Hello community, here is the log from the commit of package pam_ssh for openSUSE:Factory checked in at 2015-04-21 10:51:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pam_ssh (Old) and /work/SRC/openSUSE:Factory/.pam_ssh.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pam_ssh" Changes: -------- --- /work/SRC/openSUSE:Factory/pam_ssh/pam_ssh.changes 2013-11-22 07:25:03.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.pam_ssh.new/pam_ssh.changes 2015-04-21 10:51:52.000000000 +0200 @@ -1,0 +2,8 @@ +Sun Mar 8 23:48:59 UTC 2015 - p.drou...@gmail.com + +- Update to version 2.01 + * pam_ssh.1: updated man page to reflect the current implementation +- Remove gpg-offline require and verification; OBS handles it +- Use download Url as source + +------------------------------------------------------------------- Old: ---- pam_ssh-2.0.tar.xz pam_ssh-2.0.tar.xz.asc New: ---- pam_ssh-2.01.tar.xz pam_ssh-2.01.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pam_ssh.spec ++++++ --- /var/tmp/diff_new_pack.pwFs0l/_old 2015-04-21 10:51:52.000000000 +0200 +++ /var/tmp/diff_new_pack.pwFs0l/_new 2015-04-21 10:51:52.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package pam_ssh # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -22,17 +22,14 @@ BuildRequires: openssl-devel BuildRequires: pam-devel BuildRequires: xz -%if %suse_version > 1220 -BuildRequires: gpg-offline -%endif -Version: 2.0 +Version: 2.01 Release: 0 Summary: PAM Module for SSH Authentication License: BSD-3-Clause Group: Productivity/Networking/SSH Url: http://sourceforge.net/projects/pam-ssh/ -Source: %{name}-%{version}.tar.xz -Source1: %{name}-%{version}.tar.xz.asc +Source: http://sourceforge.net/projects/pam-ssh/files/pam_ssh/%{version}/%{name}-%{version}.tar.xz +Source1: http://sourceforge.net/projects/pam-ssh/files/pam_ssh/%{version}/%{name}-%{version}.tar.xz.asc Source2: baselibs.conf Source3: %{name}.keyring BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -44,9 +41,6 @@ entire session, the user types no more passwords. %prep -%if 0%{?gpg_verify:1} -%gpg_verify %{S:1} -%endif %setup -q %build ++++++ pam_ssh-2.0.tar.xz -> pam_ssh-2.01.tar.xz ++++++ ++++ 1812 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_ssh-2.0/ChangeLog new/pam_ssh-2.01/ChangeLog --- old/pam_ssh-2.0/ChangeLog 2013-11-18 11:25:42.000000000 +0100 +++ new/pam_ssh-2.01/ChangeLog 2014-05-24 09:33:39.000000000 +0200 @@ -1,3 +1,12 @@ +Version 2.01 released +===================== + +2014-05-24 Wolfgang Rosenauer + + * changelog format cleanup + * pam_ssh.1: updated man page to reflect the current implementation + + Version 2.0 released ==================== 
@@ -10,52 +19,52 @@ 2013-11-10 Wolfgang Rosenauer - imported Debian patches - * update openssh embedded code - The upstream source embeds code from OpenSSH, - this embedded code is updated against OpenSSH-6.0p1 - code; then ECDSA keys can be supported. - Basically files containing the used code are - brought in from the OpenSSH-6.0p1 and then - the unused code is commented out by hand. - Ideally the involved code may be invoked through - a share library, but unfortunately such a library - does not exist. - - * pam_ssh.c: fix missing syslog include - - * pam_ssh.c: safe spawn of the ssh-agent - - * pam_ssh.c: inexistent configuration directory handling - Short cut the session phase if no configuration directory exists: - it is meant to prevent meangningless ssh-agent launches for users - that obviously never use ssh. - - * pam_ssh.c: let ssh-agent to determine the appropriate shell style - - * pam_get_pass.c, pam_get_pass.h, pam_ssh.c: - try_first_password implementation and specific login keys - Implement the intended semantics of try_first_password as described in - in the manual page (and PAM). - Ask for SSH passphrase even if user does not exist. - Look for SSH keys in $HOME/.ssh/login-keys.d/, given that SSH keys - with .disabled or .frozen as suffix are ignored. - "keyfiles" option has been removed - - * pam_ssh.c: handle session with no controlling tty - Let the PAM session handle situations where there is no controlling tty - by using the PID to construct the sessoin file name. + * imported Debian patches: + - openssh embedded code: update + The upstream source embeds code from OpenSSH, + this embedded code is updated against OpenSSH-6.0p1 + code; then ECDSA keys can be supported. + Basically files containing the used code are + brought in from the OpenSSH-6.0p1 and then + the unused code is commented out by hand. + Ideally the involved code may be invoked through + a share library, but unfortunately such a library + does not exist. 
+ + - pam_ssh.c: fix missing syslog include + + - pam_ssh.c: safe spawn of the ssh-agent + + - pam_ssh.c: inexistent configuration directory handling + Short cut the session phase if no configuration directory exists: + it is meant to prevent meangningless ssh-agent launches for users + that obviously never use ssh. + + - pam_ssh.c: let ssh-agent to determine the appropriate shell style + + - pam_get_pass.c, pam_get_pass.h, pam_ssh.c: + try_first_password implementation and specific login keys + Implement the intended semantics of try_first_password as described in + in the manual page (and PAM). + Ask for SSH passphrase even if user does not exist. + Look for SSH keys in $HOME/.ssh/login-keys.d/, given that SSH keys + with .disabled or .frozen as suffix are ignored. + "keyfiles" option has been removed + + - pam_ssh.c: handle session with no controlling tty + Let the PAM session handle situations where there is no controlling tty + by using the PID to construct the sessoin file name. - * pam_ssh.c: fix faulty return in pam_sm_{open,close}_session() - Returns PAM_SESSION_ERR instead of PAM_AUTH_ERR in pam_sm_{open,close}_session() + - pam_ssh.c: fix faulty return in pam_sm_{open,close}_session() + Returns PAM_SESSION_ERR instead of PAM_AUTH_ERR in pam_sm_{open,close}_session() - * pam_ssh.c: consider TMPDIR for ssh-agent if set in environment + - pam_ssh.c: consider TMPDIR for ssh-agent if set in environment - * pam_ssh.c: configure option for specifying the SSH agent gid + - pam_ssh.c: configure option for specifying the SSH agent gid 2013-06-11 Wolfgang Rosenauer - * pam_ssh.c: fix credential restore if there is no TTY or the + * pam_ssh.c: fix credential restore if there is no TTY or the agent file cannot be stat()ted. Patch by James Carter. (https://bugzilla.novell.com/show_bug.cgi?id=823484) 
@@ -90,7 +99,7 @@ * pam_get_pass.c: CVE-2009-1273 pam_ssh used a certain prompt if a user found to exist to ask for the SSH passphrase explicitely depending on whether the - username was valid or invalid, which made it easier for remote + username was valid or invalid, which made it easier for remote attackers to enumerate usernames. ********************************************************************** @@ -107,9 +116,9 @@ * pam_ssh.c (key_load_private_maybe): New wrapper for key_load_private() that checks whether the private key's passphrase is blank. If so and if allow_blank_passphrase isn't set - or the user supplied passphrase isn't empty, this function returns - NULL. This approach is necessary because key_load_private() will - load a key with a blank passphrase regardless of the passphrase + or the user supplied passphrase isn't empty, this function returns + NULL. This approach is necessary because key_load_private() will + load a key with a blank passphrase regardless of the passphrase entered. Thanks to Rob Henderson for the report. Version 1.95 released (Novell DeveloperNet) @@ -135,7 +144,7 @@ * pam_ssh.c: fixed some debug output, create the agent file writable for the user to be able to recover from a system crash - and fixed a missing credential restore which caused pam to fail + and fixed a missing credential restore which caused pam to fail for following modules in error case Version 1.93 released (Novell DeveloperNet) @@ -152,8 +161,8 @@ PAM option 'debug' is supported now added more syslog output in debug mode - * pam_ssh.c: we should be able to recover now correctly after system - crashes where we are not able to run the close_session using + * pam_ssh.c: we should be able to recover now correctly after system + crashes where we are not able to run the close_session using the machine's uptime Version 1.92 released (Novell DeveloperNet) 
@@ -231,7 +240,7 @@ * ltconfig: Deleted this file because -avoid-version is all we need. - + * atomicio.c, authfd.c, authfile.c, bufaux.c, buffer.c, cipher.c, cipher-3des1.c, cipher-bf1.c, cipher-ctr.c, key.c, log.c, openpam_borrow_cred.c, openpam_restore_cred.c, pam_get_pass.c, @@ -369,7 +378,7 @@ environment file. Version 1.7 released -==================== +==================== 2002-08-09 Andrew J. Korty <a...@iu.edu> @@ -377,14 +386,14 @@ buffer.c, buffer.h, cipher.c, cipher.h, getput.h, kex.h, key.c, key.h, log.c, log.h, pam_ssh.c, rijndael.c, rijndael.h: Import changes from OpenSSH 3.4p1. - + * pam_ssh.c: Import changes from FreeBSD: remove extraneous free()s, add __unused qualifiers, add support for OpenPAM, add support for pam_std_option(). Retire old options mechanism. * pam_std_option.c: Import from FreeBSD for platforms that need it. - + * pam_get_pass.c, pam_mod_misc.h: Imported changes from FreeBSD. * openpam_borrow_cred.c, openpam_restore_cred.c: Imported from @@ -432,7 +441,7 @@ header files and macros before trying to use them. Version 1.6 released -==================== +==================== 2001-08-19 Andrew J. Korty <a...@iu.edu> @@ -446,7 +455,7 @@ * log-client.c, log-client.h: Removed--moved functionality into log.c and log.h. - + * authfd.c, authfd.h, authfile.c, authfile.h, cipher.c, key.c, key.h, log.c, log.h, rijndael.c, rijndael.h, xmalloc.c: Updated OpenSSH files to version 2.9p2. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_ssh-2.0/Makefile.am new/pam_ssh-2.01/Makefile.am --- old/pam_ssh-2.0/Makefile.am 2013-11-18 11:25:42.000000000 +0100 +++ new/pam_ssh-2.01/Makefile.am 2014-05-28 16:45:02.000000000 +0200 
@@ -32,20 +32,21 @@ atomicio.c atomicio.h authfd.c authfd.h \ rsa.c rsa.h \ authfile.c authfile.h \ - bufec.c bufbn.c bufaux.c buffer.c buffer.h \ + bufec.c bufbn.c bufaux.c buffer.c buffer.h bufaux.h \ cipher.c cipher.h \ acss.c cipher-acss.c acss.h \ cipher-3des1.c cipher-bf1.c cipher-ctr.c \ getput.h kex.h key.c key.h cleanup.c fatal.c log.c log.h \ pam_ssh.c rijndael.c rijndael.h xmalloc.c \ - pam_ssh_log.c xmalloc.h + pam_ssh_log.c pam_ssh_log.h xmalloc.h \ + ssh2.h ssh.h defines.h includes.h libdir = @PAMDIR@ man_MANS = pam_ssh.8 AM_CFLAGS = -Wall -AUTOMAKE_OPTIONS = dist-bzip2 +AUTOMAKE_OPTIONS = dist-bzip2 dist-xz EXTRA_pam_ssh_la_SOURCES = openpam_cred.h pam_opttab.h pam_option.h \ pam_get_pass.h strlcpy.h strnvis.h -EXTRA_DIST = $(man_MANS) bootstrap.sh pam_ssh.spec \ +EXTRA_DIST = $(man_MANS) bootstrap.sh pam_ssh.spec pam.conf.example \ pam_test.c LIBTOOL_DEPS = @LIBTOOL_DEPS@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_ssh-2.0/NEWS new/pam_ssh-2.01/NEWS --- old/pam_ssh-2.0/NEWS 2013-11-18 11:25:42.000000000 +0100 +++ new/pam_ssh-2.01/NEWS 2014-05-24 09:30:55.000000000 +0200 
@@ -1,3 +1,14 @@ +Version 2.01 +============ + +Minor doc enhancements + +* updated man page +* changelog format cleanup +* added xz as dist target archive format +* no code changes + + Version 2.0 =========== diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_ssh-2.0/configure.ac new/pam_ssh-2.01/configure.ac --- old/pam_ssh-2.0/configure.ac 2013-11-18 11:25:42.000000000 +0100 +++ new/pam_ssh-2.01/configure.ac 2014-05-24 09:27:40.000000000 +0200 @@ -1,5 +1,5 @@ dnl Copyright (c) 2002, 2004, 2007 Andrew J. Korty -dnl (c) 2006-2013 Wolfgang Rosenauer +dnl (c) 2006-2014 Wolfgang Rosenauer dnl All rights reserved. dnl dnl Redistribution and use in source and binary forms, with or without @@ -26,12 +26,12 @@ dnl Process this file with autoconf to produce a configure script. -AC_INIT([pam_ssh],[2.0],[a...@ajk.name]) +AC_INIT([pam_ssh],[2.01],[a...@ajk.name]) AC_CONFIG_HEADERS([config.h]) AC_CONFIG_SRCDIR([pam_ssh.c]) AC_CANONICAL_TARGET([]) AM_DISABLE_STATIC -AM_INIT_AUTOMAKE(pam_ssh, 2.0) +AM_INIT_AUTOMAKE(pam_ssh, 2.01) AM_PROG_LIBTOOL AC_SUBST(LIBTOOL_DEPS) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_ssh-2.0/pam_ssh.8 new/pam_ssh-2.01/pam_ssh.8 --- old/pam_ssh-2.0/pam_ssh.8 2013-11-18 11:25:42.000000000 +0100 +++ new/pam_ssh-2.01/pam_ssh.8 2013-11-20 22:57:44.000000000 +0100 
@@ -32,11 +32,8 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $Id: pam_ssh.8,v 1.7 2008/05/12 18:57:12 rosenauer Exp $ -.\" -.Dd November 26, 2001 +.Dd November 20, 2013 .Dt PAM_SSH 8 -.Os .Sh NAME .Nm pam_ssh .Nd authentication and session management with SSH private keys @@ -66,13 +63,21 @@ The SSH authentication component -provides a function to verify the identity of a user -.Pq Fn pam_sm_authenticate , +verifies the identity of a user by prompting the user for a passphrase and verifying that it can -decrypt the target user's SSH key using that passphrase. +decrypt at least one of the user's SSH login +(or authentication) +keys using that passphrase. +.Pp +The user's SSH login keys must be +either located or symbolically linked into +the per-user dedicated folder +.Pa ~/.ssh/login-keys.d/ +in the user's home directory. .Pp The following options may be passed to the authentication module: -.Bl -tag -width ".Cm use_first_pass" +.\".Bl -tag -width ".Cm use_first_pass" +.Bl -tag -width Ds -compact .It Cm debug .Xr syslog 3 debugging information at 
@@ -84,77 +89,169 @@ and a previous module obtained the user's password, that password is used -to authenticate the user. +to decrypt the user's SSH login keys. If this fails, -the authentication module returns failure -without prompting the user for a password. -This option has no effect -if the authentication module -is the first in the stack, -or if no previous modules -obtained the user's password. +then the authentication module returns failure +without prompting the user for a passphrase. +.\"This option has no effect +.\"if the authentication module +.\"is the first in the stack, +.\"or if no previous modules +.\"obtained the user's password. .It Cm try_first_pass -This option is similar to the +Similar to the .Cm use_first_pass option, -except that if the previously obtained password fails, -the user is prompted for another password. +except that if the previously obtained password fails +to decrypt any of the SSH login keys, +then the user is prompted for an SSH passphrase. .It Cm nullok -Allow empty passphrases. +Allow SSH keys with no passphrase. .El +.Pp +If neither +.Cm use_first_pass +nor +.Cm try_first_pass +is specified, +.Nm pam_ssh +will unconditionally ask for an SSH passphrase. +.Pp +The now deprecated name +.Cm allow_blank_passphrase +for +.Cm nullok +is kept for compatibility reasons. .Ss SSH Session Management Module The SSH session management component -provides functions to initiate -.Pq Fn pam_sm_open_session -and terminate -.Pq Fn pam_sm_close_session -sessions. -The -.Fn pam_sm_open_session -function starts an SSH agent, -passing it any private keys it decrypted -during the authentication phase, -and sets the environment variables -the agent specifies. 
-The -.Fn pam_sm_close_session -function kills the previously started SSH agent +initiates sessions by launching an SSH agent, +passing it any user's SSH login keys successfully decrypted +during the authentication phase and any additional user SSH session keys successfully decrypted, +and sets dedicated environment variables +accordingly; +the environment variable TMPDIR, +which can be set through the pam_tmpdir module for instance, +is also honoured by being passed to the SSH agent. +.Pp +The SSH +session management component +terminates the session by killing the previously launched SSH agent by sending it a .Dv SIGTERM . .Pp -The following options may be passed to the session management module: -.Bl -tag -width ".Cm use_first_pass" +The traditional SSH keys +.Pa ~/.ssh/identity , +.Pa ~/.ssh/id_rsa , +.Pa ~/.ssh/id_dsa , +and +.Pa ~/.ssh/id_ecdsa +are considered as the default SSH session keys. +Nonetheless, +extra user SSH session keys can be +either located or symbolically linked into +the per-user dedicated folder +.Pa ~/.ssh/session-keys.d/ +in the user's home directory. +.Pp +The following option may be passed to the session management module: +.\".Bl -tag -width ".Cm use_first_pass" +.Bl -tag -width Ds -compact .It Cm debug .Xr syslog 3 debugging information at .Dv LOG_DEBUG level. .El +.Sh INFORMATION LEAKS +Be careful with the using the +.Cm try_first_pass +option when +.Nm pam_ssh +is the first authentication module +because it will then leak information about existing users +without login keys: such users will not be asked for a specific SSH +passphrase, whereas non-existing users and existing users with +login keys will be asked for a passphrase. 
.Sh FILES -.Bl -tag -width ".Pa $HOME/.ssh2/id_dsa_*" -compact -.It Pa $HOME/.ssh/identity -SSH1/OpenSSH RSA key -.It Pa $HOME/.ssh/id_dsa -OpenSSH DSA key -.It Pa $HOME/.ssh2/id_rsa_* -SSH2 RSA keys -.It Pa $HOME/.ssh2/id_dsa_* -SSH2 DSA keys +.Bl -tag -width Ds -compact +.It Pa ~/.ssh/ +This directory is the default per-user location +for all user-specific SSH configuration +and SSH authentication information +as expected by +SSH +and its friends. +.Pp +.It Pa ~/.ssh/identity +.It Pa ~/.ssh/id_rsa +.It Pa ~/.ssh/id_dsa +.It Pa ~/.ssh/id_ecdsa +Contains the traditional private key for authentication. +These files contain sensitive data +and should be readable by the user but not accessible by others: +any traditional private key file that is accessible by others +is simply ignored. +While the SSH authentication component ignores +the traditional private keys, +the SSH session management component passes +any successfully decrypted traditional key +to the launched SSH agent. +.Pp +.It Pa ~/.ssh/login-keys.d/ +This directory is the dedicated per-user location for +files or symbolic links to files +that +contains SSH private keys +considered +by the SSH authentication component. +.Nm pam_ssh +ignores +any private key file that is accessible by others +or that possesses .disabled or .frozen as suffix. +Each login key successfully decrypted is passed +by the SSH session management component +to the lauched SSH agent. +.Pp +.It Pa ~/.ssh/session-keys.d/ +This directory is the dedicated per-user location for +files or symbolic links to files +that contains (extra) SSH private keys +considered +only +by the SSH session management component. +.Nm pam_ssh +ignores +any private key file that is accessible by others +or that possesses .disabled or .frozen as suffix. +Each session key successfully decrypted is passed +to the lauched SSH agent. 
.El .Sh SEE ALSO +.Xr ssh 1 , .Xr ssh-agent 1 , +.Xr ssh-add 1 , +.Xr ssh-keygen 1 , .Xr syslog 3 , .Xr pam.conf 5 , -.Xr pam 8 +.Xr pam.d 5 , +.Xr pam 8 , .Sh AUTHORS .Pp .An -nosplit -.An "Andrew J. Korty" Aq a...@iu.edu +.An "Andrew J. Korty" <a...@iu.edu> wrote .Nm . .An "Dag-Erling Smorgrav" wrote the original OpenPAM support code. .An "Mark R V Murray" wrote the original version of this manual page. +.An "Jens Peter Secher" +introduced the login-key concept. +Refreshed for Debian by +.An "Jerome Benoit" <calcu...@rezozer.net>. +.Nm +is currently maintained by +.An "Wolfgang Rosenauer". +.\" eof diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_ssh-2.0/pam_ssh.spec new/pam_ssh-2.01/pam_ssh.spec --- old/pam_ssh-2.0/pam_ssh.spec 2013-11-18 11:25:42.000000000 +0100 +++ new/pam_ssh-2.01/pam_ssh.spec 2014-05-24 09:24:08.000000000 +0200 @@ -4,7 +4,7 @@ BuildRequires: pam-devel License: BSD Group: Productivity/Networking/SSH -Version: 2.0 +Version: 2.01 Release: 1 Summary: A Pluggable Authentication Module (PAM) for use with SSH. URL: http://sourceforge.net/projects/pam-ssh/
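Review bot: the pam_ssh.changes entry (and the matching ChangeLog entry) credits the update to "pam_ssh.1: updated man page", but the manual page this package installs and this diff edits is section 8 (`man_MANS = pam_ssh.8` in Makefile.am, and the hunk is against pam_ssh.8); please correct the section number in the changelog text so the entry points at the file that actually changed.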
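Review bot: in the pam_ssh.spec hunk, dropping the `%gpg_verify %{S:1}` block while keeping `Source1: ...tar.xz.asc` and `Source3: %{name}.keyring` means the spec itself no longer checks the tarball signature; the "OBS handles it" note in the changes file only holds if the source_validator service is enabled for this project, so please confirm that, otherwise Source1 and Source3 are dead weight. This matters more now that both new `Source:` and `Source1:` URLs are plain `http://sourceforge.net/...`, so the detached signature is the only integrity guarantee on the download.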
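Review bot: the ChangeLog hunk re-indents the 2013-11-10 entry under "* imported Debian patches:" but carries the existing typos over into the rewritten lines ("meangningless ssh-agent launches", "construct the sessoin file name", "as described in / in the manual page"); since every one of these lines is already being replaced, fix them in the same change rather than shipping a "changelog format cleanup" that preserves them.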
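Review bot: the Makefile.am hunk adds `pam.conf.example` to `EXTRA_DIST`, but nothing in the visible diff adds that file, and automake aborts `make dist` when an EXTRA_DIST entry is missing; please confirm the file is actually present in the 2.01 tarball. The added header files (`bufaux.h`, `pam_ssh_log.h`, `ssh2.h ssh.h defines.h includes.h`) and the `dist-xz` option are consistent with the NEWS claim of "no code changes", since they only affect what gets shipped.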
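Review bot: the configure.ac hunk bumps the version in two places, `AC_INIT([pam_ssh],[2.01],...)` and `AM_INIT_AUTOMAKE(pam_ssh, 2.01)`; the two-argument form of AM_INIT_AUTOMAKE is deprecated and current automake warns about it, and it is exactly the kind of duplication that lets the two versions drift apart on the next bump. Suggest `AM_INIT_AUTOMAKE` with no arguments so the package name and version come from AC_INIT alone.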
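Review bot: the first pam_ssh.8 hunk deletes `.Os` from the mdoc prologue along with the `$Id$` line; `.Dd`, `.Dt` and `.Os` are the required prologue macros and mandoc warns on a page that lacks `.Os`, so keep the `-.Os` line (an empty `.Os` is fine). Also, `.Dd November 20, 2013` predates the 2014-05-24 release this man page update ships in; bump the date when the text changes.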
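Review bot: the new INFORMATION LEAKS section is a welcome addition, but it documents a user-enumeration channel of the same kind the ChangeLog records as fixed under CVE-2009-1273 ("which made it easier for remote attackers to enumerate usernames"), so it deserves a concrete recommendation rather than only a warning: per the text itself the leak exists only when `try_first_pass` is used and pam_ssh is the first authentication module, so state plainly that administrators should stack pam_ssh after a module that collects the password, or use `use_first_pass`, if they cannot guarantee every existing user has login keys. The opening sentence also needs a grammar fix: "Be careful with the using the" should read "Be careful when using the".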
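Review bot: the FILES hunk has several wording slips in the new text: "to the lauched SSH agent" (twice, should be "launched"), "files or symbolic links to files that contains" (should be "that contain"), and the `.It Pa ~/.ssh/identity` / `id_rsa` / `id_dsa` / `id_ecdsa` group is described as "Contains the traditional private key" although it lists four files. The security statement is the important part of this section and is worth keeping exactly as written: private key files "accessible by others" are ignored outright, and the `.disabled` / `.frozen` suffix rule applies to both login-keys.d and session-keys.d.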
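Review bot: in the SEE ALSO / AUTHORS hunk, the last cross reference is changed to `.Xr pam 8 ,`, which leaves a dangling comma after the final entry in the rendered list; the closing `.Xr` should have no trailing comma. In AUTHORS, the addresses were changed from the `Aq` macro to literal `<...>` text (`.An "Andrew J. Korty" <a...@iu.edu>`); mdoc's `.Aq Mt` form is the idiomatic way to mark up an email address and renders consistently across formatters, so prefer that over hand-typed brackets.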