diff options
Diffstat (limited to 'contrib')
| -rw-r--r-- | contrib/Makefile | 7 | ||||
| -rw-r--r-- | contrib/README | 2 | ||||
| -rw-r--r-- | contrib/aix/README | 3 | ||||
| -rwxr-xr-x | contrib/aix/buildbff.sh | 17 | ||||
| -rwxr-xr-x | contrib/aix/inventory.sh | 1 | ||||
| -rw-r--r-- | contrib/cygwin/Makefile | 11 | ||||
| -rw-r--r-- | contrib/cygwin/README | 5 | ||||
| -rw-r--r-- | contrib/cygwin/ssh-host-config | 104 | ||||
| -rw-r--r-- | contrib/cygwin/ssh-user-config | 2 | ||||
| -rw-r--r-- | contrib/findssl.sh | 2 | ||||
| -rw-r--r-- | contrib/gnome-ssh-askpass2.c | 143 | ||||
| -rw-r--r-- | contrib/redhat/openssh.spec | 118 | ||||
| -rwxr-xr-x | contrib/redhat/sshd.init | 1 | ||||
| -rwxr-xr-x | contrib/redhat/sshd.init.old | 17 | ||||
| -rw-r--r-- | contrib/solaris/README | 2 | ||||
| -rw-r--r-- | contrib/ssh-copy-id | 72 | ||||
| -rw-r--r-- | contrib/ssh-copy-id.1 | 7 | ||||
| -rw-r--r-- | contrib/suse/openssh.spec | 10 |
18 files changed, 290 insertions, 234 deletions
diff --git a/contrib/Makefile b/contrib/Makefile index eaf7fe2f..3a36387b 100644 --- a/contrib/Makefile +++ b/contrib/Makefile @@ -13,5 +13,10 @@ gnome-ssh-askpass2: gnome-ssh-askpass2.c gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \ `$(PKG_CONFIG) --libs gtk+-2.0 x11` +gnome-ssh-askpass3: gnome-ssh-askpass2.c + $(CC) $(CFLAGS) `$(PKG_CONFIG) --cflags gtk+-3.0` \ + gnome-ssh-askpass2.c -o gnome-ssh-askpass3 \ + `$(PKG_CONFIG) --libs gtk+-3.0 x11` + clean: - rm -f *.o gnome-ssh-askpass1 gnome-ssh-askpass2 gnome-ssh-askpass + rm -f *.o gnome-ssh-askpass gnome-ssh-askpass[123] diff --git a/contrib/README b/contrib/README index c0022386..60e19ba9 100644 --- a/contrib/README +++ b/contrib/README @@ -11,7 +11,7 @@ which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or https CONNECT style proxy server. His page for connect.c has extensive documentation on its use as well as compiled versions for Win32. -http://www.taiyo.co.jp/~gotoh/ssh/connect.html +https://bitbucket.org/gotoh/connect/wiki/Home X11 SSH Askpass: diff --git a/contrib/aix/README b/contrib/aix/README index 2a299350..1aa59197 100644 --- a/contrib/aix/README +++ b/contrib/aix/README @@ -35,7 +35,7 @@ The script treats all packages as USR packages (not ROOT+USR when appropriate). It seems to work, though...... If there are any patches to this that have not yet been integrated they -may be found at http://www.zip.com.au/~dtucker/openssh/. +may be found at http://www.dtucker.net/openssh/. Disclaimer: @@ -47,4 +47,3 @@ you get to keep both pieces. - Darren Tucker (dtucker at zip dot com dot au) 2002/03/01 -$Id: README,v 1.4 2003/08/25 05:01:04 dtucker Exp $ diff --git a/contrib/aix/buildbff.sh b/contrib/aix/buildbff.sh index 81d8cc30..55113d9d 100755 --- a/contrib/aix/buildbff.sh +++ b/contrib/aix/buildbff.sh @@ -1,7 +1,6 @@ #!/bin/sh # # buildbff.sh: Create AIX SMIT-installable OpenSSH packages -# $Id: buildbff.sh,v 1.13 2011/05/05 03:48:41 djm Exp $ # # Author: Darren Tucker (dtucker at zip dot com dot au) # This file is placed in the public domain and comes with absolutely @@ -241,21 +240,7 @@ echo # Generate keys unless they already exist echo Creating host keys if required. -if [ -f "$sysconfdir/ssh_host_key" ] ; then - echo "$sysconfdir/ssh_host_key already exists, skipping." -else - $bindir/ssh-keygen -t rsa1 -f $sysconfdir/ssh_host_key -N "" -fi -if [ -f $sysconfdir/ssh_host_dsa_key ] ; then - echo "$sysconfdir/ssh_host_dsa_key already exists, skipping." -else - $bindir/ssh-keygen -t dsa -f $sysconfdir/ssh_host_dsa_key -N "" -fi -if [ -f $sysconfdir/ssh_host_rsa_key ] ; then - echo "$sysconfdir/ssh_host_rsa_key already exists, skipping." -else - $bindir/ssh-keygen -t rsa -f $sysconfdir/ssh_host_rsa_key -N "" -fi +$bindir/ssh-keygen -A echo # Set startup command depending on SRC support diff --git a/contrib/aix/inventory.sh b/contrib/aix/inventory.sh index e2641e79..7d76f497 100755 --- a/contrib/aix/inventory.sh +++ b/contrib/aix/inventory.sh @@ -1,7 +1,6 @@ #!/bin/sh # # inventory.sh -# $Id: inventory.sh,v 1.6 2003/11/21 12:48:56 djm Exp $ # # Originally written by Ben Lindstrom, modified by Darren Tucker to use perl # This file is placed into the public domain. diff --git a/contrib/cygwin/Makefile b/contrib/cygwin/Makefile index a0261f48..4b78cd95 100644 --- a/contrib/cygwin/Makefile +++ b/contrib/cygwin/Makefile @@ -13,6 +13,7 @@ defaultsdir=$(sysconfdir)/defaults/etc inetdefdir=$(defaultsdir)/inetd.d PRIVSEP_PATH=/var/empty INSTALL=/usr/bin/install -c +MKDIR_P=$(srcdir)/mkinstalldirs DESTDIR= @@ -23,7 +24,7 @@ all: @echo move-config-files: $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(sysconfdir)/sshd_config - $(srcdir)/mkinstalldirs $(DESTDIR)$(defaultsdir) + $(MKDIR_P) $(DESTDIR)$(defaultsdir) mv $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(defaultsdir) mv $(DESTDIR)$(sysconfdir)/sshd_config $(DESTDIR)$(defaultsdir) @@ -31,11 +32,11 @@ remove-empty-dir: rm -rf $(DESTDIR)$(PRIVSEP_PATH) install-inetd-config: - $(srcdir)/mkinstalldirs $(DESTDIR)$(inetdefdir) + $(MKDIR_P) $(DESTDIR)$(inetdefdir) $(INSTALL) -m 644 sshd-inetd $(DESTDIR)$(inetdefdir)/sshd-inetd install-sshdoc: - $(srcdir)/mkinstalldirs $(DESTDIR)$(sshdocdir) + $(MKDIR_P) $(DESTDIR)$(sshdocdir) -$(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS -$(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog -$(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE @@ -52,13 +53,13 @@ install-sshdoc: -$(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO install-cygwindoc: README - $(srcdir)/mkinstalldirs $(DESTDIR)$(cygdocdir) + $(MKDIR_P) $(DESTDIR)$(cygdocdir) $(INSTALL) -m 644 README $(DESTDIR)$(cygdocdir)/openssh.README install-doc: install-sshdoc install-cygwindoc install-scripts: ssh-host-config ssh-user-config - $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir) + $(MKDIR_P) $(DESTDIR)$(bindir) $(INSTALL) -m 755 ssh-host-config $(DESTDIR)$(bindir)/ssh-host-config $(INSTALL) -m 755 ssh-user-config $(DESTDIR)$(bindir)/ssh-user-config diff --git a/contrib/cygwin/README b/contrib/cygwin/README index 1396d99c..3745051f 100644 --- a/contrib/cygwin/README +++ b/contrib/cygwin/README @@ -25,6 +25,7 @@ Options: --yes -y Answer all questions with "yes" automatically. --no -n Answer all questions with "no" automatically. --cygwin -c <options> Use "options" as value for CYGWIN environment var. + --name -N <name> sshd windows service name. --port -p <n> sshd listens on port n. --user -u <account> privileged user for service, default 'cyg_server'. --pwd -w <passwd> Use "pwd" as password for privileged user. @@ -59,7 +60,7 @@ Options: Please note that OpenSSH does never use the value of $HOME to search for the users configuration files! It always uses the value of the pw_dir field in /etc/passwd as the home directory. -If no home diretory is set in /etc/passwd, the root directory +If no home directory is set in /etc/passwd, the root directory is used instead! ================ @@ -76,7 +77,7 @@ with the aforementioned cygport script: zlib crypt - openssl-devel + libssl-devel libedit-devel libkrb5-devel diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index d934d09b..a8572e2a 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config @@ -22,7 +22,7 @@ CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh -# List of apps used. This is checkad for existance in csih_sanity_check +# List of apps used. This is checkad for existence in csih_sanity_check # Don't use *any* transient commands before sourcing the csih helper script, # otherwise the sanity checks are short-circuited. declare -a csih_required_commands=( @@ -61,9 +61,8 @@ LOCALSTATEDIR=/var sshd_config_configured=no port_number=22 -service_name=sshd +service_name=cygsshd strictmodes=yes -privsep_used=yes cygwin_value="" user_account= password_value= @@ -140,33 +139,21 @@ sshd_strictmodes() { # ====================================================================== # Routine: sshd_privsep -# MODIFIES: privsep_used +# Try to create ssshd user account # ====================================================================== sshd_privsep() { local ret=0 if [ "${sshd_config_configured}" != "yes" ] then - echo - csih_inform "Privilege separation is set to 'sandbox' by default since" - csih_inform "OpenSSH 6.1. This is unsupported by Cygwin and has to be set" - csih_inform "to 'yes' or 'no'." - csih_inform "However, using privilege separation requires a non-privileged account" - csih_inform "called 'sshd'." - csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." - if csih_request "Should privilege separation be used?" + if ! csih_create_unprivileged_user sshd then - privsep_used=yes - if ! csih_create_unprivileged_user sshd - then - csih_error_recoverable "Couldn't create user 'sshd'!" - csih_error_recoverable "Privilege separation set to 'no' again!" - csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!" - let ++ret - privsep_used=no - fi - else - privsep_used=no + csih_error_recoverable "Could not create user 'sshd'!" + csih_error_recoverable "You will not be able to run an sshd service" + csih_error_recoverable "under a privileged account successfully." + csih_error_recoverable "Make sure to create a non-privileged user 'sshd'" + csih_error_recoverable "manually before trying to run the service!" + let ++ret fi fi return $ret @@ -202,18 +189,6 @@ sshd_config_tweak() { let ++ret fi fi - if [ "${sshd_config_configured}" != "yes" ] - then - /usr/bin/sed -i -e " - s/^#\?UsePrivilegeSeparation .*/UsePrivilegeSeparation ${privsep_used}/" \ - ${SYSCONFDIR}/sshd_config - if [ $? -ne 0 ] - then - csih_warning "Setting privilege separation failed!" - csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" - let ++ret - fi - fi return $ret } # --- End of sshd_config_tweak --- # @@ -332,7 +307,7 @@ check_service_files_ownership() { if [ -z "${run_service_as}" ] then - accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | + accnt_name=$(/usr/bin/cygrunsrv -VQ "${service_name}" | /usr/bin/sed -ne 's/^Account *: *//gp') if [ "${accnt_name}" = "LocalSystem" ] then @@ -354,9 +329,9 @@ check_service_files_ownership() { fi if [ -z "${run_service_as}" ] then - csih_warning "Couldn't determine name of user running sshd service from account database!" + csih_warning "Couldn't determine name of user running ${service_name} service from account database!" csih_warning "As a result, this script cannot make sure that the files used" - csih_warning "by the sshd service belong to the user running the service." + csih_warning "by the ${service_name} service belong to the user running the service." return 1 fi fi @@ -392,8 +367,8 @@ check_service_files_ownership() { if [ $ret -ne 0 ] then csih_warning "Couldn't change owner of important files to ${run_service_as}!" - csih_warning "This may cause the sshd service to fail! Please make sure that" - csih_warning "you have suufficient permissions to change the ownership of files" + csih_warning "This may cause the ${service_name} service to fail! Please make sure that" + csih_warning "you have sufficient permissions to change the ownership of files" csih_warning "and try to run the ssh-host-config script again." fi return $ret @@ -419,14 +394,24 @@ install_service() { then csih_get_cygenv "${cygwin_value}" - if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) + if ( [ "$csih_FORCE_PRIVILEGED_USER" != "yes" ] ) then - csih_inform "On Windows Server 2003, Windows Vista, and above, the" - csih_inform "SYSTEM account cannot setuid to other users -- a capability" - csih_inform "sshd requires. You need to have or to create a privileged" - csih_inform "account. This script will help you do so." - echo + # Enforce using privileged user on 64 bit Vista or W7 under WOW64 + is_wow64=$(/usr/bin/uname | /usr/bin/grep -q 'WOW' && echo 1 || echo 0) + if ( csih_is_nt2003 && ! csih_is_windows8 && [ "${is_wow64}" = "1" ] ) + then + csih_inform "Running 32 bit Cygwin on 64 bit Windows Vista or Windows 7" + csih_inform "the SYSTEM account is not sufficient to setuid to a local" + csih_inform "user account. You need to have or to create a privileged" + csih_inform "account. This script will help you do so." + echo + csih_FORCE_PRIVILEGED_USER=yes + fi + fi + + if ( [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) + then [ "${opt_force}" = "yes" ] && opt_f=-f [ -n "${user_account}" ] && opt_u="-u ""${user_account}""" csih_select_privileged_username ${opt_f} ${opt_u} sshd @@ -437,11 +422,12 @@ install_service() { csih_request "Do you want to proceed anyway?" || exit 1 let ++ret fi + # Never returns empty if NT or above + run_service_as=$(csih_service_should_run_as) + else + run_service_as="SYSTEM" fi - # Never returns empty if NT or above - run_service_as=$(csih_service_should_run_as) - if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] then password="${csih_PRIVILEGED_PASSWORD}" @@ -471,7 +457,7 @@ install_service() { echo csih_inform "The sshd service has been installed under the LocalSystem" csih_inform "account (also known as SYSTEM). To start the service now, call" - csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it" + csih_inform "\`net start ${service_name}' or \`cygrunsrv -S ${service_name}'. Otherwise, it" csih_inform "will start automatically after the next reboot." fi else @@ -693,15 +679,25 @@ then fi fi -# handle sshd_config (and privsep) +# handle sshd_config +# make sure not to change the existing file +mod_before="" +if [ -e "${SYSCONFDIR}/sshd_config" ] +then + mod_before=$(stat "${SYSCONFDIR}/sshd_config" | grep '^Modify:') +fi csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt +mod_now=$(stat "${SYSCONFDIR}/sshd_config" | grep '^Modify:') if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 then sshd_config_configured=yes fi -sshd_strictmodes || let warning_cnt+=$? -sshd_privsep || let warning_cnt+=$? -sshd_config_tweak || let warning_cnt+=$? +if [ "${mod_before}" != "${mod_now}" ] +then + sshd_strictmodes || let warning_cnt+=$? + sshd_config_tweak || let warning_cnt+=$? +fi +#sshd_privsep || let warning_cnt+=$? update_services_file || let warning_cnt+=$? update_inetd_conf || let warning_cnt+=$? install_service || let warning_cnt+=$? diff --git a/contrib/cygwin/ssh-user-config b/contrib/cygwin/ssh-user-config index 33dc0cbe..6fa4bb3e 100644 --- a/contrib/cygwin/ssh-user-config +++ b/contrib/cygwin/ssh-user-config @@ -127,7 +127,7 @@ readonly -f check_user_homedir check_user_dot_ssh_dir() { if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ] then - csih_error "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files." + csih_error "${pwdhome}/.ssh is existent but not a directory. Cannot create user identity files." fi if [ ! -e "${pwdhome}/.ssh" ] diff --git a/contrib/findssl.sh b/contrib/findssl.sh index 263fd264..95a0d66d 100644 --- a/contrib/findssl.sh +++ b/contrib/findssl.sh @@ -1,7 +1,5 @@ #!/bin/sh # -# $Id: findssl.sh,v 1.4 2007/02/19 11:44:25 dtucker Exp $ -# # findssl.sh # Search for all instances of OpenSSL headers and libraries # and print their versions. diff --git a/contrib/gnome-ssh-askpass2.c b/contrib/gnome-ssh-askpass2.c index 9d97c30c..bc83a2d6 100644 --- a/contrib/gnome-ssh-askpass2.c +++ b/contrib/gnome-ssh-askpass2.c @@ -39,6 +39,10 @@ #define GRAB_TRIES 16 #define GRAB_WAIT 250 /* milliseconds */ +#define PROMPT_ENTRY 0 +#define PROMPT_CONFIRM 1 +#define PROMPT_NONE 2 + /* * Compile with: * @@ -57,19 +61,17 @@ #include <gdk/gdkx.h> static void -report_failed_grab (const char *what) +report_failed_grab (GtkWidget *parent_window, const char *what) { GtkWidget *err; - err = gtk_message_dialog_new(NULL, 0, + err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0, GTK_MESSAGE_ERROR, GTK_BUTTONS_CLOSE, "Could not grab %s. " "A malicious client may be eavesdropping " "on your session.", what); gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER); - gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(err))->label), - TRUE); gtk_dialog_run(GTK_DIALOG(err)); @@ -84,51 +86,67 @@ ok_dialog(GtkWidget *entry, gpointer dialog) } static int -passphrase_dialog(char *message) +passphrase_dialog(char *message, int prompt_type) { const char *failed; char *passphrase, *local; int result, grab_tries, grab_server, grab_pointer; - GtkWidget *dialog, *entry; + int buttons, default_response; + GtkWidget *parent_window, *dialog, *entry; GdkGrabStatus status; grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL); grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL); grab_tries = 0; - dialog = gtk_message_dialog_new(NULL, 0, - GTK_MESSAGE_QUESTION, - GTK_BUTTONS_OK_CANCEL, - "%s", - message); + /* Create an invisible parent window so that GtkDialog doesn't + * complain. */ + parent_window = gtk_window_new(GTK_WINDOW_TOPLEVEL); + + switch (prompt_type) { + case PROMPT_CONFIRM: + buttons = GTK_BUTTONS_YES_NO; + default_response = GTK_RESPONSE_YES; + break; + case PROMPT_NONE: + buttons = GTK_BUTTONS_CLOSE; + default_response = GTK_RESPONSE_CLOSE; + break; + default: + buttons = GTK_BUTTONS_OK_CANCEL; + default_response = GTK_RESPONSE_OK; + break; + } - entry = gtk_entry_new(); - gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE, - FALSE, 0); - gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); - gtk_widget_grab_focus(entry); - gtk_widget_show(entry); + dialog = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0, + GTK_MESSAGE_QUESTION, buttons, "%s", message); gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH"); gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER); gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE); - gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(dialog))->label), - TRUE); - - /* Make <enter> close dialog */ - gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK); - g_signal_connect(G_OBJECT(entry), "activate", - G_CALLBACK(ok_dialog), dialog); - + gtk_dialog_set_default_response(GTK_DIALOG(dialog), default_response); gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE); + if (prompt_type == PROMPT_ENTRY) { + entry = gtk_entry_new(); + gtk_box_pack_start( + GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))), + entry, FALSE, FALSE, 0); + gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); + gtk_widget_grab_focus(entry); + gtk_widget_show(entry); + /* Make <enter> close dialog */ + g_signal_connect(G_OBJECT(entry), "activate", + G_CALLBACK(ok_dialog), dialog); + } + /* Grab focus */ gtk_widget_show_now(dialog); if (grab_pointer) { for(;;) { status = gdk_pointer_grab( - (GTK_WIDGET(dialog))->window, TRUE, 0, NULL, - NULL, GDK_CURRENT_TIME); + (gtk_widget_get_window(GTK_WIDGET(dialog))), TRUE, + 0, NULL, NULL, GDK_CURRENT_TIME); if (status == GDK_GRAB_SUCCESS) break; usleep(GRAB_WAIT * 1000); @@ -139,8 +157,9 @@ passphrase_dialog(char *message) } } for(;;) { - status = gdk_keyboard_grab((GTK_WIDGET(dialog))->window, - FALSE, GDK_CURRENT_TIME); + status = gdk_keyboard_grab( + gtk_widget_get_window(GTK_WIDGET(dialog)), FALSE, + GDK_CURRENT_TIME); if (status == GDK_GRAB_SUCCESS) break; usleep(GRAB_WAIT * 1000); @@ -157,46 +176,51 @@ passphrase_dialog(char *message) /* Ungrab */ if (grab_server) - XUngrabServer(GDK_DISPLAY()); + XUngrabServer(gdk_x11_get_default_xdisplay()); if (grab_pointer) gdk_pointer_ungrab(GDK_CURRENT_TIME); gdk_keyboard_ungrab(GDK_CURRENT_TIME); gdk_flush(); /* Report passphrase if user selected OK */ - passphrase = g_strdup(gtk_entry_get_text(GTK_ENTRY(entry))); - if (result == GTK_RESPONSE_OK) { - local = g_locale_from_utf8(passphrase, strlen(passphrase), - NULL, NULL, NULL); - if (local != NULL) { - puts(local); - memset(local, '\0', strlen(local)); - g_free(local); - } else { - puts(passphrase); + if (prompt_type == PROMPT_ENTRY) { + passphrase = g_strdup(gtk_entry_get_text(GTK_ENTRY(entry))); + if (result == GTK_RESPONSE_OK) { + local = g_locale_from_utf8(passphrase, + strlen(passphrase), NULL, NULL, NULL); + if (local != NULL) { + puts(local); + memset(local, '\0', strlen(local)); + g_free(local); + } else { + puts(passphrase); + } } + /* Zero passphrase in memory */ + memset(passphrase, '\b', strlen(passphrase)); + gtk_entry_set_text(GTK_ENTRY(entry), passphrase); + memset(passphrase, '\0', strlen(passphrase)); + g_free(passphrase); } - - /* Zero passphrase in memory */ - memset(passphrase, '\b', strlen(passphrase)); - gtk_entry_set_text(GTK_ENTRY(entry), passphrase); - memset(passphrase, '\0', strlen(passphrase)); - g_free(passphrase); - + gtk_widget_destroy(dialog); - return (result == GTK_RESPONSE_OK ? 0 : -1); + if (result != GTK_RESPONSE_OK && result != GTK_RESPONSE_YES) + return -1; + return 0; - /* At least one grab failed - ungrab what we got, and report - the failure to the user. Note that XGrabServer() cannot - fail. */ nograbkb: + /* + * At least one grab failed - ungrab what we got, and report + * the failure to the user. Note that XGrabServer() cannot + * fail. + */ gdk_pointer_ungrab(GDK_CURRENT_TIME); nograb: if (grab_server) - XUngrabServer(GDK_DISPLAY()); + XUngrabServer(gdk_x11_get_default_xdisplay()); gtk_widget_destroy(dialog); - report_failed_grab(failed); + report_failed_grab(parent_window, failed); return (-1); } @@ -204,8 +228,8 @@ passphrase_dialog(char *message) int main(int argc, char **argv) { - char *message; - int result; + char *message, *prompt_mode; + int result, prompt_type = PROMPT_ENTRY; gtk_init(&argc, &argv); @@ -215,8 +239,15 @@ main(int argc, char **argv) message = g_strdup("Enter your OpenSSH passphrase:"); } + if ((prompt_mode = getenv("SSH_ASKPASS_PROMPT")) != NULL) { + if (strcasecmp(prompt_mode, "confirm") == 0) + prompt_type = PROMPT_CONFIRM; + else if (strcasecmp(prompt_mode, "none") == 0) + prompt_type = PROMPT_NONE; + } + setvbuf(stdout, 0, _IONBF, 0); - result = passphrase_dialog(message); + result = passphrase_dialog(message, prompt_type); g_free(message); return (result); diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 7ac4ed0a..dcd57aa1 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,70 +1,81 @@ -%define ver 6.8p1 -%define rel 1 +%global ver 8.3p1 +%global rel 1%{?dist} # OpenSSH privilege separation requires a user & group ID -%define sshd_uid 74 -%define sshd_gid 74 +%global sshd_uid 74 +%global sshd_gid 74 # Version of ssh-askpass -%define aversion 1.2.4.1 +%global aversion 1.2.4.1 # Do we want to disable building of x11-askpass? (1=yes 0=no) -%define no_x11_askpass 0 +%global no_x11_askpass 0 # Do we want to disable building of gnome-askpass? (1=yes 0=no) -%define no_gnome_askpass 0 +%global no_gnome_askpass 0 # Do we want to link against a static libcrypto? (1=yes 0=no) -%define static_libcrypto 0 +%global static_libcrypto 0 # Do we want smartcard support (1=yes 0=no) -%define scard 0 +%global scard 0 # Use GTK2 instead of GNOME in gnome-ssh-askpass -%define gtk2 1 +%global gtk2 1 -# Is this build for RHL 6.x? -%define build6x 0 +# Use build6x options for older RHEL builds +# RHEL 7 not yet supported +%if 0%{?rhel} > 6 +%global build6x 0 +%else +%global build6x 1 +%endif + +%if 0%{?fedora} >= 26 +%global compat_openssl 1 +%else +%global compat_openssl 0 +%endif # Do we want kerberos5 support (1=yes 0=no) -%define kerberos5 1 +%global kerberos5 1 # Reserve options to override askpass settings with: # rpm -ba|--rebuild --define 'skip_xxx 1' -%{?skip_x11_askpass:%define no_x11_askpass 1} -%{?skip_gnome_askpass:%define no_gnome_askpass 1} +%{?skip_x11_askpass:%global no_x11_askpass 1} +%{?skip_gnome_askpass:%global no_gnome_askpass 1} # Add option to build without GTK2 for older platforms with only GTK+. # RedHat <= 7.2 and Red Hat Advanced Server 2.1 are examples. # rpm -ba|--rebuild --define 'no_gtk2 1' -%{?no_gtk2:%define gtk2 0} +%{?no_gtk2:%global gtk2 0} # Is this a build for RHL 6.x or earlier? -%{?build_6x:%define build6x 1} +%{?build_6x:%global build6x 1} # If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc. %if %{build6x} -%define _sysconfdir /etc +%global _sysconfdir /etc %endif # Options for static OpenSSL link: # rpm -ba|--rebuild --define "static_openssl 1" -%{?static_openssl:%define static_libcrypto 1} +%{?static_openssl:%global static_libcrypto 1} # Options for Smartcard support: (needs libsectok and openssl-engine) # rpm -ba|--rebuild --define "smartcard 1" -%{?smartcard:%define scard 1} +%{?smartcard:%global scard 1} # Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no) -%define rescue 0 -%{?build_rescue:%define rescue 1} +%global rescue 0 +%{?build_rescue:%global rescue 1} # Turn off some stuff for resuce builds %if %{rescue} -%define kerberos5 0 +%global kerberos5 0 %endif -Summary: The OpenSSH implementation of SSH protocol versions 1 and 2. +Summary: The OpenSSH implementation of SSH protocol version 2. Name: openssh Version: %{ver} %if %{rescue} @@ -72,11 +83,9 @@ Release: %{rel}rescue %else Release: %{rel} %endif -URL: http://www.openssh.com/portable.html -Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz -%if ! %{no_x11_askpass} +URL: https://www.openssh.com/portable.html +Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz Source1: http://www.jmknoble.net/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz -%endif License: BSD Group: Applications/Internet BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot @@ -86,15 +95,27 @@ PreReq: initscripts >= 5.00 %else Requires: initscripts >= 5.20 %endif -BuildRequires: perl, openssl-devel +BuildRequires: perl +%if %{compat_openssl} +BuildRequires: compat-openssl10-devel +%else +BuildRequires: openssl-devel >= 1.0.1 +BuildRequires: openssl-devel < 1.1 +%endif BuildRequires: /bin/login %if ! %{build6x} -BuildPreReq: glibc-devel, pam +BuildRequires: glibc-devel, pam %else BuildRequires: /usr/include/security/pam_appl.h %endif %if ! %{no_x11_askpass} BuildRequires: /usr/include/X11/Xlib.h +# Xt development tools +BuildRequires: libXt-devel +# Provides xmkmf +BuildRequires: imake +# Rely on relatively recent gtk +BuildRequires: gtk2-devel %endif %if ! %{no_gnome_askpass} BuildRequires: pkgconfig @@ -183,20 +204,17 @@ environment. CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS %endif -%if %{kerberos5} -K5DIR=`rpm -ql krb5-devel | grep include/krb5.h | sed 's,\/include\/krb5.h,,'` -echo K5DIR=$K5DIR -%endif - %configure \ --sysconfdir=%{_sysconfdir}/ssh \ --libexecdir=%{_libexecdir}/openssh \ --datadir=%{_datadir}/openssh \ - --with-rsh=%{_bindir}/rsh \ --with-default-path=/usr/local/bin:/bin:/usr/bin \ --with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \ --with-privsep-path=%{_var}/empty/sshd \ --with-md5-passwords \ + --mandir=%{_mandir} \ + --with-mantype=man \ + --disable-strip \ %if %{scard} --with-smartcard \ %endif @@ -263,12 +281,12 @@ install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd %if ! %{no_x11_askpass} -install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass +install x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass %endif %if ! %{no_gnome_askpass} -install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass +install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass %endif %if ! %{scard} @@ -359,8 +377,6 @@ fi %attr(0644,root,root) %{_mandir}/man1/ssh.1* %attr(0644,root,root) %{_mandir}/man5/ssh_config.5* %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config -%attr(-,root,root) %{_bindir}/slogin -%attr(-,root,root) %{_mandir}/man1/slogin.1* %if ! %{rescue} %attr(2755,root,nobody) %{_bindir}/ssh-agent %attr(0755,root,root) %{_bindir}/ssh-add @@ -394,7 +410,7 @@ fi %doc x11-ssh-askpass-%{aversion}/README %doc x11-ssh-askpass-%{aversion}/ChangeLog %doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad -%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass +%{_libexecdir}/openssh/ssh-askpass %attr(0755,root,root) %{_libexecdir}/openssh/x11-ssh-askpass %endif @@ -406,6 +422,22 @@ fi %endif %changelog +* Sat Feb 10 2018 Darren Tucker <dtucker@dtucker.net> +- Update openssl-devel dependency to match current requirements. +- Handle Fedora >=6 openssl 1.0 compat libs. +- Remove SSH1 from description. +- Don't strip binaries at build time so that debuginfo package can be + created. + +* Sun Nov 16 2014 Nico Kadel-Garcia <nakdel@gmail.com> +- Add '--mandir' and '--with-mantype' for RHEL 5 compatibility +- Add 'dist' option to 'ver' so package names reflect OS at build time +- Always include x11-ssh-askpass tarball in SRPM +- Add openssh-x11-aspass BuildRequires for libXT-devel, imake, gtk2-devel +- Discard 'K5DIR' reporting, not usable inside 'mock' for RHEL 5 compatibility +- Discard obsolete '--with-rsh' configure option +- Update openssl-devel dependency to 0.9.8f, as found in autoconf + * Wed Jul 14 2010 Tim Rice <tim@multitalents.net> - test for skip_x11_askpass (line 77) should have been for no_x11_askpass @@ -417,7 +449,7 @@ fi - Don't install profile.d scripts when not building with GNOME/GTK askpass (patch from bet@rahul.net) -* Wed Oct 01 2002 Damien Miller <djm@mindrot.org> +* Tue Oct 01 2002 Damien Miller <djm@mindrot.org> - Install ssh-agent setgid nobody to prevent ptrace() key theft attacks * Mon Sep 30 2002 Damien Miller <djm@mindrot.org> @@ -463,7 +495,7 @@ fi - remove dependency on db1-devel, which has just been swallowed up whole by gnome-libs-devel -* Sun Dec 29 2001 Nalin Dahyabhai <nalin@redhat.com> +* Sat Dec 29 2001 Nalin Dahyabhai <nalin@redhat.com> - adjust build dependencies so that build6x actually works right (fix from Hugo van der Kooij) diff --git a/contrib/redhat/sshd.init b/contrib/redhat/sshd.init index 40c8dfd9..8ee5fcd3 100755 --- a/contrib/redhat/sshd.init +++ b/contrib/redhat/sshd.init @@ -40,7 +40,6 @@ start() # Create keys if necessary /usr/bin/ssh-keygen -A if [ -x /sbin/restorecon ]; then - /sbin/restorecon /etc/ssh/ssh_host_key.pub /sbin/restorecon /etc/ssh/ssh_host_rsa_key.pub /sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub /sbin/restorecon /etc/ssh/ssh_host_ecdsa_key.pub diff --git a/contrib/redhat/sshd.init.old b/contrib/redhat/sshd.init.old index 0deb6080..8a30f7da 100755 --- a/contrib/redhat/sshd.init.old +++ b/contrib/redhat/sshd.init.old @@ -24,7 +24,6 @@ prog="sshd" # Some functions to make the below more readable KEYGEN=/usr/bin/ssh-keygen SSHD=/usr/sbin/sshd -RSA1_KEY=/etc/ssh/ssh_host_key RSA_KEY=/etc/ssh/ssh_host_rsa_key DSA_KEY=/etc/ssh/ssh_host_dsa_key PID_FILE=/var/run/sshd.pid @@ -61,21 +60,6 @@ my_failure() { ;; esac } -do_rsa1_keygen() { - if [ ! -s $RSA1_KEY ]; then - echo -n "Generating SSH1 RSA host key: " - if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then - chmod 600 $RSA1_KEY - chmod 644 $RSA1_KEY.pub - my_success "RSA1 key generation" - echo - else - my_failure "RSA1 key generation" - echo - exit 1 - fi - fi -} do_rsa_keygen() { if [ ! -s $RSA_KEY ]; then echo -n "Generating SSH2 RSA host key: " @@ -119,7 +103,6 @@ do_restart_sanity_check() { case "$1" in start) # Create keys if necessary - do_rsa1_keygen; do_rsa_keygen; do_dsa_keygen; diff --git a/contrib/solaris/README b/contrib/solaris/README index fefdd4b5..cabecaa1 100644 --- a/contrib/solaris/README +++ b/contrib/solaris/README @@ -5,7 +5,7 @@ SVR4 style package tools. The build process is called a 'dummy install'.. Which means the software does a "make install-nokeys DESTDIR=[fakeroot]". This way all manpages should -be handled correctly and key are defered until the first time the sshd +be handled correctly and key are deferred until the first time the sshd is started. Directions: diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id index ae88e995..b83b8361 100644 --- a/contrib/ssh-copy-id +++ b/contrib/ssh-copy-id @@ -1,6 +1,6 @@ #!/bin/sh -# Copyright (c) 1999-2013 Philip Hands <phil@hands.com> +# Copyright (c) 1999-2016 Philip Hands <phil@hands.com> # 2013 Martin Kletzander <mkletzan@redhat.com> # 2010 Adeodato =?iso-8859-1?Q?Sim=F3?= <asp16@alu.ua.es> # 2010 Eric Moret <eric.moret@gmail.com> @@ -56,10 +56,14 @@ then fi fi -DEFAULT_PUB_ID_FILE=$(ls -t ${HOME}/.ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1) +most_recent_id="$(cd "$HOME" ; ls -t .ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)" +DEFAULT_PUB_ID_FILE="${most_recent_id:+$HOME/}$most_recent_id" usage () { - printf 'Usage: %s [-h|-?|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname\n' "$0" >&2 + printf 'Usage: %s [-h|-?|-f|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname\n' "$0" >&2 + printf '\t-f: force mode -- copy keys without trying to check if they are already installed\n' >&2 + printf '\t-n: dry run -- no keys are actually copied\n' >&2 + printf '\t-h|-?: print this help\n' >&2 exit 1 } @@ -71,21 +75,29 @@ quote() { use_id_file() { local L_ID_FILE="$1" + if [ -z "$L_ID_FILE" ] ; then + printf "%s: ERROR: no ID file found\n" "$0" + exit 1 + fi + if expr "$L_ID_FILE" : ".*\.pub$" >/dev/null ; then PUB_ID_FILE="$L_ID_FILE" else PUB_ID_FILE="$L_ID_FILE.pub" fi - PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub) + [ "$FORCED" ] || PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub) # check that the files are readable - for f in $PUB_ID_FILE $PRIV_ID_FILE ; do - ErrMSG=$( { : < $f ; } 2>&1 ) || { - printf "\n%s: ERROR: failed to open ID file '%s': %s\n\n" "$0" "$f" "$(printf "%s\n" "$ErrMSG" | sed -e 's/.*: *//')" + for f in "$PUB_ID_FILE" ${PRIV_ID_FILE:+"$PRIV_ID_FILE"} ; do + ErrMSG=$( { : < "$f" ; } 2>&1 ) || { + local L_PRIVMSG="" + [ "$f" = "$PRIV_ID_FILE" ] && L_PRIVMSG=" (to install the contents of '$PUB_ID_FILE' anyway, look at the -f option)" + printf "\n%s: ERROR: failed to open ID file '%s': %s\n" "$0" "$f" "$(printf "%s\n%s\n" "$ErrMSG" "$L_PRIVMSG" | sed -e 's/.*: *//')" exit 1 } done + printf '%s: INFO: Source of key(s) to be installed: "%s"\n' "$0" "$PUB_ID_FILE" >&2 GET_ID="cat \"$PUB_ID_FILE\"" } @@ -121,7 +133,7 @@ do } shift ;; - -n|-h|-\?) + -f|-n|-h|-\?) OPT="$1" OPTARG= shift @@ -154,6 +166,9 @@ do -o|-p) SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }$OPT '$(quote "$OPTARG")'" ;; + -f) + FORCED=1 + ;; -n) DRY_RUN=1 ;; @@ -194,56 +209,65 @@ fi populate_new_ids() { local L_SUCCESS="$1" + if [ "$FORCED" ] ; then + NEW_IDS=$(eval $GET_ID) + return + fi + # repopulate "$@" inside this function eval set -- "$SSH_OPTS" umask 0177 local L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX) if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then - echo "mktemp failed" 1>&2 + printf '%s: ERROR: mktemp failed\n' "$0" >&2 exit 1 fi - trap "rm -f $L_TMP_ID_FILE ${L_TMP_ID_FILE}.pub" EXIT TERM INT QUIT + local L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\"" + trap "$L_CLEANUP" EXIT TERM INT QUIT printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2 NEW_IDS=$( eval $GET_ID | { - while read ID ; do - printf '%s\n' "$ID" > $L_TMP_ID_FILE + while read ID || [ "$ID" ] ; do + printf '%s\n' "$ID" > "$L_TMP_ID_FILE" # the next line assumes $PRIV_ID_FILE only set if using a single id file - this # assumption will break if we implement the possibility of multiple -i options. # The point being that if file based, ssh needs the private key, which it cannot # find if only given the contents of the .pub file in an unrelated tmpfile ssh -i "${PRIV_ID_FILE:-$L_TMP_ID_FILE}" \ + -o ControlPath=none \ + -o LogLevel=INFO \ -o PreferredAuthentications=publickey \ - -o IdentitiesOnly=yes "$@" exit 2>$L_TMP_ID_FILE.stderr </dev/null + -o IdentitiesOnly=yes "$@" exit 2>"$L_TMP_ID_FILE.stderr" </dev/null if [ "$?" = "$L_SUCCESS" ] ; then - : > $L_TMP_ID_FILE + : > "$L_TMP_ID_FILE" else - grep 'Permission denied' $L_TMP_ID_FILE.stderr >/dev/null || { - sed -e 's/^/ERROR: /' <$L_TMP_ID_FILE.stderr >$L_TMP_ID_FILE + grep 'Permission denied' "$L_TMP_ID_FILE.stderr" >/dev/null || { + sed -e 's/^/ERROR: /' <"$L_TMP_ID_FILE.stderr" >"$L_TMP_ID_FILE" cat >/dev/null #consume the other keys, causing loop to end } fi - cat $L_TMP_ID_FILE + cat "$L_TMP_ID_FILE" done } ) - rm -f $L_TMP_ID_FILE* && trap - EXIT TERM INT QUIT + eval "$L_CLEANUP" && trap - EXIT TERM INT QUIT if expr "$NEW_IDS" : "^ERROR: " >/dev/null ; then printf '\n%s: %s\n\n' "$0" "$NEW_IDS" >&2 exit 1 fi if [ -z "$NEW_IDS" ] ; then - printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n\n' "$0" >&2 + printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n' "$0" >&2 + printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' "$0" >&2 exit 0 fi printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2 } -REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' "$@" 2>&1 | +REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' -o ControlPath=none "$@" 2>&1 | sed -ne 's/.*remote software version //p') case "$REMOTE_VERSION" in @@ -269,10 +293,10 @@ case "$REMOTE_VERSION" in *) # Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect populate_new_ids 0 - [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | ssh "$@" " - umask 077 ; - mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; - if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi" \ + # in ssh below - to defend against quirky remote shells: use 'exec sh -c' to get POSIX; + # 'cd' to be at $HOME; add a newline if it's missing; and all on one line, because tcsh. + [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | \ + ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && { [ -z "'`tail -1c .ssh/authorized_keys 2>/dev/null`'" ] || echo >> .ssh/authorized_keys ; } && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \ || exit 1 ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l) ;; diff --git a/contrib/ssh-copy-id.1 b/contrib/ssh-copy-id.1 index 67a59e49..ae75c79a 100644 --- a/contrib/ssh-copy-id.1 +++ b/contrib/ssh-copy-id.1 @@ -29,6 +29,7 @@ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .Nd use locally available keys to authorise logins on a remote machine .Sh SYNOPSIS .Nm +.Op Fl f .Op Fl n .Op Fl i Op Ar identity_file .Op Fl p Ar port @@ -76,6 +77,10 @@ is used. Note that this can be used to ensure that the keys copied have the comment one prefers and/or extra options applied, by ensuring that the key file has these set as preferred before the copy is attempted. +.It Fl f +Forced mode: doesn't check if the keys are present on the remote server. +This means that it does not need the private key. Of course, this can result +in more than one copy of the key being installed on the remote system. .It Fl n do a dry-run. Instead of installing keys on the remote system simply prints the key(s) that would have been installed. @@ -153,7 +158,7 @@ asked for confirmation, which is your cue to log back out and run The reason you might want to specify the -i option in this case is to ensure that the comment on the installed key is the one from the .Pa .pub -file, rather than just the filename that was loaded into you agent. +file, rather than just the filename that was loaded into your agent. It also ensures that only the id you intended is installed, rather than all the keys that you have in your .Xr ssh-agent 1 . diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 0eb779c9..a2789052 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -13,8 +13,8 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 6.8p1 -URL: http://www.openssh.com/ +Version: 8.3p1 +URL: https://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz Source1: x11-ssh-askpass-%{xversion}.tar.gz @@ -56,7 +56,7 @@ arbitrary TCP/IP ports can also be forwarded over the secure channel. OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it up to date in terms of security and features, as well as removing all -patented algorithms to seperate libraries (OpenSSL). +patented algorithms to separate libraries (OpenSSL). This package includes all files necessary for both the OpenSSH client and server. @@ -70,7 +70,7 @@ arbitrary TCP/IP ports can also be forwarded over the secure channel. OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it up to date in terms of security and features, as well as removing all -patented algorithms to seperate libraries (OpenSSL). +patented algorithms to separate libraries (OpenSSL). This package contains an X Window System passphrase dialog for OpenSSH. @@ -202,7 +202,6 @@ rm -rf $RPM_BUILD_ROOT %attr(0755,root,root) %{_bindir}/ssh-keygen %attr(0755,root,root) %{_bindir}/scp %attr(0755,root,root) %{_bindir}/ssh -%attr(-,root,root) %{_bindir}/slogin %attr(0755,root,root) %{_bindir}/ssh-agent %attr(0755,root,root) %{_bindir}/ssh-add %attr(0755,root,root) %{_bindir}/ssh-keyscan @@ -214,7 +213,6 @@ rm -rf $RPM_BUILD_ROOT %attr(0755,root,root) %{_libdir}/ssh/ssh-pkcs11-helper %attr(0644,root,root) %doc %{_mandir}/man1/scp.1* %attr(0644,root,root) %doc %{_mandir}/man1/sftp.1* -%attr(-,root,root) %doc %{_mandir}/man1/slogin.1* %attr(0644,root,root) %doc %{_mandir}/man1/ssh.1* %attr(0644,root,root) %doc %{_mandir}/man1/ssh-add.1* %attr(0644,root,root) %doc %{_mandir}/man1/ssh-agent.1* |