diff options
author | bdrewery <bdrewery@FreeBSD.org> | 2013-05-18 03:47:35 +0800 |
---|---|---|
committer | bdrewery <bdrewery@FreeBSD.org> | 2013-05-18 03:47:35 +0800 |
commit | a669ac8951511cf30b0de9f58c5fdca2a12c492a (patch) | |
tree | 7373f8f1143ea52d37890bda37f8aa4ace292847 | |
parent | 12085e2b635ccc55468b76aca5ffb0aff89fae72 (diff) | |
download | freebsd-ports-gnome-a669ac8951511cf30b0de9f58c5fdca2a12c492a.tar.gz freebsd-ports-gnome-a669ac8951511cf30b0de9f58c5fdca2a12c492a.tar.zst freebsd-ports-gnome-a669ac8951511cf30b0de9f58c5fdca2a12c492a.zip |
- Update to 6.2p2
- The LPK patch has been updated but is obsolete, deprecated and
untested. It has been replaced by AuthorizedKeysCommand
- The upstream HPN's last update was for 6.1 and is mostly
abandoned. The patch has had bugs since 5.9. I have reworked
it and split into into HPN and AES_THREADED options. The
debugging/logging part of the patch is incomplete. I may
change the patch to more closely match our base version
eventually.
- The KERB_GSSAPI option has been removed as the patch has not
been updated by upstream since 5.7
- sshd VersionAddendum is currently not working as intended;
it will be fixed later to allow removing the port/pkg version.
- Update our patchset to match latest base version
- Bring in ssh-agent -x support from base
- I incrementally updated the port from 5.8 up to 6.2p2 along
with patches. You can find all of the versions at
https://github.com/bdrewery/openssh
Changes:
http://www.openssh.com/txt/release-5.9
http://www.openssh.org/txt/release-6.0
http://www.openssh.org/txt/release-6.1
http://www.openssh.org/txt/release-6.2
http://www.openssh.org/txt/release-6.2p2
-rw-r--r-- | security/openssh-portable/Makefile | 48 | ||||
-rw-r--r-- | security/openssh-portable/distinfo | 20 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-hpn-window-size | 24 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-sshd-utmp-size | 36 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-auth1.c | 68 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-auth2.c | 63 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-loginrec.c | 28 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-readconf.c | 42 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-servconf.c | 31 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-session.c | 56 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-ssh-agent.1 | 27 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-ssh-agent.c | 94 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-sshd.c | 6 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-sshd_config | 47 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-sshd_config.5 | 40 |
15 files changed, 369 insertions, 261 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index dcef21ca3821..46dd3bfb9521 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -2,8 +2,7 @@ # $FreeBSD$ PORTNAME= openssh -DISTVERSION= 5.8p2 -PORTREVISION= 5 +DISTVERSION= 6.2p2 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= ${MASTER_SITE_OPENBSD} @@ -20,9 +19,9 @@ MAN8= sftp-server.8 sshd.8 ssh-keysign.8 ssh-pkcs11-helper.8 CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.* -# XXX: ports/52706 will allow using DEFAULT,x509,gsskex here. +# XXX: ports/52706 will allow using DEFAULT,x509 here. PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/ \ - http://mirror.shatow.net/freebsd/${PORTNAME}/:x509,gsskex + http://mirror.shatow.net/freebsd/${PORTNAME}/:x509 USE_PERL5_BUILD= yes USE_AUTOTOOLS= autoconf autoheader @@ -40,22 +39,22 @@ SUDO?= # empty MAKE_ENV+= SUDO="${SUDO}" OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \ - KERB_GSSAPI HPN LPK X509 \ - OVERWRITE_BASE SCTP -OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS + HPN LPK X509 \ + OVERWRITE_BASE SCTP AES_THREADED +OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN OPTIONS_RADIO= KERBEROS OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE TCP_WRAPPERS_DESC= Enable tcp_wrappers support BSM_DESC= Enable OpenBSM Auditing -KERB_GSSAPI_DESC= Enable Kerberos/GSSAPI patch (req: GSSAPI) HPN_DESC= Enable HPN-SSH patch -LPK_DESC= Enable LDAP Public Key (LPK) patch +LPK_DESC= Enable LDAP Public Key (LPK) [OBSOLETE] X509_DESC= Enable x509 certificate patch SCTP_DESC= Enable SCTP support OVERWRITE_BASE_DESC= OpenSSH overwrite base HEIMDAL_DESC= Heimdal Kerberos (security/heimdal) HEIMDAL_BASE_DESC= Heimdal Kerberos (base) MIT_DESC= MIT Kerberos (security/krb5) +AES_THREADED_DESC= Threaded AES-CTR [HPN/Experimental] .include <bsd.port.pre.mk> @@ -63,8 +62,11 @@ MIT_DESC= MIT Kerberos (security/krb5) CONFIGURE_LIBS+= -lutil .endif +# 900007 is when utmp(5) was removed and utmpx(3) added .if ${OSVERSION} >= 900007 CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog +.else +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-sshd-utmp-size .endif .if ${PORT_OPTIONS:MX509} @@ -72,8 +74,8 @@ CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog BROKEN= X509 patch and HPN patch do not apply cleanly together . endif -. if ${PORT_OPTIONS:MKERB_GSSAPI} -BROKEN= X509 patch incompatible with KERB_GSSAPI patch +. if ${PORT_OPTIONS:MAES_THREADED} +BROKEN= X509 patch and AES_THREADED patch do not apply cleanly together . endif . if ${PORT_OPTIONS:MSCTP} @@ -118,11 +120,6 @@ IGNORE= You have selected HEIMDAL_BASE but do not have heimdal installed in bas CONFIGURE_LIBS+= -lgssapi_krb5 . endif . endif -.if ${PORT_OPTIONS:MKERB_GSSAPI} -PATCH_SITES+= http://www.sxw.org.uk/computing/patches/:gsskex -PATCHFILES+= openssh-5.7p1-gsskex-all-20110125.patch:gsskex -PATCH_DIST_STRIP= -.endif .if ${OPENSSLBASE} == "/usr" CONFIGURE_ARGS+= --without-rpath LDFLAGS= # empty @@ -135,15 +132,25 @@ CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE} # http://www.psc.edu/index.php/hpn-ssh .if ${PORT_OPTIONS:MHPN} -PATCHFILES+= ${PORTNAME}-5.8p1-hpn13v11.diff.gz +HPN_VERSION= 13v14 +PATCHFILES+= ${PORTNAME}-6.2p1-hpn${HPN_VERSION}.diff.gz +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-window-size +PATCH_DIST_STRIP= +.endif + +# http://www.psc.edu/index.php/hpn-ssh +.if ${PORT_OPTIONS:MAES_THREADED} +AES_THREADED_VERSION= v14 +PATCHFILES+= ${PORTNAME}-6.2p1-CTR-threaded-${AES_THREADED_VERSION}.diff.gz PATCH_DIST_STRIP= .endif # See http://code.google.com/p/openssh-lpk/wiki/Main # and svn repo described here: # http://code.google.com/p/openssh-lpk/source/checkout +# LPK is now OBSOLETE with 6.2: https://code.google.com/p/openssh-lpk/issues/detail?id=15#c1 .if ${PORT_OPTIONS:MLPK} -PATCHFILES+= ${PORTNAME}-lpk-5.8p2.patch.gz +PATCHFILES+= ${PORTNAME}-lpk-6.2p1.patch.gz USE_OPENLDAP= yes CPPFLAGS+= -I${LOCALBASE}/include CONFIGURE_ARGS+= --with-ldap=yes \ @@ -154,8 +161,9 @@ CONFIGURE_LIBS+= -lldap # See http://www.roumenpetrov.info/openssh/ .if ${PORT_OPTIONS:MX509} -PATCH_SITES+= http://www.roumenpetrov.info/openssh/x509-7.0/:x509 -PATCHFILES+= ${PORTNAME}-5.8p1+x509-7.0.diff.gz:x509 +X509_VERSION= 7.4.1 +PATCH_SITES+= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509 +PATCHFILES+= ${PORTNAME}-6.2p1+x509-${X509_VERSION}.diff.gz:x509 PATCH_DIST_STRIP= -p1 PLIST_SUB+= X509="" MAN5+= ssh_engine.5 diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo index d8e67f738b72..0ad77f8e1f23 100644 --- a/security/openssh-portable/distinfo +++ b/security/openssh-portable/distinfo @@ -1,12 +1,12 @@ -SHA256 (openssh-5.8p2.tar.gz) = 5c35ec7c966ce05cc4497ac59c0b54a556e55ae7368165cc8c4129694654f314 -SIZE (openssh-5.8p2.tar.gz) = 1115475 -SHA256 (openssh-5.8p1-hpn13v11.diff.gz) = 62b500d29d8889ce76c8b596eb65731d8ac3469d89d9c6eb29fec2a845159df7 -SIZE (openssh-5.8p1-hpn13v11.diff.gz) = 22993 -SHA256 (openssh-5.8p1+x509-7.0.diff.gz) = 3b578cbf69f25e630e8da52b6586a36c62c0c7ce026f95acda91c023dc47c85b -SIZE (openssh-5.8p1+x509-7.0.diff.gz) = 184277 -SHA256 (openssh-5.7p1-gsskex-all-20110125.patch) = bfdc72c3d7d5d4f9f8a78b649988dff8fad780cfa72bad4a69eb94c54de9a359 -SIZE (openssh-5.7p1-gsskex-all-20110125.patch) = 91889 -SHA256 (openssh-lpk-5.8p2.patch.gz) = 718221d13a09fdf5be857cc4b349e61698c42ae47bd357bd5c83f331d490c6c7 -SIZE (openssh-lpk-5.8p2.patch.gz) = 17822 +SHA256 (openssh-6.2p2.tar.gz) = 7f29b9d2ad672ae0f9e1dcbff871fc5c2e60a194e90c766432e32161b842313b +SIZE (openssh-6.2p2.tar.gz) = 1182922 +SHA256 (openssh-6.2p1-hpn13v14.diff.gz) = 586d1c74aa4c79b9c11b206eebb316c9a9d68a7a4031b5b3b2139f464f2dc03b +SIZE (openssh-6.2p1-hpn13v14.diff.gz) = 13984 +SHA256 (openssh-6.2p1-CTR-threaded-v14.diff.gz) = 4d2fefd8a415c76d761ffe3a8fda7dfbbd62a118bc1e8799483e9bb8e575a2a9 +SIZE (openssh-6.2p1-CTR-threaded-v14.diff.gz) = 4908 +SHA256 (openssh-6.2p1+x509-7.4.1.diff.gz) = cdfa0ac38184062de7e0af36eeda7713095fbcffffb598d785047f6f47e48eae +SIZE (openssh-6.2p1+x509-7.4.1.diff.gz) = 215496 +SHA256 (openssh-lpk-6.2p1.patch.gz) = 96c7a5435f3fd7d83875ee06c4a3c83ee6172c7d9de31b9ffdeb18118f285a24 +SIZE (openssh-lpk-6.2p1.patch.gz) = 17881 SHA256 (openssh-sctp-2163.patch.gz) = 86ac3a59119c9c26193334d8ba7c3be9f143209080e4f8a2a00577c24c0c9e03 SIZE (openssh-sctp-2163.patch.gz) = 6764 diff --git a/security/openssh-portable/files/extra-patch-hpn-window-size b/security/openssh-portable/files/extra-patch-hpn-window-size new file mode 100644 index 000000000000..76f50a43eccb --- /dev/null +++ b/security/openssh-portable/files/extra-patch-hpn-window-size @@ -0,0 +1,24 @@ +r223213 | brooks | 2011-06-17 17:01:10 -0500 (Fri, 17 Jun 2011) | 3 lines +Changed paths: + M /user/brooks/openssh-hpn/channels.h + +It looks like the HPN patch didn't track the window size bump in OpenBSD +rev 1.89 back in 2007. Chase the updates to reduce diffs to head + +Index: channels.h +=================================================================== +--- channels.h (revision 223212) ++++ channels.h (revision 223213) +@@ -163,10 +163,10 @@ + + /* default window/packet sizes for tcp/x11-fwd-channel */ + #define CHAN_SES_PACKET_DEFAULT (32*1024) +-#define CHAN_SES_WINDOW_DEFAULT (4*CHAN_SES_PACKET_DEFAULT) ++#define CHAN_SES_WINDOW_DEFAULT (64*CHAN_SES_PACKET_DEFAULT) + + #define CHAN_TCP_PACKET_DEFAULT (32*1024) +-#define CHAN_TCP_WINDOW_DEFAULT (4*CHAN_TCP_PACKET_DEFAULT) ++#define CHAN_TCP_WINDOW_DEFAULT (64*CHAN_TCP_PACKET_DEFAULT) + + #define CHAN_X11_PACKET_DEFAULT (16*1024) + #define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT) diff --git a/security/openssh-portable/files/extra-patch-sshd-utmp-size b/security/openssh-portable/files/extra-patch-sshd-utmp-size new file mode 100644 index 000000000000..d72985ff7768 --- /dev/null +++ b/security/openssh-portable/files/extra-patch-sshd-utmp-size @@ -0,0 +1,36 @@ +r184122 | des | 2008-10-21 06:58:26 -0500 (Tue, 21 Oct 2008) | 11 lines +Changed paths: + M /head/crypto/openssh/loginrec.c + M /head/crypto/openssh/sshd.c + +At some point, construct_utmp() was changed to use realhostname() to fill +in the struct utmp due to concerns about the length of the hostname buffer. +However, this breaks the UseDNS option. There is a simpler and better +solution: initialize utmp_len to the correct value (UT_HOSTSIZE instead of +MAXHOSTNAMELEN) and let get_remote_name_or_ip() worry about the size of the +buffer. + +PR: bin/97499 +Submitted by: Bruce Cran <bruce@cran.org.uk> + +Index: sshd.c +=================================================================== +--- sshd.c (revision 184121) ++++ sshd.c (revision 184122) +@@ -72,6 +72,7 @@ + #include <stdlib.h> + #include <string.h> + #include <unistd.h> ++#include <utmp.h> + + #include <openssl/dh.h> + #include <openssl/bn.h> +@@ -238,7 +239,7 @@ + u_int session_id2_len = 0; + + /* record remote hostname or ip */ +-u_int utmp_len = MAXHOSTNAMELEN; ++u_int utmp_len = UT_HOSTSIZE; + + /* options.max_startup sized array of fd ints */ + int *startup_pipes = NULL; diff --git a/security/openssh-portable/files/patch-auth1.c b/security/openssh-portable/files/patch-auth1.c deleted file mode 100644 index 2b98f7f5b2e0..000000000000 --- a/security/openssh-portable/files/patch-auth1.c +++ /dev/null @@ -1,68 +0,0 @@ -r56266 | dinoex | 2002-03-17 14:24:24 -0600 (Sun, 17 Mar 2002) | 4 lines -Changed paths: - M /head/security/hpn-ssh/Makefile - M /head/security/hpn-ssh/files/patch-auth.c - A /head/security/hpn-ssh/files/patch-auth1.c - A /head/security/hpn-ssh/files/patch-auth2.c - M /head/security/hpn-ssh/files/patch-session.c - M /head/security/openssh-portable/Makefile - M /head/security/openssh-portable/files/patch-auth.c - A /head/security/openssh-portable/files/patch-auth1.c - A /head/security/openssh-portable/files/patch-auth2.c - M /head/security/openssh-portable/files/patch-session.c - -Merged patches for HAVE_LOGIN_CAP from stable - -PR: 35904 - ---- auth1.c.orig 2010-06-25 18:01:33.000000000 -0600 -+++ auth1.c 2010-09-14 16:14:12.000000000 -0600 -@@ -40,6 +40,7 @@ - #endif - #include "monitor_wrap.h" - #include "buffer.h" -+#include "canohost.h" - - /* import */ - extern ServerOptions options; -@@ -239,6 +240,13 @@ - char info[1024]; - int prev = 0, type = 0; - const struct AuthMethod1 *meth; -+#ifdef HAVE_LOGIN_CAP -+ login_cap_t *lc; -+ const char *from_host, *from_ip; -+ -+ from_host = get_canonical_hostname(options.use_dns); -+ from_ip = get_remote_ipaddr(); -+#endif - - debug("Attempting authentication for %s%.100s.", - authctxt->valid ? "" : "invalid user ", authctxt->user); -@@ -292,6 +300,26 @@ - goto skip; - } - -+#ifdef HAVE_LOGIN_CAP -+ if (authctxt->pw != NULL) { -+ lc = login_getpwclass(authctxt->pw); -+ if (lc == NULL) -+ lc = login_getclassbyname(NULL, authctxt->pw); -+ if (!auth_hostok(lc, from_host, from_ip)) { -+ logit("Denied connection for %.200s from %.200s [%.200s].", -+ authctxt->pw->pw_name, from_host, from_ip); -+ packet_disconnect("Sorry, you are not allowed to connect."); -+ } -+ if (!auth_timeok(lc, time(NULL))) { -+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", -+ authctxt->pw->pw_name, from_host); -+ packet_disconnect("Logins not available right now."); -+ } -+ login_close(lc); -+ lc = NULL; -+ } -+#endif /* HAVE_LOGIN_CAP */ -+ - if (!*(meth->enabled)) { - verbose("%s authentication disabled.", meth->name); - goto skip; diff --git a/security/openssh-portable/files/patch-auth2.c b/security/openssh-portable/files/patch-auth2.c index 0c5730a733c6..f94918e9477a 100644 --- a/security/openssh-portable/files/patch-auth2.c +++ b/security/openssh-portable/files/patch-auth2.c @@ -1,31 +1,12 @@ -r56266 | dinoex | 2002-03-17 14:24:24 -0600 (Sun, 17 Mar 2002) | 4 lines +r99053 | des | 2002-06-29 05:57:13 -0500 (Sat, 29 Jun 2002) | 4 lines Changed paths: - M /head/security/hpn-ssh/Makefile - M /head/security/hpn-ssh/files/patch-auth.c - A /head/security/hpn-ssh/files/patch-auth1.c - A /head/security/hpn-ssh/files/patch-auth2.c - M /head/security/hpn-ssh/files/patch-session.c - M /head/security/openssh-portable/Makefile - M /head/security/openssh-portable/files/patch-auth.c - A /head/security/openssh-portable/files/patch-auth1.c - A /head/security/openssh-portable/files/patch-auth2.c - M /head/security/openssh-portable/files/patch-session.c + M /head/crypto/openssh/auth2.c -Merged patches for HAVE_LOGIN_CAP from stable - -PR: 35904 +Apply class-imposed login restrictions. --- auth2.c.orig 2009-06-22 00:11:07.000000000 -0600 +++ auth2.c 2010-09-14 16:14:12.000000000 -0600 -@@ -46,6 +46,7 @@ - #include "key.h" - #include "hostfile.h" - #include "auth.h" -+#include "canohost.h" - #include "dispatch.h" - #include "pathnames.h" - #include "buffer.h" -@@ -217,6 +218,13 @@ +@@ -222,6 +221,13 @@ Authmethod *m = NULL; char *user, *service, *method, *style = NULL; int authenticated = 0; @@ -39,29 +20,29 @@ PR: 35904 if (authctxt == NULL) fatal("input_userauth_request: no authctxt"); -@@ -261,6 +269,27 @@ +@@ -274,6 +274,27 @@ "(%s,%s) -> (%s,%s)", authctxt->user, authctxt->service, user, service); } + +#ifdef HAVE_LOGIN_CAP -+ if (authctxt->pw != NULL) { -+ lc = login_getpwclass(authctxt->pw); -+ if (lc == NULL) -+ lc = login_getclassbyname(NULL, authctxt->pw); -+ if (!auth_hostok(lc, from_host, from_ip)) { -+ logit("Denied connection for %.200s from %.200s [%.200s].", -+ authctxt->pw->pw_name, from_host, from_ip); -+ packet_disconnect("Sorry, you are not allowed to connect."); -+ } -+ if (!auth_timeok(lc, time(NULL))) { -+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", -+ authctxt->pw->pw_name, from_host); -+ packet_disconnect("Logins not available right now."); -+ } -+ login_close(lc); -+ lc = NULL; -+ } ++ if (authctxt->pw != NULL) { ++ lc = login_getpwclass(authctxt->pw); ++ if (lc == NULL) ++ lc = login_getclassbyname(NULL, authctxt->pw); ++ if (!auth_hostok(lc, from_host, from_ip)) { ++ logit("Denied connection for %.200s from %.200s [%.200s].", ++ authctxt->pw->pw_name, from_host, from_ip); ++ packet_disconnect("Sorry, you are not allowed to connect."); ++ } ++ if (!auth_timeok(lc, time(NULL))) { ++ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", ++ authctxt->pw->pw_name, from_host); ++ packet_disconnect("Logins not available right now."); ++ } ++ login_close(lc); ++ lc = NULL; ++ } +#endif /* HAVE_LOGIN_CAP */ + /* reset state */ diff --git a/security/openssh-portable/files/patch-loginrec.c b/security/openssh-portable/files/patch-loginrec.c deleted file mode 100644 index 8e2e847a2252..000000000000 --- a/security/openssh-portable/files/patch-loginrec.c +++ /dev/null @@ -1,28 +0,0 @@ -r63028 | dinoex | 2002-07-15 15:08:01 -0500 (Mon, 15 Jul 2002) | 6 lines - -- Fix Problem with HAVE_HOST_IN_UTMP -- update monitor.c - -PR: 40576 -Submitted by: lxv@a-send-pr.sink.omut.org - -r99768 | des | 2002-07-11 05:36:10 -0500 (Thu, 11 Jul 2002) | 6 lines - -Use realhostname_sa(3) so the IP address will be used instead of the -hostname if the latter is too long for utmp. - -Submitted by: ru - ---- loginrec.c.orig 2013-04-14 08:28:40.482762815 -0500 -+++ loginrec.c 2013-04-14 08:29:03.723757797 -0500 -@@ -694,8 +694,8 @@ - strncpy(ut->ut_name, li->username, - MIN_SIZEOF(ut->ut_name, li->username)); - # ifdef HAVE_HOST_IN_UTMP -- strncpy(ut->ut_host, li->hostname, -- MIN_SIZEOF(ut->ut_host, li->hostname)); -+ realhostname_sa(ut->ut_host, sizeof ut->ut_host, -+ &li->hostaddr.sa, li->hostaddr.sa.sa_len); - # endif - # ifdef HAVE_ADDR_IN_UTMP - /* this is just a 32-bit IP address */ diff --git a/security/openssh-portable/files/patch-readconf.c b/security/openssh-portable/files/patch-readconf.c index 9e76a49f5990..6cb81723314c 100644 --- a/security/openssh-portable/files/patch-readconf.c +++ b/security/openssh-portable/files/patch-readconf.c @@ -6,6 +6,17 @@ Changed paths: Apply FreeBSD's configuration defaults. +------------------------------------------------------------------------ +r181918 | des | 2008-08-20 05:40:07 -0500 (Wed, 20 Aug 2008) | 6 lines +Changed paths: + M /head/crypto/openssh/readconf.c + +Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED. +Submitted upstream, no reaction. + +Submitted by: delphij@ + + --- readconf.c.orig 2010-08-03 00:04:46.000000000 -0600 +++ readconf.c 2010-09-14 16:14:12.000000000 -0600 @@ -1169,7 +1169,7 @@ @@ -17,3 +28,34 @@ Apply FreeBSD's configuration defaults. if (options->strict_host_key_checking == -1) options->strict_host_key_checking = 2; /* 2 is default */ if (options->compression == -1) +--- readconf.c (revision 181917) ++++ readconf.c (revision 181918) +@@ -18,6 +18,7 @@ + #include <sys/types.h> + #include <sys/stat.h> + #include <sys/socket.h> ++#include <sys/sysctl.h> + + #include <netinet/in.h> + +@@ -245,7 +246,19 @@ + Forward *fwd; + #ifndef NO_IPPORT_RESERVED_CONCEPT + extern uid_t original_real_uid; +- if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0) ++ int ipport_reserved; ++#ifdef __FreeBSD__ ++ size_t len_ipport_reserved = sizeof(ipport_reserved); ++ ++ if (sysctlbyname("net.inet.ip.portrange.reservedhigh", ++ &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0) ++ ipport_reserved = IPPORT_RESERVED; ++ else ++ ipport_reserved++; ++#else ++ ipport_reserved = IPPORT_RESERVED; ++#endif ++ if (newfwd->listen_port < ipport_reserved && original_real_uid != 0) + fatal("Privileged ports can only be forwarded by root."); + #endif + if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION) diff --git a/security/openssh-portable/files/patch-servconf.c b/security/openssh-portable/files/patch-servconf.c index f962d1ca87fc..67e45e98a1fe 100644 --- a/security/openssh-portable/files/patch-servconf.c +++ b/security/openssh-portable/files/patch-servconf.c @@ -1,15 +1,7 @@ -r99048 | des | 2002-06-29 05:51:56 -0500 (Sat, 29 Jun 2002) | 4 lines -Changed paths: - M /head/crypto/openssh/myproposal.h - M /head/crypto/openssh/readconf.c - M /head/crypto/openssh/servconf.c - -Apply FreeBSD's configuration defaults. - ---- servconf.c.orig 2010-06-25 17:38:45.000000000 -0600 -+++ servconf.c 2010-09-14 16:14:12.000000000 -0600 -@@ -139,7 +139,7 @@ - { +--- servconf.c.orig 2013-05-12 21:26:30.642630751 -0500 ++++ servconf.c 2013-05-12 21:52:43.069625377 -0500 +@@ -162,7 +162,7 @@ + /* Portable-specific options */ if (options->use_pam == -1) - options->use_pam = 0; @@ -17,7 +9,7 @@ Apply FreeBSD's configuration defaults. /* Standard Options */ if (options->protocol == SSH_PROTO_UNKNOWN) -@@ -170,7 +170,7 @@ +@@ -197,7 +197,7 @@ if (options->key_regeneration_time == -1) options->key_regeneration_time = 3600; if (options->permit_root_login == PERMIT_NOT_SET) @@ -26,7 +18,7 @@ Apply FreeBSD's configuration defaults. if (options->ignore_rhosts == -1) options->ignore_rhosts = 1; if (options->ignore_user_known_hosts == -1) -@@ -180,7 +180,7 @@ +@@ -207,7 +207,7 @@ if (options->print_lastlog == -1) options->print_lastlog = 1; if (options->x11_forwarding == -1) @@ -35,7 +27,7 @@ Apply FreeBSD's configuration defaults. if (options->x11_display_offset == -1) options->x11_display_offset = 10; if (options->x11_use_localhost == -1) -@@ -218,7 +218,11 @@ +@@ -245,7 +245,11 @@ if (options->gss_cleanup_creds == -1) options->gss_cleanup_creds = 1; if (options->password_authentication == -1) @@ -47,3 +39,12 @@ Apply FreeBSD's configuration defaults. if (options->kbd_interactive_authentication == -1) options->kbd_interactive_authentication = 0; if (options->challenge_response_authentication == -1) +@@ -335,7 +339,7 @@ + options->version_addendum = xstrdup(""); + /* Turn privilege separation on by default */ + if (use_privsep == -1) +- use_privsep = PRIVSEP_NOSANDBOX; ++ use_privsep = PRIVSEP_ON; + + #ifndef HAVE_MMAP + if (use_privsep && options->compression == 1) { diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c index df1ab8e9db9a..7a19c85c4787 100644 --- a/security/openssh-portable/files/patch-session.c +++ b/security/openssh-portable/files/patch-session.c @@ -1,23 +1,6 @@ -r56266 | dinoex | 2002-03-17 14:24:24 -0600 (Sun, 17 Mar 2002) | 4 lines -Changed paths: - M /head/security/hpn-ssh/Makefile - M /head/security/hpn-ssh/files/patch-auth.c - A /head/security/hpn-ssh/files/patch-auth1.c - A /head/security/hpn-ssh/files/patch-auth2.c - M /head/security/hpn-ssh/files/patch-session.c - M /head/security/openssh-portable/Makefile - M /head/security/openssh-portable/files/patch-auth.c - A /head/security/openssh-portable/files/patch-auth1.c - A /head/security/openssh-portable/files/patch-auth2.c - M /head/security/openssh-portable/files/patch-session.c - -Merged patches for HAVE_LOGIN_CAP from stable - -PR: 35904 - ---- session.c.orig 2011-07-21 18:55:33.883559116 +0200 -+++ session.c 2011-07-21 19:02:17.789294035 +0200 -@@ -1125,6 +1143,9 @@ +--- session.c 2013-03-14 19:22:37.000000000 -0500 ++++ session.c 2013-04-12 21:10:44.510757912 -0500 +@@ -1131,6 +1136,9 @@ struct passwd *pw = s->pw; #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) char *path = NULL; @@ -27,7 +10,7 @@ PR: 35904 #endif /* Initialize the environment. */ -@@ -1146,6 +1167,9 @@ +@@ -1152,6 +1160,9 @@ } #endif @@ -37,7 +20,7 @@ PR: 35904 #ifdef GSSAPI /* Allow any GSSAPI methods that we've used to alter * the childs environment as they see fit -@@ -1165,11 +1189,22 @@ +@@ -1171,11 +1182,22 @@ child_set_env(&env, &envsize, "LOGIN", pw->pw_name); #endif child_set_env(&env, &envsize, "HOME", pw->pw_dir); @@ -64,7 +47,7 @@ PR: 35904 #else /* HAVE_LOGIN_CAP */ # ifndef HAVE_CYGWIN /* -@@ -1190,15 +1225,9 @@ +@@ -1196,15 +1218,9 @@ # endif /* HAVE_CYGWIN */ #endif /* HAVE_LOGIN_CAP */ @@ -80,35 +63,12 @@ PR: 35904 /* Set custom environment options from RSA authentication. */ if (!options.use_login) { -@@ -1473,9 +1502,9 @@ - platform_setusercontext(pw); - +@@ -1483,7 +1499,7 @@ if (platform_privileged_uidswap()) { #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid, - (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { -+ (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER|LOGIN_SETENV))) < 0) { ++ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { perror("unable to set user context"); exit(1); } -@@ -1700,6 +1729,10 @@ - */ - environ = env; - -+#ifdef HAVE_LOGIN_CAP -+ r = login_getcapbool(lc, "requirehome", 0); -+ login_close(lc); -+#endif - #if defined(KRB5) && defined(USE_AFS) - /* - * At this point, we check to see if AFS is active and if we have -@@ -1729,9 +1762,6 @@ - /* Change current directory to the user's home directory. */ - if (chdir(pw->pw_dir) < 0) { - /* Suppress missing homedir warning for chroot case */ --#ifdef HAVE_LOGIN_CAP -- r = login_getcapbool(lc, "requirehome", 0); --#endif - if (r || options.chroot_directory == NULL || - strcasecmp(options.chroot_directory, "none") == 0) - fprintf(stderr, "Could not chdir to home " diff --git a/security/openssh-portable/files/patch-ssh-agent.1 b/security/openssh-portable/files/patch-ssh-agent.1 new file mode 100644 index 000000000000..7d1e2a68ddf0 --- /dev/null +++ b/security/openssh-portable/files/patch-ssh-agent.1 @@ -0,0 +1,27 @@ +r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines + +Add a -x option that causes ssh-agent(1) to exit when all clients have +disconnected. + +Index: ssh-agent.1 +=================================================================== +--- ssh-agent.1 (revision 226102) ++++ ssh-agent.1 (revision 226103) +@@ -44,7 +44,7 @@ + .Sh SYNOPSIS + .Nm ssh-agent + .Op Fl c | s +-.Op Fl d ++.Op Fl dx + .Op Fl a Ar bind_address + .Op Fl t Ar life + .Op Ar command Op Ar arg ... +@@ -103,6 +103,8 @@ + .Xr ssh-add 1 + overrides this value. + Without this option the default maximum lifetime is forever. ++.It Fl x ++Exit after the last client has disconnected. + .El + .Pp + If a commandline is given, this is executed as a subprocess of the agent. diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c index 21a83d64beee..38abeaf70fbb 100644 --- a/security/openssh-portable/files/patch-ssh-agent.c +++ b/security/openssh-portable/files/patch-ssh-agent.c @@ -2,9 +2,68 @@ r110506 | des | 2003-02-07 09:48:27 -0600 (Fri, 07 Feb 2003) | 4 lines Set the ruid to the euid at startup as a workaround for a bug in pam_ssh. ---- ssh-agent.c.orig 2010-04-15 23:56:22.000000000 -0600 -+++ ssh-agent.c 2010-09-14 16:14:13.000000000 -0600 -@@ -1086,6 +1086,7 @@ +r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines + +Add a -x option that causes ssh-agent(1) to exit when all clients have +disconnected. + +--- ssh-agent.c.orig 2011-06-02 23:14:16.000000000 -0500 ++++ ssh-agent.c 2013-05-09 15:59:14.044627857 -0500 +@@ -137,15 +137,34 @@ + /* Default lifetime (0 == forever) */ + static int lifetime = 0; + ++/* ++ * Client connection count; incremented in new_socket() and decremented in ++ * close_socket(). When it reaches 0, ssh-agent will exit. Since it is ++ * normally initialized to 1, it will never reach 0. However, if the -x ++ * option is specified, it is initialized to 0 in main(); in that case, ++ * ssh-agent will exit as soon as it has had at least one client but no ++ * longer has any. ++ */ ++static int xcount = 1; ++ + static void + close_socket(SocketEntry *e) + { ++ int last = 0; ++ ++ if (e->type == AUTH_CONNECTION) { ++ debug("xcount %d -> %d", xcount, xcount - 1); ++ if (--xcount == 0) ++ last = 1; ++ } + close(e->fd); + e->fd = -1; + e->type = AUTH_UNUSED; + buffer_free(&e->input); + buffer_free(&e->output); + buffer_free(&e->request); ++ if (last) ++ cleanup_exit(0); + } + + static void +@@ -900,6 +919,10 @@ + { + u_int i, old_alloc, new_alloc; + ++ if (type == AUTH_CONNECTION) { ++ debug("xcount %d -> %d", xcount, xcount + 1); ++ ++xcount; ++ } + set_nonblock(fd); + + if (fd > max_fd) +@@ -1120,6 +1143,7 @@ + fprintf(stderr, " -d Debug mode.\n"); + fprintf(stderr, " -a socket Bind agent socket to given name.\n"); + fprintf(stderr, " -t life Default identity lifetime (seconds).\n"); ++ fprintf(stderr, " -x Exit when the last client disconnects.\n"); + exit(1); + } + +@@ -1149,6 +1173,7 @@ /* drop */ setegid(getgid()); setgid(getgid()); @@ -12,3 +71,32 @@ Set the ruid to the euid at startup as a workaround for a bug in pam_ssh. #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) /* Disable ptrace on Linux without sgid bit */ +@@ -1160,7 +1185,7 @@ + __progname = ssh_get_progname(av[0]); + seed_rng(); + +- while ((ch = getopt(ac, av, "cdksa:t:")) != -1) { ++ while ((ch = getopt(ac, av, "cdksa:t:x")) != -1) { + switch (ch) { + case 'c': + if (s_flag) +@@ -1189,6 +1214,9 @@ + usage(); + } + break; ++ case 'x': ++ xcount = 0; ++ break; + default: + usage(); + } +@@ -1348,8 +1376,7 @@ + if (ac > 0) + parent_alive_interval = 10; + idtab_init(); +- if (!d_flag) +- signal(SIGINT, SIG_IGN); ++ signal(SIGINT, d_flag ? cleanup_handler : SIG_IGN); + signal(SIGPIPE, SIG_IGN); + signal(SIGHUP, cleanup_handler); + signal(SIGTERM, cleanup_handler); diff --git a/security/openssh-portable/files/patch-sshd.c b/security/openssh-portable/files/patch-sshd.c index 17c74f2b06dc..422d49a735b1 100644 --- a/security/openssh-portable/files/patch-sshd.c +++ b/security/openssh-portable/files/patch-sshd.c @@ -74,11 +74,11 @@ connections, do not protect connection handlers spawned from inetd. +#ifdef __FreeBSD__ + /* + * Initialize the resolver. This may not happen automatically -+ * before privsep chroot(). ++ * before privsep chroot(). + */ + if ((_res.options & RES_INIT) == 0) { -+ debug("res_init()"); -+ res_init(); ++ debug("res_init()"); ++ res_init(); + } +#ifdef GSSAPI + /* diff --git a/security/openssh-portable/files/patch-sshd_config b/security/openssh-portable/files/patch-sshd_config index 8802619fbcfb..4727afd69d26 100644 --- a/security/openssh-portable/files/patch-sshd_config +++ b/security/openssh-portable/files/patch-sshd_config @@ -1,13 +1,16 @@ -r99051 | des | 2002-06-29 05:55:18 -0500 (Sat, 29 Jun 2002) | 4 lines -Changed paths: - M /head/crypto/openssh/ssh_config - M /head/crypto/openssh/sshd_config - -Document FreeBSD defaults. - ---- sshd_config.orig 2009-10-11 04:51:09.000000000 -0600 -+++ sshd_config 2010-09-14 16:14:13.000000000 -0600 -@@ -36,7 +36,7 @@ +--- sshd_config.orig 2013-02-11 18:02:09.000000000 -0600 ++++ sshd_config 2013-05-13 06:46:45.153627197 -0500 +@@ -10,6 +10,9 @@ + # possible, but leave them commented. Uncommented options override the + # default value. + ++# Note that some of FreeBSD's defaults differ from OpenBSD's, and ++# FreeBSD has a few additional options. ++ + #Port 22 + #AddressFamily any + #ListenAddress 0.0.0.0 +@@ -37,7 +40,7 @@ # Authentication: #LoginGraceTime 2m @@ -16,7 +19,17 @@ Document FreeBSD defaults. #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 -@@ -55,11 +55,11 @@ +@@ -46,8 +49,7 @@ + #PubkeyAuthentication yes + + # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +-# but this is overridden so installations will only check .ssh/authorized_keys +-AuthorizedKeysFile .ssh/authorized_keys ++#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 + + #AuthorizedPrincipalsFile none + +@@ -64,11 +66,11 @@ # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes @@ -31,7 +44,7 @@ Document FreeBSD defaults. #ChallengeResponseAuthentication yes # Kerberos options -@@ -72,7 +72,7 @@ +@@ -81,7 +83,7 @@ #GSSAPIAuthentication no #GSSAPICleanupCredentials yes @@ -40,7 +53,7 @@ Document FreeBSD defaults. # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, -@@ -81,12 +81,12 @@ +@@ -90,19 +92,19 @@ # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. @@ -55,3 +68,11 @@ Document FreeBSD defaults. #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes + #PrintLastLog yes + #TCPKeepAlive yes + #UseLogin no +-UsePrivilegeSeparation sandbox # Default for new installations. ++#UsePrivilegeSeparation sandbox + #PermitUserEnvironment no + #Compression delayed + #ClientAliveInterval 0 diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5 index f3ab982bd0fa..3e62cb1be0bf 100644 --- a/security/openssh-portable/files/patch-sshd_config.5 +++ b/security/openssh-portable/files/patch-sshd_config.5 @@ -1,8 +1,6 @@ -Document defaults - ---- sshd_config.5.orig 2010-07-01 21:37:17.000000000 -0600 -+++ sshd_config.5 2010-08-31 05:27:27.000000000 -0600 -@@ -223,7 +223,9 @@ +--- sshd_config.5.orig 2013-02-11 18:02:09.000000000 -0600 ++++ sshd_config.5 2013-05-13 06:49:28.164628328 -0500 +@@ -277,7 +277,9 @@ .It Cm ChallengeResponseAuthentication Specifies whether challenge-response authentication is allowed (e.g. via PAM or though authentication styles supported in @@ -13,7 +11,16 @@ Document defaults The default is .Dq yes . .It Cm ChrootDirectory -@@ -714,7 +716,22 @@ +@@ -555,7 +557,7 @@ + .Pp + .Pa /etc/hosts.equiv + and +-.Pa /etc/shosts.equiv ++.Pa /etc/ssh/shosts.equiv + are still used. + The default is + .Dq yes . +@@ -841,7 +843,22 @@ .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is @@ -36,7 +43,7 @@ Document defaults .It Cm PermitEmptyPasswords When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. -@@ -757,7 +774,14 @@ +@@ -887,7 +904,14 @@ or .Dq no . The default is @@ -52,9 +59,9 @@ Document defaults .Pp If this option is set to .Dq without-password , -@@ -869,7 +893,9 @@ - Note that if this file is not readable, then public key authentication will - be refused for all users. +@@ -1006,7 +1030,9 @@ + section in + .Xr ssh-keygen 1 . .It Cm RhostsRSAAuthentication -Specifies whether rhosts or /etc/hosts.equiv authentication together +Specifies whether rhosts or @@ -63,7 +70,7 @@ Document defaults with successful RSA host authentication is allowed. The default is .Dq no . -@@ -1009,7 +1035,7 @@ +@@ -1146,7 +1172,7 @@ .Xr sshd 8 as a non-root user. The default is @@ -72,7 +79,16 @@ Document defaults .It Cm UsePrivilegeSeparation Specifies whether .Xr sshd 8 -@@ -1034,7 +1060,7 @@ +@@ -1157,7 +1183,7 @@ + The goal of privilege separation is to prevent privilege + escalation by containing any corruption within the unprivileged processes. + The default is +-.Dq yes . ++.Dq sandbox . + If + .Cm UsePrivilegeSeparation + is set to +@@ -1182,7 +1208,7 @@ or .Dq no . The default is |