From 24149d6160d17747758ea25a486db290e5730348 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Jun 13 2012 23:30:43 +0000
Subject: Merge branch 'f17' into f16
---
diff --git a/0001-Assorted-SSH-fixes.patch b/0001-Assorted-SSH-fixes.patch
new file mode 100644
index 0000000..c2d6ab7
--- /dev/null
+++ b/0001-Assorted-SSH-fixes.patch
@@ -0,0 +1,246 @@ +From cb79e6cad17849be94dff05309a5ca0b9ea62613 Mon Sep 17 00:00:00 2001 +From: Jan Cholasta +Date: Wed, 30 May 2012 09:40:13 -0400 +Subject: [PATCH 1/2] Assorted SSH fixes + +SSH: Update sss_ssh_knownhostsproxy manual page + +Don't use GlobalKnownHostsFile2 in ssh_config, as it has been deprecated in +OpenSSH 5.9. + +SSH: Supress error message output in sss_ssh_knownhostsproxy + +SSH: Don't abort connection in sss_ssh_knownhostsproxy when DNS records are missing + +https://fedorahosted.org/sssd/ticket/1356 +--- + src/man/sss_ssh_knownhostsproxy.1.xml | 2 +- + src/sss_client/ssh/sss_ssh_client.c | 8 +-- + src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 94 ++++++++++++++------------ + 3 files changed, 55 insertions(+), 49 deletions(-) + +diff --git a/src/man/sss_ssh_knownhostsproxy.1.xml b/src/man/sss_ssh_knownhostsproxy.1.xml +index 241e8a7ffbef102f367ba108b2f5fe3e6e68103c..5767e8426da34fb0124c927162aae6448ed8f89e 100644 +--- a/src/man/sss_ssh_knownhostsproxy.1.xml ++++ b/src/man/sss_ssh_knownhostsproxy.1.xml +@@ -53,7 +53,7 @@ + 1 configuration: + + ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h +-GlobalKnownHostsFile2 /var/lib/sss/pubconf/known_hosts ++GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts + + + +diff --git a/src/sss_client/ssh/sss_ssh_client.c b/src/sss_client/ssh/sss_ssh_client.c +index 8520cd1b1704f1387a105a854ea72a9fcd2c85fc..645f2928985637f26213ab7a0d48a626b088ad58 100644 +--- a/src/sss_client/ssh/sss_ssh_client.c ++++ b/src/sss_client/ssh/sss_ssh_client.c +@@ -146,14 +146,14 @@ sss_ssh_get_ent(TALLOC_CTX *mem_ctx, + rd.len = req_len; + + req_ret = sss_ssh_make_request(command, &rd, &rep, &rep_len, &req_errno); +- if (req_ret != SSS_STATUS_SUCCESS) { +- ret = EFAULT; +- goto done; +- } + if (req_errno != EOK) { + ret = req_errno; + goto done; + } ++ if (req_ret != SSS_STATUS_SUCCESS) { ++ ret = EFAULT; ++ goto done; ++ } + + /* parse reply */ + c = 0; +diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c 
b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c +index 6424d7b7c3c17375ad4ac8dc6ec2276786bf0560..cac8eb7ef47eb70591dfb274a01cfbb392eee8aa 100644 +--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c ++++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c +@@ -73,7 +73,6 @@ connect_socket(int family, struct sockaddr *addr, size_t addr_len) + ret = errno; + DEBUG(SSSDBG_OP_FAILURE, ("socket() failed (%d): %s\n", + ret, strerror(ret))); +- ERROR("Failed to open a socket\n"); + goto done; + } + +@@ -83,7 +82,6 @@ connect_socket(int family, struct sockaddr *addr, size_t addr_len) + ret = errno; + DEBUG(SSSDBG_OP_FAILURE, ("connect() failed (%d): %s\n", + ret, strerror(ret))); +- ERROR("Failed to connect to the server\n"); + goto done; + } + +@@ -176,7 +174,6 @@ connect_proxy_command(char **args) + ret = errno; + DEBUG(SSSDBG_OP_FAILURE, ("execv() failed (%d): %s\n", + ret, strerror(ret))); +- ERROR("Failed to execute proxy command\n"); + + return ret; + } +@@ -185,7 +182,7 @@ int main(int argc, const char **argv) + { + TALLOC_CTX *mem_ctx = NULL; + int pc_debug = SSSDBG_DEFAULT; +- const char *pc_port = "22"; ++ int pc_port = 22; + const char *pc_domain = NULL; + const char *pc_host = NULL; + const char **pc_args = NULL; +@@ -193,17 +190,18 @@ int main(int argc, const char **argv) + POPT_AUTOHELP + { "debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug, 0, + _("The debug level to run with"), NULL }, +- { "port", 'p', POPT_ARG_STRING, &pc_port, 0, ++ { "port", 'p', POPT_ARG_INT, &pc_port, 0, + _("The port to use to connect to the host"), NULL }, + { "domain", 'd', POPT_ARG_STRING, &pc_domain, 0, + _("The SSSD domain to use"), NULL }, + POPT_TABLEEND + }; + poptContext pc = NULL; ++ char strport[6]; + struct addrinfo ai_hint; + struct addrinfo *ai = NULL; + char canonhost[NI_MAXHOST]; +- const char *host; ++ const char *host = NULL; + struct sss_ssh_ent *ent; + int ret; + +@@ -213,14 +211,13 @@ int main(int argc, const char **argv) + if (ret != EOK) { + 
DEBUG(SSSDBG_CRIT_FAILURE, + ("set_locale() failed (%d): %s\n", ret, strerror(ret))); +- ERROR("Error setting the locale\n"); + ret = EXIT_FAILURE; + goto fini; + } + + mem_ctx = talloc_new(NULL); + if (!mem_ctx) { +- ERROR("Not enough memory\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, ("Not enough memory\n")); + ret = EXIT_FAILURE; + goto fini; + } +@@ -237,6 +234,10 @@ int main(int argc, const char **argv) + BAD_POPT_PARAMS(pc, poptStrerror(ret), ret, fini); + } + ++ if (pc_port < 1 || pc_port > 65535) { ++ BAD_POPT_PARAMS(pc, _("Invalid port\n"), ret, fini); ++ } ++ + pc_host = poptGetArg(pc); + if (pc_host == NULL) { + BAD_POPT_PARAMS(pc, _("Host not specified\n"), ret, fini); +@@ -249,59 +250,64 @@ int main(int argc, const char **argv) + ret, fini); + } + +- /* get IP addresses of the host */ ++ /* canonicalize hostname */ ++ snprintf(strport, 6, "%d", pc_port); ++ + memset(&ai_hint, 0, sizeof(struct addrinfo)); + ai_hint.ai_family = AF_UNSPEC; + ai_hint.ai_socktype = SOCK_STREAM; + ai_hint.ai_protocol = IPPROTO_TCP; +- ai_hint.ai_flags = AI_ADDRCONFIG | AI_NUMERICSERV; ++ ai_hint.ai_flags = AI_ADDRCONFIG | AI_NUMERICHOST | AI_NUMERICSERV; + +- ret = getaddrinfo(pc_host, pc_port, &ai_hint, &ai); ++ ret = getaddrinfo(pc_host, strport, &ai_hint, &ai); + if (ret) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- ("getaddrinfo() failed (%d): %s\n", ret, gai_strerror(ret))); +- ERROR("Host name cannot be resolved\n"); +- ret = EXIT_FAILURE; +- goto fini; +- } ++ ai_hint.ai_flags = AI_ADDRCONFIG | AI_CANONNAME | AI_NUMERICSERV; + +- /* canonicalize hostname */ +- ret = getnameinfo(ai[0].ai_addr, ai[0].ai_addrlen, +- canonhost, NI_MAXHOST, NULL, 0, NI_NAMEREQD); +- if (ret) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- ("getaddrinfo() failed (%d): %s\n", ret, gai_strerror(ret))); +- ERROR("Reverse lookup failed\n"); +- ret = EXIT_FAILURE; +- goto fini; +- } +- +- /* append domain to hostname if domain is specified */ +- if (pc_domain) { +- host = talloc_asprintf(mem_ctx, "%s@%s", canonhost, 
pc_domain); +- if (!host) { +- ERROR("Not enough memory\n"); +- ret = EXIT_FAILURE; +- goto fini; ++ ret = getaddrinfo(pc_host, strport, &ai_hint, &ai); ++ if (ret) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ ("getaddrinfo() failed (%d): %s\n", ret, gai_strerror(ret))); ++ } else { ++ host = ai[0].ai_canonname; + } + } else { +- host = canonhost; ++ ret = getnameinfo(ai[0].ai_addr, ai[0].ai_addrlen, ++ canonhost, NI_MAXHOST, NULL, 0, NI_NAMEREQD); ++ if (ret) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ ("getnameinfo() failed (%d): %s\n", ret, gai_strerror(ret))); ++ } else { ++ host = canonhost; ++ } + } + +- /* look up public keys */ +- ret = sss_ssh_get_ent(mem_ctx, SSS_SSH_GET_HOST_PUBKEYS, +- host, pc_host, &ent); +- if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- ("sss_ssh_get_ent() failed (%d): %s\n", ret, strerror(ret))); +- ERROR("Error looking up public keys\n"); ++ if (host) { ++ /* append domain to hostname if domain is specified */ ++ if (pc_domain) { ++ host = talloc_asprintf(mem_ctx, "%s@%s", host, pc_domain); ++ if (!host) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ("Not enough memory\n")); ++ ret = EXIT_FAILURE; ++ goto fini; ++ } ++ } ++ ++ /* look up public keys */ ++ ret = sss_ssh_get_ent(mem_ctx, SSS_SSH_GET_HOST_PUBKEYS, ++ host, pc_host, &ent); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ ("sss_ssh_get_ent() failed (%d): %s\n", ret, strerror(ret))); ++ } + } + + /* connect to server */ + if (pc_args) { + ret = connect_proxy_command(discard_const(pc_args)); +- } else { ++ } else if (ai) { + ret = connect_socket(ai[0].ai_family, ai[0].ai_addr, ai[0].ai_addrlen); ++ } else { ++ ret = EFAULT; + } + ret = (ret == EOK) ? EXIT_SUCCESS : EXIT_FAILURE; + +-- +1.7.10.2 + diff --git a/0002-Use-HTML_TIMESTAMP-instead-of-HTML_FOOTER_DESCRIPTIO.patch b/0002-Use-HTML_TIMESTAMP-instead-of-HTML_FOOTER_DESCRIPTIO.patch new file mode 100644 index 0000000..702258a --- /dev/null +++ b/0002-Use-HTML_TIMESTAMP-instead-of-HTML_FOOTER_DESCRIPTIO.patch 
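Review bot: In the last hunk of sss_ssh_knownhostsproxy.c, main() now goes on to `connect_proxy_command()` or `connect_socket()` when canonicalization or `sss_ssh_get_ent()` fails, and the only trace is a `DEBUG(SSSDBG_OP_FAILURE, ...)` line, so this fail-open behaviour is not stated anywhere a maintainer or administrator would read it. ssh presumably then checks the server key against whatever is already in the known_hosts file, which may be stale or missing for this host; the outcome depends on the client's own host key checking settings, which this patch does not show. I would add a comment above `if (host) {` such as `/* Key lookup is best-effort: on failure we still connect and leave host key verification to ssh */` and say the same in the manual page. The name passed to the lookup comes from `ai[0].ai_canonname` or `getnameinfo()`, that is from DNS, so the comment could also note that the lookup is only as trustworthy as the resolver. main() begins and ends outside the visible hunks.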
@@ -0,0 +1,75 @@ +From d3c702624e0e83b3f1b33ba31d3583dbfa5292c9 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Mon, 2 Apr 2012 00:17:15 +0200 +Subject: [PATCH 2/2] Use HTML_TIMESTAMP instead of HTML_FOOTER_DESCRIPTION + +https://fedorahosted.org/sssd/ticket/1271 + +Conflicts: + src/lib/idmap/sss_idmap.doxy.in +--- + src/doxy.config.in | 7 ++++--- + src/providers/ipa/ipa_hbac.doxy.in | 7 ++++--- + src/sss_client/sudo/sss_sudo.doxy.in | 7 ++++--- + 3 files changed, 12 insertions(+), 9 deletions(-) + +diff --git a/src/doxy.config.in b/src/doxy.config.in +index dc41b1fd156613808efa00cf9fe95bef4247c781..1f9b5a324f68aa189b309d5b7293d769c8ca5acf 100644 +--- a/src/doxy.config.in ++++ b/src/doxy.config.in +@@ -784,10 +784,11 @@ IGNORE_PREFIX = + + GENERATE_HTML = YES + +-# If the HTML_FOOTER_DESCRIPTION tag is set to YES, Doxygen will +-# add generated date, project name and doxygen version to HTML footer. ++# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated ++# HTML page will contain the date and time when the page was generated. Setting ++# this to NO can help when comparing the output of multiple runs. + +-HTML_FOOTER_DESCRIPTION= NO ++HTML_TIMESTAMP = NO + + # The HTML_OUTPUT tag is used to specify where the HTML docs will be put. + # If a relative path is entered the value of OUTPUT_DIRECTORY will be +diff --git a/src/providers/ipa/ipa_hbac.doxy.in b/src/providers/ipa/ipa_hbac.doxy.in +index 3c9672f01c04c5f42cdfffee8603cf6fb181b25f..37528efc2a0d7849b09763a6a0a91c54451f2cf2 100644 +--- a/src/providers/ipa/ipa_hbac.doxy.in ++++ b/src/providers/ipa/ipa_hbac.doxy.in +@@ -782,10 +782,11 @@ IGNORE_PREFIX = + + GENERATE_HTML = YES + +-# If the HTML_FOOTER_DESCRIPTION tag is set to YES, Doxygen will +-# add generated date, project name and doxygen version to HTML footer. ++# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated ++# HTML page will contain the date and time when the page was generated. 
Setting ++# this to NO can help when comparing the output of multiple runs. + +-HTML_FOOTER_DESCRIPTION= NO ++HTML_TIMESTAMP = NO + + # The HTML_OUTPUT tag is used to specify where the HTML docs will be put. + # If a relative path is entered the value of OUTPUT_DIRECTORY will be +diff --git a/src/sss_client/sudo/sss_sudo.doxy.in b/src/sss_client/sudo/sss_sudo.doxy.in +index ee4a03885ca844a9e7c556a8fd8c4d705f7d3e57..4e777f427823b33d0ca286ae0a032c0dceb5f803 100644 +--- a/src/sss_client/sudo/sss_sudo.doxy.in ++++ b/src/sss_client/sudo/sss_sudo.doxy.in +@@ -782,10 +782,11 @@ IGNORE_PREFIX = + + GENERATE_HTML = YES + +-# If the HTML_FOOTER_DESCRIPTION tag is set to YES, Doxygen will +-# add generated date, project name and doxygen version to HTML footer. ++# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated ++# HTML page will contain the date and time when the page was generated. Setting ++# this to NO can help when comparing the output of multiple runs. + +-HTML_FOOTER_DESCRIPTION= NO ++HTML_TIMESTAMP = NO + + # The HTML_OUTPUT tag is used to specify where the HTML docs will be put. + # If a relative path is entered the value of OUTPUT_DIRECTORY will be +-- +1.7.10.2 + diff --git a/sssd.spec b/sssd.spec index a555fcb..1614847 100644 --- a/sssd.spec +++ b/sssd.spec @@ -16,7 +16,7 @@ Name: sssd Version: 1.8.4 -Release: 12%{?dist} +Release: 13%{?dist} Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -26,6 +26,9 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) ### Patches ### +Patch0001: 0001-Assorted-SSH-fixes.patch +Patch0002: 0002-Use-HTML_TIMESTAMP-instead-of-HTML_FOOTER_DESCRIPTIO.patch + ### Dependencies ### Conflicts: selinux-policy < 3.10.0-46 
@@ -454,6 +457,12 @@ fi %postun -n libipa_hbac -p /sbin/ldconfig %changelog +* Wed Jun 13 2012 Stephen Gallagher - 1.8.4-13 +- Fix several issues with the SSH key integration +- Fix for multilib issuss with libipa_hbac-devel and libsss_sudo-devel +- Resolves: rhbz#831411 - libipa_hbac-devel and libsss_sudo-devel multilib + conflicts + * Wed May 30 2012 Stephen Gallagher - 1.8.4-12 - New upstream release 1.8.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.4