rpms/openssh/devel openssh-4.5p1-audit.patch, NONE, 1.1 openssh-4.5p1-redhat.patch, NONE, 1.1 openssh-4.5p1-selinux.patch, NONE, 1.1 openssh-4.5p1-vendor.patch, NONE, 1.1 .cvsignore, 1.18, 1.19 openssh.spec, 1.101, 1.102 sources, 1.18, 1.19 openssh-3.9p1-cve-2006-5051.patch, 1.1, NONE openssh-3.9p1-gssapimitm.patch, 1.1, NONE openssh-3.9p1-no-log-signal.patch, 1.2, NONE openssh-4.3p1-audit.patch, 1.3, NONE openssh-4.3p1-redhat.patch, 1.2, NONE openssh-4.3p1-vendor.patch, 1.1, NONE openssh-4.3p2-buffer-len.patch, 1.1, NONE openssh-4.3p2-configure-typo.patch, 1.1, NONE openssh-4.3p2-coverity-memleaks.patch, 1.1, NONE openssh-4.3p2-cve-2006-4924.patch, 1.1, NONE openssh-4.3p2-cve-2006-5794.patch, 1.1, NONE openssh-4.3p2-gssapi-no-spnego.patch, 1.2, NONE openssh-4.3p2-no-dup-logs.patch, 1.1, NONE openssh-4.3p2-scp-print-err.patch, 1.1, NONE openssh-selinux.patch, 1.18, NONE

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Thu Dec 21 13:42:49 UTC 2006


Author: tmraz

Update of /cvs/dist/rpms/openssh/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv2759

Modified Files:
	.cvsignore openssh.spec sources 
Added Files:
	openssh-4.5p1-audit.patch openssh-4.5p1-redhat.patch 
	openssh-4.5p1-selinux.patch openssh-4.5p1-vendor.patch 
Removed Files:
	openssh-3.9p1-cve-2006-5051.patch 
	openssh-3.9p1-gssapimitm.patch 
	openssh-3.9p1-no-log-signal.patch openssh-4.3p1-audit.patch 
	openssh-4.3p1-redhat.patch openssh-4.3p1-vendor.patch 
	openssh-4.3p2-buffer-len.patch 
	openssh-4.3p2-configure-typo.patch 
	openssh-4.3p2-coverity-memleaks.patch 
	openssh-4.3p2-cve-2006-4924.patch 
	openssh-4.3p2-cve-2006-5794.patch 
	openssh-4.3p2-gssapi-no-spnego.patch 
	openssh-4.3p2-no-dup-logs.patch 
	openssh-4.3p2-scp-print-err.patch openssh-selinux.patch 
Log Message:
* Thu Dec 21 2006 Tomas Mraz <tmraz at redhat.com> - 4.5p1-1
- update to 4.5p1 (#212606)


openssh-4.5p1-audit.patch:
 Makefile.in  |    3 ++-
 auth.c       |   10 ++++++++++
 config.h.in  |    3 +++
 configure.ac |   15 +++++++++++++++
 loginrec.c   |   56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 loginrec.h   |    4 ++++
 6 files changed, 90 insertions(+), 1 deletion(-)

--- NEW FILE openssh-4.5p1-audit.patch ---
--- openssh-4.5p1/loginrec.c.audit	2006-09-07 14:57:54.000000000 +0200
+++ openssh-4.5p1/loginrec.c	2006-12-21 12:17:35.000000000 +0100
@@ -175,6 +175,10 @@
 #include "auth.h"
 #include "buffer.h"
 
+#ifdef HAVE_LINUX_AUDIT
+# include <libaudit.h>
+#endif
+
 #ifdef HAVE_UTIL_H
 # include <util.h>
 #endif
@@ -201,6 +205,9 @@
 int utmpx_write_entry(struct logininfo *li);
 int wtmp_write_entry(struct logininfo *li);
 int wtmpx_write_entry(struct logininfo *li);
+#ifdef HAVE_LINUX_AUDIT
+int linux_audit_write_entry(struct logininfo *li);
+#endif
 int lastlog_write_entry(struct logininfo *li);
 int syslogin_write_entry(struct logininfo *li);
 
@@ -439,6 +446,10 @@
 
 	/* set the timestamp */
 	login_set_current_time(li);
+#ifdef HAVE_LINUX_AUDIT
+	if (linux_audit_write_entry(li) == 0)
+		fatal("linux_audit_write_entry failed: %s", strerror(errno));
+#endif
 #ifdef USE_LOGIN
 	syslogin_write_entry(li);
 #endif
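Review bot: The `strerror(errno)` in the added fatal() call can report a stale or unrelated errno: linux_audit_write_entry returns 0 from its `default:` branch without touching errno, and linux_audit_record_event (next hunk) calls `close(audit_fd)` between the failing audit_log_user_message and its return, so the errno of the actual failure may already be overwritten. Either preserve it in linux_audit_record_event (`int saved = errno; close(audit_fd); errno = saved;`) or drop the strerror from this message and let the callee log the specific cause. The enclosing function starts and ends outside the hunk.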
@@ -1393,6 +1404,51 @@
 }
 #endif /* USE_WTMPX */
 
+#ifdef HAVE_LINUX_AUDIT
+int
+linux_audit_record_event(int uid, const char *username,
+	const char *hostname, const char *ip, const char *ttyn, int success)
+{
+	char buf[64];
+	int audit_fd, rc;
+
+	audit_fd = audit_open();
+	if (audit_fd < 0) {
+	 	if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+					errno == EAFNOSUPPORT)
+			return 1; /* No audit support in kernel */
+		else
+			return 0; /* Must prevent login */
+	}
+	if (username == NULL)
+		snprintf(buf, sizeof(buf), "uid=%d", uid);
+	else
+		snprintf(buf, sizeof(buf), "acct=%s", username);
+	rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
+		buf, hostname, ip, ttyn, success);
+	close(audit_fd);
+	if (rc >= 0)
+		return 1;
+	else
+		return 0;
+}
+
+int
+linux_audit_write_entry(struct logininfo *li)
+{
+	switch(li->type) {
+	case LTYPE_LOGIN:
+		return (linux_audit_record_event(li->uid, NULL, li->hostname,
+			NULL, li->line, 1));
+	case LTYPE_LOGOUT:
+		return (1);	/* We only care about logins */
+	default:
+		logit("%s: invalid type field", __func__);
+		return (0);
+	}
+}
+#endif /* HAVE_LINUX_AUDIT */
+
 /**
  ** Low-level libutil login() functions
  **/
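Review bot: `buf[64]` silently truncates `acct=%s` for any username longer than 58 bytes, and the name goes into audit_log_user_message as part of a free-form message, so the failed-login callers in auth.c (which pass the login name exactly as the client sent it) can produce audit records whose account field is truncated and unescaped. If the libaudit in use provides audit_log_acct_message, it takes the account name as a separate argument and encodes it; otherwise check the snprintf return value and size the buffer for the longest name sshd accepts. `close(audit_fd)` would also conventionally be `audit_close(audit_fd)`.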
--- openssh-4.5p1/loginrec.h.audit	2006-08-05 04:39:40.000000000 +0200
+++ openssh-4.5p1/loginrec.h	2006-12-21 12:17:35.000000000 +0100
@@ -127,5 +127,9 @@
 char *line_abbrevname(char *dst, const char *src, int dstsize);
 
 void record_failed_login(const char *, const char *, const char *);
+#ifdef HAVE_LINUX_AUDIT
+int linux_audit_record_event(int uid, const char *username,
+	const char *hostname, const char *ip, const char *ttyn, int success);
+#endif /* HAVE_LINUX_AUDIT */
 
 #endif /* _HAVE_LOGINREC_H_ */
--- openssh-4.5p1/Makefile.in.audit	2006-10-23 23:44:47.000000000 +0200
+++ openssh-4.5p1/Makefile.in	2006-12-21 12:19:39.000000000 +0100
@@ -45,6 +45,7 @@
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 LIBS=@LIBS@
 LIBSELINUX=@LIBSELINUX@
+LIBAUDIT=@LIBAUDIT@
 SSHDLIBS=@SSHDLIBS@
 LIBEDIT=@LIBEDIT@
 LIBPAM=@LIBPAM@
@@ -139,7 +140,7 @@
 	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
 sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
-	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(SSHDLIBS) $(LIBS)
+	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(SSHDLIBS) $(LIBS)
 
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
 	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
--- openssh-4.5p1/config.h.in.audit	2006-11-07 14:07:01.000000000 +0100
+++ openssh-4.5p1/config.h.in	2006-12-21 12:17:35.000000000 +0100
@@ -1305,6 +1305,9 @@
 /* Define if you want SELinux support. */
 #undef WITH_SELINUX
 
+/* Define if you want Linux audit support. */
+#undef HAVE_LINUX_AUDIT
+
 /* Define to 1 if your processor stores words with the most significant byte
    first (like Motorola and SPARC, unlike Intel and VAX). */
 #undef WORDS_BIGENDIAN
--- openssh-4.5p1/configure.ac.audit	2006-12-21 12:17:34.000000000 +0100
+++ openssh-4.5p1/configure.ac	2006-12-21 12:17:35.000000000 +0100
@@ -3161,6 +3161,20 @@
 )
 AC_SUBST(LIBSELINUX)
 
+# Check whether user wants Linux audit support
+LINUX_AUDIT_MSG="no"
+LIBAUDIT=""
+AC_ARG_WITH(linux-audit,
+	[  --with-linux-audit   Enable Linux audit support],
+	[ if test "x$withval" != "xno" ; then
+		AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
+		LINUX_AUDIT_MSG="yes"
+		AC_CHECK_HEADERS(libaudit.h)
+		LIBAUDIT="-laudit"
+	fi
+	])
+AC_SUBST(LIBAUDIT)
+
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no"
 AC_ARG_WITH(kerberos5,
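Review bot: HAVE_LINUX_AUDIT is defined and `-laudit` added before `AC_CHECK_HEADERS(libaudit.h)` runs, and the header check's result is never consulted, so a `--with-linux-audit` build on a host without libaudit fails later at the `#include <libaudit.h>` in loginrec.c rather than at configure time. Move the define into the check's success branch, e.g. `AC_CHECK_HEADERS(libaudit.h, [AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])], [AC_MSG_ERROR([libaudit.h not found])])`, and consider an `AC_CHECK_LIB(audit, audit_open)` for the library itself. The SELinux block shown in the selinux patch below does check its header before enabling the feature.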
@@ -3982,6 +3996,7 @@
 echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
+echo "               Linux audit support: $LINUX_AUDIT_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
--- openssh-4.5p1/auth.c.audit	2006-10-27 17:10:16.000000000 +0200
+++ openssh-4.5p1/auth.c	2006-12-21 12:17:35.000000000 +0100
@@ -286,6 +286,12 @@
 		    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
 # endif
 #endif
+#if HAVE_LINUX_AUDIT
+	if (authenticated == 0 && !authctxt->postponed) {
+		linux_audit_record_event(-1, authctxt->user, NULL,
+			get_remote_ipaddr(), "sshd", 0);
+	}
+#endif
 #ifdef SSH_AUDIT_EVENTS
 	if (authenticated == 0 && !authctxt->postponed)
 		audit_event(audit_classify_auth(method));
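Review bot: `#if HAVE_LINUX_AUDIT` here differs from the `#ifdef HAVE_LINUX_AUDIT` used in the second auth.c hunk and in loginrec.c; it only works because config.h defines the macro as 1, so make it `#ifdef` for consistency. The return value of linux_audit_record_event is also discarded in both auth.c hunks, whereas loginrec.c treats the same 0 return as fatal; if failed-login records are meant to be reliable when auditd is present, at least log the failure, e.g. `if (!linux_audit_record_event(...)) logit("%s: audit record failed", __func__);`. The enclosing function starts and ends outside the hunk.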
@@ -492,6 +498,10 @@
 		record_failed_login(user,
 		    get_canonical_hostname(options.use_dns), "ssh");
 #endif
+#ifdef HAVE_LINUX_AUDIT
+		linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
+			"sshd", 0);
+#endif
 #ifdef SSH_AUDIT_EVENTS
 		audit_event(SSH_INVALID_USER);
 #endif /* SSH_AUDIT_EVENTS */

openssh-4.5p1-redhat.patch:
 ssh_config    |   10 ++++++++++
 sshd_config   |   12 ++++++++++++
 sshd_config.0 |    6 +++---
 sshd_config.5 |    2 +-
 4 files changed, 26 insertions(+), 4 deletions(-)

--- NEW FILE openssh-4.5p1-redhat.patch ---
--- openssh-4.5p1/sshd_config.0.redhat	2006-11-07 14:07:28.000000000 +0100
+++ openssh-4.5p1/sshd_config.0	2006-12-20 22:04:16.000000000 +0100
@@ -430,9 +430,9 @@
 
      SyslogFacility
              Gives the facility code that is used when logging messages from
-             sshd(8).  The possible values are: DAEMON, USER, AUTH, LOCAL0,
-             LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  The de-
-             fault is AUTH.
+             sshd(8).  The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
+             LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+             The default is AUTH.
 
      TCPKeepAlive
              Specifies whether the system should send TCP keepalive messages
--- openssh-4.5p1/sshd_config.redhat	2006-07-24 06:06:47.000000000 +0200
+++ openssh-4.5p1/sshd_config	2006-12-20 21:59:15.000000000 +0100
@@ -12,6 +12,7 @@
 
 #Port 22
 #Protocol 2,1
+Protocol 2
 #AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::
@@ -29,6 +30,7 @@
 # Logging
 # obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
+SyslogFacility AUTHPRIV
 #LogLevel INFO
 
 # Authentication:
@@ -55,9 +57,11 @@
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
+PasswordAuthentication yes
 
 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
 
 # Kerberos options
 #KerberosAuthentication no
@@ -67,7 +71,9 @@
 
 # GSSAPI options
 #GSSAPIAuthentication no
+GSSAPIAuthentication yes
 #GSSAPICleanupCredentials yes
+GSSAPICleanupCredentials yes
 
 # Set this to 'yes' to enable PAM authentication, account processing, 
 # and session processing. If this is enabled, PAM authentication will 
@@ -79,10 +85,16 @@
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 #UsePAM no
+UsePAM yes
 
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
+AcceptEnv LC_IDENTIFICATION LC_ALL
 #AllowTcpForwarding yes
 #GatewayPorts no
 #X11Forwarding no
+X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PrintMotd yes
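Review bot: `X11Forwarding yes` changes a security-relevant upstream default without a comment, while the ssh_config hunk in this same patch does explain its `ForwardX11Trusted yes`; add a one-line rationale above it, e.g. `# X11 forwarding is enabled by default on this distribution; set to no on hosts that do not need it.` The two `AcceptEnv` continuation lines carry trailing whitespace, as do the `SendEnv` lines in the ssh_config hunk.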
--- openssh-4.5p1/ssh_config.redhat	2006-06-13 05:01:10.000000000 +0200
+++ openssh-4.5p1/ssh_config	2006-12-20 21:59:15.000000000 +0100
@@ -42,3 +42,13 @@
 #   Tunnel no
 #   TunnelDevice any:any
 #   PermitLocalCommand no
+Host *
+	GSSAPIAuthentication yes
+# If this option is set to yes then remote X11 clients will have full access
+# to the original X11 display. As virtually no X11 client supports the untrusted
+# mode correctly we set this to yes.
+	ForwardX11Trusted yes
+# Send locale-related environment variables
+	SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
+	SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
+	SendEnv LC_IDENTIFICATION LC_ALL
--- openssh-4.5p1/sshd_config.5.redhat	2006-08-30 03:06:34.000000000 +0200
+++ openssh-4.5p1/sshd_config.5	2006-12-20 22:05:18.000000000 +0100
@@ -740,7 +740,7 @@
 .It Cm SyslogFacility
 Gives the facility code that is used when logging messages from
 .Xr sshd 8 .
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is AUTH.
 .It Cm TCPKeepAlive

openssh-4.5p1-selinux.patch:
 auth.h                      |    1 +
 auth1.c                     |   10 +++++++++-
 auth2.c                     |   10 ++++++++--
 configure.ac                |   10 +++++++++-
 monitor.c                   |   20 ++++++++++++++++++++
 monitor.h                   |    2 +-
 monitor_wrap.c              |   17 +++++++++++++++++
 monitor_wrap.h              |    1 +
 openbsd-compat/port-linux.c |   32 +++++++++++++++++++++++++-------
 9 files changed, 91 insertions(+), 12 deletions(-)

--- NEW FILE openssh-4.5p1-selinux.patch ---
--- openssh-4.5p1/auth.h.selinux	2006-08-18 16:32:46.000000000 +0200
+++ openssh-4.5p1/auth.h	2006-12-20 22:10:48.000000000 +0100
@@ -58,6 +58,7 @@
 	char		*service;
 	struct passwd	*pw;		/* set if 'valid' */
 	char		*style;
+	char		*role;
 	void		*kbdintctxt;
 #ifdef BSD_AUTH
 	auth_session_t	*as;
--- openssh-4.5p1/auth1.c.selinux	2006-12-20 22:10:35.000000000 +0100
+++ openssh-4.5p1/auth1.c	2006-12-20 22:10:48.000000000 +0100
@@ -388,7 +388,7 @@
 do_authentication(Authctxt *authctxt)
 {
 	u_int ulen;
-	char *user, *style = NULL;
+	char *user, *style = NULL, *role=NULL;
 
 	/* Get the name of the user that we wish to log in as. */
 	packet_read_expect(SSH_CMSG_USER);
@@ -397,11 +397,19 @@
 	user = packet_get_string(&ulen);
 	packet_check_eom();
 
+	if ((role = strchr(user, '/')) != NULL)
+		*role++ = '\0';
+
 	if ((style = strchr(user, ':')) != NULL)
 		*style++ = '\0';
+	else
+		if (role && (style = strchr(role, ':')) != NULL)
+			*style++ = '\0';
+			
 
 	authctxt->user = user;
 	authctxt->style = style;
+	authctxt->role = role;
 
 	/* Verify that the user is a valid user. */
 	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
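Review bot: In this protocol-1 path `role` is left pointing into the `user` buffer (`*role++ = '\0'` only splits it) and stored on authctxt without a copy, whereas the auth2.c hunk does `xstrdup(role)`; whatever later frees `user` also invalidates `authctxt->role`. No mm_inform_authrole call is added on this path either, so under privilege separation the monitor's authctxt — the one port-linux.c reads through the_authctxt — presumably never sees the protocol-1 role; confirm whether that is intended. The `else` followed by `if` on its own line, plus the whitespace-only line after it, should be `} else if (role && (style = strchr(role, ':')) != NULL)`. do_authentication() continues outside the hunk.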
--- openssh-4.5p1/monitor.c.selinux	2006-11-07 13:16:08.000000000 +0100
+++ openssh-4.5p1/monitor.c	2006-12-20 22:10:48.000000000 +0100
@@ -133,6 +133,7 @@
 int mm_answer_pwnamallow(int, Buffer *);
 int mm_answer_auth2_read_banner(int, Buffer *);
 int mm_answer_authserv(int, Buffer *);
+int mm_answer_authrole(int, Buffer *);
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
@@ -204,6 +205,7 @@
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+    {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
@@ -653,6 +655,7 @@
 	else {
 		/* Allow service/style information on the auth context */
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 	}
 
@@ -698,6 +701,23 @@
 }
 
 int
+mm_answer_authrole(int sock, Buffer *m)
+{
+	monitor_permit_authentications(1);
+
+	authctxt->role = buffer_get_string(m, NULL);
+	debug3("%s: role=%s",
+	    __func__, authctxt->role);
+
+	if (strlen(authctxt->role) == 0) {
+		xfree(authctxt->role);
+		authctxt->role = NULL;
+	}
+
+	return (0);
+}
+
+int
 mm_answer_authpassword(int sock, Buffer *m)
 {
 	static int call_count;
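Review bot: mm_answer_authrole stores a string that originates from the unauthenticated client (relayed by the unprivileged child) on the privileged monitor's authctxt with no validation beyond the empty-string case, and port-linux.c later hands it to libselinux. That is acceptable only because get_default_context_with_role()/_with_rolelevel() presumably reject roles outside the user's permitted contexts — confirm — so state it here: `/* role is client-supplied; libselinux validates it against the user's allowed contexts in ssh_selinux_getctxbyname() */`. The request is MON_ONCE, so a second message cannot leak the first allocation, which is worth a short comment too.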
--- openssh-4.5p1/openbsd-compat/port-linux.c.selinux	2006-09-01 07:38:41.000000000 +0200
+++ openssh-4.5p1/openbsd-compat/port-linux.c	2006-12-21 12:15:59.000000000 +0100
@@ -30,11 +30,16 @@
 #ifdef WITH_SELINUX
 #include "log.h"
 #include "port-linux.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
 
 #include <selinux/selinux.h>
 #include <selinux/flask.h>
 #include <selinux/get_context_list.h>
 
+extern Authctxt *the_authctxt;
+
 /* Wrapper around is_selinux_enabled() to log its return value once only */
 static int
 ssh_selinux_enabled(void)
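Review bot: `extern Authctxt *the_authctxt;` pulls an sshd-only global (and key.h/hostfile.h/auth.h) into openbsd-compat, which is otherwise link-independent of sshd; anything else that links port-linux.c with WITH_SELINUX now needs that symbol. Passing the role into ssh_selinux_getctxbyname() as a parameter, or adding a small setter in port-linux.h, would keep the compat layer self-contained. A comment on the extern saying where it is defined would help at minimum.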
@@ -53,23 +58,36 @@
 static security_context_t
 ssh_selinux_getctxbyname(char *pwname)
 {
-	security_context_t sc;
-	char *sename = NULL, *lvl = NULL;
-	int r;
+	security_context_t sc = NULL;
+	char *sename, *lvl;
+	char *role = NULL;
+	int r = 0;
 
+	if (the_authctxt) 
+		role=the_authctxt->role;
 #ifdef HAVE_GETSEUSERBYNAME
-	if (getseuserbyname(pwname, &sename, &lvl) != 0)
-		return NULL;
+	if (r=getseuserbyname(pwname, &sename, &lvl) != 0) {
+		sename = NULL;
+		lvl = NULL;
+	}
 #else
 	sename = pwname;
 	lvl = NULL;
 #endif
 
+	if (r == 0) {
 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
-	r = get_default_context_with_level(sename, lvl, NULL, &sc);
+		if (role != NULL && role[0])
+			r = get_default_context_with_rolelevel(sename, role, lvl, NULL, &sc);
+		else
+			r = get_default_context_with_level(sename, lvl, NULL, &sc);
 #else
-	r = get_default_context(sename, NULL, &sc);
+		if (role != NULL && role[0])
+			r = get_default_context_with_role(sename, role, NULL, &sc);
+		else
+			r = get_default_context(sename, NULL, &sc);
 #endif
+	}
 
 	if (r != 0) {
 		switch (security_getenforce()) {
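Review bot: `if (r=getseuserbyname(pwname, &sename, &lvl) != 0)` parses as `r = (getseuserbyname(...) != 0)`, so r becomes 1 rather than the call's return value; the later `r == 0` / `r != 0` tests still behave, but the real error code is lost and the line trips -Wparentheses. Write `if ((r = getseuserbyname(pwname, &sename, &lvl)) != 0) {`. Note that on this failure the function no longer returns NULL as before but falls through to the enforcing-mode check below, which looks intended but deserves a comment. ssh_selinux_getctxbyname() continues past the end of the hunk.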
--- openssh-4.5p1/configure.ac.selinux	2006-12-20 22:10:35.000000000 +0100
+++ openssh-4.5p1/configure.ac	2006-12-21 11:18:48.000000000 +0100
@@ -3137,8 +3137,16 @@
 SELINUX_MSG="no"
 LIBSELINUX=""
 AC_ARG_WITH(selinux,
-	[  --with-selinux   Enable SELinux support],
+	[  --with-selinux[[=LIBSELINUX-PATH]]   Enable SELinux support],
 	[ if test "x$withval" != "xno" ; then
+		if test "x$withval" != "xyes"; then
+			CPPFLAGS="$CPPFLAGS -I${withval}/include"
+			if test -n "${need_dash_r}"; then
+				LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+			else
+				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+			fi
+        	fi 
 		AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
 		SELINUX_MSG="yes"
 		AC_CHECK_HEADER([selinux/selinux.h], ,
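Review bot: The closing `fi` of the new path block is indented with spaces followed by a tab and carries trailing whitespace, unlike the tab-indented lines around it. `${withval}` is also spliced into CPPFLAGS/LDFLAGS unquoted, so a path containing spaces breaks the flags; the same pattern exists in upstream blocks, so this is consistent but worth a comment if kept.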
--- openssh-4.5p1/auth2.c.selinux	2006-08-05 04:39:39.000000000 +0200
+++ openssh-4.5p1/auth2.c	2006-12-20 22:10:48.000000000 +0100
@@ -145,7 +145,7 @@
 {
 	Authctxt *authctxt = ctxt;
 	Authmethod *m = NULL;
-	char *user, *service, *method, *style = NULL;
+	char *user, *service, *method, *style = NULL, *role = NULL;
 	int authenticated = 0;
 
 	if (authctxt == NULL)
@@ -157,6 +157,9 @@
 	debug("userauth-request for user %s service %s method %s", user, service, method);
 	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
 
+	if ((role = strchr(user, '/')) != NULL)
+		*role++ = 0;
+
 	if ((style = strchr(user, ':')) != NULL)
 		*style++ = 0;
 
@@ -182,8 +185,11 @@
 		    use_privsep ? " [net]" : "");
 		authctxt->service = xstrdup(service);
 		authctxt->style = style ? xstrdup(style) : NULL;
-		if (use_privsep)
+		authctxt->role = role ? xstrdup(role) : NULL;
+		if (use_privsep) {
 			mm_inform_authserv(service, style);
+			mm_inform_authrole(role);
+		}
 	} else if (strcmp(user, authctxt->user) != 0 ||
 	    strcmp(service, authctxt->service) != 0) {
 		packet_disconnect("Change of username or service not allowed: "
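Review bot: The role is stripped off `user` (previous hunk) before the `else if` comparison here, and only the first request's role is stored, so a later userauth request naming a different role is neither rejected nor applied — silently, where a changed username or service is a disconnect. If the role is meant to be fixed for the session, compare `role` against `authctxt->role` in that condition too (treating NULL and empty alike), or add a comment stating that roles on subsequent requests are ignored. The enclosing function starts and ends outside the hunk.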
--- openssh-4.5p1/monitor_wrap.h.selinux	2006-08-05 04:39:40.000000000 +0200
+++ openssh-4.5p1/monitor_wrap.h	2006-12-20 22:10:48.000000000 +0100
@@ -41,6 +41,7 @@
 DH *mm_choose_dh(int, int, int);
 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
 void mm_inform_authserv(char *, char *);
+void mm_inform_authrole(char *);
 struct passwd *mm_getpwnamallow(const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct Authctxt *, char *);
--- openssh-4.5p1/monitor_wrap.c.selinux	2006-09-01 07:38:37.000000000 +0200
+++ openssh-4.5p1/monitor_wrap.c	2006-12-20 22:10:48.000000000 +0100
@@ -282,6 +282,23 @@
 	buffer_free(&m);
 }
 
+/* Inform the privileged process about role */
+
+void
+mm_inform_authrole(char *role)
+{
+	Buffer m;
+
+	debug3("%s entering", __func__);
+
+	buffer_init(&m);
+	buffer_put_cstring(&m, role ? role : "");
+
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+	buffer_free(&m);
+}
+
 /* Do the password authentication */
 int
 mm_auth_password(Authctxt *authctxt, char *password)
--- openssh-4.5p1/monitor.h.selinux	2006-03-26 05:30:02.000000000 +0200
+++ openssh-4.5p1/monitor.h	2006-12-20 22:10:35.000000000 +0100
@@ -30,7 +30,7 @@
 
 enum monitor_reqtype {
 	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
-	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE,
 	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
 	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
 	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
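Review bot: `MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE,` is missing the space after the comma used everywhere else in this enum. Inserting mid-enum also renumbers every later request type; that is harmless because both ends of the monitor socket come from the same binary, but appending at the end keeps the numbering stable for anyone comparing debug traces across builds.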

openssh-4.5p1-vendor.patch:
 configure.ac  |    7 +++++++
 servconf.c    |   10 ++++++++++
 servconf.h    |    1 +
 sshd.c        |    6 ++++--
 sshd_config   |    1 +
 sshd_config.0 |    5 +++++
 sshd_config.5 |    8 ++++++++
 7 files changed, 36 insertions(+), 2 deletions(-)

--- NEW FILE openssh-4.5p1-vendor.patch ---
--- openssh-4.5p1/servconf.h.vendor	2006-08-18 16:23:15.000000000 +0200
+++ openssh-4.5p1/servconf.h	2006-12-20 22:06:27.000000000 +0100
@@ -120,6 +120,7 @@
 	int	max_startups;
 	int	max_authtries;
 	char   *banner;			/* SSH-2 banner message */
+	int	show_patchlevel;	/* Show vendor patch level to clients */
 	int	use_dns;
 	int	client_alive_interval;	/*
 					 * poke the client this often to
--- openssh-4.5p1/sshd_config.vendor	2006-12-20 22:06:27.000000000 +0100
+++ openssh-4.5p1/sshd_config	2006-12-20 22:06:27.000000000 +0100
@@ -106,6 +106,7 @@
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
+#ShowPatchLevel no
 #UseDNS yes
 #PidFile /var/run/sshd.pid
 #MaxStartups 10
--- openssh-4.5p1/sshd.c.vendor	2006-11-07 13:14:42.000000000 +0100
+++ openssh-4.5p1/sshd.c	2006-12-20 22:06:27.000000000 +0100
@@ -418,7 +418,8 @@
 		major = PROTOCOL_MAJOR_1;
 		minor = PROTOCOL_MINOR_1;
 	}
-	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);
+	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor,
+		 (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION);
 	server_version_string = xstrdup(buf);
 
 	/* Send our protocol version identification. */
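Review bot: The identification string built here is sent for both protocol versions, yet the sshd_config.5 text added by this same patch says ShowPatchLevel "applies to protocol version 1 only"; one of the two is wrong, and if the code is as intended the man page sentence should go. `(options.show_patchlevel == 1)` can simply be `options.show_patchlevel`, since servconf.c fills it via parse_flag and defaults it to 0. The enclosing function starts and ends outside the hunk.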
@@ -1429,7 +1430,8 @@
 		exit(1);
 	}
 
-	debug("sshd version %.100s", SSH_RELEASE);
+	debug("sshd version %.100s",
+	      (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE);
 
 	/* Store privilege separation user for later use if required. */
 	if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
--- openssh-4.5p1/configure.ac.vendor	2006-12-20 22:06:27.000000000 +0100
+++ openssh-4.5p1/configure.ac	2006-12-20 22:06:27.000000000 +0100
@@ -3729,6 +3729,12 @@
 		fi
 	]
 )
+AC_ARG_ENABLE(vendor-patchlevel,
+  [  --enable-vendor-patchlevel=TAG  specify a vendor patch level],
+  [AC_DEFINE_UNQUOTED(SSH_VENDOR_PATCHLEVEL,[SSH_RELEASE "-" "$enableval"],[Define to your vendor patch level, if it has been modified from the upstream source release.])
+   SSH_VENDOR_PATCHLEVEL="$enableval"],
+  [AC_DEFINE(SSH_VENDOR_PATCHLEVEL,SSH_RELEASE,[Define to your vendor patch level, if it has been modified from the upstream source release.])
+   SSH_VENDOR_PATCHLEVEL=none])
 
 dnl lastlog, [uw]tmpx? detection
 dnl  NOTE: set the paths in the platform section to avoid the
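Review bot: `$enableval` is interpolated unquoted into a C string literal in the AC_DEFINE_UNQUOTED, so a tag containing `"` or a backslash produces an unparseable config.h; the value is build-time input, but a short sanity check before the define (for example rejecting anything outside `[A-Za-z0-9._-]` with AC_MSG_ERROR) would fail early with a clear message. The fallback branch defines SSH_VENDOR_PATCHLEVEL to SSH_RELEASE, so sshd.c can use it unconditionally, which is worth a one-line comment there.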
@@ -3978,6 +3984,7 @@
 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
 echo "              Random number source: $RAND_MSG"
+echo "                Vendor patch level: $SSH_VENDOR_PATCHLEVEL"
 if test ! -z "$USE_RAND_HELPER" ; then
 echo "     ssh-rand-helper collects from: $RAND_HELPER_MSG"
 fi
--- openssh-4.5p1/sshd_config.0.vendor	2006-12-20 22:06:27.000000000 +0100
+++ openssh-4.5p1/sshd_config.0	2006-12-20 22:06:27.000000000 +0100
@@ -413,6 +413,11 @@
              Defines the number of bits in the ephemeral protocol version 1
              server key.  The minimum value is 512, and the default is 768.
 
+     ShowPatchLevel
+	     Specifies whether sshd will display the specific patch level of
+	     the binary in the server identification string.  The patch level
+	     is set at compile-time.  The default is M-bM-^@M-^\noM-bM-^@M-^].
+
      StrictModes
              Specifies whether sshd(8) should check file modes and ownership
              of the user's files and home directory before accepting login.
--- openssh-4.5p1/servconf.c.vendor	2006-08-18 16:23:15.000000000 +0200
+++ openssh-4.5p1/servconf.c	2006-12-20 22:08:41.000000000 +0100
@@ -113,6 +113,7 @@
 	options->max_startups = -1;
 	options->max_authtries = -1;
 	options->banner = NULL;
+	options->show_patchlevel = -1;
 	options->use_dns = -1;
 	options->client_alive_interval = -1;
 	options->client_alive_count_max = -1;
@@ -250,6 +251,9 @@
 	if (options->permit_tun == -1)
 		options->permit_tun = SSH_TUNMODE_NO;
 
+	if (options->show_patchlevel == -1)
+		options->show_patchlevel = 0;
+
 	/* Turn privilege separation on by default */
 	if (use_privsep == -1)
 		use_privsep = 1;
@@ -293,6 +297,7 @@
 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand,
 	sUsePrivilegeSeparation,
+	sShowPatchLevel,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -390,6 +395,7 @@
 	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
 	{ "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
 	{ "banner", sBanner, SSHCFG_GLOBAL },
+	{ "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL },
 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1006,6 +1012,10 @@
 		intptr = &use_privsep;
 		goto parse_flag;
 
+	case sShowPatchLevel:
+		intptr = &options->show_patchlevel;
+		goto parse_flag;
+
 	case sAllowUsers:
 		while ((arg = strdelim(&cp)) && *arg != '\0') {
 			if (options->num_allow_users >= MAX_ALLOW_USERS)
--- openssh-4.5p1/sshd_config.5.vendor	2006-12-20 22:06:27.000000000 +0100
+++ openssh-4.5p1/sshd_config.5	2006-12-20 22:06:27.000000000 +0100
@@ -717,6 +717,14 @@
 .It Cm ServerKeyBits
 Defines the number of bits in the ephemeral protocol version 1 server key.
 The minimum value is 512, and the default is 768.
+.It Cm ShowPatchLevel
+Specifies whether
+.Nm sshd
+will display the patch level of the binary in the identification string.
+The patch level is set at compile-time.
+The default is
+.Dq no .
+This option applies to protocol version 1 only.
 .It Cm StrictModes
 Specifies whether
 .Xr sshd 8


Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/openssh/devel/.cvsignore,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- .cvsignore	13 Feb 2006 14:11:40 -0000	1.18
+++ .cvsignore	21 Dec 2006 13:42:47 -0000	1.19
@@ -1 +1 @@
-openssh-4.3p2-noacss.tar.bz2
+openssh-4.5p1-noacss.tar.bz2


Index: openssh.spec
===================================================================
RCS file: /cvs/dist/rpms/openssh/devel/openssh.spec,v
retrieving revision 1.101
retrieving revision 1.102
diff -u -r1.101 -r1.102
--- openssh.spec	30 Nov 2006 10:50:12 -0000	1.101
+++ openssh.spec	21 Dec 2006 13:42:47 -0000	1.102
@@ -60,8 +60,8 @@
 
 Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
 Name: openssh
-Version: 4.3p2
-Release: 14%{?dist}%{?rescue_rel}
+Version: 4.5p1
+Release: 1%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig
@@ -69,34 +69,23 @@
 # removes the ACSS cipher.
 Source0: openssh-%{version}-noacss.tar.bz2
 Source1: openssh-nukeacss.sh
-Patch0: openssh-4.3p1-redhat.patch
+Patch0: openssh-4.5p1-redhat.patch
 Patch2: openssh-3.8.1p1-skip-initial.patch
 Patch3: openssh-3.8.1p1-krb5-config.patch
-Patch4: openssh-4.3p1-vendor.patch
+Patch4: openssh-4.5p1-vendor.patch
 Patch5: openssh-4.3p2-initscript.patch
-Patch12: openssh-selinux.patch
-Patch16: openssh-4.3p1-audit.patch
-Patch20: openssh-3.9p1-gssapimitm.patch
+Patch12: openssh-4.5p1-selinux.patch
+Patch16: openssh-4.5p1-audit.patch
 Patch22: openssh-3.9p1-askpass-keep-above.patch
-Patch23: openssh-3.9p1-no-log-signal.patch
 Patch24: openssh-4.3p1-fromto-remote.patch
-Patch25: openssh-4.3p2-scp-print-err.patch
 Patch26: openssh-4.2p1-pam-no-stack.patch
 Patch27: openssh-3.9p1-log-in-chroot.patch
 Patch30: openssh-4.0p1-exit-deadlock.patch
 Patch31: openssh-3.9p1-skip-used.patch
 Patch35: openssh-4.2p1-askpass-progress.patch
-Patch36: openssh-4.3p2-buffer-len.patch
-Patch37: openssh-4.3p2-configure-typo.patch
 Patch38: openssh-4.3p2-askpass-grab-info.patch
 Patch39: openssh-4.3p2-no-v6only.patch
-Patch40: openssh-4.3p2-coverity-memleaks.patch
-Patch41: openssh-4.3p2-gssapi-no-spnego.patch
-Patch42: openssh-4.3p2-no-dup-logs.patch
 Patch44: openssh-4.3p2-allow-ip-opts.patch
-Patch45: openssh-4.3p2-cve-2006-4924.patch
-Patch46: openssh-3.9p1-cve-2006-5051.patch
-Patch47: openssh-4.3p2-cve-2006-5794.patch
 Patch48: openssh-4.3p2-pam-session.patch
 Patch49: openssh-4.3p2-gssapi-canohost.patch
 License: BSD
@@ -212,27 +201,16 @@
 %patch16 -p1 -b .audit
 %endif
 
-#%patch20 -p0 -b .gssapimitm
 %patch22 -p1 -b .keep-above
-%patch23 -p1 -b .signal
 %patch24 -p1 -b .fromto-remote
-%patch25 -p1 -b .print-err
 %patch26 -p1 -b .stack
 %patch27 -p1 -b .log-chroot
 %patch30 -p1 -b .exit-deadlock
 %patch31 -p1 -b .skip-used
 %patch35 -p1 -b .progress
-%patch36 -p0 -b .buffer-len
-%patch37 -p1 -b .typo
 %patch38 -p1 -b .grab-info
 %patch39 -p1 -b .no-v6only
-%patch40 -p1 -b .memleaks
-%patch41 -p1 -b .no-spnego
-%patch42 -p1 -b .no-dups
 %patch44 -p1 -b .ip-opts
-%patch45 -p1 -b .deattack-dos
-%patch46 -p1 -b .sig-no-cleanup
-%patch47 -p1 -b .verify
 %patch48 -p1 -b .pam-sesssion
 %patch49 -p1 -b .canohost
 
@@ -393,10 +371,10 @@
 
 %pre server
 %if %{nologin}
-/usr/sbin/useradd -c "Privilege-separated SSH" -u 74 \
+/usr/sbin/useradd -c "Privilege-separated SSH" -u %{sshd_uid} \
 	-s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
 %else
-/usr/sbin/useradd -c "Privilege-separated SSH" -u 74 \
+/usr/sbin/useradd -c "Privilege-separated SSH" -u %{sshd_uid} \
 	-s /dev/null -r -d /var/empty/sshd sshd 2> /dev/null || :
 %endif
 
@@ -479,6 +457,9 @@
 %endif
 
 %changelog
+* Thu Dec 21 2006 Tomas Mraz <tmraz at redhat.com> - 4.5p1-1
+- update to 4.5p1 (#212606)
+
 * Thu Nov 30 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-14
 - fix gssapi with DNS loadbalanced clusters (#216857)
 


Index: sources
===================================================================
RCS file: /cvs/dist/rpms/openssh/devel/sources,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- sources	13 Feb 2006 14:11:41 -0000	1.18
+++ sources	21 Dec 2006 13:42:47 -0000	1.19
@@ -1 +1 @@
-8dcce96be628a67ce992f089d9db81ff  openssh-4.3p2-noacss.tar.bz2
+9ef9bf019945105f2ac1760c95c9b339  openssh-4.5p1-noacss.tar.bz2


--- openssh-3.9p1-cve-2006-5051.patch DELETED ---


--- openssh-3.9p1-gssapimitm.patch DELETED ---


--- openssh-3.9p1-no-log-signal.patch DELETED ---


--- openssh-4.3p1-audit.patch DELETED ---


--- openssh-4.3p1-redhat.patch DELETED ---


--- openssh-4.3p1-vendor.patch DELETED ---


--- openssh-4.3p2-buffer-len.patch DELETED ---


--- openssh-4.3p2-configure-typo.patch DELETED ---


--- openssh-4.3p2-coverity-memleaks.patch DELETED ---


--- openssh-4.3p2-cve-2006-4924.patch DELETED ---


--- openssh-4.3p2-cve-2006-5794.patch DELETED ---


--- openssh-4.3p2-gssapi-no-spnego.patch DELETED ---


--- openssh-4.3p2-no-dup-logs.patch DELETED ---


--- openssh-4.3p2-scp-print-err.patch DELETED ---


--- openssh-selinux.patch DELETED ---



