diff options
Diffstat (limited to 'source/n/openssh')
-rw-r--r-- | source/n/openssh/doinst.sh | 16 | ||||
-rw-r--r-- | source/n/openssh/openssh-7.2p1-libwrap.diff | 156 | ||||
-rwxr-xr-x | source/n/openssh/openssh.SlackBuild | 10 | ||||
-rw-r--r-- | source/n/openssh/rc.sshd | 9 |
4 files changed, 184 insertions, 7 deletions
diff --git a/source/n/openssh/doinst.sh b/source/n/openssh/doinst.sh index d696245d..73ce6283 100644 --- a/source/n/openssh/doinst.sh +++ b/source/n/openssh/doinst.sh @@ -9,10 +9,24 @@ config() { fi # Otherwise, we leave the .new copy for the admin to consider... } +preserve_perms() { + NEW="$1" + OLD="$(dirname ${NEW})/$(basename ${NEW} .new)" + if [ -e ${OLD} ]; then + cp -a ${OLD} ${NEW}.incoming + cat ${NEW} > ${NEW}.incoming + touch -r ${NEW} ${NEW}.incoming + mv ${NEW}.incoming ${NEW} + fi + config ${NEW} +} config etc/ssh/ssh_config.new config etc/ssh/sshd_config.new -config etc/rc.d/rc.sshd.new +preserve_perms etc/rc.d/rc.sshd.new +if [ -e etc/rc.d/rc.sshd.new ]; then + mv etc/rc.d/rc.sshd.new etc/rc.d/rc.sshd +fi # If the sshd user/group/shadow don't exist, add them: diff --git a/source/n/openssh/openssh-7.2p1-libwrap.diff b/source/n/openssh/openssh-7.2p1-libwrap.diff new file mode 100644 index 00000000..546e63ce --- /dev/null +++ b/source/n/openssh/openssh-7.2p1-libwrap.diff @@ -0,0 +1,156 @@ +From 8c59bae0e4bdc0e3456d1802b391370bdf9975f3 Mon Sep 17 00:00:00 2001 +From: mancha <mancha1 AT zoho DOT com> +Date: Mon, 6 Oct 2014 +Subject: Re-introduce TCP Wrappers support + +Support for TCP Wrappers was dropped as of OpenSSH 6.7. This patch +resurrects the feature. + +Relevant upstream commits: + + https://anongit.mindrot.org/openssh.git/commit/?id=f2719b7c2b8a + https://anongit.mindrot.org/openssh.git/commit/?id=f9696566fb41 + +--- + configure.ac | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++ + sshd.8 | 7 +++++++ + sshd.c | 25 +++++++++++++++++++++++ + 3 files changed, 89 insertions(+) + +--- a/configure.ac ++++ b/configure.ac +@@ -1380,6 +1380,62 @@ AC_ARG_WITH([skey], + ] + ) + ++# Check whether user wants TCP wrappers support ++TCPW_MSG="no" ++AC_ARG_WITH([tcp-wrappers], ++ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)], ++ [ ++ if test "x$withval" != "xno" ; then ++ saved_LIBS="$LIBS" ++ saved_LDFLAGS="$LDFLAGS" ++ saved_CPPFLAGS="$CPPFLAGS" ++ if test -n "${withval}" && \ ++ test "x${withval}" != "xyes"; then ++ if test -d "${withval}/lib"; then ++ if test -n "${need_dash_r}"; then ++ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" ++ else ++ LDFLAGS="-L${withval}/lib ${LDFLAGS}" ++ fi ++ else ++ if test -n "${need_dash_r}"; then ++ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" ++ else ++ LDFLAGS="-L${withval} ${LDFLAGS}" ++ fi ++ fi ++ if test -d "${withval}/include"; then ++ CPPFLAGS="-I${withval}/include ${CPPFLAGS}" ++ else ++ CPPFLAGS="-I${withval} ${CPPFLAGS}" ++ fi ++ fi ++ LIBS="-lwrap -lnsl $LIBS" ++ AC_MSG_CHECKING([for libwrap]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[ ++#include <sys/types.h> ++#include <sys/socket.h> ++#include <netinet/in.h> ++#include <tcpd.h> ++int deny_severity = 0, allow_severity = 0; ++ ]], [[ ++ hosts_access(0); ++ ]])], [ ++ AC_MSG_RESULT([yes]) ++ AC_DEFINE([LIBWRAP], [1], ++ [Define if you want ++ TCP Wrappers support]) ++ SSHDLIBS="$SSHDLIBS -lwrap -lnsl" ++ TCPW_MSG="yes" ++ ], [ ++ AC_MSG_ERROR([*** libwrap missing]) ++ ++ ]) ++ LIBS="$saved_LIBS" ++ fi ++ ] ++) ++ + # Check whether user wants to use ldns + LDNS_MSG="no" + AC_ARG_WITH(ldns, +@@ -4829,6 +4885,7 @@ echo " KerberosV support + echo " SELinux support: $SELINUX_MSG" + echo " Smartcard support: $SCARD_MSG" + echo " S/KEY support: $SKEY_MSG" ++echo " TCP Wrappers support: $TCPW_MSG" + echo " MD5 password support: $MD5_MSG" + echo " libedit support: $LIBEDIT_MSG" + echo " Solaris process contract support: $SPC_MSG" +--- a/sshd.8 ++++ b/sshd.8 +@@ -851,6 +851,12 @@ the user's home directory becomes access + This file should be writable only by the user, and need not be + readable by anyone else. + .Pp ++.It Pa /etc/hosts.allow ++.It Pa /etc/hosts.deny ++Access controls that should be enforced by tcp-wrappers are defined here. ++Further details are described in ++.Xr hosts_access 5 . ++.Pp + .It Pa /etc/hosts.equiv + This file is for host-based authentication (see + .Xr ssh 1 ) . +@@ -954,6 +960,7 @@ The content of this file is not sensitiv + .Xr ssh-keygen 1 , + .Xr ssh-keyscan 1 , + .Xr chroot 2 , ++.Xr hosts_access 5 , + .Xr login.conf 5 , + .Xr moduli 5 , + .Xr sshd_config 5 , +--- a/sshd.c ++++ b/sshd.c +@@ -123,6 +123,13 @@ + #include "ssh-sandbox.h" + #include "version.h" + ++#ifdef LIBWRAP ++#include <tcpd.h> ++#include <syslog.h> ++int allow_severity; ++int deny_severity; ++#endif /* LIBWRAP */ ++ + #ifndef O_NOCTTY + #define O_NOCTTY 0 + #endif +@@ -2054,6 +2061,24 @@ main(int ac, char **av) + #ifdef SSH_AUDIT_EVENTS + audit_connection_from(remote_ip, remote_port); + #endif ++#ifdef LIBWRAP ++ allow_severity = options.log_facility|LOG_INFO; ++ deny_severity = options.log_facility|LOG_WARNING; ++ /* Check whether logins are denied from this host. */ ++ if (packet_connection_is_on_socket()) { ++ struct request_info req; ++ ++ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); ++ fromhost(&req); ++ ++ if (!hosts_access(&req)) { ++ debug("Connection refused by tcp wrapper"); ++ refuse(&req); ++ /* NOTREACHED */ ++ fatal("libwrap refuse returns"); ++ } ++ } ++#endif /* LIBWRAP */ + + /* Log the connection. */ + verbose("Connection from %s port %d on %s port %d", diff --git a/source/n/openssh/openssh.SlackBuild b/source/n/openssh/openssh.SlackBuild index 07ea1615..a917ee80 100755 --- a/source/n/openssh/openssh.SlackBuild +++ b/source/n/openssh/openssh.SlackBuild @@ -36,15 +36,15 @@ NUMJOBS=${NUMJOBS:--j6} # Automatically determine the architecture we're building on: if [ -z "$ARCH" ]; then case "$( uname -m )" in - i?86) export ARCH=i486 ;; + i?86) export ARCH=i586 ;; arm*) export ARCH=arm ;; # Unless $ARCH is already set, use uname -m for all other archs: *) export ARCH=$( uname -m ) ;; esac fi -if [ "$ARCH" = "i486" ]; then - SLKCFLAGS="-O2 -march=i486 -mtune=i686" +if [ "$ARCH" = "i586" ]; then + SLKCFLAGS="-O2 -march=i586 -mtune=i686" elif [ "$ARCH" = "s390" ]; then SLKCFLAGS="-O2" elif [ "$ARCH" = "x86_64" ]; then @@ -68,6 +68,10 @@ tar xvf $CWD/openssh-$VERSION.tar.gz || tar xvf $CWD/openssh-$VERSION.tar.?z* || cd openssh-$VERSION chown -R root:root . +# Restore support for tcpwrappers: +zcat $CWD/openssh-7.2p1-libwrap.diff.gz | patch -p1 --verbose || exit 1 +autoreconf -vif + # Compile package: CFLAGS="$SLKCFLAGS" \ ./configure \ diff --git a/source/n/openssh/rc.sshd b/source/n/openssh/rc.sshd index cb2dfa41..2da2ab30 100644 --- a/source/n/openssh/rc.sshd +++ b/source/n/openssh/rc.sshd @@ -3,9 +3,6 @@ sshd_start() { # Create host keys if needed. - if [ ! -r /etc/ssh/ssh_host_key ]; then - /usr/bin/ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N '' - fi if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then /usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '' fi @@ -15,6 +12,12 @@ sshd_start() { if [ ! -f /etc/ssh/ssh_host_ecdsa_key ]; then /usr/bin/ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N '' fi + if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then + /usr/bin/ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N '' + fi + # Catch any new host key types not yet created above: + /usr/bin/ssh-keygen -A + # Start the sshd daemon: /usr/sbin/sshd } |