# ---------------------------------------------------------------------------
# Build switches. Each is a 0/1 macro tested by conditionals further down.
# ---------------------------------------------------------------------------

# SELinux and audit support: enabled unless the build defines 'noselinux'.
# The same conditional in the build section also carries --with-audit=linux
# and --with-sandbox=seccomp_filter, so 'noselinux' drops those flags too.
%if 0%{?!noselinux:1}
%global WITH_SELINUX 1
%else
%global WITH_SELINUX 0
%endif

# Ask for the distribution's hardened build flags.
%global _hardened_build 1

# Fixed UID/GID for the unprivileged account that OpenSSH privilege
# separation runs as (created in the server pre scriptlet).
%global sshd_uid    74
%global sshd_gid    74

# Skip building gnome-askpass? (1=yes 0=no)
%global no_gnome_askpass 0

# Link libcrypto statically? (1=yes 0=no)
# With a static link, libcrypto fixes reach sshd only when this package is rebuilt.
%global static_libcrypto 0

# Build gnome-ssh-askpass against GTK2 rather than GNOME
%global gtk2 1

# Build position-independent executables (needs toolchain support)
%global pie 1

# Kerberos 5 support (1=yes 0=no)
%global kerberos5 1

# libedit support
%global libedit 1

# Build pam_ssh_agent_auth unless the build defines 'nopam'
%if 0%{?!nopam:1}
%global pam_ssh_agent 1
%else
%global pam_ssh_agent 0
%endif

# Command-line overrides for the askpass settings:
# rpm -ba|--rebuild --define 'skip_xxx 1'
%{?skip_gnome_askpass:%global no_gnome_askpass 1}

# Build without GTK2 on older platforms that only have GTK+
# (Red Hat Linux <= 7.2 and Red Hat Advanced Server 2.1 are examples):
# rpm -ba|--rebuild --define 'no_gtk2 1'
%{?no_gtk2:%global gtk2 0}

# Static OpenSSL link:
# rpm -ba|--rebuild --define "static_openssl 1"
%{?static_openssl:%global static_libcrypto 1}

# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 8.5p1
%global openssh_rel 2
%global pam_ssh_agent_ver 0.10.4
%global pam_ssh_agent_rel 2
Summary: An open source implementation of SSH protocol version 2
Name: openssh
Version: %{openssh_ver}
Release: %{openssh_rel}%{?dist}
URL: http://www.openssh.com/portable.html
#URL1: https://github.com/jbeverly/pam_ssh_agent_auth/

# Source0 is listed with a plain FTP location. Its integrity rests on the
# detached signature (Source1) being checked against the pinned keyring
# (Source3) by gpgv2 at the top of the prep section.
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
Source2: sshd.pam
Source3: gpgkey-736060BA.gpg
# NOTE(review): only Source0 is passed to gpgv2 in prep; no signature or
# checksum check for this tarball is visible in this spec.
Source4: https://github.com/jbeverly/pam_ssh_agent_auth/archive/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.gz
# List of files removed from the unpacked pam_ssh_agent_auth tree in prep
Source5: pam_ssh_agent-rmheaders
Source6: ssh-keycat.pam
Source7: sshd.sysconfig
Source9: sshd@.service
Source10: sshd.socket
Source11: sshd.service
Source12: sshd-keygen@.service
Source13: sshd-keygen
Source15: sshd-keygen.target
Source16: ssh-agent.service
# Downstream patch set. Several entries below carry only a "?" as provenance;
# for a package on the authentication path, each of those is worth tracing to
# a bug or upstream discussion before the next rebase.

# https://bugzilla.mindrot.org/show_bug.cgi?id=2581
Patch100: openssh-6.7p1-coverity.patch

# --- audit ---
# https://bugzilla.mindrot.org/show_bug.cgi?id=1402
# https://bugzilla.redhat.com/show_bug.cgi?id=1171248
# record pfs= field in CRYPTO_SESSION audit event
Patch200: openssh-7.6p1-audit.patch
# Audit race condition in forked child (#1310684)
Patch201: openssh-7.1p2-audit-race-condition.patch

# --- pam_ssh-agent ---
# make it build reusing the openssh sources
Patch300: pam_ssh_agent_auth-0.9.3-build.patch
# check return value of seteuid()
# https://sourceforge.net/p/pamsshagentauth/bugs/23/
Patch301: pam_ssh_agent_auth-0.10.3-seteuid.patch
# explicitly make pam callbacks visible
Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch
# update to current version of agent structure
Patch305: pam_ssh_agent_auth-0.9.3-agent_structure.patch
# remove prefixes to be able to build against current openssh library
Patch306: pam_ssh_agent_auth-0.10.2-compat.patch
# Fix NULL dereference from getpwuid() return value
# https://sourceforge.net/p/pamsshagentauth/bugs/22/
Patch307: pam_ssh_agent_auth-0.10.2-dereference.patch

# --- SELinux ---
# https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
Patch400: openssh-7.8p1-role-mls.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=781634
Patch404: openssh-6.6p1-privsep-selinux.patch
# ? (origin not recorded)
Patch502: openssh-6.6p1-keycat.patch

# https://bugzilla.mindrot.org/show_bug.cgi?id=1644
Patch601: openssh-6.6p1-allow-ip-opts.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=1893 (WONTFIX)
Patch604: openssh-6.6p1-keyperm.patch
# (drop?) https://bugzilla.mindrot.org/show_bug.cgi?id=1925
Patch606: openssh-5.9p1-ipv6man.patch
# ? (origin not recorded)
Patch607: openssh-5.8p2-sigpipe.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=1789
Patch609: openssh-7.2p2-x11.patch

# ? (origin not recorded)
Patch700: openssh-7.7p1-fips.patch
# ? (origin not recorded)
Patch702: openssh-5.1p1-askpass-progress.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=198332
Patch703: openssh-4.3p2-askpass-grab-info.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
Patch707: openssh-7.7p1-redhat.patch
# warn users for unsupported UsePAM=no (#757545)
Patch711: openssh-7.8p1-UsePAM-warning.patch
# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
Patch712: openssh-6.3p1-ctr-evp-fast.patch

# --- GSSAPI / Kerberos ---
# GSSAPI Key Exchange (RFC 4462 + RFC 8732)
# from https://github.com/openssh-gsskex/openssh-gsskex/tree/fedora/master
Patch800: openssh-8.0p1-gssapi-keyex.patch
# http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
Patch801: openssh-6.6p1-force_krb.patch
# add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843)
# CVE-2014-9278
Patch802: openssh-6.6p1-GSSAPIEnablek5users.patch
# Improve ccache handling in openssh (#991186, #1199363, #1566494)
# https://bugzilla.mindrot.org/show_bug.cgi?id=2775
Patch804: openssh-7.7p1-gssapi-new-unique.patch
# Respect k5login_directory option in krb5.conf (#1328243)
Patch805: openssh-7.2p2-k5login_directory.patch

# https://bugzilla.mindrot.org/show_bug.cgi?id=1780
Patch901: openssh-6.6p1-kuserok.patch
# Use tty allocation for a remote scp (#985650)
Patch906: openssh-6.4p1-fromto-remote.patch
# privsep_preauth: use SELinux context from selinux-policy (#1008580)
Patch916: openssh-6.6.1p1-selinux-contexts.patch
# log via monitor in chroots without /dev/log (#2681)
Patch918: openssh-6.6.1p1-log-in-chroot.patch
# scp file into non-existing directory (#1142223)
Patch919: openssh-6.6.1p1-scp-non-existing-directory.patch
# apply upstream patch and make sshd -T more consistent (#1187521)
Patch922: openssh-6.8p1-sshdT-output.patch
# Add sftp option to force mode of created files (#1191055)
Patch926: openssh-6.7p1-sftp-force-permission.patch
# make s390 use /dev/ crypto devices -- ignore closefrom
Patch939: openssh-7.2p2-s390-closefrom.patch
# Move MAX_DISPLAYS to a configuration option (#1341302)
Patch944: openssh-7.3p1-x11-max-displays.patch
# Help systemd to track the running service
Patch948: openssh-7.4p1-systemd.patch
# Pass inetd flags for SELinux down to openbsd compat level
Patch949: openssh-7.6p1-cleanup-selinux.patch
# Sandbox adjustments for s390 and audit
Patch950: openssh-7.5p1-sandbox.patch
# PKCS#11 URIs (upstream #2817, 2nd iteration)
# https://github.com/Jakuje/openssh-portable/commits/jjelen-pkcs11
# git show > ~/devel/fedora/openssh/openssh-8.0p1-pkcs11-uri.patch
Patch951: openssh-8.0p1-pkcs11-uri.patch
# Unbreak scp between two IPv6 hosts (#1620333)
Patch953: openssh-7.8p1-scp-ipv6.patch
# Mention crypto-policies in manual pages (#1668325)
Patch962: openssh-8.0p1-crypto-policies.patch
# Use OpenSSL high-level API to produce and verify signatures (#1707485)
Patch963: openssh-8.0p1-openssl-evp.patch
# Use OpenSSL KDF (#1631761)
Patch964: openssh-8.0p1-openssl-kdf.patch
# sk-dummy.so built with -fvisibility=hidden does not work
Patch965: openssh-8.2p1-visibility.patch
# Do not break X11 without IPv6
Patch966: openssh-8.2p1-x11-without-ipv6.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=3213
Patch969: openssh-8.4p1-debian-compat.patch
License: BSD
# Login shell of the sshd account created in the server pre scriptlet
Requires: /sbin/nologin

# askpass toolkit: GTK2 by default, legacy GNOME libraries otherwise
%if ! %{no_gnome_askpass}
%if %{gtk2}
BuildRequires: gtk2-devel
BuildRequires: libX11-devel
%else
BuildRequires: gnome-libs-devel
%endif
%endif

BuildRequires: autoconf, automake, perl-interpreter, perl-generators, zlib-devel
# NOTE(review): audit-libs-devel is required even when WITH_SELINUX is 0,
# although --with-audit=linux is only passed inside that conditional.
BuildRequires: audit-libs-devel >= 2.0.5
BuildRequires: util-linux, groff
BuildRequires: pam-devel
BuildRequires: openssl-devel >= 0.9.8j
BuildRequires: perl-podlators
BuildRequires: systemd-devel
BuildRequires: systemd-rpm-macros
BuildRequires: gcc make
# PKCS#11 provider support (see --with-default-pkcs11-provider in build)
BuildRequires: p11-kit-devel
# Built-in security key support (see --with-security-key-builtin in build)
BuildRequires: libfido2-devel
Recommends: p11-kit
Obsoletes: openssh-ldap < 8.3p1-4
Obsoletes: openssh-cavs < 8.4p1-5

%if %{kerberos5}
BuildRequires: krb5-devel
%endif

%if %{libedit}
BuildRequires: libedit-devel ncurses-devel
%endif

%if %{WITH_SELINUX}
Requires: libselinux >= 2.3-5
BuildRequires: libselinux-devel >= 2.3-5
Requires: audit-libs >= 1.0.8
BuildRequires: audit-libs >= 1.0.8
%endif

BuildRequires: xauth
# gpgv2 is used in prep to verify the upstream tarball signature
BuildRequires: gnupg2
# --- subpackages ---
# Every subpackage is pinned to the exact version-release of the base package,
# so client, server and helpers are always upgraded together.

%package clients
Summary: An open source SSH client applications
Requires: openssh = %{version}-%{release}
# System-wide crypto policy supplies the client algorithm defaults
Requires: crypto-policies >= 20200610-1

%package server
Summary: An open source SSH server daemon
Requires: openssh = %{version}-%{release}
# NOTE(review): the pre scriptlets also call getent and groupadd; only
# useradd is declared as a scriptlet dependency here.
Requires(pre): /usr/sbin/useradd
Requires: pam >= 1.0.1-3
Requires: crypto-policies >= 20200610-1
%{?systemd_requires}

%package keycat
Summary: A mls keycat backend for openssh
Requires: openssh = %{version}-%{release}

%package askpass
Summary: A passphrase dialog for OpenSSH and X
Requires: openssh = %{version}-%{release}

# pam_ssh_agent_auth carries its own version; its release embeds the openssh
# release so it is rebuilt and bumped together with the main package.
%package -n pam_ssh_agent_auth
Summary: PAM module for authentication with ssh-agent
Version: %{pam_ssh_agent_ver}
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}
License: BSD
cvsdist f710772
%description
cvsdist 7d7b035
SSH (Secure SHell) is a program for logging into and executing
cvsdist 7d7b035
commands on a remote machine. SSH is intended to replace rlogin and
cvsdist 7d7b035
rsh, and to provide secure encrypted communications between two
cvsdist 7d7b035
untrusted hosts over an insecure network. X11 connections and
cvsdist f710772
arbitrary TCP/IP ports can also be forwarded over the secure channel.
cvsdist f710772
cvsdist 7d7b035
OpenSSH is OpenBSD's version of the last free version of SSH, bringing
9e5c6ec
it up to date in terms of security and features.
cvsdist f710772
cvsdist f710772
This package includes the core files necessary for both the OpenSSH
cvsdist 7d7b035
client and server. To make this package useful, you should also
cvsdist f710772
install openssh-clients, openssh-server, or both.
cvsdist f710772
cvsdist f710772
%description clients
cvsdist 7d7b035
OpenSSH is a free version of SSH (Secure SHell), a program for logging
cvsdist 7d7b035
into and executing commands on a remote machine. This package includes
cvsdist 7d7b035
the clients necessary to make encrypted connections to SSH servers.
cvsdist f710772
cvsdist f710772
%description server
cvsdist 7d7b035
OpenSSH is a free version of SSH (Secure SHell), a program for logging
cvsdist 7d7b035
into and executing commands on a remote machine. This package contains
cvsdist 7d7b035
the secure shell daemon (sshd). The sshd daemon allows SSH clients to
9e5c6ec
securely connect to your SSH server.
cvsdist f710772
Jan F 99f4276
%description keycat
Jan F 99f4276
OpenSSH mls keycat is a backend for using authorized keys with
OpenSSH in MLS mode.
Jan F 99f4276
cvsdist f710772
%description askpass
cvsdist 7d7b035
OpenSSH is a free version of SSH (Secure SHell), a program for logging
cvsdist 7d7b035
into and executing commands on a remote machine. This package contains
cvsdist 7d7b035
an X11 passphrase dialog for OpenSSH.
cvsdist f710772
e47cb00
%description -n pam_ssh_agent_auth
e47cb00
This package contains a PAM module which can be used to authenticate
users using ssh keys stored in an ssh-agent. By forwarding the ssh-agent
connection, it also allows authentication against a remote ssh-agent
instance.
e47cb00
e47cb00
The module is most useful for su and sudo service stacks.
e47cb00
%prep
# Verify the upstream tarball before unpacking anything: gpgv2 checks the
# detached signature (Source1) over Source0 against the keyring shipped with
# the package (Source3), and a failed check aborts the build.
# NOTE(review): the pam_ssh_agent_auth tarball (Source4) unpacked by "-a 4"
# below is not covered by this check.
gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
%setup -q -a 4

# pam_ssh_agent_auth patches apply inside its own unpacked tree (-p2).
# Every patch in this section uses -b to keep a suffixed backup of each
# file it touches.
%if %{pam_ssh_agent}
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
%patch300 -p2 -b .psaa-build
%patch301 -p2 -b .psaa-seteuid
%patch302 -p2 -b .psaa-visibility
%patch306 -p2 -b .psaa-compat
%patch305 -p2 -b .psaa-agent
%patch307 -p2 -b .psaa-deref
# Remove duplicate headers and library files
# (the list is read from Source5 and word-split by the shell, so entries
# must not contain whitespace or glob characters)
rm -f $(cat %{SOURCE5})
popd
%endif

# OpenSSH patches. The order below is the application order and differs from
# the numeric order of the Patch tags; later patches may depend on earlier ones.
%patch400 -p1 -b .role-mls
%patch404 -p1 -b .privsep-selinux

%patch502 -p1 -b .keycat

%patch601 -p1 -b .ip-opts
%patch604 -p1 -b .keyperm
%patch606 -p1 -b .ipv6man
%patch607 -p1 -b .sigpipe
%patch609 -p1 -b .x11
%patch702 -p1 -b .progress
%patch703 -p1 -b .grab-info
%patch707 -p1 -b .redhat
%patch711 -p1 -b .log-usepam-no
%patch712 -p1 -b .evp-ctr
#
%patch800 -p1 -b .gsskex
%patch801 -p1 -b .force_krb
%patch804 -p1 -b .ccache_name
%patch805 -p1 -b .k5login
#
%patch901 -p1 -b .kuserok
%patch906 -p1 -b .fromto-remote
%patch916 -p1 -b .contexts
%patch918 -p1 -b .log-in-chroot
%patch919 -p1 -b .scp
%patch802 -p1 -b .GSSAPIEnablek5users
%patch922 -p1 -b .sshdt
%patch926 -p1 -b .sftp-force-mode
%patch939 -p1 -b .s390-dev
%patch944 -p1 -b .x11max
%patch948 -p1 -b .systemd
%patch949 -p1 -b .refactor
%patch950 -p1 -b .sandbox
%patch951 -p1 -b .pkcs11-uri
%patch953 -p1 -b .scp-ipv6
%patch962 -p1 -b .crypto-policies
%patch963 -p1 -b .openssl-evp
%patch964 -p1 -b .openssl-kdf
%patch965 -p1 -b .visibility
%patch966 -p1 -b .x11-ipv6
%patch969 -p0 -b .debian

# The audit and FIPS patches go on after the feature patches above
%patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race
%patch700 -p1 -b .fips

%patch100 -p1 -b .coverity

# Regenerate the build system for both source trees after patching
autoreconf
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
autoreconf
popd
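%build
# the -fvisibility=hidden is needed for clean build of the pam_ssh_agent_auth
# it is needed for lib(open)ssh build too since it is linked to the pam module too
CFLAGS="$RPM_OPT_FLAGS -fvisibility=hidden"; export CFLAGS

# Hardening is supplied here and by the distribution flags, not by OpenSSH's
# own configure logic: PIE plus full RELRO (-z relro -z now) are added to
# LDFLAGS below, and configure is told --with-pie=no --without-hardening so it
# does not add a second, possibly conflicting set.
%if %{pie}
%ifarch s390 s390x sparc sparcv9 sparc64
CFLAGS="$CFLAGS -fPIC"
%else
CFLAGS="$CFLAGS -fpic"
%endif
# Saved so the pam_ssh_agent_auth build (a shared module) does not get -pie.
# NOTE(review): SAVE_LDFLAGS is only set when pie is enabled; with pie 0 the
# later assignment resets LDFLAGS to an empty value.
SAVE_LDFLAGS="$LDFLAGS"
LDFLAGS="$LDFLAGS -pie -z relro -z now"

export CFLAGS
export LDFLAGS

%endif
%if %{kerberos5}
if test -r /etc/profile.d/krb5-devel.sh ; then
	source /etc/profile.d/krb5-devel.sh
fi
# Add explicit include/library paths only when Kerberos lives outside the
# system prefix; otherwise just expose the gssapi headers.
krb5_prefix=$(krb5-config --prefix)
if test "$krb5_prefix" != "%{_prefix}" ; then
	CPPFLAGS="$CPPFLAGS -I${krb5_prefix}/include -I${krb5_prefix}/include/gssapi"; export CPPFLAGS
	CFLAGS="$CFLAGS -I${krb5_prefix}/include -I${krb5_prefix}/include/gssapi"
	LDFLAGS="$LDFLAGS -L${krb5_prefix}/%{_lib}"; export LDFLAGS
else
	krb5_prefix=
	CPPFLAGS="-I%{_includedir}/gssapi"; export CPPFLAGS
	CFLAGS="$CFLAGS -I%{_includedir}/gssapi"
fi
%endif

# Security-relevant configure choices:
#  - privsep path is an empty directory under datadir (installed 0711)
#  - SELinux, Linux audit and the seccomp sandbox flag share one conditional,
#    so a 'noselinux' build passes none of the three explicitly
#  - PKCS#11 default provider and built-in security key support are enabled
%configure \
	--sysconfdir=%{_sysconfdir}/ssh \
	--libexecdir=%{_libexecdir}/openssh \
	--datadir=%{_datadir}/openssh \
	--with-default-path=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin \
	--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
	--with-privsep-path=%{_datadir}/empty.sshd \
	--disable-strip \
	--without-zlib-version-check \
	--with-ssl-engine \
	--with-ipaddr-display \
	--with-pie=no \
	--without-hardening `# The hardening flags are configured by system` \
	--with-systemd \
	--with-default-pkcs11-provider=yes \
	--with-security-key-builtin=yes \
	--with-pam \
%if %{WITH_SELINUX}
	--with-selinux --with-audit=linux \
	--with-sandbox=seccomp_filter \
%endif
%if %{kerberos5}
	--with-kerberos5${krb5_prefix:+=${krb5_prefix}} \
%else
	--without-kerberos5 \
%endif
%if %{libedit}
	--with-libedit
%else
	--without-libedit
%endif

%if %{static_libcrypto}
# Swap the dynamic libcrypto reference for the static archive
perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
%endif

%make_build

# Define a variable to toggle gnome1/gtk2 building.  This is necessary
# because RPM doesn't handle nested %%if statements.
%if %{gtk2}
	gtk2=yes
%else
	gtk2=no
%endif

%if ! %{no_gnome_askpass}
pushd contrib
if [ "$gtk2" = yes ] ; then
	CFLAGS="$CFLAGS %{?__global_ldflags}" \
	    make gnome-ssh-askpass2
	mv gnome-ssh-askpass2 gnome-ssh-askpass
else
	# The trailing backslash keeps the extra flags scoped to this one make
	# invocation, as in the GTK2 branch; without it the assignment became a
	# separate statement and changed CFLAGS for the rest of the build.
	CFLAGS="$CFLAGS %{?__global_ldflags}" \
	    make gnome-ssh-askpass1
	mv gnome-ssh-askpass1 gnome-ssh-askpass
fi
popd
%endif

%if %{pam_ssh_agent}
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
# Drop -pie and the RELRO additions: this tree builds a PAM shared module
LDFLAGS="$SAVE_LDFLAGS"
# NOTE(review): --with-selinux is passed here regardless of WITH_SELINUX.
%configure --with-selinux \
	--libexecdir=/%{_libdir}/security \
	--with-mantype=man \
	--without-openssl-header-check `# The check is broken`
%make_build
popd
%endif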
%check
# The upstream regression suite is opt-in: it runs only when the build is
# started with "--with check", so a default build does not run it.
%if %{?_with_check:1}%{!?_with_check:0}
make tests
%endif
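%install
rm -rf $RPM_BUILD_ROOT
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/sshd_config.d
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
%make_install

# PAM stacks, sysconfig and the vendor drop-in configuration.
# Modes set here are build-root modes only; the files sections assign the
# final ownership and permissions with attr().
install -d $RPM_BUILD_ROOT/etc/pam.d/
install -d $RPM_BUILD_ROOT/etc/sysconfig/
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
install -m644 ssh_config_redhat $RPM_BUILD_ROOT/etc/ssh/ssh_config.d/50-redhat.conf
install -m644 sshd_config_redhat $RPM_BUILD_ROOT/etc/ssh/sshd_config.d/50-redhat.conf

# systemd system units and the per-user ssh-agent unit
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service
install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target
install -d -m755 $RPM_BUILD_ROOT/%{_userunitdir}
install -m644 %{SOURCE16} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.service

# 0755 matches the attr() given for sshd-keygen in the server file list
install -m755 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
# Explicit mode: install(1) would otherwise make the man page executable
install -m644 contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
# Empty privilege-separation directory; 0711 allows traversal but no listing
install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd

%if ! %{no_gnome_askpass}
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
%endif

%if %{no_gnome_askpass}
rm -f $RPM_BUILD_ROOT/etc/profile.d/gnome-ssh-askpass.*
%endif

# Strip the build-root prefix from paths embedded in the man pages.
# \Q...\E makes perl treat the path literally instead of as a regex.
perl -pi -e "s|\Q$RPM_BUILD_ROOT\E||g" $RPM_BUILD_ROOT%{_mandir}/man*/*

%if %{pam_ssh_agent}
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
%make_install
popd
%endif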
%pre
# Make sure the ssh_keys system group exists before files are unpacked;
# ssh-keysign is packaged setgid to this group. Failures are ignored.
if ! getent group ssh_keys >/dev/null; then
    groupadd -r ssh_keys || :
fi
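%pre server
# Create the unprivileged account used for privilege separation: a system
# user with no login shell whose home is the empty privsep directory.
# The group is created with sshd_gid (the original passed sshd_uid here;
# both macros are 74, so the resulting ID is unchanged).
# Both steps are best-effort: existing entries are kept and errors ignored.
getent group sshd >/dev/null || groupadd -g %{sshd_gid} -r sshd || :
getent passwd sshd >/dev/null || \
  useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
  -s /sbin/nologin -r -d /usr/share/empty.sshd sshd 2> /dev/null || :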
%post server
%systemd_post sshd.service sshd.socket
# Migration scriptlet for Fedora 31 and 32 installations to sshd_config
# drop-in directory (in F32+).
# It runs only when all of these hold:
#   - the sysconfig file generated by anaconda exists,
#   - /etc/ssh/sshd_config.d/01-permitrootlogin.conf does not exist,
#   - the anaconda file contains our PermitRootLogin=yes directive,
#   - sshd_config contains the Include directive as shipped in our package.
# The effect is to carry an existing "PermitRootLogin yes" choice over into a
# drop-in file; it never enables root login on systems that did not have it.
# NOTE(review): the existence check looks at 01-permitrootlogin.conf while the
# line is appended to 25-permitrootlogin.conf, which the shell creates with the
# scriptlet's umask if it is missing — confirm both are intended.
%global sysconfig_anaconda /etc/sysconfig/sshd-permitrootlogin
if test -f %{sysconfig_anaconda} && \
   test ! -f /etc/ssh/sshd_config.d/01-permitrootlogin.conf && \
   grep -q '^PERMITROOTLOGIN="-oPermitRootLogin=yes"' %{sysconfig_anaconda} && \
   grep -q '^Include /etc/ssh/sshd_config.d/\*.conf' /etc/ssh/sshd_config
then
  echo "PermitRootLogin yes" >> /etc/ssh/sshd_config.d/25-permitrootlogin.conf && \
    rm %{sysconfig_anaconda} || :
fi
# Standard systemd scriptlet macros for the server units
%preun server
%systemd_preun sshd.service sshd.socket

# Restart sshd on upgrade so the updated binary is the one serving logins
%postun server
%systemd_postun_with_restart sshd.service

# ssh-agent.service is a per-user unit, hence the *_user_* macro variants
%post clients
%systemd_user_post ssh-agent.service

%preun clients
%systemd_user_preun ssh-agent.service
# File lists. Every entry sets owner, group and mode explicitly with attr(),
# so the packaged permissions do not depend on build-root modes.

%files
%license LICENCE
%doc CREDITS ChangeLog OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns TODO
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
%attr(0755,root,root) %{_bindir}/ssh-keygen
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
%attr(0755,root,root) %dir %{_libexecdir}/openssh
# Mode 2555: setgid to the ssh_keys group created in the pre scriptlet and not
# writable by anyone. NOTE(review): presumably so it can read host keys that
# are group-readable by ssh_keys — confirm against sshd-keygen.
%attr(2555,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*

%files clients
%attr(0755,root,root) %{_bindir}/ssh
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
%attr(0755,root,root) %{_bindir}/scp
%attr(0644,root,root) %{_mandir}/man1/scp.1*
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d/
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/50-redhat.conf
%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
%attr(0755,root,root) %{_bindir}/ssh-agent
%attr(0755,root,root) %{_bindir}/ssh-add
%attr(0755,root,root) %{_bindir}/ssh-keyscan
%attr(0755,root,root) %{_bindir}/sftp
%attr(0755,root,root) %{_bindir}/ssh-copy-id
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-sk-helper
%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
%attr(0644,root,root) %{_mandir}/man1/sftp.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1*
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
%attr(0644,root,root) %{_mandir}/man8/ssh-sk-helper.8*
%attr(0644,root,root) %{_userunitdir}/ssh-agent.service

%files server
# Privilege-separation directory: traversable but not listable or writable
%dir %attr(0711,root,root) %{_datadir}/empty.sshd
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
%attr(0644,root,root) %{_mandir}/man5/moduli.5*
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
# Server configuration is readable by root only (0600 files, 0700 drop-in
# directory), unlike the world-readable client configuration above.
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%dir %attr(0700,root,root) %{_sysconfdir}/ssh/sshd_config.d/
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/50-redhat.conf
%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
%attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd
%attr(0644,root,root) %{_unitdir}/sshd.service
%attr(0644,root,root) %{_unitdir}/sshd@.service
%attr(0644,root,root) %{_unitdir}/sshd.socket
%attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
%attr(0644,root,root) %{_unitdir}/sshd-keygen.target

%files keycat
%doc HOWTO.ssh-keycat
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-keycat
%attr(0644,root,root) %config(noreplace) /etc/pam.d/ssh-keycat

%if ! %{no_gnome_askpass}
%files askpass
%attr(0644,root,root) %{_sysconfdir}/profile.d/gnome-ssh-askpass.*
%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
%endif

%if %{pam_ssh_agent}
%files -n pam_ssh_agent_auth
%license pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE
%attr(0755,root,root) %{_libdir}/security/pam_ssh_agent_auth.so
%attr(0644,root,root) %{_mandir}/man8/pam_ssh_agent_auth.8*
%endif
cvsdist f710772
%changelog
9979ff5
* Tue Mar 09 2021 Rex Dieter <rdieter@fedoraproject.org> - 8.5p1-2
9979ff5
- ssh-agent.service is a user unit (#1761817#27)
9979ff5
25c16c6
* Wed Mar 03 2021 Jakub Jelen <jjelen@redhat.com> - 8.5p1-1 + 0.10.4-2
25c16c6
- New upstream release (#1934336)
25c16c6
6e1851c
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 8.4p1-5.2
6e1851c
- Rebuilt for updated systemd-rpm-macros
6e1851c
  See https://pagure.io/fesco/issue/2583.
6e1851c
7347a74
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 8.4p1-5.1
7347a74
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
7347a74
106b283
* Fri Jan 22 2021 Jakub Jelen <jjelen@redhat.com> - 8.4p1-5 + 0.10.4-1
106b283
- Use /usr/share/empty.sshd instead of /var/empty/sshd
106b283
- Allow empty labels in PKCS#11 tokens (#1919007)
106b283
- Drop openssh-cavs subpackage
106b283
258db09
* Tue Dec 01 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-4 + 0.10.4-1
258db09
- Remove "PasswordAuthentication yes" from vendor configuration as it is
258db09
  already default and it might be hard to override.
258db09
- Fix broken obsoletes for openssh-ldap (#1902084)
258db09
126d278
* Thu Nov 19 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-3 + 0.10.4-1
126d278
- Unbreak seccomp filter on arm (#1897712)
126d278
- Add a workaround for Debian's broken OpenSSH (#1881301)
126d278
a048fcc
* Tue Oct 06 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-2 + 0.10.4-1
a048fcc
- Unbreak ssh-copy-id after a release (#1884231)
a048fcc
- Remove misleading comment from sysconfig
a048fcc
7b064ea
* Tue Sep 29 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-1 + 0.10.4-1
7b064ea
- New upstream release of OpenSSH and pam_ssh_agent_auth (#1882995)
7b064ea
10cdecf
* Fri Aug 21 2020 Jakub Jelen <jjelen@redhat.com> - 8.3p1-4 + 0.10.3-10
10cdecf
- Remove openssh-ldap subpackage (#1871025)
10cdecf
- pkcs11: Do not crash with invalid paths in ssh-agent (#1868996)
10cdecf
- Clarify documentation about sftp-server -m (#1862504)
10cdecf
fccd87e
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 8.3p1-3.1
fccd87e
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
fccd87e
996e25f
* Wed Jun 10 2020 Jakub Jelen <jjelen@redhat.com> - 8.3p1-3 + 0.10.3-10
996e25f
- Do not lose PIN when more slots match PKCS#11 URI (#1843372)
996e25f
- Update to new crypto-policies version on server (using sshd_config include)
996e25f
- Move redhat configuration files to larger number to allow simpler override
996e25f
- Move sshd_config include before any other definitions (#1824913)
996e25f
3bd5ced
* Mon Jun 01 2020 Jakub Jelen <jjelen@redhat.com> - 8.3p1-2 + 0.10.3-10
3bd5ced
- Fix crash on cleanup (#1842281)
3bd5ced
5cd9552
* Wed May 27 2020 Jakub Jelen <jjelen@redhat.com> - 8.3p1-1 + 0.10.3-10
5cd9552
- New upstream release (#1840503)
5cd9552
- Unbreak corner cases of sshd_config include
5cd9552
- Fix order of gssapi key exchange algorithms
5cd9552
4e3553b
* Wed Apr 08 2020 Jakub Jelen <jjelen@redhat.com> - 8.2p1-3 + 0.10.3-9
4e3553b
- Simplify reference to crypto policies in configuration files
4e3553b
- Unbreak gssapi authentication with GSSAPITrustDNS over jump hosts
4e3553b
- Correctly print FIPS mode initialized in debug mode
4e3553b
- Enable SHA2-based GSSAPI key exchange methods (#1666781)
4e3553b
- Do not break X11 forwarding when IPv6 is disabled
4e3553b
- Remove fipscheck dependency as OpenSSH is no longer FIPS module
4e3553b
- Improve documentation about crypto policies defaults in manual pages
4e3553b
b241755
* Thu Feb 20 2020 Jakub Jelen <jjelen@redhat.com> - 8.2p1-2 + 0.10.3-9
b241755
- Build against libfido2 to unbreak internal u2f support
b241755
51f5c1c
* Mon Feb 17 2020 Jakub Jelen <jjelen@redhat.com> - 8.2p1-1 + 0.10.3-9
51f5c1c
- New upstream release (#1803290)
51f5c1c
- New /etc/ssh/sshd_config.d drop in directory
51f5c1c
- Support for U2F security keys
51f5c1c
- Correctly report invalid key permissions (#1801459)
51f5c1c
- Do not write bogus information on stderr in FIPS mode (#1778224)
51f5c1c
a2cffc6
* Mon Feb 03 2020 Jakub Jelen <jjelen@redhat.com> - 8.1p1-4 + 0.10.3-8
a2cffc6
- Unbreak seccomp filter on ARM (#1796267)
a2cffc6
657d132
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 8.1p1-3.1
657d132
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
657d132
62361a7
* Wed Nov 27 2019 Jakub Jelen <jjelen@redhat.com> - 8.1p1-3 + 0.10.3-8
62361a7
- Unbreak seccomp filter also on ARM (#1777054)
62361a7
d26b44f
* Thu Nov 14 2019 Jakub Jelen <jjelen@redhat.com> - 8.1p1-2 + 0.10.3-8
d26b44f
- Unbreak seccomp filter with latest glibc (#1771946)
d26b44f
36fef56
* Wed Oct 09 2019 Jakub Jelen <jjelen@redhat.com> - 8.1p1-1 + 0.10.3-8
36fef56
- New upstream release (#1759750)
36fef56
0ca1614
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 8.0p1-8.1
0ca1614
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
0ca1614
73b069e
* Tue Jul 23 2019 Jakub Jelen <jjelen@redhat.com> - 8.0p1-8 + 0.10.3-7
73b069e
- Use the upstream-accepted version of the PKCS#8 PEM support (#1722285)
73b069e
30922f6
* Fri Jul 12 2019 Jakub Jelen <jjelen@redhat.com> - 8.0p1-7 + 0.10.3-7
30922f6
- Use the environment file under /etc/sysconfig for anaconda configuration (#1722928)
30922f6
e9bd9a2
* Wed Jul 03 2019 Jakub Jelen <jjelen@redhat.com> - 8.0p1-6 + 0.10.3-7
e9bd9a2
- Provide the entry point for anaconda configuration in service file (#1722928)
e9bd9a2
36a4472
* Wed Jun 26 2019 Jakub Jelen <jjelen@redhat.com> - 8.0p1-5 + 0.10.3-7
36a4472
- Disable root password logins (#1722928)
36a4472
- Fix typo in manual pages related to crypto-policies
36a4472
- Fix the gating test to make sure it removes the test user
36a4472
- Clean up spec file and get rid of some rpmlint warnings
36a4472
dad744a
* Mon Jun 17 2019 Jakub Jelen <jjelen@redhat.com> - 8.0p1-4 + 0.10.3-7
dad744a
- Compatibility with ibmca engine for ECC
dad744a
- Generate more modern PEM files using new OpenSSL API
dad744a
- Provide correct signature types for RSA keys using SHA2 from agent
dad744a
7f1ad37
* Mon May 27 2019 Jakub Jelen <jjelen@redhat.com> - 8.0p1-3 + 0.10.3-7
7f1ad37
- Remove problematic patch updating cached pw structure
7f1ad37
- Do not require the labels on the public objects (#1710832)
7f1ad37
53c9085
* Tue May 14 2019 Jakub Jelen <jjelen@redhat.com> - 8.0p1-2 + 0.10.3-7
53c9085
- Use OpenSSL KDF
53c9085
- Use high-level OpenSSL API for signatures handling
53c9085
- Mention crypto-policies in manual pages instead of hardcoded defaults
53c9085
- Verify in package testsuite that SCP vulnerabilities are fixed
53c9085
- Do not fail in FIPS mode, when unsupported algorithm is listed in configuration
53c9085
def1deb
* Fri Apr 26 2019 Jakub Jelen <jjelen@redhat.com> - 8.0p1-1 + 0.10.3-7
def1deb
- New upstream release (#1701072)
def1deb
- Removed support for VendroPatchLevel configuration option
def1deb
- Significant rework of GSSAPI Key Exchange
def1deb
- Significant rework of PKCS#11 URI support
def1deb
91aa3d4
* Mon Mar 11 2019 Jakub Jelen <jjelen@redhat.com> - 7.9p1-5 + 0.10.3.6
91aa3d4
- Fix kerberos cleanup procedures with GSSAPI
91aa3d4
- Update cached passwd structure after PAM authentication
91aa3d4
- Do not fall back to sshd_net_t SELinux context
91aa3d4
- Fix corner cases of PKCS#11 URI implementation
91aa3d4
- Do not negotiate arbitrary primes with DH GEX in FIPS 
91aa3d4
7295e97
* Wed Feb 06 2019 Jakub Jelen <jjelen@redhat.com> - 7.9p1-4 + 0.10.3.6
7295e97
- Log when a client requests an interactive session and only sftp is allowed
7295e97
- Fix minor issues in ssh-copy-id
7295e97
- Enclose redhat specific configuration with Match final block
7295e97
4e5f61c
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7.9p1-3.2
4e5f61c
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
4e5f61c
018ac8d
* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 7.9p1-3.1
018ac8d
- Rebuilt for libcrypt.so.2 (#1666033)
018ac8d
311908c
* Mon Jan 14 2019 Jakub Jelen <jjelen@redhat.com> - 7.9p1-3 + 0.10.3.6
311908c
- Backport Match final to unbreak canonicalization with crypto-policies (#1630166)
311908c
- gsskex: Dump correct option
311908c
- Backport several fixes from 7_9 branch, mostly related to certificate authentication (#1665611)
311908c
- Backport patch for CVE-2018-20685 (#1665786)
311908c
- Correctly initialize ECDSA key structures from PKCS#11
311908c
a4c0a26
* Wed Nov 14 2018 Jakub Jelen <jjelen@redhat.com> - 7.9p1-2 + 0.10.3-6
a4c0a26
- Fix LDAP configure test (#1642414)
a4c0a26
- Avoid segfault on kerberos authentication failure
a4c0a26
- Reference correct file in configuration example (#1643274)
a4c0a26
- Dump missing GSSAPI configuration options
a4c0a26
- Allow to disable RSA signatures with SHA-1
a4c0a26
9f2c8b9
* Fri Oct 19 2018 Jakub Jelen <jjelen@redhat.com> - 7.9p1-1 + 0.10.3-6
9f2c8b9
- New upstream release OpenSSH 7.9p1 (#1632902, #1630166)
9f2c8b9
- Honor GSSAPIServerIdentity option for GSSAPI key exchange
9f2c8b9
- Do not break gssapi-keyex authentication method when specified in
9f2c8b9
  AuthenticationMethods
9f2c8b9
- Follow the system-wide PATH settings (#1633756)
9f2c8b9
- Address some coverity issues
9f2c8b9
97ee52c
* Mon Sep 24 2018 Jakub Jelen <jjelen@redhat.com> - 7.8p1-3 + 0.10.3-5
97ee52c
- Disable OpenSSH hardening flags and use the ones provided by system
97ee52c
- Ignore unknown parts of PKCS#11 URI
97ee52c
- Do not fail with GSSAPI enabled in match blocks (#1580017)
97ee52c
- Fix the segfaulting cavs test (#1628962)
97ee52c
8b9448c
* Fri Aug 31 2018 Jakub Jelen <jjelen@redhat.com> - 7.8p1-2 + 0.10.3-5
8b9448c
- New upstream release fixing CVE-2018-15473
8b9448c
- Remove unused patches
8b9448c
- Remove reference to unused environment variable SSH_USE_STRONG_RNG
8b9448c
- Address coverity issues
8b9448c
- Unbreak scp between two IPv6 hosts
8b9448c
- Unbreak GSSAPI key exchange (#1624344)
8b9448c
- Unbreak rekeying with GSSAPI key exchange (#1624344)
8b9448c
01ba761
* Thu Aug 09 2018 Jakub Jelen <jjelen@redhat.com> - 7.7p1-6 + 0.10.3-4
01ba761
- Fix listing of kex algorithms in FIPS mode
01ba761
- Allow aes-gcm cipher modes in FIPS mode
01ba761
- Coverity fixes
01ba761
600d401
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 7.7p1-5.1
600d401
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
600d401
e1d8554
* Tue Jul 03 2018 Jakub Jelen <jjelen@redhat.com> - 7.7p1-5 + 0.10.3-4
e1d8554
- Disable manual printing of motd by default (#1591381)
e1d8554
62f1736
* Wed Jun 27 2018 Jakub Jelen <jjelen@redhat.com> - 7.7p1-4 + 0.10.3-4
62f1736
- Better handling of kerberos tickets storage (#1566494)
62f1736
- Add pam_motd to pam stack (#1591381)
62f1736
04ca5e7
* Mon Apr 16 2018 Jakub Jelen <jjelen@redhat.com> - 7.7p1-3 + 0.10.3-4
04ca5e7
- Fix tun devices and other issues fixed after release upstream (#1567775)
04ca5e7
836590e
* Thu Apr 12 2018 Jakub Jelen <jjelen@redhat.com> - 7.7p1-2 + 0.10.3-4
836590e
- Do not break quotes parsing in configuration file (#1566295)
836590e
b0815ca
* Wed Apr 04 2018 Jakub Jelen <jjelen@redhat.com> - 7.7p1-1 + 0.10.3-4
b0815ca
- New upstream release (#1563223)
b0815ca
- Add support for ECDSA keys in PKCS#11 (#1354510)
b0815ca
- Add support for PKCS#11 URIs
b0815ca
cbb6ca5
* Tue Mar 06 2018 Jakub Jelen <jjelen@redhat.com> - 7.6p1-7 + 0.10.3-3
cbb6ca5
- Require crypto-policies version and new path
cbb6ca5
- Remove bogus NSS linking
cbb6ca5
13efdb1
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 7.6p1-6.1
13efdb1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
13efdb1
bb4b7b7
* Fri Jan 26 2018 Jakub Jelen <jjelen@redhat.com> - 7.6p1-6 + 0.10.3-3
bb4b7b7
- Rebuild for gcc bug on i386 (#1536555)
bb4b7b7
f61eaad
* Thu Jan 25 2018 Florian Weimer <fweimer@redhat.com> - 7.6p1-5.2
f61eaad
- Rebuild to work around gcc bug leading to sshd miscompilation (#1538648)
f61eaad
427beb2
* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 7.6p1-5.1.1
427beb2
- Rebuilt for switch to libxcrypt
427beb2
4d97279
* Wed Jan 17 2018 Jakub Jelen <jjelen@redhat.com> - 7.6p1-5 + 0.10.3-3
4d97279
- Drop support for TCP wrappers (#1530163)
4d97279
- Do not pass hostnames to audit -- UseDNS is usually disabled (#1534577)
4d97279
871dc3e
* Thu Dec 14 2017 Jakub Jelen <jjelen@redhat.com> - 7.6p1-4 + 0.10.3-3
871dc3e
- Whitelist gettid() syscall in seccomp filter (#1524392)
871dc3e
1f2a7f3
* Mon Dec 11 2017 Jakub Jelen <jjelen@redhat.com> - 7.6p1-3 + 0.10.3-3
1f2a7f3
- Do not segfault during audit cleanup (#1524233)
1f2a7f3
- Avoid gcc warnings about uninitialized variables
1f2a7f3
eef660e
* Wed Nov 22 2017 Jakub Jelen <jjelen@redhat.com> - 7.6p1-2 + 0.10.3-3
eef660e
- Do not build everything against libldap
eef660e
- Do not segfault for ECC keys in PKCS#11
eef660e
8fc2fee
* Thu Oct 19 2017 Jakub Jelen <jjelen@redhat.com> - 7.6p1-1 + 0.10.3-3
8fc2fee
- New upstream release OpenSSH 7.6
8fc2fee
- Addressing review remarks for OpenSSL 1.1.0 patch
8fc2fee
- Fix PermitOpen bug in OpenSSH 7.6
8fc2fee
- Drop support for ExposeAuthenticationMethods option
8fc2fee
9e46aaf
* Mon Sep 11 2017 Jakub Jelen <jjelen@redhat.com> - 7.5p1-6 + 0.10.3-2
1176788
- Do not export KRB5CCNAME if the default path is used (#1199363)
9e46aaf
- Add enablement for openssl-ibmca and openssl-ibmpkcs11 (#1477636)
9e46aaf
- Add new GSSAPI kex algorithms with SHA-2, but leave them disabled for now
9e46aaf
- Enforce pam_sepermit for all logins in SSH (#1492313)
9e46aaf
- Remove pam_reauthorize, since it is not needed by cockpit anymore (#1492313)
9e46aaf
ef66c0c
* Mon Aug 14 2017 Jakub Jelen <jjelen@redhat.com> - 7.5p1-5 + 0.10.3-2
ef66c0c
- Another less-intrusive approach to crypto policy (#1479271)
ef66c0c
fffad05
* Tue Aug 01 2017 Jakub Jelen <jjelen@redhat.com> - 7.5p1-4 + 0.10.3-2
fffad05
- Remove SSH-1 subpackage for Fedora 27 (#1474942)
9e46aaf
- Follow system-wide crypto policy in server (#1479271)
fffad05
be108c2
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 7.5p1-3.1
be108c2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
be108c2
2ea24bb
* Fri Jun 30 2017 Jakub Jelen <jjelen@redhat.com> - 7.5p1-2 + 0.10.3-2
2ea24bb
- Sync downstream patches with RHEL (FIPS)
2ea24bb
- Resolve potential issues with OpenSSL 1.1.0 patch
2ea24bb
204765a
* Wed Mar 22 2017 Jakub Jelen <jjelen@redhat.com> - 7.5p1-2 + 0.10.3-2
204765a
- Fix various after-release typos including failed build in s390x (#1434341)
204765a
- Revert chroot magic with SELinux
204765a
17b491b
* Mon Mar 20 2017 Jakub Jelen <jjelen@redhat.com> - 7.5p1-1 + 0.10.3-2
17b491b
- New upstream release
17b491b
7b666e5
* Fri Mar 03 2017 Jakub Jelen <jjelen@redhat.com> - 7.4p1-4 + 0.10.3-1
7b666e5
- Avoid sending the SD_NOTIFY messages from wrong processes (#1427526)
7b666e5
- Address reports by coverity
7b666e5
ab7f947
* Mon Feb 20 2017 Jakub Jelen <jjelen@redhat.com> - 7.4p1-3 + 0.10.3-1
ab7f947
- Properly report errors from included files (#1408558)
ab7f947
- New pam_ssh_agent_auth 0.10.3 release
ab7f947
- Switch to SD_NOTIFY to make systemd happy
ab7f947
26cec06
* Mon Feb 06 2017 Jakub Jelen <jjelen@redhat.com> - 7.4p1-2 + 0.10.2-5
26cec06
- Fix ssh-agent cert signing error (#1416584)
26cec06
- Fix wrong path to crypto policies
26cec06
- Attempt to resolve issue with systemd
26cec06
b19926d
* Tue Jan 03 2017 Jakub Jelen <jjelen@redhat.com> - 7.4p1-1 + 0.10.2-5
b19926d
- New upstream release (#1406204)
b19926d
- Cache supported OIDs for GSSAPI key exchange (#1395288)
b19926d
- Fix typo causing heap corruption (use-after-free) (#1409433)
b19926d
- Prevent hangs with long MOTD
b19926d
d8c2e8d
* Thu Dec 08 2016 Jakub Jelen <jjelen@redhat.com> - 7.3p1-7 + 0.10.2-4
d8c2e8d
- Properly deserialize received RSA certificates in ssh-agent (#1402029)
d8c2e8d
- Move MAX_DISPLAYS to a configuration option
d8c2e8d
7bccf7e
* Wed Nov 16 2016 Jakub Jelen <jjelen@redhat.com> - 7.3p1-6 + 0.10.2-4
7bccf7e
- GSSAPI requires futex syscall in privsep child (#1395288)
7bccf7e
2a8bce3
* Thu Oct 27 2016 Jakub Jelen <jjelen@redhat.com> - 7.3p1-5 + 0.10.2-4
2a8bce3
- Build against OpenSSL 1.1.0 with compat changes
ccf6231
- Recommend crypto-policies
ccf6231
- Fix chroot dropping capabilities (#1386755)
2a8bce3
d924bc6
* Thu Sep 29 2016 Jakub Jelen <jjelen@redhat.com> - 7.3p1-4 + 0.10.2-4
d924bc6
- Fix NULL dereference (#1380297)
d924bc6
- Include client Crypto Policy (#1225752)
d924bc6
0a605f4
* Mon Aug 15 2016 Jakub Jelen <jjelen@redhat.com> - 7.3p1-3 + 0.10.2-4
0a605f4
- Proper content of included configuration file
0a605f4
73953d2
* Tue Aug 09 2016 Jakub Jelen <jjelen@redhat.com> - 7.3p1-2 + 0.10.2-4
73953d2
- Fix permissions on the include directory (#1365270)
73953d2
73953d2
* Tue Aug 02 2016 Jakub Jelen <jjelen@redhat.com> - 7.3p1-1 + 0.10.2-4
a711d3c
- New upstream release (#1362156)
a711d3c
82bfd19
* Tue Jul 26 2016 Jakub Jelen <jjelen@redhat.com> - 7.2p2-11 + 0.10.2-3
82bfd19
- Remove slogin and sshd-keygen (#1359762)
82bfd19
- Prevent guest_t from running sudo (#1357860)
82bfd19
9dc7413
* Mon Jul 18 2016 Jakub Jelen <jjelen@redhat.com> - 7.2p2-10 + 0.10.2-3
9dc7413
- CVE-2016-6210: User enumeration via covert timing channel (#1357443)
9dc7413
- Expose more information about authentication to PAM
9dc7413
- Make closefrom() ignore softlinks to the /dev/ devices on s390
9dc7413
a49441f
* Fri Jul 01 2016 Jakub Jelen <jjelen@redhat.com> - 7.2p2-9 + 0.10.2-3
a49441f
- Fix wrong detection of UseLogin in server configuration (#1350347)
a49441f
5a67d51
* Fri Jun 24 2016 Jakub Jelen <jjelen@redhat.com> - 7.2p2-8 + 0.10.2-3
5a67d51
- Enable seccomp filter for MIPS architectures
5a67d51
- UseLogin=yes is not supported in Fedora
5a67d51
- SFTP server forced permissions should restore umask
5a67d51
- pam_ssh_agent_auth: Fix conflict between two getpwuid() calls (#1349551)
5a67d51
ba8f389
* Mon Jun 06 2016 Jakub Jelen <jjelen@redhat.com> - 7.2p2-7
ba8f389
- Fix regression in certificate-based authentication (#1333498)
ba8f389
- Check for real location of .k5login file (#1328243)
ba8f389
- Fix unchecked dereference in pam_ssh_agent_auth
ba8f389
- Clean up old patches
ba8f389
- Build with seccomp filter on ppc64(le) (#1195065)
ba8f389
991b662
* Fri Apr 29 2016 Jakub Jelen <jjelen@redhat.com> - 7.2p2-6 + 0.10.2-3
991b662
- Add legacy sshd-keygen for anaconda (#1331077)
991b662
1380564
* Fri Apr 22 2016 Jakub Jelen <jjelen@redhat.com> - 7.2p2-5 + 0.10.2-3
1380564
- CVE-2015-8325: ignore PAM environment vars when UseLogin=yes (#1328013)
1380564
- Fix typo in sysconfig/sshd (#1325535)
1380564
58d2868
* Fri Apr 15 2016 Jakub Jelen <jjelen@redhat.com> - 7.2p2-4 + 0.10.2-3
58d2868
- Revise socket activation and services dependencies (#1325535)
58d2868
- Drop unused init script
58d2868
32a7488
* Wed Apr 13 2016 Jakub Jelen <jjelen@redhat.com> 7.2p2-3 + 0.10.2-3
32a7488
- Make sshd-keygen comply with packaging guidelines (#1325535)
32a7488
- Soft-deny socket() syscall in seccomp sandbox (#1324493)
32a7488
- Remove *sha1 Kex in FIPS mode (#1324493)
32a7488
- Remove *gcm ciphers in FIPS mode (#1324493)
32a7488
f7e56a5
* Wed Apr 06 2016 Jakub Jelen <jjelen@redhat.com> 7.2p2-2 + 0.10.2-3
f7e56a5
- Fix GSSAPI Key Exchange according to RFC (#1323622)
f7e56a5
- Remove init.d/functions dependency from sshd-keygen (#1317722)
f7e56a5
- Do not use MD5 in pam_ssh_agent_auth in FIPS mode
f7e56a5
9163ba1
* Thu Mar 10 2016 Jakub Jelen <jjelen@redhat.com> 7.2p2-1 + 0.10.2-3
9163ba1
- New upstream (security) release (#1316529)
9163ba1
- Clean up audit patch
9163ba1
0bdae3b
* Thu Mar 03 2016 Jakub Jelen <jjelen@redhat.com> 7.2p1-2 + 0.10.2-2
0bdae3b
- Restore slogin symlinks to preserve backward compatibility
0bdae3b
13073f8
* Mon Feb 29 2016 Jakub Jelen <jjelen@redhat.com> 7.2p1-1 + 0.10.2-2
13073f8
- New upstream release (#1312870)
13073f8
46445f1
* Wed Feb 24 2016 Jakub Jelen <jjelen@redhat.com> 7.1p2-4.1 + 0.10.2-1
46445f1
- Fix race condition in auditing events when using multiplexing (#1308295)
46445f1
- Fix X11 forwarding CVE according to upstream
46445f1
- Fix problem when running without privsep (#1303910)
46445f1
- Remove hard glob limit in SFTP
46445f1
b2b837a
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 7.1p2-3.1
b2b837a
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
b2b837a
8ddd3ed
* Sat Jan 30 2016 Jakub Jelen <jjelen@redhat.com> 7.1p2-3 + 0.10.2-1
8ddd3ed
- Fix segfaults with pam_ssh_agent_auth (#1303036)
8ddd3ed
- Silently disable X11 forwarding on problems
8ddd3ed
- Systemd service should be forking to detect immediate failures
8ddd3ed
6c2eb5e
* Mon Jan 25 2016 Jakub Jelen <jjelen@redhat.com> 7.1p2-2 + 0.10.2-1
6c2eb5e
- Rebased to recent version of pam_ssh_agent_auth
6c2eb5e
- Upstream fix for CVE-2016-1908
6c2eb5e
- Remove useless defattr
6c2eb5e
7bc6437
* Thu Jan 14 2016 Jakub Jelen <jjelen@redhat.com> 7.1p2-1 + 0.9.2-9
7bc6437
- New security upstream release for CVE-2016-0777
7bc6437
b2191db
* Tue Jan 12 2016 Jakub Jelen <jjelen@redhat.com> 7.1p1-7 + 0.9.2-8
b2191db
- Change RPM define macros to global according to packaging guidelines
b2191db
- Fix wrong handling of SSH_COPY_ID_LEGACY environment variable
b2191db
- Update ssh-agent and ssh-keysign permissions (#1296724)
b2191db
- Fix few problems with alternative builds without GSSAPI or openSSL
b2191db
- Fix condition to run sshd-keygen
b2191db
c45d147
* Fri Dec 18 2015 Jakub Jelen <jjelen@redhat.com> 7.1p1-6 + 0.9.2-8
c45d147
- Preserve IUTF8 tty mode flag over ssh connections (#1270248)
c45d147
- Do not require sysconfig file to start service (#1279521)
c45d147
- Update ssh-copy-id to upstream version
c45d147
- GSSAPI Key Exchange documentation improvements
c45d147
- Remove unused patches
c45d147
ef86a31
* Wed Nov 04 2015 Jakub Jelen <jjelen@redhat.com> 7.1p1-5 + 0.9.2-8
ef86a31
- Do not set user context too many times for root logins (#1269072)
ef86a31
fa54d54
* Thu Oct 22 2015 Jakub Jelen <jjelen@redhat.com> 7.1p1-4 + 0.9.2-8
fa54d54
- Review SELinux user context handling after authentication (#1269072)
fa54d54
- Handle root logins the same way as other users (#1269072)
fa54d54
- Audit implicit mac, if mac is covered in cipher (#1271694)
fa54d54
- Increase size limit for remote glob over sftp
fa54d54
a80c277
* Fri Sep 25 2015 Jakub Jelen <jjelen@redhat.com> 7.1p1-3 + 0.9.2-8
a80c277
- Fix FIPS mode for DH kex (#1260253)
a80c277
- Provide full RELRO and PIE for askpass helper (#1264036)
a80c277
- Fix gssapi key exchange on server and client (#1261414)
a80c277
- Allow gss-keyex root login when without-password is set (upstream #2456)
a80c277
- Fix obsolete usage of SELinux constants (#1261496)
a80c277
9826215
* Wed Sep 09 2015 Jakub Jelen <jjelen@redhat.com> 7.1p1-2 + 0.9.2-8
9826215
- Fix warnings reported by gcc related to keysign and keyAlgorithms
9826215
757fec5
* Sat Aug 22 2015 Jakub Jelen <jjelen@redhat.com> 7.1p1-1 + 0.9.2-8
757fec5
- New upstream release
757fec5
ebdae84
* Wed Aug 19 2015 Jakub Jelen <jjelen@redhat.com> 7.0p1-2 + 0.9.3-7
ebdae84
- Fix problem with DSA keys using pam_ssh_agent_auth (#1251777)
ebdae84
- Add GSSAPIKexAlgorithms option for server and client application
ebdae84
- Possibility to validate legacy systems by more fingerprints (#1249626)
ebdae84
18e5499
* Wed Aug 12 2015 Jakub Jelen <jjelen@redhat.com> 7.0p1-1 + 0.9.3-7
3f55133
- New upstream release (#1252639)
3f55133
- Fix pam_ssh_agent_auth package (#1251777)
3f55133
- Security: Use-after-free bug related to PAM support (#1252853)
3f55133
- Security: Privilege separation weakness related to PAM support (#1252854)
3f55133
- Security: Incorrectly set TTYs to be world-writable (#1252862)
3f55133
6286d6a
* Tue Jul 28 2015 Jakub Jelen <jjelen@redhat.com> 6.9p1-4 + 0.9.3-6
6286d6a
- Handle terminal control characters in scp progressmeter (#1247204)
6286d6a
83bfb1f
* Thu Jul 23 2015 Jakub Jelen <jjelen@redhat.com> 6.9p1-3 + 0.9.3-6
83bfb1f
- CVE-2015-5600: only query each keyboard-interactive device once (#1245971)
83bfb1f
ca62b61
* Wed Jul 15 2015 Jakub Jelen <jjelen@redhat.com> 6.9p1-2 + 0.9.3-6
ca62b61
- Enable SECCOMP filter for s390* architecture (#1195065)
ca62b61
- Fix race condition when multiplexing connection (#1242682)
ca62b61
187a349
* Wed Jul 01 2015 Jakub Jelen <jjelen@redhat.com> 6.9p1-1 + 0.9.3-6
187a349
- New upstream release (#1238253)
187a349
- Increase the limit on the number of files which can be listed using glob in sftp
187a349
- Correctly revert "PermitRootLogin no" option from upstream sources (#89216)
187a349
f3002bf
* Wed Jun 24 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-9 + 0.9.3-5
f3002bf
- Allow socketcall(SYS_SHUTDOWN) for net_child on ix86 architecture
f3002bf
b59dd83
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 6.8p1-8.1
b59dd83
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
b59dd83
5aa47ae
* Mon Jun 08 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-8 + 0.9.3-5
5aa47ae
- Return stat syscall to seccomp filter (#1228323)
5aa47ae
f049b3b
* Wed Jun 03 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-7 + 0.9.3-5
f049b3b
- Handle pam_ssh_agent_auth memory, buffers and variable sizes (#1225106)
f049b3b
8a10dcb
* Thu May 28 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-6 + 0.9.3-5
8a10dcb
- Resolve problem with pam_ssh_agent_auth after rebase (#1225106)
8a10dcb
- ssh-copy-id: tcsh doesn't work with multiline strings
8a10dcb
- Fix upstream memory problems
8a10dcb
- Add missing options in testmode output and manual pages
8a10dcb
- Provide LDIF version of LPK schema
8a10dcb
- Document required selinux boolean for working ssh-ldap-helper
8a10dcb
775e1b2
* Mon Apr 20 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-5 + 0.9.3-5
775e1b2
- Fix segfault on daemon exit caused by API change (#1213423)
775e1b2
c516316
* Thu Apr 02 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-4 + 0.9.3-5
c516316
- Fix audit_end_command to restore ControlPersist function (#1203900)
c516316
c028ac5
* Tue Mar 31 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-3 + 0.9.3-5
c028ac5
- Fixed issue with GSSAPI key exchange (#1207719)
c028ac5
- Add pam_namespace to sshd pam stack (based on #1125110)
c028ac5
- Remove krb5-config workaround for #1203900
c028ac5
- Fix handling SELinux context in MLS systems
c028ac5
- Regression: solve sshd segfaults if other instance already running
c028ac5
e5b15a7
* Thu Mar 26 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-2 + 0.9.3-5
e5b15a7
- Update audit and gss patches after rebase
e5b15a7
- Fix reintroduced upstream bug #1878
e5b15a7
e3688f3
* Tue Mar 24 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-1 + 0.9.3-5
e3688f3
- new upstream release openssh-6.8p1 (#1203245)
e3688f3
- Resolve segfault with auditing commands (#1203900)
e3688f3
- Workaround krb5-config bug (#1204646)
132f8f8
7b82d08
* Thu Mar 12 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-11 + 0.9.3-4
7b82d08
- Ability to specify LDAP filter in ldap.conf for ssh-ldap-helper
7b82d08
- Fix auditing when using combination of ForceCommand and PTY
7b82d08
- Add sftp option to force mode of created files (from rhel)
7b82d08
- Fix tmpfiles.d entries to be more consistent (#1196807)
7b82d08
7aa6321
* Mon Mar 02 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-10 + 0.9.3-4
7aa6321
- Add tmpfiles.d entries (#1196807)
7aa6321
c8b4078
* Fri Feb 27 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-9 + 0.9.3-4
c8b4078
- Adjust seccomp filter for primary architectures and solve aarch64 issue (#1197051)
c8b4078
- Solve issue with ssh-copy-id and keys without trailing newline (#1093168)
c8b4078
5f3c83f
* Tue Feb 24 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-8 + 0.9.3-4
5f3c83f
- Add AArch64 support for seccomp_filter sandbox (#1195065)
5f3c83f
e0f867b
* Mon Feb 23 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-7 + 0.9.3-4
e0f867b
- Fix seccomp filter on architectures without getuid32
e0f867b
c13a4b7
* Mon Feb 23 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-6 + 0.9.3-4
c13a4b7
- Update seccomp filter to work on i686 architectures (#1194401)
c13a4b7
- Fix previous failing build (#1195065)
c13a4b7
74e740c
* Sun Feb 22 2015 Peter Robinson <pbrobinson@fedoraproject.org> 6.7p1-5 + 0.9.3-4
74e740c
- Only use seccomp for sandboxing on supported platforms
74e740c
c694529
* Fri Feb 20 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-4 + 0.9.3-4
c694529
- Move cavs tests into subpackage -cavs (#1194320)
c694529
2f55636
* Wed Feb 18 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-3 + 0.9.3-4
2f55636
- update coverity patch
2f55636
- make output of sshd -T more consistent (#1187521)
2f55636
- enable seccomp for sandboxing instead of rlimit (#1062953)
2f55636
- update hardening to compile on gcc5
2f55636
- Add SSH KDF CAVS test driver (#1193045)
2f55636
- Fix ssh-copy-id on non-sh remote shells (#1045191)
2f55636
6c6416d
* Tue Jan 27 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-2 + 0.9.3-4
6c6416d
- fixed audit patch after rebase
6c6416d
1900351
* Tue Jan 20 2015 Petr Lautrbach <plautrba@redhat.com> 6.7p1-1 + 0.9.3-4
1900351
- new upstream release openssh-6.7p1
1900351
3ffcb79
* Thu Jan 15 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-11.1 + 0.9.3-3
2109ab6
- error message if scp when directory doesn't exist (#1142223)
2109ab6
- parsing configuration file values (#1130733)
2109ab6
- documentation in service and socket files for systemd (#1181593)
2109ab6
- updated ldap patch (#981058)
2109ab6
- fixed vendor-patchlevel
2109ab6
- add new option GSSAPIEnablek5users and disable using ~/.k5users by default CVE-2014-9278 (#1170745)
2109ab6
62986c5
* Fri Dec 19 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-10 + 0.9.3-3
62986c5
- log via monitor in chroots without /dev/log
62986c5
276c16c
* Wed Dec 03 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-9 + 0.9.3-3
276c16c
- the .local domain example should be in ssh_config, not in sshd_config
276c16c
- use different values for DH for Cisco servers (#1026430)
276c16c
823364a
* Thu Nov 13 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-8 + 0.9.3-3
823364a
- fix gsskex patch to correctly handle MONITOR_REQ_GSSSIGN request (#1118005)
823364a
a1e1ac2
* Fri Nov 07 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-7 + 0.9.3-3
a1e1ac2
- correct the calculation of bytes for authctxt->krb5_ccname <ams@corefiling.com> (#1161073)
a1e1ac2
3b7c862
* Tue Nov 04 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-6 + 0.9.3-3
3b7c862
- privsep_preauth: use SELinux context from selinux-policy (#1008580)
3b7c862
- change audit trail for unknown users (mindrot#2245)
3b7c862
- fix kuserok patch which checked for the existence of .k5login
3b7c862
  unconditionally and hence prevented other mechanisms from being used properly
3b7c862
- revert the default of KerberosUseKuserok back to yes (#1153076)
3b7c862
- ignore SIGXFSZ in postauth monitor (mindrot#2263)
3b7c862
- sshd-keygen - don't generate DSA and ED25519 host keys in FIPS mode
3b7c862
afde9f8
* Mon Sep 08 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-5 + 0.9.3-3
afde9f8
- set a client's address right after a connection is set (mindrot#2257)
afde9f8
- apply RFC3454 stringprep to banners when possible (mindrot#2058)
afde9f8
- don't consider a partial success as a failure (mindrot#2270)
afde9f8
662c5a0
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 6.6.1p1-4.1
662c5a0
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
662c5a0
e336e33
* Fri Jul 18 2014 Tom Callaway <spot@fedoraproject.org> 6.6.1p1-4 + 0.9.3-3
e336e33
- fix license handling (both)
e336e33
8ff21c9
* Fri Jul 18 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-3 + 0.9.3-2
8ff21c9
- standardise on NI_MAXHOST for gethostname() string lengths (#1051490)
8ff21c9
cef0d58
* Mon Jul 14 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-2 + 0.9.3-2
cef0d58
- add pam_reauthorize.so to sshd.pam (#1115977)
cef0d58
- spec file and patches cleanup
cef0d58
d1b0938
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 6.6.1p1-1.1
d1b0938
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
d1b0938
5cde9cd
* Tue Jun 03 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-1 + 0.9.3-2
5cde9cd
- disable the curve25519 KEX when speaking to OpenSSH 6.5 or 6.6
5cde9cd
- add support for ED25519 keys to sshd-keygen and sshd.sysconfig
5cde9cd
- drop openssh-server-sysvinit subpackage
5cde9cd
- slightly change systemd units logic - use sshd-keygen.service (#1066615)
5cde9cd
94c6f8d
* Tue Jun 03 2014 Petr Lautrbach <plautrba@redhat.com> 6.6p1-1 + 0.9.3-2
94c6f8d
- new upstream release openssh-6.6p1
94c6f8d
d755752
* Thu May 15 2014 Petr Lautrbach <plautrba@redhat.com> 6.4p1-4 + 0.9.3-1
d755752
- use SSH_COPY_ID_LEGACY variable to run ssh-copy-id in the legacy mode
d755752
- make /etc/ssh/moduli file public (#1043661)
d755752
- test existence of /etc/ssh/ssh_host_ecdsa_key in sshd-keygen.service
d755752
- don't clean up gssapi credentials by default (#1055016)
d755752
- ssh-agent - try CLOCK_BOOTTIME with fallback (#1091992)
d755752
- prevent a server from skipping SSHFP lookup - CVE-2014-2653 (#1081338)
d755752
- ignore environment variables with embedded '=' or '\0' characters - CVE-2014-2532
d755752
  (#1077843)
d755752
222dd2e
* Wed Dec 11 2013 Petr Lautrbach <plautrba@redhat.com> 6.4p1-3 + 0.9.3-1
222dd2e
- sshd-keygen - use correct permissions on ecdsa host key (#1023945)
222dd2e
- use only rsa and ecdsa host keys by default
222dd2e
89d920b
* Tue Nov 26 2013 Petr Lautrbach <plautrba@redhat.com> 6.4p1-2 + 0.9.3-1
89d920b
- fix fatal() cleanup in the audit patch (#1029074)
89d920b
- fix parsing logic of ldap.conf file (#1033662)
89d920b
09e9ef3
* Fri Nov 08 2013 Petr Lautrbach <plautrba@redhat.com> 6.4p1-1 + 0.9.3-1
09e9ef3
- new upstream release
09e9ef3
3ed6191
* Fri Nov 01 2013 Petr Lautrbach <plautrba@redhat.com> 6.3p1-5 + 0.9.3-7
3ed6191
- adjust gss kex mechanism to the upstream changes (#1024004)
3ed6191
- don't use xfree in pam_ssh_agent_auth sources <geertj@gmail.com> (#1024965)
3ed6191
7feb965
* Fri Oct 25 2013 Petr Lautrbach <plautrba@redhat.com> 6.3p1-4 + 0.9.3-6
7feb965
- rebuild with the openssl with the ECC support
7feb965
a5e23f2
* Thu Oct 24 2013 Petr Lautrbach <plautrba@redhat.com> 6.3p1-3 + 0.9.3-6
a5e23f2
- don't use SSH_FP_MD5 for fingerprints in FIPS mode
a5e23f2
ff7a26b
* Wed Oct 23 2013 Petr Lautrbach <plautrba@redhat.com> 6.3p1-2 + 0.9.3-6
ff7a26b
- use default_ccache_name from /etc/krb5.conf for a kerberos cache (#991186)
ff7a26b
- increase the size of the Diffie-Hellman groups (#1010607)
ff7a26b
- sshd-keygen to generate ECDSA keys <i.grok@comcast.net> (#1019222)
ff7a26b
e40d5d1
* Tue Oct 15 2013 Petr Lautrbach <plautrba@redhat.com> 6.3p1-1.1 + 0.9.3-6
a92e916
- new upstream release (#1007769)
a92e916
c33ef55
* Tue Oct 08 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-9 + 0.9.3-5
c33ef55
- use dracut-fips package to determine if a FIPS module is installed
c33ef55
- revert -fips subpackages and hmac files suffixes
c33ef55
f344f84
* Wed Sep 25 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-8 + 0.9.3-5
f344f84
- sshd-keygen: generate only RSA keys by default (#1010092)
f344f84
- use dist tag in suffixes for hmac checksum files
f344f84
eba55f9
* Wed Sep 11 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-7 + 0.9.3-5
eba55f9
- use hmac_suffix for ssh{,d} hmac checksums
eba55f9
- bump the minimum value of SSH_USE_STRONG_RNG to 14 according to SP800-131A
eba55f9
- automatically restart sshd.service on-failure after 42s interval
eba55f9
a19397f
* Thu Aug 29 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-6.1 + 0.9.3-5
f4e927b
- add -fips subpackages that contains the FIPS module files
f4e927b
631ffb2
* Wed Jul 31 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-5 + 0.9.3-5
631ffb2
- gssapi credentials need to be stored before a pam session opened (#987792)
631ffb2
115aad3
* Tue Jul 23 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-4 + 0.9.3-5
115aad3
- don't show Success for EAI_SYSTEM (#985964)
115aad3
- make sftp's libedit interface marginally multibyte aware (#841771)
115aad3
66608a1
* Mon Jun 17 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-3 + 0.9.3-5
66608a1
- move default gssapi cache to /run/user/<uid> (#848228)
66608a1
e99c484
* Tue May 21 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-2 + 0.9.3-5
e99c484
- add socket activated sshd units to the package (#963268)
e99c484
- fix the example in the HOWTO.ldap-keys
e99c484
21acbc4
* Mon May 20 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-1 + 0.9.3-5
21acbc4
- new upstream release (#963582)
21acbc4
a92d744
* Wed Apr 17 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p1-4 + 0.9.3-4
a92d744
- don't use export in sysconfig file (#953111)
a92d744
c276d31
* Tue Apr 16 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p1-3 + 0.9.3-4
c276d31
- sshd.service: use KillMode=process (#890376)
c276d31
- add latest config.{sub,guess} to support aarch64 (#926284)
c276d31
1042786
* Tue Apr 09 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p1-2 + 0.9.3-4
1042786
- keep track of which IdentityFile options were manually supplied and
1042786
  which were default options, and don't warn if the latter are missing.
1042786
  (mindrot#2084)
1042786
b6f89ab
* Tue Apr 09 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p1-1 + 0.9.3-4
b6f89ab
- new upstream release (#924727)
b6f89ab
1b95bc3
* Wed Mar 06 2013 Petr Lautrbach <plautrba@redhat.com> 6.1p1-7 + 0.9.3-3
1b95bc3
- use SELinux type sshd_net_t for [net] children (#915085)
1b95bc3
2a7883d
* Thu Feb 14 2013 Petr Lautrbach <plautrba@redhat.com> 6.1p1-6 + 0.9.3-3
2a7883d
- fix AuthorizedKeysCommand option
2a7883d
cab7f53
* Fri Feb 08 2013 Petr Lautrbach <plautrba@redhat.com> 6.1p1-5 + 0.9.3-3
cab7f53
- change default value of MaxStartups - CVE-2010-5107 (#908707)
cab7f53
7642de9
* Mon Dec 03 2012 Petr Lautrbach <plautrba@redhat.com> 6.1p1-4 + 0.9.3-3
7642de9
- fix segfault in openssh-5.8p2-force_krb.patch (#882541)
7642de9
790103e
* Mon Dec 03 2012 Petr Lautrbach <plautrba@redhat.com> 6.1p1-3 + 0.9.3-3
790103e
- replace RequiredAuthentications2 with AuthenticationMethods based on upstream
790103e
- obsolete RequiredAuthentications[12] options
790103e
- fix openssh-6.1p1-privsep-selinux.patch
790103e
af2ebf7
* Fri Oct 26 2012 Petr Lautrbach <plautrba@redhat.com> 6.1p1-2
af2ebf7
- add SELinux comment to /etc/ssh/sshd_config about SELinux command to modify port (#861400)
af2ebf7
- drop required chkconfig (#865498)
af2ebf7
- drop openssh-5.9p1-sftp-chroot.patch (#830237)
af2ebf7
d0630aa
* Sat Sep 15 2012 Petr Lautrbach <plautrba@redhat.com> 6.1p1-1 + 0.9.3-3
d0630aa
- new upstream release (#852651)
d0630aa
- use DIR: kerberos type cache (#848228)
d0630aa
- don't use chroot_user_t for chrooted users (#830237)
d0630aa
- replace scriptlets with systemd macros (#850249)
d0630aa
- don't use /bin and /sbin paths (#856590)
d0630aa
65ba94e
* Mon Aug 06 2012 Petr Lautrbach <plautrba@redhat.com> 6.0p1-1 + 0.9.3-2
65ba94e
- new upstream release
65ba94e
90e11f3
* Mon Aug 06 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-26 + 0.9.3-1
90e11f3
- change SELinux context also for root user (#827109)
90e11f3
b648890
* Fri Jul 27 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-25 + 0.9.3-1
b648890
- fix various issues in openssh-5.9p1-required-authentications.patch
b648890
e962030
* Tue Jul 17 2012 Tomas Mraz <tmraz@redhat.com> 5.9p1-24 + 0.9.3-1
e962030
- allow sha256 and sha512 hmacs in the FIPS mode
e962030
4f4687c
* Fri Jun 22 2012 Tomas Mraz <tmraz@redhat.com> 5.9p1-23 + 0.9.3-1
4f4687c
- fix segfault in su when pam_ssh_agent_auth is used and the ssh-agent
4f4687c
  is not running, most probably not exploitable
4f4687c
- update pam_ssh_agent_auth to 0.9.3 upstream version
4f4687c
2649d91
* Fri Apr 06 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-22 + 0.9.2-32
2649d91
- don't create RSA1 key in FIPS mode
2649d91
- don't install sshd-keygen.service (#810419)
2649d91
7294a99
* Fri Mar 30 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-21 + 0.9.2-32
7294a99
- fix various issues in openssh-5.9p1-required-authentications.patch
7294a99
22f0191
* Wed Mar 21 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-20 + 0.9.2-32
22f0191
- Fix dependencies in systemd units, don't enable sshd-keygen.service (#805338)
22f0191
33e0acc
* Wed Feb 22 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-19 + 0.9.2-32
33e0acc
- Look for x11 forward sockets with AI_ADDRCONFIG flag getaddrinfo (#735889)
33e0acc
d3ab957
* Mon Feb 06 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-18 + 0.9.2-32
d3ab957
- replace TwoFactorAuth with RequiredAuthentications[12]
d3ab957
  https://bugzilla.mindrot.org/show_bug.cgi?id=983
d3ab957
21699d5
* Tue Jan 31 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-17 + 0.9.2-32
21699d5
- run privsep slave process in the user's SELinux context (#781634)
21699d5
19725a9
* Tue Dec 13 2011 Tomas Mraz <tmraz@redhat.com> 5.9p1-16 + 0.9.2-32
017c65d
- add CAVS test driver for the aes-ctr ciphers
017c65d
19725a9
* Sun Dec 11 2011 Tomas Mraz <tmraz@redhat.com> 5.9p1-15 + 0.9.2-32
6148abd
- enable aes-ctr ciphers to use the EVP engines from OpenSSL such as AES-NI
6148abd
2e12878
* Tue Dec 06 2011 Petr Lautrbach <plautrba@redhat.com> 5.9p1-14 + 0.9.2-32
2e12878
- warn about unsupported option UsePAM=no (#757545)
2e12878
4fc1674
* Mon Nov 21 2011 Tomas Mraz <tmraz@redhat.com> - 5.9p1-13 + 0.9.2-32
4fc1674
- add back the restorecon call to ssh-copy-id - it might be needed on older
4fc1674
  distributions (#739989)
4fc1674
17eb103
* Fri Nov 18 2011 Tomas Mraz <tmraz@redhat.com> - 5.9p1-12 + 0.9.2-32
17eb103
- still support /etc/sysconfig/sshd loading in sshd service (#754732)
81da99e
- fix incorrect key permissions generated by sshd-keygen script (#754779)
17eb103
0fcb25a
* Fri Oct 14 2011 Tomas Mraz <tmraz@redhat.com> - 5.9p1-11 + 0.9.2-32
0fcb25a
- remove unnecessary requires on initscripts
0fcb25a
- set VerifyHostKeyDNS to ask in the default configuration (#739856)
0fcb25a
Jan F. Chadima 28b0dc6
* Mon Sep 19 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-10 + 0.9.2-32
Jan F. Chadima 28b0dc6
- selinux sandbox rewrite
Jan F. Chadima 28b0dc6
- two factor authentication tweaking
Jan F. Chadima 28b0dc6
Jan F. Chadima cff1d0c
* Wed Sep 14 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-9 + 0.9.2-32
Jan F. Chadima cff1d0c
- coverity upgrade
Jan F. Chadima cff1d0c
- wipe off nonfunctional nss
Jan F. Chadima cff1d0c
- selinux sandbox tweaking
Jan F. Chadima cff1d0c
Jan F. Chadima c870e66
* Tue Sep 13 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-8 + 0.9.2-32
Jan F. Chadima c870e66
- coverity upgrade
Jan F. Chadima c870e66
- experimental selinux sandbox
Jan F. Chadima c870e66
JFCH c2ea13d
* Tue Sep 13 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-7 + 0.9.2-32
JFCH c2ea13d
- fully reenable auditing
JFCH c2ea13d
Jan F. Chadima 1df0cf4
* Mon Sep 12 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-6 + 0.9.2-32
Jan F. Chadima 1df0cf4
- repair signedness in akc patch
Jan F. Chadima 1df0cf4
Jan F. Chadima 026db1c
* Mon Sep 12 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-5 + 0.9.2-32
Jan F. Chadima 39b26b5
- temporarily disable part of audit4 patch
Jan F. Chadima 39b26b5
Jan F. Chadima ea97ffa
* Fri Sep  9 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-3 + 0.9.2-32
Jan F. Chadima ea97ffa
- Coverity second pass
Jan F. Chadima ea97ffa
- Reenable akc patch
Jan F. Chadima ea97ffa
Jan F. Chadima 3b545be
* Thu Sep  8 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-2 + 0.9.2-32
Jan F. Chadima 3b545be
- Coverity first pass
Jan F. Chadima 3b545be
Jan F. Chadima 311e6bb
* Wed Sep  7 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-1 + 0.9.2-32
Jan F. Chadima 311e6bb
- Rebase to 5.9p1
Jan F. Chadima 311e6bb
- Add chroot sftp patch
Jan F. Chadima 311e6bb
- Add two factor auth patch
Jan F. Chadima 311e6bb
Jan F. Chadima 19d4c79
* Tue Aug 23 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-21 + 0.9.2-31
Jan F. Chadima 19d4c79
- ignore SIGPIPE in ssh keyscan
Jan F. Chadima 19d4c79
Jan F. Chadima 2b67a53
* Tue Aug  9 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-20 + 0.9.2-31
Jan F. Chadima 2b67a53
- save ssh-askpass's debuginfo
Jan F. Chadima 2b67a53
Jan F. Chadima 56b50ec
* Mon Aug  8 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-19 + 0.9.2-31
Jan F. Chadima 56b50ec
- compile ssh-askpass with correct CFLAGS
Jan F. Chadima 56b50ec
Jan F. Chadima 54f33f6
* Mon Aug  8 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-18 + 0.9.2-31
Jan F. Chadima 54f33f6
- improve selinux's change context log 
Jan F. Chadima 54f33f6
Jan F. Chadima ec36224
* Mon Aug  8 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-17 + 0.9.2-31
Jan F. Chadima ec36224
- repair broken man pages
Jan F. Chadima ec36224
Jan F. Chadima d704eab
* Mon Jul 25 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-16 + 0.9.2-31
Jan F. Chadima ec36224
- rebuild due to broken rpmbuild
Jan F. Chadima d704eab
Jan F. Chadima 294ca75
* Thu Jul 21 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-15 + 0.9.2-31
Jan F. Chadima 294ca75
- Do not change context when run under unconfined_t
Jan F. Chadima 294ca75
Jan F. Chadima d3d3406
* Thu Jul 14 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-14 + 0.9.2-31
Jan F. Chadima 0d4fd57
- Add postlogin to pam. (#718807)
Jan F. Chadima 0d4fd57
Jan F. Chadima d56cc37
* Tue Jun 28 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-12 + 0.9.2-31
Jan F 5c8b5cb
- Systemd compatibility according to Mathieu Bridon <bochecha@fedoraproject.org>
Jan F 5c8b5cb
- Split out the host keygen into their own command, to ease future migration
Jan F 5c8b5cb
  to systemd. Compatibility with the init script was kept.
Jan F 5c8b5cb
- Migrate the package to full native systemd unit files, according to the Fedora
Jan F 5c8b5cb
  packaging guidelines.
Jan F 5c8b5cb
- Prepare the unit files for running an ondemand server. (do not add it actually)
Jan F 5c8b5cb
Jan F 29b683c
* Tue Jun 21 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-10 + 0.9.2-31
Jan F 29b683c
- Mention IPv6 usage in man pages
Jan F 29b683c
Jan F d3542d5
* Mon Jun 20 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-9 + 0.9.2-31
Jan F ef264f5
- Improve init script
Jan F ef264f5
Jan F 6bd5ca2
* Thu Jun 16 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-7 + 0.9.2-31
Jan F 6bd5ca2
- Add possibility to compile openssh without downstream patches
Jan F 6bd5ca2
Jan F. Chadima 6a2cfe2
* Thu Jun  9 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-6 + 0.9.2-31
Jan F. Chadima 6a2cfe2
- remove stale control sockets (#706396)
Jan F. Chadima 6a2cfe2
Jan F bc60f31
* Tue May 31 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-5 + 0.9.2-31
Jan F bc60f31
- improve entropy manuals
Jan F bc60f31
Jan F 0e9135f
* Fri May 27 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-4 + 0.9.2-31
Jan F 0e9135f
- improve entropy handling
Jan F 0e9135f
- concat ldap patches
Jan F 0e9135f
Jan F ba32c8e
* Tue May 24 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-3 + 0.9.2-31
Jan F ba32c8e
- improve ldap manuals
Jan F ba32c8e
Jan F 5b4ccb3
* Mon May 23 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-2 + 0.9.2-31
Jan F 5b4ccb3
- add gssapi forced command
Jan F 5b4ccb3
Jan F 87ae976
* Tue May  3 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-1 + 0.9.2-31
Jan F c2c99d4
- update the openssh version
Jan F 87ae976
Jan F c0cd660
* Thu Apr 28 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-34 + 0.9.2-30
Jan F c0cd660
- temporarily disabling systemd units
Jan F c0cd660
Jan F 9c4d06a
* Wed Apr 27 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-33 + 0.9.2-30
Jan F 9c4d06a
- add flags AI_V4MAPPED and AI_ADDRCONFIG to getaddrinfo
Jan F 9c4d06a
Jan F 6077c76
* Tue Apr 26 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-32 + 0.9.2-30
Jan F 2cd304e
- update scriptlets
Jan F 2cd304e
Jan F 56091ff
* Fri Apr 22 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-30 + 0.9.2-30
Jan F 53f618d
- add systemd units
Jan F 53f618d
Jan F 53f618d
* Fri Apr 22 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-28 + 0.9.2-30
Jan F e93cf27
- improving sshd -> passwd transition
Jan F 0e46f27
- add template for .local domain to sshd_config
Jan F e93cf27
Jan F 1ddd0ee
* Thu Apr 21 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-27 + 0.9.2-30
Jan F 1ddd0ee
- the private keys may be 640 root:ssh_keys; ssh_keysign is sgid
Jan F 1ddd0ee
Jan F c7ffe02
* Wed Apr 20 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-26 + 0.9.2-30
Jan F c7ffe02
- improving sshd -> passwd transition
Jan F c7ffe02
Jan F 439c349
* Tue Apr  5 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-25 + 0.9.2-30
Jan F 8bc65c4
- the intermediate context is set to sshd_sftpd_t
Jan F 8bc65c4
- do not crash in packet.c if no connection
Jan F 8bc65c4
Jan F 8a77a1d
* Thu Mar 31 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-24 + 0.9.2-30
Jan F 8a77a1d
- resolve warnings in port_linux.c
Jan F 8a77a1d
Jan F 11896aa
* Tue Mar 29 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-23 + 0.9.2-30
Jan F 11896aa
- add /etc/sysconfig/sshd
Jan F 11896aa
Jan F 0553df8
* Mon Mar 28 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-22 + 0.9.2-30
Jan F 0553df8
- improve reseeding and seed source (documentation)
Jan F e6d33e3
Jan F 39c7b05
* Tue Mar 22 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-20 + 0.9.2-30
Jan F 3657adf
- use /dev/random or /dev/urandom for seeding prng
Jan F 39c7b05
- improve periodical reseeding of random generator
Jan F 3657adf
Jan F 8fe1509
* Thu Mar 17 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-18 + 0.9.2-30
Jan F 8fe1509
- add periodical reseeding of random generator 
Jan F 8fe1509
- change selinux context for internal sftp in do_usercontext
Jan F 8fe1509
- exit(0) after sigterm
Jan F 8fe1509
Jan F 9404cdd
* Thu Mar 10 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-17 + 0.9.2-30
Jan F 9404cdd
- improve ssh-ldap (documentation)
Jan F 9404cdd
Jan F d1fc5c2
* Tue Mar  8 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-16 + 0.9.2-30
Jan F d1fc5c2
- improve session keys audit
Jan F d1fc5c2
Jan F 71d3d9c
* Mon Mar  7 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-15 + 0.9.2-30
Jan F 71d3d9c
- CVE-2010-4755
Jan F 71d3d9c
Jan F 825921b
* Fri Mar  4 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-14 + 0.9.2-30
Jan F 9404cdd
- improve ssh-keycat (documentation)
Jan F 825921b
Jan F edc1723
* Thu Mar  3 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-13 + 0.9.2-30
Jan F edc1723
- improve audit of logins and auths
Jan F edc1723
Jan F 1499a28
* Tue Mar  1 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-12 + 0.9.2-30
Jan F 1499a28
- improve ssh-keycat
Jan F 1499a28
Jan F 99f4276
* Mon Feb 28 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-11 + 0.9.2-30
Jan F 99f4276
- add ssh-keycat
Jan F 99f4276
Jan F b934981
* Fri Feb 25 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-10 + 0.9.2-30
Jan F b934981
- reenable auth-keys ldap backend
Jan F b934981
Jan F 48446f1
* Fri Feb 25 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-9 + 0.9.2-30
Jan F 48446f1
- more audit improvements
Jan F 48446f1
Jan F f9ff105
* Thu Feb 24 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-8 + 0.9.2-30
Jan F 9cefae0
- more audit improvements
Jan F 48446f1
- switchable fingerprint mode
Jan F 9cefae0
Jan F 2c1a4ad
* Thu Feb 17 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-4 + 0.9.2-30
Jan F 48446f1
- improve audit of server key management
Jan F 2c1a4ad
Jan F b9127ef
* Wed Feb 16 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-3 + 0.9.2-30
Jan F 483c733
- improve audit of logins and auths
Jan F 483c733
Jan F 003cb0b
* Mon Feb 14 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-1 + 0.9.2-30
Jan F 003cb0b
- bump openssh version to 5.8p1
Jan F 003cb0b
fa335ee
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.6p1-30.1
fa335ee
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
fa335ee
Jan F cfb0f30
* Mon Feb  7 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-30 + 0.9.2-29
Jan F cfb0f30
- clean the data structures in the non privileged process
Jan F 865391f
- clean the data structures when roaming
Jan F 865391f
19725a9
* Wed Feb  2 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-28 + 0.9.2-29
Jan F 6f93166
- clean the data structures in the privileged process
Jan F 6f93166
Jan F f00e4a3
* Tue Jan 25 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-25 + 0.9.2-29
Jan F f00e4a3
- clean the data structures before exit net process
Jan F f00e4a3
Jan F af87384
* Mon Jan 17 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-24 + 0.9.2-29
Jan F af87384
- make audit compatible with the fips mode
Jan F af87384
Jan F 92eab14
* Fri Jan 14 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-23 + 0.9.2-29
Jan F 92eab14
- add audit of destruction of the server keys
Jan F 92eab14
Jan F 5c20fa8
* Wed Jan 12 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-22 + 0.9.2-29
Jan F 5c20fa8
- add audit of destruction of the session keys
Jan F 5c20fa8
Jan F. Chadima a7cb7d2
* Fri Dec 10 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-21 + 0.9.2-29
Jan F. Chadima a7cb7d2
- reenable run sshd as non root user
Jan F. Chadima a7cb7d2
- reenable rekeying
Jan F. Chadima a7cb7d2
Jan F 436639a
* Wed Nov 24 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-20 + 0.9.2-29
Jan F 436639a
- repair clientloop crash (#627332)
Jan F bb5eb00
- properly restore euid in case connect to the ssh-agent socket fails
Jan F bb5eb00
Jan F. Chadima d2ed53b
* Mon Nov 22 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-19 + 0.9.2-28
Jan F. Chadima d2ed53b
- stripped read permissions from suid and sgid binaries
Jan F. Chadima d2ed53b
Jan F 7c53d7e
* Mon Nov 15 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-18 + 0.9.2-27
Jan F 7c53d7e
- used upstream version of the biguid patch
Jan F 7c53d7e
Jan F 82036ab
* Mon Nov 15 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-17 + 0.9.2-27
Jan F 82036ab
- improved kuserok patch
Jan F 82036ab
Jan F 5daee12
* Fri Nov  5 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-16 + 0.9.2-27
Jan F 5daee12
- add auditing of host-based key usage
Jan F 5daee12
- repair X11 abstract layer socket (#648896)
Jan F 5daee12
Jan F. Chadima f44bdee
* Wed Nov  3 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-15 + 0.9.2-27
Jan F. Chadima f44bdee
- add auditing of the kex result
Jan F. Chadima f44bdee
19725a9
* Tue Nov  2 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-14 + 0.9.2-27
Jan F 0f4c82e
- add auditing of key usage
Jan F 0f4c82e
19725a9
* Wed Oct 20 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-12 + 0.9.2-27
Jan F 2d0bc8b
- update gsskex patch (#645389)
Jan F 2d0bc8b
Jan F ba25ecf
* Wed Oct 20 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-11 + 0.9.2-27
Jan F ba25ecf
- rebase linux audit according to upstream
Jan F ba25ecf
Jan F. Chadima cf74d50
* Fri Oct  1 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-10 + 0.9.2-27
Jan F. Chadima cf74d50
- add missing headers to linux audit
Jan F. Chadima cf74d50
Jan F faae1e8
* Wed Sep 29 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-9 + 0.9.2-27
Jan F faae1e8
- audit module now uses openssh audit framework
Jan F faae1e8
Jan F 46c77f5
* Wed Sep 15 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-8 + 0.9.2-27
Jan F 46c77f5
- Add the GSSAPI kuserok switch to the kuserok patch
Jan F 46c77f5
Jan F 4c4aa13
* Wed Sep 15 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-7 + 0.9.2-27
Jan F 4c4aa13
- Repaired the kuserok patch
Jan F 4c4aa13
Jan F ce0606e
* Mon Sep 13 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-6 + 0.9.2-27
Jan F ce0606e
- Repaired the problem with putting entries with very big uid into lastlog
Jan F ce0606e
Jan F 84d568a
* Mon Sep 13 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-5 + 0.9.2-27
Jan F 84d568a
- Merging selabel patch with the upstream version. (#632914)
Jan F 84d568a
Jan F 93909d9
* Mon Sep 13 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-4 + 0.9.2-27
Jan F 84d568a
- Tweaking selabel patch to work properly without selinux rules loaded. (#632914)
Jan F 93909d9
13fa787
* Wed Sep  8 2010 Tomas Mraz <tmraz@redhat.com> - 5.6p1-3 + 0.9.2-27
13fa787
- Make fipscheck hmacs compliant with FHS - requires new fipscheck
13fa787
Jan F f7e15d5
* Fri Sep  3 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-2 + 0.9.2-27
Jan F f7e15d5
- Added -z relro -z now to LDFLAGS
Jan F f7e15d5
Jan F. Chadima c6801b9
* Fri Sep  3 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-1 + 0.9.2-27
Jan F. Chadima c6801b9
- Rebased to openssh5.6p1
Jan F. Chadima c6801b9
7818e56
* Wed Jul  7 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-18 + 0.9.2-26
7818e56
- merged with newer bugzilla's version of authorized keys command patch
7818e56
eb358aa
* Wed Jun 30 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-17 + 0.9.2-26
eb358aa
- improved the x11 patch according to upstream (#598671)
eb358aa
19725a9
* Fri Jun 25 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-16 + 0.9.2-26
a3dee6b
- improved the x11 patch (#598671)
a3dee6b
41a56c5
* Thu Jun 24 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-15 + 0.9.2-26
41a56c5
- changed _PATH_UNIX_X to nonexistent file name (#598671)
41a56c5
411b917
* Wed Jun 23 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-14 + 0.9.2-26
411b917
- sftp works in deviceless chroot again (broken from 5.5p1-3)
411b917
59d42d3
* Tue Jun  8 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-13 + 0.9.2-26
59d42d3
- add option to switch out krb5_kuserok
59d42d3
2fd1054
* Fri May 21 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-12 + 0.9.2-26
2fd1054
- synchronize uid and gid for the user sshd
2fd1054
b1a625a
* Thu May 20 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-11 + 0.9.2-26
b1a625a
- Typo in ssh-ldap.conf(5) and ssh-ldap-helper(8)
b1a625a
99d9a39
* Fri May 14 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-10 + 0.9.2-26
99d9a39
- Repair the reference in man ssh-ldap-helper(8)
99d9a39
- Repair the PubkeyAgent section in sshd_config(5)
99d9a39
- Provide example ldap.conf
99d9a39
222d52d
* Thu May 13 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-9 + 0.9.2-26
222d52d
- Make the Ldap configuration widely compatible
222d52d
- create the additional docs for LDAP support.
222d52d
4669c37
* Thu May  6 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-8 + 0.9.2-26
4669c37
- Make LDAP config elements TLS_CACERT and TLS_REQCERT compatible with pam_ldap (#589360)
4669c37
b6bdf18
* Thu May  6 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-7 + 0.9.2-26
b6bdf18
- Make LDAP config element tls_checkpeer compatible with nss_ldap (#589360)
b6bdf18
6fa4d80
* Tue May  4 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-6 + 0.9.2-26
6fa4d80
- Comment spec.file
6fa4d80
- Sync patches from upstream
6fa4d80
3fdf10c
* Mon May  3 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-5 + 0.9.2-26
3fdf10c
- Create separate ldap package
3fdf10c
- Tweak the ldap patch
3fdf10c
- Rename stderr patch properly
3fdf10c
19725a9
* Thu Apr 29 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-4 + 0.9.2-26
7e7fb42
- Added LDAP support
7e7fb42
2220e68
* Mon Apr 26 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-3 + 0.9.2-26
2220e68
- Ignore .bashrc output to stderr in the subsystems
2220e68
9e777a2
* Tue Apr 20 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-2 + 0.9.2-26
9e777a2
- Drop dependency on man
9e777a2
82bc825
* Fri Apr 16 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-1 + 0.9.2-26
82bc825
- Update to 5.5p1
82bc825
b823409
* Fri Mar 12 2010 Jan F. Chadima <jchadima@redhat.com> - 5.4p1-3 + 0.9.2-25
50a3ddb
- repair configure script of pam_ssh_agent
b823409
- repair error message in ssh-keygen
50a3ddb
2640293
* Fri Mar 12 2010 Jan F. Chadima <jchadima@redhat.com> - 5.4p1-2
2640293
- source krb5-devel profile script only if exists
2640293
d1a73d1
* Tue Mar  9 2010 Jan F. Chadima <jchadima@redhat.com> - 5.4p1-1
d1a73d1
- Update to 5.4p1
04cab1d
- discontinued support for nss-keys
04cab1d
- discontinued support for scard
d1a73d1
974c89c
* Wed Mar  3 2010 Jan F. Chadima <jchadima@redhat.com> - 5.4p1-0.snap20100302.1
974c89c
- Prepare update to 5.4p1
974c89c
806a11f
* Mon Feb 15 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-22
806a11f
- ImplicitDSOLinking (#564824)
806a11f
a2a0cf4
* Fri Jan 29 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-21
a2a0cf4
- Allow to use hardware crypto if available (#559555)
a2a0cf4
606b55d
* Mon Jan 25 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-20
606b55d
- optimized FD_CLOEXEC on accept socket (#541809)
606b55d
7451555
* Mon Jan 25 2010 Tomas Mraz <tmraz@redhat.com> - 5.3p1-19
7451555
- updated pam_ssh_agent_auth to new version from upstream (just
7451555
  a licence change)
7451555
e39eb5b
* Thu Jan 21 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-18
e39eb5b
- optimized RAND_cleanup patch (#557166)
e39eb5b
28355b8
* Wed Jan 20 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-17
28355b8
- add RAND_cleanup at the exit of each program using RAND (#557166)
28355b8
3131004
* Tue Jan 19 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-16
3131004
- set FD_CLOEXEC on accepted socket (#541809)
3131004
37c0ae0
* Fri Jan  8 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-15
b8bdc7c
- replaced define by global in macros
b8bdc7c
9051e57
* Tue Jan  5 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-14
9051e57
- Update the pka patch
9051e57
ecd50fd
* Mon Dec 21 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-13
ecd50fd
- Update the audit patch
ecd50fd
c32d4ac
* Fri Dec  4 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-12
c32d4ac
- Add possibility to autocreate only RSA key into initscript (#533339)
c32d4ac
6323f67
* Fri Nov 27 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-11
6323f67
- Prepare NSS key patch for future SEC_ERROR_LOCKED_PASSWORD (#537411)
6323f67
0a64234
* Tue Nov 24 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-10
0a64234
- Update NSS key patch (#537411, #356451)
0a64234
0a64234
* Fri Nov 20 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-9
3d742c1
- Add gssapi key exchange patch (#455351)
3d742c1
3d742c1
* Fri Nov 20 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-8
201f4ac
- Add public key agent patch (#455350)
201f4ac
d2767e5
* Mon Nov  2 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-7
d2767e5
- Repair canohost patch to allow gssapi to work when host is accessed via pipe proxy (#531849)
d2767e5
5fb555b
* Thu Oct 29 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-6
5fb555b
- Modify the init script to prevent it from hanging while generating the keys (#515145)
5fb555b
838d936
* Tue Oct 27 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-5
838d936
- Add README.nss
838d936
e47cb00
* Mon Oct 19 2009 Tomas Mraz <tmraz@redhat.com> - 5.3p1-4
e47cb00
- Add pam_ssh_agent_auth module to a subpackage.
e47cb00
2ed3f9b
* Fri Oct 16 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-3
2ed3f9b
- Reenable audit.
2ed3f9b
c54a8b0
* Fri Oct  2 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-2
35695c0
- Upgrade to new version 5.3p1
35695c0
71e8744
* Tue Sep 29 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-29
71e8744
- Resolve locking in ssh-add (#491312)
71e8744
f013bee
* Thu Sep 24 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-28
cee78eb
- Repair initscript to accord with guidelines (#521860)
cee78eb
- Add bugzilla# to application of edns and xmodifiers patch
cee78eb
4330e6a
* Wed Sep 16 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-26
4330e6a
- Changed pam stack to password-auth
4330e6a
0447c9e
* Fri Sep 11 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-25
0447c9e
- Dropped homechroot patch
0447c9e
257d66a
* Mon Sep  7 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-24
257d66a
- Add check for nosuid, nodev in homechroot
257d66a
49d0cf7
* Tue Sep  1 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-23
49d0cf7
- add correct patch for ip-opts
49d0cf7
bd8eb96
* Tue Sep  1 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-22
bd8eb96
- replace ip-opts patch by an upstream candidate version
bd8eb96
ce94dae
* Mon Aug 31 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-21
726565c
- rearrange selinux patch to be acceptable for upstream
726565c
- replace seftp patch by an upstream version
726565c
15914f2
* Fri Aug 28 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-20
15914f2
- merged xmodifiers to redhat patch
15914f2
- merged gssapi-role to selinux patch
15914f2
- merged cve-2007_3102 to audit patch
15914f2
- sesftp patch only with WITH_SELINUX flag
56bb420
- rearrange sesftp patch according to upstream request
15914f2
214b7b9
* Wed Aug 26 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-19
214b7b9
- minor change in sesftp patch
214b7b9
80bcb17
* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 5.2p1-18
80bcb17
- rebuilt with new openssl
80bcb17
986cee7
* Thu Jul 30 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-17
cee78eb
- Added dnssec support. (#205842)
986cee7
42c5391
* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.2p1-16
42c5391
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
42c5391
aa89838
* Fri Jul 24 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-15
aa89838
- only INTERNAL_SFTP can be home-chrooted
aa89838
- save _u and _r parts of context changing to sftpd_t
aa89838
3d6b00a
* Fri Jul 17 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-14
3d6b00a
- changed internal-sftp context to sftpd_t
3d6b00a
3d6b00a
* Fri Jul  3 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-13
3d6b00a
- changed home length path patch to upstream version
3d6b00a
3d6b00a
* Tue Jun 30 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-12
ca05b36
- create '~/.ssh/known_hosts' within proper context
ca05b36
f4b0b4b
* Mon Jun 29 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-11
f4b0b4b
- length of home path in ssh now limited by PATH_MAX
ca05b36
- correct timezone with daylight processing
f4b0b4b
eca05fc
* Sat Jun 27 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-10
eca05fc
- final version chroot %%h (sftp only)
eca05fc
c1398b8
* Tue Jun 23 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-9
c1398b8
- repair broken ls in chroot %%h
c1398b8
ecd8460
* Fri Jun 12 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-8
cee78eb
- add XMODIFIERS to exported environment (#495690)
e45f2ca
76f329e
* Fri May 15 2009 Tomas Mraz <tmraz@redhat.com> - 5.2p1-6
76f329e
- allow only protocol 2 in the FIPS mode
76f329e
685b623
* Thu Apr 30 2009 Tomas Mraz <tmraz@redhat.com> - 5.2p1-5
685b623
- do integrity verification only on binaries which are part
685b623
  of the OpenSSH FIPS modules
685b623
0a4fa5d
* Mon Apr 20 2009 Tomas Mraz <tmraz@redhat.com> - 5.2p1-4
0a4fa5d
- log if FIPS mode is initialized
0a4fa5d
- make aes-ctr cipher modes work in the FIPS mode
0a4fa5d
061e214
* Fri Apr  3 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-3
061e214
- fix logging after chroot
3a94ae1
- enable non root users to use chroot %%h in internal-sftp
061e214
0f07b4a
* Fri Mar 13 2009 Tomas Mraz <tmraz@redhat.com> - 5.2p1-2
0f07b4a
- add AES-CTR ciphers to the FIPS mode proposal
0f07b4a
0f07b4a
* Mon Mar  9 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-1
a3ba41c
- upgrade to new upstream release
a3ba41c
c5f25a5
* Thu Feb 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.1p1-8
c5f25a5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
c5f25a5
d93958d
* Thu Feb 12 2009 Tomas Mraz <tmraz@redhat.com> - 5.1p1-7
d93958d
- drop obsolete triggers
d93958d
- add testing FIPS mode support
d93958d
- LSBize the initscript (#247014)
d93958d
ff6d597
* Fri Jan 30 2009 Tomas Mraz <tmraz@redhat.com> - 5.1p1-6
ff6d597
- enable use of ssl engines (#481100)
ff6d597
6a5e296
* Thu Jan 15 2009 Tomas Mraz <tmraz@redhat.com> - 5.1p1-5
6a5e296
- remove obsolete --with-rsh (#478298)
6a5e296
- add pam_sepermit to allow blocking confined users in permissive mode
6a5e296
  (#471746)
6a5e296
- move system-auth after pam_selinux in the session stack
6a5e296
9e5c6ec
* Thu Dec 11 2008 Tomas Mraz <tmraz@redhat.com> - 5.1p1-4
9e5c6ec
- set FD_CLOEXEC on channel sockets (#475866)
9e5c6ec
- adjust summary
9e5c6ec
- adjust nss-keys patch so it is applicable without selinux patches (#470859)
9e5c6ec
b9a07ad
* Fri Oct 17 2008 Tomas Mraz <tmraz@redhat.com> - 5.1p1-3
b9a07ad
- fix compatibility with some servers (#466818)
b9a07ad
578f0d0
* Thu Jul 31 2008 Tomas Mraz <tmraz@redhat.com> - 5.1p1-2
578f0d0
- fixed zero length banner problem (#457326)
578f0d0
93a4744
* Wed Jul 23 2008 Tomas Mraz <tmraz@redhat.com> - 5.1p1-1
93a4744
- upgrade to new upstream release
93a4744
- fixed a problem with public key authentication and explicitly
93a4744
  specified SELinux role
93a4744
077dad7
* Wed May 21 2008 Tomas Mraz <tmraz@redhat.com> - 5.0p1-3
077dad7
- pass the connection socket to ssh-keysign (#447680)
077dad7
1961bc1
* Mon May 19 2008 Tomas Mraz <tmraz@redhat.com> - 5.0p1-2
1961bc1
- add LANGUAGE to accepted/sent environment variables (#443231)
1961bc1
- use pam_selinux to obtain the user context instead of doing it itself
1961bc1
- unbreak server keep alive settings (patch from upstream)
1961bc1
- small addition to scp manpage
1961bc1
ca47f63
* Mon Apr  7 2008 Tomas Mraz <tmraz@redhat.com> - 5.0p1-1
ca47f63
- upgrade to new upstream (#441066)
ca47f63
- prevent initscript from killing itself on halt with upstart (#438449)
ca47f63
- initscript status should show that the daemon is running
ca47f63
  only when the main daemon is still alive (#430882)
ca47f63
ca47f63
* Thu Mar  6 2008 Tomas Mraz <tmraz@redhat.com> - 4.7p1-10
ca47f63
- fix race on control master and cleanup stale control socket (#436311)
ca47f63
  patches by David Woodhouse
ca47f63
2cb0e73
* Fri Feb 29 2008 Tomas Mraz <tmraz@redhat.com> - 4.7p1-9
2cb0e73
- set FD_CLOEXEC on client socket
2cb0e73
- apply real fix for window size problem (#286181) from upstream
2cb0e73
- apply fix for the spurious failed bind from upstream
2cb0e73
- apply fix for open handle leak in sftp from upstream
2cb0e73
91bdf49
* Tue Feb 12 2008 Dennis Gilmore <dennis@ausil.us> - 4.7p1-8
91bdf49
- we build for sparcv9 now  and it needs -fPIE
91bdf49
993dd1a
* Thu Jan  3 2008 Tomas Mraz <tmraz@redhat.com> - 4.7p1-7
993dd1a
- fix gssapi auth with explicit selinux role requested (#427303) - patch
993dd1a
  by Nalin Dahyabhai
993dd1a
3457e3e
* Tue Dec  4 2007 Tomas Mraz <tmraz@redhat.com> - 4.7p1-6
2cc09c6
- explicitly source krb5-devel profile script
3457e3e
3457e3e
* Tue Dec 04 2007 Release Engineering <rel-eng at fedoraproject dot org> - 4.7p1-5
3457e3e
- Rebuild for openssl bump
9eac427
b1ffa00
* Tue Nov 20 2007 Tomas Mraz <tmraz@redhat.com> - 4.7p1-4
8b8c4dc
- do not copy /etc/localtime into the chroot as it is not
8b8c4dc
  necessary anymore (#193184)
8b8c4dc
- call setkeycreatecon when selinux context is established
8b8c4dc
- test for NULL privk when freeing key (#391871) - patch by
8b8c4dc
  Pierre Ossman
8b8c4dc
95be083
* Mon Sep 17 2007 Tomas Mraz <tmraz@redhat.com> - 4.7p1-2
95be083
- revert default window size adjustments (#286181)
95be083
c9833c9
* Thu Sep  6 2007 Tomas Mraz <tmraz@redhat.com> - 4.7p1-1
c9833c9
- upgrade to latest upstream
c9833c9
- use libedit in sftp (#203009)
c9833c9
- fixed audit log injection problem (CVE-2007-3102)
c9833c9
f370730
* Thu Aug  9 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-8
f370730
- fix sftp client problems on write error (#247802)
f370730
- allow disabling autocreation of server keys (#235466)
f370730
c3274cc
* Wed Jun 20 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-7
c3274cc
- experimental NSS keys support
c3274cc
- correctly setup context when empty level requested (#234951)
c3274cc
7210c01
* Tue Mar 20 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-6
7210c01
- mls level check must be done with default role same as requested
7210c01
b40baab
* Mon Mar 19 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-5
b40baab
- make profile.d/gnome-ssh-askpass.* regular files (#226218)
b40baab
19725a9
* Tue Feb 27 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-4
546fdd9
- reject connection if requested mls range is not obtained (#229278)
546fdd9
19725a9
* Thu Feb 22 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-3
9d725bd
- improve Buildroot
9d725bd
- remove duplicate /etc/ssh from files
9d725bd
c2b35d0
* Tue Jan 16 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-2
c2b35d0
- support mls on labeled networks (#220487)
c2b35d0
- support mls level selection on unlabeled networks
c2b35d0
- allow / in usernames in scp (only beginning /, ./, and ../ is special) 
c2b35d0
ad07b99
* Thu Dec 21 2006 Tomas Mraz <tmraz@redhat.com> - 4.5p1-1
ad07b99
- update to 4.5p1 (#212606)
ad07b99
914284f
* Thu Nov 30 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-14
914284f
- fix gssapi with DNS loadbalanced clusters (#216857)
914284f
d63dc67
* Tue Nov 28 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-13
d63dc67
- improved pam_session patch so it doesn't regress; the patch is necessary
d63dc67
  for the pam_session_close to be called correctly as uid 0
d63dc67
ad61b11
* Fri Nov 10 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-12
ad61b11
- CVE-2006-5794 - properly detect failed key verify in monitor (#214641)
ad61b11
19675af
* Thu Nov  2 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-11
19675af
- merge sshd initscript patches
19675af
- kill all ssh sessions when stop is called in halt or reboot runlevel
19675af
- remove -TERM option from killproc so we don't race on sshd restart
19675af
7114c42
* Mon Oct  2 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-10
7114c42
- improve gssapi-no-spnego patch (#208102)
7114c42
- CVE-2006-4924 - prevent DoS on deattack detector (#207957)
7114c42
- CVE-2006-5051 - don't call cleanups from signal handler (#208459)
7114c42
ac4818c
* Wed Aug 23 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-9
ac4818c
- don't report duplicate syslog messages, use correct local time (#189158)
ac4818c
- don't allow spnego as gssapi mechanism (from upstream)
ac4818c
- fixed memleaks found by Coverity (from upstream)
ac4818c
- allow ip options except source routing (#202856) (patch by HP)
ac4818c
c12d6ba
* Tue Aug  8 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-8
c12d6ba
- drop the pam-session patch from the previous build (#201341)
c12d6ba
- don't set IPV6_V6ONLY sock opt when listening on wildcard addr (#201594)
c12d6ba
762e407
* Thu Jul 20 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-7
762e407
- dropped old ssh obsoletes
762e407
- call the pam_session_open/close from the monitor when privsep is
762e407
  enabled so it is always called as root (patch by Darren Tucker)
762e407
ef32423
* Mon Jul 17 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-6
ef32423
- improve selinux patch (by Jan Kiszka)
ef32423
- upstream patch for buffer append space error (#191940)
ef32423
- fixed typo in configure.ac (#198986)
ef32423
- added pam_keyinit to pam configuration (#198628)
ef32423
- improved error message when askpass dialog cannot grab
ef32423
  keyboard input (#198332)
ef32423
- buildrequires xauth instead of xorg-x11-xauth
ef32423
- fixed a few rpmlint warnings
ef32423
d446e97
* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 4.3p2-5.1
d446e97
- rebuild
d446e97
7e1c558
* Fri Apr 14 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-5
7e1c558
- don't request pseudoterminal allocation if stdin is not tty (#188983)
7e1c558
5f29aca
* Thu Mar  2 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-4
5f29aca
- allow access if audit is not compiled in kernel (#183243)
5f29aca
e01ed66
* Fri Feb 24 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-3
e01ed66
- enable the subprocess in chroot to send messages to system log
e01ed66
- sshd should prevent login if audit call fails
e01ed66
b5e849f
* Tue Feb 21 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-2
b5e849f
- print error from scp if not remote (patch by Bjorn Augustsson #178923)
b5e849f
f16d34e
* Mon Feb 13 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-1
f16d34e
- new version
f16d34e
3de0ff3
* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 4.3p1-2.1
3de0ff3
- bump again for double-long bug on ppc(64)
3de0ff3
f223ebd
* Mon Feb  6 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p1-2
f223ebd
- fixed another place where syslog was called in signal handler
f223ebd
- pass locale environment variables to server, accept them there (#179851)
f223ebd
fd638ab
* Wed Feb  1 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p1-1
fd638ab
- new version, dropped obsolete patches
fd638ab
bb93ea2
* Tue Dec 20 2005 Tomas Mraz <tmraz@redhat.com> - 4.2p1-10
bb93ea2
- hopefully make the askpass dialog less confusing (#174765)
bb93ea2
6e3ae48
* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
6e3ae48
- rebuilt
6e3ae48
09d7e68
* Tue Nov 22 2005 Tomas Mraz <tmraz@redhat.com> - 4.2p1-9
09d7e68
- drop x11-ssh-askpass from the package
09d7e68
- drop old build_6x ifs from spec file
09d7e68
- improve gnome-ssh-askpass so it doesn't reveal number of passphrase 
09d7e68
  characters to person looking at the display
09d7e68
- less hackish fix for the __USE_GNU problem
09d7e68
05c945b
* Fri Nov 18 2005 Nalin Dahyabhai <nalin@redhat.com> - 4.2p1-8
05c945b
- work around missing gccmakedep by wrapping makedepend in a local script
db25651
- remove now-obsolete build dependency on "xauth"
05c945b
d40b8ce
* Thu Nov 17 2005 Warren Togami <wtogami@redhat.com> - 4.2p1-7
19e22ad
- xorg-x11-devel -> libXt-devel
19e22ad
- rebuild for new xauth location so X forwarding works
0e58628
- buildreq audit-libs-devel
0e58628
- buildreq automake for aclocal
0e58628
- buildreq imake for xmkmf
0e58628
-  -D_GNU_SOURCE in flags in order to get it to build
0e58628
   Ugly hack to work around openssh defining __USE_GNU which is
0e58628
   not allowed and causes problems according to Ulrich Drepper
0e58628
   fix this the correct way after FC5test1
d40b8ce
35e1e0c
* Wed Nov  9 2005 Jeremy Katz <katzj@redhat.com> - 4.2p1-6
35e1e0c
- rebuild against new openssl
35e1e0c
fc72c21
* Fri Oct 28 2005 Tomas Mraz <tmraz@redhat.com> 4.2p1-5
fc72c21
- put back the possibility to skip SELinux patch
fc72c21
- add patch for user login auditing by Steve Grubb
fc72c21
5312560
* Tue Oct 18 2005 Dan Walsh <dwalsh@redhat.com> 4.2p1-4
5312560
- Change selinux patch to use get_default_context_with_rolelevel in libselinux.
5312560
0e07edf
* Thu Oct 13 2005 Tomas Mraz <tmraz@redhat.com> 4.2p1-3
0e07edf
- Update selinux patch to use getseuserbyname
0e07edf
5bab487
* Fri Oct  7 2005 Tomas Mraz <tmraz@redhat.com> 4.2p1-2
5bab487
- use include instead of pam_stack in pam config
fd638ab
- use fork+exec instead of system in scp - CVE-2006-0225 (#168167)
5bab487
- upstream patch for displaying authentication errors
5bab487
de2e7a3
* Tue Sep 06 2005 Tomas Mraz <tmraz@redhat.com> 4.2p1-1
de2e7a3
- upgrade to a new upstream version
de2e7a3
f94d8f5
* Tue Aug 16 2005 Tomas Mraz <tmraz@redhat.com> 4.1p1-5
f94d8f5
- use x11-ssh-askpass if openssh-askpass-gnome is not installed (#165207)
f94d8f5
- install ssh-copy-id from contrib (#88707)
f94d8f5
fa14815
* Wed Jul 27 2005 Tomas Mraz <tmraz@redhat.com> 4.1p1-4
fa14815
- don't deadlock on exit with multiple X forwarded channels (#152432)
fa14815
- don't use X11 port which can't be bound on all IP families (#163732)
fa14815
79c9686
* Wed Jun 29 2005 Tomas Mraz <tmraz@redhat.com> 4.1p1-3
79c9686
- fix small regression caused by the nologin patch (#161956)
79c9686
- fix race in getpeername error checking (mindrot #1054)
79c9686
9ac1c8b
* Thu Jun  9 2005 Tomas Mraz <tmraz@redhat.com> 4.1p1-2
9ac1c8b
- use only pam_nologin for nologin testing
9ac1c8b
9cf4ab1
* Mon Jun  6 2005 Tomas Mraz <tmraz@redhat.com> 4.1p1-1
9cf4ab1
- upgrade to a new upstream version
9cf4ab1
- call pam_loginuid as a pam session module
9cf4ab1
9c57713
* Mon May 16 2005 Tomas Mraz <tmraz@redhat.com> 4.0p1-3
9c57713
- link libselinux only to sshd (#157678)
9c57713
1e27c05
* Mon Apr  4 2005 Tomas Mraz <tmraz@redhat.com> 4.0p1-2
1e27c05
- fixed Local/RemoteForward in ssh_config.5 manpage
1e27c05
- fix fatal when Local/RemoteForward is used and scp run (#153258)
1e27c05
- don't leak user validity when using krb5 authentication
1e27c05
5de53f1
* Thu Mar 24 2005 Tomas Mraz <tmraz@redhat.com> 4.0p1-1
5de53f1
- upgrade to 4.0p1
5de53f1
- remove obsolete groups patch
5de53f1
Elliot Lee 683f4f3
* Wed Mar 16 2005 Elliot Lee <sopwith@redhat.com>
Elliot Lee 683f4f3
- rebuilt