808
%attr(0644,root,root) %{_unitdir}/sshd.socket
00c7b75
%attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
5489ace
%attr(0644,root,root) %{_unitdir}/sshd-keygen.target
766438b
%attr(0644,root,root) %{_tmpfilesdir}/openssh.conf
Jan F c0cd660
%endif
cvsdist 43f95f0
3fdf10c
%if %{ldap}
3fdf10c
%files ldap
Jan F 9404cdd
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema ldap.conf
09ca6ef
%doc openssh-lpk-openldap.ldif openssh-lpk-sun.ldif
3fdf10c
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-helper
Jan F b934981
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-wrapper
3fdf10c
%attr(0644,root,root) %{_mandir}/man8/ssh-ldap-helper.8*
222d52d
%attr(0644,root,root) %{_mandir}/man5/ssh-ldap.conf.5*
3fdf10c
%endif
3fdf10c
Jan F 99f4276
%files keycat
Jan F 825921b
%doc HOWTO.ssh-keycat
Jan F 99f4276
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-keycat
Jan F 99f4276
%attr(0644,root,root) %config(noreplace) /etc/pam.d/ssh-keycat
Jan F 99f4276
cvsdist 43f95f0
%if ! %{no_gnome_askpass}
09d7e68
%files askpass
b40baab
%attr(0644,root,root) %{_sysconfdir}/profile.d/gnome-ssh-askpass.*
cvsdist 43f95f0
%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass
09d7e68
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
cvsdist 43f95f0
%endif
cvsdist 43f95f0
08cb909
%files cavs
08cb909
%attr(0755,root,root) %{_libexecdir}/openssh/ctr-cavstest
08cb909
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs
08cb909
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs_driver.pl
08cb909
e47cb00
%if %{pam_ssh_agent}
e47cb00
%files -n pam_ssh_agent_auth
e336e33
%license pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE
d2b3b9a
%attr(0755,root,root) %{_libdir}/security/pam_ssh_agent_auth.so
e47cb00
%attr(0644,root,root) %{_mandir}/man8/pam_ssh_agent_auth.8*
e47cb00
%endif
e47cb00
cvsdist f710772
%changelog
ba8f389
* Mon Jun 06 2016 Jakub Jelen <jjelen@redhat.com> - 7.2p2-7
ba8f389
- Fix regression in certificate-based authentication (#1333498)
ba8f389
- Check for real location of .k5login file (#1328243)
ba8f389
- Fix unchecked dereference in pam_ssh_agent_auth
ba8f389
- Clean up old patches
ba8f389
- Build with seccomp filter on ppc64(le) (#1195065)
ba8f389
991b662
* Fri Apr 29 2016 Jakub Jelen <jjelen@redhat.com> - 7.2p2-6 + 0.10.2-3
991b662
- Add legacy sshd-keygen for anaconda (#1331077)
991b662
1380564
* Fri Apr 22 2016 Jakub Jelen <jjelen@redhat.com> - 7.2p2-5 + 0.10.2-3
1380564
- CVE-2015-8325: ignore PAM environment vars when UseLogin=yes (#1328013)
1380564
- Fix typo in sysconfig/sshd (#1325535)
1380564
58d2868
* Fri Apr 15 2016 Jakub Jelen <jjelen@redhat.com> - 7.2p2-4 + 0.10.2-3
58d2868
- Revise socket activation and services dependencies (#1325535)
58d2868
- Drop unused init script
58d2868
32a7488
* Wed Apr 13 2016 Jakub Jelen <jjelen@redhat.com> 7.2p2-3 + 0.10.2-3
32a7488
- Make sshd-keygen comply with packaging guidelines (#1325535)
32a7488
- Soft-deny socket() syscall in seccomp sandbox (#1324493)
32a7488
- Remove *sha1 Kex in FIPS mode (#1324493)
32a7488
- Remove *gcm ciphers in FIPS mode (#1324493)
32a7488
f7e56a5
* Wed Apr 06 2016 Jakub Jelen <jjelen@redhat.com> 7.2p2-2 + 0.10.2-3
f7e56a5
- Fix GSSAPI Key Exchange according to RFC (#1323622)
f7e56a5
- Remove init.d/functions dependency from sshd-keygen (#1317722)
f7e56a5
- Do not use MD5 in pam_ssh_agent_auth in FIPS mode
f7e56a5
9163ba1
* Thu Mar 10 2016 Jakub Jelen <jjelen@redhat.com> 7.2p2-1 + 0.10.2-3
9163ba1
- New upstream (security) release (#1316529)
9163ba1
- Clean up audit patch
9163ba1
0bdae3b
* Thu Mar 03 2016 Jakub Jelen <jjelen@redhat.com> 7.2p1-2 + 0.10.2-2
0bdae3b
- Restore slogin symlinks to preserve backward compatibility
0bdae3b
13073f8
* Mon Feb 29 2016 Jakub Jelen <jjelen@redhat.com> 7.2p1-1 + 0.10.2-2
13073f8
- New upstream release (#1312870)
13073f8
46445f1
* Wed Feb 24 2016 Jakub Jelen <jjelen@redhat.com> 7.1p2-4.1 + 0.10.2-1
46445f1
- Fix race condition in auditing events when using multiplexing (#1308295)
46445f1
- Fix X11 forwarding CVE according to upstream
46445f1
- Fix problem when running without privsep (#1303910)
46445f1
- Remove hard glob limit in SFTP
46445f1
b2b837a
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 7.1p2-3.1
b2b837a
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
b2b837a
8ddd3ed
* Sat Jan 30 2016 Jakub Jelen <jjelen@redhat.com> 7.1p2-3 + 0.10.2-1
8ddd3ed
- Fix segfaults with pam_ssh_agent_auth (#1303036)
8ddd3ed
- Silently disable X11 forwarding on problems
8ddd3ed
- Systemd service should be forking to detect immediate failures
8ddd3ed
6c2eb5e
* Mon Jan 25 2016 Jakub Jelen <jjelen@redhat.com> 7.1p2-2 + 0.10.2-1
6c2eb5e
- Rebased to recent version of pam_ssh_agent_auth
6c2eb5e
- Upstream fix for CVE-2016-1908
6c2eb5e
- Remove useless defattr
6c2eb5e
7bc6437
* Thu Jan 14 2016 Jakub Jelen <jjelen@redhat.com> 7.1p2-1 + 0.9.2-9
7bc6437
- New security upstream release for CVE-2016-0777
7bc6437
b2191db
* Tue Jan 12 2016 Jakub Jelen <jjelen@redhat.com> 7.1p1-7 + 0.9.2-8
b2191db
- Change RPM define macros to global according to packaging guidelines
b2191db
- Fix wrong handling of SSH_COPY_ID_LEGACY environment variable
b2191db
- Update ssh-agent and ssh-keysign permissions (#1296724)
b2191db
- Fix few problems with alternative builds without GSSAPI or openSSL
b2191db
- Fix condition to run sshd-keygen
b2191db
c45d147
* Fri Dec 18 2015 Jakub Jelen <jjelen@redhat.com> 7.1p1-6 + 0.9.2-8
c45d147
- Preserve IUTF8 tty mode flag over ssh connections (#1270248)
c45d147
- Do not require sysconfig file to start service (#1279521)
c45d147
- Update ssh-copy-id to upstream version
c45d147
- GSSAPI Key Exchange documentation improvements
c45d147
- Remove unused patches
c45d147
ef86a31
* Wed Nov 04 2015 Jakub Jelen <jjelen@redhat.com> 7.1p1-5 + 0.9.2-8
ef86a31
- Do not set user context too many times for root logins (#1269072)
ef86a31
fa54d54
* Thu Oct 22 2015 Jakub Jelen <jjelen@redhat.com> 7.1p1-4 + 0.9.2-8
fa54d54
- Review SELinux user context handling after authentication (#1269072)
fa54d54
- Handle root logins the same way as other users (#1269072)
fa54d54
- Audit implicit mac, if mac is covered in cipher (#1271694)
fa54d54
- Increase size limit for remote glob over sftp
fa54d54
a80c277
* Fri Sep 25 2015 Jakub Jelen <jjelen@redhat.com> 7.1p1-3 + 0.9.2-8
a80c277
- Fix FIPS mode for DH kex (#1260253)
a80c277
- Provide full RELRO and PIE form askpass helper (#1264036)
a80c277
- Fix gssapi key exchange on server and client (#1261414)
a80c277
- Allow gss-keyex root login when without-password is set (upstream #2456)
a80c277
- Fix obsolete usage of SELinux constants (#1261496)
a80c277
9826215
* Wed Sep 09 2015 Jakub Jelen <jjelen@redhat.com> 7.1p1-2 + 0.9.2-8
9826215
- Fix warnings reported by gcc related to keysign and keyAlgorithms
9826215
757fec5
* Sat Aug 22 2015 Jakub Jelen <jjelen@redhat.com> 7.1p1-1 + 0.9.2-8
757fec5
- New upstream release
757fec5
ebdae84
* Wed Aug 19 2015 Jakub Jelen <jjelen@redhat.com> 7.0p1-2 + 0.9.3-7
ebdae84
- Fix problem with DSA keys using pam_ssh_agent_auth (#1251777)
ebdae84
- Add GSSAPIKexAlgorithms option for server and client application
ebdae84
- Possibility to validate legacy systems by more fingerprints (#1249626)
ebdae84
18e5499
* Wed Aug 12 2015 Jakub Jelen <jjelen@redhat.com> 7.0p1-1 + 0.9.3-7
3f55133
- New upstream release (#1252639)
3f55133
- Fix pam_ssh_agent_auth package (#1251777)
3f55133
- Security: Use-after-free bug related to PAM support (#1252853)
3f55133
- Security: Privilege separation weakness related to PAM support (#1252854)
3f55133
- Security: Incorrectly set TTYs to be world-writable (#1252862)
3f55133
6286d6a
* Tue Jul 28 2015 Jakub Jelen <jjelen@redhat.com> 6.9p1-4 + 0.9.3-6
6286d6a
- Handle terminal control characters in scp progressmeter (#1247204)
6286d6a
83bfb1f
* Thu Jul 23 2015 Jakub Jelen <jjelen@redhat.com> 6.9p1-3 + 0.9.3-6
83bfb1f
- CVE-2015-5600: only query each keyboard-interactive device once (#1245971)
83bfb1f
ca62b61
* Wed Jul 15 2015 Jakub Jelen <jjelen@redhat.com> 6.9p1-2 + 0.9.3-6
ca62b61
- Enable SECCOMP filter for s390* architecture (#1195065)
ca62b61
- Fix race condition when multiplexing connection (#1242682)
ca62b61
187a349
* Wed Jul 01 2015 Jakub Jelen <jjelen@redhat.com> 6.9p1-1 + 0.9.3-6
187a349
- New upstream release (#1238253)
187a349
- Increase limitation number of files which can be listed using glob in sftp
187a349
- Correctly revert "PermitRootLogin no" option from upstream sources (#89216)
187a349
f3002bf
* Wed Jun 24 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-9 + 0.9.3-5
f3002bf
- Allow socketcall(SYS_SHUTDOWN) for net_child on ix86 architecture
f3002bf
b59dd83
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 6.8p1-8.1
b59dd83
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
b59dd83
5aa47ae
* Mon Jun 08 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-8 + 0.9.3-5
5aa47ae
- Return stat syscall to seccomp filter (#1228323)
5aa47ae
f049b3b
* Wed Jun 03 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-7 + 0.9.3-5
f049b3b
- Handle pam_ssh_agent_auth memory, buffers and variable sizes (#1225106)
f049b3b
8a10dcb
* Thu May 28 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-6 + 0.9.3-5
8a10dcb
- Resolve problem with pam_ssh_agent_auth after rebase (#1225106)
8a10dcb
- ssh-copy-id: tcsh doesnt work with multiline strings
8a10dcb
- Fix upstream memory problems
8a10dcb
- Add missing options in testmode output and manual pages
8a10dcb
- Provide LDIF version of LPK schema
8a10dcb
- Document required selinux boolean for working ssh-ldap-helper
8a10dcb
775e1b2
* Mon Apr 20 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-5 + 0.9.3-5
775e1b2
- Fix segfault on daemon exit caused by API change (#1213423)
775e1b2
c516316
* Thu Apr 02 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-4 + 0.9.3-5
c516316
- Fix audit_end_command to restore ControlPersist function (#1203900)
c516316
c028ac5
* Tue Mar 31 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-3 + 0.9.3-5
c028ac5
- Fixed issue with GSSAPI key exchange (#1207719)
c028ac5
- Add pam_namespace to sshd pam stack (based on #1125110)
c028ac5
- Remove krb5-config workaround for #1203900
c028ac5
- Fix handling SELinux context in MLS systems
c028ac5
- Regression: solve sshd segfaults if other instance already running
c028ac5
e5b15a7
* Thu Mar 26 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-2 + 0.9.3-5
e5b15a7
- Update audit and gss patches after rebase
e5b15a7
- Fix reintroduced upstrem bug #1878
e5b15a7
e3688f3
* Tue Mar 24 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-1 + 0.9.3-5
e3688f3
- new upstream release openssh-6.8p1 (#1203245)
e3688f3
- Resolve segfault with auditing commands (#1203900)
e3688f3
- Workaround krb5-config bug (#1204646)
132f8f8
7b82d08
* Thu Mar 12 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-11 + 0.9.3-4
7b82d08
- Ability to specify LDAP filter in ldap.conf for ssh-ldap-helper
7b82d08
- Fix auditing when using combination of ForceCommand and PTY
7b82d08
- Add sftp option to force mode of created files (from rhel)
7b82d08
- Fix tmpfiles.d entries to be more consistent (#1196807)
7b82d08
7aa6321
* Mon Mar 02 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-10 + 0.9.3-4
7aa6321
- Add tmpfiles.d entries (#1196807)
7aa6321
c8b4078
* Fri Feb 27 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-9 + 0.9.3-4
c8b4078
- Adjust seccomp filter for primary architectures and solve aarch64 issue (#1197051)
c8b4078
- Solve issue with ssh-copy-id and keys without trailing newline (#1093168)
c8b4078
5f3c83f
* Tue Feb 24 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-8 + 0.9.3-4
5f3c83f
- Add AArch64 support for seccomp_filter sandbox (#1195065)
5f3c83f
e0f867b
* Mon Feb 23 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-7 + 0.9.3-4
e0f867b
- Fix seccomp filter on architectures without getuid32
e0f867b
c13a4b7
* Mon Feb 23 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-6 + 0.9.3-4
c13a4b7
- Update seccomp filter to work on i686 architectures (#1194401)
c13a4b7
- Fix previous failing build (#1195065)
c13a4b7
74e740c
* Sun Feb 22 2015 Peter Robinson <pbrobinson@fedoraproject.org> 6.7p1-5 + 0.9.3-4
74e740c
- Only use seccomp for sandboxing on supported platforms
74e740c
c694529
* Fri Feb 20 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-4 + 0.9.3-4
c694529
- Move cavs tests into subpackage -cavs (#1194320)
c694529
2f55636
* Wed Feb 18 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-3 + 0.9.3-4
2f55636
- update coverity patch
2f55636
- make output of sshd -T more consistent (#1187521)
2f55636
- enable seccomp for sandboxing instead of rlimit (#1062953)
2f55636
- update hardening to compile on gcc5
2f55636
- Add SSH KDF CAVS test driver (#1193045)
2f55636
- Fix ssh-copy-id on non-sh remote shells (#1045191)
2f55636
6c6416d
* Tue Jan 27 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-2 + 0.9.3-4
6c6416d
- fixed audit patch after rebase
6c6416d
1900351
* Tue Jan 20 2015 Petr Lautrbach <plautrba@redhat.com> 6.7p1-1 + 0.9.3-4
1900351
- new upstream release openssh-6.7p1
1900351
3ffcb79
* Thu Jan 15 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-11.1 + 0.9.3-3
2109ab6
- error message if scp when directory doesn't exist (#1142223)
2109ab6
- parsing configuration file values (#1130733)
2109ab6
- documentation in service and socket files for systemd (#1181593)
2109ab6
- updated ldap patch (#981058)
2109ab6
- fixed vendor-patchlevel
2109ab6
- add new option GSSAPIEnablek5users and disable using ~/.k5users by default CVE-2014-9278 (#1170745)
2109ab6
62986c5
* Fri Dec 19 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-10 + 0.9.3-3
62986c5
- log via monitor in chroots without /dev/log
62986c5
276c16c
* Wed Dec 03 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-9 + 0.9.3-3
276c16c
- the .local domain example should be in ssh_config, not in sshd_config
276c16c
- use different values for DH for Cisco servers (#1026430)
276c16c
823364a
* Thu Nov 13 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-8 + 0.9.3-3
823364a
- fix gsskex patch to correctly handle MONITOR_REQ_GSSSIGN request (#1118005)
823364a
a1e1ac2
* Fri Nov 07 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-7 + 0.9.3-3
a1e1ac2
- correct the calculation of bytes for authctxt->krb5_ccname <ams@corefiling.com> (#1161073)
a1e1ac2
3b7c862
* Tue Nov 04 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-6 + 0.9.3-3
3b7c862
- privsep_preauth: use SELinux context from selinux-policy (#1008580)
3b7c862
- change audit trail for unknown users (mindrot#2245)
3b7c862
- fix kuserok patch which checked for the existence of .k5login
3b7c862
  unconditionally and hence prevented other mechanisms to be used properly
3b7c862
- revert the default of KerberosUseKuserok back to yes (#1153076)
3b7c862
- ignore SIGXFSZ in postauth monitor (mindrot#2263)
3b7c862
- sshd-keygen - don't generate DSA and ED25519 host keys in FIPS mode
3b7c862
afde9f8
* Mon Sep 08 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-5 + 0.9.3-3
afde9f8
- set a client's address right after a connection is set (mindrot#2257)
afde9f8
- apply RFC3454 stringprep to banners when possible (mindrot#2058)
afde9f8
- don't consider a partial success as a failure (mindrot#2270)
afde9f8
662c5a0
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 6.6.1p1-4.1
662c5a0
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
662c5a0
e336e33
* Fri Jul 18 2014 Tom Callaway <spot@fedoraproject.org> 6.6.1p1-4 + 0.9.3-3
e336e33
- fix license handling (both)
e336e33
8ff21c9
* Fri Jul 18 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-3 + 0.9.3-2
8ff21c9
- standardise on NI_MAXHOST for gethostname() string lengths (#1051490)
8ff21c9
cef0d58
* Mon Jul 14 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-2 + 0.9.3-2
cef0d58
- add pam_reauthorize.so to sshd.pam (#1115977)
cef0d58
- spec file and patches clenup
cef0d58
d1b0938
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 6.6.1p1-1.1
d1b0938
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
d1b0938
5cde9cd
* Tue Jun 03 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-1 + 0.9.3-2
5cde9cd
- disable the curve25519 KEX when speaking to OpenSSH 6.5 or 6.6
5cde9cd
- add support for ED25519 keys to sshd-keygen and sshd.sysconfig
5cde9cd
- drop openssh-server-sysvinit subpackage
5cde9cd
- slightly change systemd units logic - use sshd-keygen.service (#1066615)
5cde9cd
94c6f8d
* Tue Jun 03 2014 Petr Lautrbach <plautrba@redhat.com> 6.6p1-1 + 0.9.3-2
94c6f8d
- new upstream release openssh-6.6p1
94c6f8d
d755752
* Thu May 15 2014 Petr Lautrbach <plautrba@redhat.com> 6.4p1-4 + 0.9.3-1
d755752
- use SSH_COPY_ID_LEGACY variable to run ssh-copy-id in the legacy mode
d755752
- make /etc/ssh/moduli file public (#1043661)
d755752
- test existence of /etc/ssh/ssh_host_ecdsa_key in sshd-keygen.service
d755752
- don't clean up gssapi credentials by default (#1055016)
d755752
- ssh-agent - try CLOCK_BOOTTIME with fallback (#1091992)
d755752
- prevent a server from skipping SSHFP lookup - CVE-2014-2653 (#1081338)
d755752
- ignore environment variables with embedded '=' or '\0' characters - CVE-2014-2532
d755752
  (#1077843)
d755752
222dd2e
* Wed Dec 11 2013 Petr Lautrbach <plautrba@redhat.com> 6.4p1-3 + 0.9.3-1
222dd2e
- sshd-keygen - use correct permissions on ecdsa host key (#1023945)
222dd2e
- use only rsa and ecdsa host keys by default
222dd2e
89d920b
* Tue Nov 26 2013 Petr Lautrbach <plautrba@redhat.com> 6.4p1-2 + 0.9.3-1
89d920b
- fix fatal() cleanup in the audit patch (#1029074)
89d920b
- fix parsing logic of ldap.conf file (#1033662)
89d920b
09e9ef3
* Fri Nov 08 2013 Petr Lautrbach <plautrba@redhat.com> 6.4p1-1 + 0.9.3-1
09e9ef3
- new upstream release
09e9ef3
3ed6191
* Fri Nov 01 2013 Petr Lautrbach <plautrba@redhat.com> 6.3p1-5 + 0.9.3-7
3ed6191
- adjust gss kex mechanism to the upstream changes (#1024004)
3ed6191
- don't use xfree in pam_ssh_agent_auth sources <geertj@gmail.com> (#1024965)
3ed6191
7feb965
* Fri Oct 25 2013 Petr Lautrbach <plautrba@redhat.com> 6.3p1-4 + 0.9.3-6
7feb965
- rebuild with the openssl with the ECC support
7feb965
a5e23f2
* Thu Oct 24 2013 Petr Lautrbach <plautrba@redhat.com> 6.3p1-3 + 0.9.3-6
a5e23f2
- don't use SSH_FP_MD5 for fingerprints in FIPS mode
a5e23f2
ff7a26b
* Wed Oct 23 2013 Petr Lautrbach <plautrba@redhat.com> 6.3p1-2 + 0.9.3-6
ff7a26b
- use default_ccache_name from /etc/krb5.conf for a kerberos cache (#991186)
ff7a26b
- increase the size of the Diffie-Hellman groups (#1010607)
ff7a26b
- sshd-keygen to generate ECDSA keys <i.grok@comcast.net> (#1019222)
ff7a26b
e40d5d1
* Tue Oct 15 2013 Petr Lautrbach <plautrba@redhat.com> 6.3p1-1.1 + 0.9.3-6
a92e916
- new upstream release (#1007769)
a92e916
c33ef55
* Tue Oct 08 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-9 + 0.9.3-5
c33ef55
- use dracut-fips package to determine if a FIPS module is installed
c33ef55
- revert -fips subpackages and hmac files suffixes
c33ef55
f344f84
* Wed Sep 25 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-8 + 0.9.3-5
f344f84
- sshd-keygen: generate only RSA keys by default (#1010092)
f344f84
- use dist tag in suffixes for hmac checksum files
f344f84
eba55f9
* Wed Sep 11 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-7 + 0.9.3-5
eba55f9
- use hmac_suffix for ssh{,d} hmac checksums
eba55f9
- bump the minimum value of SSH_USE_STRONG_RNG to 14 according to SP800-131A
eba55f9
- automatically restart sshd.service on-failure after 42s interval
eba55f9
a19397f
* Thu Aug 29 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-6.1 + 0.9.3-5
f4e927b
- add -fips subpackages that contains the FIPS module files
f4e927b
631ffb2
* Wed Jul 31 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-5 + 0.9.3-5
631ffb2
- gssapi credentials need to be stored before a pam session opened (#987792)
631ffb2
115aad3
* Tue Jul 23 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-4 + 0.9.3-5
115aad3
- don't show Success for EAI_SYSTEM (#985964)
115aad3
- make sftp's libedit interface marginally multibyte aware (#841771)
115aad3
66608a1
* Mon Jun 17 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-3 + 0.9.3-5
66608a1
- move default gssapi cache to /run/user/<uid> (#848228)
66608a1
e99c484
* Tue May 21 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-2 + 0.9.3-5
e99c484
- add socket activated sshd units to the package (#963268)
e99c484
- fix the example in the HOWTO.ldap-keys
e99c484
21acbc4
* Mon May 20 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-1 + 0.9.3-5
21acbc4
- new upstream release (#963582)
21acbc4
a92d744
* Wed Apr 17 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p1-4 + 0.9.3-4
a92d744
- don't use export in sysconfig file (#953111)
a92d744
c276d31
* Tue Apr 16 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p1-3 + 0.9.3-4
c276d31
- sshd.service: use KillMode=process (#890376)
c276d31
- add latest config.{sub,guess} to support aarch64 (#926284)
c276d31
1042786
* Tue Apr 09 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p1-2 + 0.9.3-4
1042786
- keep track of which IndentityFile options were manually supplied and
1042786
  which were default options, and don't warn if the latter are missing.
1042786
  (mindrot#2084)
1042786
b6f89ab
* Tue Apr 09 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p1-1 + 0.9.3-4
b6f89ab
- new upstream release (#924727)
b6f89ab
1b95bc3
* Wed Mar 06 2013 Petr Lautrbach <plautrba@redhat.com> 6.1p1-7 + 0.9.3-3
1b95bc3
- use SELinux type sshd_net_t for [net] childs (#915085)
1b95bc3
2a7883d
* Thu Feb 14 2013 Petr Lautrbach <plautrba@redhat.com> 6.1p1-6 + 0.9.3-3
2a7883d
- fix AuthorizedKeysCommand option
2a7883d
cab7f53
* Fri Feb 08 2013 Petr Lautrbach <plautrba@redhat.com> 6.1p1-5 + 0.9.3-3
cab7f53
- change default value of MaxStartups - CVE-2010-5107 (#908707)
cab7f53
7642de9
* Mon Dec 03 2012 Petr Lautrbach <plautrba@redhat.com> 6.1p1-4 + 0.9.3-3
7642de9
- fix segfault in openssh-5.8p2-force_krb.patch (#882541)
7642de9
790103e
* Mon Dec 03 2012 Petr Lautrbach <plautrba@redhat.com> 6.1p1-3 + 0.9.3-3
790103e
- replace RequiredAuthentications2 with AuthenticationMethods based on upstream
790103e
- obsolete RequiredAuthentications[12] options
790103e
- fix openssh-6.1p1-privsep-selinux.patch
790103e
af2ebf7
* Fri Oct 26 2012 Petr Lautrbach <plautrba@redhat.com> 6.1p1-2
af2ebf7
- add SELinux comment to /etc/ssh/sshd_config about SELinux command to modify port (#861400)
af2ebf7
- drop required chkconfig (#865498)
af2ebf7
- drop openssh-5.9p1-sftp-chroot.patch (#830237)
af2ebf7
d0630aa
* Sat Sep 15 2012 Petr Lautrbach <plautrba@redhat.com> 6.1p1-1 + 0.9.3-3
d0630aa
- new upstream release (#852651)
d0630aa
- use DIR: kerberos type cache (#848228)
d0630aa
- don't use chroot_user_t for chrooted users (#830237)
d0630aa
- replace scriptlets with systemd macros (#850249)
d0630aa
- don't use /bin and /sbin paths (#856590)
d0630aa
65ba94e
* Mon Aug 06 2012 Petr Lautrbach <plautrba@redhat.com> 6.0p1-1 + 0.9.3-2
65ba94e
- new upstream release
65ba94e
90e11f3
* Mon Aug 06 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-26 + 0.9.3-1
90e11f3
- change SELinux context also for root user (#827109)
90e11f3
b648890
* Fri Jul 27 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-25 + 0.9.3-1
b648890
- fix various issues in openssh-5.9p1-required-authentications.patch
b648890
e962030
* Tue Jul 17 2012 Tomas Mraz <tmraz@redhat.com> 5.9p1-24 + 0.9.3-1
e962030
- allow sha256 and sha512 hmacs in the FIPS mode
e962030
4f4687c
* Fri Jun 22 2012 Tomas Mraz <tmraz@redhat.com> 5.9p1-23 + 0.9.3-1
4f4687c
- fix segfault in su when pam_ssh_agent_auth is used and the ssh-agent
4f4687c
  is not running, most probably not exploitable
4f4687c
- update pam_ssh_agent_auth to 0.9.3 upstream version
4f4687c
2649d91
* Fri Apr 06 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-22 + 0.9.2-32
2649d91
- don't create RSA1 key in FIPS mode
2649d91
- don't install sshd-keygen.service (#810419)
2649d91
7294a99
* Fri Mar 30 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-21 + 0.9.2-32
7294a99
- fix various issues in openssh-5.9p1-required-authentications.patch
7294a99
22f0191
* Wed Mar 21 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-20 + 0.9.2-32
22f0191
- Fix dependencies in systemd units, don't enable sshd-keygen.service (#805338)
22f0191
33e0acc
* Wed Feb 22 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-19 + 0.9.2-32
33e0acc
- Look for x11 forward sockets with AI_ADDRCONFIG flag getaddrinfo (#735889)
33e0acc
d3ab957
* Mon Feb 06 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-18 + 0.9.2-32
d3ab957
- replace TwoFactorAuth with RequiredAuthentications[12]
d3ab957
  https://bugzilla.mindrot.org/show_bug.cgi?id=983
d3ab957
21699d5
* Tue Jan 31 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-17 + 0.9.2-32
21699d5
- run privsep slave process as the users SELinux context (#781634)
21699d5
19725a9
* Tue Dec 13 2011 Tomas Mraz <tmraz@redhat.com> 5.9p1-16 + 0.9.2-32
017c65d
- add CAVS test driver for the aes-ctr ciphers
017c65d
19725a9
* Sun Dec 11 2011 Tomas Mraz <tmraz@redhat.com> 5.9p1-15 + 0.9.2-32
6148abd
- enable aes-ctr ciphers use the EVP engines from OpenSSL such as the AES-NI
6148abd
2e12878
* Tue Dec 06 2011 Petr Lautrbach <plautrba@redhat.com> 5.9p1-14 + 0.9.2-32
2e12878
- warn about unsupported option UsePAM=no (#757545)
2e12878
4fc1674
* Mon Nov 21 2011 Tomas Mraz <tmraz@redhat.com> - 5.9p1-13 + 0.9.2-32
4fc1674
- add back the restorecon call to ssh-copy-id - it might be needed on older
4fc1674
  distributions (#739989)
4fc1674
17eb103
* Fri Nov 18 2011 Tomas Mraz <tmraz@redhat.com> - 5.9p1-12 + 0.9.2-32
17eb103
- still support /etc/sysconfig/sshd loading in sshd service (#754732)
81da99e
- fix incorrect key permissions generated by sshd-keygen script (#754779)
17eb103
0fcb25a
* Fri Oct 14 2011 Tomas Mraz <tmraz@redhat.com> - 5.9p1-11 + 0.9.2-32
0fcb25a
- remove unnecessary requires on initscripts
0fcb25a
- set VerifyHostKeyDNS to ask in the default configuration (#739856)
0fcb25a
Jan F. Chadima 28b0dc6
* Mon Sep 19 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-10 + 0.9.2-32
Jan F. Chadima 28b0dc6
- selinux sandbox rewrite
Jan F. Chadima 28b0dc6
- two factor authentication tweaking
Jan F. Chadima 28b0dc6
Jan F. Chadima cff1d0c
* Wed Sep 14 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-9 + 0.9.2-32
Jan F. Chadima cff1d0c
- coverity upgrade
Jan F. Chadima cff1d0c
- wipe off nonfunctional nss
Jan F. Chadima cff1d0c
- selinux sandbox tweaking
Jan F. Chadima cff1d0c
Jan F. Chadima c870e66
* Tue Sep 13 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-8 + 0.9.2-32
Jan F. Chadima c870e66
- coverity upgrade
Jan F. Chadima c870e66
- experimental selinux sandbox
Jan F. Chadima c870e66
JFCH c2ea13d
* Tue Sep 13 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-7 + 0.9.2-32
JFCH c2ea13d
- fully reanable auditing
JFCH c2ea13d
Jan F. Chadima 1df0cf4
* Mon Sep 12 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-6 + 0.9.2-32
Jan F. Chadima 1df0cf4
- repair signedness in akc patch
Jan F. Chadima 1df0cf4
Jan F. Chadima 026db1c
* Mon Sep 12 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-5 + 0.9.2-32
Jan F. Chadima 39b26b5
- temporarily disable part of audit4 patch
Jan F. Chadima 39b26b5
Jan F. Chadima ea97ffa
* Fri Sep  9 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-3 + 0.9.2-32
Jan F. Chadima ea97ffa
- Coverity second pass
Jan F. Chadima ea97ffa
- Reenable akc patch
Jan F. Chadima ea97ffa
Jan F. Chadima 3b545be
* Thu Sep  8 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-2 + 0.9.2-32
Jan F. Chadima 3b545be
- Coverity first pass
Jan F. Chadima 3b545be
Jan F. Chadima 311e6bb
* Wed Sep  7 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-1 + 0.9.2-32
Jan F. Chadima 311e6bb
- Rebase to 5.9p1
Jan F. Chadima 311e6bb
- Add chroot sftp patch
Jan F. Chadima 311e6bb
- Add two factor auth patch
Jan F. Chadima 311e6bb
Jan F. Chadima 19d4c79
* Tue Aug 23 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-21 + 0.9.2-31
Jan F. Chadima 19d4c79
- ignore SIGPIPE in ssh keyscan
Jan F. Chadima 19d4c79
Jan F. Chadima 2b67a53
* Tue Aug  9 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-20 + 0.9.2-31
Jan F. Chadima 2b67a53
- save ssh-askpass's debuginfo
Jan F. Chadima 2b67a53
Jan F. Chadima 56b50ec
* Mon Aug  8 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-19 + 0.9.2-31
Jan F. Chadima 56b50ec
- compile ssh-askpass with corect CFLAGS
Jan F. Chadima 56b50ec
Jan F. Chadima 54f33f6
* Mon Aug  8 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-18 + 0.9.2-31
Jan F. Chadima 54f33f6
- improve selinux's change context log 
Jan F. Chadima 54f33f6
Jan F. Chadima ec36224
* Mon Aug  8 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-17 + 0.9.2-31
Jan F. Chadima ec36224
- repair broken man pages
Jan F. Chadima ec36224
Jan F. Chadima d704eab
* Mon Jul 25 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-16 + 0.9.2-31
Jan F. Chadima ec36224
- rebuild due to broken rpmbiild
Jan F. Chadima d704eab
Jan F. Chadima 294ca75
* Thu Jul 21 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-15 + 0.9.2-31
Jan F. Chadima 294ca75
- Do not change context when run under unconfined_t
Jan F. Chadima 294ca75
Jan F. Chadima d3d3406
* Thu Jul 14 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-14 + 0.9.2-31
Jan F. Chadima 0d4fd57
- Add postlogin to pam. (#718807)
Jan F. Chadima 0d4fd57
Jan F. Chadima d56cc37
* Tue Jun 28 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-12 + 0.9.2-31
Jan F 5c8b5cb
- Systemd compatibility according to Mathieu Bridon <bochecha@fedoraproject.org>
Jan F 5c8b5cb
- Split out the host keygen into their own command, to ease future migration
Jan F 5c8b5cb
  to systemd. Compatitbility with the init script was kept.
Jan F 5c8b5cb
- Migrate the package to full native systemd unit files, according to the Fedora
Jan F 5c8b5cb
  packaging guidelines.
Jan F 5c8b5cb
- Prepate the unit files for running an ondemand server. (do not add it actually)
Jan F 5c8b5cb
Jan F 29b683c
* Tue Jun 21 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-10 + 0.9.2-31
Jan F 29b683c
- Mention IPv6 usage in man pages
Jan F 29b683c
Jan F d3542d5
* Mon Jun 20 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-9 + 0.9.2-31
Jan F ef264f5
- Improve init script
Jan F ef264f5
Jan F 6bd5ca2
* Thu Jun 16 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-7 + 0.9.2-31
Jan F 6bd5ca2
- Add possibility to compile openssh without downstream patches
Jan F 6bd5ca2
Jan F. Chadima 6a2cfe2
* Thu Jun  9 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-6 + 0.9.2-31
Jan F. Chadima 6a2cfe2
- remove stale control sockets (#706396)
Jan F. Chadima 6a2cfe2
Jan F bc60f31
* Tue May 31 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-5 + 0.9.2-31
Jan F bc60f31
- improove entropy manuals
Jan F bc60f31
Jan F 0e9135f
* Fri May 27 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-4 + 0.9.2-31
Jan F 0e9135f
- improove entropy handling
Jan F 0e9135f
- concat ldap patches
Jan F 0e9135f
Jan F ba32c8e
* Tue May 24 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-3 + 0.9.2-31
Jan F ba32c8e
- improove ldap manuals
Jan F ba32c8e
Jan F 5b4ccb3
* Mon May 23 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-2 + 0.9.2-31
Jan F 5b4ccb3
- add gssapi forced command
Jan F 5b4ccb3
Jan F 87ae976
* Tue May  3 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-1 + 0.9.2-31
Jan F c2c99d4
- update the openssh version
Jan F 87ae976
Jan F c0cd660
* Thu Apr 28 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-34 + 0.9.2-30
Jan F c0cd660
- temporarily disabling systemd units
Jan F c0cd660
Jan F 9c4d06a
* Wed Apr 27 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-33 + 0.9.2-30
Jan F 9c4d06a
- add flags AI_V4MAPPED and AI_ADDRCONFIG to getaddrinfo
Jan F 9c4d06a
Jan F 6077c76
* Tue Apr 26 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-32 + 0.9.2-30
Jan F 2cd304e
- update scriptlets
Jan F 2cd304e
Jan F 56091ff
* Fri Apr 22 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-30 + 0.9.2-30
Jan F 53f618d
- add systemd units
Jan F 53f618d
Jan F 53f618d
* Fri Apr 22 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-28 + 0.9.2-30
Jan F e93cf27
- improving sshd -> passwd transation
Jan F 0e46f27
- add template for .local domain to sshd_config
Jan F e93cf27
Jan F 1ddd0ee
* Thu Apr 21 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-27 + 0.9.2-30
Jan F 1ddd0ee
- the private keys may be 640 root:ssh_keys ssh_keysign is sgid
Jan F 1ddd0ee
Jan F c7ffe02
* Wed Apr 20 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-26 + 0.9.2-30
Jan F c7ffe02
- improving sshd -> passwd transation
Jan F c7ffe02
Jan F 439c349
* Tue Apr  5 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-25 + 0.9.2-30
Jan F 8bc65c4
- the intermediate context is set to sshd_sftpd_t
Jan F 8bc65c4
- do not crash in packet.c if no connection
Jan F 8bc65c4
Jan F 8a77a1d
* Thu Mar 31 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-24 + 0.9.2-30
Jan F 8a77a1d
- resolve warnings in port_linux.c
Jan F 8a77a1d
Jan F 11896aa
* Tue Mar 29 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-23 + 0.9.2-30
Jan F 11896aa
- add /etc/sysconfig/sshd
Jan F 11896aa
Jan F 0553df8
* Mon Mar 28 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-22 + 0.9.2-30
Jan F 0553df8
- improve reseeding and seed source (documentation)
Jan F e6d33e3
Jan F 39c7b05
* Tue Mar 22 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-20 + 0.9.2-30
Jan F 3657adf
- use /dev/random or /dev/urandom for seeding prng
Jan F 39c7b05
- improve periodical reseeding of random generator
Jan F 3657adf
Jan F 8fe1509
* Thu Mar 17 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-18 + 0.9.2-30
Jan F 8fe1509
- add periodical reseeding of random generator 
Jan F 8fe1509
- change selinux contex for internal sftp in do_usercontext
Jan F 8fe1509
- exit(0) after sigterm
Jan F 8fe1509
Jan F 9404cdd
* Thu Mar 10 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-17 + 0.9.2-30
Jan F 9404cdd
- improove ssh-ldap (documentation)
Jan F 9404cdd
Jan F d1fc5c2
* Tue Mar  8 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-16 + 0.9.2-30
Jan F d1fc5c2
- improve session keys audit
Jan F d1fc5c2
Jan F 71d3d9c
* Mon Mar  7 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-15 + 0.9.2-30
Jan F 71d3d9c
- CVE-2010-4755
Jan F 71d3d9c
Jan F 825921b
* Fri Mar  4 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-14 + 0.9.2-30
Jan F 9404cdd
- improove ssh-keycat (documentation)
Jan F 825921b
Jan F edc1723
* Thu Mar  3 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-13 + 0.9.2-30
Jan F edc1723
- improve audit of logins and auths
Jan F edc1723
Jan F 1499a28
* Tue Mar  1 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-12 + 0.9.2-30
Jan F 1499a28
- improove ssk-keycat
Jan F 1499a28
Jan F 99f4276
* Mon Feb 28 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-11 + 0.9.2-30
Jan F 99f4276
- add ssk-keycat
Jan F 99f4276
Jan F b934981
* Fri Feb 25 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-10 + 0.9.2-30
Jan F b934981
- reenable auth-keys ldap backend
Jan F b934981
Jan F 48446f1
* Fri Feb 25 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-9 + 0.9.2-30
Jan F 48446f1
- another audit improovements
Jan F 48446f1
Jan F f9ff105
* Thu Feb 24 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-8 + 0.9.2-30
Jan F 9cefae0
- another audit improovements
Jan F 48446f1
- switchable fingerprint mode
Jan F 9cefae0
Jan F 2c1a4ad
* Thu Feb 17 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-4 + 0.9.2-30
Jan F 48446f1
- improve audit of server key management
Jan F 2c1a4ad
Jan F b9127ef
* Wed Feb 16 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-3 + 0.9.2-30
Jan F 483c733
- improve audit of logins and auths
Jan F 483c733
Jan F 003cb0b
* Mon Feb 14 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-1 + 0.9.2-30
Jan F 003cb0b
- bump openssh version to 5.8p1
Jan F 003cb0b
fa335ee
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.6p1-30.1
fa335ee
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
fa335ee
Jan F cfb0f30
* Mon Feb  7 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-30 + 0.9.2-29
Jan F cfb0f30
- clean the data structures in the non privileged process
Jan F 865391f
- clean the data structures when roaming
Jan F 865391f
19725a9
* Wed Feb  2 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-28 + 0.9.2-29
Jan F 6f93166
- clean the data structures in the privileged process
Jan F 6f93166
Jan F f00e4a3
* Tue Jan 25 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-25 + 0.9.2-29
Jan F f00e4a3
- clean the data structures before exit net process
Jan F f00e4a3
Jan F af87384
* Mon Jan 17 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-24 + 0.9.2-29
Jan F af87384
- make audit compatible with the fips mode
Jan F af87384
Jan F 92eab14
* Fri Jan 14 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-23 + 0.9.2-29
Jan F 92eab14
- add audit of destruction the server keys
Jan F 92eab14
Jan F 5c20fa8
* Wed Jan 12 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-22 + 0.9.2-29
Jan F 5c20fa8
- add audit of destruction the session keys
Jan F 5c20fa8
Jan F. Chadima a7cb7d2
* Fri Dec 10 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-21 + 0.9.2-29
Jan F. Chadima a7cb7d2
- reenable run sshd as non root user
Jan F. Chadima a7cb7d2
- renable rekeying
Jan F. Chadima a7cb7d2
Jan F 436639a
* Wed Nov 24 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-20 + 0.9.2-29
Jan F 436639a
- reapair clientloop crash (#627332)
Jan F bb5eb00
- properly restore euid in case connect to the ssh-agent socket fails
Jan F bb5eb00
Jan F. Chadima d2ed53b
* Mon Nov 22 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-19 + 0.9.2-28
Jan F. Chadima d2ed53b
- striped read permissions from suid and sgid binaries
Jan F. Chadima d2ed53b
Jan F 7c53d7e
* Mon Nov 15 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-18 + 0.9.2-27
Jan F 7c53d7e
- used upstream version of the biguid patch
Jan F 7c53d7e
Jan F 82036ab
* Mon Nov 15 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-17 + 0.9.2-27
Jan F 82036ab
- improoved kuserok patch
Jan F 82036ab
Jan F 5daee12
* Fri Nov  5 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-16 + 0.9.2-27
Jan F 5daee12
- add auditing the host based key ussage
Jan F 5daee12
- repait X11 abstract layer socket (#648896)
Jan F 5daee12
Jan F. Chadima f44bdee
* Wed Nov  3 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-15 + 0.9.2-27
Jan F. Chadima f44bdee
- add auditing the kex result
Jan F. Chadima f44bdee
19725a9
* Tue Nov  2 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-14 + 0.9.2-27
Jan F 0f4c82e
- add auditing the key ussage
Jan F 0f4c82e
19725a9
* Wed Oct 20 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-12 + 0.9.2-27
Jan F 2d0bc8b
- update gsskex patch (#645389)
Jan F 2d0bc8b
Jan F ba25ecf
* Wed Oct 20 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-11 + 0.9.2-27
Jan F ba25ecf
- rebase linux audit according to upstream
Jan F ba25ecf
Jan F. Chadima cf74d50
* Fri Oct  1 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-10 + 0.9.2-27
Jan F. Chadima cf74d50
- add missing headers to linux audit
Jan F. Chadima cf74d50
Jan F faae1e8
* Wed Sep 29 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-9 + 0.9.2-27
Jan F faae1e8
- audit module now uses openssh audit framevork
Jan F faae1e8
Jan F 46c77f5
* Wed Sep 15 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-8 + 0.9.2-27
Jan F 46c77f5
- Add the GSSAPI kuserok switch to the kuserok patch
Jan F 46c77f5
Jan F 4c4aa13
* Wed Sep 15 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-7 + 0.9.2-27
Jan F 4c4aa13
- Repaired the kuserok patch
Jan F 4c4aa13
Jan F ce0606e
* Mon Sep 13 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-6 + 0.9.2-27
Jan F ce0606e
- Repaired the problem with puting entries with very big uid into lastlog
Jan F ce0606e
Jan F 84d568a
* Mon Sep 13 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-5 + 0.9.2-27
Jan F 84d568a
- Merging selabel patch with the upstream version. (#632914)
Jan F 84d568a
Jan F 93909d9
* Mon Sep 13 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-4 + 0.9.2-27
Jan F 84d568a
- Tweaking selabel patch to work properly without selinux rules loaded. (#632914)
Jan F 93909d9
13fa787
* Wed Sep  8 2010 Tomas Mraz <tmraz@redhat.com> - 5.6p1-3 + 0.9.2-27
13fa787
- Make fipscheck hmacs compliant with FHS - requires new fipscheck
13fa787
Jan F f7e15d5
* Fri Sep  3 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-2 + 0.9.2-27
Jan F f7e15d5
- Added -z relro -z now to LDFLAGS
Jan F f7e15d5
Jan F. Chadima c6801b9
* Fri Sep  3 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-1 + 0.9.2-27
Jan F. Chadima c6801b9
- Rebased to openssh5.6p1
Jan F. Chadima c6801b9
7818e56
* Wed Jul  7 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-18 + 0.9.2-26
7818e56
- merged with newer bugzilla's version of authorized keys command patch
7818e56
eb358aa
* Wed Jun 30 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-17 + 0.9.2-26
eb358aa
- improved the x11 patch according to upstream (#598671)
eb358aa
19725a9
* Fri Jun 25 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-16 + 0.9.2-26
a3dee6b
- improved the x11 patch (#598671)
a3dee6b
41a56c5
* Thu Jun 24 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-15 + 0.9.2-26
41a56c5
- changed _PATH_UNIX_X to unexistent file name (#598671)
41a56c5
411b917
* Wed Jun 23 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-14 + 0.9.2-26
411b917
- sftp works in deviceless chroot again (broken from 5.5p1-3)
411b917
59d42d3
* Tue Jun  8 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-13 + 0.9.2-26
59d42d3
- add option to switch out krb5_kuserok
59d42d3
2fd1054
* Fri May 21 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-12 + 0.9.2-26
2fd1054
- synchronize uid and gid for the user sshd
2fd1054
b1a625a
* Thu May 20 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-11 + 0.9.2-26
b1a625a
- Typo in ssh-ldap.conf(5) and ssh-ladap-helper(8)
b1a625a
99d9a39
* Fri May 14 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-10 + 0.9.2-26
99d9a39
- Repair the reference in man ssh-ldap-helper(8)
99d9a39
- Repair the PubkeyAgent section in sshd_config(5)
99d9a39
- Provide example ldap.conf
99d9a39
222d52d
* Thu May 13 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-9 + 0.9.2-26
222d52d
- Make the Ldap configuration widely compatible
222d52d
- create the aditional docs for LDAP support.
222d52d
4669c37
* Thu May  6 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-8 + 0.9.2-26
4669c37
- Make LDAP config elements TLS_CACERT and TLS_REQCERT compatiple with pam_ldap (#589360)
4669c37
b6bdf18
* Thu May  6 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-7 + 0.9.2-26
b6bdf18
- Make LDAP config element tls_checkpeer compatiple with nss_ldap (#589360)
b6bdf18
6fa4d80
* Tue May  4 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-6 + 0.9.2-26
6fa4d80
- Comment spec.file
6fa4d80
- Sync patches from upstream
6fa4d80
3fdf10c
* Mon May  3 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-5 + 0.9.2-26
3fdf10c
- Create separate ldap package
3fdf10c
- Tweak the ldap patch
3fdf10c
- Rename stderr patch properly
3fdf10c
19725a9
* Thu Apr 29 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-4 + 0.9.2-26
7e7fb42
- Added LDAP support
7e7fb42
2220e68
* Mon Apr 26 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-3 + 0.9.2-26
2220e68
- Ignore .bashrc output to stderr in the subsystems
2220e68
9e777a2
* Tue Apr 20 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-2 + 0.9.2-26
9e777a2
- Drop dependency on man
9e777a2
82bc825
* Fri Apr 16 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-1 + 0.9.2-26
82bc825
- Update to 5.5p1
82bc825
b823409
* Fri Mar 12 2010 Jan F. Chadima <jchadima@redhat.com> - 5.4p1-3 + 0.9.2-25
50a3ddb
- repair configure script of pam_ssh_agent
b823409
- repair error mesage in ssh-keygen
50a3ddb
2640293
* Fri Mar 12 2010 Jan F. Chadima <jchadima@redhat.com> - 5.4p1-2
2640293
- source krb5-devel profile script only if exists
2640293
d1a73d1
* Tue Mar  9 2010 Jan F. Chadima <jchadima@redhat.com> - 5.4p1-1
d1a73d1
- Update to 5.4p1
04cab1d
- discontinued support for nss-keys
04cab1d
- discontinued support for scard
d1a73d1
974c89c
* Wed Mar  3 2010 Jan F. Chadima <jchadima@redhat.com> - 5.4p1-0.snap20100302.1
974c89c
- Prepare update to 5.4p1
974c89c
806a11f
* Mon Feb 15 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-22
806a11f
- ImplicitDSOLinking (#564824)
806a11f
a2a0cf4
* Fri Jan 29 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-21
a2a0cf4
- Allow to use hardware crypto if awailable (#559555)
a2a0cf4
606b55d
* Mon Jan 25 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-20
606b55d
- optimized FD_CLOEXEC on accept socket (#541809)
606b55d
7451555
* Mon Jan 25 2010 Tomas Mraz <tmraz@redhat.com> - 5.3p1-19
7451555
- updated pam_ssh_agent_auth to new version from upstream (just
7451555
  a licence change)
7451555
e39eb5b
* Thu Jan 21 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-18
e39eb5b
- optimized RAND_cleanup patch (#557166)
e39eb5b
28355b8
* Wed Jan 20 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-17
28355b8
- add RAND_cleanup at the exit of each program using RAND (#557166)
28355b8
3131004
* Tue Jan 19 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-16
3131004
- set FD_CLOEXEC on accepted socket (#541809)
3131004
37c0ae0
* Fri Jan  8 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-15
b8bdc7c
- replaced define by global in macros
b8bdc7c
9051e57
* Tue Jan  5 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-14
9051e57
- Update the pka patch
9051e57
ecd50fd
* Mon Dec 21 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-13
ecd50fd
- Update the audit patch
ecd50fd
c32d4ac
* Fri Dec  4 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-12
c32d4ac
- Add possibility to autocreate only RSA key into initscript (#533339)
c32d4ac
6323f67
* Fri Nov 27 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-11
6323f67
- Prepare NSS key patch for future SEC_ERROR_LOCKED_PASSWORD (#537411)
6323f67
0a64234
* Tue Nov 24 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-10
0a64234
- Update NSS key patch (#537411, #356451)
0a64234
0a64234
* Fri Nov 20 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-9
3d742c1
- Add gssapi key exchange patch (#455351)
3d742c1
3d742c1
* Fri Nov 20 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-8
201f4ac
- Add public key agent patch (#455350)
201f4ac
d2767e5
* Mon Nov  2 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-7
d2767e5
- Repair canohost patch to allow gssapi to work when host is acessed via pipe proxy (#531849)
d2767e5
5fb555b
* Thu Oct 29 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-6
5fb555b
- Modify the init script to prevent it to hang during generating the keys (#515145)
5fb555b
838d936
* Tue Oct 27 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-5
838d936
- Add README.nss
838d936
e47cb00
* Mon Oct 19 2009 Tomas Mraz <tmraz@redhat.com> - 5.3p1-4
e47cb00
- Add pam_ssh_agent_auth module to a subpackage.
e47cb00
2ed3f9b
* Fri Oct 16 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-3
2ed3f9b
- Reenable audit.
2ed3f9b
c54a8b0
* Fri Oct  2 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-2
35695c0
- Upgrade to new wersion 5.3p1
35695c0
71e8744
* Tue Sep 29 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-29
71e8744
- Resolve locking in ssh-add (#491312)
71e8744
f013bee
* Thu Sep 24 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-28
cee78eb
- Repair initscript to be acord to guidelines (#521860)
cee78eb
- Add bugzilla# to application of edns and xmodifiers patch
cee78eb
4330e6a
* Wed Sep 16 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-26
4330e6a
- Changed pam stack to password-auth
4330e6a
0447c9e
* Fri Sep 11 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-25
0447c9e
- Dropped homechroot patch
0447c9e
257d66a
* Mon Sep  7 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-24
257d66a
- Add check for nosuid, nodev in homechroot
257d66a
49d0cf7
* Tue Sep  1 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-23
49d0cf7
- add correct patch for ip-opts
49d0cf7
bd8eb96
* Tue Sep  1 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-22
bd8eb96
- replace ip-opts patch by an upstream candidate version
bd8eb96
ce94dae
* Mon Aug 31 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-21
726565c
- rearange selinux patch to be acceptable for upstream
726565c
- replace seftp patch by an upstream version
726565c
15914f2
* Fri Aug 28 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-20
15914f2
- merged xmodifiers to redhat patch
15914f2
- merged gssapi-role to selinux patch
15914f2
- merged cve-2007_3102 to audit patch
15914f2
- sesftp patch only with WITH_SELINUX flag
56bb420
- rearange sesftp patch according to upstream request
15914f2
214b7b9
* Wed Aug 26 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-19
214b7b9
- minor change in sesftp patch
214b7b9
80bcb17
* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 5.2p1-18
80bcb17
- rebuilt with new openssl
80bcb17
986cee7
* Thu Jul 30 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-17
cee78eb
- Added dnssec support. (#205842)
986cee7
42c5391
* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.2p1-16
42c5391
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
42c5391
aa89838
* Fri Jul 24 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-15
aa89838
- only INTERNAL_SFTP can be home-chrooted
aa89838
- save _u and _r parts of context changing to sftpd_t
aa89838
3d6b00a
* Fri Jul 17 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-14
3d6b00a
- changed internal-sftp context to sftpd_t
3d6b00a
3d6b00a
* Fri Jul  3 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-13
3d6b00a
- changed home length path patch to upstream version
3d6b00a
3d6b00a
* Tue Jun 30 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-12
ca05b36
- create '~/.ssh/known_hosts' within proper context
ca05b36
f4b0b4b
* Mon Jun 29 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-11
f4b0b4b
- length of home path in ssh now limited by PATH_MAX
ca05b36
- correct timezone with daylight processing
f4b0b4b
eca05fc
* Sat Jun 27 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-10
eca05fc
- final version chroot %%h (sftp only)
eca05fc
c1398b8
* Tue Jun 23 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-9
c1398b8
- repair broken ls in chroot %%h
c1398b8
ecd8460
* Fri Jun 12 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-8
cee78eb
- add XMODIFIERS to exported environment (#495690)
e45f2ca
76f329e
* Fri May 15 2009 Tomas Mraz <tmraz@redhat.com> - 5.2p1-6
76f329e
- allow only protocol 2 in the FIPS mode
76f329e
685b623
* Thu Apr 30 2009 Tomas Mraz <tmraz@redhat.com> - 5.2p1-5
685b623
- do integrity verification only on binaries which are part
685b623
  of the OpenSSH FIPS modules
685b623
0a4fa5d
* Mon Apr 20 2009 Tomas Mraz <tmraz@redhat.com> - 5.2p1-4
0a4fa5d
- log if FIPS mode is initialized
0a4fa5d
- make aes-ctr cipher modes work in the FIPS mode
0a4fa5d
061e214
* Fri Apr  3 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-3
061e214
- fix logging after chroot
3a94ae1
- enable non root users to use chroot %%h in internal-sftp
061e214
0f07b4a
* Fri Mar 13 2009 Tomas Mraz <tmraz@redhat.com> - 5.2p1-2
0f07b4a
- add AES-CTR ciphers to the FIPS mode proposal
0f07b4a
0f07b4a
* Mon Mar  9 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-1
a3ba41c
- upgrade to new upstream release
a3ba41c
c5f25a5
* Thu Feb 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.1p1-8
c5f25a5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
c5f25a5
d93958d
* Thu Feb 12 2009 Tomas Mraz <tmraz@redhat.com> - 5.1p1-7
d93958d
- drop obsolete triggers
d93958d
- add testing FIPS mode support
d93958d
- LSBize the initscript (#247014)
d93958d
ff6d597
* Fri Jan 30 2009 Tomas Mraz <tmraz@redhat.com> - 5.1p1-6
ff6d597
- enable use of ssl engines (#481100)
ff6d597
6a5e296
* Thu Jan 15 2009 Tomas Mraz <tmraz@redhat.com> - 5.1p1-5
6a5e296
- remove obsolete --with-rsh (#478298)
6a5e296
- add pam_sepermit to allow blocking confined users in permissive mode
6a5e296
  (#471746)
6a5e296
- move system-auth after pam_selinux in the session stack
6a5e296
9e5c6ec
* Thu Dec 11 2008 Tomas Mraz <tmraz@redhat.com> - 5.1p1-4
9e5c6ec
- set FD_CLOEXEC on channel sockets (#475866)
9e5c6ec
- adjust summary
9e5c6ec
- adjust nss-keys patch so it is applicable without selinux patches (#470859)
9e5c6ec
b9a07ad
* Fri Oct 17 2008 Tomas Mraz <tmraz@redhat.com> - 5.1p1-3
b9a07ad
- fix compatibility with some servers (#466818)
b9a07ad
578f0d0
* Thu Jul 31 2008 Tomas Mraz <tmraz@redhat.com> - 5.1p1-2
578f0d0
- fixed zero length banner problem (#457326)
578f0d0
93a4744
* Wed Jul 23 2008 Tomas Mraz <tmraz@redhat.com> - 5.1p1-1
93a4744
- upgrade to new upstream release
93a4744
- fixed a problem with public key authentication and explicitely
93a4744
  specified SELinux role
93a4744
077dad7
* Wed May 21 2008 Tomas Mraz <tmraz@redhat.com> - 5.0p1-3
077dad7
- pass the connection socket to ssh-keysign (#447680)
077dad7
1961bc1
* Mon May 19 2008 Tomas Mraz <tmraz@redhat.com> - 5.0p1-2
1961bc1
- add LANGUAGE to accepted/sent environment variables (#443231)
1961bc1
- use pam_selinux to obtain the user context instead of doing it itself
1961bc1
- unbreak server keep alive settings (patch from upstream)
1961bc1
- small addition to scp manpage
1961bc1
ca47f63
* Mon Apr  7 2008 Tomas Mraz <tmraz@redhat.com> - 5.0p1-1
ca47f63
- upgrade to new upstream (#441066)
ca47f63
- prevent initscript from killing itself on halt with upstart (#438449)
ca47f63
- initscript status should show that the daemon is running
ca47f63
  only when the main daemon is still alive (#430882)
ca47f63
ca47f63
* Thu Mar  6 2008 Tomas Mraz <tmraz@redhat.com> - 4.7p1-10
ca47f63
- fix race on control master and cleanup stale control socket (#436311)
ca47f63
  patches by David Woodhouse
ca47f63
2cb0e73
* Fri Feb 29 2008 Tomas Mraz <tmraz@redhat.com> - 4.7p1-9
2cb0e73
- set FD_CLOEXEC on client socket
2cb0e73
- apply real fix for window size problem (#286181) from upstream
2cb0e73
- apply fix for the spurious failed bind from upstream
2cb0e73
- apply open handle leak in sftp fix from upstream
2cb0e73
91bdf49
* Tue Feb 12 2008 Dennis Gilmore <dennis@ausil.us> - 4.7p1-8
91bdf49
- we build for sparcv9 now  and it needs -fPIE
91bdf49
993dd1a
* Thu Jan  3 2008 Tomas Mraz <tmraz@redhat.com> - 4.7p1-7
993dd1a
- fix gssapi auth with explicit selinux role requested (#427303) - patch
993dd1a
  by Nalin Dahyabhai
993dd1a
3457e3e
* Tue Dec  4 2007 Tomas Mraz <tmraz@redhat.com> - 4.7p1-6
2cc09c6
- explicitly source krb5-devel profile script
3457e3e
3457e3e
* Tue Dec 04 2007 Release Engineering <rel-eng at fedoraproject dot org> - 4.7p1-5
3457e3e
- Rebuild for openssl bump
9eac427
b1ffa00
* Tue Nov 20 2007 Tomas Mraz <tmraz@redhat.com> - 4.7p1-4
8b8c4dc
- do not copy /etc/localtime into the chroot as it is not
8b8c4dc
  necessary anymore (#193184)
8b8c4dc
- call setkeycreatecon when selinux context is established
8b8c4dc
- test for NULL privk when freeing key (#391871) - patch by
8b8c4dc
  Pierre Ossman
8b8c4dc
95be083
* Mon Sep 17 2007 Tomas Mraz <tmraz@redhat.com> - 4.7p1-2
95be083
- revert default window size adjustments (#286181)
95be083
c9833c9
* Thu Sep  6 2007 Tomas Mraz <tmraz@redhat.com> - 4.7p1-1
c9833c9
- upgrade to latest upstream
c9833c9
- use libedit in sftp (#203009)
c9833c9
- fixed audit log injection problem (CVE-2007-3102)
c9833c9
f370730
* Thu Aug  9 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-8
f370730
- fix sftp client problems on write error (#247802)
f370730
- allow disabling autocreation of server keys (#235466)
f370730
c3274cc
* Wed Jun 20 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-7
c3274cc
- experimental NSS keys support
c3274cc
- correctly setup context when empty level requested (#234951)
c3274cc
7210c01
* Tue Mar 20 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-6
7210c01
- mls level check must be done with default role same as requested
7210c01
b40baab
* Mon Mar 19 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-5
b40baab
- make profile.d/gnome-ssh-askpass.* regular files (#226218)
b40baab
19725a9
* Tue Feb 27 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-4
546fdd9
- reject connection if requested mls range is not obtained (#229278)
546fdd9
19725a9
* Thu Feb 22 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-3
9d725bd
- improve Buildroot
9d725bd
- remove duplicate /etc/ssh from files
9d725bd
c2b35d0
* Tue Jan 16 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-2
c2b35d0
- support mls on labeled networks (#220487)
c2b35d0
- support mls level selection on unlabeled networks
c2b35d0
- allow / in usernames in scp (only beginning /, ./, and ../ is special) 
c2b35d0
ad07b99
* Thu Dec 21 2006 Tomas Mraz <tmraz@redhat.com> - 4.5p1-1
ad07b99
- update to 4.5p1 (#212606)
ad07b99
914284f
* Thu Nov 30 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-14
914284f
- fix gssapi with DNS loadbalanced clusters (#216857)
914284f
d63dc67
* Tue Nov 28 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-13
d63dc67
- improved pam_session patch so it doesn't regress, the patch is necessary
d63dc67
  for the pam_session_close to be called correctly as uid 0
d63dc67
ad61b11
* Fri Nov 10 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-12
ad61b11
- CVE-2006-5794 - properly detect failed key verify in monitor (#214641)
ad61b11
19675af
* Thu Nov  2 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-11
19675af
- merge sshd initscript patches
19675af
- kill all ssh sessions when stop is called in halt or reboot runlevel
19675af
- remove -TERM option from killproc so we don't race on sshd restart
19675af
7114c42
* Mon Oct  2 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-10
7114c42
- improve gssapi-no-spnego patch (#208102)
7114c42
- CVE-2006-4924 - prevent DoS on deattack detector (#207957)
7114c42
- CVE-2006-5051 - don't call cleanups from signal handler (#208459)
7114c42
ac4818c
* Wed Aug 23 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-9
ac4818c
- don't report duplicate syslog messages, use correct local time (#189158)
ac4818c
- don't allow spnego as gssapi mechanism (from upstream)
ac4818c
- fixed memleaks found by Coverity (from upstream)
ac4818c
- allow ip options except source routing (#202856) (patch by HP)
ac4818c
c12d6ba
* Tue Aug  8 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-8
c12d6ba
- drop the pam-session patch from the previous build (#201341)
c12d6ba
- don't set IPV6_V6ONLY sock opt when listening on wildcard addr (#201594)
c12d6ba
762e407
* Thu Jul 20 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-7
762e407
- dropped old ssh obsoletes
762e407
- call the pam_session_open/close from the monitor when privsep is
762e407
  enabled so it is always called as root (patch by Darren Tucker)
762e407
ef32423
* Mon Jul 17 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-6
ef32423
- improve selinux patch (by Jan Kiszka)
ef32423
- upstream patch for buffer append space error (#191940)
ef32423
- fixed typo in configure.ac (#198986)
ef32423
- added pam_keyinit to pam configuration (#198628)
ef32423
- improved error message when askpass dialog cannot grab
ef32423
  keyboard input (#198332)
ef32423
- buildrequires xauth instead of xorg-x11-xauth
ef32423
- fixed a few rpmlint warnings
ef32423
d446e97
* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 4.3p2-5.1
d446e97
- rebuild
d446e97
7e1c558
* Fri Apr 14 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-5
7e1c558
- don't request pseudoterminal allocation if stdin is not tty (#188983)
7e1c558
5f29aca
* Thu Mar  2 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-4
5f29aca
- allow access if audit is not compiled in kernel (#183243)
5f29aca
e01ed66
* Fri Feb 24 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-3
e01ed66
- enable the subprocess in chroot to send messages to system log
e01ed66
- sshd should prevent login if audit call fails
e01ed66
b5e849f
* Tue Feb 21 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-2
b5e849f
- print error from scp if not remote (patch by Bjorn Augustsson #178923)
b5e849f
f16d34e
* Mon Feb 13 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-1
f16d34e
- new version
f16d34e
3de0ff3
* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 4.3p1-2.1
3de0ff3
- bump again for double-long bug on ppc(64)
3de0ff3
f223ebd
* Mon Feb  6 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p1-2
f223ebd
- fixed another place where syslog was called in signal handler
f223ebd
- pass locale environment variables to server, accept them there (#179851)
f223ebd
fd638ab
* Wed Feb  1 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p1-1
fd638ab
- new version, dropped obsolete patches
fd638ab
bb93ea2
* Tue Dec 20 2005 Tomas Mraz <tmraz@redhat.com> - 4.2p1-10
bb93ea2
- hopefully make the askpass dialog less confusing (#174765)
bb93ea2
6e3ae48
* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
6e3ae48
- rebuilt
6e3ae48
09d7e68
* Tue Nov 22 2005 Tomas Mraz <tmraz@redhat.com> - 4.2p1-9
09d7e68
- drop x11-ssh-askpass from the package
09d7e68
- drop old build_6x ifs from spec file
09d7e68
- improve gnome-ssh-askpass so it doesn't reveal number of passphrase 
09d7e68
  characters to person looking at the display
09d7e68
- less hackish fix for the __USE_GNU problem
09d7e68
05c945b
* Fri Nov 18 2005 Nalin Dahyabhai <nalin@redhat.com> - 4.2p1-8
05c945b
- work around missing gccmakedep by wrapping makedepend in a local script
db25651
- remove now-obsolete build dependency on "xauth"
05c945b
d40b8ce
* Thu Nov 17 2005 Warren Togami <wtogami@redhat.com> - 4.2p1-7
19e22ad
- xorg-x11-devel -> libXt-devel
19e22ad
- rebuild for new xauth location so X forwarding works
0e58628
- buildreq audit-libs-devel
0e58628
- buildreq automake for aclocal
0e58628
- buildreq imake for xmkmf
0e58628
-  -D_GNU_SOURCE in flags in order to get it to build
0e58628
   Ugly hack to workaround openssh defining __USE_GNU which is
0e58628
   not allowed and causes problems according to Ulrich Drepper
0e58628
   fix this the correct way after FC5test1
d40b8ce
35e1e0c
* Wed Nov  9 2005 Jeremy Katz <katzj@redhat.com> - 4.2p1-6
35e1e0c
- rebuild against new openssl
35e1e0c
fc72c21
* Fri Oct 28 2005 Tomas Mraz <tmraz@redhat.com> 4.2p1-5
fc72c21
- put back the possibility to skip SELinux patch
fc72c21
- add patch for user login auditing by Steve Grubb
fc72c21
5312560
* Tue Oct 18 2005 Dan Walsh <dwalsh@redhat.com> 4.2p1-4
5312560
- Change selinux patch to use get_default_context_with_rolelevel in libselinux.
5312560
0e07edf
* Thu Oct 13 2005 Tomas Mraz <tmraz@redhat.com> 4.2p1-3
0e07edf
- Update selinux patch to use getseuserbyname
0e07edf
5bab487
* Fri Oct  7 2005 Tomas Mraz <tmraz@redhat.com> 4.2p1-2
5bab487
- use include instead of pam_stack in pam config
fd638ab
- use fork+exec instead of system in scp - CVE-2006-0225 (#168167)
5bab487
- upstream patch for displaying authentication errors
5bab487
de2e7a3
* Tue Sep 06 2005 Tomas Mraz <tmraz@redhat.com> 4.2p1-1
de2e7a3
- upgrade to a new upstream version
de2e7a3
f94d8f5
* Tue Aug 16 2005 Tomas Mraz <tmraz@redhat.com> 4.1p1-5
f94d8f5
- use x11-ssh-askpass if openssh-askpass-gnome is not installed (#165207)
f94d8f5
- install ssh-copy-id from contrib (#88707)
f94d8f5
fa14815
* Wed Jul 27 2005 Tomas Mraz <tmraz@redhat.com> 4.1p1-4
fa14815
- don't deadlock on exit with multiple X forwarded channels (#152432)
fa14815
- don't use X11 port which can't be bound on all IP families (#163732)
fa14815
79c9686
* Wed Jun 29 2005 Tomas Mraz <tmraz@redhat.com> 4.1p1-3
79c9686
- fix small regression caused by the nologin patch (#161956)
79c9686
- fix race in getpeername error checking (mindrot #1054)
79c9686
9ac1c8b
* Thu Jun  9 2005 Tomas Mraz <tmraz@redhat.com> 4.1p1-2
9ac1c8b
- use only pam_nologin for nologin testing
9ac1c8b
9cf4ab1
* Mon Jun  6 2005 Tomas Mraz <tmraz@redhat.com> 4.1p1-1
9cf4ab1
- upgrade to a new upstream version
9cf4ab1
- call pam_loginuid as a pam session module
9cf4ab1
9c57713
* Mon May 16 2005 Tomas Mraz <tmraz@redhat.com> 4.0p1-3
9c57713
- link libselinux only to sshd (#157678)
9c57713
1e27c05
* Mon Apr  4 2005 Tomas Mraz <tmraz@redhat.com> 4.0p1-2
1e27c05
- fixed Local/RemoteForward in ssh_config.5 manpage
1e27c05
- fix fatal when Local/RemoteForward is used and scp run (#153258)
1e27c05
- don't leak user validity when using krb5 authentication
1e27c05
5de53f1
* Thu Mar 24 2005 Tomas Mraz <tmraz@redhat.com> 4.0p1-1
5de53f1
- upgrade to 4.0p1
5de53f1
- remove obsolete groups patch
5de53f1
Elliot Lee 683f4f3
* Wed Mar 16 2005 Elliot Lee <sopwith@redhat.com>
Elliot Lee 683f4f3
- rebuilt
Elliot Lee 683f4f3
4f9d64c
* Mon Feb 28 2005 Nalin Dahyabhai <nalin@redhat.com> 3.9p1-12
4f9d64c
- rebuild so that configure can detect that krb5_init_ets is gone now
4f9d64c
8d62bf1
* Mon Feb 21 2005 Tomas Mraz <tmraz@redhat.com> 3.9p1-11
d048f92
- don't call syslog in signal handler
8d62bf1
- allow password authentication when copying from remote
8d62bf1
  to remote machine (#103364)
d048f92
504978b
* Wed Feb  9 2005 Tomas Mraz <tmraz@redhat.com>
504978b
- add spaces to messages in initscript (#138508)
504978b
4c55a53
* Tue Feb  8 2005 Tomas Mraz <tmraz@redhat.com> 3.9p1-10
4c55a53
- enable trusted forwarding by default if X11 forwarding is 
4c55a53
  required by user (#137685 and duplicates)
4c55a53
- disable protocol 1 support by default in sshd server config (#88329)
4c55a53
- keep the gnome-askpass dialog above others (#69131)
4c55a53
5a8f6b5
* Fri Feb  4 2005 Tomas Mraz <tmraz@redhat.com>
4c55a53
- change permissions on pam.d/sshd to 0644 (#64697)
5a8f6b5
- patch initscript so it doesn't kill opened sessions if
4c55a53
  the sshd daemon isn't running anymore (#67624)
5a8f6b5
ede9e01
* Mon Jan  3 2005 Bill Nottingham <notting@redhat.com> 3.9p1-9
ede9e01
- don't use initlog
ede9e01
b562127
* Mon Nov 29 2004 Thomas Woerner <twoerner@redhat.com> 3.9p1-8.1
b562127
- fixed PIE build for all architectures
b562127
8ccaa9f
* Mon Oct  4 2004 Nalin Dahyabhai <nalin@redhat.com> 3.9p1-8
8ccaa9f
- add a --enable-vendor-patchlevel option which allows a ShowPatchLevel option
8ccaa9f
  to enable display of a vendor patch level during version exchange (#120285)
8ccaa9f
- configure with --disable-strip to build useful debuginfo subpackages
8ccaa9f
c92dff4
* Mon Sep 20 2004 Bill Nottingham <notting@redhat.com> 3.9p1-7
c92dff4
- when using gtk2 for askpass, don't buildprereq gnome-libs-devel
c92dff4
567e63c
* Tue Sep 14 2004 Nalin Dahyabhai <nalin@redhat.com> 3.9p1-6
567e63c
- build
567e63c
deb1e49
* Mon Sep 13 2004 Nalin Dahyabhai <nalin@redhat.com>
deb1e49
- disable ACSS support
deb1e49
c82df74
* Thu Sep 2 2004 Daniel Walsh <dwalsh@redhat.com> 3.9p1-5
c82df74
- Change selinux patch to use get_default_context_with_role in libselinux.
c82df74
c82df74
* Thu Sep 2 2004 Daniel Walsh <dwalsh@redhat.com> 3.9p1-4
c82df74
- Fix patch
c82df74
	* Bad debug statement.
c82df74
	* Handle root/sysadm_r:kerberos
c82df74
cvsdist 29a4bfd
* Thu Sep 2 2004 Daniel Walsh <dwalsh@redhat.com> 3.9p1-3
cvsdist 29a4bfd
- Modify Colin Walter's patch to allow specifying rule during connection
cvsdist 29a4bfd
cvsdist d7affcf
* Tue Aug 31 2004 Daniel Walsh <dwalsh@redhat.com> 3.9p1-2
cvsdist d7affcf
- Fix TTY handling for SELinux
cvsdist d7affcf
cvsdist 653818f
* Tue Aug 24 2004 Daniel Walsh <dwalsh@redhat.com> 3.9p1-1
cvsdist 653818f
- Update to upstream
cvsdist 653818f
cvsdist 5ef6073
* Sun Aug 1 2004 Alan Cox <alan@redhat.com> 3.8.1p1-5
cvsdist 5ef6073
- Apply buildreq fixup patch (#125296)
cvsdist 5ef6073
cvsdist 9d5a538
* Tue Jun 15 2004 Daniel Walsh <dwalsh@redhat.com> 3.8.1p1-4
cvsdist 9d5a538
- Clean up patch for upstream submission.
cvsdist 9d5a538
cvsdist de28cc3
* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
cvsdist de28cc3
- rebuilt
cvsdist de28cc3
cvsdist e965c75
* Wed Jun 9 2004 Daniel Walsh <dwalsh@redhat.com> 3.8.1p1-2
cvsdist e965c75
- Remove use of pam_selinux and patch selinux in directly.  
cvsdist e965c75
cvsdist ffdec57
* Mon Jun  7 2004 Nalin Dahyabhai <nalin@redhat.com> 3.8.1p1-1
cvsdist ffdec57
- request gssapi-with-mic by default but not delegation (flag day for anyone
cvsdist ffdec57
  who used previous gssapi patches)
cvsdist ffdec57
- no longer request x11 forwarding by default
cvsdist ffdec57
cvsdist 162c7f9
* Thu Jun 3 2004 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-36
cvsdist 162c7f9
- Change pam file to use open and close with pam_selinux
cvsdist 162c7f9
cvsdist ffdec57
* Tue Jun  1 2004 Nalin Dahyabhai <nalin@redhat.com> 3.8.1p1-0
cvsdist ffdec57
- update to 3.8.1p1
cvsdist ffdec57
- add workaround from CVS to reintroduce passwordauth using pam
cvsdist ffdec57
cvsdist 73e10ec
* Tue Jun 1 2004 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-35
cvsdist 73e10ec
- Remove CLOSEXEC on STDERR
cvsdist 73e10ec
cvsdist 8f87201
* Tue Mar 16 2004 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-34
cvsdist 8f87201
cvsdist 8f87201
* Wed Mar 03 2004 Phil Knirsch <pknirsch@redhat.com> 3.6.1p2-33.30.1
cvsdist 8f87201
- Built RHLE3 U2 update package.
cvsdist 8f87201
cvsdist 8f87201
* Wed Mar 3 2004 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-33
cvsdist 8f87201
- Close file descriptors on exec 
cvsdist 8f87201
cvsdist 8f87201
* Mon Mar  1 2004 Thomas Woerner <twoerner@redhat.com> 3.6.1p2-32
cvsdist 8f87201
- fixed pie build
cvsdist 8f87201
cvsdist 8f87201
* Thu Feb 26 2004 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-31
cvsdist 8f87201
- Add restorecon to startup scripts
cvsdist 8f87201
cvsdist 8f87201
* Thu Feb 26 2004 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-30
cvsdist 8f87201
- Add multiple qualified to openssh
cvsdist 8f87201
cvsdist 8f87201
* Mon Feb 23 2004 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-29
cvsdist 8f87201
- Eliminate selinux code and use pam_selinux
cvsdist 8f87201
cvsdist 8f87201
* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
cvsdist 8f87201
- rebuilt
cvsdist 8f87201
cvsdist fe98d86
* Mon Jan 26 2004 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-27
cvsdist fe98d86
- turn off pie on ppc
cvsdist fe98d86
cvsdist fe98d86
* Mon Jan 26 2004 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-26
cvsdist fe98d86
- fix is_selinux_enabled
cvsdist fe98d86
cvsdist fe98d86
* Wed Jan 14 2004 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-25
cvsdist fe98d86
- Rebuild to grab shared libselinux
cvsdist fe98d86
cvsdist fe98d86
* Wed Dec 3 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-24
cvsdist fe98d86
- turn on selinux
cvsdist fe98d86
cvsdist fe98d86
* Tue Nov 18 2003 Nalin Dahyabhai <nalin@redhat.com>
cvsdist fe98d86
- un#ifdef out code for reporting password expiration in non-privsep
cvsdist fe98d86
  mode (#83585)
cvsdist fe98d86
cvsdist fe98d86
* Mon Nov 10 2003 Nalin Dahyabhai <nalin@redhat.com>
cvsdist fe98d86
- add machinery to build with/without -fpie/-pie, default to doing so
cvsdist fe98d86
cvsdist fe98d86
* Thu Nov 06 2003 David Woodhouse <dwmw2@redhat.com> 3.6.1p2-23
cvsdist fe98d86
- Don't whinge about getsockopt failing (#109161)
cvsdist fe98d86
cvsdist fe98d86
* Fri Oct 24 2003 Nalin Dahyabhai <nalin@redhat.com>
cvsdist fe98d86
- add missing buildprereq on zlib-devel (#104558)
cvsdist fe98d86
cvsdist fe98d86
* Mon Oct 13 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-22
cvsdist fe98d86
- turn selinux off
cvsdist fe98d86
cvsdist fe98d86
* Mon Oct 13 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-21.sel
cvsdist fe98d86
- turn selinux on
cvsdist fe98d86
cvsdist fe98d86
* Fri Sep 19 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-21
cvsdist fe98d86
- turn selinux off
cvsdist fe98d86
cvsdist fe98d86
* Fri Sep 19 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-20.sel
cvsdist fe98d86
- turn selinux on
cvsdist fe98d86
cvsdist fe98d86
* Fri Sep 19 2003 Nalin Dahyabhai <nalin@redhat.com>
cvsdist fe98d86
- additional fix for apparently-never-happens double-free in buffer_free()
cvsdist fe98d86
- extend fix for #103998 to cover SSH1
cvsdist fe98d86
cvsdist fe98d86
* Wed Sep 17 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-19
cvsdist 092b0a1
- rebuild
cvsdist 092b0a1
cvsdist fe98d86
* Wed Sep 17 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-18
cvsdist 9037309
- additional buffer manipulation cleanups from Solar Designer
cvsdist 9037309
cvsdist 092b0a1
* Wed Sep 17 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-17
cvsdist 092b0a1
- turn selinux off
cvsdist 092b0a1
cvsdist 092b0a1
* Wed Sep 17 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-16.sel
cvsdist 092b0a1
- turn selinux on
cvsdist 092b0a1
cvsdist fe98d86
* Tue Sep 16 2003 Bill Nottingham <notting@redhat.com> 3.6.1p2-15
cvsdist 092b0a1
- rebuild
cvsdist 092b0a1
cvsdist fe98d86
* Tue Sep 16 2003 Bill Nottingham <notting@redhat.com> 3.6.1p2-14
cvsdist 9037309
- additional buffer manipulation fixes (CAN-2003-0695)
cvsdist 44a5d2b
cvsdist 092b0a1
* Tue Sep 16 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-13.sel
cvsdist 092b0a1
- turn selinux on
cvsdist 092b0a1
cvsdist fe98d86
* Tue Sep 16 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-12
cvsdist 092b0a1
- rebuild
cvsdist 092b0a1
cvsdist fe98d86
* Tue Sep 16 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-11
cvsdist 6eaa41e
- apply patch to store the correct buffer size in allocated buffers
cvsdist 6eaa41e
  (CAN-2003-0693)
cvsdist 6eaa41e
- skip the initial PAM authentication attempt with an empty password if
cvsdist 6eaa41e
  empty passwords are not permitted in our configuration (#103998)
cvsdist 6eaa41e
cvsdist 092b0a1
* Fri Sep 5 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-10
cvsdist 092b0a1
- turn selinux off
cvsdist 092b0a1
cvsdist 092b0a1
* Fri Sep 5 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-9.sel
cvsdist 092b0a1
- turn selinux on
cvsdist 092b0a1
cvsdist 092b0a1
* Tue Aug 26 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-8
cvsdist 092b0a1
- Add BuildPreReq gtk2-devel if gtk2
cvsdist 092b0a1
cvsdist 092b0a1
* Tue Aug 12 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-7
cvsdist 092b0a1
- rebuild
cvsdist 092b0a1
cvsdist 092b0a1
* Tue Aug 12 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-6
cvsdist 092b0a1
- modify patch which clears the supplemental group list at startup to only
cvsdist 092b0a1
  complain if setgroups() fails if sshd has euid == 0
cvsdist 092b0a1
- handle krb5 installed in %%{_prefix} or elsewhere by using krb5-config
cvsdist 092b0a1
19725a9
* Mon Jul 28 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-5
cvsdist 092b0a1
- Add SELinux patch
cvsdist 092b0a1
cvsdist 092b0a1
* Tue Jul 22 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-4
cvsdist 092b0a1
- rebuild
cvsdist 092b0a1
19725a9
* Wed Jul 16 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-3
cvsdist 092b0a1
- rebuild
cvsdist 092b0a1
19725a9
* Wed Jul 16 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-2
cvsdist 092b0a1
- rebuild
cvsdist 092b0a1
cvsdist 092b0a1
* Thu Jun  5 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-1
cvsdist 092b0a1
- update to 3.6.1p2
cvsdist 092b0a1
cvsdist 092b0a1
* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
3131004
6 rebuilt
cvsdist 092b0a1
cvsdist 092b0a1
* Mon Mar 24 2003 Florian La Roche <Florian.LaRoche@redhat.de>
cvsdist 092b0a1
- add patch for getsockopt() call to work on bigendian 64bit archs
cvsdist 6c4a0be
cvsdist 3e66bdc
* Fri Feb 14 2003 Nalin Dahyabhai <nalin@redhat.com> 3.5p1-6
cvsdist 3e66bdc
- move scp to the -clients subpackage, because it directly depends on ssh
cvsdist 3e66bdc
  which is also in -clients (#84329)
cvsdist 3e66bdc
cvsdist 3e66bdc
* Mon Feb 10 2003 Nalin Dahyabhai <nalin@redhat.com> 3.5p1-5
cvsdist 3e66bdc
- rebuild
cvsdist 3e66bdc
cvsdist 3e66bdc
* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
cvsdist 3e66bdc
- rebuilt
cvsdist 8180003
cvsdist 3e66bdc
* Tue Jan  7 2003 Nalin Dahyabhai <nalin@redhat.com> 3.5p1-3
cvsdist 8180003
- rebuild
cvsdist 8180003
cvsdist 3e66bdc
* Tue Nov 12 2002 Nalin Dahyabhai <nalin@redhat.com> 3.5p1-2
cvsdist 3e66bdc
- patch PAM configuration to use relative path names for the modules, allowing
cvsdist 3e66bdc
  us to not worry about which arch the modules are built for on multilib systems
cvsdist 3e66bdc
cvsdist 3e66bdc
* Tue Oct 15 2002 Nalin Dahyabhai <nalin@redhat.com> 3.5p1-1
cvsdist 3e66bdc
- update to 3.5p1, merging in filelist/perm changes from the upstream spec
cvsdist 3e66bdc
cvsdist 3e66bdc
* Fri Oct  4 2002 Nalin Dahyabhai <nalin@redhat.com> 3.4p1-3
cvsdist 3e66bdc
- merge
cvsdist 3e66bdc
cvsdist 3e66bdc
* Thu Sep 12 2002  Than Ngo <than@redhat.com> 3.4p1-2.1
cvsdist 3e66bdc
- fix to build on multilib systems
cvsdist 3e66bdc
cvsdist 3e66bdc
* Thu Aug 29 2002 Curtis Zinzilieta <curtisz@redhat.com> 3.4p1-2gss
cvsdist 3e66bdc
- added gssapi patches and uncommented patch here
cvsdist 8180003
cvsdist e98831d
* Wed Aug 14 2002 Nalin Dahyabhai <nalin@redhat.com> 3.4p1-2
cvsdist e98831d
- pull patch from CVS to fix too-early free in ssh-keysign (#70009)
cvsdist e98831d
cvsdist 8264e71
* Thu Jun 27 2002 Nalin Dahyabhai <nalin@redhat.com> 3.4p1-1
cvsdist 8264e71
- 3.4p1
cvsdist 8264e71
- drop anon mmap patch
cvsdist 8264e71
cvsdist 8264e71
* Tue Jun 25 2002 Nalin Dahyabhai <nalin@redhat.com> 3.3p1-2
cvsdist 8264e71
- rework the close-on-exit docs
cvsdist 8264e71
- include configuration file man pages
cvsdist 8264e71
- make use of nologin as the privsep shell optional
cvsdist 8264e71
cvsdist 8264e71
* Mon Jun 24 2002 Nalin Dahyabhai <nalin@redhat.com> 3.3p1-1
cvsdist 8264e71
- update to 3.3p1
cvsdist 8264e71
- merge in spec file changes from upstream (remove setuid from ssh, ssh-keysign)
cvsdist 8264e71
- disable gtk2 askpass
cvsdist 8264e71
- require pam-devel by filename rather than by package for erratum
cvsdist 8264e71
- include patch from Solar Designer to work around anonymous mmap failures
cvsdist 7c1cbd3
cvsdist 8264e71
* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
cvsdist 8264e71
- automated rebuild
cvsdist 7c1cbd3
cvsdist 8264e71
* Fri Jun  7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.2.3p1-3
cvsdist 8264e71
- don't require autoconf any more
cvsdist 7c1cbd3
cvsdist 8264e71
* Fri May 31 2002 Nalin Dahyabhai <nalin@redhat.com> 3.2.3p1-2
cvsdist 8264e71
- build gnome-ssh-askpass with gtk2
cvsdist 7c1cbd3
cvsdist 8264e71
* Tue May 28 2002 Nalin Dahyabhai <nalin@redhat.com> 3.2.3p1-1
cvsdist 8264e71
- update to 3.2.3p1
cvsdist 8264e71
- merge in spec file changes from upstream
cvsdist a423ec3
cvsdist 8264e71
* Fri May 17 2002 Nalin Dahyabhai <nalin@redhat.com> 3.2.2p1-1
cvsdist 8264e71
- update to 3.2.2p1
cvsdist a423ec3
cvsdist 8264e71
* Fri May 17 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-4
cvsdist a423ec3
- drop buildreq on db1-devel
cvsdist a423ec3
- require pam-devel by package name
cvsdist a423ec3
- require autoconf instead of autoconf253 again
cvsdist a423ec3
cvsdist 0c11050
* Tue Apr  2 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-3
cvsdist 0c11050
- pull patch from CVS to avoid printing error messages when some of the
cvsdist 0c11050
  default keys aren't available when running ssh-add
cvsdist 0c11050
- refresh to current revisions of Simon's patches
cvsdist 0c11050