name = bind
version = 9.8.1
-release = 2
+release = 3
groups = Networking/Tools
url = http://www.isc.org/products/BIND/
libidn-devel
pkg-config
openssl-devel
+ shadow-utils
end
configure_options += \
libtoolize -c -f
aclocal -I m4 --force
autoconf -f
+
+ # Create user and group for /run directory.
+ %{create_user}
end
install
ln -svf ../../lib/libirs-export.so.80 %{BUILDROOT}/usr/lib/libirs-export.so
ln -svf ../../lib/libisccfg-export.so.82 %{BUILDROOT}/usr/lib/libisccfg-export.so
ln -svf ../../lib/libisc-export.so.83 %{BUILDROOT}/usr/lib/libisc-export.so
+
+ # Create /run/named.
+ mkdir -pv %{BUILDROOT}/run/named
+ chown -Rv named.named %{BUILDROOT}/run/named/
end
end
+create_user
+ getent group named >/dev/null || /usr/sbin/groupadd -r named
+ getent passwd named >/dev/null || /usr/sbin/useradd -r -g named \
+ -d /var/named -c "User for bind DNS server" -s /sbin/nologin named
+end
+
packages
package %{name}
requires
prerequires += shadow-utils
script prein
- # Create unprivileged user and group.
- getent group named > /dev/null || groupadd -r named
- getent passwd named > /dev/null || \
- useradd -r -g named -d /var/named -s /sbin/nologin \
- -c "User for bind DNS server" named
- exit 0
+ %{create_user}
end
# XXX Add systemd scriptlet if a service file becomes available
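Review bot: The `mkdir -pv %{BUILDROOT}/run/named` / `chown -Rv named.named %{BUILDROOT}/run/named/` pair in the install step packages a directory under /run, which on a systemd target is a volatile tmpfs, so the packaged entry vanishes at boot and the tmpfiles line `d /run/named 0755 named named -` is what actually provides it. The chown only works because `%{create_user}` is now also run from the build's prepare step, i.e. the recipe adds a system account to the build host; if the builder has no root or the `named` uid differs at packaging time, the ownership is lost without an error. Dropping the mkdir/chown from install and relying on the tmpfiles entry avoids both problems; the same pattern appears in freeradius-server's install (`/run/radiusd`) and its prepare_cmds. Whether pakfire stores owner names or numeric uids in the payload is not visible here.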
-d /var/run/named 0755 named named -
+d /run/named 0755 named named -
name = binutils
version = 2.21.51.0.8
-release = 2
+release = 3
maintainer = Michael Tremer <michael.tremer@ipfire.org>
groups = Development/Tools
build
BINUTILS_TARGET_PLATFORM=$(echo "%{DISTRO_MACHINE}" | sed -e "s/-gnu//")
- cd %{DIR_SRC}/binutils-build && \
- ../%{thisapp}/configure \
- --host=${BINUTILS_TARGET_PLATFORM} \
- --build=${BINUTILS_TARGET_PLATFORM} \
- --target=${BINUTILS_TARGET_PLATFORM} \
- --prefix=/usr \
- --mandir=/usr/share/man \
- --enable-shared \
- --disable-nls \
- --disable-werror \
- --disable-static
-
- cd %{DIR_SRC}/binutils-build && make tooldir=/usr %{PARALLELISMFLAGS}
+ cd %{DIR_SRC}/binutils-build
+ ../%{thisapp}/configure \
+ --host=${BINUTILS_TARGET_PLATFORM} \
+ --build=${BINUTILS_TARGET_PLATFORM} \
+ --target=${BINUTILS_TARGET_PLATFORM} \
+ --prefix=/usr \
+ --mandir=/usr/share/man \
+ --enable-shared \
+ --disable-nls \
+ --disable-werror \
+ --disable-static
+
+ make tooldir=/usr %{PARALLELISMFLAGS}
end
#def test
cp -fv %{DIR_APP}/include/libiberty.h %{BUILDROOT}/usr/include
end
+
+ # Keep static version of libiberty.
+ keep_libraries
+ /usr/lib/libiberty.a
+ end
end
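Review bot: In the rewritten build block `cd %{DIR_SRC}/binutils-build` is no longer chained with `&&`, so if that directory is missing, configure and make run in whatever directory the shell happens to be in, with an in-tree configure of the binutils source as the likely outcome. The old form guarded against this; restore the guard with `cd %{DIR_SRC}/binutils-build || exit 1` as the first line, unless the build shell is known to run with `set -e`, which is not visible here.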
packages
###############################################################################
name = c_icap
-version = 0.1.5
+version = 0.1.7
release = 1
maintainer = Christian Schmidt <christian.schmidt@ipfire.org>
adaptation and filtering services.
end
+source_dl = http://downloads.sourceforge.net/project/c-icap/c-icap/0.1.x/
+
build
requires
autoconf
###############################################################################
name = c_icap_modules
-version = 0.1.4
+version = 0.1.6
release = 1
maintainer = Christian Schmidt <christian.schmidt@ipfire.org>
adaptation and filtering services.
end
+source_dl = http://downloads.sourceforge.net/project/c-icap/c-icap-modules/0.1.x/
+
build
requires
autoconf
name = flex
version = 2.5.35
-release = 2
+release = 3
groups = Development/Tools
url = http://flex.sourceforge.net/
m4
end
+ keep_libraries = /usr/lib/libfl_pic.a
+
configure_options += \
--mandir=/usr/share/man
###############################################################################
name = freeradius-server
-version = 2.1.9
-release = 2
+version = 2.1.12
+release = 3
groups = System/Daemons
url = http://www.freeradius.org
summary = High-performance and highly configurable free RADIUS server.
description
- The FreeRADIUS Server Project is a high performance and highly \
- configurable GPL'd free RADIUS server. \
- FreeRADIUS is an Internet authentication daemon, which implements \
- the RADIUS protocol, as defined in RFC 2865. It allows \
+ The FreeRADIUS Server Project is a high performance and highly
+ configurable GPL'd free RADIUS server.
+ FreeRADIUS is an Internet authentication daemon, which implements
+ the RADIUS protocol, as defined in RFC 2865. It allows
Network Access Servers to perform authentication for dial-up users.
end
-source_dl =
+source_dl = ftp://ftp.freeradius.org/pub/freeradius/
build
requires
libtool-devel
openssl-devel
perl
+ shadow-utils
end
- build
- ./configure \
- %{CONFIGURE_ARCH} \
- --prefix=/usr \
- --sysconfdir=/etc \
- --libdir=/usr/lib/freeradius \
- --localstatedir=/var \
- --with-system-libtool \
- --with-threads \
- --with-thread-pool \
- --disable-ltdl-install \
- --with-gnu-ld \
- --without-rlm_eap_ikev2 \
- --without-rlm_sql_iodbc \
- --without-rlm_sql_firebird \
- --without-rlm_sql_db2 \
- --without-rlm_sql_oracle
-
- make LIBTOOL="libtool --tag=CC" #%{PARALLELISMFLAGS}
+ PARALLELISMFLAGS = # Disabled
+
+ configure_options +=\
+ %{CONFIGURE_ARCH} \
+ --sysconfdir=/etc \
+ --libdir=/usr/lib/freeradius \
+ --localstatedir=/var \
+ --with-system-libtool \
+ --with-threads \
+ --with-thread-pool \
+ --disable-ltdl-install \
+ --with-gnu-ld \
+ --without-rlm_eap_ikev2 \
+ --without-rlm_sql_iodbc \
+ --without-rlm_sql_firebird \
+ --without-rlm_sql_db2 \
+ --without-rlm_sql_oracle
+
+ prepare_cmds
+ %{create_user}
end
+ make_build_targets = LINK_MODE=-pie
+
install
- R=%{BUILDROOT} make install
- end
+ make install R=%{BUILDROOT}
+
+ # Change freeradius user and group.
+ perl -i -pe 's/^#user =.*$/user = radiusd/' %{BUILDROOT}/etc/raddb/radiusd.conf
+ perl -i -pe 's/^#group =.*$/group = radiusd/' %{BUILDROOT}/etc/raddb/radiusd.conf
+
+ # Create emty logfiles.
+ mkdir -pv %{BUILDROOT}/var/log/radius/radacct
+ touch %{BUILDROOT}/var/log/radius/{radutmp,radius.log}
+ chown -Rv radiusd.radiusd %{BUILDROOT}/var/log/radius/
+
+ # Create tmpfiles folder.
+ mkdir -pv %{BUILDROOT}/run/radiusd
+ chown -Rv radiusd.radiusd %{BUILDROOT}/run/radiusd/
+
+ # Remove unneeded stuff.
+ rm -vf %{BUILDROOT}/usr/sbin/rc.radiusd
+ rm -rvf %{BUILDROOT}/etc/raddb/sql/
+ rm -rvf %{BUILDROOT}/var/run/
+
+ # Remove header files, we don't ship a devel package.
+ rm -rvf %{BUILDROOT}/usr/include/
- install_cmds
- mkdir -pv %{BUILDROOT}/etc/logrotate.d/
- cp -vf %{DIR_SOURCE}/logrotate/freeradius %{BUILDROOT}/etc/logrotate.d/
+ # remove unsupported config file.
+ rm -vf %{BUILDROOT}/etc/raddb/experimental.conf
+
+ # Fix permissions.
+ chown -Rv root.radiusd %{BUILDROOT}/etc/raddb
end
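Review bot: The two `perl -i -pe 's/^#user =.*$/user = radiusd/'` and `s/^#group =.*$/group = radiusd/` edits are what make radiusd drop root at run time, but nothing checks that they matched; if upstream ever changes the commented-out lines in radiusd.conf the substitution is a silent no-op and the packaged daemon keeps running as root. Add a check after the edits, e.g. `grep -q '^user = radiusd' %{BUILDROOT}/etc/raddb/radiusd.conf || exit 1` and the same for `^group = radiusd`. `chown -Rv root.radiusd %{BUILDROOT}/etc/raddb` fixes the owner but leaves upstream file modes; clients.conf and the certs directory hold shared secrets and private keys, so it is worth verifying they end up readable by the group only. The comment `# Create emty logfiles.` has a typo (`empty`).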
end
+create_user
+ getent group radiusd >/dev/null || /usr/sbin/groupadd -r radiusd
+ getent passwd radiusd >/dev/null || /usr/sbin/useradd -r -g radiusd \
+ -d /var/lib/radiusd -s /sbin/nologin radiusd
+end
+
quality-agent
whitelist_rpath
/usr/lib/freeradius
end
end
-# Generate certificates after installation
-# Command: cd /etc/raddb/certs/ && make Makefile
-
packages
package %{name}
- requires = make
+ configfiles
+ /etc/raddb/radiusd.conf
+ end
+
+ prerequires = shadow-utils systemd-units
+
+ script prein
+ %{create_user}
+ end
+
+ script postin
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ end
+
+ script preun
+ /bin/systemctl --no-reload disable freeradius.service >/dev/null 2>&1 || :
+ /bin/systemctl stop freeradius.service >/dev/null 2>&1 || :
+ end
+
+ script postup
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ /bin/systemctl try-restart freeradius.service >/dev/null 2>&1 || :
+ end
+ end
+
+ package freeradius-utils
+ summary = FreeRADIUS utilities.
+ description
+ Additional utilities to configure and manage FreeRADUIS
+ Servers.
+ end
+
+ files
+ /usr/bin/*
+ /usr/share/man/man1/radclient.1
+ /usr/share/man/man1/radeapclient.1
+ /usr/share/man/man1/radlast.1
+ /usr/share/man/man1/radtest.1
+ /usr/share/man/man1/radwho.1
+ /usr/share/man/man1/radzap.1
+ /usr/share/man/man1/smbencrypt.1
+ /usr/share/man/man5/checkrad.5
+ /usr/share/man/man8/radconf2xml.8
+ /usr/share/man/man8/radcrypt.8
+ /usr/share/man/man8/radsniff.8
+ /usr/share/man/man8/radsqlrelay.8
+ /usr/share/man/man8/rlm_ippool_tool.8
+ end
end
end
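Review bot: `configfiles` lists only `/etc/raddb/radiusd.conf`, yet the package ships the whole /etc/raddb tree and that is where site-specific data lives: clients.conf (RADIUS shared secrets), users, eap.conf and the certs directory that the unit's `ExecStartPre=/etc/raddb/certs/bootstrap` populates at run time. If configfiles works like RPM %config, an upgrade overwrites local edits to every file not listed here and `postup` then `try-restart`s the server with the stock configuration. Consider listing the other shipped files under /etc/raddb (at least `/etc/raddb/clients.conf` and `/etc/raddb/eap.conf`) or the directory itself, whichever the directive supports. The freeradius-utils description spells the product `FreeRADUIS`.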
-d /var/run/radiusd 0750 root root -
+d /run/radiusd 0750 radiusd radiusd
+++ /dev/null
-diff -r -u freeradius-server-2.1.8.orig/raddb/certs/ca.cnf freeradius-server-2.1.8/raddb/certs/ca.cnf
---- freeradius-server-2.1.8.orig/raddb/certs/ca.cnf 2009-12-30 10:44:35.000000000 -0500
-+++ freeradius-server-2.1.8/raddb/certs/ca.cnf 2010-01-08 12:35:23.000000000 -0500
-@@ -14,9 +14,9 @@
- RANDFILE = $dir/.rand
- name_opt = ca_default
- cert_opt = ca_default
--default_days = 365
-+default_days = 60
- default_crl_days = 30
--default_md = md5
-+default_md = sha1
- preserve = no
- policy = policy_match
-
-Only in freeradius-server-2.1.8/raddb/certs: ca.cnf~
-diff -r -u freeradius-server-2.1.8.orig/raddb/certs/client.cnf freeradius-server-2.1.8/raddb/certs/client.cnf
---- freeradius-server-2.1.8.orig/raddb/certs/client.cnf 2009-12-30 10:44:35.000000000 -0500
-+++ freeradius-server-2.1.8/raddb/certs/client.cnf 2010-01-08 12:35:37.000000000 -0500
-@@ -14,9 +14,9 @@
- RANDFILE = $dir/.rand
- name_opt = ca_default
- cert_opt = ca_default
--default_days = 365
-+default_days = 60
- default_crl_days = 30
--default_md = md5
-+default_md = sha1
- preserve = no
- policy = policy_match
-
-Only in freeradius-server-2.1.8/raddb/certs: client.cnf~
-diff -r -u freeradius-server-2.1.8.orig/raddb/certs/server.cnf freeradius-server-2.1.8/raddb/certs/server.cnf
---- freeradius-server-2.1.8.orig/raddb/certs/server.cnf 2009-12-30 10:44:35.000000000 -0500
-+++ freeradius-server-2.1.8/raddb/certs/server.cnf 2010-01-08 12:35:05.000000000 -0500
-@@ -14,9 +14,9 @@
- RANDFILE = $dir/.rand
- name_opt = ca_default
- cert_opt = ca_default
--default_days = 365
-+default_days = 60
- default_crl_days = 30
--default_md = md5
-+default_md = sha1
- preserve = no
- policy = policy_match
-
-Only in freeradius-server-2.1.8/raddb/certs: server.cnf~
-diff -r -u freeradius-server-2.1.8.orig/raddb/eap.conf freeradius-server-2.1.8/raddb/eap.conf
---- freeradius-server-2.1.8.orig/raddb/eap.conf 2009-12-30 10:44:35.000000000 -0500
-+++ freeradius-server-2.1.8/raddb/eap.conf 2010-01-08 12:36:04.000000000 -0500
-@@ -251,15 +251,6 @@
- cipher_list = "DEFAULT"
-
- #
--
-- # This configuration entry should be deleted
-- # once the server is running in a normal
-- # configuration. It is here ONLY to make
-- # initial deployments easier.
-- #
-- make_cert_command = "${certdir}/bootstrap"
--
-- #
- # Session resumption / fast reauthentication
- # cache.
- #
-Only in freeradius-server-2.1.8/raddb: eap.conf~
--- /dev/null
+diff -r -u freeradius-server-2.1.12.orig/raddb/certs/ca.cnf freeradius-server-2.1.12/raddb/certs/ca.cnf
+--- freeradius-server-2.1.12.orig/raddb/certs/ca.cnf 2011-09-07 06:59:21.000000000 -0400
++++ freeradius-server-2.1.12/raddb/certs/ca.cnf 2011-09-07 10:28:28.000000000 -0400
+@@ -14,9 +14,9 @@
+ RANDFILE = $dir/.rand
+ name_opt = ca_default
+ cert_opt = ca_default
+-default_days = 365
++default_days = 60
+ default_crl_days = 30
+-default_md = md5
++default_md = sha1
+ preserve = no
+ policy = policy_match
+
+diff -r -u freeradius-server-2.1.12.orig/raddb/certs/client.cnf freeradius-server-2.1.12/raddb/certs/client.cnf
+--- freeradius-server-2.1.12.orig/raddb/certs/client.cnf 2011-09-07 06:59:21.000000000 -0400
++++ freeradius-server-2.1.12/raddb/certs/client.cnf 2011-09-07 10:28:28.000000000 -0400
+@@ -14,9 +14,9 @@
+ RANDFILE = $dir/.rand
+ name_opt = ca_default
+ cert_opt = ca_default
+-default_days = 365
++default_days = 60
+ default_crl_days = 30
+-default_md = md5
++default_md = sha1
+ preserve = no
+ policy = policy_match
+
+diff -r -u freeradius-server-2.1.12.orig/raddb/certs/server.cnf freeradius-server-2.1.12/raddb/certs/server.cnf
+--- freeradius-server-2.1.12.orig/raddb/certs/server.cnf 2011-09-07 06:59:21.000000000 -0400
++++ freeradius-server-2.1.12/raddb/certs/server.cnf 2011-09-07 10:28:28.000000000 -0400
+@@ -14,9 +14,9 @@
+ RANDFILE = $dir/.rand
+ name_opt = ca_default
+ cert_opt = ca_default
+-default_days = 365
++default_days = 60
+ default_crl_days = 30
+-default_md = md5
++default_md = sha1
+ preserve = no
+ policy = policy_match
+
+diff -r -u freeradius-server-2.1.12.orig/raddb/eap.conf freeradius-server-2.1.12/raddb/eap.conf
+--- freeradius-server-2.1.12.orig/raddb/eap.conf 2011-09-07 06:59:21.000000000 -0400
++++ freeradius-server-2.1.12/raddb/eap.conf 2011-09-07 10:28:28.000000000 -0400
+@@ -281,7 +281,11 @@
+ # for the server to print out an error message,
+ # and refuse to start.
+ #
+- make_cert_command = "${certdir}/bootstrap"
++ # Redhat RPM's run the bootstrap certificate creation
++ # as part of the RPM install (not upgrade), therefore
++ # the make_cert_command is commented out.
++ #
++ #make_cert_command = "${certdir}/bootstrap"
+
+ #
+ # Elliptical cryptography configuration
+Only in freeradius-server-2.1.12/raddb: eap.conf.orig
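Review bot: The comment added above `#make_cert_command` says the certificates are created "as part of the RPM install (not upgrade)", which describes Red Hat's mechanism, not this package's: nothing in the scriptlets here creates them, and freeradius.service runs `/etc/raddb/certs/bootstrap` from ExecStartPre on every start. Reword the patched comment to match, e.g. `# Certificate bootstrap is run by freeradius.service (ExecStartPre), so make_cert_command is commented out.` The trailing `Only in freeradius-server-2.1.12/raddb: eap.conf.orig` line shows the patch was generated with a leftover .orig file in the tree; patch ignores it, but it should be removed. The cnf changes also pin the bootstrap test certificates to a 60-day lifetime and SHA-1, which is acceptable for placeholders but should not be mistaken for production values.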
[Unit]
-Description=Freeradius Server
+Description=FreeRADIUS Server
After=network.target
[Service]
-ExecStart=/usr/sbin/radiusd -f -d /etc/radvd/freeradius.conf
+ExecStartPre=/etc/raddb/certs/bootstrap
+ExecStartPre=/usr/sbin/radiusd -C
+ExecStart=/usr/sbin/radiusd -f -d /etc/raddb
+ExecReload=/usr/sbin/radiusd -C
ExecReload=/bin/kill -HUP $MAINPID
-ExecPostStop=/bin/rm -vf /var/run/radiusd/radiusd.sock
[Install]
WantedBy=multi-user.target
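Review bot: `ExecStartPre=/etc/raddb/certs/bootstrap` runs the certificate bootstrap as root on every start, so the first start on a production host silently creates a self-signed CA plus server and client certificates (60 days, SHA-1 per the bundled patch) that EAP then uses, and nothing in the unit or the package scriptlets tells the operator these are placeholders. Presumably bootstrap skips files that already exist, but whether it regenerates an expired set is not visible here, so after 60 days EAP-TLS would start failing with no hint in the unit. A comment in the unit, `# bootstrap only creates test certificates when none exist; replace them with real ones before production use`, plus a sentence in the package description would help. Running `radiusd -C` before both ExecStart and the HUP reload is a good addition.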
###############################################################################
name = freetype
-version = 2.3.9
+version = 2.4.7
release = 1
groups = System/Graphics
summary = A free and portable font rendering engine.
description
- The FreeType engine is a free and portable font rendering \
- engine, developed to provide advanced font support for a variety of \
- platforms and environments. FreeType is a library which can open and \
- manages font files as well as efficiently load, hint and render \
- individual glyphs. FreeType is not a font server or a complete \
+ The FreeType engine is a free and portable font rendering
+ engine, developed to provide advanced font support for a variety of
+ platforms and environments. FreeType is a library which can open and
+ manages font files as well as efficiently load, hint and render
+ individual glyphs. FreeType is not a font server or a complete
text-rendering library.
end
-source_dl =
-sources = %{thisapp}.tar.bz2
+source_dl = http://download.savannah.gnu.org/releases/freetype/
build
requires
+ pkg-config
zlib-devel
end
-
- prepare_cmds
- sed -i -r -e 's:.*(#.*BYTE.*) .*:\1:' \
- -e 's:.*(#.*SUBPIX.*) .*:\1:' \
- include/freetype/config/ftoption.h
- end
end
packages
build_cloog_ppl = 0
name = gcc
-version = 4.6.1
-release = 4
+version = 4.6.2
+release = 2
maintainer = Michael Tremer <michael.tremer@ipfire.org>
groups = Development/Compilers
# This is the at least required version of binutils.
required_binutils_version = 2.21.51.0.8-1
-source_dl = http://ftp.gnu.org/gnu/gcc/
+source_dl = http://ftp.gnu.org/gnu/gcc/%{thisapp}/
sources = %{thisapp}.tar.gz
patches
# Remove some GNU debugger stuff.
rm -vf %{BUILDROOT}/usr/lib/lib*.py
end
+
+ keep_libraries
+ /usr/lib/gcc/%{DISTRO_BUILDTARGET}/%{version}/libgcc.a
+ /usr/lib/gcc/%{DISTRO_BUILDTARGET}/%{version}/libgcc_eh.a
+ end
end
packages
name = glibc
version = 2.14
-release = 2
+release = 3
maintainer = Michael Tremer <michael.tremer@ipfire.org>
groups = System/Base
# Move some libs to correct place
mv -v %{BUILDROOT}/lib/lib{memusage,pcprofile}.so %{BUILDROOT}/usr/lib/
end
+
+ keep_libraries
+ /usr/lib/libc_nonshared.a
+ /usr/lib/libpthread_nonshared.a
+ end
end
packages
###############################################################################
name = hostapd
-version = 0.6.9
+version = 0.7.3
release = 1
groups = Networking/Tools
RADIUS authentication server.
end
-source_dl =
+source_dl = http://hostap.epitest.fi/releases/
build
requires
# Copyright (C) - IPFire Development Team <info@ipfire.org> #
###############################################################################
-# XXX initscripts for daemons are missing
-
name = icecream
version = 0.9.7
-release = 1
+release = 2
maintainer = Michael Tremer <michael.tremer@ipfire.org>
groups = Development/Compilers
rm -rvf %{BUILDROOT}/usr/bin/cc
rm -rvf %{BUILDROOT}/usr/bin/g++
rm -rvf %{BUILDROOT}/usr/bin/gcc
+
+ # Create Logfiles.
+ mkdir -pv %{BUILDROOT}/var/log
+ touch %{BUILDROOT}/var/log/icecc{d,-scheduler}.log
end
end
gcc-c++
/usr/bin/ldd
end
+
+ prerequires += systemd-units
+
+ script postin
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ end
+
+ script preun
+ /bin/systemctl --no-reload disable iceccd.service \
+ icecc-scheduler.service >/dev/null 2>&1 || :
+ /bin/systemctl stop iceccd.service \
+ icecc-scheduler.service >/dev/null 2>&1 || :
+ end
+
+ script postun
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ end
+
+ script postup
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ /bin/systemctl try-restart iceccd.service \
+ icecc-scheduler.service >/dev/null 2>&1 || :
+ end
end
package %{name}-devel
--- /dev/null
+[Unit]
+Description=Icecream job scheduler
+After=network.target
+
+[Service]
+Type=forking
+ExecStart=/usr/sbin/icecc-scheduler -vvv -d -p 8765 -l /var/log/icecc-scheduler.log
+
+[Install]
+WantedBy=multi-user.target
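Review bot: The new unit starts `icecc-scheduler -vvv -d -p 8765` as root with no `User=`/`Group=` line, and the scheduler is a network service on port 8765; unless icecc drops privileges itself (not visible here), a network-facing daemon runs with full root. The same applies to iceccd in the next file, which additionally runs compile jobs on behalf of remote hosts. `Type=forking` with `-d` but no `PIDFile=` also leaves systemd to guess the main PID; if `-d` means daemonize, either add `PIDFile=` when the daemons write one or drop `-d` and use `Type=simple`. The `-vvv` verbosity will grow the log files created at build time with no rotation visible in this change.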
--- /dev/null
+[Unit]
+Description=Icecream daemon
+After=network.target
+
+[Service]
+Type=forking
+ExecStart=/usr/sbin/iceccd -vvv -d -s localhost -m 2 -l /var/log/iceccd.log
+
+[Install]
+WantedBy=multi-user.target
+++ /dev/null
-#!/bin/sh
-###############################################################################
-# #
-# IPFire.org - A linux based firewall #
-# Copyright (C) 2007, 2008 Michael Tremer & Christian Schmidt #
-# #
-# This program is free software: you can redistribute it and/or modify #
-# it under the terms of the GNU General Public License as published by #
-# the Free Software Foundation, either version 3 of the License, or #
-# (at your option) any later version. #
-# #
-# This program is distributed in the hope that it will be useful, #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
-# GNU General Public License for more details. #
-# #
-# You should have received a copy of the GNU General Public License #
-# along with this program. If not, see <http://www.gnu.org/licenses/>. #
-# #
-###############################################################################
-#
-# Partly based on scripts by DJ Lucas - dj@linuxfromscratch.org
-#
-
-# Distro Information
-DISTRO="$(</etc/system-release)" # The distro name
-DISTRO_CONTACT="http://bugtracker.ipfire.org" # Bug report address
-
-# This sets default terminal options.
-# stty sane - this has been removed as nobody recalls
-# the reason for it in the first place - if no problems arize,
-# then it will be removed completely at a later date.
-
-# Setup default values for the environment
-umask 022
-
-# If we boot, we should only allow the
-# use tools that are available in /bin:/sbin
-if [ -n "${UPSTART_JOB}" ]; then
- PATH="/bin:/sbin"
-fi
-
-# Find current screen size
-if [ -z "${COLUMNS}" ]; then
- COLUMNS=$(stty size)
- COLUMNS=${COLUMNS##* }
-fi
-
-# When using remote connections, such as a serial port, stty size returns 0
-if [ "${COLUMNS}" = "0" ]; then
- COLUMNS=80
-fi
-
-## Measurements for positioning result messages
-COL=$((${COLUMNS} - 8))
-WCOL=$((${COL} - 2))
-
-# Set Cursur Position Commands, used via echo -e
-SET_COL="\\033[${COL}G" # at the $COL char
-SET_WCOL="\\033[${WCOL}G" # at the $WCOL char
-CURS_UP="\\033[1A\\033[0G" # Up one line, at the 0'th char
-
-# Normal colors
-CLR_NORM_BLK="\\033[0;30m" # black
-CLR_NORM_RED="\\033[0;31m" # red
-CLR_NORM_GRN="\\033[0;32m" # green
-CLR_NORM_YEL="\\033[0;33m" # yellow
-CLR_NORM_BLU="\\033[0;34m" # blue
-CLR_NORM_MAG="\\033[0;35m" # magenta
-CLR_NORM_CYN="\\033[0;36m" # cyan
-CLR_NORM_WHT="\\033[0;37m" # white
-CLR_NORM_GRY="\\033[0;39m" # grey
-
-# Emphased colors
-CLR_BOLD_BLK="\\033[1;30m" # black
-CLR_BOLD_RED="\\033[1;31m" # red
-CLR_BOLD_GRN="\\033[1;32m" # green
-CLR_BOLD_YEL="\\033[1;33m" # yellow
-CLR_BOLD_BLU="\\033[1;34m" # blue
-CLR_BOLD_MAG="\\033[1;35m" # magenta
-CLR_BOLD_CYN="\\033[1;36m" # cyan
-CLR_BOLD_WHT="\\033[1;37m" # white
-CLR_BOLD_GRY="\\033[1;39m" # grey
-
-# Background colors
-CLR_BACK_BLK="\\033[40m" # black
-CLR_BACK_RED="\\033[41m" # red
-CLR_BACK_GRN="\\033[42m" # green
-CLR_BACK_YEL="\\033[43m" # yellow
-CLR_BACK_BLU="\\033[44m" # blue
-CLR_BACK_MAG="\\033[45m" # magenta
-CLR_BACK_CYN="\\033[46m" # cyan
-CLR_BACK_WHT="\\033[47m" # white
-
-# Action colors
-BOLD=$CLR_BOLD_GRY
-DONE=$CLR_BOLD_GRN
-SKIP=$CLR_BOLD_BLU
-WARN=$CLR_BOLD_MAG
-FAIL=$CLR_BOLD_RED
-NORMAL=$CLR_NORM_GRY
-
-# Color hooks
-BRACKET_L="${CLR_BOLD_BLU}[${NORMAL}"
-BRACKET_R="${CLR_BOLD_BLU}]${NORMAL}"
-
-# Define custom colors used in messages printed to the screen
-BRACKET=${CLR_BOLD_BLU} # Blue
-FAILURE=${CLR_BOLD_RED} # Red
-INFO=${CLR_BOLD_CYN} # Cyan
-NORMAL=${CLR_NORM_GRY} # Grey
-SUCCESS=${CLR_BOLD_GRN} # Green
-WARNING=${CLR_BOLD_YEL} # Yellow
-
-# Prefix boot messages for easier reading on framebuffer consoles
-PREFIX_SUCCESS=" ${SUCCESS}*${NORMAL} "
-PREFIX_WARNING="${WARNING}**${NORMAL} "
-PREFIX_FAILURE="${FAILURE}***${NORMAL}"
-
-welcome_message="Welcome to ${INFO}${DISTRO}${NORMAL}"
-welcome_message_length=$((${#DISTRO} + 11))
-
-# Error message displayed when a script's exit value is not zero
-print_error_msg() {
- # ${link} and ${error_value} are defined by the rc script
- echo -e "${FAILURE}FAILURE: You should not be reading this error message."
- echo -e ""
- echo -e -n "${FAILURE}It means that an unforseen error took place in"
- echo -e -n "${INFO} ${link}"
- echo -e "${FAILURE},"
- echo -e "${FAILURE}which exited with a return value of ${error_value}."
- echo -e ""
- echo -e -n "${FAILURE}If you are able to track this error down to a bug"
- echo -e "${FAILURE}in one of the files"
- echo -e -n "provided by ${INFO}${DISTRO}${FAILURE}, "
- echo -e -n "${FAILURE}please be so kind to inform us at "
- echo -e "${INFO}${DISTRO_CONTACT}${FAILURE}.${NORMAL}"
- echo -e ""
- echo -e "${INFO}Press Enter to continue..."
- echo -e "${NORMAL}"
- read ENTER
-}
-
-################################################################################
-# log_success_msg() #
-# Usage: log_success_msg [$MESSAGE | "message"] #
-# #
-# Purpose: Print a successful status message to the screen and optionally #
-# a boot log file. #
-# #
-# Inputs: accepts one string value, either a quoted string or optionally #
-# the value of $MESSAGE if set in the running environment. #
-# #
-# Return values: Not used #
-################################################################################
-log_success_msg() {
- echo -n -e "${PREFIX_SUCCESS}${INDENT}${@}"
- echo -e "${SET_COL}${BRACKET}[${SUCCESS} OK ${BRACKET}]${NORMAL}"
-}
-
-################################################################################
-# log_failure_msg() #
-# Usage: log_failure_msg [$MESSAGE | "message"] #
-# #
-# Purpose: Print a failure status message to the screen and optionally #
-# a boot log file. #
-# #
-# Inputs: accepts one string value, either a quoted string or optionally #
-# the value of $MESSAGE if set in the running environment. #
-# #
-# Return values: Not used #
-################################################################################
-log_failure_msg() {
- echo -n -e "${PREFIX_FAILURE}${INDENT}${@}"
- echo -e "${SET_COL}${BRACKET}[${FAILURE} FAIL ${BRACKET}]${NORMAL}"
-}
-
-################################################################################
-# log_warning_msg() #
-# Usage: log_warning_msg [$MESSAGE | "message"] #
-# #
-# Purpose: Print a warning status message to the screen and optionally #
-# a boot log file. #
-# #
-# Inputs: accepts one string value, either a quoted string or optionally #
-# the value of $MESSAGE if set in the running environment. #
-# #
-# Return values: Not used #
-################################################################################
-log_warning_msg() {
- echo -n -e "${PREFIX_WARNING}${INDENT}${@}"
- echo -e "${SET_COL}${BRACKET}[${WARNING} WARN ${BRACKET}]${NORMAL}"
-}
-
-############################## evaluate_retval() ###############################
-# evaluate_retval requires that you pass exactly one evaluation parameter of #
-# (start, stop, other) based on the previous action that is being evaluated. #
-# This function is intended for use with start_daemon and killproc to #
-# interpret the LSB exit codes properly, othewise the checks only for success #
-# or failure. #
-################################################################################
-evaluate_retval() {
- local error_value="${?}"
-
- # Handle LSB defined return values
- case "${1}" in
- start)
- case "${error_value}" in
- 0)
- log_success_msg "Starting ${MESSAGE} "
- return "${error_value}"
- ;;
- 2)
- log_failure_msg "Starting ${MESSAGE} Error: Invalid argument!"
- return "${error_value}"
- ;;
- 5)
- log_failure_msg "Starting ${MESSAGE} Error: Not available!"
- return "${error_value}"
- ;;
- *)
- log_failure_msg "Starting ${MESSAGE} Error: General failure!"
- return "${error_value}"
- ;;
- esac
- ;;
-
- stop)
- case "${error_value}" in
- 0)
- log_success_msg "Stopping ${MESSAGE} "
- return "${error_value}"
- ;;
- 2)
- log_failure_msg "Stopping ${MESSAGE} Error: Invalid argument!"
- return "${error_value}"
- ;;
- 5)
- log_failure_msg "Stopping ${MESSAGE} Error: Not available!"
- return "${error_value}"
- ;;
- 7)
- log_warning_msg "Stopping ${MESSAGE} Warning: Not running!"
- return "${error_value}"
- ;;
- *)
- log_failure_msg "Stopping ${MESSAGE} Error: General failure!"
- return "${error_value}"
- ;;
- esac
- ;;
-
- force-reload)
- message="Forcefully reloading "
- ;;
-
- reload)
- message="Reloading "
- ;;
-
- restart)
- message="Restarting "
- ;;
-
- try-restart)
- message="Trying restart "
- ;;
-
- standard)
- # $message or $MESSAGE must be set, but not both in order
- # to use the 'standard' target.
- ;;
- esac
-
- # Print messages for the generic force-reload, reload, restart,
- # and try-restart targets
- if [ "${error_value}" = "0" ]; then
- log_success_msg "${message}${MESSAGE} "
- return "${error_value}"
- else
- log_failure_msg "${message}${MESSAGE} "
- return "${error_value}"
- fi
-}
name = initscripts
epoch = 1
version = 2.99
-release = 8
+release = 11
groups = Base System/Boot
url =
install
cd src && make install clean DESTDIR=%{BUILDROOT}
- mkdir -pv %{BUILDROOT}/etc/{init,sysconfig}
-
- cp -vf %{DIR_SOURCE}/functions %{BUILDROOT}/etc/init/
-
- for i in %{DIR_SOURCE}/sysconfig/*; do
- install -v -m 644 $i %{BUILDROOT}/etc/sysconfig/
- done
- chmod -v 755 %{BUILDROOT}/etc/sysconfig/rc.local
-
- cp -vf %{DIR_SOURCE}/sysctl.conf %{BUILDROOT}/etc
+ # Install rc.local
+ install -v -m 755 %{DIR_SOURCE}/rc.local %{BUILDROT}/etc/rc.local
# Install udev rules
mkdir -pv %{BUILDROOT}/lib/udev/rules.d/
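Review bot: `install -v -m 755 %{DIR_SOURCE}/rc.local %{BUILDROT}/etc/rc.local` misspells the macro: `BUILDROT` is not defined anywhere on this page, so depending on how pakfire treats unknown macros the file is either installed to `/etc/rc.local` on the build host or the line fails, and in either case the packaged `/etc/rc.local` that `configfiles` and `rc-local.service` rely on is missing. Change it to `install -v -m 755 %{DIR_SOURCE}/rc.local %{BUILDROOT}/etc/rc.local`.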
util-linux
end
+ configfiles
+ /etc/rc.local
+ end
+
prerequires = coreutils shadow-utils
script prein
chown root:utmp /var/log/{b,w}tmp /var/run/utmp
chmod 664 /var/log/wtmp /var/run/utmp
chmod 600 /var/log/btmp
+
+ # Just search for new unit files that were just installed.
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+
+ # Enable rc.local as default.
+ /bin/systemctl --no-reload enable rc-local.service >/dev/null 2>&1 || :
+ end
+
+ # Disable the service that is to be removed and stop it if it is still running.
+ script preun
+ /bin/systemctl --no-reload disable rc-local.service >/dev/null 2>&1 || :
+ /bin/systemctl stop rc-local.service >/dev/null 2>&1 || :
+ end
+
+ # Just tell systemd that unitfiles have been removed.
+ script postun
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
end
end
end
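Review bot: The `systemctl daemon-reload` and `systemctl --no-reload enable rc-local.service` lines are added to `script prein`, which by its name runs before the package's files are unpacked, so the unit file the comment says was "just installed" does not exist yet and the enable fails silently behind `|| :`; the freeradius and icecream packages in this same change put daemon-reload in `postin`, and that is where these belong. The context line `prerequires = coreutils shadow-utils` also lacks `systemd-units`, which the other packages add when they call systemctl. Whether pakfire's prein really runs before unpacking is not visible here, but the postin placement is correct either way.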
--- /dev/null
+#!/bin/sh
+#
+# This script will be executed at the end of the boot process.
+# You can put your own initialization stuff in here.
+++ /dev/null
-########################################################################
-# Begin /etc/sysconfig/createfiles
-#
-# Description : Createfiles script config file
-#
-# Authors :
-#
-# Version : 00.00
-#
-# Notes : The syntax of this file is as follows:
-# if type is equal to "file" or "dir"
-# <filename> <type> <permissions> <user> <group>
-# if type is equal to "dev"
-# <filename> <type> <permissions> <user> <group> <devtype> <major> <minor>
-#
-# <filename> is the name of the file which is to be created
-# <type> is either file, dir, or dev.
-# file creates a new file
-# dir creates a new directory
-# dev creates a new device
-# <devtype> is either block, char or pipe
-# block creates a block device
-# char creates a character deivce
-# pipe creates a pipe, this will ignore the <major> and <minor> fields
-# <major> and <minor> are the major and minor numbers used for the device.
-########################################################################
-
-# End /etc/sysconfig/createfiles
+++ /dev/null
-########################################################################
-# Begin /etc/sysconfig/modules
-#
-# Description : Module auto-loading configuration
-#
-# Authors :
-#
-# Version : 00.00
-#
-# Notes : The syntax of this file is as follows:
-# <module> [<arg1> <arg2> ...]
-#
-# Each module should be on it's own line, and any options that you want
-# passed to the module should follow it. The line deliminator is either
-# a space or a tab.
-########################################################################
-
-# For dialin with pppd
-ppp_generic
-
-# End /etc/sysconfig/modules
+++ /dev/null
-HOSTNAME=ipfire.localdomain
+++ /dev/null
-# Begin /etc/sysconfig/rc
-
-# Author: DJ Lucas - dj@linuxfromscratch.org
-# Version: 1.0 LSB V.3.1
-
-# Global variable inherited by initscripts are in caps
-# Local variables for the rc script are in lowercase
-
-# Source site specific rc configuration
-. /etc/sysconfig/rc.site
-
-# This sets default terminal options.
-# stty sane - this has been removed as nobody recalls
-# the reason for it in the first place - if no problems arize,
-# then it will be removed completely at a later date.
-
-# Setup default values for the environment
-umask 022
-PATH="/bin:/sbin"
-
-# Find current screen size
-if [ -z "${COLUMNS}" ]; then
- COLUMNS=$(stty size)
- COLUMNS=${COLUMNS##* }
-fi
-
-# When using remote connections, such as a serial port, stty size returns 0
-if [ "${COLUMNS}" = "0" ]; then
- COLUMNS=80
-fi
-
-## Measurements for positioning result messages
-COL=$((${COLUMNS} - 8))
-WCOL=$((${COL} - 2))
-
-# Set Cursur Position Commands, used via echo -e
-SET_COL="\\033[${COL}G" # at the $COL char
-SET_WCOL="\\033[${WCOL}G" # at the $WCOL char
-CURS_UP="\\033[1A\\033[0G" # Up one line, at the 0'th char
-
-# Bootlogging and interactive startup require a valid tempfs mount
-# if this mount is not present, disable them
-if [ "${TEMPFS_MOUNT}" = "" -o ! -d "${TEMPFS_MOUNT}" ]; then
- TEMPFS_MOUNT=""
- iprompt=""
- BOOTLOG_ENAB=""
-fi
-
-# Export the environment variables so they are inherited by the scripts
-export PATH SET_COL SET_WCOL CURS_UP TEMPFS_MOUNT BOOTLOG_ENAB RUNLEVEL
-
-# End /etc/sysconfig/rc
+++ /dev/null
-#!/bin/sh
-###############################################################################
-# #
-# IPFire.org - A linux based firewall #
-# Copyright (C) 2007 Michael Tremer & Christian Schmidt #
-# #
-# This program is free software: you can redistribute it and/or modify #
-# it under the terms of the GNU General Public License as published by #
-# the Free Software Foundation, either version 3 of the License, or #
-# (at your option) any later version. #
-# #
-# This program is distributed in the hope that it will be useful, #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
-# GNU General Public License for more details. #
-# #
-# You should have received a copy of the GNU General Public License #
-# along with this program. If not, see <http://www.gnu.org/licenses/>. #
-# #
-###############################################################################
-# Used for private calls after boot #
-###############################################################################
-
-# power button shutdown
-if grep -q '^button' /proc/modules ; then
- head -1 /proc/acpi/event | grep -q 'button/power PWRF' && init 0 &
-fi
+++ /dev/null
-# Set base directory information
-RC_BASE="/etc"
-RC_FUNCTIONS="${RC_BASE}/init.d/ipfire-functions"
-
-# Location of network device scripts and config files
-NETWORK_SCRIPTS="/etc/init.d/networking"
-NETWORK_DEVICES="/etc/sysconfig/network-devices"
-
-# Directory to store boot process accounting information
-# Used for boot logging and interactive flag when rootfs
-# is not writable
-TEMPFS_MOUNT="${RC_BASE}/init.d/boottemp"
-
-# Bootlogging (requires a tempfs mount)
-BOOTLOG_ENAB="yes"
-
-# Distro Information
-DISTRO="$(cat /etc/system-release)" # The distro name
-DISTRO_CONTACT="http://bugtracker.ipfire.org" # Bug report address
-DISTRO_MINI="ipfire" # Short name used in filenames for distro config
-
-# Define custom colors used in messages printed to the screen
-BRACKET="\\033[1;34m" # Blue
-FAILURE="\\033[1;31m" # Red
-INFO="\\033[1;36m" # Cyan
-NORMAL="\\033[0;39m" # Grey
-SUCCESS="\\033[1;32m" # Green
-WARNING="\\033[1;33m" # Yellow
-
-# Prefix boot messages for easier reading on framebuffer consoles
-PREFIX_SUCCESS=" ${SUCCESS}*${NORMAL} "
-PREFIX_WARNING="${WARNING}**${NORMAL} "
-PREFIX_FAILURE="${FAILURE}***${NORMAL}"
-
-# Export varialbles so that they are inherited by the initscripts
-export RC_BASE RC_FUNCTIONS TEMPFS_MOUNT BOOTLOG_ENAB
-export NETWORK_DEVICES NETWORK_SCRIPTS
-export DISTRO DISTRO_CONTACT DISTRO_MINI
-export BRACKET FAILURE INFO NORMAL SUCCESS WARNING
-export PREFIX_SUCCESS PREFIX_WARNING PREFIX_FAILURE
-
-# Interactive startup
-iprompt="yes" # Wether to display the interactive boot promp
-itime="2" # The ammount of time (in seconds) to display the prompt
-dlen="$(( 11 + ${#DISTRO} ))" # The total length of the distro welcome string
-ilen="38" # The total length of the interactive message
-welcome_message="Welcome to ${INFO}${DISTRO}${NORMAL}"
-i_message="Press '${FAILURE}I${NORMAL}' to enter interactive startup"
-
-# Error message displayed when a script's exit value is not zero
-print_error_msg()
-{
- # ${link} and ${error_value} are defined by the rc script
- echo -e "${FAILURE}FAILURE: You should not be reading this error message."
- echo -e ""
- echo -e -n "${FAILURE}It means that an unforseen error took place in"
- echo -e -n "${INFO} ${link}"
- echo -e "${FAILURE},"
- echo -e "${FAILURE}which exited with a return value of ${error_value}."
- echo -e ""
- echo -e -n "${FAILURE}If you are able to track this error down to a bug"
- echo -e "${FAILURE}in one of the files"
- echo -e -n "provided by ${INFO}${DISTRO}${FAILURE}, "
- echo -e -n "${FAILURE}please be so kind to inform us at "
- echo -e "${INFO}${DISTRO_CONTACT}${FAILURE}.${NORMAL}"
- echo -e ""
- echo -e "${INFO}Press Enter to continue..."
- echo -e "${NORMAL}"
- read ENTER
-}
-
+++ /dev/null
-net.ipv4.ip_forward = 1
-net.ipv4.ip_dynaddr = 1
-net.ipv4.icmp_echo_ignore_broadcasts = 1
-net.ipv4.icmp_ignore_bogus_error_responses = 1
-
-net.ipv4.tcp_sack = 0
-net.ipv4.tcp_timestamps = 0
-net.ipv4.tcp_syncookies = 1
-net.ipv4.tcp_fin_timeout = 30
-net.ipv4.tcp_window_scaling = 0
-net.ipv4.tcp_syn_retries = 3
-net.ipv4.tcp_synack_retries = 3
-
-net.ipv4.conf.default.rp_filter = 0
-net.ipv4.conf.default.accept_redirects = 0
-net.ipv4.conf.default.accept_source_route = 0
-net.ipv4.conf.default.log_martians = 1
-
-net.ipv4.conf.all.rp_filter = 0
-net.ipv4.conf.all.accept_redirects = 0
-net.ipv4.conf.all.accept_source_route = 0
-net.ipv4.conf.all.log_martians = 1
-
-# IPv6 settings
-net.ipv6.conf.default.forwarding = 1
-net.ipv6.conf.default.autoconf = 0
-
-kernel.printk = 1 4 1 7
--- /dev/null
+[Unit]
+Description=/etc/rc.local Compatiblity
+ConditionFileIsExecuteable=/etc/rc.local
+Requires=multi-user.target
+After=multi-user.target network.target
+
+[Service]
+Type=forking
+ExecStart=/etc/rc.local
+TimeoutSec=0
+StandardOutput=tty
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
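Review bot: `ConditionFileIsExecuteable=/etc/rc.local` misspells the directive, so systemd will only log an unknown-assignment warning and the unit will start even when /etc/rc.local is missing or not executable; the line should read `ConditionFileIsExecutable=/etc/rc.local`. `Requires=multi-user.target` plus `After=multi-user.target` on a unit that is itself `WantedBy=multi-user.target` also looks like an ordering cycle, since a target is implicitly ordered after the units it wants; dropping the Requires= line and keeping only `After=network.target` avoids it. `Compatiblity` in the Description is a typo as well.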
###############################################################################
name = intltool
-version = 0.40.5
-release = 2
+version = 0.40.6
+release = 1
arch = noarch
groups = Localization/Tools
them in the po files.
end
-source_dl =
+source_dl = http://ftp.gnome.org/pub/gnome/sources/intltool/0.40/
sources = %{thisapp}.tar.bz2
build
--- /dev/null
+###############################################################################
+# IPFire.org - An Open Source Firewall Solution #
+# Copyright (C) - IPFire Development Team <info@ipfire.org> #
+###############################################################################
+
+name = iperf
+version = 2.0.5
+release = 1
+
+maintainer = Christian Schmidt <christian.schmidt@ipfire.org>
+groups = Applications/Internet
+url = http://www..sourceforge.net/projects/iperf/files/
+license = GPLv3+ and LGPLv3+
+summary = Measurement tool for TCP/UDP bandwidth performance
+
+description
+ Iperf is a tool to measure maximum TCP bandwidth, allowing the tuning of
+ various parameters and UDP characteristics. Iperf reports bandwidth, delay
+ jitter, datagram loss.
+end
+
+source_dl = http://sourceforge.net/projects/iperf/files
+
+build
+ requires
+ gcc-c++
+ end
+end
+
+packages
+ package %{name}
+ end
+end
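Review bot: `url = http://www..sourceforge.net/projects/iperf/files/` contains a doubled dot and is not a valid hostname; `url = http://sourceforge.net/projects/iperf/files/` matches the source_dl below. The `license = GPLv3+ and LGPLv3+` line cannot be verified from this file and is worth checking against the COPYING file in the tarball before the package ships, since the license tag is what downstream tooling reports.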
name = keepalived
version = 1.2.2
-release = 1
+release = 2
groups = Applications/System
url = http://www.keepalived.org/
[Service]
Type=forking
-EnvironmentFile=-/etc/sysconfig/keepalived
-ExecStart=/usr/sbin/keepalived $KEEPALIVED_OPTIONS
+ExecStart=/usr/sbin/keepalived
[Install]
WantedBy=multi-user.target
name = libsolv
version = 0.0.0
git_ver = 0db9d7f
-release = 1
+release = 2.git%{git_ver}
maintainer = Michael Tremer <michael.tremer@ipfire.org>
groups = System/Libraries
name = lighttpd
version = 1.4.29
-release = 1
+ver_major = 1.4
+release = 2
maintainer = Michael Tremer <michael.tremer@ipfire.org>
groups = Networking/Webservers
summary = Lightning fast webserver with light system requirements.
description
- Secure, fast, compliant and very flexible web-server which has been optimized \
- for high-performance environments. It has a very low memory footprint compared \
- to other webservers and takes care of cpu-load. Its advanced feature-set \
- (FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and many more) make \
- it the perfect webserver-software for every server that is suffering load \
+ Secure, fast, compliant and very flexible web-server which has been optimized
+ for high-performance environments. It has a very low memory footprint compared
+ to other webservers and takes care of cpu-load. Its advanced feature-set
+ (FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and many more) make
+ it the perfect webserver-software for every server that is suffering load
problems.
end
-source_dl =
+source_dl = http://download.lighttpd.net/lighttpd/releases-%{ver_major}.x/
build
requires
openssl-devel
pcre-devel
pkg-config
+ shadow-utils
zlib-devel
end
--with-ldap \
--with-openssl
+ prepare_cmds
+ %{create_user}
+ end
+
install_cmds
mkdir -pv %{BUILDROOT}/etc
cp -vf %{DIR_SOURCE}/%{name}.conf %{BUILDROOT}/etc/%{name}.conf
mkdir -pv %{BUILDROOT}/var/log/%{name}
touch %{BUILDROOT}/var/log/%{name}/{access,error}.log
- chown nobody.nobody -R %{BUILDROOT}/var/log/%{name}
+ chown lighttpd.lighttpd -R %{BUILDROOT}/var/log/%{name}
mkdir -pv %{BUILDROOT}/var/cache/lighttpd/compress
- chown nobody.nobody -Rv %{BUILDROOT}/var/cache/lighttpd/
+ chown lighttpd.lighttpd -Rv %{BUILDROOT}/var/cache/lighttpd/
+
+ mkdir -pv %{BUILDROOT}/run/lighttpd
+ chown lighttpd.lighttpd -Rv %{BUILDROOT}/run/lighttpd/
end
end
+create_user
+ getent group lighttpd >/dev/null || /usr/sbin/groupadd -r lighttpd
+ getent passwd lighttpd >/dev/null || /usr/sbin/useradd -r -g lighttpd \
+ -d /var/www/lighttpd -s /sbin/nologin lighttpd
+end
+
packages
package %{name}
+ configfiles
+ /etc/lighttpd.conf
+ end
+
+ prerequires = shadow-utils systemd-units
+
+ script prein
+ %{create_user}
+ end
+
+ script postin
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ end
+
+ script preun
+ /bin/systemctl --no-reload disable lighttpd.service >/dev/null 2>&1 || :
+ /bin/systemctl stop lighttpd.service >/dev/null 2>&1 || :
+ end
+
+ script postup
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ /bin/systemctl try-restart lighttpd.service >/dev/null 2>&1 || :
+ end
end
end
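Review bot: The lighttpd package scripts have no `script postun` running a daemon-reload, although the lldpd package in this same commit adds one, so after removal systemd keeps the stale unit loaded until something else triggers a reload. Adding `script postun` / `/bin/systemctl daemon-reload >/dev/null 2>&1 || :` / `end` after the preun block makes the two packages consistent.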
-d /var/run/lighttpd 0750 lighttpd lighttpd -
+d /run/lighttpd 0750 lighttpd lighttpd -
###############################################################################
name = lldpd
-version = 0.5.2
-release = 5
+version = 0.5.4
+release = 1
groups = Networking/Tools
url = https://trac.luffy.cx/lldpd/
summary = Utilities for the Link Layer Discovery Protocol.
description
- The LLDPD project aims to provide a comprehensive implementation of \
+ The LLDPD project aims to provide a comprehensive implementation of
the IEEE standard 802.1AB Link Layer Discovery Protocol.
end
requires
libxml2-devel
pkg-config
+ shadow-utils
zlib-devel
end
--with-xml \
--with-privsep-user=lldpd \
--with-privsep-group=lldpd
+
+ prepare_cmds
+ %{create_user}
+ end
+
+ install_cmds
+ # Create tmp directory.
+ mkdir -pv -m 700 %{BUILDROOT}/run/lldpd
+ chown -v lldpd.lldpd %{BUILDROOT}/run/lldpd
+ end
+end
+
+create_user
+ getent group lldpd >/dev/null || groupadd -r lldpd
+ getent passwd lldpd >/dev/null || \
+ useradd -r -g lldpd -d / -s /sbin/nologin lldpd
end
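Review bot: `%{BUILDROOT}/run/lldpd` is created `-m 700` and chowned to `lldpd.lldpd` (the tmpfiles entry below does the same), yet `--with-privsep-user=lldpd` just above suggests this directory is the privilege-separation chroot, and a chroot writable by the unprivileged user weakens the separation — OpenSSH keeps /var/empty root-owned and non-writable for that reason. Unless lldpd 0.5.4's priv_init() requires the directory to be owned by the privsep user (worth confirming in its source), `d /run/lldpd 0755 root root -` with a matching chown here is the safer default. Separately, this `create_user` calls bare `groupadd`/`useradd` while the lighttpd block in the same commit uses `/usr/sbin/groupadd` and `/usr/sbin/useradd`; the scriptlet runs under whatever PATH pakfire provides, so the absolute form is the more robust one.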
packages
package %{name}
+ prerequires = shadow-utils systemd-units
+
+ script prein
+ %{create_user}
+ end
+
+ script postin
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ end
+
+ script preun
+ /bin/systemctl --no-reload disable lldpd.service >/dev/null 2>&1 || :
+ /bin/systemctl stop lldpd.service >/dev/null 2>&1 || :
+ end
+
+ script postun
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ end
+
+ script postup
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ /bin/systemctl try-restart lldpd.service >/dev/null 2>&1 || :
+ end
end
end
-d /var/run/lldpd 0700 lldpd lldpd -
+d /run/lldpd 0700 lldpd lldpd -
+++ /dev/null
-commit ae87586a12eaf4e8329b88f6e0c629e7b14f27bc
-Author: Michael Tremer <michael.tremer@ipfire.org>
-Date: Sat May 28 14:29:33 2011 +0200
-
- Add support to read /etc/os-release for system information.
-
- /etc/os-release is introduced with systemd which will be in all the
- major distributions, soon. For backwards-compatibility, the lsb_release
- method is still there and will be used if no /etc/os-release is available.
-
-diff --git a/src/lldpd.c b/src/lldpd.c
-index b19af11..1641f13 100644
---- a/src/lldpd.c
-+++ b/src/lldpd.c
-@@ -89,6 +89,7 @@ static void lldpd_decode(struct lldpd *, char *, int,
- static void lldpd_update_chassis(struct lldpd_chassis *,
- const struct lldpd_chassis *);
- static char *lldpd_get_lsb_release(void);
-+static char *lldpd_get_os_release(void);
- #ifdef ENABLE_LLDPMED
- static void lldpd_med(struct lldpd_chassis *);
- #endif
-@@ -553,6 +554,46 @@ lldpd_get_lsb_release() {
- return NULL;
- }
-
-+/* Same like lldpd_get_lsb_release but reads /etc/os-release for PRETTY_NAME=. */
-+static char *
-+lldpd_get_os_release() {
-+ static char release[1024];
-+
-+ FILE *fp = fopen("/etc/os-release", "r");
-+ if (!fp) {
-+ LLOG_WARN("Could not open /etc/os-release to read system information");
-+ return NULL;
-+ }
-+
-+ char line[1024];
-+ char *key, *val;
-+
-+ while ((fgets(line, 1024, fp) != NULL)) {
-+ key = strtok(line, "=");
-+ val = strtok(NULL, "=");
-+
-+ if (strncmp(key, "PRETTY_NAME", 1024) == 0) {
-+ strncpy(release, val, 1024);
-+ break;
-+ }
-+ }
-+ fclose(fp);
-+
-+ /* Remove trailing newline and all " in the string. */
-+ char *ptr1 = release;
-+ char *ptr2 = release;
-+ while (*ptr1 != 0) {
-+ if ((*ptr1 == '"') || (*ptr1 == '\n')) {
-+ ++ptr1;
-+ } else {
-+ *ptr2++ = *ptr1++;
-+ }
-+ }
-+ *ptr2 = 0;
-+
-+ return release;
-+}
-+
- int
- lldpd_callback_add(struct lldpd *cfg, int fd, void(*fn)(CALLBACK_SIG), void *data)
- {
-@@ -889,7 +930,7 @@ lldpd_update_localchassis(struct lldpd *cfg)
- fatal("failed to set full system description");
- } else {
- if (cfg->g_advertise_version) {
-- if (asprintf(&LOCAL_CHASSIS(cfg)->c_descr, "%s%s %s %s",
-+ if (asprintf(&LOCAL_CHASSIS(cfg)->c_descr, "%s %s %s %s",
- cfg->g_lsb_release?cfg->g_lsb_release:"",
- un.sysname, un.release, un.machine)
- == -1)
-@@ -1189,7 +1230,12 @@ lldpd_main(int argc, char *argv[])
- close(pid);
- }
-
-- lsb_release = lldpd_get_lsb_release();
-+ /* Try to read system information from /etc/os-release if possible.
-+ Fall back to lsb_release for compatibility. */
-+ lsb_release = lldpd_get_os_release();
-+ if (!lsb_release) {
-+ lsb_release = lldpd_get_lsb_release();
-+ }
-
- priv_init(PRIVSEP_CHROOT);
-
[Service]
RemainAfterExit=yes
ExecStartPre=/sbin/modprobe 8021q
-ExecStart=/usr/sbin/lldpd -c
+ExecStart=/usr/sbin/lldpd -d -c
+Restart=on-failure
[Install]
WantedBy=multi-user.target
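Review bot: `ExecStart=/usr/sbin/lldpd -d -c` keeps lldpd in the foreground (per lldpd(8), `-d` means do not daemonize), so the unit's `Type=` — set above this hunk and not visible here — must be `simple` rather than `forking`, otherwise start-up blocks until the timeout. With a long-running foreground process `RemainAfterExit=yes` no longer serves a purpose and should be dropped; `Restart=on-failure` is the right addition.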
name = module-init-tools
version = 3.16
-release = 1
+release = 2
groups = System/Base
url = http://ftp.kernel.org/pub/linux/utils/kernel/module-init-tools/
unloaded modules.
end
-source_dl =
+source_dl = http://ftp.kernel.org/pub/linux/utils/kernel/module-init-tools/
build
requires
+ docbook-utils
zlib-devel
end
CFLAGS += -DCONFIG_NO_BACKWARDS_COMPAT=1
- # Set docbooktoman=true, because this package is not available
- # in IPFire and prevents us from errors
- export DOCBOOKTOMAN=true
-
configure_options += \
--bindir=/bin \
--sbindir=/sbin \
name = nano
version = 2.3.0
-release = 1
+release = 2
groups = Application/Editors
url = http://www.nano-editor.org/
end
configure_options += \
- --bindir=/bin \
--sysconfdir=/etc/nano \
--enable-color \
--enable-multibuffer \
name = network
epoch = 1
-version = 002
+version = 003
release = 1
arch = noarch
--- /dev/null
+###############################################################################
+# IPFire.org - An Open Source Firewall Solution #
+# Copyright (C) - IPFire Development Team <info@ipfire.org> #
+###############################################################################
+
+name = open-vm-tools
+version = 2011.09.23-491607
+release = 1
+
+groups = Virtualization/Applications
+url = http://open-vm-tools.sourceforge.net/
+license = GPLv2
+summary = Open source implementation of VMware Tools.
+
+description
+ The open Virtual Machine Tools (open-vm-tools) are the open \
+ source implementation of VMware Tools. They are a set of guest \
+ operation system virtualization components that enhance \
+ performance and user experience of virtual machines.
+end
+
+source_dl = http://sourceforge.net/projects/open-vm-tools/files/open-vm-tools/2011.09.23/
+
+build
+ requires
+ glib2-devel
+ end
+
+ configure_options += \
+ --sysconfdir=/etc \
+ --without-kernel-modules \
+ --without-x \
+ --without-procps \
+ --without-dnet \
+ --without-icu \
+ --without-pam \
+
+ prepare_cmds
+ sed -e "s/-Werror//g" -i configure
+ end
+
+ install_cmds
+ rm -vf %{BUILDROOT}/sbin/mount.vmhgfs
+ rm -vf %{BUILDROOT}/usr/sbin/mount.vmhgfs
+ end
+
+end
+
+packages
+ package %{name}
+ end
+end
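Review bot: The `configure_options` list ends with `--without-pam \` followed by an empty line, so the assignment is terminated only by that blank line; dropping the backslash from the final entry (`--without-pam`) is the safe form. The description still uses trailing backslashes for continuation, whereas this same commit removes them from the lighttpd, lldpd and openssh descriptions, so the new file should follow the new convention. `sed -e "s/-Werror//g" -i configure` disables warnings-as-errors for the whole build; a one-line comment naming the warning that made it necessary would help whoever bumps the version next.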
###############################################################################
name = openssh
-version = 5.8p1
-release = 9
+version = 5.9p1
+release = 2
-maintainer =
groups = Application/Internet
url = http://www.openssh.com/portable.html
license = MIT
summary = An open source implementation of SSH protocol versions 1 and 2.
description
- SSH (Secure SHell) is a program for logging into and executing \
- commands on a remote machine. SSH is intended to replace rlogin and \
- rsh, and to provide secure encrypted communications between two \
+ SSH (Secure SHell) is a program for logging into and executing
+ commands on a remote machine. SSH is intended to replace rlogin and
+ rsh, and to provide secure encrypted communications between two
untrusted hosts over an insecure network.
end
-source_dl =
+source_dl = http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/
build
requires
audit-devel
+ autoconf
+ automake
libselinux-devel
nss-devel
openssl-devel>=1.0.0d-2
# Apply patches in a special order
patches
- openssh-5.6p1-redhat.patch
+ openssh-5.9p1-coverity.patch
openssh-5.8p1-fingerprint.patch
- openssh-5.8p1-authorized-keys-command.patch
- openssh-5.8p1-selinux.patch
- openssh-5.8p1-selinux-role.patch
- openssh-5.8p1-mls.patch
- openssh-5.6p1-keygen.patch
+ openssh-5.8p1-getaddrinfo.patch
+ openssh-5.8p1-packet.patch
+ openssh-5.9p1-2auth.patch
+ openssh-5.9p1-role.patch
+ openssh-5.9p1-mls.patch
+ openssh-5.9p1-sftp-chroot.patch
+ openssh-5.9p1-akc.patch
+ openssh-5.9p1-keygen.patch
openssh-5.2p1-allow-ip-opts.patch
- openssh-5.8p1-randclean.patch
- openssh-5.8p1-kuserok.patch
+ openssh-5.9p1-randclean.patch
+ openssh-5.8p1-keyperm.patch
+ openssh-5.8p2-remove-stale-control-socket.patch
+ openssh-5.9p1-ipv6man.patch
+ openssh-5.8p2-sigpipe.patch
+ openssh-5.8p2-askpass-ld.patch
openssh-5.5p1-x11.patch
openssh-5.6p1-exit-deadlock.patch
openssh-5.1p1-askpass-progress.patch
openssh-4.3p2-askpass-grab-info.patch
- openssh-5.2p1-edns.patch
+ openssh-5.9p1-edns.patch
openssh-5.1p1-scp-manpage.patch
+ openssh-5.8p1-localdomain.patch
+ openssh-5.9p1-ipfire.patch
+ openssh-5.9p1-entropy.patch
+ openssh-5.9p1-vendor.patch
+ openssh-5.8p2-force_krb.patch
+ openssh-5.9p1-kuserok.patch
end
configure_options += \
--with-privsep-path=/var/lib/sshd \
--with-pam \
--with-selinux \
- --with-nss \
--with-audit=linux
+ prepare_cmds
+ autoreconf
+ end
+
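Review bot: `--with-nss` is removed from configure_options, but `nss-devel` stays in the build requires earlier in this file, so the package keeps a build dependency it no longer links against; either remove `nss-devel` or keep the flag. A short comment on the new `prepare_cmds` block, e.g. `# autoreconf is required because the patch set modifies the build system`, would also explain why autoconf and automake were added to requires.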
install_cmds
- mkdir -pv %{BUILDROOT}/etc/ssh
- cp -vf %{DIR_SOURCE}/sshd_config %{BUILDROOT}/etc/ssh/sshd_config
+ # Disable GSS API authentication because KRB5 is required for that.
+ sed -e "s/^.*GSSAPIAuthentication/#&/" -i %{BUILDROOT}/etc/ssh/ssh_config
# Install scriptfile for key generation
install -m 754 %{DIR_SOURCE}/ssh-keygen %{BUILDROOT}/usr/lib/openssh/
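Review bot: The sed that comments out `GSSAPIAuthentication` only touches the client's ssh_config; the server configuration is no longer copied from %{DIR_SOURCE}, so the (patched) upstream sshd_config is installed instead, and if that file enables GSSAPIAuthentication while sshd is built without GSSAPI support, sshd logs it as an unsupported option on every start — apply the same sed to `%{BUILDROOT}/etc/ssh/sshd_config` or confirm it is not set there. Dropping the distribution-specific sshd_config also means whatever settings it carried are gone unless openssh-5.9p1-ipfire.patch reproduces them; that cannot be checked from this hunk. The pattern `s/^.*GSSAPIAuthentication/#&/` also re-comments lines that are already commented, which is harmless but leaves `##` lines behind.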
/usr/share/man/cat5/ssh_config.5
/usr/share/man/cat8/ssh-pkcs11-helper.8
end
+
+ configfiles
+ /etc/ssh/ssh_config
+ end
end
package openssh-server
/var/lib/sshd
end
+ configfiles
+ /etc/ssh/sshd_config
+ end
+
prerequires = shadow-utils systemd-units
script prein
+++ /dev/null
-diff -up openssh-5.6p1/ssh-keygen.0.keygen openssh-5.6p1/ssh-keygen.0
---- openssh-5.6p1/ssh-keygen.0.keygen 2010-08-22 16:30:03.000000000 +0200
-+++ openssh-5.6p1/ssh-keygen.0 2010-08-23 12:37:19.000000000 +0200
-@@ -4,7 +4,7 @@ NAME
- ssh-keygen - authentication key generation, management and conversion
-
- SYNOPSIS
-- ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment]
-+ ssh-keygen [-q] [-o] [-b bits] -t type [-N new_passphrase] [-C comment]
- [-f output_keyfile]
- ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
- ssh-keygen -i [-m key_format] [-f input_keyfile]
-@@ -232,6 +232,8 @@ DESCRIPTION
-
- -q Silence ssh-keygen. Used by /etc/rc when creating a new key.
-
-+ -o Overwrite the key without prompting user.
-+
- -R hostname
- Removes all keys belonging to hostname from a known_hosts file.
- This option is useful to delete hashed hosts (see the -H option
-diff -up openssh-5.6p1/ssh-keygen.1.keygen openssh-5.6p1/ssh-keygen.1
---- openssh-5.6p1/ssh-keygen.1.keygen 2010-08-05 05:05:32.000000000 +0200
-+++ openssh-5.6p1/ssh-keygen.1 2010-08-23 12:36:25.000000000 +0200
-@@ -47,6 +47,7 @@
- .Bk -words
- .Nm ssh-keygen
- .Op Fl q
-+.Op Fl o
- .Op Fl b Ar bits
- .Fl t Ar type
- .Op Fl N Ar new_passphrase
-@@ -397,6 +398,8 @@ Silence
- Used by
- .Pa /etc/rc
- when creating a new key.
-+.It Fl o
-+Overwrite the key without prompting user.
- .It Fl R Ar hostname
- Removes all keys belonging to
- .Ar hostname
-diff -up openssh-5.6p1/ssh-keygen.c.keygen openssh-5.6p1/ssh-keygen.c
---- openssh-5.6p1/ssh-keygen.c.keygen 2010-08-05 05:05:32.000000000 +0200
-+++ openssh-5.6p1/ssh-keygen.c 2010-08-23 12:34:40.000000000 +0200
-@@ -72,6 +72,7 @@ int change_passphrase = 0;
- int change_comment = 0;
-
- int quiet = 0;
-+int overwrite = 0;
-
- int log_level = SYSLOG_LEVEL_INFO;
-
-@@ -1798,7 +1799,7 @@ main(int argc, char **argv)
- exit(1);
- }
-
-- while ((opt = getopt(argc, argv, "degiqpclBHLhvxXyF:b:f:t:D:I:P:m:N:n:"
-+ while ((opt = getopt(argc, argv, "degiqopclBHLhvxXyF:b:f:t:D:I:P:m:N:n:"
- "O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) {
- switch (opt) {
- case 'b':
-@@ -1878,6 +1879,9 @@ main(int argc, char **argv)
- case 'q':
- quiet = 1;
- break;
-+ case 'o':
-+ overwrite = 1;
-+ break;
- case 'e':
- case 'x':
- /* export key */
-@@ -2124,7 +2128,7 @@ main(int argc, char **argv)
- }
- }
- /* If the file already exists, ask the user to confirm. */
-- if (stat(identity_file, &st) >= 0) {
-+ if (!overwrite && stat(identity_file, &st) >= 0) {
- char yesno[3];
- printf("%s already exists.\n", identity_file);
- printf("Overwrite (y/n)? ");
diff -up openssh-5.6p1/ssh_config.redhat openssh-5.6p1/ssh_config
--- openssh-5.6p1/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100
+++ openssh-5.6p1/ssh_config 2010-09-03 15:21:17.000000000 +0200
-@@ -45,3 +45,14 @@
+@@ -45,3 +45,16 @@
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
+# to the original X11 display. As virtually no X11 client supports the untrusted
+# mode correctly we set this to yes.
+ ForwardX11Trusted yes
++# Look up the host key SSHFP records
++ VerifyHostKeyDNS ask
+# Send locale-related environment variables
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
--- /dev/null
+diff -up openssh-5.8p1/sshconnect.c.getaddrinfo openssh-5.8p1/sshconnect.c
+--- openssh-5.8p1/sshconnect.c.getaddrinfo 2011-04-27 09:51:44.521384633 +0200
++++ openssh-5.8p1/sshconnect.c 2011-04-27 09:53:21.224443308 +0200
+@@ -355,6 +355,7 @@ ssh_connect(const char *host, struct soc
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = family;
+ hints.ai_socktype = SOCK_STREAM;
++ hints.ai_flags = AI_V4MAPPED | AI_ADDRCONFIG;
+ snprintf(strport, sizeof strport, "%u", port);
+ if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
+ fatal("%s: Could not resolve hostname %.100s: %s", __progname,
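Review bot: `hints.ai_flags = AI_V4MAPPED | AI_ADDRCONFIG;` changes resolution for every outgoing connection: with glibc, AI_ADDRCONFIG does not count loopback addresses when deciding which address families are configured, so on a host with no non-loopback address of a given family, names that resolve only in that family — including `localhost` — can fail with the "Could not resolve hostname" fatal below. AI_V4MAPPED only has an effect when `family` is AF_INET6, so its behaviour here depends on the -4/-6 options. A comment above the added line stating why these flags were chosen over the upstream default would help whoever bisects a resolution regression.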
--- /dev/null
+diff -up openssh-5.8p1/authfile.c.keyperm openssh-5.8p1/authfile.c
+--- openssh-5.8p1/authfile.c.keyperm 2010-12-01 02:03:39.000000000 +0100
++++ openssh-5.8p1/authfile.c 2011-04-21 16:43:36.859648916 +0200
+@@ -57,6 +57,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <grp.h>
+
+ #include "xmalloc.h"
+ #include "cipher.h"
+@@ -600,6 +612,13 @@ key_perm_ok(int fd, const char *filename
+ #ifdef HAVE_CYGWIN
+ if (check_ntsec(filename))
+ #endif
++ if (st.st_mode & 040) {
++ struct group *gr;
++
++ if ((gr = getgrnam("ssh_keys")) && (st.st_gid == gr->gr_gid))
++ st.st_mode &= ~040;
++ }
++
+ if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
+ error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+ error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @");
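Review bot: The hunk header `@@ -600,6 +612,13 @@` places the new code twelve lines further down in the new file than in the old one, which only makes sense if earlier hunks of the original keyperm patch were dropped when this file was written; `patch` will still apply it with an offset, but it is worth confirming the rest of the patch was not lost by accident. The relaxation itself is narrow — it clears only the group-read bit (`040`) and only when the file's group is `ssh_keys` — so a group-writable key still triggers the warning, which is the right behaviour. A comment above the block, e.g. `/* keys readable by group ssh_keys are deliberately not treated as unprotected */`, would record why this build deviates from upstream.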
--- /dev/null
+diff -up openssh-5.8p1/sshd_config.localdomain openssh-5.8p1/sshd_config
+--- openssh-5.8p1/sshd_config.localdomain 2011-04-22 11:37:49.273648812 +0200
++++ openssh-5.8p1/sshd_config 2011-04-22 11:39:31.758648401 +0200
+@@ -130,6 +130,10 @@ X11Forwarding yes
+ # override default of no subsystems
+ Subsystem sftp /usr/libexec/sftp-server
+
++# Uncomment this if you want to use .local domain
++#Host *.local
++# CheckHostIP no
++
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
+ # X11Forwarding no
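Review bot: `Host *.local` and `CheckHostIP no` are ssh_config(5) client keywords; sshd_config(5) has neither, so an administrator who follows the comment and uncomments them gets a "Bad configuration option" failure and sshd does not start. The block presumably belongs in ssh_config, which is the file its name suggests the original patch targeted; it should be moved there or dropped from sshd_config.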
--- /dev/null
+diff -up openssh-5.8p1/packet.c.packet openssh-5.8p1/packet.c
+--- openssh-5.8p1/packet.c.packet 2011-04-05 13:29:06.998648899 +0200
++++ openssh-5.8p1/packet.c 2011-04-05 13:30:32.967648596 +0200
+@@ -294,6 +294,8 @@ packet_connection_is_on_socket(void)
+ struct sockaddr_storage from, to;
+ socklen_t fromlen, tolen;
+
++ if (!active_state)
++ return 0;
+ /* filedescriptors in and out are the same, so it's a socket */
+ if (active_state->connection_in == active_state->connection_out)
+ return 1;
+++ /dev/null
-diff -up openssh-5.8p1/entropy.c.randclean openssh-5.8p1/entropy.c
---- openssh-5.8p1/entropy.c.randclean 2011-01-13 11:05:29.000000000 +0100
-+++ openssh-5.8p1/entropy.c 2011-02-14 00:26:31.000000000 +0100
-@@ -159,6 +159,9 @@ init_rng(void)
- fatal("OpenSSL version mismatch. Built against %lx, you "
- "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
-
-+ /* clean the PRNG status when exiting the program */
-+ atexit(RAND_cleanup);
-+
- #ifndef OPENSSL_PRNG_ONLY
- original_uid = getuid();
- original_euid = geteuid();
+++ /dev/null
-diff -up openssh-5.8p1/openbsd-compat/port-linux.c.selinux openssh-5.8p1/openbsd-compat/port-linux.c
---- openssh-5.8p1/openbsd-compat/port-linux.c.selinux 2011-02-12 09:38:45.000000000 +0100
-+++ openssh-5.8p1/openbsd-compat/port-linux.c 2011-02-12 09:39:10.000000000 +0100
-@@ -213,7 +213,7 @@ ssh_selinux_setfscreatecon(const char *p
-
- if (!ssh_selinux_enabled())
- return;
-- if (path == NULL)
-+ if (path == NULL) {
- setfscreatecon(NULL);
- return;
- }
--- /dev/null
+diff -up openssh-5.8p2/contrib/Makefile.askpass-ld openssh-5.8p2/contrib/Makefile
+--- openssh-5.8p2/contrib/Makefile.askpass-ld 2011-08-08 22:54:06.050546199 +0200
++++ openssh-5.8p2/contrib/Makefile 2011-08-08 22:54:43.364420118 +0200
+@@ -2,12 +2,12 @@ all:
+ @echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
+
+ gnome-ssh-askpass1: gnome-ssh-askpass1.c
+- $(CC) `gnome-config --cflags gnome gnomeui` \
++ $(CC) ${CFLAGS} `gnome-config --cflags gnome gnomeui` \
+ gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \
+ `gnome-config --libs gnome gnomeui`
+
+ gnome-ssh-askpass2: gnome-ssh-askpass2.c
+- $(CC) `pkg-config --cflags gtk+-2.0` \
++ $(CC) ${CFLAGS} `pkg-config --cflags gtk+-2.0` \
+ gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
+ `pkg-config --libs gtk+-2.0 x11`
+
--- /dev/null
+diff -up openssh-5.8p2/gss-serv-krb5.c.force_krb openssh-5.8p2/gss-serv-krb5.c
+--- openssh-5.8p2/gss-serv-krb5.c.force_krb 2006-09-01 07:38:36.000000000 +0200
++++ openssh-5.8p2/gss-serv-krb5.c 2011-05-19 03:41:45.801109545 +0200
+@@ -32,7 +32,9 @@
+ #include <sys/types.h>
+
+ #include <stdarg.h>
++#include <stdio.h>
+ #include <string.h>
++#include <unistd.h>
+
+ #include "xmalloc.h"
+ #include "key.h"
+@@ -40,12 +42,11 @@
+ #include "auth.h"
+ #include "log.h"
+ #include "servconf.h"
++#include "misc.h"
+
+ #include "buffer.h"
+ #include "ssh-gss.h"
+
+-extern ServerOptions options;
+-
+ #ifdef HEIMDAL
+ # include <krb5.h>
+ #else
+@@ -56,6 +57,16 @@ extern ServerOptions options;
+ # endif
+ #endif
+
++extern Authctxt *the_authctxt;
++extern ServerOptions options;
++
++/* all commands are allowed by default */
++char **k5users_allowed_cmds = NULL;
++
++static int ssh_gssapi_k5login_exists();
++static int ssh_gssapi_krb5_cmdok(krb5_principal, const char *, const char *,
++ int);
++
+ static krb5_context krb_context = NULL;
+
+ /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
+@@ -83,10 +94,11 @@ ssh_gssapi_krb5_init(void)
+ */
+
+ static int
+-ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
++ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *luser)
+ {
+ krb5_principal princ;
+ int retval;
++ int k5login_exists;
+
+ if (ssh_gssapi_krb5_init() == 0)
+ return 0;
+@@ -97,10 +109,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
+ krb5_get_err_text(krb_context, retval));
+ return 0;
+ }
+- if (krb5_kuserok(krb_context, princ, name)) {
++ /* krb5_kuserok() returns 1 if .k5login DNE and this is self-login.
++ * We have to make sure to check .k5users in that case. */
++ k5login_exists = ssh_gssapi_k5login_exists();
++ /* NOTE: .k5login and .k5users must opened as root, not the user,
++ * because if they are on a krb5-protected filesystem, user credentials
++ * to access these files aren't available yet. */
++ if (krb5_kuserok(krb_context, princ, luser) && k5login_exists) {
+ retval = 1;
+ logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
+- name, (char *)client->displayname.value);
++ luser, (char *)client->displayname.value);
++ } else if (ssh_gssapi_krb5_cmdok(princ, client->exportedname.value,
++ luser, k5login_exists)) {
++ retval = 1;
++ logit("Authorized to %s, krb5 principal %s "
++ "(ssh_gssapi_krb5_cmdok)",
++ luser, (char *)client->displayname.value);
+ } else
+ retval = 0;
+
+@@ -108,6 +132,134 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
+ return retval;
+ }
+
++/* Test for existence of .k5login.
++ * We need this as part of our .k5users check, because krb5_kuserok()
++ * returns success if .k5login DNE and user is logging in as himself.
++ * With .k5login absent and .k5users present, we don't want absence
++ * of .k5login to authorize self-login. (absence of both is required)
++ * Returns 1 if .k5login is available, 0 otherwise.
++ */
++static int
++ssh_gssapi_k5login_exists()
++{
++ char file[MAXPATHLEN];
++ struct passwd *pw = the_authctxt->pw;
++
++ snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
++ return access(file, F_OK) == 0;
++}
++
++/* check .k5users for login or command authorization
++ * Returns 1 if principal is authorized, 0 otherwise.
++ * If principal is authorized, (global) k5users_allowed_cmds may be populated.
++ */
++static int
++ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
++ const char *luser, int k5login_exists)
++{
++ FILE *fp;
++ char file[MAXPATHLEN];
++ char line[BUFSIZ];
++ char kuser[65]; /* match krb5_kuserok() */
++ struct stat st;
++ struct passwd *pw = the_authctxt->pw;
++ int found_principal = 0;
++ int ncommands = 0, allcommands = 0;
++ u_long linenum;
++
++ snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
++ /* If both .k5login and .k5users DNE, self-login is ok. */
++ if (!k5login_exists && (access(file, F_OK) == -1)) {
++ return (krb5_aname_to_localname(krb_context, principal,
++ sizeof(kuser), kuser) == 0) &&
++ (strcmp(kuser, luser) == 0);
++ }
++ if ((fp = fopen(file, "r")) == NULL) {
++ int saved_errno = errno;
++ /* 2nd access check to ease debugging if file perms are wrong.
++ * But we don't want to report this if .k5users simply DNE. */
++ if (access(file, F_OK) == 0) {
++ logit("User %s fopen %s failed: %s",
++ pw->pw_name, file, strerror(saved_errno));
++ }
++ return 0;
++ }
++ /* .k5users must be owned either by the user or by root */
++ if (fstat(fileno(fp), &st) == -1) {
++ /* can happen, but very wierd error so report it */
++ logit("User %s fstat %s failed: %s",
++ pw->pw_name, file, strerror(errno));
++ fclose(fp);
++ return 0;
++ }
++ if (!(st.st_uid == pw->pw_uid || st.st_uid == 0)) {
++ logit("User %s %s is not owned by root or user",
++ pw->pw_name, file);
++ fclose(fp);
++ return 0;
++ }
++ /* .k5users must be a regular file. krb5_kuserok() doesn't do this
++ * check, but we don't want to be deficient if they add a check. */
++ if (!S_ISREG(st.st_mode)) {
++ logit("User %s %s is not a regular file", pw->pw_name, file);
++ fclose(fp);
++ return 0;
++ }
++ /* file exists; initialize k5users_allowed_cmds (to none!) */
++ k5users_allowed_cmds = xcalloc(++ncommands,
++ sizeof(*k5users_allowed_cmds));
++
++ /* Check each line. ksu allows unlimited length lines. We don't. */
++ while (!allcommands && read_keyfile_line(fp, file, line, sizeof(line),
++ &linenum) != -1) {
++ char *token;
++
++ /* we parse just like ksu, even though we could do better */
++ token = strtok(line, " \t\n");
++ if (strcmp(name, token) == 0) {
++ /* we matched on client principal */
++ found_principal = 1;
++ if ((token = strtok(NULL, " \t\n")) == NULL) {
++ /* only shell is allowed */
++ k5users_allowed_cmds[ncommands-1] =
++ xstrdup(pw->pw_shell);
++ k5users_allowed_cmds =
++ xrealloc(k5users_allowed_cmds, ++ncommands,
++ sizeof(*k5users_allowed_cmds));
++ break;
++ }
++ /* process the allowed commands */
++ while (token) {
++ if (strcmp(token, "*") == 0) {
++ allcommands = 1;
++ break;
++ }
++ k5users_allowed_cmds[ncommands-1] =
++ xstrdup(token);
++ k5users_allowed_cmds =
++ xrealloc(k5users_allowed_cmds, ++ncommands,
++ sizeof(*k5users_allowed_cmds));
++ token = strtok(NULL, " \t\n");
++ }
++ }
++ }
++ if (k5users_allowed_cmds) {
++ /* terminate vector */
++ k5users_allowed_cmds[ncommands-1] = NULL;
++ /* if all commands are allowed, free vector */
++ if (allcommands) {
++ int i;
++ for (i = 0; i < ncommands; i++) {
++ free(k5users_allowed_cmds[i]);
++ }
++ free(k5users_allowed_cmds);
++ k5users_allowed_cmds = NULL;
++ }
++ }
++ fclose(fp);
++ return found_principal;
++}
++
+
+ /* This writes out any forwarded credentials from the structure populated
+ * during userauth. Called after we have setuid to the user */
+diff -up openssh-5.8p2/session.c.force_krb openssh-5.8p2/session.c
+--- openssh-5.8p2/session.c.force_krb 2011-05-19 03:41:41.000000000 +0200
++++ openssh-5.8p2/session.c 2011-05-19 03:43:32.437173662 +0200
+@@ -816,6 +816,29 @@ do_exec(Session *s, const char *command)
+ debug("Forced command (key option) '%.900s'", command);
+ }
+
++#ifdef GSSAPI
++#ifdef KRB5 /* k5users_allowed_cmds only available w/ GSSAPI+KRB5 */
++ else if (k5users_allowed_cmds) {
++ const char *match = command;
++ int allowed = 0, i = 0;
++
++ if (!match)
++ match = s->pw->pw_shell;
++ while (k5users_allowed_cmds[i]) {
++ if (strcmp(match, k5users_allowed_cmds[i++]) == 0) {
++ debug("Allowed command '%.900s'", match);
++ allowed = 1;
++ break;
++ }
++ }
++ if (!allowed) {
++ debug("command '%.900s' not allowed", match);
++ return 1;
++ }
++ }
++#endif
++#endif
++
+ #ifdef SSH_AUDIT_EVENTS
+ if (s->command != NULL || s->command_handle != -1)
+ fatal("do_exec: command already set");
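Review bot: A command refused by the .k5users allow-list in the new `if (!allowed)` branch is recorded only with debug(), so at the default LogLevel the session just fails with no audit trail of who was denied which command; raise it to `logit("User %s command '%.900s' not allowed by .k5users", s->pw->pw_name, match);` before `return 1;`. The match is an exact strcmp on the whole command string, so an allow-list entry `ls` does not match `ls -l` — consistent with ksu, but worth a one-line comment above the loop so nobody later "fixes" it into a prefix match. Because the block is an `else if` after the key-option forced command, a command forced via authorized_keys (and, by the same chain, an adm_forced_command set earlier) bypasses the .k5users list entirely; a comment should state whether that is intended. do_exec() continues outside the hunk.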
+diff -up openssh-5.8p2/sshd.8.force_krb openssh-5.8p2/sshd.8
+--- openssh-5.8p2/sshd.8.force_krb 2011-05-19 03:41:30.582114401 +0200
++++ openssh-5.8p2/sshd.8 2011-05-19 03:41:46.159106308 +0200
+@@ -320,6 +320,7 @@ Finally, the server and the client enter
+ The client tries to authenticate itself using
+ host-based authentication,
+ public key authentication,
++GSSAPI authentication,
+ challenge-response authentication,
+ or password authentication.
+ .Pp
+@@ -788,6 +789,12 @@ This file is used in exactly the same wa
+ but allows host-based authentication without permitting login with
+ rlogin/rsh.
+ .Pp
++.It Pa ~/.k5login
++.It Pa ~/.k5users
++These files enforce GSSAPI/Kerberos authentication access control.
++Further details are described in
++.Xr ksu 1 .
++.Pp
+ .It Pa ~/.ssh/
+ This directory is the default location for all user-specific configuration
+ and authentication information.
+diff -up openssh-5.8p2/ssh-gss.h.force_krb openssh-5.8p2/ssh-gss.h
+--- openssh-5.8p2/ssh-gss.h.force_krb 2007-06-12 15:40:39.000000000 +0200
++++ openssh-5.8p2/ssh-gss.h 2011-05-19 03:41:46.302234118 +0200
+@@ -48,6 +48,10 @@
+ #define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
+ #endif /* GSS_C_NT_... */
+ #endif /* !HEIMDAL */
++
++/* .k5users support */
++extern char **k5users_allowed_cmds;
++
+ #endif /* KRB5 */
+
+ /* draft-ietf-secsh-gsskeyex-06 */
--- /dev/null
+diff -up openssh-5.8p2/mux.c.remove_stale openssh-5.8p2/mux.c
+--- openssh-5.8p2/mux.c.remove_stale 2011-01-14 02:01:32.000000000 +0100
++++ openssh-5.8p2/mux.c 2011-06-09 15:27:42.556360291 +0200
+@@ -1867,6 +1867,9 @@ muxclient(const char *path)
+ unlink(path);
+ } else if (errno == ENOENT) {
+ debug("Control socket \"%.100s\" does not exist", path);
++ } else if (errno == ECONNREFUSED) {
++ debug("Removing stale control socket \"%.100s\"", path);
++ unlink(path);
+ } else {
+ error("Control socket connect(%.100s): %s", path,
+ strerror(errno));
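Review bot: The new ECONNREFUSED branch unlinks `path` unconditionally, but connect(2) on an AF_UNIX address also fails with ECONNREFUSED when the path names something that is not a listening socket at all (a regular file, for example), and the branch runs even for a client that will never become a master, which previously at least reported the error. Gate the removal on the client being willing to take over and on the path actually being a socket: `if (options.control_master != SSHCTL_MASTER_NO && lstat(path, &st) == 0 && S_ISSOCK(st.st_mode)) unlink(path);`, falling through to the existing error() otherwise (the enum name is the one readconf.h uses in this generation; confirm for this version). There is still a small window with another ssh that is just binding a fresh master on the same path, so the debug message should say the socket appeared stale rather than assert it. muxclient() continues outside the hunk.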
--- /dev/null
+diff -up openssh-5.8p2/ssh-keyscan.c.sigpipe openssh-5.8p2/ssh-keyscan.c
+--- openssh-5.8p2/ssh-keyscan.c.sigpipe 2011-08-23 18:30:33.873025916 +0200
++++ openssh-5.8p2/ssh-keyscan.c 2011-08-23 18:32:24.574025362 +0200
+@@ -715,6 +715,8 @@ main(int argc, char **argv)
+ fdlim_set(maxfd);
+ fdcon = xcalloc(maxfd, sizeof(con));
+
++ signal(SIGPIPE, SIG_IGN);
++
+ read_wait_nfdset = howmany(maxfd, NFDBITS);
+ read_wait = xcalloc(read_wait_nfdset, sizeof(fd_mask));
+
--- /dev/null
+diff -up openssh-5.9p1/auth.h.2auth openssh-5.9p1/auth.h
+--- openssh-5.9p1/auth.h.2auth 2011-05-29 13:39:38.000000000 +0200
++++ openssh-5.9p1/auth.h 2011-09-17 11:36:54.314522599 +0200
+@@ -149,6 +149,8 @@ int auth_root_allowed(char *);
+
+ char *auth2_read_banner(void);
+
++void userauth_restart(const char *);
++
+ void privsep_challenge_enable(void);
+
+ int auth2_challenge(Authctxt *, char *);
+diff -up openssh-5.9p1/auth2.c.2auth openssh-5.9p1/auth2.c
+--- openssh-5.9p1/auth2.c.2auth 2011-05-05 06:04:11.000000000 +0200
++++ openssh-5.9p1/auth2.c 2011-09-17 11:36:54.402521709 +0200
+@@ -290,6 +290,24 @@ input_userauth_request(int type, u_int32
+ }
+
+ void
++userauth_restart(const char *method)
++{
++ options.two_factor_authentication = 0;
++
++ debug2("userauth restart, method = %s", method);
++ options.pubkey_authentication = options.second_pubkey_authentication && strcmp(method, method_pubkey.name);
++#ifdef GSSAPI
++ options.gss_authentication = options.second_gss_authentication && strcmp(method, method_gssapi.name);
++#endif
++#ifdef JPAKE
++ options.zero_knowledge_password_authentication = options.second_zero_knowledge_password_authentication && strcmp(method, method_jpake.name);
++#endif
++ options.password_authentication = options.second_password_authentication && strcmp(method, method_passwd.name);
++ options.kbd_interactive_authentication = options.second_kbd_interactive_authentication && strcmp(method, method_kbdint.name);
++ options.hostbased_authentication = options.second_hostbased_authentication && strcmp(method, method_hostbased.name);
++}
++
++void
+ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
+ {
+ char *methods;
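Review bot: Nothing in userauth_restart() checks that at least one method survives the `second_* && strcmp(...)` assignments; if an administrator disables every Second* option, or the only enabled one is the method that was just used, the caller's authmethods_get() will presumably return an empty list and the client is left retrying with nothing in the log to explain why. Add a guard after the assignments, e.g. `if (!options.pubkey_authentication && !options.password_authentication && !options.kbd_interactive_authentication && !options.hostbased_authentication) logit("TwoFactorAuthentication: no second method left after %s", method);` (extending the condition with the GSSAPI/JPAKE fields under their ifdefs). Note also that the exclusion is by method name only: keyboard-interactive via PAM and password commonly verify the same system password, so allowing one after the other proves a single secret twice rather than a second factor, and a comment here should warn about that combination.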
+@@ -337,6 +355,12 @@ userauth_finish(Authctxt *authctxt, int
+
+ /* XXX todo: check if multiple auth methods are needed */
+ if (authenticated == 1) {
++ if (options.two_factor_authentication) {
++ userauth_restart(method);
++ debug("1st factor authentication done go to 2nd factor");
++ goto ask_methods;
++ }
++
+ /* turn off userauth */
+ dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
+ packet_start(SSH2_MSG_USERAUTH_SUCCESS);
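Review bot: After the first factor the new branch jumps to ask_methods, but if auth_log() still runs earlier in userauth_finish() as it does upstream (outside this hunk), an "Accepted <method> for <user>" line has already been written for a session that is not yet logged in, which misleads anything that counts accepted logins from the auth log. Consider logging the intermediate state explicitly, e.g. `logit("First factor (%s) accepted for %s, awaiting second factor", method, authctxt->user);`, and reserving the real Accepted line for the completed second factor. userauth_finish() continues outside the hunk.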
+@@ -356,7 +380,9 @@ userauth_finish(Authctxt *authctxt, int
+ #endif
+ packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
+ }
++ask_methods:
+ methods = authmethods_get();
++ debug2("next auth methods = %s", methods);
+ packet_start(SSH2_MSG_USERAUTH_FAILURE);
+ packet_put_cstring(methods);
+ packet_put_char(0); /* XXX partial success, unused */
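Review bot: The two-factor path now reaches the existing `packet_put_char(0); /* XXX partial success, unused */`, so the SSH2_MSG_USERAUTH_FAILURE sent after a successful first factor still advertises partial success = FALSE; RFC 4252 section 5.1 defines that flag for exactly this situation, and clients use it to distinguish "your method succeeded, more is required" from "your method failed", which affects their retry behaviour and failure counting. Track it with a local set only on the two-factor path: `int partial = 0;` in the declarations, `partial = 1;` before the `goto ask_methods`, and `packet_put_char(partial);` here. The rest of userauth_finish() is outside the hunk.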
+diff -up openssh-5.9p1/monitor.c.2auth openssh-5.9p1/monitor.c
+--- openssh-5.9p1/monitor.c.2auth 2011-08-05 22:15:18.000000000 +0200
++++ openssh-5.9p1/monitor.c 2011-09-17 11:36:54.513491937 +0200
+@@ -417,6 +417,10 @@ monitor_child_preauth(Authctxt *_authctx
+ }
+ }
+ #endif
++ if (authenticated && options.two_factor_authentication) {
++ userauth_restart(auth_method);
++ authenticated = 0;
++ }
+ }
+
+ /* Drain any buffered messages from the child */
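Review bot: The restart in the monitor keys off `auth_method`, the string set by the mm_answer_* handlers, and in this OpenSSH generation the PAM keyboard-interactive handler sets it to a suffixed form such as "keyboard-interactive/pam" rather than the bare `method_kbdint.name` (confirm in monitor.c, outside this hunk); if so, the strcmp in userauth_restart() never matches and the privileged side would still accept keyboard-interactive as the second factor after a keyboard-interactive first factor. Compare only up to the '/' — e.g. `strncmp(method, method_kbdint.name, strlen(method_kbdint.name)) == 0` followed by a check that the next character is '\0' or '/' — or normalise auth_method before passing it to userauth_restart(). A comment here should also state that the monitor, not the child, is the authority for `authenticated`, and that each mm_answer_* must re-check its options.*_authentication flag after the restart because monitor_permit_authentications() is not re-run. monitor_child_preauth() continues outside the hunk.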
+diff -up openssh-5.9p1/servconf.c.2auth openssh-5.9p1/servconf.c
+--- openssh-5.9p1/servconf.c.2auth 2011-06-23 00:30:03.000000000 +0200
++++ openssh-5.9p1/servconf.c 2011-09-17 11:36:54.632461730 +0200
+@@ -92,6 +92,13 @@ initialize_server_options(ServerOptions
+ options->hostbased_uses_name_from_packet_only = -1;
+ options->rsa_authentication = -1;
+ options->pubkey_authentication = -1;
++ options->two_factor_authentication = -1;
++ options->second_pubkey_authentication = -1;
++ options->second_gss_authentication = -1;
++ options->second_password_authentication = -1;
++ options->second_kbd_interactive_authentication = -1;
++ options->second_zero_knowledge_password_authentication = -1;
++ options->second_hostbased_authentication = -1;
+ options->kerberos_authentication = -1;
+ options->kerberos_or_local_passwd = -1;
+ options->kerberos_ticket_cleanup = -1;
+@@ -237,6 +244,20 @@ fill_default_server_options(ServerOption
+ options->permit_empty_passwd = 0;
+ if (options->permit_user_env == -1)
+ options->permit_user_env = 0;
++ if (options->two_factor_authentication == -1)
++ options->two_factor_authentication = 0;
++ if (options->second_pubkey_authentication == -1)
++ options->second_pubkey_authentication = 1;
++ if (options->second_gss_authentication == -1)
++ options->second_gss_authentication = 0;
++ if (options->second_password_authentication == -1)
++ options->second_password_authentication = 1;
++ if (options->second_kbd_interactive_authentication == -1)
++ options->second_kbd_interactive_authentication = 0;
++ if (options->second_zero_knowledge_password_authentication == -1)
++ options->second_zero_knowledge_password_authentication = 0;
++ if (options->second_hostbased_authentication == -1)
++ options->second_hostbased_authentication = 0;
+ if (options->use_login == -1)
+ options->use_login = 0;
+ if (options->compression == -1)
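Review bot: The default set here for `second_kbd_interactive_authentication` is 0, but the sshd_config and sshd_config.5 changes in the same patch document `SecondKBDInteractiveAuthentication yes`; code and documentation must agree, since on PAM-based installs keyboard-interactive is the usual way a password is prompted and an operator reading the manual would expect it to work as the second step. Either change this to `options->second_kbd_interactive_authentication = 1;` or correct both documents to "no", and add a one-line comment above the group explaining why pubkey and password default to yes while the rest default to no.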
+@@ -316,8 +337,11 @@ typedef enum {
+ sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
+ sMaxStartups, sMaxAuthTries, sMaxSessions,
+ sBanner, sUseDNS, sHostbasedAuthentication,
+- sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
+- sClientAliveCountMax, sAuthorizedKeysFile,
++ sHostbasedUsesNameFromPacketOnly, sTwoFactorAuthentication,
++ sSecondPubkeyAuthentication, sSecondGssAuthentication,
++ sSecondPasswordAuthentication, sSecondKbdInteractiveAuthentication,
++ sSecondZeroKnowledgePasswordAuthentication, sSecondHostbasedAuthentication,
++ sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
+ sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+ sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
+ sUsePrivilegeSeparation, sAllowAgentForwarding,
+@@ -395,6 +419,21 @@ static struct {
+ #else
+ { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
+ #endif
++ { "twofactorauthentication", sTwoFactorAuthentication, SSHCFG_ALL },
++ { "secondpubkeyauthentication", sSecondPubkeyAuthentication, SSHCFG_ALL },
++#ifdef GSSAPI
++ { "secondgssapiauthentication", sSecondGssAuthentication, SSHCFG_ALL },
++#else
++ { "secondgssapiauthentication", sUnsupported, SSHCFG_ALL },
++#endif
++ { "secondpasswordauthentication", sSecondPasswordAuthentication, SSHCFG_ALL },
++ { "secondkbdinteractiveauthentication", sSecondKbdInteractiveAuthentication, SSHCFG_ALL },
++#ifdef JPAKE
++ { "secondzeroknowledgepasswordauthentication", sSecondZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
++#else
++ { "secondzeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
++#endif
++ { "secondhostbasedauthentication", sSecondHostbasedAuthentication, SSHCFG_ALL },
+ { "checkmail", sDeprecated, SSHCFG_GLOBAL },
+ { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
+ { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
+@@ -982,6 +1021,34 @@ process_server_config_line(ServerOptions
+ intptr = &options->challenge_response_authentication;
+ goto parse_flag;
+
++ case sTwoFactorAuthentication:
++ intptr = &options->two_factor_authentication;
++ goto parse_flag;
++
++ case sSecondPubkeyAuthentication:
++ intptr = &options->second_pubkey_authentication;
++ goto parse_flag;
++
++ case sSecondGssAuthentication:
++ intptr = &options->second_gss_authentication;
++ goto parse_flag;
++
++ case sSecondPasswordAuthentication:
++ intptr = &options->second_password_authentication;
++ goto parse_flag;
++
++ case sSecondKbdInteractiveAuthentication:
++ intptr = &options->second_kbd_interactive_authentication;
++ goto parse_flag;
++
++ case sSecondZeroKnowledgePasswordAuthentication:
++ intptr = &options->second_zero_knowledge_password_authentication;
++ goto parse_flag;
++
++ case sSecondHostbasedAuthentication:
++ intptr = &options->second_hostbased_authentication;
++ goto parse_flag;
++
+ case sPrintMotd:
+ intptr = &options->print_motd;
+ goto parse_flag;
+@@ -1491,14 +1558,21 @@ void
+ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
+ {
+ M_CP_INTOPT(password_authentication);
++ M_CP_INTOPT(second_password_authentication);
+ M_CP_INTOPT(gss_authentication);
++ M_CP_INTOPT(second_gss_authentication);
+ M_CP_INTOPT(rsa_authentication);
+ M_CP_INTOPT(pubkey_authentication);
++ M_CP_INTOPT(second_pubkey_authentication);
+ M_CP_INTOPT(kerberos_authentication);
+ M_CP_INTOPT(hostbased_authentication);
++ M_CP_INTOPT(second_hostbased_authentication);
+ M_CP_INTOPT(hostbased_uses_name_from_packet_only);
+ M_CP_INTOPT(kbd_interactive_authentication);
++ M_CP_INTOPT(second_kbd_interactive_authentication);
+ M_CP_INTOPT(zero_knowledge_password_authentication);
++ M_CP_INTOPT(second_zero_knowledge_password_authentication);
++ M_CP_INTOPT(two_factor_authentication);
+ M_CP_INTOPT(permit_root_login);
+ M_CP_INTOPT(permit_empty_passwd);
+
+@@ -1720,17 +1794,24 @@ dump_config(ServerOptions *o)
+ #endif
+ #ifdef GSSAPI
+ dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
++ dump_cfg_fmtint(sSecondGssAuthentication, o->second_gss_authentication);
+ dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
+ #endif
+ #ifdef JPAKE
+ dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
+ o->zero_knowledge_password_authentication);
++ dump_cfg_fmtint(sSecondZeroKnowledgePasswordAuthentication,
++ o->second_zero_knowledge_password_authentication);
+ #endif
+ dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
++ dump_cfg_fmtint(sSecondPasswordAuthentication, o->second_password_authentication);
+ dump_cfg_fmtint(sKbdInteractiveAuthentication,
+ o->kbd_interactive_authentication);
++ dump_cfg_fmtint(sSecondKbdInteractiveAuthentication,
++ o->second_kbd_interactive_authentication);
+ dump_cfg_fmtint(sChallengeResponseAuthentication,
+ o->challenge_response_authentication);
++ dump_cfg_fmtint(sTwoFactorAuthentication, o->two_factor_authentication);
+ dump_cfg_fmtint(sPrintMotd, o->print_motd);
+ dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
+ dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
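Review bot: The dump_config() additions cover the GSSAPI, JPAKE, password, kbd-interactive and TwoFactor flags but not `second_pubkey_authentication` or `second_hostbased_authentication`, so `sshd -T` will not show those two keywords even though they are parsed; unless they are emitted in a hunk not shown here, add `dump_cfg_fmtint(sSecondPubkeyAuthentication, o->second_pubkey_authentication);` and `dump_cfg_fmtint(sSecondHostbasedAuthentication, o->second_hostbased_authentication);` next to their first-factor counterparts. Operators auditing a two-factor deployment rely on `-T` output to confirm the effective second-factor set, so the omission is a real gap rather than cosmetic.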
+diff -up openssh-5.9p1/servconf.h.2auth openssh-5.9p1/servconf.h
+--- openssh-5.9p1/servconf.h.2auth 2011-06-23 00:30:03.000000000 +0200
++++ openssh-5.9p1/servconf.h 2011-09-17 11:36:54.749584245 +0200
+@@ -112,6 +112,14 @@ typedef struct {
+ /* If true, permit jpake auth */
+ int permit_empty_passwd; /* If false, do not permit empty
+ * passwords. */
++ int two_factor_authentication; /* If true, the first sucessful authentication
++ * will be followed by the second one from anorher set */
++ int second_pubkey_authentication; /* second set of authentications */
++ int second_gss_authentication;
++ int second_password_authentication;
++ int second_kbd_interactive_authentication;
++ int second_zero_knowledge_password_authentication;
++ int second_hostbased_authentication;
+ int permit_user_env; /* If true, read ~/.ssh/environment */
+ int use_login; /* If true, login(1) is used */
+ int compression; /* If true, compression is allowed */
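Review bot: The new field comments have typos (`sucessful`, `anorher`) and the second_* fields after the first carry no description, although this header is the authoritative definition of the feature. Spell out the contract here, e.g. `/* If true, a successful first authentication must be followed by a second, different method from the Second* set */` on two_factor_authentication and `/* Methods permitted for the second authentication; the first-factor method is always excluded */` above the second_* group.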
+diff -up openssh-5.9p1/sshd_config.2auth openssh-5.9p1/sshd_config
+--- openssh-5.9p1/sshd_config.2auth 2011-05-29 13:39:39.000000000 +0200
++++ openssh-5.9p1/sshd_config 2011-09-17 11:36:54.859588726 +0200
+@@ -87,6 +87,13 @@ AuthorizedKeysFile .ssh/authorized_keys
+ # and ChallengeResponseAuthentication to 'no'.
+ #UsePAM no
+
++#TwoFactorAuthentication no
++#SecondPubkeyAuthentication yes
++#SecondHostbasedAuthentication no
++#SecondPasswordAuthentication yes
++#SecondKBDInteractiveAuthentication yes
++#SecondGSSAPIAuthentication no
++
+ #AllowAgentForwarding yes
+ #AllowTcpForwarding yes
+ #GatewayPorts no
+diff -up openssh-5.9p1/sshd_config.5.2auth openssh-5.9p1/sshd_config.5
+--- openssh-5.9p1/sshd_config.5.2auth 2011-08-05 22:17:33.000000000 +0200
++++ openssh-5.9p1/sshd_config.5 2011-09-17 13:45:49.022521436 +0200
+@@ -726,6 +726,12 @@ Available keywords are
+ .Cm PubkeyAuthentication ,
+ .Cm RhostsRSAAuthentication ,
+ .Cm RSAAuthentication ,
++.Cm SecondGSSAPIAuthentication ,
++.Cm SecondHostbasedAuthentication ,
++.Cm SecondKbdInteractiveAuthentication ,
++.Cm SecondPasswordAuthentication ,
++.Cm SecondPubkeyAuthentication ,
++.Cm TwoFactorAuthentication ,
+ .Cm X11DisplayOffset ,
+ .Cm X11Forwarding
+ and
+@@ -931,6 +937,45 @@ Specifies whether pure RSA authenticatio
+ The default is
+ .Dq yes .
+ This option applies to protocol version 1 only.
++.It Cm SecondGSSAPIAuthentication
++Specifies whether the
++.Cm GSSAPIAuthentication
++may be used on the second authentication while
++.Cm TwoFactorAuthentication
++is set.
++The default is
++.Dq no .
++.It Cm SecondHostbasedAuthentication
++Specifies whether the
++.Cm HostbasedAuthentication
++may be used on the second authentication while
++.Cm TwoFactorAuthentication
++is set.
++The default is
++.Dq no .
++.It Cm SecondKbdInteractiveAuthentication
++Specifies whether the
++.Cm KbdInteractiveAuthentication
++may be used on the second authentication while
++.Cm TwoFactorAuthentication
++is set.
++The default is
++.Dq yes .
++.It Cm SecondPasswordAuthentication
++Specifies whether the
++.Cm PasswordAuthentication
++may be used on the second authentication while
++.Cm TwoFactorAuthentication
++is set.
++The default is
++.Dq yes .
++Specifies whether the
++.Cm PubkeyAuthentication
++may be used on the second authentication while
++.Cm TwoFactorAuthentication
++is set.
++The default is
++.Dq yes .
+ .It Cm ServerKeyBits
+ Defines the number of bits in the ephemeral protocol version 1 server key.
+ The minimum value is 512, and the default is 1024.
+@@ -1011,6 +1056,23 @@ For more details on certificates, see th
+ .Sx CERTIFICATES
+ section in
+ .Xr ssh-keygen 1 .
++.It Cm TwoFactorAuthentication
++Specifies whether for a successful login is necessary to meet two independent authentications.
++If select the first method is selected from the set of allowed methods from
++.Cm GSSAPIAuthentication ,
++.Cm HostbasedAuthentication ,
++.Cm KbdInteractiveAuthentication ,
++.Cm PasswordAuthentication ,
++.Cm PubkeyAuthentication .
++And the second method is selected from the set of allowed methods from
++.Cm SecondGSSAPIAuthentication ,
++.Cm SecondHostbasedAuthentication ,
++.Cm SecondKbdInteractiveAuthentication ,
++.Cm SecondPasswordAuthentication ,
++.Cm SecondPubkeyAuthentication
++without the method used for the first authentication.
++The default is
++.Dq no .
+ .It Cm UseDNS
+ Specifies whether
+ .Xr sshd 8
-diff -up openssh-5.8p1/auth2-pubkey.c.akc openssh-5.8p1/auth2-pubkey.c
---- openssh-5.8p1/auth2-pubkey.c.akc 2011-02-10 13:21:27.000000000 +0100
-+++ openssh-5.8p1/auth2-pubkey.c 2011-02-10 13:21:28.000000000 +0100
+diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
+--- openssh-5.9p1/auth2-pubkey.c.akc 2011-09-14 07:24:40.876512251 +0200
++++ openssh-5.9p1/auth2-pubkey.c 2011-09-14 07:24:43.318458515 +0200
@@ -27,6 +27,7 @@
#include <sys/types.h>
#include <fcntl.h>
#include <pwd.h>
-@@ -268,27 +269,15 @@ match_principals_file(char *file, struct
+@@ -276,27 +277,15 @@ match_principals_file(char *file, struct
/* return 1 if user allows given key */
static int
found_key = 0;
found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
-@@ -381,8 +370,6 @@ user_key_allowed2(struct passwd *pw, Key
+@@ -389,8 +378,6 @@ user_key_allowed2(struct passwd *pw, Key
break;
}
}
key_free(found);
if (!found_key)
debug2("key not found");
-@@ -444,13 +431,191 @@ user_cert_trusted_ca(struct passwd *pw,
+@@ -452,13 +439,191 @@ user_cert_trusted_ca(struct passwd *pw,
return ret;
}
+ pid_t pstat, pid, child;
+
+ if (options.authorized_keys_command == NULL || options.authorized_keys_command[0] != '/')
-+ return -1;
++ return 0;
+
+ /* get the run as identity from config */
+ runas_pw = (options.authorized_keys_command_runas == NULL)? pw
int
user_key_allowed(struct passwd *pw, Key *key)
{
- int success;
+ u_int success, i;
char *file;
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND
if (auth_key_is_revoked(key))
return 0;
if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
-diff -up openssh-5.8p1/configure.ac.akc openssh-5.8p1/configure.ac
---- openssh-5.8p1/configure.ac.akc 2011-02-10 13:21:28.000000000 +0100
-+++ openssh-5.8p1/configure.ac 2011-02-10 13:21:28.000000000 +0100
-@@ -1422,6 +1422,18 @@ AC_ARG_WITH(audit,
+diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
+--- openssh-5.9p1/configure.ac.akc 2011-09-14 07:24:42.863494886 +0200
++++ openssh-5.9p1/configure.ac 2011-09-14 07:24:43.441583848 +0200
+@@ -1421,6 +1421,18 @@ AC_ARG_WITH([audit],
esac ]
)
+)
+
dnl Checks for library functions. Please keep in alphabetical order
- AC_CHECK_FUNCS( \
+ AC_CHECK_FUNCS([ \
arc4random \
-@@ -4325,6 +4337,7 @@ echo " SELinux support
+@@ -4239,6 +4251,7 @@ echo " SELinux support
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
-diff -up openssh-5.8p1/servconf.c.akc openssh-5.8p1/servconf.c
---- openssh-5.8p1/servconf.c.akc 2011-02-10 13:21:28.000000000 +0100
-+++ openssh-5.8p1/servconf.c 2011-02-10 13:28:21.000000000 +0100
-@@ -134,6 +134,8 @@ initialize_server_options(ServerOptions
+diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
+--- openssh-5.9p1/servconf.c.akc 2011-09-14 07:24:29.402475399 +0200
++++ openssh-5.9p1/servconf.c 2011-09-14 07:56:27.158585590 +0200
+@@ -139,6 +139,8 @@ initialize_server_options(ServerOptions
options->num_permitted_opens = -1;
options->adm_forced_command = NULL;
options->chroot_directory = NULL;
options->zero_knowledge_password_authentication = -1;
options->revoked_keys_file = NULL;
options->trusted_user_ca_keys = NULL;
-@@ -331,6 +333,7 @@ typedef enum {
+@@ -348,6 +350,7 @@ typedef enum {
sZeroKnowledgePasswordAuthentication, sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
sKexAlgorithms, sIPQoS,
sDeprecated, sUnsupported
} ServerOpCodes;
-@@ -456,6 +459,13 @@ static struct {
+@@ -487,6 +490,13 @@ static struct {
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
{ "ipqos", sIPQoS, SSHCFG_ALL },
{ NULL, sBadOption, 0 }
};
-@@ -1406,6 +1416,20 @@ process_server_config_line(ServerOptions
+@@ -1462,6 +1472,24 @@ process_server_config_line(ServerOptions
}
break;
+ charptr = &options->authorized_keys_command_runas;
+
+ arg = strdelim(&cp);
++ if (!arg || *arg == '\0')
++ fatal("%s line %d: missing account.",
++ filename, linenum);
++
+ if (*activep && *charptr == NULL)
+ *charptr = xstrdup(arg);
+ break;
case sDeprecated:
logit("%s line %d: Deprecated option %s",
filename, linenum, arg);
-@@ -1499,6 +1523,8 @@ copy_set_server_options(ServerOptions *d
- M_CP_INTOPT(gss_authentication);
- M_CP_INTOPT(rsa_authentication);
- M_CP_INTOPT(pubkey_authentication);
+@@ -1573,6 +1601,8 @@ copy_set_server_options(ServerOptions *d
+ M_CP_INTOPT(zero_knowledge_password_authentication);
+ M_CP_INTOPT(second_zero_knowledge_password_authentication);
+ M_CP_INTOPT(two_factor_authentication);
+ M_CP_STROPT(authorized_keys_command);
+ M_CP_STROPT(authorized_keys_command_runas);
- M_CP_INTOPT(kerberos_authentication);
- M_CP_INTOPT(hostbased_authentication);
- M_CP_INTOPT(hostbased_uses_name_from_packet_only);
-@@ -1753,6 +1779,8 @@ dump_config(ServerOptions *o)
+ M_CP_INTOPT(permit_root_login);
+ M_CP_INTOPT(permit_empty_passwd);
+
+@@ -1839,6 +1869,8 @@ dump_config(ServerOptions *o)
dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
dump_cfg_string(sAuthorizedPrincipalsFile,
o->authorized_principals_file);
/* string arguments requiring a lookup */
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
-diff -up openssh-5.8p1/servconf.h.akc openssh-5.8p1/servconf.h
---- openssh-5.8p1/servconf.h.akc 2011-02-10 13:21:28.000000000 +0100
-+++ openssh-5.8p1/servconf.h 2011-02-10 13:21:28.000000000 +0100
-@@ -161,6 +161,8 @@ typedef struct {
+diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h
+--- openssh-5.9p1/servconf.h.akc 2011-09-14 07:24:29.511480441 +0200
++++ openssh-5.9p1/servconf.h 2011-09-14 07:24:43.678459183 +0200
+@@ -174,6 +174,8 @@ typedef struct {
char *revoked_keys_file;
char *trusted_user_ca_keys;
char *authorized_principals_file;
+ char *authorized_keys_command_runas;
} ServerOptions;
- void initialize_server_options(ServerOptions *);
-diff -up openssh-5.8p1/sshd_config.0.akc openssh-5.8p1/sshd_config.0
---- openssh-5.8p1/sshd_config.0.akc 2011-02-10 13:21:28.000000000 +0100
-+++ openssh-5.8p1/sshd_config.0 2011-02-10 13:21:28.000000000 +0100
+ /*
+diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
+--- openssh-5.9p1/sshd_config.0.akc 2011-09-07 01:16:30.000000000 +0200
++++ openssh-5.9p1/sshd_config.0 2011-09-14 07:24:43.791460201 +0200
@@ -71,6 +71,23 @@ DESCRIPTION
See PATTERNS in ssh_config(5) for more information on patterns.
AuthorizedKeysFile
Specifies the file that contains the public keys that can be used
for user authentication. The format is described in the
-@@ -398,7 +415,8 @@ DESCRIPTION
+@@ -401,7 +418,8 @@ DESCRIPTION
Only a subset of keywords may be used on the lines following a
Match keyword. Available keywords are AllowAgentForwarding,
Banner, ChrootDirectory, ForceCommand, GatewayPorts,
GSSAPIAuthentication, HostbasedAuthentication,
HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
-diff -up openssh-5.8p1/sshd_config.5.akc openssh-5.8p1/sshd_config.5
---- openssh-5.8p1/sshd_config.5.akc 2011-02-10 13:21:28.000000000 +0100
-+++ openssh-5.8p1/sshd_config.5 2011-02-10 13:21:28.000000000 +0100
-@@ -703,6 +703,8 @@ Available keywords are
+diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
+--- openssh-5.9p1/sshd_config.5.akc 2011-09-14 07:24:29.793520372 +0200
++++ openssh-5.9p1/sshd_config.5 2011-09-14 07:24:43.912583678 +0200
+@@ -706,6 +706,8 @@ Available keywords are
.Cm AllowAgentForwarding ,
.Cm AllowTcpForwarding ,
.Cm AuthorizedKeysFile ,
.Cm AuthorizedPrincipalsFile ,
.Cm Banner ,
.Cm ChrootDirectory ,
-@@ -715,6 +717,7 @@ Available keywords are
+@@ -718,6 +720,7 @@ Available keywords are
.Cm KerberosAuthentication ,
.Cm MaxAuthTries ,
.Cm MaxSessions ,
.Cm PasswordAuthentication ,
.Cm PermitEmptyPasswords ,
.Cm PermitOpen ,
-@@ -917,6 +920,20 @@ Specifies a list of revoked public keys.
+@@ -926,6 +929,20 @@ Specifies a list of revoked public keys.
Keys listed in this file will be refused for public key authentication.
Note that if this file is not readable, then public key authentication will
be refused for all users.
.It Cm RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful RSA host authentication is allowed.
-diff -up openssh-5.8p1/sshd_config.akc openssh-5.8p1/sshd_config
---- openssh-5.8p1/sshd_config.akc 2011-02-10 13:21:28.000000000 +0100
-+++ openssh-5.8p1/sshd_config 2011-02-10 13:21:28.000000000 +0100
-@@ -46,6 +46,8 @@ SyslogFacility AUTHPRIV
- #RSAAuthentication yes
- #PubkeyAuthentication yes
- #AuthorizedKeysFile .ssh/authorized_keys
+diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config
+--- openssh-5.9p1/sshd_config.akc 2011-09-14 07:24:29.620461608 +0200
++++ openssh-5.9p1/sshd_config 2011-09-14 07:24:44.034462546 +0200
+@@ -49,6 +49,9 @@
+ # but this is overridden so installations will only check .ssh/authorized_keys
+ AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandRunAs nobody
-
++
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
+ # similar for protocol version 2
--- /dev/null
+diff -up openssh-5.9p1/auth-pam.c.coverity openssh-5.9p1/auth-pam.c
+--- openssh-5.9p1/auth-pam.c.coverity 2009-07-12 14:07:21.000000000 +0200
++++ openssh-5.9p1/auth-pam.c 2011-09-14 08:09:47.074520582 +0200
+@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void *
+ if (sshpam_thread_status != -1)
+ return (sshpam_thread_status);
+ signal(SIGCHLD, sshpam_oldsig);
+- waitpid(thread, &status, 0);
++ while (waitpid(thread, &status, 0) < 0) {
++ if (errno == EINTR)
++ continue;
++ fatal("%s: waitpid: %s", __func__,
++ strerror(errno));
++ }
+ return (status);
+ }
+ #endif
+diff -up openssh-5.9p1/channels.c.coverity openssh-5.9p1/channels.c
+--- openssh-5.9p1/channels.c.coverity 2011-06-23 00:31:57.000000000 +0200
++++ openssh-5.9p1/channels.c 2011-09-14 08:09:47.556582810 +0200
+@@ -229,11 +229,11 @@ channel_register_fds(Channel *c, int rfd
+ channel_max_fd = MAX(channel_max_fd, wfd);
+ channel_max_fd = MAX(channel_max_fd, efd);
+
+- if (rfd != -1)
++ if (rfd >= 0)
+ fcntl(rfd, F_SETFD, FD_CLOEXEC);
+- if (wfd != -1 && wfd != rfd)
++ if (wfd >= 0 && wfd != rfd)
+ fcntl(wfd, F_SETFD, FD_CLOEXEC);
+- if (efd != -1 && efd != rfd && efd != wfd)
++ if (efd >= 0 && efd != rfd && efd != wfd)
+ fcntl(efd, F_SETFD, FD_CLOEXEC);
+
+ c->rfd = rfd;
+@@ -248,11 +248,11 @@ channel_register_fds(Channel *c, int rfd
+
+ /* enable nonblocking mode */
+ if (nonblock) {
+- if (rfd != -1)
++ if (rfd >= 0)
+ set_nonblock(rfd);
+- if (wfd != -1)
++ if (wfd >= 0)
+ set_nonblock(wfd);
+- if (efd != -1)
++ if (efd >= 0)
+ set_nonblock(efd);
+ }
+ }
+diff -up openssh-5.9p1/clientloop.c.coverity openssh-5.9p1/clientloop.c
+--- openssh-5.9p1/clientloop.c.coverity 2011-06-23 00:31:58.000000000 +0200
++++ openssh-5.9p1/clientloop.c 2011-09-14 08:17:41.556521887 +0200
+@@ -1970,14 +1970,15 @@ client_input_global_request(int type, u_
+ char *rtype;
+ int want_reply;
+ int success = 0;
++/* success is still 0 the packet is allways SSH2_MSG_REQUEST_FAILURE, isn't it? */
+
+ rtype = packet_get_string(NULL);
+ want_reply = packet_get_char();
+ debug("client_input_global_request: rtype %s want_reply %d",
+ rtype, want_reply);
+ if (want_reply) {
+- packet_start(success ?
+- SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE);
++ packet_start(/*success ?
++ SSH2_MSG_REQUEST_SUCCESS :*/ SSH2_MSG_REQUEST_FAILURE);
+ packet_send();
+ packet_write_wait();
+ }
+diff -up openssh-5.9p1/key.c.coverity openssh-5.9p1/key.c
+--- openssh-5.9p1/key.c.coverity 2011-05-20 11:03:08.000000000 +0200
++++ openssh-5.9p1/key.c 2011-09-14 08:09:47.803458435 +0200
+@@ -803,8 +803,10 @@ key_read(Key *ret, char **cpp)
+ success = 1;
+ /*XXXX*/
+ key_free(k);
++/*XXXX
+ if (success != 1)
+ break;
++XXXX*/
+ /* advance cp: skip whitespace and data */
+ while (*cp == ' ' || *cp == '\t')
+ cp++;
+diff -up openssh-5.9p1/misc.c.coverity openssh-5.9p1/misc.c
+diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
+--- openssh-5.9p1/monitor.c.coverity 2011-08-05 22:15:18.000000000 +0200
++++ openssh-5.9p1/monitor.c 2011-09-14 08:09:47.914584009 +0200
+@@ -420,7 +420,7 @@ monitor_child_preauth(Authctxt *_authctx
+ }
+
+ /* Drain any buffered messages from the child */
+- while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
++ while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0)
+ ;
+
+ if (!authctxt->valid)
+@@ -1161,6 +1161,10 @@ mm_answer_keyallowed(int sock, Buffer *m
+ break;
+ }
+ }
++
++ debug3("%s: key %p is %s",
++ __func__, key, allowed ? "allowed" : "not allowed");
++
+ if (key != NULL)
+ key_free(key);
+
+@@ -1182,9 +1186,6 @@ mm_answer_keyallowed(int sock, Buffer *m
+ xfree(chost);
+ }
+
+- debug3("%s: key %p is %s",
+- __func__, key, allowed ? "allowed" : "not allowed");
+-
+ buffer_clear(m);
+ buffer_put_int(m, allowed);
+ buffer_put_int(m, forced_command != NULL);
+diff -up openssh-5.9p1/monitor_wrap.c.coverity openssh-5.9p1/monitor_wrap.c
+--- openssh-5.9p1/monitor_wrap.c.coverity 2011-09-14 08:11:36.480500123 +0200
++++ openssh-5.9p1/monitor_wrap.c 2011-09-14 08:14:11.279520598 +0200
+@@ -707,10 +707,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
+ if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
+ (tmp2 = dup(pmonitor->m_recvfd)) == -1) {
+ error("%s: cannot allocate fds for pty", __func__);
+- if (tmp1 > 0)
++ if (tmp1 >= 0)
+ close(tmp1);
+- if (tmp2 > 0)
+- close(tmp2);
++ /*DEAD CODE if (tmp2 >= 0)
++ close(tmp2);*/
+ return 0;
+ }
+ close(tmp1);
+diff -up openssh-5.9p1/openbsd-compat/bindresvport.c.coverity openssh-5.9p1/openbsd-compat/bindresvport.c
+--- openssh-5.9p1/openbsd-compat/bindresvport.c.coverity 2010-12-03 00:50:26.000000000 +0100
++++ openssh-5.9p1/openbsd-compat/bindresvport.c 2011-09-14 08:09:48.084459344 +0200
+@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
+ struct sockaddr_in6 *in6;
+ u_int16_t *portp;
+ u_int16_t port;
+- socklen_t salen;
++ socklen_t salen = sizeof(struct sockaddr_storage);
+ int i;
+
+ if (sa == NULL) {
+diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c
+--- openssh-5.9p1/packet.c.coverity 2011-05-15 00:58:15.000000000 +0200
++++ openssh-5.9p1/packet.c 2011-09-14 08:09:48.184587842 +0200
+@@ -1177,6 +1177,7 @@ packet_read_poll1(void)
+ case DEATTACK_DETECTED:
+ packet_disconnect("crc32 compensation attack: "
+ "network attack detected");
++ break;
+ case DEATTACK_DOS_DETECTED:
+ packet_disconnect("deattack denial of "
+ "service detected");
+@@ -1684,7 +1685,7 @@ void
+ packet_write_wait(void)
+ {
+ fd_set *setp;
+- int ret, ms_remain;
++ int ret, ms_remain = 0;
+ struct timeval start, timeout, *timeoutp = NULL;
+
+ setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1,
+diff -up openssh-5.9p1/progressmeter.c.coverity openssh-5.9p1/progressmeter.c
+--- openssh-5.9p1/progressmeter.c.coverity 2006-08-05 04:39:40.000000000 +0200
++++ openssh-5.9p1/progressmeter.c 2011-09-14 08:09:48.300586004 +0200
+@@ -65,7 +65,7 @@ static void update_progress_meter(int);
+
+ static time_t start; /* start progress */
+ static time_t last_update; /* last progress update */
+-static char *file; /* name of the file being transferred */
++static const char *file; /* name of the file being transferred */
+ static off_t end_pos; /* ending position of transfer */
+ static off_t cur_pos; /* transfer position as of last refresh */
+ static volatile off_t *counter; /* progress counter */
+@@ -247,7 +247,7 @@ update_progress_meter(int ignore)
+ }
+
+ void
+-start_progress_meter(char *f, off_t filesize, off_t *ctr)
++start_progress_meter(const char *f, off_t filesize, off_t *ctr)
+ {
+ start = last_update = time(NULL);
+ file = f;
+diff -up openssh-5.9p1/progressmeter.h.coverity openssh-5.9p1/progressmeter.h
+--- openssh-5.9p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200
++++ openssh-5.9p1/progressmeter.h 2011-09-14 08:09:48.420645724 +0200
+@@ -23,5 +23,5 @@
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+-void start_progress_meter(char *, off_t, off_t *);
++void start_progress_meter(const char *, off_t, off_t *);
+ void stop_progress_meter(void);
+diff -up openssh-5.9p1/scp.c.coverity openssh-5.9p1/scp.c
+--- openssh-5.9p1/scp.c.coverity 2011-01-06 12:41:21.000000000 +0100
++++ openssh-5.9p1/scp.c 2011-09-14 08:09:48.531505457 +0200
+@@ -155,7 +155,7 @@ killchild(int signo)
+ {
+ if (do_cmd_pid > 1) {
+ kill(do_cmd_pid, signo ? signo : SIGTERM);
+- waitpid(do_cmd_pid, NULL, 0);
++ (void) waitpid(do_cmd_pid, NULL, 0);
+ }
+
+ if (signo)
+diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c
+--- openssh-5.9p1/servconf.c.coverity 2011-06-23 00:30:03.000000000 +0200
++++ openssh-5.9p1/servconf.c 2011-09-14 08:30:17.557468182 +0200
+@@ -609,7 +609,7 @@ match_cfg_line(char **condition, int lin
+ debug3("checking syntax for 'Match %s'", cp);
+ else
+ debug3("checking match for '%s' user %s host %s addr %s", cp,
+- user ? user : "(null)", host ? host : "(null)",
++ user /* User is not NULL ? user : "(null)" */, host ? host : "(null)",
+ address ? address : "(null)");
+
+ while ((attrib = strdelim(&cp)) && *attrib != '\0') {
+@@ -1171,7 +1171,7 @@ process_server_config_line(ServerOptions
+ fatal("%s line %d: Missing subsystem name.",
+ filename, linenum);
+ if (!*activep) {
+- arg = strdelim(&cp);
++ /*arg =*/ (void) strdelim(&cp);
+ break;
+ }
+ for (i = 0; i < options->num_subsystems; i++)
+@@ -1262,8 +1262,9 @@ process_server_config_line(ServerOptions
+ if (*activep && *charptr == NULL) {
+ *charptr = tilde_expand_filename(arg, getuid());
+ /* increase optional counter */
+- if (intptr != NULL)
+- *intptr = *intptr + 1;
++ /* DEAD CODE intptr is still NULL ;)
++ if (intptr != NULL)
++ *intptr = *intptr + 1; */
+ }
+ break;
+
+diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
+--- openssh-5.9p1/serverloop.c.coverity 2011-05-20 11:02:50.000000000 +0200
++++ openssh-5.9p1/serverloop.c 2011-09-14 08:09:48.793586380 +0200
+@@ -147,13 +147,13 @@ notify_setup(void)
+ static void
+ notify_parent(void)
+ {
+- if (notify_pipe[1] != -1)
++ if (notify_pipe[1] >= 0)
+ write(notify_pipe[1], "", 1);
+ }
+ static void
+ notify_prepare(fd_set *readset)
+ {
+- if (notify_pipe[0] != -1)
++ if (notify_pipe[0] >= 0)
+ FD_SET(notify_pipe[0], readset);
+ }
+ static void
+@@ -161,8 +161,8 @@ notify_done(fd_set *readset)
+ {
+ char c;
+
+- if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset))
+- while (read(notify_pipe[0], &c, 1) != -1)
++ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset))
++ while (read(notify_pipe[0], &c, 1) >= 0)
+ debug2("notify_done: reading");
+ }
+
+@@ -330,7 +330,7 @@ wait_until_can_do_something(fd_set **rea
+ * If we have buffered data, try to write some of that data
+ * to the program.
+ */
+- if (fdin != -1 && buffer_len(&stdin_buffer) > 0)
++ if (fdin >= 0 && buffer_len(&stdin_buffer) > 0)
+ FD_SET(fdin, *writesetp);
+ }
+ notify_prepare(*readsetp);
+@@ -470,7 +470,7 @@ process_output(fd_set *writeset)
+ int len;
+
+ /* Write buffered data to program stdin. */
+- if (!compat20 && fdin != -1 && FD_ISSET(fdin, writeset)) {
++ if (!compat20 && fdin >= 0 && FD_ISSET(fdin, writeset)) {
+ data = buffer_ptr(&stdin_buffer);
+ dlen = buffer_len(&stdin_buffer);
+ len = write(fdin, data, dlen);
+@@ -583,7 +583,7 @@ server_loop(pid_t pid, int fdin_arg, int
+ set_nonblock(fdin);
+ set_nonblock(fdout);
+ /* we don't have stderr for interactive terminal sessions, see below */
+- if (fderr != -1)
++ if (fderr >= 0)
+ set_nonblock(fderr);
+
+ if (!(datafellows & SSH_BUG_IGNOREMSG) && isatty(fdin))
+@@ -607,7 +607,7 @@ server_loop(pid_t pid, int fdin_arg, int
+ max_fd = MAX(connection_in, connection_out);
+ max_fd = MAX(max_fd, fdin);
+ max_fd = MAX(max_fd, fdout);
+- if (fderr != -1)
++ if (fderr >= 0)
+ max_fd = MAX(max_fd, fderr);
+ #endif
+
+@@ -637,7 +637,7 @@ server_loop(pid_t pid, int fdin_arg, int
+ * If we have received eof, and there is no more pending
+ * input data, cause a real eof by closing fdin.
+ */
+- if (stdin_eof && fdin != -1 && buffer_len(&stdin_buffer) == 0) {
++ if (stdin_eof && fdin >= 0 && buffer_len(&stdin_buffer) == 0) {
+ if (fdin != fdout)
+ close(fdin);
+ else
+@@ -735,15 +735,15 @@ server_loop(pid_t pid, int fdin_arg, int
+ buffer_free(&stderr_buffer);
+
+ /* Close the file descriptors. */
+- if (fdout != -1)
++ if (fdout >= 0)
+ close(fdout);
+ fdout = -1;
+ fdout_eof = 1;
+- if (fderr != -1)
++ if (fderr >= 0)
+ close(fderr);
+ fderr = -1;
+ fderr_eof = 1;
+- if (fdin != -1)
++ if (fdin >= 0)
+ close(fdin);
+ fdin = -1;
+
+@@ -937,7 +937,7 @@ server_input_window_size(int type, u_int
+
+ debug("Window change received.");
+ packet_check_eom();
+- if (fdin != -1)
++ if (fdin >= 0)
+ pty_change_window_size(fdin, row, col, xpixel, ypixel);
+ }
+
+@@ -990,7 +990,7 @@ server_request_tun(void)
+ }
+
+ tun = packet_get_int();
+- if (forced_tun_device != -1) {
++ if (forced_tun_device >= 0) {
+ if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
+ goto done;
+ tun = forced_tun_device;
+diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
+--- openssh-5.9p1/sftp-client.c.coverity 2010-12-04 23:02:48.000000000 +0100
++++ openssh-5.9p1/sftp-client.c 2011-09-14 08:09:48.910470343 +0200
+@@ -149,7 +149,7 @@ get_msg(struct sftp_conn *conn, Buffer *
+ }
+
+ static void
+-send_string_request(struct sftp_conn *conn, u_int id, u_int code, char *s,
++send_string_request(struct sftp_conn *conn, u_int id, u_int code, const char *s,
+ u_int len)
+ {
+ Buffer msg;
+@@ -165,7 +165,7 @@ send_string_request(struct sftp_conn *co
+
+ static void
+ send_string_attrs_request(struct sftp_conn *conn, u_int id, u_int code,
+- char *s, u_int len, Attrib *a)
++ const char *s, u_int len, Attrib *a)
+ {
+ Buffer msg;
+
+@@ -422,7 +422,7 @@ sftp_proto_version(struct sftp_conn *con
+ }
+
+ int
+-do_close(struct sftp_conn *conn, char *handle, u_int handle_len)
++do_close(struct sftp_conn *conn, const char *handle, u_int handle_len)
+ {
+ u_int id, status;
+ Buffer msg;
+@@ -447,7 +447,7 @@ do_close(struct sftp_conn *conn, char *h
+
+
+ static int
+-do_lsreaddir(struct sftp_conn *conn, char *path, int printflag,
++do_lsreaddir(struct sftp_conn *conn, const char *path, int printflag,
+ SFTP_DIRENT ***dir)
+ {
+ Buffer msg;
+@@ -571,7 +571,7 @@ do_lsreaddir(struct sftp_conn *conn, cha
+ }
+
+ int
+-do_readdir(struct sftp_conn *conn, char *path, SFTP_DIRENT ***dir)
++do_readdir(struct sftp_conn *conn, const char *path, SFTP_DIRENT ***dir)
+ {
+ return(do_lsreaddir(conn, path, 0, dir));
+ }
+@@ -589,7 +589,7 @@ void free_sftp_dirents(SFTP_DIRENT **s)
+ }
+
+ int
+-do_rm(struct sftp_conn *conn, char *path)
++do_rm(struct sftp_conn *conn, const char *path)
+ {
+ u_int status, id;
+
+@@ -604,7 +604,7 @@ do_rm(struct sftp_conn *conn, char *path
+ }
+
+ int
+-do_mkdir(struct sftp_conn *conn, char *path, Attrib *a, int printflag)
++do_mkdir(struct sftp_conn *conn, const char *path, Attrib *a, int printflag)
+ {
+ u_int status, id;
+
+@@ -620,7 +620,7 @@ do_mkdir(struct sftp_conn *conn, char *p
+ }
+
+ int
+-do_rmdir(struct sftp_conn *conn, char *path)
++do_rmdir(struct sftp_conn *conn, const char *path)
+ {
+ u_int status, id;
+
+@@ -636,7 +636,7 @@ do_rmdir(struct sftp_conn *conn, char *p
+ }
+
+ Attrib *
+-do_stat(struct sftp_conn *conn, char *path, int quiet)
++do_stat(struct sftp_conn *conn, const char *path, int quiet)
+ {
+ u_int id;
+
+@@ -650,7 +650,7 @@ do_stat(struct sftp_conn *conn, char *pa
+ }
+
+ Attrib *
+-do_lstat(struct sftp_conn *conn, char *path, int quiet)
++do_lstat(struct sftp_conn *conn, const char *path, int quiet)
+ {
+ u_int id;
+
+@@ -684,7 +684,7 @@ do_fstat(struct sftp_conn *conn, char *h
+ #endif
+
+ int
+-do_setstat(struct sftp_conn *conn, char *path, Attrib *a)
++do_setstat(struct sftp_conn *conn, const char *path, Attrib *a)
+ {
+ u_int status, id;
+
+@@ -701,7 +701,7 @@ do_setstat(struct sftp_conn *conn, char
+ }
+
+ int
+-do_fsetstat(struct sftp_conn *conn, char *handle, u_int handle_len,
++do_fsetstat(struct sftp_conn *conn, const char *handle, u_int handle_len,
+ Attrib *a)
+ {
+ u_int status, id;
+@@ -718,12 +718,12 @@ do_fsetstat(struct sftp_conn *conn, char
+ }
+
+ char *
+-do_realpath(struct sftp_conn *conn, char *path)
++do_realpath(struct sftp_conn *conn, const char *path)
+ {
+ Buffer msg;
+ u_int type, expected_id, count, id;
+ char *filename, *longname;
+- Attrib *a;
++/*UNUSED Attrib *a; */
+
+ expected_id = id = conn->msg_id++;
+ send_string_request(conn, id, SSH2_FXP_REALPATH, path,
+@@ -754,7 +754,7 @@ do_realpath(struct sftp_conn *conn, char
+
+ filename = buffer_get_string(&msg, NULL);
+ longname = buffer_get_string(&msg, NULL);
+- a = decode_attrib(&msg);
++ /*a =*/ (void) decode_attrib(&msg);
+
+ debug3("SSH_FXP_REALPATH %s -> %s", path, filename);
+
+@@ -766,7 +766,7 @@ do_realpath(struct sftp_conn *conn, char
+ }
+
+ int
+-do_rename(struct sftp_conn *conn, char *oldpath, char *newpath)
++do_rename(struct sftp_conn *conn, const char *oldpath, const char *newpath)
+ {
+ Buffer msg;
+ u_int status, id;
+@@ -800,7 +800,7 @@ do_rename(struct sftp_conn *conn, char *
+ }
+
+ int
+-do_hardlink(struct sftp_conn *conn, char *oldpath, char *newpath)
++do_hardlink(struct sftp_conn *conn, const char *oldpath, const char *newpath)
+ {
+ Buffer msg;
+ u_int status, id;
+@@ -833,7 +833,7 @@ do_hardlink(struct sftp_conn *conn, char
+ }
+
+ int
+-do_symlink(struct sftp_conn *conn, char *oldpath, char *newpath)
++do_symlink(struct sftp_conn *conn, const char *oldpath, const char *newpath)
+ {
+ Buffer msg;
+ u_int status, id;
+@@ -984,7 +984,7 @@ send_read_request(struct sftp_conn *conn
+ }
+
+ int
+-do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
++do_download(struct sftp_conn *conn, const char *remote_path, const char *local_path,
+ Attrib *a, int pflag)
+ {
+ Attrib junk;
+@@ -1223,7 +1223,7 @@ do_download(struct sftp_conn *conn, char
+ }
+
+ static int
+-download_dir_internal(struct sftp_conn *conn, char *src, char *dst,
++download_dir_internal(struct sftp_conn *conn, const char *src, const char *dst,
+ Attrib *dirattrib, int pflag, int printflag, int depth)
+ {
+ int i, ret = 0;
+@@ -1313,7 +1313,7 @@ download_dir_internal(struct sftp_conn *
+ }
+
+ int
+-download_dir(struct sftp_conn *conn, char *src, char *dst,
++download_dir(struct sftp_conn *conn, const char *src, const char *dst,
+ Attrib *dirattrib, int pflag, int printflag)
+ {
+ char *src_canon;
+@@ -1331,7 +1331,7 @@ download_dir(struct sftp_conn *conn, cha
+ }
+
+ int
+-do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
++do_upload(struct sftp_conn *conn, const char *local_path, const char *remote_path,
+ int pflag)
+ {
+ int local_fd;
+@@ -1514,7 +1514,7 @@ do_upload(struct sftp_conn *conn, char *
+ }
+
+ static int
+-upload_dir_internal(struct sftp_conn *conn, char *src, char *dst,
++upload_dir_internal(struct sftp_conn *conn, const char *src, const char *dst,
+ int pflag, int printflag, int depth)
+ {
+ int ret = 0, status;
+@@ -1605,7 +1605,7 @@ upload_dir_internal(struct sftp_conn *co
+ }
+
+ int
+-upload_dir(struct sftp_conn *conn, char *src, char *dst, int printflag,
++upload_dir(struct sftp_conn *conn, const char *src, const char *dst, int printflag,
+ int pflag)
+ {
+ char *dst_canon;
+@@ -1622,7 +1622,7 @@ upload_dir(struct sftp_conn *conn, char
+ }
+
+ char *
+-path_append(char *p1, char *p2)
++path_append(const char *p1, const char *p2)
+ {
+ char *ret;
+ size_t len = strlen(p1) + strlen(p2) + 2;
+diff -up openssh-5.9p1/sftp-client.h.coverity openssh-5.9p1/sftp-client.h
+--- openssh-5.9p1/sftp-client.h.coverity 2010-12-04 23:02:48.000000000 +0100
++++ openssh-5.9p1/sftp-client.h 2011-09-14 08:09:49.021583940 +0200
+@@ -56,49 +56,49 @@ struct sftp_conn *do_init(int, int, u_in
+ u_int sftp_proto_version(struct sftp_conn *);
+
+ /* Close file referred to by 'handle' */
+-int do_close(struct sftp_conn *, char *, u_int);
++int do_close(struct sftp_conn *, const char *, u_int);
+
+ /* Read contents of 'path' to NULL-terminated array 'dir' */
+-int do_readdir(struct sftp_conn *, char *, SFTP_DIRENT ***);
++int do_readdir(struct sftp_conn *, const char *, SFTP_DIRENT ***);
+
+ /* Frees a NULL-terminated array of SFTP_DIRENTs (eg. from do_readdir) */
+ void free_sftp_dirents(SFTP_DIRENT **);
+
+ /* Delete file 'path' */
+-int do_rm(struct sftp_conn *, char *);
++int do_rm(struct sftp_conn *, const char *);
+
+ /* Create directory 'path' */
+-int do_mkdir(struct sftp_conn *, char *, Attrib *, int);
++int do_mkdir(struct sftp_conn *, const char *, Attrib *, int);
+
+ /* Remove directory 'path' */
+-int do_rmdir(struct sftp_conn *, char *);
++int do_rmdir(struct sftp_conn *, const char *);
+
+ /* Get file attributes of 'path' (follows symlinks) */
+-Attrib *do_stat(struct sftp_conn *, char *, int);
++Attrib *do_stat(struct sftp_conn *, const char *, int);
+
+ /* Get file attributes of 'path' (does not follow symlinks) */
+-Attrib *do_lstat(struct sftp_conn *, char *, int);
++Attrib *do_lstat(struct sftp_conn *, const char *, int);
+
+ /* Set file attributes of 'path' */
+-int do_setstat(struct sftp_conn *, char *, Attrib *);
++int do_setstat(struct sftp_conn *, const char *, Attrib *);
+
+ /* Set file attributes of open file 'handle' */
+-int do_fsetstat(struct sftp_conn *, char *, u_int, Attrib *);
++int do_fsetstat(struct sftp_conn *, const char *, u_int, Attrib *);
+
+ /* Canonicalise 'path' - caller must free result */
+-char *do_realpath(struct sftp_conn *, char *);
++char *do_realpath(struct sftp_conn *, const char *);
+
+ /* Get statistics for filesystem hosting file at "path" */
+ int do_statvfs(struct sftp_conn *, const char *, struct sftp_statvfs *, int);
+
+ /* Rename 'oldpath' to 'newpath' */
+-int do_rename(struct sftp_conn *, char *, char *);
++int do_rename(struct sftp_conn *, const char *, const char *);
+
+ /* Link 'oldpath' to 'newpath' */
+-int do_hardlink(struct sftp_conn *, char *, char *);
++int do_hardlink(struct sftp_conn *, const char *, const char *);
+
+-/* Rename 'oldpath' to 'newpath' */
+-int do_symlink(struct sftp_conn *, char *, char *);
++/* Symlink 'oldpath' to 'newpath' */
++int do_symlink(struct sftp_conn *, const char *, const char *);
+
+ /* XXX: add callbacks to do_download/do_upload so we can do progress meter */
+
+@@ -106,27 +106,27 @@ int do_symlink(struct sftp_conn *, char
+ * Download 'remote_path' to 'local_path'. Preserve permissions and times
+ * if 'pflag' is set
+ */
+-int do_download(struct sftp_conn *, char *, char *, Attrib *, int);
++int do_download(struct sftp_conn *, const char *, const char *, Attrib *, int);
+
+ /*
+ * Recursively download 'remote_directory' to 'local_directory'. Preserve
+ * times if 'pflag' is set
+ */
+-int download_dir(struct sftp_conn *, char *, char *, Attrib *, int, int);
++int download_dir(struct sftp_conn *, const char *, const char *, Attrib *, int, int);
+
+ /*
+ * Upload 'local_path' to 'remote_path'. Preserve permissions and times
+ * if 'pflag' is set
+ */
+-int do_upload(struct sftp_conn *, char *, char *, int);
++int do_upload(struct sftp_conn *, const char *, const char *, int);
+
+ /*
+ * Recursively upload 'local_directory' to 'remote_directory'. Preserve
+ * times if 'pflag' is set
+ */
+-int upload_dir(struct sftp_conn *, char *, char *, int, int);
++int upload_dir(struct sftp_conn *, const char *, const char *, int, int);
+
+ /* Concatenate paths, taking care of slashes. Caller must free result. */
+-char *path_append(char *, char *);
++char *path_append(const char *, const char *);
+
+ #endif
+diff -up openssh-5.9p1/sftp.c.coverity openssh-5.9p1/sftp.c
+--- openssh-5.9p1/sftp.c.coverity 2010-12-04 23:02:48.000000000 +0100
++++ openssh-5.9p1/sftp.c 2011-09-14 08:09:49.468493585 +0200
+@@ -206,7 +206,7 @@ killchild(int signo)
+ {
+ if (sshpid > 1) {
+ kill(sshpid, SIGTERM);
+- waitpid(sshpid, NULL, 0);
++ (void) waitpid(sshpid, NULL, 0);
+ }
+
+ _exit(1);
+@@ -316,7 +316,7 @@ local_do_ls(const char *args)
+
+ /* Strip one path (usually the pwd) from the start of another */
+ static char *
+-path_strip(char *path, char *strip)
++path_strip(const char *path, const char *strip)
+ {
+ size_t len;
+
+@@ -334,7 +334,7 @@ path_strip(char *path, char *strip)
+ }
+
+ static char *
+-make_absolute(char *p, char *pwd)
++make_absolute(char *p, const char *pwd)
+ {
+ char *abs_str;
+
+@@ -482,7 +482,7 @@ parse_df_flags(const char *cmd, char **a
+ }
+
+ static int
+-is_dir(char *path)
++is_dir(const char *path)
+ {
+ struct stat sb;
+
+@@ -494,7 +494,7 @@ is_dir(char *path)
+ }
+
+ static int
+-remote_is_dir(struct sftp_conn *conn, char *path)
++remote_is_dir(struct sftp_conn *conn, const char *path)
+ {
+ Attrib *a;
+
+@@ -508,7 +508,7 @@ remote_is_dir(struct sftp_conn *conn, ch
+
+ /* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
+ static int
+-pathname_is_dir(char *pathname)
++pathname_is_dir(const char *pathname)
+ {
+ size_t l = strlen(pathname);
+
+@@ -516,7 +516,7 @@ pathname_is_dir(char *pathname)
+ }
+
+ static int
+-process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
++process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
+ int pflag, int rflag)
+ {
+ char *abs_src = NULL;
+@@ -590,7 +590,7 @@ out:
+ }
+
+ static int
+-process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
++process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
+ int pflag, int rflag)
+ {
+ char *tmp_dst = NULL;
+@@ -695,7 +695,7 @@ sdirent_comp(const void *aa, const void
+
+ /* sftp ls.1 replacement for directories */
+ static int
+-do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
++do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag)
+ {
+ int n;
+ u_int c = 1, colspace = 0, columns = 1;
+@@ -780,10 +780,10 @@ do_ls_dir(struct sftp_conn *conn, char *
+
+ /* sftp ls.1 replacement which handles path globs */
+ static int
+-do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
++do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path,
+ int lflag)
+ {
+- Attrib *a = NULL;
++/*UNUSED Attrib *a = NULL;*/
+ char *fname, *lname;
+ glob_t g;
+ int err;
+@@ -828,7 +828,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
+ colspace = width / columns;
+ }
+
+- for (i = 0; g.gl_pathv[i] && !interrupted; i++, a = NULL) {
++ for (i = 0; g.gl_pathv[i] && !interrupted; i++/*, a = NULL*/) {
+ fname = path_strip(g.gl_pathv[i], strip_path);
+ if (lflag & LS_LONG_VIEW) {
+ if (g.gl_statv[i] == NULL) {
+@@ -861,7 +861,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
+ }
+
+ static int
+-do_df(struct sftp_conn *conn, char *path, int hflag, int iflag)
++do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag)
+ {
+ struct sftp_statvfs st;
+ char s_used[FMT_SCALED_STRSIZE];
+diff -up openssh-5.9p1/ssh-agent.c.coverity openssh-5.9p1/ssh-agent.c
+--- openssh-5.9p1/ssh-agent.c.coverity 2011-06-03 06:14:16.000000000 +0200
++++ openssh-5.9p1/ssh-agent.c 2011-09-14 08:09:49.572460295 +0200
+@@ -1147,8 +1147,8 @@ main(int ac, char **av)
+ sanitise_stdfd();
+
+ /* drop */
+- setegid(getgid());
+- setgid(getgid());
++ (void) setegid(getgid());
++ (void) setgid(getgid());
+
+ #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
+ /* Disable ptrace on Linux without sgid bit */
+diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c
+--- openssh-5.9p1/sshd.c.coverity 2011-06-23 11:45:51.000000000 +0200
++++ openssh-5.9p1/sshd.c 2011-09-14 08:09:49.687509968 +0200
+@@ -676,8 +676,10 @@ privsep_preauth(Authctxt *authctxt)
+ if (getuid() == 0 || geteuid() == 0)
+ privsep_preauth_child();
+ setproctitle("%s", "[net]");
+- if (box != NULL)
++ if (box != NULL) {
+ ssh_sandbox_child(box);
++ xfree(box);
++ }
+
+ return 0;
+ }
+@@ -1302,6 +1304,9 @@ server_accept_loop(int *sock_in, int *so
+ if (num_listen_socks < 0)
+ break;
+ }
++
++ if (fdset != NULL)
++ xfree(fdset);
+ }
+
+
+@@ -1774,7 +1779,7 @@ main(int ac, char **av)
+
+ /* Chdir to the root directory so that the current disk can be
+ unmounted if desired. */
+- chdir("/");
++ (void) chdir("/");
+
+ /* ignore SIGPIPE */
+ signal(SIGPIPE, SIG_IGN);
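Review bot: The servconf.c hunk at `@@ -609,7 +609,7 @@ match_cfg_line` drops the NULL guard on `user` in a `%s` argument to silence a dead-code finding, but passing a NULL pointer for `%s` is undefined behaviour in C (glibc printing "(null)" is an extension), so the safety of `user /* User is not NULL ... */` now rests on every caller of match_cfg_line honouring an invariant the function no longer checks; the guard costs nothing, so keep `user ? user : "(null)"` as it was. The same pattern of answering findings by commenting code out rather than deleting it (`/*UNUSED Attrib *a; */` in sftp-client.c and sftp.c, the `/* DEAD CODE ... */` blocks in monitor_wrap.c and servconf.c, `/*success ? ... :*/` in clientloop.c) makes the patch harder to read and rebase; if the code is dead, remove it and say why in a one-line comment. In clientloop.c the added note `/* success is still 0 the packet is allways ... */` sits at column 0 inside the function body and misspells "always"; `/* success is never set, so the reply is always SSH2_MSG_REQUEST_FAILURE */` reads better. In auth-pam.c the new waitpid loop turns any non-EINTR failure into fatal(), which is fail-closed and better than returning a status waitpid never filled in, but since sshpam_oldsig is restored just before the call, a handler that reaps the child first would make waitpid fail with ECHILD and abort the authentication — worth confirming against the saved handler (the enclosing pthread_join starts outside the hunk).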
-diff -up openssh-5.2p1/dns.c.rh205842 openssh-5.2p1/dns.c
---- openssh-5.2p1/dns.c.rh205842 2009-07-27 16:25:28.000000000 +0200
-+++ openssh-5.2p1/dns.c 2009-07-27 16:40:59.000000000 +0200
-@@ -176,6 +176,7 @@ verify_host_key_dns(const char *hostname
+diff -up openssh-5.9p1/dns.c.edns openssh-5.9p1/dns.c
+--- openssh-5.9p1/dns.c.edns 2010-08-31 14:41:14.000000000 +0200
++++ openssh-5.9p1/dns.c 2011-09-09 08:05:27.782440497 +0200
+@@ -177,6 +177,7 @@ verify_host_key_dns(const char *hostname
{
u_int counter;
int result;
struct rrsetinfo *fingerprints = NULL;
u_int8_t hostkey_algorithm;
-@@ -199,8 +200,19 @@ verify_host_key_dns(const char *hostname
+@@ -200,8 +201,19 @@ verify_host_key_dns(const char *hostname
return -1;
}
if (result) {
verbose("DNS lookup error: %s", dns_result_totext(result));
return -1;
-diff -up openssh-5.2p1/openbsd-compat/getrrsetbyname.c.rh205842 openssh-5.2p1/openbsd-compat/getrrsetbyname.c
---- openssh-5.2p1/openbsd-compat/getrrsetbyname.c.rh205842 2009-07-27 16:22:23.000000000 +0200
-+++ openssh-5.2p1/openbsd-compat/getrrsetbyname.c 2009-07-27 16:41:55.000000000 +0200
+diff -up openssh-5.9p1/openbsd-compat/getrrsetbyname.c.edns openssh-5.9p1/openbsd-compat/getrrsetbyname.c
+--- openssh-5.9p1/openbsd-compat/getrrsetbyname.c.edns 2009-07-13 03:38:23.000000000 +0200
++++ openssh-5.9p1/openbsd-compat/getrrsetbyname.c 2011-09-09 15:03:39.930500801 +0200
@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, uns
goto fail;
}
- /* don't allow flags yet, unimplemented */
- if (flags) {
+ /* Allow RRSET_FORCE_EDNS0 flag only. */
-+ if ((flags & !RRSET_FORCE_EDNS0) != 0) {
++ if ((flags & ~RRSET_FORCE_EDNS0) != 0) {
result = ERRSET_INVAL;
goto fail;
}
#endif /* RES_USE_DNSEC */
/* make query */
-diff -up openssh-5.2p1/openbsd-compat/getrrsetbyname.h.rh205842 openssh-5.2p1/openbsd-compat/getrrsetbyname.h
---- openssh-5.2p1/openbsd-compat/getrrsetbyname.h.rh205842 2009-07-27 16:35:02.000000000 +0200
-+++ openssh-5.2p1/openbsd-compat/getrrsetbyname.h 2009-07-27 16:36:09.000000000 +0200
+diff -up openssh-5.9p1/openbsd-compat/getrrsetbyname.h.edns openssh-5.9p1/openbsd-compat/getrrsetbyname.h
+--- openssh-5.9p1/openbsd-compat/getrrsetbyname.h.edns 2007-10-26 08:26:50.000000000 +0200
++++ openssh-5.9p1/openbsd-compat/getrrsetbyname.h 2011-09-09 08:05:27.965438689 +0200
@@ -72,6 +72,9 @@
#ifndef RRSET_VALIDATED
# define RRSET_VALIDATED 1
--- /dev/null
+diff -up openssh-5.9p0/entropy.c.entropy openssh-5.9p0/entropy.c
+--- openssh-5.9p0/entropy.c.entropy 2011-08-31 13:20:59.660150441 +0200
++++ openssh-5.9p0/entropy.c 2011-08-31 13:21:05.072024970 +0200
+@@ -232,6 +232,9 @@ seed_rng(void)
+ memset(buf, '\0', sizeof(buf));
+
+ #endif /* OPENSSL_PRNG_ONLY */
++#ifdef __linux__
++ linux_seed();
++#endif /* __linux__ */
+ if (RAND_status() != 1)
+ fatal("PRNG is not seeded");
+ }
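Review bot: Nothing in this patch declares `linux_seed()` before the call added to `seed_rng()`; port-linux-prng.c defines it, but no header hunk adds a prototype and entropy.c is not shown including port-linux.h, so unless an include already present in entropy.c declares it, the call compiles under the implicit-declaration rule and a later signature change would go unnoticed. Add `void linux_seed(void);` to the header entropy.c already pulls in, under the same `#ifdef __linux__` guard. The call also sits after `#endif /* OPENSSL_PRNG_ONLY */`, so it runs whenever control reaches that point regardless of the preceding RAND_status() handling; if that is deliberate, a one-line comment saying so (`/* always mix in kernel randomness, even if OpenSSL already reports seeded */`) would save the next reader the question. seed_rng() starts outside the hunk.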
+diff -up openssh-5.9p0/openbsd-compat/Makefile.in.entropy openssh-5.9p0/openbsd-compat/Makefile.in
+--- openssh-5.9p0/openbsd-compat/Makefile.in.entropy 2011-08-31 13:20:54.000000000 +0200
++++ openssh-5.9p0/openbsd-compat/Makefile.in 2011-08-31 13:44:25.138151565 +0200
+@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
+
+ COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
+
+-PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-solaris.o port-tun.o port-uw.o
++PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
+
+ .c.o:
+ $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
+diff -up openssh-5.9p0/openbsd-compat/port-linux-prng.c.entropy openssh-5.9p0/openbsd-compat/port-linux-prng.c
+--- openssh-5.9p0/openbsd-compat/port-linux-prng.c.entropy 2011-08-31 13:21:05.382024083 +0200
++++ openssh-5.9p0/openbsd-compat/port-linux-prng.c 2011-08-31 13:21:05.386024776 +0200
+@@ -0,0 +1,59 @@
++/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
++
++/*
++ * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com>
++ *
++ * Permission to use, copy, modify, and distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
++ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
++ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
++ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
++ */
++
++/*
++ * Linux-specific portability code - prng support
++ */
++
++#include "includes.h"
++
++#include <errno.h>
++#include <stdarg.h>
++#include <string.h>
++#include <stdio.h>
++#include <openssl/rand.h>
++
++#include "log.h"
++#include "xmalloc.h"
++#include "servconf.h"
++#include "port-linux.h"
++#include "key.h"
++#include "hostfile.h"
++#include "auth.h"
++
++void
++linux_seed(void)
++{
++ int len;
++ char *env = getenv("SSH_USE_STRONG_RNG");
++ char *random = "/dev/random";
++ size_t ienv, randlen = 6;
++
++ if (!env || !strcmp(env, "0"))
++ random = "/dev/urandom";
++ else if ((ienv = atoi(env)) > 6)
++ randlen = ienv;
++
++ errno = 0;
++ if ((len = RAND_load_file(random, randlen)) != randlen) {
++ if (errno)
++ fatal ("cannot read from %s, %s", random, strerror(errno));
++ else
++ fatal ("EOF reading %s", random);
++ }
++}
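Review bot: `ienv` is a `size_t` but receives the result of `atoi(env)`, so a negative or non-numeric value such as `SSH_USE_STRONG_RNG=-1` wraps to a huge `randlen`, and since the non-"0" branch keeps `/dev/random` the process then blocks in `RAND_load_file()` trying to read an effectively unbounded amount of entropy; `atoi` also gives no way to reject trailing garbage. The comparison `len != randlen` mixes `int` and `size_t`, and the local named `random` shadows the libc `random()` function. Parse with `strtoul` and an end-pointer check, reject a leading `-`, and cap the count with an explicit upper bound chosen by the packager (placeholder below), keeping the existing error reporting; `strtoul`, like the `getenv()`/`atoi()` already used, needs `<stdlib.h>`, which presumably arrives via includes.h.
```c
void
linux_seed(void)
{
	int len;
	char *env = getenv("SSH_USE_STRONG_RNG");
	const char *rndpath = "/dev/random";
	size_t randlen = 6;
	unsigned long ienv;
	char *endp;

	if (!env || !strcmp(env, "0"))
		rndpath = "/dev/urandom";
	else {
		errno = 0;
		ienv = strtoul(env, &endp, 10);
		if (env[0] == '-' || *endp != '\0' || errno != 0 ||
		    ienv > SSH_STRONG_RNG_MAX_BYTES /* placeholder: pick a sane cap */)
			fatal("SSH_USE_STRONG_RNG: invalid value '%s'", env);
		if (ienv > 6)
			randlen = ienv;
	}

	errno = 0;
	if ((len = RAND_load_file(rndpath, randlen)) < 0 || (size_t)len != randlen) {
		/* … unchanged: errno / EOF error reporting, using rndpath … */
	}
}
```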
+diff -up openssh-5.9p0/ssh-add.1.entropy openssh-5.9p0/ssh-add.1
+--- openssh-5.9p0/ssh-add.1.entropy 2010-11-05 00:20:14.000000000 +0100
++++ openssh-5.9p0/ssh-add.1 2011-08-31 13:21:05.597122030 +0200
+@@ -158,6 +158,20 @@ Identifies the path of a
+ .Ux Ns -domain
+ socket used to communicate with the agent.
+ .El
++.It Ev SSH_USE_STRONG_RNG
++The reseeding of the OpenSSL random generator is usually done from
++.Cm /dev/urandom .
++If the
++.Cm SSH_USE_STRONG_RNG
++environment variable is set to value other than
++.Cm 0
++the OpenSSL random generator is reseeded from
++.Cm /dev/random .
++The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
++Minimum is 6 bytes.
++This setting is not recommended on the computers without the hardware
++random generator because insufficient entropy causes the connection to
++be blocked until enough entropy is available.
+ .Sh FILES
+ .Bl -tag -width Ds
+ .It Pa ~/.ssh/identity
+diff -up openssh-5.9p0/ssh-agent.1.entropy openssh-5.9p0/ssh-agent.1
+--- openssh-5.9p0/ssh-agent.1.entropy 2010-12-01 01:50:35.000000000 +0100
++++ openssh-5.9p0/ssh-agent.1 2011-08-31 13:21:05.735150196 +0200
+@@ -198,6 +198,24 @@ sockets used to contain the connection t
+ These sockets should only be readable by the owner.
+ The sockets should get automatically removed when the agent exits.
+ .El
++.Sh ENVIRONMENT
++.Bl -tag -width Ds -compact
++.Pp
++.It Pa SSH_USE_STRONG_RNG
++The reseeding of the OpenSSL random generator is usually done from
++.Cm /dev/urandom .
++If the
++.Cm SSH_USE_STRONG_RNG
++environment variable is set to value other than
++.Cm 0
++the OpenSSL random generator is reseeded from
++.Cm /dev/random .
++The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
++Minimum is 6 bytes.
++This setting is not recommended on the computers without the hardware
++random generator because insufficient entropy causes the connection to
++be blocked until enough entropy is available.
++.El
+ .Sh SEE ALSO
+ .Xr ssh 1 ,
+ .Xr ssh-add 1 ,
+diff -up openssh-5.9p0/ssh-keygen.1.entropy openssh-5.9p0/ssh-keygen.1
+--- openssh-5.9p0/ssh-keygen.1.entropy 2011-08-31 13:20:59.200212619 +0200
++++ openssh-5.9p0/ssh-keygen.1 2011-08-31 13:21:06.077150115 +0200
+@@ -669,6 +669,24 @@ Contains Diffie-Hellman groups used for
+ The file format is described in
+ .Xr moduli 5 .
+ .El
++.Sh ENVIRONMENT
++.Bl -tag -width Ds -compact
++.Pp
++.It Pa SSH_USE_STRONG_RNG
++The reseeding of the OpenSSL random generator is usually done from
++.Cm /dev/urandom .
++If the
++.Cm SSH_USE_STRONG_RNG
++environment variable is set to value other than
++.Cm 0
++the OpenSSL random generator is reseeded from
++.Cm /dev/random .
++The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
++Minimum is 6 bytes.
++This setting is not recommended on the computers without the hardware
++random generator because insufficient entropy causes the connection to
++be blocked until enough entropy is available.
++.El
+ .Sh SEE ALSO
+ .Xr ssh 1 ,
+ .Xr ssh-add 1 ,
+diff -up openssh-5.9p0/ssh-keysign.8.entropy openssh-5.9p0/ssh-keysign.8
+--- openssh-5.9p0/ssh-keysign.8.entropy 2010-08-31 14:41:14.000000000 +0200
++++ openssh-5.9p0/ssh-keysign.8 2011-08-31 13:21:06.207024356 +0200
+@@ -78,6 +78,24 @@ must be set-uid root if host-based authe
+ If these files exist they are assumed to contain public certificate
+ information corresponding with the private keys above.
+ .El
++.Sh ENVIRONMENT
++.Bl -tag -width Ds -compact
++.Pp
++.It Pa SSH_USE_STRONG_RNG
++The reseeding of the OpenSSL random generator is usually done from
++.Cm /dev/urandom .
++If the
++.Cm SSH_USE_STRONG_RNG
++environment variable is set to value other than
++.Cm 0
++the OpenSSL random generator is reseeded from
++.Cm /dev/random .
++The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
++Minimum is 6 bytes.
++This setting is not recommended on the computers without the hardware
++random generator because insufficient entropy causes the connection to
++be blocked until enough entropy is available.
++.El
+ .Sh SEE ALSO
+ .Xr ssh 1 ,
+ .Xr ssh-keygen 1 ,
+diff -up openssh-5.9p0/ssh.1.entropy openssh-5.9p0/ssh.1
+--- openssh-5.9p0/ssh.1.entropy 2011-08-31 13:21:00.835103535 +0200
++++ openssh-5.9p0/ssh.1 2011-08-31 13:21:05.482032754 +0200
+@@ -1255,6 +1255,23 @@ For more information, see the
+ .Cm PermitUserEnvironment
+ option in
+ .Xr sshd_config 5 .
++.Sh ENVIRONMENT
++.Bl -tag -width Ds -compact
++.It Ev SSH_USE_STRONG_RNG
++The reseeding of the OpenSSL random generator is usually done from
++.Cm /dev/urandom .
++If the
++.Cm SSH_USE_STRONG_RNG
++environment variable is set to value other than
++.Cm 0
++the OpenSSL random generator is reseeded from
++.Cm /dev/random .
++The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
++Minimum is 6 bytes.
++This setting is not recommended on the computers without the hardware
++random generator because insufficient entropy causes the connection to
++be blocked until enough entropy is available.
++.El
+ .Sh FILES
+ .Bl -tag -width Ds -compact
+ .It Pa ~/.rhosts
+diff -up openssh-5.9p0/sshd.8.entropy openssh-5.9p0/sshd.8
+--- openssh-5.9p0/sshd.8.entropy 2011-08-31 13:21:00.000000000 +0200
++++ openssh-5.9p0/sshd.8 2011-08-31 13:46:27.341025537 +0200
+@@ -940,6 +940,24 @@ concurrently for different ports, this c
+ started last).
+ The content of this file is not sensitive; it can be world-readable.
+ .El
++.Sh ENVIRONMENT
++.Bl -tag -width Ds -compact
++.Pp
++.It Pa SSH_USE_STRONG_RNG
++The reseeding of the OpenSSL random generator is usually done from
++.Cm /dev/urandom .
++If the
++.Cm SSH_USE_STRONG_RNG
++environment variable is set to value other than
++.Cm 0
++the OpenSSL random generator is reseeded from
++.Cm /dev/random .
++The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
++Minimum is 6 bytes.
++This setting is not recommended on the computers without the hardware
++random generator because insufficient entropy causes the connection to
++be blocked until enough entropy is available.
++.El
+ .Sh IPV6
+ IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
+ .Sh SEE ALSO
--- /dev/null
+diff -up openssh-5.9p0/ssh_config.redhat openssh-5.9p0/ssh_config
+--- openssh-5.9p0/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100
++++ openssh-5.9p0/ssh_config 2011-09-05 14:48:16.386439023 +0200
+@@ -45,3 +45,14 @@
+ # PermitLocalCommand no
+ # VisualHostKey no
+ # ProxyCommand ssh -q -W %h:%p gateway.example.com
++Host *
++ GSSAPIAuthentication yes
++# If this option is set to yes then remote X11 clients will have full access
++# to the original X11 display. As virtually no X11 client supports the untrusted
++# mode correctly we set this to yes.
++ ForwardX11Trusted yes
++# Send locale-related environment variables
++ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
++ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
++ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
++ SendEnv XMODIFIERS
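Review bot: `ForwardX11Trusted yes` under `Host *` makes every `ssh -X` behave like `-Y`, so a remote host that is compromised or hostile gets unrestricted access to the local X display instead of the restricted access that untrusted forwarding enforces through the X SECURITY extension. The comment explains the compatibility motivation but not the consequence, which is what a user reading the file needs to decide whether to keep it; extend it with `# NOTE: any forwarded X11 connection can then read and inject input on the local display; use ForwardX11 no (or ssh -x) for hosts you do not trust.` Consider whether a distribution-wide default is the right place for this at all, versus documenting `-Y` for the cases that need it.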
+diff -up openssh-5.9p0/sshd_config.0.redhat openssh-5.9p0/sshd_config.0
+--- openssh-5.9p0/sshd_config.0.redhat 2011-09-05 14:48:08.522441255 +0200
++++ openssh-5.9p0/sshd_config.0 2011-09-05 14:48:16.477443868 +0200
+@@ -581,9 +581,9 @@ DESCRIPTION
+
+ SyslogFacility
+ Gives the facility code that is used when logging messages from
+- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
+- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
+- default is AUTH.
++ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
++ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
++ The default is AUTH.
+
+ TCPKeepAlive
+ Specifies whether the system should send TCP keepalive messages
+diff -up openssh-5.9p0/sshd_config.5.redhat openssh-5.9p0/sshd_config.5
+--- openssh-5.9p0/sshd_config.5.redhat 2011-09-05 14:48:08.657564688 +0200
++++ openssh-5.9p0/sshd_config.5 2011-09-05 14:48:16.589501736 +0200
+@@ -1029,7 +1029,7 @@ Note that this option applies to protoco
+ .It Cm SyslogFacility
+ Gives the facility code that is used when logging messages from
+ .Xr sshd 8 .
+-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
++The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
+ LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+ The default is AUTH.
+ .It Cm TCPKeepAlive
+diff -up openssh-5.9p0/sshd_config.redhat openssh-5.9p0/sshd_config
+--- openssh-5.9p0/sshd_config.redhat 2011-09-05 14:48:16.250626793 +0200
++++ openssh-5.9p0/sshd_config 2011-09-05 15:06:01.513443553 +0200
+@@ -32,6 +32,7 @@
+ # Logging
+ # obsoletes QuietMode and FascistLogging
+ #SyslogFacility AUTH
++SyslogFacility AUTHPRIV
+ #LogLevel INFO
+
+ # Authentication:
+@@ -65,9 +66,11 @@ AuthorizedKeysFile .ssh/authorized_keys
+ # To disable tunneled clear text passwords, change to no here!
+ #PasswordAuthentication yes
+ #PermitEmptyPasswords no
++PasswordAuthentication yes
+
+ # Change to no to disable s/key passwords
+ #ChallengeResponseAuthentication yes
++ChallengeResponseAuthentication no
+
+ # Kerberos options
+ #KerberosAuthentication no
+@@ -77,7 +80,9 @@ AuthorizedKeysFile .ssh/authorized_keys
+
+ # GSSAPI options
+ #GSSAPIAuthentication no
++GSSAPIAuthentication yes
+ #GSSAPICleanupCredentials yes
++GSSAPICleanupCredentials yes
+
+ # Set this to 'yes' to enable PAM authentication, account processing,
+ # and session processing. If this is enabled, PAM authentication will
+@@ -89,6 +94,7 @@ AuthorizedKeysFile .ssh/authorized_keys
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and ChallengeResponseAuthentication to 'no'.
+ #UsePAM no
++UsePAM yes
+
+ #TwoFactorAuthentication no
+ #SecondPubkeyAuthentication yes
+@@ -101,6 +107,7 @@ AuthorizedKeysFile .ssh/authorized_keys
+ #AllowTcpForwarding yes
+ #GatewayPorts no
+ #X11Forwarding no
++X11Forwarding yes
+ #X11DisplayOffset 10
+ #X11UseLocalhost yes
+ #PrintMotd yes
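Review bot: `X11Forwarding yes` is switched on server-wide with no comment, unlike the X11 setting the same patch changes in ssh_config, and it inverts the upstream default; every session then carries the X11 proxying and xauth handling whether or not the host has any X clients. If the distribution wants it on, say why next to it, e.g. `# Enabled for desktop use; set to no on headless servers.`, and note that `X11UseLocalhost yes` (left at its commented default a line below) is what keeps the forwarded display bound to the loopback interface, so it should not be relaxed without reviewing this setting.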
+@@ -121,6 +128,12 @@ AuthorizedKeysFile .ssh/authorized_keys
+ # no default banner path
+ #Banner none
+
++# Accept locale-related environment variables
++AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
++AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
++AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
++AcceptEnv XMODIFIERS
++
+ # override default of no subsystems
+ Subsystem sftp /usr/libexec/sftp-server
+
--- /dev/null
+diff -up openssh-5.9p0/ssh.1.ipv6man openssh-5.9p0/ssh.1
+--- openssh-5.9p0/ssh.1.ipv6man 2011-08-05 22:17:32.000000000 +0200
++++ openssh-5.9p0/ssh.1 2011-08-31 13:08:34.880024485 +0200
+@@ -1400,6 +1400,8 @@ manual page for more information.
+ .Nm
+ exits with the exit status of the remote command or with 255
+ if an error occurred.
++.Sh IPV6
++IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
+ .Sh SEE ALSO
+ .Xr scp 1 ,
+ .Xr sftp 1 ,
+diff -up openssh-5.9p0/sshd.8.ipv6man openssh-5.9p0/sshd.8
+--- openssh-5.9p0/sshd.8.ipv6man 2011-08-05 22:17:32.000000000 +0200
++++ openssh-5.9p0/sshd.8 2011-08-31 13:10:34.129039094 +0200
+@@ -940,6 +940,8 @@ concurrently for different ports, this c
+ started last).
+ The content of this file is not sensitive; it can be world-readable.
+ .El
++.Sh IPV6
++IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
+ .Sh SEE ALSO
+ .Xr scp 1 ,
+ .Xr sftp 1 ,
--- /dev/null
+diff -up openssh-5.9p0/ssh-keygen.0.keygen openssh-5.9p0/ssh-keygen.0
+--- openssh-5.9p0/ssh-keygen.0.keygen 2011-08-29 16:30:02.000000000 +0200
++++ openssh-5.9p0/ssh-keygen.0 2011-08-30 13:47:56.208087184 +0200
+@@ -4,7 +4,7 @@ NAME
+ ssh-keygen - authentication key generation, management and conversion
+
+ SYNOPSIS
+- ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment]
++ ssh-keygen [-q] [-o] [-b bits] -t type [-N new_passphrase] [-C comment]
+ [-f output_keyfile]
+ ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
+ ssh-keygen -i [-m key_format] [-f input_keyfile]
+@@ -181,6 +181,8 @@ DESCRIPTION
+ principals may be specified, separated by commas. Please see the
+ CERTIFICATES section for details.
+
++ -o Overwrite the key without prompting user.
++
+ -O option
+ Specify a certificate option when signing a key. This option may
+ be specified multiple times. Please see the CERTIFICATES section
+diff -up openssh-5.9p0/ssh-keygen.1.keygen openssh-5.9p0/ssh-keygen.1
+--- openssh-5.9p0/ssh-keygen.1.keygen 2011-08-30 13:32:30.787149917 +0200
++++ openssh-5.9p0/ssh-keygen.1 2011-08-30 13:46:42.638087171 +0200
+@@ -45,6 +45,7 @@
+ .Bk -words
+ .Nm ssh-keygen
+ .Op Fl q
++.Op Fl o
+ .Op Fl b Ar bits
+ .Fl t Ar type
+ .Op Fl N Ar new_passphrase
+@@ -339,6 +340,8 @@ Multiple principals may be specified, se
+ Please see the
+ .Sx CERTIFICATES
+ section for details.
++.It Fl o
++Overwrite the key without prompting user.
+ .It Fl O Ar option
+ Specify a certificate option when signing a key.
+ This option may be specified multiple times.
+diff -up openssh-5.9p0/ssh-keygen.c.keygen openssh-5.9p0/ssh-keygen.c
+--- openssh-5.9p0/ssh-keygen.c.keygen 2011-08-30 13:32:20.268149992 +0200
++++ openssh-5.9p0/ssh-keygen.c 2011-08-30 13:39:34.550214102 +0200
+@@ -73,6 +73,7 @@ int change_passphrase = 0;
+ int change_comment = 0;
+
+ int quiet = 0;
++int overwrite = 0;
+
+ int log_level = SYSLOG_LEVEL_INFO;
+
+@@ -1959,7 +1960,7 @@ main(int argc, char **argv)
+ exit(1);
+ }
+
+- while ((opt = getopt(argc, argv, "AegiqpclBHLhvxXyF:b:f:t:D:I:P:m:N:n:"
++ while ((opt = getopt(argc, argv, "AegiqopclBHLhvxXyF:b:f:t:D:I:P:m:N:n:"
+ "O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) {
+ switch (opt) {
+ case 'A':
+@@ -2042,6 +2043,9 @@ main(int argc, char **argv)
+ case 'q':
+ quiet = 1;
+ break;
++ case 'o':
++ overwrite = 1;
++ break;
+ case 'e':
+ case 'x':
+ /* export key */
+@@ -2278,7 +2282,7 @@ main(int argc, char **argv)
+ }
+ }
+ /* If the file already exists, ask the user to confirm. */
+- if (stat(identity_file, &st) >= 0) {
++ if (!overwrite && stat(identity_file, &st) >= 0) {
+ char yesno[3];
+ printf("%s already exists.\n", identity_file);
+ printf("Overwrite (y/n)? ");
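Review bot: With `-o`, the `!overwrite &&` short-circuit on `if (!overwrite && stat(identity_file, &st) >= 0)` skips the only guard against clobbering an existing private key, and the replacement happens with no backup and no message; that is clearly the intent, but the option text added elsewhere in this patch only says "Overwrite the key without prompting user" and should spell out the consequence, e.g. `Overwrite an existing key file without prompting; the previous key is not recoverable.` (and "prompting the user"). The option letter appears to be distribution-local rather than upstream, so a comment next to `int overwrite = 0;` marking it as such (`/* distribution-local: -o skips the overwrite prompt */`) would make future rebases easier to reconcile. main() starts and ends outside the hunk.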
-diff -up openssh-5.8p1/auth-krb5.c.kuserok openssh-5.8p1/auth-krb5.c
---- openssh-5.8p1/auth-krb5.c.kuserok 2009-12-21 00:49:22.000000000 +0100
-+++ openssh-5.8p1/auth-krb5.c 2011-02-14 09:15:12.000000000 +0100
+diff -up openssh-5.9p0/auth-krb5.c.kuserok openssh-5.9p0/auth-krb5.c
+--- openssh-5.9p0/auth-krb5.c.kuserok 2011-08-30 16:37:32.651150128 +0200
++++ openssh-5.9p0/auth-krb5.c 2011-08-30 16:37:37.549087368 +0200
@@ -54,6 +54,20 @@
extern ServerOptions options;
problem = -1;
goto out;
}
-diff -up openssh-5.8p1/gss-serv-krb5.c.kuserok openssh-5.8p1/gss-serv-krb5.c
---- openssh-5.8p1/gss-serv-krb5.c.kuserok 2006-09-01 07:38:36.000000000 +0200
-+++ openssh-5.8p1/gss-serv-krb5.c 2011-02-14 09:15:12.000000000 +0100
-@@ -57,6 +57,7 @@ extern ServerOptions options;
- #endif
+diff -up openssh-5.9p0/gss-serv-krb5.c.kuserok openssh-5.9p0/gss-serv-krb5.c
+--- openssh-5.9p0/gss-serv-krb5.c.kuserok 2011-08-30 16:37:36.988024804 +0200
++++ openssh-5.9p0/gss-serv-krb5.c 2011-08-30 16:37:37.659088030 +0200
+@@ -68,6 +68,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
+ int);
static krb5_context krb_context = NULL;
+extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *);
/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
-@@ -97,7 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
- krb5_get_err_text(krb_context, retval));
- return 0;
- }
-- if (krb5_kuserok(krb_context, princ, name)) {
-+ if (ssh_krb5_kuserok(krb_context, princ, name)) {
+@@ -115,7 +116,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
+ /* NOTE: .k5login and .k5users must opened as root, not the user,
+ * because if they are on a krb5-protected filesystem, user credentials
+ * to access these files aren't available yet. */
+- if (krb5_kuserok(krb_context, princ, luser) && k5login_exists) {
++ if (ssh_krb5_kuserok(krb_context, princ, luser) && k5login_exists) {
retval = 1;
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
- name, (char *)client->displayname.value);
-diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c
---- openssh-5.8p1/servconf.c.kuserok 2011-02-14 09:15:12.000000000 +0100
-+++ openssh-5.8p1/servconf.c 2011-02-14 09:20:22.000000000 +0100
-@@ -142,6 +142,7 @@ initialize_server_options(ServerOptions
+ luser, (char *)client->displayname.value);
+diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
+--- openssh-5.9p0/servconf.c.kuserok 2011-08-30 16:37:35.093073603 +0200
++++ openssh-5.9p0/servconf.c 2011-08-30 16:41:13.568087145 +0200
+@@ -144,6 +144,7 @@ initialize_server_options(ServerOptions
options->authorized_principals_file = NULL;
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
void
@@ -291,6 +292,8 @@ fill_default_server_options(ServerOption
- if (use_privsep == -1)
- use_privsep = 1;
-
+ options->ip_qos_bulk = IPTOS_THROUGHPUT;
+ if (options->show_patchlevel == -1)
+ options->show_patchlevel = 0;
+ if (options->use_kuserok == -1)
+ options->use_kuserok = 1;
- #ifndef HAVE_MMAP
- if (use_privsep && options->compression == 1) {
- error("This platform does not support both privilege "
-@@ -312,7 +315,7 @@ typedef enum {
+
+ /* Turn privilege separation on by default */
+ if (use_privsep == -1)
+@@ -317,7 +320,7 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
sKerberosTgtPassing, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
-@@ -381,11 +384,13 @@ static struct {
+@@ -388,11 +391,13 @@ static struct {
#else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
#endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
-@@ -1341,6 +1346,10 @@ process_server_config_line(ServerOptions
+@@ -1371,6 +1376,10 @@ process_server_config_line(ServerOptions
*activep = value;
break;
case sPermitOpen:
arg = strdelim(&cp);
if (!arg || *arg == '\0')
-@@ -1544,6 +1553,7 @@ copy_set_server_options(ServerOptions *d
+@@ -1580,6 +1589,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(max_authtries);
M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk);
+ M_CP_INTOPT(use_kuserok);
- M_CP_STROPT(banner);
- if (preauth)
-@@ -1764,6 +1774,7 @@ dump_config(ServerOptions *o)
+ /* See comment in servconf.h */
+ COPY_MATCH_STRING_OPTS();
+@@ -1816,6 +1826,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
-diff -up openssh-5.8p1/servconf.h.kuserok openssh-5.8p1/servconf.h
---- openssh-5.8p1/servconf.h.kuserok 2011-02-14 09:15:12.000000000 +0100
-+++ openssh-5.8p1/servconf.h 2011-02-14 09:15:12.000000000 +0100
-@@ -157,6 +157,7 @@ typedef struct {
+diff -up openssh-5.9p0/servconf.h.kuserok openssh-5.9p0/servconf.h
+--- openssh-5.9p0/servconf.h.kuserok 2011-08-30 16:37:35.201051957 +0200
++++ openssh-5.9p0/servconf.h 2011-08-30 16:37:37.926087431 +0200
+@@ -166,6 +166,7 @@ typedef struct {
int num_permitted_opens;
char *chroot_directory;
char *revoked_keys_file;
char *trusted_user_ca_keys;
-diff -up openssh-5.8p1/sshd_config.5.kuserok openssh-5.8p1/sshd_config.5
---- openssh-5.8p1/sshd_config.5.kuserok 2011-02-14 09:15:12.000000000 +0100
-+++ openssh-5.8p1/sshd_config.5 2011-02-14 09:17:11.000000000 +0100
-@@ -574,6 +574,10 @@ Specifies whether to automatically destr
+diff -up openssh-5.9p0/sshd_config.5.kuserok openssh-5.9p0/sshd_config.5
+--- openssh-5.9p0/sshd_config.5.kuserok 2011-08-30 16:37:35.979024607 +0200
++++ openssh-5.9p0/sshd_config.5 2011-08-30 16:37:38.040087843 +0200
+@@ -603,6 +603,10 @@ Specifies whether to automatically destr
file on logout.
The default is
.Dq yes .
.It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
-@@ -715,6 +719,7 @@ Available keywords are
+@@ -746,6 +750,7 @@ Available keywords are
.Cm HostbasedUsesNameFromPacketOnly ,
.Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication ,
.Cm MaxAuthTries ,
.Cm MaxSessions ,
.Cm PubkeyAuthentication ,
-diff -up openssh-5.8p1/sshd_config.kuserok openssh-5.8p1/sshd_config
---- openssh-5.8p1/sshd_config.kuserok 2011-02-14 09:15:12.000000000 +0100
-+++ openssh-5.8p1/sshd_config 2011-02-14 09:15:12.000000000 +0100
-@@ -73,6 +73,7 @@ ChallengeResponseAuthentication no
+diff -up openssh-5.9p0/sshd_config.kuserok openssh-5.9p0/sshd_config
+--- openssh-5.9p0/sshd_config.kuserok 2011-08-30 16:37:36.808026328 +0200
++++ openssh-5.9p0/sshd_config 2011-08-30 16:37:38.148071520 +0200
+@@ -77,6 +77,7 @@ ChallengeResponseAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
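Review bot: In the gss-serv-krb5.c hunk, `extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *);` is declared locally in the .c file instead of in a header shared with the file that defines it (auth-krb5.c, per the first hunk), so the compiler cannot check that the two sides agree if either is later changed. Move the prototype into the header both files already include (auth.h looks like the natural place, though the include lists are outside the visible hunks) and drop the local extern. The rest of the rebase — the `name` to `luser` rename and the `k5login_exists` condition — is context from upstream and is not changed by this patch.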
-diff -up openssh-5.8p1/misc.c.mls openssh-5.8p1/misc.c
---- openssh-5.8p1/misc.c.mls 2011-01-13 02:21:36.000000000 +0100
-+++ openssh-5.8p1/misc.c 2011-02-12 15:05:06.000000000 +0100
+diff -up openssh-5.9p0/misc.c.mls openssh-5.9p0/misc.c
+--- openssh-5.9p0/misc.c.mls 2011-05-05 06:14:34.000000000 +0200
++++ openssh-5.9p0/misc.c 2011-08-30 12:29:29.157087474 +0200
@@ -427,6 +427,7 @@ char *
colon(char *cp)
{
}
return NULL;
}
-diff -up openssh-5.8p1/openbsd-compat/port-linux.c.mls openssh-5.8p1/openbsd-compat/port-linux.c
---- openssh-5.8p1/openbsd-compat/port-linux.c.mls 2011-02-12 15:05:06.000000000 +0100
-+++ openssh-5.8p1/openbsd-compat/port-linux.c 2011-02-12 15:09:23.000000000 +0100
-@@ -40,13 +40,164 @@
+diff -up openssh-5.9p0/openbsd-compat/port-linux.c.mls openssh-5.9p0/openbsd-compat/port-linux.c
+--- openssh-5.9p0/openbsd-compat/port-linux.c.mls 2011-08-30 12:29:28.873086987 +0200
++++ openssh-5.9p0/openbsd-compat/port-linux.c 2011-08-30 13:28:12.584149668 +0200
+@@ -40,7 +40,15 @@
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
#include <selinux/flask.h>
+#include <unistd.h>
+#endif
- extern ServerOptions options;
- extern Authctxt *the_authctxt;
+ #ifndef SSH_SELINUX_UNCONFINED_TYPE
+ # define SSH_SELINUX_UNCONFINED_TYPE ":unconfined_t:"
+@@ -51,6 +59,149 @@ extern Authctxt *the_authctxt;
extern int inetd_flag;
extern int rexeced_flag;
static void
ssh_selinux_get_role_level(char **role, const char **level)
{
-@@ -65,14 +216,16 @@ ssh_selinux_get_role_level(char **role,
+@@ -69,14 +220,15 @@ ssh_selinux_get_role_level(char **role,
}
/* Return the default security context for the given username */
+ssh_selinux_getctxbyname(char *pwname,
+ security_context_t *default_sc, security_context_t *user_sc)
{
- security_context_t sc = NULL;
+- security_context_t sc = NULL;
char *sename, *lvl;
char *role;
const char *reqlvl;
int r = 0;
-+ context_t con;
-
++ context_t con = NULL;
+
ssh_selinux_get_role_level(&role, &reqlvl);
- #ifdef HAVE_GETSEUSERBYNAME
-@@ -82,38 +235,63 @@ ssh_selinux_getctxbyname(char *pwname)
+
+@@ -87,37 +239,62 @@ ssh_selinux_getctxbyname(char *pwname)
}
#else
sename = pwname;
+ reqlvl = "";
+
+ debug("%s: current connection level '%s'", __func__, reqlvl);
-+ }
+ }
+
+ if ((reqlvl != NULL && reqlvl[0]) || (role != NULL && role[0])) {
+ r = get_user_context(sename, role, reqlvl, user_sc);
+ }
+ } else {
+ *user_sc = *default_sc;
- }
- }
++ }
++ }
+ if (r != 0) {
+ error("%s: Failed to get default SELinux security "
+ "context for %s", __func__, pwname);
-+ }
+ }
#ifdef HAVE_GETSEUSERBYNAME
- if (sename != NULL)
-@@ -121,8 +299,12 @@ ssh_selinux_getctxbyname(char *pwname)
+@@ -126,8 +303,12 @@ ssh_selinux_getctxbyname(char *pwname)
if (lvl != NULL)
xfree(lvl);
#endif
}
/* Setup environment variables for pam_selinux */
-@@ -160,6 +342,8 @@ void
+@@ -165,6 +346,8 @@ void
ssh_selinux_setup_exec_context(char *pwname)
{
security_context_t user_ctx = NULL;
if (!ssh_selinux_enabled())
return;
-@@ -184,22 +368,45 @@ ssh_selinux_setup_exec_context(char *pwn
+@@ -189,22 +372,45 @@ ssh_selinux_setup_exec_context(char *pwn
debug3("%s: setting execution context", __func__);
debug3("%s: done", __func__);
}
-@@ -217,7 +424,10 @@ ssh_selinux_setup_pty(char *pwname, cons
+@@ -222,7 +428,10 @@ ssh_selinux_setup_pty(char *pwname, cons
debug3("%s: setting TTY context on %s", __func__, tty);
/* XXX: should these calls fatal() upon failure in enforcing mode? */
-diff -up openssh-5.8p1/sshd.c.mls openssh-5.8p1/sshd.c
---- openssh-5.8p1/sshd.c.mls 2011-02-12 15:05:05.000000000 +0100
-+++ openssh-5.8p1/sshd.c 2011-02-12 15:05:06.000000000 +0100
-@@ -2011,6 +2011,9 @@ main(int ac, char **av)
+diff -up openssh-5.9p0/sshd.c.mls openssh-5.9p0/sshd.c
+--- openssh-5.9p0/sshd.c.mls 2011-08-30 12:29:22.663149706 +0200
++++ openssh-5.9p0/sshd.c 2011-08-30 12:29:29.524024777 +0200
+@@ -2082,6 +2082,9 @@ main(int ac, char **av)
restore_uid();
}
#endif
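Review bot: In the port-linux.c hunk for `ssh_selinux_getctxbyname()`, `*user_sc = *default_sc;` makes both out-parameters point at the same `security_context_t` allocation; if the caller releases each with `freecon()` that is a double free, and if it releases only one the contract is implicit and fragile. Either return `*user_sc = NULL` and have the caller treat NULL as "use the default context", or hand out a separate copy, and state in a comment which one it is (the caller is outside the visible hunks, so this needs confirming). Separately, the `r != 0` path only calls `error()` and lets the function continue with whatever the out-parameters now hold; check that the caller treats a missing context as fatal in enforcing mode rather than proceeding with an unintended one. The function continues past the end of the hunk.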
--- /dev/null
+diff -up openssh-5.9p0/entropy.c.randclean openssh-5.9p0/entropy.c
+--- openssh-5.9p0/entropy.c.randclean 2011-08-30 13:52:45.000000000 +0200
++++ openssh-5.9p0/entropy.c 2011-08-30 13:57:44.630111338 +0200
+@@ -217,6 +217,9 @@ seed_rng(void)
+ fatal("OpenSSL version mismatch. Built against %lx, you "
+ "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
+
++ /* clean the PRNG status when exiting the program */
++ atexit(RAND_cleanup);
++
+ #ifndef OPENSSL_PRNG_ONLY
+ if (RAND_status() == 1) {
+ debug3("RNG is ready, skipping seeding");
-diff -up openssh-5.8p1/auth1.c.role openssh-5.8p1/auth1.c
---- openssh-5.8p1/auth1.c.role 2010-08-31 14:36:39.000000000 +0200
-+++ openssh-5.8p1/auth1.c 2011-02-12 14:34:11.000000000 +0100
+diff -up openssh-5.9p0/auth-pam.c.role openssh-5.9p0/auth-pam.c
+--- openssh-5.9p0/auth-pam.c.role 2009-07-12 14:07:21.000000000 +0200
++++ openssh-5.9p0/auth-pam.c 2011-08-31 11:42:54.870087433 +0200
+@@ -1069,7 +1069,7 @@ is_pam_session_open(void)
+ * during the ssh authentication process.
+ */
+ int
+-do_pam_putenv(char *name, char *value)
++do_pam_putenv(char *name, const char *value)
+ {
+ int ret = 1;
+ #ifdef HAVE_PAM_PUTENV
+diff -up openssh-5.9p0/auth-pam.h.role openssh-5.9p0/auth-pam.h
+--- openssh-5.9p0/auth-pam.h.role 2004-09-11 14:17:26.000000000 +0200
++++ openssh-5.9p0/auth-pam.h 2011-08-31 11:42:54.979086333 +0200
+@@ -38,7 +38,7 @@ void do_pam_session(void);
+ void do_pam_set_tty(const char *);
+ void do_pam_setcred(int );
+ void do_pam_chauthtok(void);
+-int do_pam_putenv(char *, char *);
++int do_pam_putenv(char *, const char *);
+ char ** fetch_pam_environment(void);
+ char ** fetch_pam_child_environment(void);
+ void free_pam_environment(char **);
+diff -up openssh-5.9p0/auth.h.role openssh-5.9p0/auth.h
+--- openssh-5.9p0/auth.h.role 2011-08-31 11:42:47.760024631 +0200
++++ openssh-5.9p0/auth.h 2011-08-31 11:42:55.090151027 +0200
+@@ -59,6 +59,9 @@ struct Authctxt {
+ char *service;
+ struct passwd *pw; /* set if 'valid' */
+ char *style;
++#ifdef WITH_SELINUX
++ char *role;
++#endif
+ void *kbdintctxt;
+ void *jpake_ctx;
+ #ifdef BSD_AUTH
+diff -up openssh-5.9p0/auth1.c.role openssh-5.9p0/auth1.c
+--- openssh-5.9p0/auth1.c.role 2010-08-31 14:36:39.000000000 +0200
++++ openssh-5.9p0/auth1.c 2011-08-31 11:42:55.215033075 +0200
@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
{
u_int ulen;
/* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
-diff -up openssh-5.8p1/auth2.c.role openssh-5.8p1/auth2.c
---- openssh-5.8p1/auth2.c.role 2010-08-31 14:36:39.000000000 +0200
-+++ openssh-5.8p1/auth2.c 2011-02-12 14:34:11.000000000 +0100
-@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32
- Authctxt *authctxt = ctxt;
- Authmethod *m = NULL;
- char *user, *service, *method, *style = NULL;
-+#ifdef WITH_SELINUX
-+ char *role = NULL;
-+#endif
- int authenticated = 0;
-
- if (authctxt == NULL)
-@@ -227,6 +230,11 @@ input_userauth_request(int type, u_int32
- debug("userauth-request for user %s service %s method %s", user, service, method);
- debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
-
-+#ifdef WITH_SELINUX
-+ if ((role = strchr(user, '/')) != NULL)
-+ *role++ = 0;
-+#endif
-+
- if ((style = strchr(user, ':')) != NULL)
- *style++ = 0;
-
-@@ -252,8 +260,15 @@ input_userauth_request(int type, u_int32
- use_privsep ? " [net]" : "");
- authctxt->service = xstrdup(service);
- authctxt->style = style ? xstrdup(style) : NULL;
-- if (use_privsep)
-+#ifdef WITH_SELINUX
-+ authctxt->role = role ? xstrdup(role) : NULL;
-+#endif
-+ if (use_privsep) {
- mm_inform_authserv(service, style);
-+#ifdef WITH_SELINUX
-+ mm_inform_authrole(role);
-+#endif
-+ }
- userauth_banner();
- } else if (strcmp(user, authctxt->user) != 0 ||
- strcmp(service, authctxt->service) != 0) {
-diff -up openssh-5.8p1/auth2-gss.c.role openssh-5.8p1/auth2-gss.c
---- openssh-5.8p1/auth2-gss.c.role 2007-12-02 12:59:45.000000000 +0100
-+++ openssh-5.8p1/auth2-gss.c 2011-02-12 14:34:11.000000000 +0100
-@@ -258,6 +258,7 @@ input_gssapi_mic(int type, u_int32_t ple
+diff -up openssh-5.9p0/auth2-gss.c.role openssh-5.9p0/auth2-gss.c
+--- openssh-5.9p0/auth2-gss.c.role 2011-05-05 06:04:11.000000000 +0200
++++ openssh-5.9p0/auth2-gss.c 2011-08-31 11:42:55.313025576 +0200
+@@ -260,6 +260,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
int authenticated = 0;
Buffer b;
gss_buffer_desc mic, gssbuf;
u_int len;
-@@ -270,7 +271,13 @@ input_gssapi_mic(int type, u_int32_t ple
+@@ -272,7 +273,13 @@ input_gssapi_mic(int type, u_int32_t ple
mic.value = packet_get_string(&len);
mic.length = len;
"gssapi-with-mic");
gssbuf.value = buffer_ptr(&b);
-@@ -282,6 +289,8 @@ input_gssapi_mic(int type, u_int32_t ple
+@@ -284,6 +291,8 @@ input_gssapi_mic(int type, u_int32_t ple
logit("GSSAPI MIC check failed");
buffer_free(&b);
xfree(mic.value);
authctxt->postponed = 0;
-diff -up openssh-5.8p1/auth2-hostbased.c.role openssh-5.8p1/auth2-hostbased.c
---- openssh-5.8p1/auth2-hostbased.c.role 2011-02-12 14:34:10.000000000 +0100
-+++ openssh-5.8p1/auth2-hostbased.c 2011-02-12 14:34:11.000000000 +0100
+diff -up openssh-5.9p0/auth2-hostbased.c.role openssh-5.9p0/auth2-hostbased.c
+--- openssh-5.9p0/auth2-hostbased.c.role 2011-08-31 11:42:47.863023264 +0200
++++ openssh-5.9p0/auth2-hostbased.c 2011-08-31 11:42:55.421024814 +0200
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
buffer_put_string(&b, session_id2, session_id2_len);
/* reconstruct packet */
buffer_put_cstring(&b, service);
buffer_put_cstring(&b, "hostbased");
buffer_put_string(&b, pkalg, alen);
-diff -up openssh-5.8p1/auth2-pubkey.c.role openssh-5.8p1/auth2-pubkey.c
---- openssh-5.8p1/auth2-pubkey.c.role 2011-02-12 14:34:11.000000000 +0100
-+++ openssh-5.8p1/auth2-pubkey.c 2011-02-12 14:34:11.000000000 +0100
-@@ -122,7 +122,15 @@ userauth_pubkey(Authctxt *authctxt)
+diff -up openssh-5.9p0/auth2-pubkey.c.role openssh-5.9p0/auth2-pubkey.c
+--- openssh-5.9p0/auth2-pubkey.c.role 2011-08-31 11:42:47.978087418 +0200
++++ openssh-5.9p0/auth2-pubkey.c 2011-08-31 11:42:55.551025263 +0200
+@@ -121,7 +121,15 @@ userauth_pubkey(Authctxt *authctxt)
}
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
buffer_put_cstring(&b,
datafellows & SSH_BUG_PKSERVICE ?
"ssh-userauth" :
-diff -up openssh-5.8p1/auth.h.role openssh-5.8p1/auth.h
---- openssh-5.8p1/auth.h.role 2011-02-12 14:34:10.000000000 +0100
-+++ openssh-5.8p1/auth.h 2011-02-12 14:34:11.000000000 +0100
-@@ -58,6 +58,9 @@ struct Authctxt {
- char *service;
- struct passwd *pw; /* set if 'valid' */
- char *style;
+diff -up openssh-5.9p0/auth2.c.role openssh-5.9p0/auth2.c
+--- openssh-5.9p0/auth2.c.role 2011-08-31 11:42:45.409026065 +0200
++++ openssh-5.9p0/auth2.c 2011-08-31 11:42:55.676024869 +0200
+@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32
+ Authctxt *authctxt = ctxt;
+ Authmethod *m = NULL;
+ char *user, *service, *method, *style = NULL;
+#ifdef WITH_SELINUX
-+ char *role;
++ char *role = NULL;
+#endif
- void *kbdintctxt;
- void *jpake_ctx;
- #ifdef BSD_AUTH
-diff -up openssh-5.8p1/auth-pam.c.role openssh-5.8p1/auth-pam.c
---- openssh-5.8p1/auth-pam.c.role 2009-07-12 14:07:21.000000000 +0200
-+++ openssh-5.8p1/auth-pam.c 2011-02-12 14:34:11.000000000 +0100
-@@ -1069,7 +1069,7 @@ is_pam_session_open(void)
- * during the ssh authentication process.
- */
- int
--do_pam_putenv(char *name, char *value)
-+do_pam_putenv(char *name, const char *value)
- {
- int ret = 1;
- #ifdef HAVE_PAM_PUTENV
-diff -up openssh-5.8p1/auth-pam.h.role openssh-5.8p1/auth-pam.h
---- openssh-5.8p1/auth-pam.h.role 2004-09-11 14:17:26.000000000 +0200
-+++ openssh-5.8p1/auth-pam.h 2011-02-12 14:34:11.000000000 +0100
-@@ -38,7 +38,7 @@ void do_pam_session(void);
- void do_pam_set_tty(const char *);
- void do_pam_setcred(int );
- void do_pam_chauthtok(void);
--int do_pam_putenv(char *, char *);
-+int do_pam_putenv(char *, const char *);
- char ** fetch_pam_environment(void);
- char ** fetch_pam_child_environment(void);
- void free_pam_environment(char **);
-diff -up openssh-5.8p1/monitor.c.role openssh-5.8p1/monitor.c
---- openssh-5.8p1/monitor.c.role 2011-02-12 14:34:11.000000000 +0100
-+++ openssh-5.8p1/monitor.c 2011-02-12 14:34:11.000000000 +0100
-@@ -138,6 +138,9 @@ int mm_answer_sign(int, Buffer *);
+ int authenticated = 0;
+
+ if (authctxt == NULL)
+@@ -227,6 +230,11 @@ input_userauth_request(int type, u_int32
+ debug("userauth-request for user %s service %s method %s", user, service, method);
+ debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+
++#ifdef WITH_SELINUX
++ if ((role = strchr(user, '/')) != NULL)
++ *role++ = 0;
++#endif
++
+ if ((style = strchr(user, ':')) != NULL)
+ *style++ = 0;
+
+@@ -249,8 +257,15 @@ input_userauth_request(int type, u_int32
+ use_privsep ? " [net]" : "");
+ authctxt->service = xstrdup(service);
+ authctxt->style = style ? xstrdup(style) : NULL;
+- if (use_privsep)
++#ifdef WITH_SELINUX
++ authctxt->role = role ? xstrdup(role) : NULL;
++#endif
++ if (use_privsep) {
+ mm_inform_authserv(service, style);
++#ifdef WITH_SELINUX
++ mm_inform_authrole(role);
++#endif
++ }
+ userauth_banner();
+ } else if (strcmp(user, authctxt->user) != 0 ||
+ strcmp(service, authctxt->service) != 0) {
+diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
+--- openssh-5.9p0/monitor.c.role 2011-08-31 11:42:53.301024819 +0200
++++ openssh-5.9p0/monitor.c 2011-08-31 11:42:55.796025812 +0200
+@@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *);
int mm_answer_pwnamallow(int, Buffer *);
int mm_answer_auth2_read_banner(int, Buffer *);
int mm_answer_authserv(int, Buffer *);
int mm_answer_authpassword(int, Buffer *);
int mm_answer_bsdauthquery(int, Buffer *);
int mm_answer_bsdauthrespond(int, Buffer *);
-@@ -218,6 +221,9 @@ struct mon_table mon_dispatch_proto20[]
+@@ -231,6 +234,9 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
-@@ -703,6 +709,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
+@@ -819,6 +825,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
else {
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+#endif
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
}
-
-@@ -747,6 +756,25 @@ mm_answer_authserv(int sock, Buffer *m)
+ #ifdef USE_PAM
+@@ -862,6 +871,25 @@ mm_answer_authserv(int sock, Buffer *m)
return (0);
}
int
mm_answer_authpassword(int sock, Buffer *m)
{
-@@ -1112,7 +1140,7 @@ static int
+@@ -1227,7 +1255,7 @@ static int
monitor_valid_userblob(u_char *data, u_int datalen)
{
Buffer b;
u_int len;
int fail = 0;
-@@ -1138,6 +1166,8 @@ monitor_valid_userblob(u_char *data, u_i
+@@ -1253,6 +1281,8 @@ monitor_valid_userblob(u_char *data, u_i
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_string(&b, NULL);
if (strcmp(authctxt->user, p) != 0) {
logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p);
-@@ -1169,7 +1199,7 @@ monitor_valid_hostbasedblob(u_char *data
+@@ -1284,7 +1314,7 @@ monitor_valid_hostbasedblob(u_char *data
char *chost)
{
Buffer b;
u_int len;
int fail = 0;
-@@ -1186,6 +1216,8 @@ monitor_valid_hostbasedblob(u_char *data
+@@ -1301,6 +1331,8 @@ monitor_valid_hostbasedblob(u_char *data
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_string(&b, NULL);
if (strcmp(authctxt->user, p) != 0) {
logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p);
-diff -up openssh-5.8p1/monitor.h.role openssh-5.8p1/monitor.h
---- openssh-5.8p1/monitor.h.role 2011-02-12 14:34:11.000000000 +0100
-+++ openssh-5.8p1/monitor.h 2011-02-12 14:34:11.000000000 +0100
+diff -up openssh-5.9p0/monitor.h.role openssh-5.9p0/monitor.h
+--- openssh-5.9p0/monitor.h.role 2011-08-31 11:42:53.409025333 +0200
++++ openssh-5.9p0/monitor.h 2011-08-31 11:42:55.889024801 +0200
@@ -31,6 +31,9 @@
enum monitor_reqtype {
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
-diff -up openssh-5.8p1/monitor_wrap.c.role openssh-5.8p1/monitor_wrap.c
---- openssh-5.8p1/monitor_wrap.c.role 2011-02-12 14:34:11.000000000 +0100
-+++ openssh-5.8p1/monitor_wrap.c 2011-02-12 14:34:11.000000000 +0100
-@@ -298,6 +298,25 @@ mm_inform_authserv(char *service, char *
+diff -up openssh-5.9p0/monitor_wrap.c.role openssh-5.9p0/monitor_wrap.c
+--- openssh-5.9p0/monitor_wrap.c.role 2011-08-31 11:42:53.548024503 +0200
++++ openssh-5.9p0/monitor_wrap.c 2011-08-31 11:42:56.029024553 +0200
+@@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char *
buffer_free(&m);
}
/* Do the password authentication */
int
mm_auth_password(Authctxt *authctxt, char *password)
-diff -up openssh-5.8p1/monitor_wrap.h.role openssh-5.8p1/monitor_wrap.h
---- openssh-5.8p1/monitor_wrap.h.role 2011-02-12 14:34:11.000000000 +0100
-+++ openssh-5.8p1/monitor_wrap.h 2011-02-12 14:34:11.000000000 +0100
-@@ -41,6 +41,9 @@ int mm_is_monitor(void);
+diff -up openssh-5.9p0/monitor_wrap.h.role openssh-5.9p0/monitor_wrap.h
+--- openssh-5.9p0/monitor_wrap.h.role 2011-08-31 11:42:53.660025271 +0200
++++ openssh-5.9p0/monitor_wrap.h 2011-08-31 11:42:56.131025748 +0200
+@@ -42,6 +42,9 @@ int mm_is_monitor(void);
DH *mm_choose_dh(int, int, int);
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
void mm_inform_authserv(char *, char *);
struct passwd *mm_getpwnamallow(const char *);
char *mm_auth2_read_banner(void);
int mm_auth_password(struct Authctxt *, char *);
-diff -up openssh-5.8p1/openbsd-compat/Makefile.in.role openssh-5.8p1/openbsd-compat/Makefile.in
---- openssh-5.8p1/openbsd-compat/Makefile.in.role 2010-10-07 13:19:24.000000000 +0200
-+++ openssh-5.8p1/openbsd-compat/Makefile.in 2011-02-12 14:34:11.000000000 +0100
+diff -up openssh-5.9p0/openbsd-compat/Makefile.in.role openssh-5.9p0/openbsd-compat/Makefile.in
+--- openssh-5.9p0/openbsd-compat/Makefile.in.role 2010-10-07 13:19:24.000000000 +0200
++++ openssh-5.9p0/openbsd-compat/Makefile.in 2011-08-31 11:48:02.404091479 +0200
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
.c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
-diff -up openssh-5.8p1/openbsd-compat/port-linux.c.role openssh-5.8p1/openbsd-compat/port-linux.c
---- openssh-5.8p1/openbsd-compat/port-linux.c.role 2011-02-12 14:34:11.000000000 +0100
-+++ openssh-5.8p1/openbsd-compat/port-linux.c 2011-02-12 14:37:31.000000000 +0100
-@@ -31,48 +31,73 @@
+diff -up openssh-5.9p0/openbsd-compat/port-linux.c.role openssh-5.9p0/openbsd-compat/port-linux.c
+--- openssh-5.9p0/openbsd-compat/port-linux.c.role 2011-08-29 08:09:57.000000000 +0200
++++ openssh-5.9p0/openbsd-compat/port-linux.c 2011-08-31 11:42:56.492087969 +0200
+@@ -31,7 +31,11 @@
#include "log.h"
#include "xmalloc.h"
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
- #include <selinux/flask.h>
- #include <selinux/get_context_list.h>
+@@ -42,41 +46,63 @@
+ # define SSH_SELINUX_UNCONFINED_TYPE ":unconfined_t:"
+ #endif
-/* Wrapper around is_selinux_enabled() to log its return value once only */
-int
+ char *role;
+ const char *reqlvl;
+ int r = 0;
-
++
+ ssh_selinux_get_role_level(&role, &reqlvl);
+
#ifdef HAVE_GETSEUSERBYNAME
- if (getseuserbyname(pwname, &sename, &lvl) != 0)
- return NULL;
if (r != 0) {
switch (security_getenforce()) {
-@@ -100,6 +125,36 @@ ssh_selinux_getctxbyname(char *pwname)
+@@ -104,6 +130,36 @@ ssh_selinux_getctxbyname(char *pwname)
return (sc);
}
/* Set the execution context to the default for the specified user */
void
ssh_selinux_setup_exec_context(char *pwname)
-@@ -109,6 +164,24 @@ ssh_selinux_setup_exec_context(char *pwn
+@@ -113,6 +169,24 @@ ssh_selinux_setup_exec_context(char *pwn
if (!ssh_selinux_enabled())
return;
debug3("%s: setting execution context", __func__);
user_ctx = ssh_selinux_getctxbyname(pwname);
-@@ -206,21 +279,6 @@ ssh_selinux_change_context(const char *n
+@@ -220,21 +294,6 @@ ssh_selinux_change_context(const char *n
xfree(newctx);
}
#endif /* WITH_SELINUX */
#ifdef LINUX_OOM_ADJUST
-diff -up openssh-5.8p1/openbsd-compat/port-linux_part_2.c.role openssh-5.8p1/openbsd-compat/port-linux_part_2.c
---- openssh-5.8p1/openbsd-compat/port-linux_part_2.c.role 2011-02-12 14:34:11.000000000 +0100
-+++ openssh-5.8p1/openbsd-compat/port-linux_part_2.c 2011-02-12 14:34:11.000000000 +0100
+diff -up openssh-5.9p0/openbsd-compat/port-linux_part_2.c.role openssh-5.9p0/openbsd-compat/port-linux_part_2.c
+--- openssh-5.9p0/openbsd-compat/port-linux_part_2.c.role 2011-08-31 11:42:56.583047619 +0200
++++ openssh-5.9p0/openbsd-compat/port-linux_part_2.c 2011-08-31 11:42:56.586178005 +0200
@@ -0,0 +1,75 @@
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
+
--- /dev/null
+diff -up openssh-5.9p0/openbsd-compat/port-linux.c.sftp-chroot openssh-5.9p0/openbsd-compat/port-linux.c
+--- openssh-5.9p0/openbsd-compat/port-linux.c.sftp-chroot 2011-09-01 04:12:22.743024608 +0200
++++ openssh-5.9p0/openbsd-compat/port-linux.c 2011-09-01 04:12:23.069088065 +0200
+@@ -503,6 +503,23 @@ ssh_selinux_change_context(const char *n
+ xfree(newctx);
+ }
+
++void
++ssh_selinux_copy_context(void)
++{
++ char *ctx;
++
++ if (!ssh_selinux_enabled())
++ return;
++
++ if (getexeccon((security_context_t *)&ctx) < 0) {
++ logit("%s: getcon failed with %s", __func__, strerror (errno));
++ return;
++ }
++ if (setcon(ctx) < 0)
++ logit("%s: setcon failed with %s", __func__, strerror (errno));
++ xfree(ctx);
++}
++
+ #endif /* WITH_SELINUX */
+
+ #ifdef LINUX_OOM_ADJUST
+diff -up openssh-5.9p0/openbsd-compat/port-linux.h.sftp-chroot openssh-5.9p0/openbsd-compat/port-linux.h
+--- openssh-5.9p0/openbsd-compat/port-linux.h.sftp-chroot 2011-01-25 02:16:18.000000000 +0100
++++ openssh-5.9p0/openbsd-compat/port-linux.h 2011-09-01 04:12:23.163088777 +0200
+@@ -24,6 +24,7 @@ int ssh_selinux_enabled(void);
+ void ssh_selinux_setup_pty(char *, const char *);
+ void ssh_selinux_setup_exec_context(char *);
+ void ssh_selinux_change_context(const char *);
++void ssh_selinux_chopy_context(void);
+ void ssh_selinux_setfscreatecon(const char *);
+ #endif
+
+diff -up openssh-5.9p0/session.c.sftp-chroot openssh-5.9p0/session.c
+--- openssh-5.9p0/session.c.sftp-chroot 2011-09-01 04:12:19.698049195 +0200
++++ openssh-5.9p0/session.c 2011-09-01 04:40:03.598148719 +0200
+@@ -1519,6 +1519,9 @@ do_setusercontext(struct passwd *pw)
+ pw->pw_uid);
+ chroot_path = percent_expand(tmp, "h", pw->pw_dir,
+ "u", pw->pw_name, (char *)NULL);
++#ifdef WITH_SELINUX
++ ssh_selinux_change_context("chroot_user_t");
++#endif
+ safely_chroot(chroot_path, pw->pw_uid);
+ free(tmp);
+ free(chroot_path);
+@@ -1788,7 +1791,10 @@ do_child(Session *s, const char *command
+ optind = optreset = 1;
+ __progname = argv[0];
+ #ifdef WITH_SELINUX
+- ssh_selinux_change_context("sftpd_t");
++ if (options.chroot_directory == NULL ||
++ strcasecmp(options.chroot_directory, "none") == 0) {
++ ssh_selinux_copy_context();
++ }
+ #endif
+ exit(sftp_server_main(i, argv, s->pw));
+ }
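Review bot: The prototype added to port-linux.h is misspelled — `void ssh_selinux_chopy_context(void);` — while the definition in port-linux.c and the new call in do_child() both use `ssh_selinux_copy_context`, so the header never declares the real function and session.c ends up calling it through an implicit declaration; the header line should read `void ssh_selinux_copy_context(void);`. Inside ssh_selinux_copy_context() the failure path calls getexeccon() but logs "getcon failed", which points whoever is debugging at the wrong libselinux call. getexeccon() can also succeed and leave ctx NULL when no exec context has been set, and the code then hands NULL to setcon() and to xfree(), which in this tree presumably does not accept NULL; add `if (ctx == NULL) return;` right after the getexeccon() call. With a ChrootDirectory configured the sftp branch now makes no context change at all and relies on the `chroot_user_t` transition done earlier in do_setusercontext(), which is only partly visible in this hunk.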
--- /dev/null
+diff -up openssh-5.9p0/configure.ac.vendor openssh-5.9p0/configure.ac
+--- openssh-5.9p0/configure.ac.vendor 2011-09-03 20:24:29.899501572 +0200
++++ openssh-5.9p0/configure.ac 2011-09-03 20:24:39.153501595 +0200
+@@ -4131,6 +4131,12 @@ AC_ARG_WITH([lastlog],
+ fi
+ ]
+ )
++AC_ARG_ENABLE(vendor-patchlevel,
++ [ --enable-vendor-patchlevel=TAG specify a vendor patch level],
++ [AC_DEFINE_UNQUOTED(SSH_VENDOR_PATCHLEVEL,[SSH_RELEASE "-" "$enableval"],[Define to your vendor patch level, if it has been modified from the upstream source release.])
++ SSH_VENDOR_PATCHLEVEL="$enableval"],
++ [AC_DEFINE(SSH_VENDOR_PATCHLEVEL,SSH_RELEASE,[Define to your vendor patch level, if it has been modified from the upstream source release.])
++ SSH_VENDOR_PATCHLEVEL=none])
+
+ dnl lastlog, [uw]tmpx? detection
+ dnl NOTE: set the paths in the platform section to avoid the
+@@ -4357,6 +4363,7 @@ echo " Translate v4 in v6 hack
+ echo " BSD Auth support: $BSD_AUTH_MSG"
+ echo " Random number source: $RAND_MSG"
+ echo " Privsep sandbox style: $SANDBOX_STYLE"
++echo " Vendor patch level: $SSH_VENDOR_PATCHLEVEL"
+
+ echo ""
+
+diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
+--- openssh-5.9p0/servconf.c.vendor 2011-09-03 20:24:29.080500853 +0200
++++ openssh-5.9p0/servconf.c 2011-09-03 20:27:15.727564566 +0200
+@@ -130,6 +130,7 @@ initialize_server_options(ServerOptions
+ options->max_authtries = -1;
+ options->max_sessions = -1;
+ options->banner = NULL;
++ options->show_patchlevel = -1;
+ options->use_dns = -1;
+ options->client_alive_interval = -1;
+ options->client_alive_count_max = -1;
+@@ -300,6 +301,8 @@ fill_default_server_options(ServerOption
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
+ if (options->ip_qos_bulk == -1)
+ options->ip_qos_bulk = IPTOS_THROUGHPUT;
++ if (options->show_patchlevel == -1)
++ options->show_patchlevel = 0;
+
+ /* Turn privilege separation on by default */
+ if (use_privsep == -1)
+@@ -338,7 +341,7 @@ typedef enum {
+ sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
+ sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
+ sMaxStartups, sMaxAuthTries, sMaxSessions,
+- sBanner, sUseDNS, sHostbasedAuthentication,
++ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
+ sHostbasedUsesNameFromPacketOnly, sTwoFactorAuthentication,
+ sSecondPubkeyAuthentication, sSecondGssAuthentication,
+ sSecondPasswordAuthentication, sSecondKbdInteractiveAuthentication,
+@@ -470,6 +473,7 @@ static struct {
+ { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
+ { "maxsessions", sMaxSessions, SSHCFG_ALL },
+ { "banner", sBanner, SSHCFG_ALL },
++ { "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL },
+ { "usedns", sUseDNS, SSHCFG_GLOBAL },
+ { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
+ { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
+@@ -1152,6 +1156,10 @@ process_server_config_line(ServerOptions
+ multistate_ptr = multistate_privsep;
+ goto parse_multistate;
+
++ case sShowPatchLevel:
++ intptr = &options->show_patchlevel;
++ goto parse_flag;
++
+ case sAllowUsers:
+ while ((arg = strdelim(&cp)) && *arg != '\0') {
+ if (options->num_allow_users >= MAX_ALLOW_USERS)
+@@ -1849,6 +1857,7 @@ dump_config(ServerOptions *o)
+ dump_cfg_fmtint(sUseLogin, o->use_login);
+ dump_cfg_fmtint(sCompression, o->compression);
+ dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
++ dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
+ dump_cfg_fmtint(sUseDNS, o->use_dns);
+ dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
+ dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
+diff -up openssh-5.9p0/servconf.h.vendor openssh-5.9p0/servconf.h
+--- openssh-5.9p0/servconf.h.vendor 2011-09-03 20:24:29.179632045 +0200
++++ openssh-5.9p0/servconf.h 2011-09-03 20:24:39.426502323 +0200
+@@ -148,6 +148,7 @@ typedef struct {
+ int max_authtries;
+ int max_sessions;
+ char *banner; /* SSH-2 banner message */
++ int show_patchlevel; /* Show vendor patch level to clients */
+ int use_dns;
+ int client_alive_interval; /*
+ * poke the client this often to
+diff -up openssh-5.9p0/sshd.c.vendor openssh-5.9p0/sshd.c
+--- openssh-5.9p0/sshd.c.vendor 2011-09-03 20:24:35.987501565 +0200
++++ openssh-5.9p0/sshd.c 2011-09-03 20:24:39.542501643 +0200
+@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in
+ minor = PROTOCOL_MINOR_1;
+ }
+ snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
+- SSH_VERSION, newline);
++ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline);
+ server_version_string = xstrdup(buf);
+
+ /* Send our protocol version identification. */
+@@ -1627,7 +1627,8 @@ main(int ac, char **av)
+ exit(1);
+ }
+
+- debug("sshd version %.100s", SSH_RELEASE);
++ debug("sshd version %.100s",
++ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE);
+
+ /* Store privilege separation user for later use if required. */
+ if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
+diff -up openssh-5.9p0/sshd_config.0.vendor openssh-5.9p0/sshd_config.0
+--- openssh-5.9p0/sshd_config.0.vendor 2011-09-03 20:24:37.524438185 +0200
++++ openssh-5.9p0/sshd_config.0 2011-09-03 20:24:39.677508255 +0200
+@@ -556,6 +556,11 @@ DESCRIPTION
+ Defines the number of bits in the ephemeral protocol version 1
+ server key. The minimum value is 512, and the default is 1024.
+
++ ShowPatchLevel
++ Specifies whether sshd will display the specific patch level of
++ the binary in the server identification string. The patch level
++ is set at compile-time. The default is M-bM-^@M-^\noM-bM-^@M-^].
++
+ StrictModes
+ Specifies whether sshd(8) should check file modes and ownership
+ of the user's files and home directory before accepting login.
+diff -up openssh-5.9p0/sshd_config.5.vendor openssh-5.9p0/sshd_config.5
+--- openssh-5.9p0/sshd_config.5.vendor 2011-09-03 20:24:37.640442022 +0200
++++ openssh-5.9p0/sshd_config.5 2011-09-03 20:24:40.176544206 +0200
+@@ -952,6 +952,14 @@ This option applies to protocol version
+ .It Cm ServerKeyBits
+ Defines the number of bits in the ephemeral protocol version 1 server key.
+ The minimum value is 512, and the default is 1024.
++.It Cm ShowPatchLevel
++Specifies whether
++.Nm sshd
++will display the patch level of the binary in the identification string.
++The patch level is set at compile-time.
++The default is
++.Dq no .
++This option applies to protocol version 1 only.
+ .It Cm StrictModes
+ Specifies whether
+ .Xr sshd 8
+diff -up openssh-5.9p0/sshd_config.vendor openssh-5.9p0/sshd_config
+--- openssh-5.9p0/sshd_config.vendor 2011-09-03 20:24:37.770439735 +0200
++++ openssh-5.9p0/sshd_config 2011-09-03 20:24:40.278628002 +0200
+@@ -120,6 +120,7 @@ X11Forwarding yes
+ #Compression delayed
+ #ClientAliveInterval 0
+ #ClientAliveCountMax 3
++#ShowPatchLevel no
+ #UseDNS yes
+ #PidFile /var/run/sshd.pid
+ #MaxStartups 10
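Review bot: The sshd_config.5 entry added for ShowPatchLevel ends with `This option applies to protocol version 1 only.`, but sshd_exchange_identification() substitutes SSH_VENDOR_PATCHLEVEL into the `SSH-%d.%d-…` identification string for every connection regardless of protocol version, and the sshd_config.0 rendering of the same entry carries no such restriction; drop that sentence, which looks like it was carried over from the ServerKeyBits entry just above it. The description should also say that the identification string is sent before any authentication, so enabling the option discloses the exact vendor patch level to anyone who can reach the port — presumably why the default is `no`. The option is registered as SSHCFG_GLOBAL, which is consistent with it being read before any Match block can apply.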
+++ /dev/null
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options change a
-# default value.
-
-Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-# Disable legacy (protocol version 1) support in the server for new
-# installations. In future the default will change to require explicit
-# activation of protocol 1
-Protocol 2
-
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
-
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 1024
-
-# Logging
-# obsoletes QuietMode and FascistLogging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-LoginGraceTime 30s
-#PermitRootLogin yes
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-RSAAuthentication yes
-PubkeyAuthentication yes
-#AuthorizedKeysFile .ssh/authorized_keys
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
-IgnoreUserKnownHosts yes
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-PasswordAuthentication yes
-#PermitEmptyPasswords no
-
-# Change to no to disable s/key passwords
-ChallengeResponseAuthentication yes
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-#AllowAgentForwarding yes
-AllowTcpForwarding yes
-#GatewayPorts no
-X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PrintMotd yes
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
-#UsePrivilegeSeparation yes
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS yes
-#PidFile /var/run/sshd.pid
-MaxStartups 5
-#PermitTunnel no
-#ChrootDirectory none
-
-# no default banner path
-#Banner none
-
-# override default of no subsystems
-Subsystem sftp /usr/lib/openssh/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# ForceCommand cvs server
name = pdns-recursor
version = 3.3
-release = 5
+release = 6
groups = Networking/DNS
url = http://powerdns.com/
package if you need a dns cache for your network.
end
-source_dl =
+source_dl = http://downloads.powerdns.com/releases/
sources = %{thisapp}.tar.bz2
build
gcc-c++
boost-devel
lua-devel
+ shadow-utils
+ end
+
+ prepare_cmds
+ %{create_user}
end
build
# Create folder for chroot
mkdir -pv %{BUILDROOT}/var/lib/pdns-recursor
+
+ # Create directory for socket and stuff.
+ mkdir -pv %{BUILDROOT}/run/pdns-recursor
+ chown -v pdns-recursor.pdns-recursor %{BUILDROOT}/run/pdns-recursor
end
end
+create_user
+ getent group pdns-recursor >/dev/null || groupadd -r pdns-recursor
+ getent passwd pdns-recursor >/dev/null || \
+ useradd -r -g pdns-recursor -d /var/lib/pdns-recursor -s /sbin/nologin \
+ pdns-recursor
+end
+
packages
package %{name}
configfiles
prerequires = shadow-utils systemd-units
script prein
- getent group pdns-recursor >/dev/null || groupadd -r pdns-recursor
- getent passwd pdns-recursor >/dev/null || \
- useradd -r -g pdns-recursor -d /var/lib/pdns-recursor -s /sbin/nologin \
- pdns-recursor
+ %{create_user}
end
script postin
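Review bot: The new `/run/pdns-recursor` directory is only created and chown'ed inside %{BUILDROOT} at build time, and unlike the radvd package in this same change there is no tmpfiles.d `d /run/pdns-recursor …` line here, so on a system where /run is a tmpfs the socket directory is gone after the first reboot; add `d /run/pdns-recursor 0750 pdns-recursor pdns-recursor -`. The `mkdir -pv` in the build section sets no explicit mode, so the directory's permissions depend on the build umask — radvd in this change uses `mkdir -pv -m 750`. Running `%{create_user}` from prepare_cmds creates a system account on the build host purely so the chown can resolve the name; if the build environment is not disposable that side effect deserves a one-line comment in the .nm file, e.g. `# Needed so the chown of /run/pdns-recursor in BUILDROOT resolves.`.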
name = ppl
version = 0.11.2
-release = 1
+release = 2
maintainer = Michael Tremer <michael.tremer@ipfire.org>
groups = Development/Libraries
packages
package %{name}
+
+ package %{name}-devel
+ template DEVEL
+ end
end
###############################################################################
name = python
-version = 2.7.2
-release = 1
+major_ver = 2.7
+version = %{major_ver}.2
+release = 2
thisapp = Python-%{version}
groups = Development/Languages
install_cmds
# All *.py files don't need to be executeable...
find %{BUILDROOT}/usr/lib/python*/ -name "*.py" | xargs chmod a-x -v
+
+ # Create symlink for shared lib.
+ ln -svf ../../libpython%{major_ver}.so %{BUILDROOT}/usr/lib/python%{major_ver}/config/
end
end
name = radvd
version = 1.8.3
-release = 2
+release = 4
groups = System/Daemons
url = http://www.litech.org/radvd/
flex
flex-devel
bison
+ shadow-utils
end
configure_options += \
--with-pidfile=/run/radvd/radvd.pid
prepare_cmds
+ %{create_user}
+
sed -e "s/-lfl/-lfl_pic/g" -i Makefile.*
end
+
+ install_cmds
+ mkdir -pv -m 750 %{BUILDROOT}/run/radvd
+ chown -v radvd.radvd %{BUILDROOT}/run/radvd
+ end
+end
+
+create_user
+ getent group radvd >/dev/null || groupadd -r radvd
+
+ # The radvd user also needs to be in the wheel group to get access to
+ # /proc.
+ getent passwd radvd >/dev/null || \
+ useradd -r -g radvd -G wheel -d / -s /sbin/nologin \
+ -c "User for the Router Advertisement daemon." radvd
end
packages
prerequires += shadow-utils
script prein
- getent group radvd >/dev/null || groupadd -r radvd
-
- # The radvd user also needs to be in the wheel group to get access to
- # /proc.
- getent passwd radvd >/dev/null || \
- useradd -r -g radvd -G wheel -d / -s /sbin/nologin \
- -c "User for the Router Advertisement daemon." radvd
- exit 0
+ %{create_user}
end
# Just search for new unit files that were just installed.
-d /var/run/radvd 0750 radvd radvd -
+d /run/radvd 0750 radvd radvd -
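Review bot: The `-G wheel` carried into the create_user macro keeps a network daemon account in the administrative group; on systems where wheel is referenced by sudoers or pam_wheel, a compromised radvd process would inherit that membership even though the stated purpose is only access to /proc. A dedicated group, or a mode/ACL on the specific /proc entries radvd needs, covers that need without the extra exposure, and the comment should name which entries are actually required rather than "/proc". Separately, dropping the trailing `exit 0` from prein means a failing `useradd` now aborts the install instead of being masked; that is the safer behaviour, but it is a semantic change worth stating in the macro, e.g. `# No trailing exit 0: a failed useradd must fail the install, radvd cannot run without its account.`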
[Service]
ExecStartPre=/lib/network/network-radvd-config start
ExecStart=/usr/sbin/radvd -C /etc/radvd.conf -u radvd
-ExecStopPre=/lib/network/network-radvd-config stop
ExecReload=/bin/kill -HUP $MAINPID
+ExecStopPost=/lib/network/network-radvd-config stop
Type=forking
PIDFile=/run/radvd/radvd.pid
Restart=on-failure
--- /dev/null
+From 434d24bae108dbb21461a13a4abcf014afa8b029 Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger <shemminger@vyatta.com>
+Date: Tue, 11 Oct 2011 16:07:27 -0700
+Subject: [PATCH] fix bridge port state in netlink message
+
+The IFLA_PROTINFO is a u8 not u32, and sending a bigger value
+to kernel means extra bytes are ignored, leaving state as always 0.
+---
+ brstate.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/brstate.c b/brstate.c
+index 1fe792e..889c2ea 100644
+--- a/brstate.c
++++ b/brstate.c
+@@ -42,7 +42,7 @@ static int br_set_state(struct rtnl_handle *rth, unsigned ifindex, __u8 state)
+ req.ifi.ifi_family = AF_BRIDGE;
+ req.ifi.ifi_index = ifindex;
+
+- addattr32(&req.n, sizeof(req.buf), IFLA_PROTINFO, state);
++ addattr_l(&req.n, sizeof(req.buf), IFLA_PROTINFO, &state, sizeof(state));
+
+ return rtnl_talk(rth, &req.n, 0, 0, NULL, NULL, NULL);
+ }
+--
+1.7.6.2
+
+++ /dev/null
-diff --git a/Makefile b/Makefile
-index c65dd39..f672a45 100644
---- a/Makefile
-+++ b/Makefile
-@@ -9,7 +9,8 @@ CTLSOURCES = ctl_main.c ctl_cli_wrap.c ctl_socket_client.c
- CTLOBJECTS = $(CTLSOURCES:.c=.o)
-
- CC=gcc
--CFLAGS = -Wall -Werror -O2 -g -D_REENTRANT -D__LINUX__ -DVERSION=$(version) -DBUILD=$(build) -I. -I./include
-+CFLAGS = -Wall -Werror -fno-strict-aliasing -O2 -g -D_REENTRANT -D__LINUX__ \
-+ -DVERSION=$(version) -DBUILD=$(build) -I. -I./include -I./rstplib
-
- all: rstpd rstpctl
-
-diff --git a/bridge-stp b/bridge-stp
-index 49d5a41..5e663a9 100755
---- a/bridge-stp
-+++ b/bridge-stp
-@@ -53,9 +53,9 @@ start() {
- case $2 in
- start)
- daemon
-- exec /sbin/rstpctl $bridge on ;;
-+ exec /sbin/rstpctl rstp $bridge on ;;
- stop)
-- exec /sbin/rstpctl $bridge off ;;
-+ exec /sbin/rstpctl rstp $bridge off ;;
- *)
- echo "Unknown action:" $2
- echo "Usage: bridge-stp <bridge> {start|stop}"
-diff --git a/bridge_track.c b/bridge_track.c
-index c685935..f5efa3f 100644
---- a/bridge_track.c
-+++ b/bridge_track.c
-@@ -449,7 +449,7 @@ void bridge_bpdu_rcv(int if_index, const unsigned char *data, int len)
- struct ifdata *ifc = find_if(if_index);
-
- LOG("ifindex %d, len %d", if_index, len);
-- if (!ifc)
-+ if (!ifc || !ifc->master)
- return;
-
- TST(ifc->up,);
-diff --git a/brmon.c b/brmon.c
-index d29e7f5..fd4dacd 100644
---- a/brmon.c
-+++ b/brmon.c
-@@ -30,32 +30,10 @@
-
- static const char SNAPSHOT[] = "v0.1";
-
--
--/* RFC 2863 operational status */
--enum {
-- IF_OPER_UNKNOWN,
-- IF_OPER_NOTPRESENT,
-- IF_OPER_DOWN,
-- IF_OPER_LOWERLAYERDOWN,
-- IF_OPER_TESTING,
-- IF_OPER_DORMANT,
-- IF_OPER_UP,
--};
--
--/* link modes */
--enum {
-- IF_LINK_MODE_DEFAULT,
-- IF_LINK_MODE_DORMANT, /* limit upward transition to dormant */
--};
--
--static const char *port_states[] = {
-- [BR_STATE_DISABLED] = "disabled",
-- [BR_STATE_LISTENING] = "listening",
-- [BR_STATE_LEARNING] = "learning",
-- [BR_STATE_FORWARDING] = "forwarding",
-- [BR_STATE_BLOCKING] = "blocking",
--};
--
-+static int is_up(const struct ifinfomsg *ifi)
-+{
-+ return (ifi->ifi_flags & IFF_UP) && (ifi->ifi_flags & IFF_RUNNING);
-+}
-
- static int dump_msg(const struct sockaddr_nl *who, struct nlmsghdr *n,
- void *arg)
-@@ -64,25 +42,16 @@ static int dump_msg(const struct sockaddr_nl *who, struct nlmsghdr *n,
- struct ifinfomsg *ifi = NLMSG_DATA(n);
- struct rtattr * tb[IFLA_MAX+1];
- int len = n->nlmsg_len;
-+ int master = -1;
- char b1[IFNAMSIZ];
-- int af_family = ifi->ifi_family;
-
- if (n->nlmsg_type == NLMSG_DONE)
- return 0;
--
-+
- len -= NLMSG_LENGTH(sizeof(*ifi));
-- if (len < 0) {
-+ if (len < 0)
- return -1;
-- }
--
--#if 0
--
-- if (filter.ifindex && ifi->ifi_index != filter.ifindex)
-- return 0;
-
-- if (filter.up && !(ifi->ifi_flags&IFF_UP))
-- return 0;
--#endif
- if (ifi->ifi_family != AF_BRIDGE && ifi->ifi_family != AF_UNSPEC)
- return 0;
-
-@@ -93,73 +62,41 @@ static int dump_msg(const struct sockaddr_nl *who, struct nlmsghdr *n,
- parse_rtattr(tb, IFLA_MAX, IFLA_RTA(ifi), len);
-
- /* Check if we got this from bonding */
-- if (tb[IFLA_MASTER] && af_family != AF_BRIDGE)
-- return 0;
-+ if (tb[IFLA_MASTER] && ifi->ifi_family != AF_BRIDGE)
-+ return 0;
-+
-+ /* Check if hearing our own state changes */
-+ if (n->nlmsg_type == RTM_NEWLINK && tb[IFLA_PROTINFO]) {
-+ uint8_t state = *(uint8_t *)RTA_DATA(tb[IFLA_PROTINFO]);
-+
-+ if (state != BR_STATE_DISABLED)
-+ return 0;
-+ }
-
- if (tb[IFLA_IFNAME] == NULL) {
-- fprintf(stderr, "BUG: nil ifname\n");
-- return -1;
-+ fprintf(stderr, "BUG: nil ifname\n");
-+ return -1;
- }
-
- if (n->nlmsg_type == RTM_DELLINK)
-- fprintf(fp, "Deleted ");
-+ fprintf(fp, "Deleted ");
-
- fprintf(fp, "%d: %s ", ifi->ifi_index,
-- tb[IFLA_IFNAME] ? (char*)RTA_DATA(tb[IFLA_IFNAME]) : "<nil>");
--
--
-- if (tb[IFLA_OPERSTATE]) {
-- int state = *(int*)RTA_DATA(tb[IFLA_OPERSTATE]);
-- switch (state) {
-- case IF_OPER_UNKNOWN:
-- fprintf(fp, "Unknown "); break;
-- case IF_OPER_NOTPRESENT:
-- fprintf(fp, "Not Present "); break;
-- case IF_OPER_DOWN:
-- fprintf(fp, "Down "); break;
-- case IF_OPER_LOWERLAYERDOWN:
-- fprintf(fp, "Lowerlayerdown "); break;
-- case IF_OPER_TESTING:
-- fprintf(fp, "Testing "); break;
-- case IF_OPER_DORMANT:
-- fprintf(fp, "Dormant "); break;
-- case IF_OPER_UP:
-- fprintf(fp, "Up "); break;
-- default:
-- fprintf(fp, "State(%d) ", state);
-- }
-- }
--
-- if (tb[IFLA_MTU])
-- fprintf(fp, "mtu %u ", *(int*)RTA_DATA(tb[IFLA_MTU]));
-+ (const char*)RTA_DATA(tb[IFLA_IFNAME]));
-
- if (tb[IFLA_MASTER]) {
-- fprintf(fp, "master %s ",
-- if_indextoname(*(int*)RTA_DATA(tb[IFLA_MASTER]), b1));
-- }
--
-- if (tb[IFLA_PROTINFO]) {
-- uint8_t state = *(uint8_t *)RTA_DATA(tb[IFLA_PROTINFO]);
-- if (state <= BR_STATE_BLOCKING)
-- fprintf(fp, "state %s", port_states[state]);
-- else
-- fprintf(fp, "state (%d)", state);
-+ master = *(int*)RTA_DATA(tb[IFLA_MASTER]);
-+ fprintf(fp, "master %s ", if_indextoname(master, b1));
- }
-
--
- fprintf(fp, "\n");
- fflush(fp);
-- {
-- int newlink = (n->nlmsg_type == RTM_NEWLINK);
-- int up = 0;
-- if (newlink && tb[IFLA_OPERSTATE]) {
-- int state = *(int*)RTA_DATA(tb[IFLA_OPERSTATE]);
-- up = (state == IF_OPER_UP) || (state == IF_OPER_UNKNOWN);
-- }
--
-- bridge_notify((tb[IFLA_MASTER]?*(int*)RTA_DATA(tb[IFLA_MASTER]):-1),
-- ifi->ifi_index, newlink, up);
-- }
-+
-+
-+ bridge_notify(master, ifi->ifi_index,
-+ (n->nlmsg_type == RTM_NEWLINK),
-+ is_up(ifi));
-+
- return 0;
- }
-
-@@ -252,7 +189,7 @@ int init_bridge_ops(void)
- fprintf(stderr, "Couldn't open rtnl socket for monitoring\n");
- return -1;
- }
--
-+
- if (rtnl_open(&rth_state, 0) < 0) {
- fprintf(stderr, "Couldn't open rtnl socket for setting state\n");
- return -1;
-@@ -262,7 +199,7 @@ int init_bridge_ops(void)
- fprintf(stderr, "Cannot send dump request: %m\n");
- return -1;
- }
--
-+
- if (rtnl_dump_filter(&rth, dump_msg, stdout, NULL, NULL) < 0) {
- fprintf(stderr, "Dump terminated\n");
- return -1;
-@@ -276,10 +213,10 @@ int init_bridge_ops(void)
- br_handler.fd = rth.fd;
- br_handler.arg = NULL;
- br_handler.handler = br_ev_handler;
--
-+
- if (add_epoll(&br_handler) < 0)
- return -1;
--
-+
- return 0;
- }
-
-diff --git a/include/linux/llc.h b/include/linux/llc.h
-index 09f2e6d..6bb32fe 100644
---- a/include/linux/llc.h
-+++ b/include/linux/llc.h
-@@ -49,9 +49,9 @@ enum llc_sockopts {
-
- /* LLC SAP types. */
- #define LLC_SAP_NULL 0x00 /* NULL SAP. */
--#define LLC_SAP_LLC 0x02 /* LLC Sublayer Managment. */
-+#define LLC_SAP_LLC 0x02 /* LLC Sublayer Management. */
- #define LLC_SAP_SNA 0x04 /* SNA Path Control. */
--#define LLC_SAP_PNM 0x0E /* Proway Network Managment. */
-+#define LLC_SAP_PNM 0x0E /* Proway Network Management. */
- #define LLC_SAP_IP 0x06 /* TCP/IP. */
- #define LLC_SAP_BSPAN 0x42 /* Bridge Spanning Tree Proto */
- #define LLC_SAP_MMS 0x4E /* Manufacturing Message Srv. */
-@@ -70,11 +70,4 @@ enum llc_sockopts {
- #define LLC_SAP_RM 0xD4 /* Resource Management */
- #define LLC_SAP_GLOBAL 0xFF /* Global SAP. */
-
--#ifdef __KERNEL__
--#define LLC_SAP_DYN_START 0xC0
--#define LLC_SAP_DYN_STOP 0xDE
--#define LLC_SAP_DYN_TRIES 4
--
--#define llc_ui_skb_cb(__skb) ((struct sockaddr_llc *)&((__skb)->cb[0]))
--#endif /* __KERNEL__ */
- #endif /* __LINUX_LLC_H */
-diff --git a/include/linux/rtnetlink.h b/include/linux/rtnetlink.h
-index 5e33a20..ba9e46c 100644
---- a/include/linux/rtnetlink.h
-+++ b/include/linux/rtnetlink.h
-@@ -1,7 +1,11 @@
- #ifndef __LINUX_RTNETLINK_H
- #define __LINUX_RTNETLINK_H
-
-+#include <linux/types.h>
- #include <linux/netlink.h>
-+#include <linux/if_link.h>
-+#include <linux/if_addr.h>
-+#include <linux/neighbour.h>
-
- /****
- * Routing/neighbour discovery messages.
-@@ -80,8 +84,6 @@ enum {
-
- RTM_NEWPREFIX = 52,
- #define RTM_NEWPREFIX RTM_NEWPREFIX
-- RTM_GETPREFIX = 54,
--#define RTM_GETPREFIX RTM_GETPREFIX
-
- RTM_GETMULTICAST = 58,
- #define RTM_GETMULTICAST RTM_GETMULTICAST
-@@ -96,6 +98,21 @@ enum {
- RTM_SETNEIGHTBL,
- #define RTM_SETNEIGHTBL RTM_SETNEIGHTBL
-
-+ RTM_NEWNDUSEROPT = 68,
-+#define RTM_NEWNDUSEROPT RTM_NEWNDUSEROPT
-+
-+ RTM_NEWADDRLABEL = 72,
-+#define RTM_NEWADDRLABEL RTM_NEWADDRLABEL
-+ RTM_DELADDRLABEL,
-+#define RTM_NEWADDRLABEL RTM_NEWADDRLABEL
-+ RTM_GETADDRLABEL,
-+#define RTM_GETADDRLABEL RTM_GETADDRLABEL
-+
-+ RTM_GETDCB = 78,
-+#define RTM_GETDCB RTM_GETDCB
-+ RTM_SETDCB,
-+#define RTM_SETDCB RTM_SETDCB
-+
- __RTM_MAX,
- #define RTM_MAX (((__RTM_MAX + 3) & ~3) - 1)
- };
-@@ -235,13 +252,12 @@ enum rt_class_t
- {
- RT_TABLE_UNSPEC=0,
- /* User defined values */
-+ RT_TABLE_COMPAT=252,
- RT_TABLE_DEFAULT=253,
- RT_TABLE_MAIN=254,
- RT_TABLE_LOCAL=255,
-- __RT_TABLE_MAX
-+ RT_TABLE_MAX=0xFFFFFFFF
- };
--#define RT_TABLE_MAX (__RT_TABLE_MAX - 1)
--
-
-
- /* Routing message attributes */
-@@ -258,11 +274,12 @@ enum rtattr_type_t
- RTA_PREFSRC,
- RTA_METRICS,
- RTA_MULTIPATH,
-- RTA_PROTOINFO,
-+ RTA_PROTOINFO, /* no longer used */
- RTA_FLOW,
- RTA_CACHEINFO,
-- RTA_SESSION,
-- RTA_MP_ALGO,
-+ RTA_SESSION, /* no longer used */
-+ RTA_MP_ALGO, /* no longer used */
-+ RTA_TABLE,
- __RTA_MAX
- };
-
-@@ -351,6 +368,8 @@ enum
- #define RTAX_INITCWND RTAX_INITCWND
- RTAX_FEATURES,
- #define RTAX_FEATURES RTAX_FEATURES
-+ RTAX_RTO_MIN,
-+#define RTAX_RTO_MIN RTAX_RTO_MIN
- __RTAX_MAX
- };
-
-@@ -383,226 +402,6 @@ struct rta_session
- } u;
- };
-
--
--/*********************************************************
-- * Interface address.
-- ****/
--
--struct ifaddrmsg
--{
-- unsigned char ifa_family;
-- unsigned char ifa_prefixlen; /* The prefix length */
-- unsigned char ifa_flags; /* Flags */
-- unsigned char ifa_scope; /* See above */
-- int ifa_index; /* Link index */
--};
--
--enum
--{
-- IFA_UNSPEC,
-- IFA_ADDRESS,
-- IFA_LOCAL,
-- IFA_LABEL,
-- IFA_BROADCAST,
-- IFA_ANYCAST,
-- IFA_CACHEINFO,
-- IFA_MULTICAST,
-- __IFA_MAX
--};
--
--#define IFA_MAX (__IFA_MAX - 1)
--
--/* ifa_flags */
--
--#define IFA_F_SECONDARY 0x01
--#define IFA_F_TEMPORARY IFA_F_SECONDARY
--
--#define IFA_F_DEPRECATED 0x20
--#define IFA_F_TENTATIVE 0x40
--#define IFA_F_PERMANENT 0x80
--
--struct ifa_cacheinfo
--{
-- __u32 ifa_prefered;
-- __u32 ifa_valid;
-- __u32 cstamp; /* created timestamp, hundredths of seconds */
-- __u32 tstamp; /* updated timestamp, hundredths of seconds */
--};
--
--
--#define IFA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ifaddrmsg))))
--#define IFA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ifaddrmsg))
--
--/*
-- Important comment:
-- IFA_ADDRESS is prefix address, rather than local interface address.
-- It makes no difference for normally configured broadcast interfaces,
-- but for point-to-point IFA_ADDRESS is DESTINATION address,
-- local address is supplied in IFA_LOCAL attribute.
-- */
--
--/**************************************************************
-- * Neighbour discovery.
-- ****/
--
--struct ndmsg
--{
-- unsigned char ndm_family;
-- unsigned char ndm_pad1;
-- unsigned short ndm_pad2;
-- int ndm_ifindex; /* Link index */
-- __u16 ndm_state;
-- __u8 ndm_flags;
-- __u8 ndm_type;
--};
--
--enum
--{
-- NDA_UNSPEC,
-- NDA_DST,
-- NDA_LLADDR,
-- NDA_CACHEINFO,
-- NDA_PROBES,
-- __NDA_MAX
--};
--
--#define NDA_MAX (__NDA_MAX - 1)
--
--#define NDA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ndmsg))))
--#define NDA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ndmsg))
--
--/*
-- * Neighbor Cache Entry Flags
-- */
--
--#define NTF_PROXY 0x08 /* == ATF_PUBL */
--#define NTF_ROUTER 0x80
--
--/*
-- * Neighbor Cache Entry States.
-- */
--
--#define NUD_INCOMPLETE 0x01
--#define NUD_REACHABLE 0x02
--#define NUD_STALE 0x04
--#define NUD_DELAY 0x08
--#define NUD_PROBE 0x10
--#define NUD_FAILED 0x20
--
--/* Dummy states */
--#define NUD_NOARP 0x40
--#define NUD_PERMANENT 0x80
--#define NUD_NONE 0x00
--
--
--struct nda_cacheinfo
--{
-- __u32 ndm_confirmed;
-- __u32 ndm_used;
-- __u32 ndm_updated;
-- __u32 ndm_refcnt;
--};
--
--
--/*****************************************************************
-- * Neighbour tables specific messages.
-- *
-- * To retrieve the neighbour tables send RTM_GETNEIGHTBL with the
-- * NLM_F_DUMP flag set. Every neighbour table configuration is
-- * spread over multiple messages to avoid running into message
-- * size limits on systems with many interfaces. The first message
-- * in the sequence transports all not device specific data such as
-- * statistics, configuration, and the default parameter set.
-- * This message is followed by 0..n messages carrying device
-- * specific parameter sets.
-- * Although the ordering should be sufficient, NDTA_NAME can be
-- * used to identify sequences. The initial message can be identified
-- * by checking for NDTA_CONFIG. The device specific messages do
-- * not contain this TLV but have NDTPA_IFINDEX set to the
-- * corresponding interface index.
-- *
-- * To change neighbour table attributes, send RTM_SETNEIGHTBL
-- * with NDTA_NAME set. Changeable attribute include NDTA_THRESH[1-3],
-- * NDTA_GC_INTERVAL, and all TLVs in NDTA_PARMS unless marked
-- * otherwise. Device specific parameter sets can be changed by
-- * setting NDTPA_IFINDEX to the interface index of the corresponding
-- * device.
-- ****/
--
--struct ndt_stats
--{
-- __u64 ndts_allocs;
-- __u64 ndts_destroys;
-- __u64 ndts_hash_grows;
-- __u64 ndts_res_failed;
-- __u64 ndts_lookups;
-- __u64 ndts_hits;
-- __u64 ndts_rcv_probes_mcast;
-- __u64 ndts_rcv_probes_ucast;
-- __u64 ndts_periodic_gc_runs;
-- __u64 ndts_forced_gc_runs;
--};
--
--enum {
-- NDTPA_UNSPEC,
-- NDTPA_IFINDEX, /* u32, unchangeable */
-- NDTPA_REFCNT, /* u32, read-only */
-- NDTPA_REACHABLE_TIME, /* u64, read-only, msecs */
-- NDTPA_BASE_REACHABLE_TIME, /* u64, msecs */
-- NDTPA_RETRANS_TIME, /* u64, msecs */
-- NDTPA_GC_STALETIME, /* u64, msecs */
-- NDTPA_DELAY_PROBE_TIME, /* u64, msecs */
-- NDTPA_QUEUE_LEN, /* u32 */
-- NDTPA_APP_PROBES, /* u32 */
-- NDTPA_UCAST_PROBES, /* u32 */
-- NDTPA_MCAST_PROBES, /* u32 */
-- NDTPA_ANYCAST_DELAY, /* u64, msecs */
-- NDTPA_PROXY_DELAY, /* u64, msecs */
-- NDTPA_PROXY_QLEN, /* u32 */
-- NDTPA_LOCKTIME, /* u64, msecs */
-- __NDTPA_MAX
--};
--#define NDTPA_MAX (__NDTPA_MAX - 1)
--
--struct ndtmsg
--{
-- __u8 ndtm_family;
-- __u8 ndtm_pad1;
-- __u16 ndtm_pad2;
--};
--
--struct ndt_config
--{
-- __u16 ndtc_key_len;
-- __u16 ndtc_entry_size;
-- __u32 ndtc_entries;
-- __u32 ndtc_last_flush; /* delta to now in msecs */
-- __u32 ndtc_last_rand; /* delta to now in msecs */
-- __u32 ndtc_hash_rnd;
-- __u32 ndtc_hash_mask;
-- __u32 ndtc_hash_chain_gc;
-- __u32 ndtc_proxy_qlen;
--};
--
--enum {
-- NDTA_UNSPEC,
-- NDTA_NAME, /* char *, unchangeable */
-- NDTA_THRESH1, /* u32 */
-- NDTA_THRESH2, /* u32 */
-- NDTA_THRESH3, /* u32 */
-- NDTA_CONFIG, /* struct ndt_config, read-only */
-- NDTA_PARMS, /* nested TLV NDTPA_* */
-- NDTA_STATS, /* struct ndt_stats, read-only */
-- NDTA_GC_INTERVAL, /* u64, msecs */
-- __NDTA_MAX
--};
--#define NDTA_MAX (__NDTA_MAX - 1)
--
--#define NDTA_RTA(r) ((struct rtattr*)(((char*)(r)) + \
-- NLMSG_ALIGN(sizeof(struct ndtmsg))))
--#define NDTA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ndtmsg))
--
--
- /****
- * General form of address family dependent message.
- ****/
-@@ -663,138 +462,6 @@ struct prefix_cacheinfo
- __u32 valid_time;
- };
-
--/* The struct should be in sync with struct net_device_stats */
--struct rtnl_link_stats
--{
-- __u32 rx_packets; /* total packets received */
-- __u32 tx_packets; /* total packets transmitted */
-- __u32 rx_bytes; /* total bytes received */
-- __u32 tx_bytes; /* total bytes transmitted */
-- __u32 rx_errors; /* bad packets received */
-- __u32 tx_errors; /* packet transmit problems */
-- __u32 rx_dropped; /* no space in linux buffers */
-- __u32 tx_dropped; /* no space available in linux */
-- __u32 multicast; /* multicast packets received */
-- __u32 collisions;
--
-- /* detailed rx_errors: */
-- __u32 rx_length_errors;
-- __u32 rx_over_errors; /* receiver ring buff overflow */
-- __u32 rx_crc_errors; /* recved pkt with crc error */
-- __u32 rx_frame_errors; /* recv'd frame alignment error */
-- __u32 rx_fifo_errors; /* recv'r fifo overrun */
-- __u32 rx_missed_errors; /* receiver missed packet */
--
-- /* detailed tx_errors */
-- __u32 tx_aborted_errors;
-- __u32 tx_carrier_errors;
-- __u32 tx_fifo_errors;
-- __u32 tx_heartbeat_errors;
-- __u32 tx_window_errors;
--
-- /* for cslip etc */
-- __u32 rx_compressed;
-- __u32 tx_compressed;
--};
--
--/* The struct should be in sync with struct ifmap */
--struct rtnl_link_ifmap
--{
-- __u64 mem_start;
-- __u64 mem_end;
-- __u64 base_addr;
-- __u16 irq;
-- __u8 dma;
-- __u8 port;
--};
--
--enum
--{
-- IFLA_UNSPEC,
-- IFLA_ADDRESS,
-- IFLA_BROADCAST,
-- IFLA_IFNAME,
-- IFLA_MTU,
-- IFLA_LINK,
-- IFLA_QDISC,
-- IFLA_STATS,
-- IFLA_COST,
--#define IFLA_COST IFLA_COST
-- IFLA_PRIORITY,
--#define IFLA_PRIORITY IFLA_PRIORITY
-- IFLA_MASTER,
--#define IFLA_MASTER IFLA_MASTER
-- IFLA_WIRELESS, /* Wireless Extension event - see wireless.h */
--#define IFLA_WIRELESS IFLA_WIRELESS
-- IFLA_PROTINFO, /* Protocol specific information for a link */
--#define IFLA_PROTINFO IFLA_PROTINFO
-- IFLA_TXQLEN,
--#define IFLA_TXQLEN IFLA_TXQLEN
-- IFLA_MAP,
--#define IFLA_MAP IFLA_MAP
-- IFLA_WEIGHT,
--#define IFLA_WEIGHT IFLA_WEIGHT
-- IFLA_OPERSTATE,
-- IFLA_LINKMODE,
-- __IFLA_MAX
--};
--
--
--#define IFLA_MAX (__IFLA_MAX - 1)
--
--#define IFLA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ifinfomsg))))
--#define IFLA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ifinfomsg))
--
--/* ifi_flags.
--
-- IFF_* flags.
--
-- The only change is:
-- IFF_LOOPBACK, IFF_BROADCAST and IFF_POINTOPOINT are
-- more not changeable by user. They describe link media
-- characteristics and set by device driver.
--
-- Comments:
-- - Combination IFF_BROADCAST|IFF_POINTOPOINT is invalid
-- - If neither of these three flags are set;
-- the interface is NBMA.
--
-- - IFF_MULTICAST does not mean anything special:
-- multicasts can be used on all not-NBMA links.
-- IFF_MULTICAST means that this media uses special encapsulation
-- for multicast frames. Apparently, all IFF_POINTOPOINT and
-- IFF_BROADCAST devices are able to use multicasts too.
-- */
--
--/* IFLA_LINK.
-- For usual devices it is equal ifi_index.
-- If it is a "virtual interface" (f.e. tunnel), ifi_link
-- can point to real physical interface (f.e. for bandwidth calculations),
-- or maybe 0, what means, that real media is unknown (usual
-- for IPIP tunnels, when route to endpoint is allowed to change)
-- */
--
--/* Subtype attributes for IFLA_PROTINFO */
--enum
--{
-- IFLA_INET6_UNSPEC,
-- IFLA_INET6_FLAGS, /* link flags */
-- IFLA_INET6_CONF, /* sysctl parameters */
-- IFLA_INET6_STATS, /* statistics */
-- IFLA_INET6_MCAST, /* MC things. What of them? */
-- IFLA_INET6_CACHEINFO, /* time values and max reasm size */
-- __IFLA_INET6_MAX
--};
--
--#define IFLA_INET6_MAX (__IFLA_INET6_MAX - 1)
--
--struct ifla_cacheinfo
--{
-- __u32 max_reasm_len;
-- __u32 tstamp; /* ipv6InterfaceTable updated timestamp */
-- __u32 reachable_time;
-- __u32 retrans_time;
--};
-
- /*****************************************************************
- * Traffic control messages.
-@@ -821,6 +488,7 @@ enum
- TCA_RATE,
- TCA_FCNT,
- TCA_STATS2,
-+ TCA_STAB,
- __TCA_MAX
- };
-
-@@ -829,6 +497,32 @@ enum
- #define TCA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct tcmsg))))
- #define TCA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct tcmsg))
-
-+/********************************************************************
-+ * Neighbor Discovery userland options
-+ ****/
-+
-+struct nduseroptmsg
-+{
-+ unsigned char nduseropt_family;
-+ unsigned char nduseropt_pad1;
-+ unsigned short nduseropt_opts_len; /* Total length of options */
-+ int nduseropt_ifindex;
-+ __u8 nduseropt_icmp_type;
-+ __u8 nduseropt_icmp_code;
-+ unsigned short nduseropt_pad2;
-+ unsigned int nduseropt_pad3;
-+ /* Followed by one or more ND options */
-+};
-+
-+enum
-+{
-+ NDUSEROPT_UNSPEC,
-+ NDUSEROPT_SRCADDR,
-+ __NDUSEROPT_MAX
-+};
-+
-+#define NDUSEROPT_MAX (__NDUSEROPT_MAX - 1)
-+
- /* RTnetlink multicast groups - backwards compatibility for userspace */
- #define RTMGRP_LINK 1
- #define RTMGRP_NOTIFY 2
-@@ -883,10 +577,19 @@ enum rtnetlink_groups {
- RTNLGRP_NOP2,
- RTNLGRP_DECnet_ROUTE,
- #define RTNLGRP_DECnet_ROUTE RTNLGRP_DECnet_ROUTE
-- RTNLGRP_NOP3,
-+ RTNLGRP_DECnet_RULE,
-+#define RTNLGRP_DECnet_RULE RTNLGRP_DECnet_RULE
- RTNLGRP_NOP4,
- RTNLGRP_IPV6_PREFIX,
- #define RTNLGRP_IPV6_PREFIX RTNLGRP_IPV6_PREFIX
-+ RTNLGRP_IPV6_RULE,
-+#define RTNLGRP_IPV6_RULE RTNLGRP_IPV6_RULE
-+ RTNLGRP_ND_USEROPT,
-+#define RTNLGRP_ND_USEROPT RTNLGRP_ND_USEROPT
-+ RTNLGRP_PHONET_IFADDR,
-+#define RTNLGRP_PHONET_IFADDR RTNLGRP_PHONET_IFADDR
-+ RTNLGRP_PHONET_ROUTE,
-+#define RTNLGRP_PHONET_ROUTE RTNLGRP_PHONET_ROUTE
- __RTNLGRP_MAX
- };
- #define RTNLGRP_MAX (__RTNLGRP_MAX - 1)
name = rstp
version = 0.21
-release = 6
+release = 7
groups = Networking/Tools
url = http://git.ipfire.org/?p=thirdparty/rstp.git;a=summary
###############################################################################
name = rsyslog
-version = 5.8.0
-release = 3
+version = 5.8.6
+release = 1
groups = Base System/Daemons
url = http://www.rsyslog.com/
###############################################################################
name = samba
-version = 3.6.0
-release = 2
+version = 3.6.1
+release = 1
maintainer = Christian Schmidt <christian.schmidt@ipfire.org>
groups = Networking/Daemons
packages
package %{name}
- end
-
+
package %{name}-libs
template LIBS
end
-
+
package %{name}-devel
template DEVEL
requires += %{name}-libs=%{thisver}
end
end
-
--- /dev/null
+#!/bin/bash
+if [ -f /etc/sysconfig/squid ]; then
+ . /etc/sysconfig/squid
+fi
+
+SQUID_CONF=${SQUID_CONF:-"/etc/squid/squid.conf"}
+
+CACHE_SWAP=`sed -e 's/#.*//g' $SQUID_CONF | \
+ grep cache_dir | awk '{ print $3 }'`
+
+for adir in $CACHE_SWAP; do
+ if [ ! -d $adir/00 ]; then
+ echo -n "init_cache_dir $adir... "
+ squid -z -F -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
+ fi
+done
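Review bot: The unquoted `$SQUID_CONF` and `$adir/00` expansions and the unanchored `grep cache_dir` make the path extraction fragile: a directive that merely contains that substring, or a value containing whitespace, yields a wrong `$3` or a broken test, and this script runs as root from ExecStartPre. Matching on the first field in awk, quoting the fixed arguments and using `$(...)` keeps the same result on well-formed configs; `squid -z` initialises every configured cache_dir in one run, so stopping after the first missing directory avoids repeating the full initialisation once per entry (confirm against the squid version built here). This hunk is the whole file, so the rewrite below is the complete extraction and loop.
```shell
CACHE_SWAP=$(sed -e 's/#.*//g' "$SQUID_CONF" | \
    awk '$1 == "cache_dir" { print $3 }')

for adir in $CACHE_SWAP; do
    if [ ! -d "$adir/00" ]; then
        echo -n "init_cache_dir $adir... "
        squid -z -F -f "$SQUID_CONF" >> /var/log/squid/squid.out 2>&1
        # -z creates every missing cache_dir at once; one run is enough.
        break
    fi
done
```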
+++ /dev/null
-diff -up squid-3.0.STABLE7/helpers/basic_auth/NCSA/ncsa_auth.8.from_manpg squid-3.0.STABLE7/helpers/basic_auth/NCSA/ncsa_auth.8
---- squid-3.0.STABLE7/helpers/basic_auth/NCSA/ncsa_auth.8.from_manpg 2008-06-22 05:35:49.000000000 +0200
-+++ squid-3.0.STABLE7/helpers/basic_auth/NCSA/ncsa_auth.8 2007-06-06 18:25:30.000000000 +0200
-@@ -1,38 +1,38 @@
--.\" This file is distributed in the hope that it will be useful,
--.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
--.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
--.\" the GNU General Public License for more details.
--.\"
--.\" You should have received a copy of the GNU General Public License
--.\" along with this file; if not, write to the Free Software
--.\" Foundation, Inc., 59 Temple Place, Suite 330, Boston,
--.\" MA 02111-1307 USA
--.\"
--.\" HISTORY:
--.\" 2006-05-16, created by Rodrigo Rubira Branco <rrbranco@br.ibm.com>
--.TH ncsa_auth 8 "May 16, 2006" "Squid NCSA Auth helper"
--.SH NAME
--ncsa_auth \- NCSA httpd-style password file authentication helper for Squid
--\fB
--.SH SYNOPSIS
--.nf
--.fam C
--\fBncsa_auth\fP \fIpasswdfile\fP
--.fam T
--.fi
--.SH DESCRIPTION
--\fBncsa_auth\fP allows Squid to read and authenticate user and password information from an NCSA/Apache httpd-style password file when using basic HTTP authentication.
--.PP
--The only parameter is the password file. It must have permissions to be read by the user that Squid is running as (cache_effective_user in squid.conf).
--.PP
--This password file can be manipulated using htpasswd.
--.SH OPTIONS
--Only specify the password file name.
--.SH EXAMPLE
--\fBncsa_auth\fP /etc/squid/squid.pass
--.SH SECURITY
--\fBncsa_auth\fP must have access to the password file to be executed.
--.SH SEE ALSO
--\fBhtpasswd\fP(1), \fBsquid\fP(8)
--.SH AUTHOR
--Manpage written by Rodrigo Rubira Branco <rrbranco@br.ibm.com>
-+.\" This file is distributed in the hope that it will be useful,\r
-+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of\r
-+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See\r
-+.\" the GNU General Public License for more details.\r
-+.\"\r
-+.\" You should have received a copy of the GNU General Public License\r
-+.\" along with this file; if not, write to the Free Software\r
-+.\" Foundation, Inc., 59 Temple Place, Suite 330, Boston,\r
-+.\" MA 02111-1307 USA\r
-+.\"\r
-+.\" HISTORY:\r
-+.\" 2006-05-16, created by Rodrigo Rubira Branco <rrbranco@br.ibm.com>\r
-+.TH ncsa_auth 8 "May 16, 2006" "User Manuals" "User Manuals"\r
-+.SH NAME\r
-+ncsa_auth \- NCSA httpd-style password file authentication helper for Squid\r
-+\fB\r
-+.SH SYNOPSIS\r
-+.nf\r
-+.fam C\r
-+\fBncsa_auth\fP \fIpasswdfile\fP \r
-+.fam T\r
-+.fi\r
-+.SH DESCRIPTION\r
-+\fBncsa_auth\fP allows Squid to read and authenticate user and password information from an NCSA httpd-style password file when using basic HTTP authentication.\r
-+.PP\r
-+The only parameter is the password file. It must have permissions to be read by the user that Squid is running as. By default this user is proxy. This can be changed using the cache_effective_user directive in the squid.conf file.\r
-+.PP\r
-+This password file can be manipulated using htpasswd.\r
-+.SH OPTIONS\r
-+Only specify the password file name.\r
-+.SH EXAMPLE\r
-+\fBncsa_auth\fP /etc/squid/squid.pass\r
-+.SH SECURITY\r
-+\fBncsa_auth\fP must have access to the password file to be executed.\r
-+.SH SEE ALSO\r
-+\fBhtpasswd\fP(1), \fBsquid\fP(8)\r
-+.SH AUTHOR\r
-+Manpage written by Rodrigo Rubira Branco <rrbranco@br.ibm.com>\r
name = squid
major_ver = 3.1
-version = %{major_ver}.12
-release = 2
+version = %{major_ver}.16
+release = 4
maintainer = Christian Schmidt <christian.schmidt@ipfire.org>
groups = Networking/Daemons
pam-devel
libcap-devel
/usr/bin/smbclient
+ shadow-utils
end
CFLAGS += -Wno-error
--libexecdir=/usr/lib/squid \
--localstatedir=/var \
--sysconfdir=/etc/squid \
+ --with-logdir=/var/log/squid \
--enable-storeio="aufs,diskd,ufs" \
--enable-removal-policies="heap,lru" \
--enable-icmp \
--enable-delay-pools \
--disable-esi \
- --disable-icap-client \
+ --enable-icap-client \
--enable-useragent-log \
--enable-referrer-log \
- --disable-wccp \
- --disable-wccpv2 \
+ --enable-wccp \
+ --enable-wccpv2 \
--enable-kill-parent-hack \
--enable-snmp \
--enable-arp-acl \
--with-dl \
--with-large-files
+ prepare_cmds
+ %{create_user}
+ end
+
install_cmds
rm -vf %{BUILDROOT}/etc/squid/errors
- rmdir %{BUILDROOT}/var/logs
mkdir -pv %{BUILDROOT}/var/log/cache %{BUILDROOT}/var/log/squid
touch %{BUILDROOT}/var/log/squid/access.log
+ touch %{BUILDROOT}/var/log/squid/cache.log
mkdir -pv %{BUILDROOT}/var/cache/squid
- # What is this?????
- #groupadd -r squid && useradd -r -g squid -d %{BUILDROOT}/var/cache/squid -s /bin/false -p '*' squid
- #chown -Rv squid:squid %{BUILDROOT}/var/log/squid %{BUILDROOT}/var/log/cache %{BUILDROOT}/var/cache/squid
- #chmod 600 %{BUILDROOT}/var/cache/squid
- #chown squid:squid %{BUILDROOT}/var/log/squid
+ echo "visible_hostname %{DISTRO_NAME}" >> %{BUILDROOT}/etc/squid/squid.conf
+ echo "cache_effective_user squid" >> %{BUILDROOT}/etc/squid/squid.conf
+ echo "cache_effective_group squid" >> %{BUILDROOT}/etc/squid/squid.conf
+
+ chown -Rv squid:squid %{BUILDROOT}/var/log/squid %{BUILDROOT}/var/log/cache %{BUILDROOT}/var/cache/squid
+ chmod 600 %{BUILDROOT}/var/cache/squid
+ mkdir -pv %{BUILDROOT}/etc/sysconfig
+ cp -vf %{DIR_SOURCE}/squid.sysconfig %{BUILDROOT}/etc/sysconfig/squid
+ cp -vf %{DIR_SOURCE}/cache_swap.sh %{BUILDROOT}/usr/lib/squid/
+ chmod 755 %{BUILDROOT}/usr/lib/squid/cache_swap.sh
+ chown -Rv squid:squid %{BUILDROOT}/usr/lib/squid/cache_swap.sh
end
end
+create_user
+ getent group squid >/dev/null || /usr/sbin/groupadd -r squid
+ getent passwd squid >/dev/null || /usr/sbin/useradd -r -g squid \
+ -d /var/cache/squid -s /sbin/nologin squid
+end
+
packages
package %{name}
+ prerequires = shadow-utils systemd-units
+
+ configfiles
+ /etc/squid.conf
+ /etc/sysconfig/squid
+ end
+
+ script prein
+ %{create_user}
+ end
+
+ script postin
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ end
+
+ script preun
+ /bin/systemctl --no-reload disable squid.service >/dev/null 2>&1 || :
+ /bin/systemctl stop squid.service >/dev/null 2>&1 || :
+ end
+
+ script postun
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ end
+
+ script postup
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ /bin/systemctl try-restart squid.service >/dev/null 2>&1 || :
+ end
+
requires = /usr/bin/smbclient
filter_requires = perl\(Authen::Smb\)
--- /dev/null
+# default squid options
+SQUID_OPTS=""
+
+# Time to wait for Squid to shut down when asked. Should not be necessary
+# most of the time.
+SQUID_SHUTDOWN_TIMEOUT=100
+
+# default squid conf file
+SQUID_CONF="/etc/squid/squid.conf"
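Review bot: `SQUID_SHUTDOWN_TIMEOUT=100` is a dead knob: nothing else in this commit reads it, and the unit file added alongside stops the daemon with a plain `squid -k shutdown`, so an operator who raises it will see no effect. A value sourced via `EnvironmentFile=` also cannot feed `TimeoutStopSec=`, which does not expand environment variables, so the variable cannot simply be wired into the unit later. Either drop it or replace its comment with one that says what actually governs the wait, e.g. `# Not used by squid.service; the shutdown wait is controlled by shutdown_lifetime in squid.conf.`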
--- /dev/null
+[Unit]
+Description=Squid caching proxy
+After=syslog.target network.target
+
+[Service]
+Type=forking
+EnvironmentFile=/etc/sysconfig/squid
+ExecStartPre=/usr/lib/squid/cache_swap.sh
+ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF
+ExecReload=/usr/sbin/squid $SQUID_OPTS -k reconfigure -f $SQUID_CONF
+ExecStop=/usr/sbin/squid -k shutdown -f $SQUID_CONF
+
+[Install]
+WantedBy=multi-user.target
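Review bot: `ExecStartPre=/usr/lib/squid/cache_swap.sh` runs as root, since the unit sets no `User=`, while the install step in the squid.nm hunk (`chown -Rv squid:squid %{BUILDROOT}/usr/lib/squid/cache_swap.sh`, after `chmod 755`) makes that script owned and writable by the unprivileged service account; anyone who can act as `squid` can then place commands that root executes on the next restart. Keep the helper root-owned by removing that `chown` line and leaving the file at 0755 — squid itself only needs to execute it, and the cache directory it prepares is already chowned to `squid:squid` separately. Two smaller points, hedged because they depend on the target systemd version: `After=syslog.target` refers to a legacy target and `After=network.target` alone is normally sufficient, and `Type=forking` without a `PIDFile=` leaves systemd guessing the main PID, so consider adding the pid path squid is configured to write.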
###############################################################################
name = sudo
-version = 1.7.4p3
+version = 1.8.3
release = 1
groups = Base Applications/System
name = tcl
version = 8.5.10
-release = 1
+release = 2
groups = Development/Languages
url = http://tcl.sourceforge.net/
end
test
- make test
+ # Skip remote tests http, httpold and socket.
+ # Also skip unixInit-1.1. This test fails because "kill -PIPE"
+ # will be executed and we don't support that.
+ make test TESTFLAGS="-skip 'http* socket* unixInit-1.1'"
end
install_cmds
--- /dev/null
+###############################################################################
+# IPFire.org - An Open Source Firewall Solution #
+# Copyright (C) - IPFire Development Team <info@ipfire.org> #
+###############################################################################
+
+name = usb-modeswitch-data
+version = 20111023
+release = 1
+arch = noarch
+
+groups = Applications/System
+url = http://www.draisberghof.de/usb_modeswitch
+license = GPLv2
+summary = A USB mode switching tool.
+
+description
+ USB_ModeSwitch is (surprise!) a mode switching tool for controlling
+ "flip flop" (multiple device) USB gear.
+end
+
+source_dl = http://www.draisberghof.de/usb_modeswitch/
+sources = %{thisapp}.tar.bz2
+
+build
+ build
+ # Nothing to do here.
+ end
+
+ install
+ mkdir -pv %{BUILDROOT}/etc/usb_modeswitch.d/
+ mkdir -pv %{BUILDROOT}/lib/udev/rules.d/
+
+ install -p -m 644 usb_modeswitch.d/* %{BUILDROOT}/etc/usb_modeswitch.d/
+ install -p -m 644 40-usb_modeswitch.rules %{BUILDROOT}/lib/udev/rules.d/
+ end
+end
+
+packages
+ package %{name}
+ requires
+ udev
+ usb-modeswitch
+ end
+ end
+end
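Review bot: The `requires` block lists `usb-modeswitch` for the data package, while the usb-modeswitch hunk below adds `requires += usb-modeswitch-data` to the tool, so the two packages now require each other; a pure data package normally needs nothing at runtime, and the one-way dependency tool → data is enough, so drop `usb-modeswitch` from this `requires` block. `summary = A USB mode switching tool.` describes the binary rather than this package; something like `summary = Device database and udev rules for usb_modeswitch.` would distinguish the two in package listings. The udev rules file is installed into `/lib/udev/rules.d/` from a `noarch` package, which looks intentional but is worth a one-line comment above the `install -p -m 644 40-usb_modeswitch.rules` line.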
###############################################################################
name = usb-modeswitch
-version = 1.1.9
+version = 1.2.0
release = 1
groups = Applications/System
packages
package %{name}
+ requires += usb-modeswitch-data
+ end
end
name = xorg-x11-server
version = 1.8.2
-release = 3
+release = 4
maintainer = Stefan Schantl <stefan.schantl@ipfire.org>
groups = X/Server
pixman
udev
xkeyboard-config
+ xorg-x11-drv-evdev
+ xorg-x11-drv-keyboard
+ xorg-x11-drv-mouse
+ xorg-x11-drv-vesa
xorg-x11-fonts
xorg-x11-font-utils
xorg-x11-xkb-utils
--- /dev/null
+diff -up zlib-1.2.5/zlib.h.pom zlib-1.2.5/zlib.h
+--- zlib-1.2.5/zlib.h.pom 2010-04-20 06:12:48.000000000 +0200
++++ zlib-1.2.5/zlib.h 2010-06-16 13:08:59.000000000 +0200
+@@ -1578,7 +1578,7 @@ ZEXTERN int ZEXPORT inflateBackInit_ OF(
+ # define gzoffset gzoffset64
+ # define adler32_combine adler32_combine64
+ # define crc32_combine crc32_combine64
+-# ifdef _LARGEFILE64_SOURCE
++# ifndef _LARGEFILE64_SOURCE
+ ZEXTERN gzFile ZEXPORT gzopen64 OF((const char *, const char *));
+ ZEXTERN z_off_t ZEXPORT gzseek64 OF((gzFile, z_off_t, int));
+ ZEXTERN z_off_t ZEXPORT gztell64 OF((gzFile));
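Review bot: The new patch file carries no explanation of why `#  ifdef _LARGEFILE64_SOURCE` becomes `#  ifndef` in a public header, and the `.pom` suffix on the `diff -up` line suggests it was imported from another distribution without noting the origin. Since the guarded lines are prototype declarations for gzopen64/gzseek64/gztell64 that sit inside the block renaming gzopen to gzopen64, the change presumably makes those prototypes visible when `_FILE_OFFSET_BITS=64` is set but `_LARGEFILE64_SOURCE` is not, where the rename would otherwise leave the functions undeclared — worth confirming against the upstream fix before relying on it. Add a header above the `diff -up` line stating that motivation and the patch's source, e.g. `Declare the 64-bit gz* functions when _FILE_OFFSET_BITS=64 is used without _LARGEFILE64_SOURCE; taken from <origin placeholder>.`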
name = zlib
version = 1.2.5
-release = 1
+release = 2
groups = System/Libraries
url = http://www.gzip.org/zlib/