mirror of
git://slackware.nl/current.git
synced 2024-12-28 09:59:53 +01:00
7cde3ca9e7
a/kernel-generic-5.4.20-x86_64-1.txz: Upgraded.
a/kernel-huge-5.4.20-x86_64-1.txz: Upgraded.
a/kernel-modules-5.4.20-x86_64-1.txz: Upgraded.
a/shadow-4.8.1-x86_64-3.txz: Rebuilt.
a/util-linux-2.35.1-x86_64-3.txz: Rebuilt.
d/kernel-headers-5.4.20-x86-1.txz: Upgraded.
k/kernel-source-5.4.20-noarch-1.txz: Upgraded.
l/ConsoleKit2-1.2.1-x86_64-2.txz: Rebuilt.
l/dconf-editor-3.34.4-x86_64-1.txz: Upgraded.
l/libxkbcommon-0.10.0-x86_64-1.txz: Added.
l/openal-soft-1.19.1-x86_64-1.txz: Added.
l/qt5-5.13.2-x86_64-1.txz: Added.
Thanks to alienBOB.
n/openssh-8.2p1-x86_64-1.txz: Upgraded.
Potentially incompatible changes:
* ssh(1), sshd(8): the removal of "ssh-rsa" from the accepted
CASignatureAlgorithms list.
* ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1
from the default key exchange proposal for both the client and
server.
* ssh-keygen(1): the command-line options related to the generation
and screening of safe prime numbers used by the
diffie-hellman-group-exchange-* key exchange algorithms have
changed. Most options have been folded under the -O flag.
* sshd(8): the sshd listener process title visible to ps(1) has
changed to include information about the number of connections that
are currently attempting authentication and the limits configured
by MaxStartups.
x/mesa-19.3.4-x86_64-2.txz: Rebuilt.
Reverted "[PATCH] swr: Fix GCC 4.9 checks." which makes X fail to start with
an illegal instruction on some hardware.
isolinux/initrd.img: Rebuilt.
kernels/*: Upgraded.
testing/packages/PAM/ConsoleKit2-1.2.1-x86_64-2_pam.txz: Rebuilt.
Rebuilt with --disable-libcgmanager to fix setting limits on PAM.
Thanks to gattocarlo.
testing/packages/PAM/openssh-8.2p1-x86_64-1_pam.txz: Upgraded.
testing/packages/PAM/shadow-4.8.1-x86_64-3_pam.txz: Rebuilt.
Moved some of the /etc/pam.d/ file to the util-linux package where they
more properly belong.
testing/packages/PAM/util-linux-2.35.1-x86_64-3_pam.txz: Rebuilt.
Added some /etc/pam.d/ files previously in the shadow package.
Changed /etc/pam.d/{chfn,chsh} and made chfn/chsh setuid root to fix them.
Added /etc/pam.d/{runuser,runuser-l}.
usb-and-pxe-installers/usbboot.img: Rebuilt.
139 lines
3.9 KiB
Diff
139 lines
3.9 KiB
Diff
--- ./configure.ac.orig 2020-02-13 18:40:54.000000000 -0600
|
|
+++ ./configure.ac 2020-02-14 19:28:45.566081482 -0600
|
|
@@ -1532,6 +1532,62 @@
|
|
AC_MSG_RESULT([no])
|
|
fi
|
|
|
|
+# Check whether user wants TCP wrappers support
|
|
+TCPW_MSG="no"
|
|
+AC_ARG_WITH([tcp-wrappers],
|
|
+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
|
|
+ [
|
|
+ if test "x$withval" != "xno" ; then
|
|
+ saved_LIBS="$LIBS"
|
|
+ saved_LDFLAGS="$LDFLAGS"
|
|
+ saved_CPPFLAGS="$CPPFLAGS"
|
|
+ if test -n "${withval}" && \
|
|
+ test "x${withval}" != "xyes"; then
|
|
+ if test -d "${withval}/lib"; then
|
|
+ if test -n "${need_dash_r}"; then
|
|
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
|
|
+ else
|
|
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
|
|
+ fi
|
|
+ else
|
|
+ if test -n "${need_dash_r}"; then
|
|
+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
|
|
+ else
|
|
+ LDFLAGS="-L${withval} ${LDFLAGS}"
|
|
+ fi
|
|
+ fi
|
|
+ if test -d "${withval}/include"; then
|
|
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
|
|
+ else
|
|
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
|
|
+ fi
|
|
+ fi
|
|
+ LIBS="-lwrap -lnsl $LIBS"
|
|
+ AC_MSG_CHECKING([for libwrap])
|
|
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
|
|
+#include <sys/types.h>
|
|
+#include <sys/socket.h>
|
|
+#include <netinet/in.h>
|
|
+#include <tcpd.h>
|
|
+int deny_severity = 0, allow_severity = 0;
|
|
+ ]], [[
|
|
+ hosts_access(0);
|
|
+ ]])], [
|
|
+ AC_MSG_RESULT([yes])
|
|
+ AC_DEFINE([LIBWRAP], [1],
|
|
+ [Define if you want
|
|
+ TCP Wrappers support])
|
|
+ SSHDLIBS="$SSHDLIBS -lwrap -lnsl"
|
|
+ TCPW_MSG="yes"
|
|
+ ], [
|
|
+ AC_MSG_ERROR([*** libwrap missing])
|
|
+
|
|
+ ])
|
|
+ LIBS="$saved_LIBS"
|
|
+ fi
|
|
+ ]
|
|
+)
|
|
+
|
|
# Check whether user wants to use ldns
|
|
LDNS_MSG="no"
|
|
AC_ARG_WITH(ldns,
|
|
@@ -5389,6 +5445,7 @@
|
|
echo " OSF SIA support: $SIA_MSG"
|
|
echo " KerberosV support: $KRB5_MSG"
|
|
echo " SELinux support: $SELINUX_MSG"
|
|
+echo " TCP Wrappers support: $TCPW_MSG"
|
|
echo " MD5 password support: $MD5_MSG"
|
|
echo " libedit support: $LIBEDIT_MSG"
|
|
echo " libldns support: $LDNS_MSG"
|
|
--- ./sshd.c.orig 2020-02-13 18:40:54.000000000 -0600
|
|
+++ ./sshd.c 2020-02-14 19:30:12.694084273 -0600
|
|
@@ -124,6 +124,13 @@
|
|
#include "ssherr.h"
|
|
#include "sk-api.h"
|
|
|
|
+#ifdef LIBWRAP
|
|
+#include <tcpd.h>
|
|
+#include <syslog.h>
|
|
+int allow_severity;
|
|
+int deny_severity;
|
|
+#endif /* LIBWRAP */
|
|
+
|
|
/* Re-exec fds */
|
|
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
|
|
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
|
|
@@ -2107,6 +2114,26 @@
|
|
the_active_state = ssh;
|
|
ssh_packet_set_server(ssh);
|
|
|
|
+/* Moved LIBWRAP check here */
|
|
+#ifdef LIBWRAP
|
|
+ allow_severity = options.log_facility|LOG_INFO;
|
|
+ deny_severity = options.log_facility|LOG_WARNING;
|
|
+ /* Check whether logins are denied from this host. */
|
|
+ if (ssh_packet_connection_is_on_socket(ssh)) { /* This check must be after ssh_packet_set_connection() */
|
|
+ struct request_info req;
|
|
+
|
|
+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
|
|
+ fromhost(&req);
|
|
+
|
|
+ if (!hosts_access(&req)) {
|
|
+ debug("Connection refused by tcp wrapper");
|
|
+ refuse(&req);
|
|
+ /* NOTREACHED */
|
|
+ fatal("libwrap refuse returns");
|
|
+ }
|
|
+ }
|
|
+#endif /* LIBWRAP */
|
|
+
|
|
check_ip_options(ssh);
|
|
|
|
/* Prepare the channels layer */
|
|
--- ./sshd.8.orig 2020-02-13 18:40:54.000000000 -0600
|
|
+++ ./sshd.8 2020-02-14 19:28:45.574081482 -0600
|
|
@@ -893,6 +893,12 @@
|
|
This file should be writable only by the user, and need not be
|
|
readable by anyone else.
|
|
.Pp
|
|
+.It Pa /etc/hosts.allow
|
|
+.It Pa /etc/hosts.deny
|
|
+Access controls that should be enforced by tcp-wrappers are defined here.
|
|
+Further details are described in
|
|
+.Xr hosts_access 5 .
|
|
+.Pp
|
|
.It Pa /etc/hosts.equiv
|
|
This file is for host-based authentication (see
|
|
.Xr ssh 1 ) .
|
|
@@ -995,6 +1001,7 @@
|
|
.Xr ssh-keygen 1 ,
|
|
.Xr ssh-keyscan 1 ,
|
|
.Xr chroot 2 ,
|
|
+.Xr hosts_access 5 ,
|
|
.Xr login.conf 5 ,
|
|
.Xr moduli 5 ,
|
|
.Xr sshd_config 5 ,
|