Fixes from upstream for minor DOS #148228.

(Portage version: 2.1.2_pre1)
author: Mike Frysinger <vapier@gentoo.org> 2006-09-20 23:10:35 +0000
committer: Mike Frysinger <vapier@gentoo.org> 2006-09-20 23:10:35 +0000
commit: 7c129f290067c73c3df99213bfdb876157d3b39a (patch)
tree: 5115bad10524b978b62e997793d90867ce0d3876 /net-misc
parent: rename patch (diff)
download: gentoo-2-7c129f290067c73c3df99213bfdb876157d3b39a.tar.gz
gentoo-2-7c129f290067c73c3df99213bfdb876157d3b39a.tar.bz2
gentoo-2-7c129f290067c73c3df99213bfdb876157d3b39a.zip
7 files changed, 388 insertions, 9 deletions
diff --git a/net-misc/openssh/ChangeLog b/net-misc/openssh/ChangeLog
index bfa60169e5f7..4a570cb880f7 100644
--- a/net-misc/openssh/ChangeLog
+++ b/net-misc/openssh/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for net-misc/openssh
 # Copyright 1999-2006 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/ChangeLog,v 1.183 2006/09/08 04:37:14 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/ChangeLog,v 1.184 2006/09/20 23:10:35 vapier Exp $
+
+*openssh-4.3_p2-r3 (20 Sep 2006)
+
+  20 Sep 2006; Mike Frysinger <vapier@gentoo.org>
+  +files/openssh-4.3_p1-chroot.patch,
+  +files/openssh-4.3_p2-identical-simple-dos.patch, files/sshd.confd,
+  files/sshd.rc6, +openssh-4.3_p2-r3.ebuild:
+  Fixes from upstream for minor DOS #148228.
 
   08 Sep 2006; Mike Frysinger <vapier@gentoo.org> openssh-4.3_p2-r2.ebuild:
   Remove ugly flag mangling and fix building with USE=static #146654 by
diff --git a/net-misc/openssh/files/digest-openssh-4.3_p2-r3 b/net-misc/openssh/files/digest-openssh-4.3_p2-r3
new file mode 100644
index 000000000000..adb9f80e2b55
--- /dev/null
+++ b/net-misc/openssh/files/digest-openssh-4.3_p2-r3
@@ -0,0 +1,15 @@
+MD5 3611a21a0098c32416d4b8f75232c796 openssh-4.3p2+SecurID_v1.3.2.patch 47650
+RMD160 90c719e8b7576d06bda5fdfb86287bfa577c5e1a openssh-4.3p2+SecurID_v1.3.2.patch 47650
+SHA256 d6fc92a11c23f3fa0c77f50e6d76cb6c6635ae4907df724a12e460b90c90e988 openssh-4.3p2+SecurID_v1.3.2.patch 47650
+MD5 bc93a31436941ae32e7f9d20c592eca7 openssh-4.3p2+x509-5.5.diff.gz 136017
+RMD160 21069550bbb05ea22870da853f68ee9910b2b71e openssh-4.3p2+x509-5.5.diff.gz 136017
+SHA256 b62ee8afd927d9c97367ac738be55464327deacabf803a610159a98c569e72ad openssh-4.3p2+x509-5.5.diff.gz 136017
+MD5 41b69edab053387f5233798864fcec74 openssh-4.3p2-hpn12-gentoo.patch.bz2 13642
+RMD160 34fd5390d602a9ab99edb25756318cc0dd842360 openssh-4.3p2-hpn12-gentoo.patch.bz2 13642
+SHA256 14d8ec5601bf1977f583a45353213a2dc4e8a453e3fc9c7a65499d0645cc9063 openssh-4.3p2-hpn12-gentoo.patch.bz2 13642
+MD5 7e9880ac20a9b9db0d3fea30a9ff3d46 openssh-4.3p2.tar.gz 941455
+RMD160 ccd5967e3296347e6dd2be43c3d6caacde2b6833 openssh-4.3p2.tar.gz 941455
+SHA256 4ba757d6c933e7d075b6424124d92d197eb5d91e4a58794596b67f5f0ca21d4f openssh-4.3p2.tar.gz 941455
+MD5 d9eacb819a73daddb3d21ca7aa8e5c25 openssh-lpk-4.3p1-0.3.7.patch 60451
+RMD160 fda93b8ee3ef9b633947784fe84a9eed2acbd325 openssh-lpk-4.3p1-0.3.7.patch 60451
+SHA256 0bcfa28804caf685de2248ddc966666196f6df81d1d058066f2da17714518af4 openssh-lpk-4.3p1-0.3.7.patch 60451
diff --git a/net-misc/openssh/files/openssh-4.3_p1-chroot.patch b/net-misc/openssh/files/openssh-4.3_p1-chroot.patch
new file mode 100644
index 000000000000..e9ca7ae94ec4
--- /dev/null
+++ b/net-misc/openssh/files/openssh-4.3_p1-chroot.patch
@@ -0,0 +1,54 @@
+http://chrootssh.sourceforge.net/
+
+--- openssh-4.3p1/session.c
++++ openssh-4.3p1/session.c
+@@ -59,6 +59,8 @@
+ #include "kex.h"
+ #include "monitor_wrap.h"
+ 
++#define CHROOT
++
+ #if defined(KRB5) && defined(USE_AFS)
+ #include <kafs.h>
+ #endif
+@@ -1251,6 +1253,11 @@
+ void
+ do_setusercontext(struct passwd *pw)
+ {
++#ifdef CHROOT
++	char *user_dir;
++	char *new_root;
++#endif /* CHROOT */
++
+ #ifndef HAVE_CYGWIN
+ 	if (getuid() == 0 || geteuid() == 0)
+ #endif /* HAVE_CYGWIN */
+@@ -1308,6 +1315,27 @@
+ 			restore_uid();
+ 		}
+ #endif
++
++#ifdef CHROOT
++	user_dir = xstrdup(pw->pw_dir);
++	new_root = user_dir + 1;
++
++	while ((new_root = strchr(new_root, '.')) != NULL) {
++		new_root--;
++		if (strncmp(new_root, "/./", 3) == 0) {
++			*new_root = '\0';
++			new_root += 2;
++
++			if(chroot(user_dir) != 0)
++				fatal("Couldn't chroot to user's directory %s", user_dir);
++			pw->pw_dir = new_root;
++			break;
++		}
++
++		new_root += 2;
++	}
++#endif /* CHROOT */
++
+ # ifdef USE_PAM
+ 		/*
+ 		 * PAM credentials may take the form of supplementary groups.
+
diff --git a/net-misc/openssh/files/openssh-4.3_p2-identical-simple-dos.patch b/net-misc/openssh/files/openssh-4.3_p2-identical-simple-dos.patch
new file mode 100644
index 000000000000..84c043fe6544
--- /dev/null
+++ b/net-misc/openssh/files/openssh-4.3_p2-identical-simple-dos.patch
@@ -0,0 +1,119 @@
+http://bugs.gentoo.org/148228
+
+taken from upstream cvs and munged a little to apply against 4.3p2
+
+===================================================================
+RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/deattack.c,v
+retrieving revision 1.29
+retrieving revision 1.30
+diff -u -r1.29 -r1.30
+--- src/usr.bin/ssh/deattack.c	2006/08/03 03:34:42	1.29
++++ src/usr.bin/ssh/deattack.c	2006/09/16 19:53:37	1.30
+@@ -30,6 +30,24 @@
+ #include "crc32.h"
+ #include "misc.h"
+ 
++/*
++ * CRC attack detection has a worst-case behaviour that is O(N^3) over
++ * the number of identical blocks in a packet. This behaviour can be 
++ * exploited to create a limited denial of service attack. 
++ * 
++ * However, because we are dealing with encrypted data, identical
++ * blocks should only occur every 2^35 maximally-sized packets or so. 
++ * Consequently, we can detect this DoS by looking for identical blocks
++ * in a packet.
++ *
++ * The parameter below determines how many identical blocks we will
++ * accept in a single packet, trading off between attack detection and
++ * likelihood of terminating a legitimate connection. A value of 32 
++ * corresponds to an average of 2^40 messages before an attack is
++ * misdetected
++ */
++#define MAX_IDENTICAL	32
++
+ /* SSH Constants */
+ #define SSH_MAXBLOCKS	(32 * 1024)
+ #define SSH_BLOCKSIZE	(8)
+@@ -85,7 +103,7 @@
+ 	static u_int16_t *h = (u_int16_t *) NULL;
+ 	static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
+ 	u_int32_t i, j;
+-	u_int32_t l;
++	u_int32_t l, same;
+ 	u_char *c;
+ 	u_char *d;
+ 
+@@ -122,11 +140,13 @@
+ 	if (IV)
+ 		h[HASH(IV) & (n - 1)] = HASH_IV;
+ 
+-	for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
++	for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
+ 		for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
+ 		    i = (i + 1) & (n - 1)) {
+ 			if (h[i] == HASH_IV) {
+ 				if (!CMP(c, IV)) {
++					if (++same > MAX_IDENTICAL)
++						return (DEATTACK_DOS_DETECTED);
+ 					if (check_crc(c, buf, len, IV))
+ 						return (DEATTACK_DETECTED);
+ 					else
+===================================================================
+RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/packet.c,v
+retrieving revision 1.143
+retrieving revision 1.144
+diff -u -r1.143 -r1.144
+--- src/usr.bin/ssh/packet.c	2006/08/05 08:34:04	1.143
++++ src/usr.bin/ssh/packet.c	2006/09/16 19:53:37	1.144
+@@ -991,9 +991,16 @@
+ 	 * (C)1998 CORE-SDI, Buenos Aires Argentina
+ 	 * Ariel Futoransky(futo@core-sdi.com)
+ 	 */
+-	if (!receive_context.plaintext &&
+-	    detect_attack(buffer_ptr(&input), padded_len, NULL) == DEATTACK_DETECTED)
+-		packet_disconnect("crc32 compensation attack: network attack detected");
++	if (!receive_context.plaintext) {
++		switch (detect_attack(buffer_ptr(&input), padded_len, NULL)) {
++		case DEATTACK_DETECTED:
++			packet_disconnect("crc32 compensation attack: "
++			    "network attack detected");
++		case DEATTACK_DOS_DETECTED:
++			packet_disconnect("deattack denial of "
++			    "service detected");
++		}
++	}
+ 
+ 	/* Decrypt data to incoming_packet. */
+ 	buffer_clear(&incoming_packet);
+===================================================================
+RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/deattack.h,v
+retrieving revision 1.9
+retrieving revision 1.10
+diff -u -r1.9 -r1.10
+--- src/usr.bin/ssh/deattack.h	2006/03/25 22:22:43	1.9
++++ src/usr.bin/ssh/deattack.h	2006/09/16 19:53:37	1.10
+@@ -25,6 +25,7 @@
+ /* Return codes */
+ #define DEATTACK_OK		0
+ #define DEATTACK_DETECTED	1
++#define DEATTACK_DOS_DETECTED	2
+ 
+ int	 detect_attack(u_char *, u_int32_t);
+ #endif
+===================================================================
+RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/packet.c,v
+retrieving revision 1.144
+retrieving revision 1.145
+diff -u -r1.144 -r1.145
+--- src/usr.bin/ssh/packet.c	2006/09/16 19:53:37	1.144
++++ src/usr.bin/ssh/packet.c	2006/09/19 21:14:08	1.145
+@@ -682,6 +682,9 @@
+ 	 */
+ 	after_authentication = 1;
+ 	for (mode = 0; mode < MODE_MAX; mode++) {
++		/* protocol error: USERAUTH_SUCCESS received before NEWKEYS */
++		if (newkeys[mode] == NULL)
++			continue;
+ 		comp = &newkeys[mode]->comp;
+ 		if (comp && !comp->enabled && comp->type == COMP_DELAYED) {
+ 			packet_init_compression();
diff --git a/net-misc/openssh/files/sshd.confd b/net-misc/openssh/files/sshd.confd
index 8e75908369be..28952b4a285a 100644
--- a/net-misc/openssh/files/sshd.confd
+++ b/net-misc/openssh/files/sshd.confd
@@ -4,7 +4,18 @@
 
 SSHD_CONFDIR="/etc/ssh"
 
+
 # Any random options you want to pass to sshd.
 # See the sshd(8) manpage for more info.
 
 SSHD_OPTS=""
+
+
+# Pid file to use (needs to be absolute path).
+
+#SSHD_PIDFILE="/var/run/sshd.pid"
+
+
+# Path to the sshd binary (needs to be absolute path).
+
+#SSHD_BINARY="/usr/sbin/sshd"
diff --git a/net-misc/openssh/files/sshd.rc6 b/net-misc/openssh/files/sshd.rc6
index 139f9cb8364e..77cfc5a4f4e1 100644
--- a/net-misc/openssh/files/sshd.rc6
+++ b/net-misc/openssh/files/sshd.rc6
@@ -1,7 +1,7 @@
 #!/sbin/runscript
 # Copyright 1999-2006 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6,v 1.19 2006/02/28 00:09:52 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6,v 1.20 2006/09/20 23:10:35 vapier Exp $
 
 opts="reload"
 
@@ -11,6 +11,8 @@ depend() {
 }
 
 SSHD_CONFDIR=${SSHD_CONFDIR:-/etc/ssh}
+SSHD_PIDFILE=${SSHD_PIDFILE:-/var/run/${SVCNAME}.pid}
+SSHD_BINARY=${SSHD_BINARY:-/usr/sbin/sshd}
 
 checkconfig() {
 	if [[ ! -d /var/empty ]] ; then
@@ -19,13 +21,13 @@ checkconfig() {
 
 	if [[ ! -e ${SSHD_CONFDIR}/sshd_config ]] ; then
 		eerror "You need an ${SSHD_CONFDIR}/sshd_config file to run sshd"
-		eerror "There is a sample file in  /usr/share/doc/openssh"
+		eerror "There is a sample file in /usr/share/doc/openssh"
 		return 1
 	fi
 
 	gen_keys || return 1
 
-	/usr/sbin/sshd -t ${myopts} || return 1
+	${SSHD_BINARY} -t ${myopts} || return 1
 }
 
 gen_keys() {
@@ -46,24 +48,26 @@ gen_keys() {
 
 start() {
 	local myopts=""
-	[[ ${SVCNAME} != "sshd" ]] && myopts="${myopts} -o PidFile=/var/run/${SVCNAME}.pid"
-	[[ ${SSHD_CONFDIR} != "/etc/ssh" ]] && myopts="${myopts} -f ${SSHD_CONFDIR}/sshd_config"
+	[[ ${SSHD_PIDFILE} != "/var/run/sshd.pid" ]] \
+		&& myopts="${myopts} -o PidFile=${SSHD_PIDFILE}"
+	[[ ${SSHD_CONFDIR} != "/etc/ssh" ]] \
+		&& myopts="${myopts} -f ${SSHD_CONFDIR}/sshd_config"
 
 	checkconfig || return 1
 	ebegin "Starting ${SVCNAME}"
-	/usr/sbin/sshd ${myopts} ${SSHD_OPTS}
+	${SSHD_BINARY} ${myopts} ${SSHD_OPTS}
 	eend $?
 }
 
 stop() {
 	ebegin "Stopping ${SVCNAME}"
-	start-stop-daemon --stop --quiet --pidfile /var/run/${SVCNAME}.pid
+	start-stop-daemon --stop --quiet --pidfile ${SSHD_PIDFILE}
 	eend $?
 }
 
 reload() {
 	ebegin "Reloading ${SVCNAME}"
-	start-stop-daemon --stop --quiet --pidfile /var/run/${SVCNAME}.pid \
+	start-stop-daemon --stop --quiet --pidfile ${SSHD_PIDFILE} \
 		--signal HUP
 	eend $?
 }
diff --git a/net-misc/openssh/openssh-4.3_p2-r3.ebuild b/net-misc/openssh/openssh-4.3_p2-r3.ebuild
new file mode 100644
index 000000000000..ccb78128b3e2
--- /dev/null
+++ b/net-misc/openssh/openssh-4.3_p2-r3.ebuild
@@ -0,0 +1,168 @@
+# Copyright 1999-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-4.3_p2-r3.ebuild,v 1.1 2006/09/20 23:10:35 vapier Exp $
+
+inherit eutils flag-o-matic ccc pam multilib
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_/}
+
+X509_PATCH="${PARCH}+x509-5.5.diff.gz"
+SECURID_PATCH="${PARCH}+SecurID_v1.3.2.patch"
+LDAP_PATCH="${PARCH/-4.3p2/-lpk-4.3p1}-0.3.7.patch"
+HPN_PATCH="${PARCH}-hpn12-gentoo.patch.bz2"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.com/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	hpn? ( mirror://gentoo/${HPN_PATCH} http://www.psc.edu/networking/projects/hpn-ssh/${HPN_PATCH} )
+	X509? ( http://roumenpetrov.info/openssh/x509-5.5/${X509_PATCH} )
+	smartcard? ( http://www.omniti.com/~jesus/projects/${SECURID_PATCH} )
+	ldap? ( http://www.opendarwin.org/projects/openssh-lpk/files/${LDAP_PATCH} )"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd"
+IUSE="ipv6 static pam tcpd kerberos skey selinux chroot X509 ldap smartcard sftplogging hpn libedit X"
+
+RDEPEND="pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )
+	selinux? ( >=sys-libs/libselinux-1.28 )
+	skey? ( >=app-admin/skey-1.1.5-r1 )
+	ldap? ( net-nds/openldap )
+	libedit? ( || ( dev-libs/libedit sys-freebsd/freebsd-lib ) )
+	>=dev-libs/openssl-0.9.6d
+	>=sys-libs/zlib-1.2.3
+	smartcard? ( dev-libs/opensc )
+	tcpd? ( >=sys-apps/tcp-wrappers-7.6 )
+	X? ( || ( x11-apps/xauth virtual/x11 ) )
+	userland_GNU? ( sys-apps/shadow )"
+DEPEND="${RDEPEND}
+	dev-util/pkgconfig
+	virtual/os-headers
+	sys-devel/autoconf"
+
+PROVIDE="virtual/ssh"
+
+S=${WORKDIR}/${PARCH}
+
+src_unpack() {
+	unpack ${PARCH}.tar.gz
+	cd "${S}"
+
+	sed -i \
+		-e '/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:/usr/bin/xauth:' \
+		pathnames.h || die
+
+	epatch "${FILESDIR}"/openssh-4.3_p2-identical-simple-dos.patch #148228
+	epatch "${FILESDIR}"/openssh-4.3_p2-configure.patch #137921
+	epatch "${FILESDIR}"/openssh-4.3_p1-krb5-typos.patch #124494
+	use X509 && epatch "${DISTDIR}"/${X509_PATCH} "${FILESDIR}"/${P}-x509-hpn-glue.patch
+	use sftplogging && epatch "${FILESDIR}"/openssh-4.2_p1-sftplogging-1.4-gentoo.patch.bz2
+	use chroot && epatch "${FILESDIR}"/openssh-4.3_p1-chroot.patch
+	if use X509 ; then
+		cp "${FILESDIR}"/openssh-4.3_p2-selinux.patch .
+		epatch "${FILESDIR}"/openssh-4.3_p2-selinux.patch.glue ./openssh-4.3_p2-selinux.patch
+	else
+		epatch "${FILESDIR}"/openssh-4.3_p2-selinux.patch
+	fi
+	use smartcard && epatch "${FILESDIR}"/openssh-3.9_p1-opensc.patch
+	if ! use X509 ; then
+		if [[ -n ${SECURID_PATCH} ]] && use smartcard ; then
+			epatch "${DISTDIR}"/${SECURID_PATCH} "${FILESDIR}"/${P}-securid-hpn-glue.patch
+			use ldap && epatch "${FILESDIR}"/openssh-4.0_p1-smartcard-ldap-happy.patch
+		fi
+		if use ldap ; then
+			use sftplogging \
+				&& ewarn "Sorry, sftplogging and ldap don't get along, disabling ldap" \
+				|| epatch "${DISTDIR}"/${LDAP_PATCH}
+		fi
+	elif [[ -n ${SECURID_PATCH} ]] && use smartcard || use ldap ; then
+		ewarn "Sorry, x509 and smartcard/ldap don't get along"
+	fi
+	[[ -n ${HPN_PATCH} ]] && use hpn && epatch "${DISTDIR}"/${HPN_PATCH}
+
+	sed -i '/LD.*ssh-keysign/s:$: '$(bindnow-flags)':' Makefile.in || die "setuid"
+
+	sed -i "s:-lcrypto:$(pkg-config --libs openssl):" configure{,.ac} || die
+
+	autoconf || die "autoconf failed"
+}
+
+src_compile() {
+	addwrite /dev/ptmx
+	addpredict /etc/skey/skeykeys #skey configure code triggers this
+
+	local myconf=""
+	if use static ; then
+		append-ldflags -static
+		use pam && ewarn "Disabling pam support becuse of static flag"
+		myconf="${myconf} --without-pam"
+	else
+		myconf="${myconf} $(use_with pam)"
+	fi
+
+	use ipv6 || myconf="${myconf} --with-ipv4-default"
+
+	econf \
+		--with-ldflags="${LDFLAGS}" \
+		--disable-strip \
+		--sysconfdir=/etc/ssh \
+		--libexecdir=/usr/$(get_libdir)/misc \
+		--datadir=/usr/share/openssh \
+		--disable-suid-ssh \
+		--with-privsep-path=/var/empty \
+		--with-privsep-user=sshd \
+		--with-md5-passwords \
+		$(use_with ldap) \
+		$(use_with libedit) \
+		$(use_with kerberos kerberos5 /usr) \
+		$(use_with tcpd tcp-wrappers) \
+		$(use_with selinux) \
+		$(use_with skey) \
+		$(use_with smartcard opensc) \
+		${myconf} \
+		|| die "bad configure"
+	emake || die "compile problem"
+}
+
+src_install() {
+	make install-nokeys DESTDIR="${D}" || die
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd.rc6 sshd
+	newconfd "${FILESDIR}"/sshd.confd sshd
+	keepdir /var/empty
+
+	newpamd "${FILESDIR}"/sshd.pam_include sshd
+	dosed "/^#Protocol /s:.*:Protocol 2:" /etc/ssh/sshd_config
+	use pam \
+		&& dosed "/^#UsePAM /s:.*:UsePAM yes:" /etc/ssh/sshd_config \
+		&& dosed "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" /etc/ssh/sshd_config
+
+	doman contrib/ssh-copy-id.1
+	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+}
+
+pkg_postinst() {
+	enewgroup sshd 22
+	enewuser sshd 22 -1 /var/empty sshd
+
+	ewarn "Remember to merge your config files in /etc/ssh/ and then"
+	ewarn "restart sshd: '/etc/init.d/sshd restart'."
+	ewarn
+	einfo "As of version 3.4 the default is to enable the UsePrivelegeSeparation"
+	einfo "functionality, but please ensure that you do not explicitly disable"
+	einfo "this in your configuration as disabling it opens security holes"
+	einfo
+	einfo "This revision has removed your sshd user id and replaced it with a"
+	einfo "new one with UID 22.  If you have any scripts or programs that"
+	einfo "that referenced the old UID directly, you will need to update them."
+	einfo
+	if use pam ; then
+		einfo "Please be aware users need a valid shell in /etc/passwd"
+		einfo "in order to be allowed to login."
+		einfo
+	fi
+}
author	Mike Frysinger <vapier@gentoo.org>	2006-09-20 23:10:35 +0000
committer	Mike Frysinger <vapier@gentoo.org>	2006-09-20 23:10:35 +0000
commit	7c129f290067c73c3df99213bfdb876157d3b39a (patch)
tree	5115bad10524b978b62e997793d90867ce0d3876 /net-misc
parent	rename patch (diff)
download	gentoo-2-7c129f290067c73c3df99213bfdb876157d3b39a.tar.gz gentoo-2-7c129f290067c73c3df99213bfdb876157d3b39a.tar.bz2 gentoo-2-7c129f290067c73c3df99213bfdb876157d3b39a.zip