
happy new year OpenSSH: this is your new dress (configuration cleanups, fixes, adjustments, etc)

Ralf S. Engelschall vor 22 Jahren
Commit
85a43ec3b5
6 geänderte Dateien mit 114 neuen und 109 gelöschten Zeilen
  1. 24 14
      openssh/openssh.spec
  2. 1 1
      openssh/rc.openssh
  3. 47 54
      openssh/ssh-keyman.1
  4. 1 4
      openssh/ssh-keyman.pod
  5. 33 32
      openssh/ssh_config
  6. 8 4
      openssh/sshd_config

+ 24 - 14
openssh/openssh.spec

@@ -41,7 +41,7 @@ Distribution: OpenPKG [CORE]
 Group:        Security
 License:      BSD
 Version:      %{V_base}%{V_portable}
-Release:      20031231
+Release:      20040101
 
 #   package options
 %option       with_fsl      yes
@@ -199,9 +199,11 @@ AutoReqProv:  no
     strip $RPM_BUILD_ROOT%{l_prefix}/libexec/openssh/* 2>/dev/null || true
 
     #   install ssh-askpass wrapper
-    %{l_shtool} mkdir -f -p -m 755 $RPM_BUILD_ROOT%{l_prefix}/libexec/openssh
+    %{l_shtool} mkdir -f -p -m 755 \
+        $RPM_BUILD_ROOT%{l_prefix}/libexec/openssh
     %{l_shtool} install -c -m 755 %{l_value -s -a} \
-        %{SOURCE ssh-askpass} $RPM_BUILD_ROOT%{l_prefix}/libexec/openssh/
+        %{SOURCE ssh-askpass} \
+        $RPM_BUILD_ROOT%{l_prefix}/libexec/openssh/
 
     #   make sure the state directory exists
     %{l_shtool} mkdir -f -p -m 755 \
@@ -213,25 +215,33 @@ AutoReqProv:  no
         $RPM_BUILD_ROOT%{l_prefix}/bin \
         $RPM_BUILD_ROOT%{l_prefix}/man/man1
     %{l_shtool} install -c -m 755 %{l_value -s -a} \
-        %{SOURCE ssh-keyman} $RPM_BUILD_ROOT%{l_prefix}/bin/
+        %{SOURCE ssh-keyman} \
+        $RPM_BUILD_ROOT%{l_prefix}/bin/
     %{l_shtool} install -c -m 644 %{l_value -s -a} \
-        %{SOURCE ssh-keyman.1} $RPM_BUILD_ROOT%{l_prefix}/man/man1/
+        %{SOURCE ssh-keyman.1} \
+        $RPM_BUILD_ROOT%{l_prefix}/man/man1/
 
     #   install run-command script
-    %{l_shtool} mkdir -f -p -m 755 $RPM_BUILD_ROOT%{l_prefix}/etc/rc.d
+    %{l_shtool} mkdir -f -p -m 755 \
+        $RPM_BUILD_ROOT%{l_prefix}/etc/rc.d
     %{l_shtool} install -c -m 755 %{l_value -s -a} \
-        %{SOURCE rc.openssh} $RPM_BUILD_ROOT%{l_prefix}/etc/rc.d/
+        %{SOURCE rc.openssh} \
+        $RPM_BUILD_ROOT%{l_prefix}/etc/rc.d/
 
     #   install reasonable ssh server and client configuration files
-    %{l_shtool} mkdir -f -p -m 755 $RPM_BUILD_ROOT%{l_prefix}/etc/openssh
+    %{l_shtool} mkdir -f -p -m 755 \
+        $RPM_BUILD_ROOT%{l_prefix}/etc/openssh
     %{l_shtool} install -c -m 644 %{l_value -s -a} \
         -e 's;@l_x11forwarding@;%{with_x11};' \
-        %{SOURCE sshd_config} $RPM_BUILD_ROOT%{l_prefix}/etc/openssh/
+        %{SOURCE sshd_config} \
+        $RPM_BUILD_ROOT%{l_prefix}/etc/openssh/
     %{l_shtool} install -c -m 644 %{l_value -s -a} \
-        %{SOURCE ssh_config} $RPM_BUILD_ROOT%{l_prefix}/etc/openssh/
+        %{SOURCE ssh_config} \
+        $RPM_BUILD_ROOT%{l_prefix}/etc/openssh/
 
     #   install OSSP fsl configuration
-    %{l_shtool} mkdir -f -p -m 755 $RPM_BUILD_ROOT%{l_prefix}/etc/fsl
+    %{l_shtool} mkdir -f -p -m 755 \
+        $RPM_BUILD_ROOT%{l_prefix}/etc/fsl
     %{l_shtool} install -c -m 644 %{l_value -s -a} \
         %{SOURCE fsl.openssh} \
         $RPM_BUILD_ROOT%{l_prefix}/etc/fsl/
@@ -251,7 +261,7 @@ AutoReqProv:  no
     rm -rf $RPM_BUILD_ROOT
 
 %post
-    #   generate server RSA1 (SSHv1) key
+    #   generate server RSA1 (SSH1) key
     if [ ! -f "$RPM_INSTALL_PREFIX/etc/openssh/ssh_host_key" -o \
          ! -s "$RPM_INSTALL_PREFIX/etc/openssh/ssh_host_key" ] ; then
         $RPM_INSTALL_PREFIX/bin/ssh-keygen -t rsa1 -b 2048 \
@@ -259,7 +269,7 @@ AutoReqProv:  no
             -N '' -C `hostname` 1>&2
     fi
 
-    #   generate server RSA (SSHv2) key
+    #   generate server RSA (SSH2) key
     if [ ! -f "$RPM_INSTALL_PREFIX/etc/openssh/ssh_host_rsa_key" -o \
          ! -s "$RPM_INSTALL_PREFIX/etc/openssh/ssh_host_rsa_key" ] ; then
         $RPM_INSTALL_PREFIX/bin/ssh-keygen -t rsa -b 2048 \
@@ -267,7 +277,7 @@ AutoReqProv:  no
             -N '' -C `hostname` 1>&2
     fi
 
-    #   generate server DSA (SSHv2) key
+    #   generate server DSA (SSH2) key
     if [ ! -f "$RPM_INSTALL_PREFIX/etc/openssh/ssh_host_dsa_key" -o \
          ! -s "$RPM_INSTALL_PREFIX/etc/openssh/ssh_host_dsa_key" ] ; then
         $RPM_INSTALL_PREFIX/bin/ssh-keygen -t dsa -b 2048 \

+ 1 - 1
openssh/rc.openssh

@@ -13,7 +13,7 @@
 
 %common
     openssh_signal () {
-        openssh_pidfile="@l_prefix@/var/openssh/sshd.pid"
+        openssh_pidfile="@l_prefix@/var/openssh/openssh.pid"
         [ -f $openssh_pidfile ] && kill -$1 `cat $openssh_pidfile`
     }
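Review bot: The pid file path assigned in `openssh_signal` now has to agree with `PidFile` in `openssh/sshd_config`, which this commit changes in the same step, but nothing in either file records that coupling; a comment above the assignment, `# must match PidFile in sshd_config`, would keep the two from drifting apart in a later cleanup. The `kill` on the following line also runs with an empty argument list when the pid file exists but is empty, so testing with `[ -s $openssh_pidfile ]` instead of `-f` would be more robust. The enclosing `%common` section continues outside the hunk.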
 

+ 47 - 54
openssh/ssh-keyman.1

@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Tue May  7 19:43:46 2002
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.13
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,13 +126,12 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "SSH-KEYMAN 1"
-.TH SSH-KEYMAN 1 "perl v5.6.1" "2002-05-07" "User Contributed Perl Documentation"
-.UC
+.TH SSH-KEYMAN 1 "2004-01-01" "perl v5.8.2" "User Contributed Perl Documentation"
 .SH "NAME"
-\&\fBssh-keyman\fR \- authentication key agent management
+\&\fBssh\-keyman\fR \- authentication key agent management
 .SH "SYNOPSIS"
 .IX Header "SYNOPSIS"
 \&\fBssh-keyman\fR 
@@ -153,6 +143,7 @@
 [\fB\-d\fR]
 [\fB\-a\fR]
 [\fB\-l\fR]
+[\fB\-i\fR]
 [\fIkeyfile\fR ...]
 .PP
 \&\fBssh-keyman\fR 
@@ -169,61 +160,63 @@ often than really necessary from a security point of view.
 .PP
 The command line options can be combined and are executed internally in
 the given order below.
-.Ip "\fB\-q\fR, \fB\*(--quiet\fR" 4
-.IX Item "-q, quiet"
+.IP "\fB\-q\fR, \fB\-\-quiet\fR" 4
+.IX Item "-q, --quiet"
 Quiet operation. Do not print verbose messages.
-.Ip "\fB\-c\fR, \fB\*(--cluster\fR" 4
-.IX Item "-c, cluster"
+.IP "\fB\-c\fR, \fB\-\-cluster\fR" 4
+.IX Item "-c, --cluster"
 Cluster indicator. This forces the use of
-\&\fB$HOME/.ssh/agent-\fR\fIhostname\fR as the agent attachment informations
+\&\fB$HOME/.ssh/agent\-\fR\fIhostname\fR as the agent attachment informations
 file instead of the default \fB$HOME/.ssh/agent\fR. Use this if your home
 directory is NFS-mounted on a cluster of desktops.
-.Ip "\fB\-k\fR, \fB\*(--kill\fR" 4
-.IX Item "-k, kill"
+.IP "\fB\-k\fR, \fB\-\-kill\fR" 4
+.IX Item "-k, --kill"
 Kill agent. This makes sure the \fBssh-agent\fR process
 is no longer running.
-.Ip "\fB\-s\fR, \fB\*(--start\fR" 4
-.IX Item "-s, start"
+.IP "\fB\-s\fR, \fB\-\-start\fR" 4
+.IX Item "-s, --start"
 Start agent. This makes sure the \fBssh-agent\fR process is
 running. If not, it automatically spawns a new one.
-.Ip "\fB\-e\fR, \fB\*(--env\fR" 4
-.IX Item "-e, env"
+.IP "\fB\-e\fR, \fB\-\-env\fR" 4
+.IX Item "-e, --env"
 Environment setup. This outputs to \fIstdout\fR the Bourne-Shell commands
 necessary to attach the current shell session to the \fBssh-agent\fR
 process. The intended usage is "\f(CW\*(C`eval `\f(CBssh-keyman\f(CW \-q \-e \-s`\*(C'\fR" from
 within \fB$HOME/.xsession\fR or \fB$HOME/.bash_login\fR scripts.
-.Ip "\fB\-d\fR, \fB\*(--delete\fR" 4
-.IX Item "-d, delete"
+.IP "\fB\-d\fR, \fB\-\-delete\fR" 4
+.IX Item "-d, --delete"
 Delete key. This deletes one or more (or all if not \fIkeyfile\fR arguments
 are specified at all) from the \fBssh-agent\fR process.
-.Ip "\fB\-a\fR, \fB\*(--add\fR" 4
-.IX Item "-a, add"
+.IP "\fB\-a\fR, \fB\-\-add\fR" 4
+.IX Item "-a, --add"
 Add key. This adds one or more keys (in \fIkeyfile\fR) to the \fBssh-agent\fR
 process. If a key is already loaded, it is skipped and not reloaded.
 Additionally, all specified keys are loaded with a single \fBssh-add\fR
 call. This way the pass-phrase dialog is reduced to its possible
 minimum.
-.Ip "\fB\-l\fR, \fB\*(--list\fR" 4
-.IX Item "-l, list"
+.IP "\fB\-l\fR, \fB\-\-list\fR" 4
+.IX Item "-l, --list"
 List keys. This lists the currently available keys in the \fBssh-agent\fR
 process.
-.Ip "\fB\-h\fR, \fB\*(--help\fR" 4
-.IX Item "-h, help"
+.IP "\fB\-i\fR, \fB\-\-install\fR" 4
+.IX Item "-i, --install"
+Install public keys into remote account. This extracts the currently available public keys in the \fBssh-agent\fR
+process and installs them into "\f(CW\*(C`~/.ssh/authorized_keys\*(C'\fR" on a specified remote account.
+.IP "\fB\-h\fR, \fB\-\-help\fR" 4
+.IX Item "-h, --help"
 Help information. Display a usage summary on \fIstdout\fR.
-.Ip "\fB\-v\fR, \fB\*(--version\fR" 4
-.IX Item "-v, version"
+.IP "\fB\-v\fR, \fB\-\-version\fR" 4
+.IX Item "-v, --version"
 Version information. Display a version summary on \fIstdout\fR.
 .SH "EXAMPLE"
 .IX Header "EXAMPLE"
 \&\fI.xsession\fR:
 .PP
-.Vb 5
+.Vb 2
 \& eval `ssh-keyman -q -s -e`
-\& ssh-keyman -q -a </dev/null \e
-\&     ~/.ssh/id_rsa_1 \e
-\&     ~/.ssh/id_rsa_2 \e
-\&     ~/.ssh/id_rsa_3
+\& ssh-keyman -q -a </dev/null ~/.ssh/id_rsa ~/.ssh/id_dsa
 .Ve
+.PP
 \&\fI.bash_login\fR:
 .PP
 .Vb 1
@@ -231,17 +224,17 @@ Version information. Display a version summary on \fIstdout\fR.
 .Ve
 .SH "FILES"
 .IX Header "FILES"
-.Ip "\fB$HOME/.ssh/agent\fR" 4
+.IP "\fB$HOME/.ssh/agent\fR" 4
 .IX Item "$HOME/.ssh/agent"
 The generated shell script for attaching the current shell
-session (and all of its sub-processes) to the \fBssh-agent\fR process.
+session (and all of its sub\-processes) to the \fBssh-agent\fR process.
 At any time this can be directly sourced from within the shell session
 or indirectly through the \fBssh-keyman\fR \fB\-e\fR option.
 This file is used if the cluster option \fB\-c\fR is not used.
-.Ip "\fB$HOME/.ssh/agent-\fR\fIhostname\fR" 4
+.IP "\fB$HOME/.ssh/agent\-\fR\fIhostname\fR" 4
 .IX Item "$HOME/.ssh/agent-hostname"
 The generated shell script for attaching the current shell
-session (and all of its sub-processes) to the \fBssh-agent\fR process.
+session (and all of its sub\-processes) to the \fBssh-agent\fR process.
 At any time this can be directly sourced from within the shell session
 or indirectly through the \fBssh-keyman\fR \fB\-e\fR option.
 This file is used if the cluster option \fB\-c\fR is used.

+ 1 - 4
openssh/ssh-keyman.pod

@@ -127,10 +127,7 @@ Version information. Display a version summary on F<stdout>.
 F<.xsession>:
 
  eval `ssh-keyman -q -s -e`
- ssh-keyman -q -a </dev/null \
-     ~/.ssh/id_rsa_1 \
-     ~/.ssh/id_rsa_2 \
-     ~/.ssh/id_rsa_3
+ ssh-keyman -q -a </dev/null ~/.ssh/id_rsa ~/.ssh/id_dsa
 
 F<.bash_login>:
  

+ 33 - 32
openssh/ssh_config

@@ -3,39 +3,40 @@
 ##
 
 Host localhost
-    Compression                     no
-    ForwardX11                      yes
-    KeepAlive                       yes
+    Compression                        no
+    ForwardX11                         yes
+    KeepAlive                          yes
 
 #   Global Default Settings
-#   (keep this section last here, because
-#   the rule is "first matching is used")
+#   (keep this host section last here, because the
+#   rule is "first matching host section is used")
 Host *
-    BatchMode                       no
-    CheckHostIP                     yes
-    Protocol                        1,2
-    HostKeyAlgorithms               ssh-rsa,ssh-dss
-    PreferredAuthentications        hostbased,publickey,keyboard-interactive,password
-    Cipher                          3des
-    Ciphers                         aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
-    MACs                            hmac-sha1,hmac-md5,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
-    Compression                     yes
-    CompressionLevel                4
-    ConnectionAttempts              2
-    PubkeyAuthentication            yes
-    DSAAuthentication               yes
-    RSAAuthentication               yes
-    ChallengeResponseAuthentication yes
-    PasswordAuthentication          yes
-    NumberOfPasswordPrompts         2
-    RhostsAuthentication            no
-    RhostsRSAAuthentication         no
-    StrictHostKeyChecking           no
-    UsePrivilegedPort               no
-    EscapeChar                      ~
-    ForwardAgent                    yes
-    ForwardX11                      no
-    GatewayPorts                    no
-    KeepAlive                       no
-    LogLevel                        INFO
+    BatchMode                          no
+    CheckHostIP                        yes
+    Protocol                           2,1
+    HostKeyAlgorithms                  ssh-rsa,ssh-dss
+    PreferredAuthentications           hostbased,publickey,keyboard-interactive,password
+    Cipher                             3des
+    Ciphers                            aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
+    MACs                               hmac-sha1,hmac-md5,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
+    Compression                        yes
+    CompressionLevel                   4
+    ConnectionAttempts                 2
+    PubkeyAuthentication               yes
+    DSAAuthentication                  yes
+    RSAAuthentication                  yes
+    ChallengeResponseAuthentication    yes
+    PasswordAuthentication             yes
+    NumberOfPasswordPrompts            2
+    NoHostAuthenticationForLocalhost   yes
+    HostbasedAuthentication            no
+    RhostsRSAAuthentication            no
+    StrictHostKeyChecking              no
+    UsePrivilegedPort                  no
+    EscapeChar                         ~
+    ForwardAgent                       yes
+    ForwardX11                         no
+    GatewayPorts                       no
+    KeepAlive                          no
+    LogLevel                           INFO
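Review bot: `ForwardAgent yes` in the rewritten `Host *` block makes the local key agent available to every server the client connects to, and with `StrictHostKeyChecking no` in the same block the first connection to an unknown host is accepted without confirmation, so a substituted host key on first contact goes unnoticed. Both lines are carried over unchanged by this commit. Defaulting to `ForwardAgent no` and `StrictHostKeyChecking ask` here and enabling agent forwarding only in a per-host section such as `Host localhost` would keep the convenience where it is wanted. `Protocol 2,1` still permits a fallback to protocol 1 when a server offers only that; a comment stating this is intentional (or `Protocol 2` if it is not) would help the next reader. `PreferredAuthentications` lists `hostbased` first while `HostbasedAuthentication no` disables it — harmless, but confusing.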
 

+ 8 - 4
openssh/sshd_config

@@ -9,33 +9,37 @@ Subsystem                sftp @l_prefix@/libexec/openssh/sftp-server
 
 Protocol                 2,1
 HostKey                  @l_prefix@/etc/openssh/ssh_host_key
+HostKey                  @l_prefix@/etc/openssh/ssh_host_rsa_key
 HostKey                  @l_prefix@/etc/openssh/ssh_host_dsa_key
 ServerKeyBits            768
-KeyRegenerationInterval  3600
+KeyRegenerationInterval  1h
 
-PidFile                  @l_prefix@/var/openssh/sshd.pid
+PidFile                  @l_prefix@/var/openssh/openssh.pid
 SyslogFacility           AUTH
 LogLevel                 INFO
 
 PubkeyAuthentication     yes
 RSAAuthentication        yes
 PasswordAuthentication   yes
-RhostsAuthentication     no
+HostbasedAuthentication  no
 RhostsRSAAuthentication  no
 
 StrictModes              yes
 IgnoreRhosts             yes
 KeepAlive                yes
 GatewayPorts             no
+AllowTcpForwarding       yes
 X11Forwarding            @l_x11forwarding@
 Compression              yes
 
 UsePrivilegeSeparation   no
-LoginGraceTime           600
+LoginGraceTime           2m
 MaxStartups              10:30:60
 PermitRootLogin          no
 PermitEmptyPasswords     no
 UseLogin                 no
+UseDNS                   yes
 PrintMotd                yes
+PrintLastLog             yes
 PermitUserEnvironment    yes
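Review bot: `UsePrivilegeSeparation no` and `PermitUserEnvironment yes`, both context lines near the end of the hunk, are the two most security-relevant settings in this file and the commit leaves them as they are; the first keeps the pre-authentication network path inside the root sshd process, and the second lets `~/.ssh/environment` and authorized_keys `environment=` options set variables for the login session, which sshd_config(5) itself warns can bypass restrictions placed on a key. If either is deliberate (privilege separation portability on some OpenPKG platforms, for example), a one-line comment above it saying why would stop a later cleanup from "fixing" it; otherwise `UsePrivilegeSeparation yes` and `PermitUserEnvironment no` are the safer values. The added `HostKey ... ssh_host_rsa_key` line matches the RSA key generated in the spec's `%post`, which closes a gap: before this change a protocol-2 client could only be offered the DSA host key. `AllowTcpForwarding yes` and `UseDNS yes` restate the defaults, so a short comment marking them as explicit policy would make the intent clear.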