From c00e83b16e3dd048c2396b57531a7cec40189a39 Mon Sep 17 00:00:00 2001 From: Cecil Hugh Watson Date: Fri, 27 Feb 2009 21:44:42 -0800 Subject: Really protect users from themselves. --- abs/core-testing/openssh/PKGBUILD | 8 ++++---- abs/core-testing/openssh/sshd.patch | 35 +++++++++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+), 4 deletions(-) create mode 100644 abs/core-testing/openssh/sshd.patch diff --git a/abs/core-testing/openssh/PKGBUILD b/abs/core-testing/openssh/PKGBUILD index 81bc2a0..ade755f 100644 --- a/abs/core-testing/openssh/PKGBUILD +++ b/abs/core-testing/openssh/PKGBUILD @@ -4,7 +4,7 @@ pkgname=openssh pkgver=5.1p1 -pkgrel=3 +pkgrel=4 #_gsskexver=20080404 pkgdesc='A Secure SHell server/client' arch=(i686 x86_64) @@ -13,15 +13,15 @@ url="http://www.openssh.org/portable.html" backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd') depends=('openssl>=0.9.8g' 'zlib' 'pam' 'tcp_wrappers' 'heimdal>=1.2-1') source=(ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$pkgver.tar.gz - sshd sshd.confd sshd.pam sshd_config.diff) + sshd sshd.confd sshd.pam sshd.patch) #http://www.sxw.org.uk/computing/patches/$pkgname-$pkgver-gsskex-$_gsskexver.patch md5sums=('03f2d0c1b5ec60d4ac9997a146d2faec' 'd9ee5e0a0d143689b3d6f11454a2a892' 'e2cea70ac13af7e63d40eb04415eacd5' '1c7c2ea8734ec7e3ca58d820634dc73a' - 'd41d8cd98f00b204e9800998ecf8427e') + 'd5e6ef9fd6126f6a560e402561f5be6e') build() { cd $startdir/src/$pkgname-$pkgver - patch -p1 < ../sshd_config.diff + patch -p1 < ../sshd.patch #patch -up0 < $startdir/src/$pkgname-$pkgver-gsskex-$_gsskexver.patch #NOTE we disable-strip so that makepkg can decide whether to strip or not diff --git a/abs/core-testing/openssh/sshd.patch b/abs/core-testing/openssh/sshd.patch new file mode 100644 index 0000000..e883a4c --- /dev/null +++ b/abs/core-testing/openssh/sshd.patch @@ -0,0 +1,35 @@ +diff -ruaN openssh-5.1p1.orig/sshd_config openssh-5.1p1/sshd_config +--- openssh-5.1p1.orig/sshd_config 2008-07-02 12:35:43.000000000 +0000 ++++ openssh-5.1p1/sshd_config 2009-02-28 05:40:09.000000000 +0000 +@@ -38,14 +38,14 @@ + # Authentication: + + #LoginGraceTime 2m +-#PermitRootLogin yes ++PermitRootLogin no + #StrictModes yes + #MaxAuthTries 6 + #MaxSessions 10 + + #RSAAuthentication yes +-#PubkeyAuthentication yes +-#AuthorizedKeysFile .ssh/authorized_keys ++PubkeyAuthentication yes ++AuthorizedKeysFile .ssh/authorized_keys + + # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts + #RhostsRSAAuthentication no +@@ -88,7 +88,7 @@ + #AllowAgentForwarding yes + #AllowTcpForwarding yes + #GatewayPorts no +-#X11Forwarding no ++X11Forwarding yes + #X11DisplayOffset 10 + #X11UseLocalhost yes + #PrintMotd yes +@@ -117,3 +117,4 @@ + # X11Forwarding no + # AllowTcpForwarding no + # ForceCommand cvs server ++DenyUsers mythtv -- cgit v0.12