OpenPKG CVS Repository
  http://www.openpkg.org/cvsweb/cvsweb.cgi
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web, openpkg-src         Date:   06-Jul-2002 13:51:20
  Branch: HEAD                             Handle: 2002070612511901

  Modified files:
    openpkg-src/openssh     openssh.spec sshd_config
    openpkg-web             news.txt

  Log:
    After longer thinking and comparing what FreeBSD and NetBSD did, finally
    revert to the old state by kicking out the UsePrivilegeSeparation and
    Compression default value guessing because:
    
    1. we are predestined to fail in general because we cannot
       do it correctly by just looking at the platform id.
    
    2. UsePrivilegeSeparation is nice from a paranoid security point
       of view but OTOH really is too brand-new and internally limits or
       even breaks the OpenSSH functionality too dramatically. People who
       are paranoid enough and can live with this can feel free to change
       the "no" to a "yes" in their sshd_config easily.
    
    3. it is nasty to have a package "openssh" shipping with totally
       different default configuration (using "UsePrivilegeSeparation yes"
       makes a large difference under run-time!) on different platforms.
       This is nasty and we really want a single default config independent
       of a platform.
    
    So, unless "UsePrivilegeSeparation yes" works equally on all our
    platforms and without such dramatic restrictions (Compression, PAM,
    etc) and internal brokenness we will stay with the _default_ config of
    "UsePrivilegeSeparation no". Once Privilege Separation is really ready
    for a global deployment, we are happy to enable it by default again.

  Summary:
    Revision    Changes     Path
    1.47        +2  -30     openpkg-src/openssh/openssh.spec
    1.8         +3  -3      openpkg-src/openssh/sshd_config
    1.884       +1  -0      openpkg-web/news.txt
  ____________________________________________________________________________

  Index: openpkg-src/openssh/openssh.spec
  ============================================================
  $ cvs diff -u -r1.46 -r1.47 openssh.spec
  --- openpkg-src/openssh/openssh.spec  27 Jun 2002 08:21:20 -0000      1.46
  +++ openpkg-src/openssh/openssh.spec  6 Jul 2002 11:51:19 -0000       1.47
  @@ -47,7 +47,7 @@
   Group:        Cryptography
   License:      BSD
   Version:      3.4p1
  -Release:      20020627
  +Release:      20020706
   
   #   list of sources
   Source0:      
ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
  @@ -198,38 +198,10 @@
           -e 's;@l_musr@;%{l_musr};g' -e 's;@l_mgrp@;%{l_mgrp};g' \
           %{SOURCE rc.openssh} $RPM_BUILD_ROOT%{l_prefix}/etc/rc.d/
   
  -    #   determine best variant for ssh server configuration 
  -    l_cfg_useprivsep=yes
  -    #   (privsep broken on old Linux at all)
  -    case "%{l_target}" in
  -        *-linux2.0* ) l_cfg_useprivsep=no ;; 
  -    esac
  -%if "%{with_pam}" == "yes"
  -    #   (PAM broken with privsep on non-Linux)
  -    case "%{l_target}" in
  -        *-linux* ) ;;
  -        * ) l_cfg_useprivsep=no ;;
  -    esac
  -%endif
  -    l_cfg_compression=yes
  -    if [ ".$l_cfg_useprivsep" = .yes ]; then
  -        #   (compression broken with privsep on old Linux)
  -        case "%{l_target}" in
  -            *-linux2.2* ) l_cfg_compression=no ;;
  -        esac
  -    fi
  -%if "%{with_x11}" == "yes"
  -    l_cfg_x11forwarding=yes
  -%else
  -    l_cfg_x11forwarding=no
  -%endif
  -
       #   install reasonable ssh server and client configuration files
       %{l_shtool} install -c -m 644 \
           -e 's;@l_prefix@;%{l_prefix};g' \
  -        -e "s;@l_cfg_useprivsep@;${l_cfg_useprivsep};" \
  -        -e "s;@l_cfg_compression@;${l_cfg_compression};" \
  -        -e "s;@l_cfg_x11forwarding@;${l_cfg_x11forwarding};" \
  +        -e 's;@l_x11forwarding@;%{with_x11};' \
           %{SOURCE sshd_config} $RPM_BUILD_ROOT%{l_prefix}/etc/openssh/
       %{l_shtool} install -c -m 644 -e 's;@l_prefix@;%{l_prefix};g' \
           %{SOURCE ssh_config} $RPM_BUILD_ROOT%{l_prefix}/etc/openssh/
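
Review bot: the new `-e 's;@l_x11forwarding@;%{with_x11};'` substitution writes the raw build option into sshd_config, whereas the removed `%if "%{with_x11}" == "yes"` block mapped it to a literal yes or no first. Any value of with_x11 other than those two literals now ends up verbatim on the X11Forwarding line. Consider keeping the small %if/%else mapping, or state where with_x11 is defined that only yes and no are accepted.
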
  Index: openpkg-src/openssh/sshd_config
  ============================================================
  $ cvs diff -u -r1.7 -r1.8 sshd_config
  --- openpkg-src/openssh/sshd_config   26 Jun 2002 20:05:52 -0000      1.7
  +++ openpkg-src/openssh/sshd_config   6 Jul 2002 11:51:20 -0000       1.8
  @@ -28,10 +28,10 @@
   IgnoreRhosts             yes
   KeepAlive                yes
   GatewayPorts             no
  -X11Forwarding            @l_cfg_x11forwarding@
  -Compression              @l_cfg_compression@
  +X11Forwarding            @l_x11forwarding@
  +Compression              yes
   
  -UsePrivilegeSeparation   @l_cfg_useprivsep@
  +UsePrivilegeSeparation   no
   LoginGraceTime           600
   MaxStartups              10:30:60
   PermitRootLogin          yes
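
Review bot: the hard-coded `UsePrivilegeSeparation   no` next to `Compression              yes` carries no comment, and the platform notes that explained the interaction (privsep broken on linux2.0, PAM with privsep outside Linux, compression with privsep on linux2.2) are deleted from openssh.spec in the same commit. Since the log invites administrators to change the "no" to a "yes" themselves, add a comment line above UsePrivilegeSeparation saying that it is a deliberate packaging default and that enabling it may also require reviewing the Compression setting and PAM use on the affected platforms.
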
  Index: openpkg-web/news.txt
  ============================================================
  $ cvs diff -u -r1.883 -r1.884 news.txt
  --- openpkg-web/news.txt      6 Jul 2002 11:40:27 -0000       1.883
  +++ openpkg-web/news.txt      6 Jul 2002 11:51:19 -0000       1.884
  @@ -1,3 +1,4 @@
  +06-Jul-2002: Upgraded package: P<openssh-3.4p1-20020706>
   06-Jul-2002: Upgraded package: P<samhain-1.5.3-20020706>
   06-Jul-2002: Upgraded package: P<apache-1.3.26-20020706>
   06-Jul-2002: New package: P<scponly-2.0-20020706>
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]