author | William A. Kennington III <william@wkennington.com> | 2015-08-20 10:36:06 -0700 |
---|---|---|
committer | William A. Kennington III <william@wkennington.com> | 2015-09-15 12:14:12 -0700 |
commit | 88b814575016ae9685851aa0d78f613e7d15d700 (patch) | |
tree | b2cddf6a4ec6fefa6b9c911d5ca6e2cacc608af7 /pkgs/tools | |
parent | 3f1d497fbe331f731a3cb10632b7ebb99d489bf4 (diff) | |
openssh: 6.9p1 -> 7.1p1
This intentionally leaves out support for using existing dsa keys as they are insecure and should not be enabled by default. If you need this support, please make the changes in your ssh_config and sshd_config.
Diffstat (limited to 'pkgs/tools')
-rw-r--r-- | pkgs/tools/networking/openssh/default.nix | 6 | ||||
-rw-r--r-- | pkgs/tools/networking/openssh/openssh-6.9p1-security-7.0.patch | 65 |
2 files changed, 3 insertions, 68 deletions
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index 2004e453a0d9..50d53bdff2cd 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -17,11 +17,11 @@ let
 in
 with stdenv.lib;
 stdenv.mkDerivation rec {
- name = "openssh-6.9p1";
+ name = "openssh-7.1p1";
 src = fetchurl {
 url = "mirror://openbsd/OpenSSH/portable/${name}.tar.gz";
- sha256 = "1zkci5nbpb4frmzj2vr3kv9j47x2h72kvybcpr0d8mzk73sls1vf";
+ sha256 = "0a44mnr8bvw41zg83xh4sb55d8nds29j95gxvxk5qg863lnns2pw";
 };
 prePatch = optionalString hpnSupport
@@ -30,7 +30,7 @@ stdenv.mkDerivation rec {
 export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s"
 '';
- patches = [ ./locale_archive.patch ./openssh-6.9p1-security-7.0.patch];
+ patches = [ ./locale_archive.patch ];
 buildInputs = [ zlib openssl libedit pkgconfig pam ]
 ++ optional withKerberos [ kerberos ];
diff --git a/pkgs/tools/networking/openssh/openssh-6.9p1-security-7.0.patch b/pkgs/tools/networking/openssh/openssh-6.9p1-security-7.0.patch
deleted file mode 100644
index 02e9eb3a9739..000000000000
--- a/pkgs/tools/networking/openssh/openssh-6.9p1-security-7.0.patch
+++ /dev/null
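Review bot: Nothing in default.nix records why `./openssh-6.9p1-security-7.0.patch` disappears from `patches` in the second hunk. The deleted file carried three fixes (tty mode `0620` in sshpty.c, the PAM user handling in monitor.c and monitor_wrap.c, and the context reset in `mm_answer_pam_free_ctx`), which are presumably part of the 7.1p1 tarball. A short comment next to the list, for example `# fixes from the former 6.9p1 security backport are expected upstream in 7.1p1`, would make that assumption explicit for the next bump. The `prePatch` branch for `hpnSupport` is only partly visible, and the patch it applies is defined outside the hunk, so it is worth confirming that it still applies cleanly to the new version. The statement that existing DSA keys are intentionally left unsupported appears only in the commit message; the same sentence in a comment near the derivation would reach users who never read the log.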
@@ -1,65 +0,0 @@
-http://pkgs.fedoraproject.org/cgit/openssh.git/commit/openssh-6.9p1-security-7.0.patch?h=f22&id=4776fad91e7e1f626f33e8c240d0ccecd663554d
-
-diff --git a/sshpty.c b/sshpty.c
-index 7bb7641..15da8c6 100644
---- a/sshpty.c
-+++ b/sshpty.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */
-+/* $OpenBSD: sshpty.c,v 1.30 2015/07/30 23:09:15 djm Exp $ */
- /*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-@@ -197,7 +197,7 @@ pty_setowner(struct passwd *pw, const char *tty)
- /* Determine the group to make the owner of the tty. */
- grp = getgrnam("tty");
- gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
-- mode = (grp != NULL) ? 0622 : 0600;
-+ mode = (grp != NULL) ? 0620 : 0600;
-
- /*
- * Change owner and mode of the tty as required.
-diff --git a/monitor.c b/monitor.c
-index b410965..f1b873d 100644
---- a/monitor.c
-+++ b/monitor.c
-@@ -1084,9 +1084,7 @@ extern KbdintDevice sshpam_device;
- int
- mm_answer_pam_init_ctx(int sock, Buffer *m)
- {
--
- debug3("%s", __func__);
-- authctxt->user = buffer_get_string(m, NULL);
- sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
- sshpam_authok = NULL;
- buffer_clear(m);
-@@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
- int
- mm_answer_pam_free_ctx(int sock, Buffer *m)
- {
-+ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
-
- debug3("%s", __func__);
- (sshpam_device.free_ctx)(sshpam_ctxt);
-+ sshpam_ctxt = sshpam_authok = NULL;
- buffer_clear(m);
- mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
- auth_method = "keyboard-interactive";
- auth_submethod = "pam";
-- return (sshpam_authok == sshpam_ctxt);
-+ return r;
- }
- #endif
-
-diff --git a/monitor_wrap.c b/monitor_wrap.c
-index e6217b3..eac421b 100644
---- a/monitor_wrap.c
-+++ b/monitor_wrap.c
-@@ -614,7 +614,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
-
- debug3("%s", __func__);
- buffer_init(&m);
-- buffer_put_cstring(&m, authctxt->user);
- mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
- debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
- mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m); |