authorbdrewery <bdrewery@FreeBSD.org>2013-10-13 10:20:07 +0800
committerbdrewery <bdrewery@FreeBSD.org>2013-10-13 10:20:07 +0800
commitf716de30751cc6c066dace7cec7dfb06ab852f1a (patch)
treea58db6f5a2c42380559799748c6974bace624acb /security/openssh-portable
parent247a11af00f188ef28030d7e0d178e6d823b91c5 (diff)
- Update to 6.3p1
Changelog: http://www.openssh.org/txt/release-6.3 - Use options helpers where possible - Use upstream patch mirror for x509 and HPN - Update HPN patch to v14 and use upstream version - Add option NONECIPHER to allow disabling NONE in HPN patch - Update x509 patch from 7.4.1 to 7.6 - Add support for LDNS and enable it, and VerifyHostKeyDNS/SSHFP, by default. See http://lists.freebsd.org/pipermail/freebsd-security/2013-September/007180.html, which describes this change; it is supported on releases before 10 as well via the LDNS option. - Update SCTP to patchlevel 2329 - Update recommendation on secure usage of SSH - Add pkg-message warning about the ECDSA key possibly being incorrect, due to previously being written as DSA by the rc script (fixed in r299902 in 2012)
Diffstat (limited to 'security/openssh-portable')
-rw-r--r--security/openssh-portable/Makefile177
-rw-r--r--security/openssh-portable/distinfo26
-rw-r--r--security/openssh-portable/files/extra-patch-hpn-build-options142
-rw-r--r--security/openssh-portable/files/extra-patch-hpn-no-hpn32
-rw-r--r--security/openssh-portable/files/extra-patch-ldns51
-rw-r--r--security/openssh-portable/files/patch-session.c4
-rw-r--r--security/openssh-portable/files/patch-ssh-agent.c10
-rw-r--r--security/openssh-portable/pkg-message6
-rw-r--r--security/openssh-portable/pkg-plist5
9 files changed, 338 insertions, 115 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 04d763465157..3f69f7b0b228 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -2,8 +2,7 @@
# $FreeBSD$
PORTNAME= openssh
-DISTVERSION= 6.2p2
-PORTREVISION= 5
+DISTVERSION= 6.3p1
PORTEPOCH= 1
CATEGORIES= security ipv6
MASTER_SITES= ${MASTER_SITE_OPENBSD}
@@ -33,8 +32,8 @@ MAKE_ENV+= SUDO="${SUDO}"
OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \
HPN LPK X509 KERB_GSSAPI \
- OVERWRITE_BASE SCTP AES_THREADED
-OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN
+ OVERWRITE_BASE SCTP AES_THREADED LDNS NONECIPHER
+OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN LDNS NONECIPHER
OPTIONS_RADIO= KERBEROS
OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE
TCP_WRAPPERS_DESC= tcp_wrappers support
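Review bot: OPTIONS_DEFAULT now turns NONECIPHER on for every default build, yet the only text a user sees for it (NONECIPHER_DESC in the next hunk) is "NONE Cipher support", which does not say that it compiles the HPN NONE cipher, i.e. a transport with no encryption, into ssh and sshd. The extra-patch-hpn-build-options file added by this commit keeps the runtime default at none_enabled = 0 and the shipped sshd_config still shows `#NoneEnabled no`, so the option only makes the cipher available, but the description should make that explicit; suggest `NONECIPHER_DESC= NONE cipher (unencrypted transport; off unless NoneEnabled is set) [HPN]`. If the reason for defaulting it on is only to preserve what the HPN diff already provided, a one-line comment above OPTIONS_DEFAULT saying so would stop the next reader from reading it as a deliberate loosening.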
@@ -42,18 +41,84 @@ BSM_DESC= OpenBSM Auditing
KERB_GSSAPI_DESC= Kerberos/GSSAPI patch (req: GSSAPI)
HPN_DESC= HPN-SSH patch
LPK_DESC= LDAP Public Key (LPK) [OBSOLETE]
+LDNS_DESC= SSHFP/LDNS support
X509_DESC= x509 certificate patch
SCTP_DESC= SCTP support
OVERWRITE_BASE_DESC= OpenSSH overwrite base
HEIMDAL_DESC= Heimdal Kerberos (security/heimdal)
HEIMDAL_BASE_DESC= Heimdal Kerberos (base)
MIT_DESC= MIT Kerberos (security/krb5)
-AES_THREADED_DESC= Threaded AES-CTR [HPN/Experimental]
+AES_THREADED_DESC= Threaded AES-CTR
+NONECIPHER_DESC= NONE Cipher support
+OPTIONS_SUB= yes
PLIST_SUB+= MANPREFIX=${MANPREFIX}
+LDNS_CONFIGURE_WITH= ldns
+LDNS_LIB_DEPENDS= libldns.so:${PORTSDIR}/dns/ldns
+LDNS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ldns
+LDNS_CFLAGS= -I${LOCALBASE}/include
+LDNS_CONFIGURE_ON= --with-ldflags='-L${LOCALBASE}/lib'
+
+# http://www.psc.edu/index.php/hpn-ssh
+HPN_EXTRA_PATCHES= ${FILESDIR}/extra-patch-hpn-window-size
+HPN_CONFIGURE_WITH= hpn
+NONECIPHER_CONFIGURE_WITH= nonecipher
+AES_THREADED_CONFIGURE_WITH= aes-threaded
+
+# See http://code.google.com/p/openssh-lpk/wiki/Main
+# and svn repo described here:
+# http://code.google.com/p/openssh-lpk/source/checkout
+# LPK is now OBSOLETE with 6.2: https://code.google.com/p/openssh-lpk/issues/detail?id=15#c1
+LPK_PATCHFILES= ${PORTNAME}-lpk-6.3p1.patch.gz
+LPK_CPPFLAGS= -I${LOCALBASE}/include
+LPK_CONFIGURE_ON= --with-ldap=yes \
+ --with-ldflags='-L${LOCALBASE}/lib' \
+ --with-cppflags='${CPPFLAGS}'
+LPK_USE= OPENLDAP=yes
+
+# See http://www.roumenpetrov.info/openssh/
+X509_VERSION= 7.6
+X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
+X509_PATCHFILES= ${PORTNAME}-6.3p1+x509-${X509_VERSION}.diff.gz:-p1:x509
+
+# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
+SCTP_PATCHFILES= ${PORTNAME}-sctp-2329.patch.gz
+SCTP_CONFIGURE_WITH= sctp
+
+# Adapated from 5.7 patch at http://www.sxw.org.uk/computing/patches/
+KERB_GSSAPI_PATCHFILES= openssh-6.3p1-gsskex-all-20110125.patch.gz
+
+
+MIT_LIB_DEPENDS= krb5.3:${PORTSDIR}/security/krb5
+HEIMDAL_LIB_DEPENDS= krb5.26:${PORTSDIR}/security/heimdal
+
+PAM_CONFIGURE_WITH= pam
+TCP_WRAPPERS_CONFIGURE_WITH= tcp-wrappers
+
+LIBEDIT_CONFIGURE_WITH= libedit
+BSM_CONFIGURE_ON= --with-audit=bsm
+
+
+PORTDOCS= *
+
.include <bsd.port.pre.mk>
+# http://www.psc.edu/index.php/hpn-ssh
+.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
+HPN_VERSION= 14v2
+PATCH_SITES+= ${MASTER_SITE_SOURCEFORGE:S/$/:hpn/}
+PATCH_SITE_SUBDIR+= hpnssh/HPN-SSH%20${HPN_VERSION}%20${DISTVERSION}/:hpn
+PATCHFILES+= ${PORTNAME}-${DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
+EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-build-options
+# Remove HPN if only AES requested
+. if !${PORT_OPTIONS:MHPN}
+EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-no-hpn
+. endif
+.endif
+
+PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn
+
.if ${OSVERSION} >= 900000
CONFIGURE_LIBS+= -lutil
.endif
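Review bot: The HPN block placed after `.include <bsd.port.pre.mk>` repeats the `# http://www.psc.edu/index.php/hpn-ssh` comment already written above HPN_EXTRA_PATCHES, and its condition `${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}` is spelled out again in the X509 BROKEN check and in post-install. Since all three options are carved out of the same HPN diff, a comment at the first occurrence such as `# AES_THREADED and NONECIPHER live inside the HPN diff, so any of the three pulls it in` explains the coupling better than the duplicated URL. The `# Remove HPN if only AES requested` comment is now stale because NONECIPHER alone also reaches that branch; `# Strip the HPN-only pieces when HPN itself was not selected` matches the new condition. The doubled blank lines after KERB_GSSAPI_PATCHFILES and after BSM_CONFIGURE_ON can be collapsed to one.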
@@ -66,14 +131,10 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch-sshd-utmp-size
.endif
.if ${PORT_OPTIONS:MX509}
-. if ${PORT_OPTIONS:MHPN}
+. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
BROKEN= X509 patch and HPN patch do not apply cleanly together
. endif
-. if ${PORT_OPTIONS:MAES_THREADED}
-BROKEN= X509 patch and AES_THREADED patch do not apply cleanly together
-. endif
-
. if ${PORT_OPTIONS:MSCTP}
BROKEN= X509 patch and SCTP patch do not apply cleanly together
. endif
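Review bot: The widened condition now marks the port BROKEN when only AES_THREADED or NONECIPHER is selected with X509, but the message still reads "X509 patch and HPN patch do not apply cleanly together", so a user who never enabled HPN will not see why. Since those two options pull in the HPN diff (see the PATCHFILES block added earlier in this file), the message should name them: `BROKEN= X509 patch and HPN patch (pulled in by HPN, AES_THREADED or NONECIPHER) do not apply cleanly together`. The enclosing `.if ${PORT_OPTIONS:MX509}` block continues past the end of this hunk.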
@@ -92,44 +153,30 @@ BROKEN= X509 patch incompatible with KERB_GSSAPI patch
BROKEN= KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently
.endif
-.if defined(OPENSSH_OVERWRITE_BASE)
-PORT_OPTIONS+= OVERWRITE_BASE
-.endif
-
-.if ${PORT_OPTIONS:MPAM} && exists(/usr/include/security/pam_modules.h)
-CONFIGURE_ARGS+= --with-pam
+.if ${PORT_OPTIONS:MHEIMDAL_BASE} && !exists(/usr/lib/libkrb5.so)
+IGNORE= You have selected HEIMDAL_BASE but do not have heimdal installed in base
.endif
-.if ${PORT_OPTIONS:MTCP_WRAPPERS} && exists(/usr/include/tcpd.h)
-CONFIGURE_ARGS+= --with-tcp-wrappers
+.if ${PORT_OPTIONS:MPAM} && !exists(/usr/include/security/pam_modules.h)
+IGNORE= Pam must be installed in base
.endif
-.if ${PORT_OPTIONS:MLIBEDIT}
-CONFIGURE_ARGS+= --with-libedit
+.if ${PORT_OPTIONS:MTCP_WRAPPERS} && !exists(/usr/include/tcpd.h)
+IGNORE= Required /usr/include/tcpd.h missing
.endif
-.if ${PORT_OPTIONS:MBSM}
-CONFIGURE_ARGS+= --with-audit=bsm
+.if defined(OPENSSH_OVERWRITE_BASE)
+PORT_OPTIONS+= OVERWRITE_BASE
.endif
.if ${PORT_OPTIONS:MMIT} || ${PORT_OPTIONS:MHEIMDAL} || ${PORT_OPTIONS:MHEIMDAL_BASE}
-CONFIGURE_ARGS+= --with-kerberos5
-. if ${PORT_OPTIONS:MMIT}
-LIB_DEPENDS+= krb5.3:${PORTSDIR}/security/krb5
-. elif ${PORT_OPTIONS:MHEIMDAL}
-LIB_DEPENDS+= krb5.26:${PORTSDIR}/security/heimdal
-. elif ${PORT_OPTIONS:MHEIMDAL_BASE}
-. if !exists(/usr/lib/libkrb5.so)
-IGNORE= You have selected HEIMDAL_BASE but do not have heimdal installed in base
-. else
+. if ${PORT_OPTIONS:MHEIMDAL_BASE}
+. if ${PORT_OPTIONS:MKERB_GSSAPI}
CONFIGURE_LIBS+= -lgssapi_krb5
-. endif
-. endif
-
-# Adapated from 5.7 patch at http://www.sxw.org.uk/computing/patches/
-. if ${PORT_OPTIONS:MKERB_GSSAPI}
-PATCHFILES+= openssh-6.2p2-gsskex-all-20110125-2.patch.gz
-PATCH_DIST_STRIP=
+. endif
+CONFIGURE_ARGS+= --with-kerberos5=/usr
+. else
+CONFIGURE_ARGS+= --with-kerberos5=${LOCALBASE}
. endif
. if ${OPENSSLBASE} == "/usr"
CONFIGURE_ARGS+= --without-rpath
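Review bot: `CONFIGURE_LIBS+= -lgssapi_krb5` was previously added for every HEIMDAL_BASE build, but the new nesting adds it only when KERB_GSSAPI is also selected, and the BROKEN line visible at the top of this hunk says KERB_GSSAPI does not build with base Heimdal at all, so the inner `. if ${PORT_OPTIONS:MKERB_GSSAPI}` looks unreachable while plain HEIMDAL_BASE builds silently lose the library. I cannot tell from here whether base Heimdal's krb5 needs `-lgssapi_krb5` without the GSSAPI patch; if it does not, dropping the dead inner block is clearer than keeping it, and if it does, the guard should go. The new IGNORE text `Pam must be installed in base` should spell the subsystem as `PAM`, matching the option name. The enclosing `.if ${PORT_OPTIONS:MMIT} || ...` block ends outside this hunk.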
@@ -145,52 +192,10 @@ IGNORE= KERB_GSSAPI requires one of MIT HEIMDAL or HEIMDAL_BASE
CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE}
.endif
-# http://www.psc.edu/index.php/hpn-ssh
-.if ${PORT_OPTIONS:MHPN}
-HPN_VERSION= 13v14
-PATCHFILES+= ${PORTNAME}-6.2p1-hpn${HPN_VERSION}.diff.gz
-EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-window-size
-PATCH_DIST_STRIP=
-.endif
-
-# http://www.psc.edu/index.php/hpn-ssh
-.if ${PORT_OPTIONS:MAES_THREADED}
-AES_THREADED_VERSION= v14
-PATCHFILES+= ${PORTNAME}-6.2p1-CTR-threaded-${AES_THREADED_VERSION}.diff.gz
-PATCH_DIST_STRIP=
-.endif
-
-# See http://code.google.com/p/openssh-lpk/wiki/Main
-# and svn repo described here:
-# http://code.google.com/p/openssh-lpk/source/checkout
-# LPK is now OBSOLETE with 6.2: https://code.google.com/p/openssh-lpk/issues/detail?id=15#c1
.if ${PORT_OPTIONS:MLPK}
-PATCHFILES+= ${PORTNAME}-lpk-6.2p1.patch.gz
-USE_OPENLDAP= yes
-CPPFLAGS+= -I${LOCALBASE}/include
-CONFIGURE_ARGS+= --with-ldap=yes \
- --with-ldflags='-L${LOCALBASE}/lib' \
- --with-cppflags='${CPPFLAGS}'
CONFIGURE_LIBS+= -lldap
.endif
-# See http://www.roumenpetrov.info/openssh/
-.if ${PORT_OPTIONS:MX509}
-X509_VERSION= 7.4.1
-PATCH_SITES+= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
-PATCHFILES+= ${PORTNAME}-6.2p1+x509-${X509_VERSION}.diff.gz:x509
-PATCH_DIST_STRIP= -p1
-PLIST_SUB+= X509=""
-.else
-PLIST_SUB+= X509="@comment "
-.endif
-
-# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
-.if ${PORT_OPTIONS:MSCTP}
-PATCHFILES+= ${PORTNAME}-sctp-2163.patch.gz
-CONFIGURE_ARGS+= --with-sctp
-.endif
-
EMPTYDIR= /var/empty
.if ${PORT_OPTIONS:MOVERWRITE_BASE}
@@ -201,17 +206,14 @@ NO_MTREE= yes
ETCSSH= /etc/ssh
USE_RCORDER= openssh
PLIST_SUB+= NOTBASE="@comment "
-PLIST_SUB+= BASE=""
PLIST_SUB+= BASEPREFIX="${PREFIX}"
.else
ETCSSH= ${PREFIX}/etc/ssh
USE_RC_SUBR= openssh
PLIST_SUB+= NOTBASE=""
-PLIST_SUB+= BASE="@comment "
.endif
# After all
-PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509
SUB_LIST+= ETCSSH="${ETCSSH}"
CONFIGURE_ARGS+= --sysconfdir=${ETCSSH} --with-privsep-path=${EMPTYDIR}
.if !empty(CONFIGURE_LIBS)
@@ -222,7 +224,10 @@ RC_SCRIPT_NAME= openssh
post-patch:
@${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure
- @${REINPLACE_CMD} -e 's|install: \(.*\) host-key check-config|install: \1|g' ${WRKSRC}/Makefile.in
+ @${REINPLACE_CMD} \
+ -e 's|install: \(.*\) host-key check-config|install: \1|g' \
+ -e 's|-lpthread|${PTHREAD_LIBS}|' \
+ ${WRKSRC}/Makefile.in
@${REINPLACE_CMD} -e 's|/usr/X11R6|${LOCALBASE}|' \
${WRKSRC}/pathnames.h ${WRKSRC}/sshd_config.5 \
${WRKSRC}/ssh_config.5
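Review bot: The new expression `-e 's|-lpthread|${PTHREAD_LIBS}|'` has no `g` flag, unlike the `install:` expression on the line above it, so only the first `-lpthread` on any given line of Makefile.in is rewritten. If a single occurrence per line is the expectation, a comment like `# Makefile.in references -lpthread once per line` would record that; otherwise add the `g` flag to match its sibling. ${PTHREAD_LIBS} is also spliced into a sed program unquoted, which is fine for the usual `-lpthread`/`-pthread` values but would break on a value containing `|`.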
@@ -252,6 +257,10 @@ pre-install:
post-install:
${INSTALL_DATA} ${WRKSRC}/ssh_config.out ${STAGEDIR}${ETCSSH}/ssh_config-dist
${INSTALL_DATA} ${WRKSRC}/sshd_config.out ${STAGEDIR}${ETCSSH}/sshd_config-dist
+.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
+ ${MKDIR} ${STAGEDIR}${DOCSDIR}
+ ${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR}
+.endif
test: build
(cd ${WRKSRC}/regress && ${SETENV} OBJ=${WRKDIR} ${MAKE_ENV} TEST_SHELL=/bin/sh \
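Review bot: The post-install addition copies HPN-README into ${DOCSDIR} whenever any HPN-related option is set, without checking the DOCS option, even though `PORTDOCS= *` is declared earlier in this commit. Presumably bsd.port.mk adds a DOCS option when PORTDOCS is set (verify for this ports tree), in which case the guard should read `.if ${PORT_OPTIONS:MDOCS} && (${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER})`. The `${MKDIR}` line is pure noise in the build log and can be prefixed with `@`. The post-install target ends with the `.endif`; `test:` that follows is a separate rule.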
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index 31b2d303f71d..e7cbd2ab7fda 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,14 +1,12 @@
-SHA256 (openssh-6.2p2.tar.gz) = 7f29b9d2ad672ae0f9e1dcbff871fc5c2e60a194e90c766432e32161b842313b
-SIZE (openssh-6.2p2.tar.gz) = 1182922
-SHA256 (openssh-6.2p1-hpn13v14.diff.gz) = 586d1c74aa4c79b9c11b206eebb316c9a9d68a7a4031b5b3b2139f464f2dc03b
-SIZE (openssh-6.2p1-hpn13v14.diff.gz) = 13984
-SHA256 (openssh-6.2p1-CTR-threaded-v14.diff.gz) = 4d2fefd8a415c76d761ffe3a8fda7dfbbd62a118bc1e8799483e9bb8e575a2a9
-SIZE (openssh-6.2p1-CTR-threaded-v14.diff.gz) = 4908
-SHA256 (openssh-6.2p1+x509-7.4.1.diff.gz) = cdfa0ac38184062de7e0af36eeda7713095fbcffffb598d785047f6f47e48eae
-SIZE (openssh-6.2p1+x509-7.4.1.diff.gz) = 215496
-SHA256 (openssh-6.2p2-gsskex-all-20110125-2.patch.gz) = 597634f1a9e624b928f0ae647ec2ffba641f94a3ecad1161bce8fb2512c476b8
-SIZE (openssh-6.2p2-gsskex-all-20110125-2.patch.gz) = 24205
-SHA256 (openssh-lpk-6.2p1.patch.gz) = 96c7a5435f3fd7d83875ee06c4a3c83ee6172c7d9de31b9ffdeb18118f285a24
-SIZE (openssh-lpk-6.2p1.patch.gz) = 17881
-SHA256 (openssh-sctp-2163.patch.gz) = 86ac3a59119c9c26193334d8ba7c3be9f143209080e4f8a2a00577c24c0c9e03
-SIZE (openssh-sctp-2163.patch.gz) = 6764
+SHA256 (openssh-6.3p1.tar.gz) = aea575ededd3ebd45c05d42d0a87af22c79131a847ea440c54e3fdd223f5a420
+SIZE (openssh-6.3p1.tar.gz) = 1201101
+SHA256 (openssh-6.3p1-hpnssh14v2.diff.gz) = 23ae9307b58629ccf76a8ed5d9cf7215a45d6b7533d6b17eef17279fb9c48dca
+SIZE (openssh-6.3p1-hpnssh14v2.diff.gz) = 24450
+SHA256 (openssh-6.3p1+x509-7.6.diff.gz) = d9e5f37c1a7750c19895f71d9b54e35afb6e7a45511b828e9da51252d0946460
+SIZE (openssh-6.3p1+x509-7.6.diff.gz) = 219962
+SHA256 (openssh-6.3p1-gsskex-all-20110125.patch.gz) = 9dac542ed23f1ee330ddb03a34825f04abea726d227e9433f970e9a24325d767
+SIZE (openssh-6.3p1-gsskex-all-20110125.patch.gz) = 23486
+SHA256 (openssh-lpk-6.3p1.patch.gz) = d2a8b7da7acebac2afc4d0a3dffe8fca2e49900cf733af2e7012f2449b3668e1
+SIZE (openssh-lpk-6.3p1.patch.gz) = 17815
+SHA256 (openssh-sctp-2329.patch.gz) = 1c460d6173c87313691ca279ac120959c3693a0570657514f1dcadcff5f405cb
+SIZE (openssh-sctp-2329.patch.gz) = 8706
diff --git a/security/openssh-portable/files/extra-patch-hpn-build-options b/security/openssh-portable/files/extra-patch-hpn-build-options
new file mode 100644
index 000000000000..c4551a51e756
--- /dev/null
+++ b/security/openssh-portable/files/extra-patch-hpn-build-options
@@ -0,0 +1,142 @@
+--- sshconnect2.c.orig 2013-10-11 08:52:17.836129741 -0500
++++ sshconnect2.c 2013-10-11 08:53:05.776132295 -0500
+@@ -451,6 +451,7 @@ ssh_userauth2(const char *local_user, co
+ }
+ }
+
++#ifdef AES_THREADED
+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
+ * so the initial aes-ctr is defined to point to the original single process
+ * evp. After authentication we'll be past the fork and the sandboxed privsep
+@@ -466,6 +467,7 @@ ssh_userauth2(const char *local_user, co
+ cipher_reset_multithreaded();
+ packet_request_rekeying();
+ }
++#endif
+
+ debug("Authentication succeeded (%s).", authctxt.method->name);
+ }
+--- sshd.c.orig 2013-10-11 08:52:17.848126748 -0500
++++ sshd.c 2013-10-11 08:53:25.929132033 -0500
+@@ -2186,6 +2186,7 @@ main(int ac, char **av)
+
+ /* Start session. */
+
++#ifdef AES_THREADED
+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
+ * so the initial aes-ctr is defined to point ot the original single process
+ * evp. After authentication we'll be past the fork and the sandboxed privsep
+@@ -2201,6 +2202,7 @@ main(int ac, char **av)
+ cipher_reset_multithreaded();
+ packet_request_rekeying();
+ }
++#endif
+
+ do_authenticated(authctxt);
+
+--- readconf.c.orig 2013-10-11 09:24:10.812126846 -0500
++++ readconf.c 2013-10-11 09:19:12.295135966 -0500
+@@ -251,12 +251,16 @@ static struct {
+ { "kexalgorithms", oKexAlgorithms },
+ { "ipqos", oIPQoS },
+ { "requesttty", oRequestTTY },
++#ifdef NONECIPHER
+ { "noneenabled", oNoneEnabled },
+ { "noneswitch", oNoneSwitch },
++#endif
++#ifdef HPN
+ { "tcprcvbufpoll", oTcpRcvBufPoll },
+ { "tcprcvbuf", oTcpRcvBuf },
+ { "hpndisabled", oHPNDisabled },
+ { "hpnbuffersize", oHPNBufferSize },
++#endif
+ { "ignoreunknown", oIgnoreUnknown },
+
+ { NULL, oBadOption }
+@@ -1417,12 +1421,20 @@ fill_default_options(Options * options)
+ options->server_alive_interval = 0;
+ if (options->server_alive_count_max == -1)
+ options->server_alive_count_max = 3;
++#ifdef NONECIPHER
+ if (options->none_switch == -1)
++#endif
+ options->none_switch = 0;
++#ifdef NONECIPHER
+ if (options->none_enabled == -1)
++#endif
+ options->none_enabled = 0;
++#ifdef HPN
+ if (options->hpn_disabled == -1)
+ options->hpn_disabled = 0;
++#else
++ options->hpn_disabled = 1;
++#endif
+ if (options->hpn_buffer_size > -1)
+ {
+ /* if a user tries to set the size to 0 set it to 1KB */
+--- servconf.c.orig 2013-10-11 09:24:44.734138483 -0500
++++ servconf.c 2013-10-11 09:25:50.777137928 -0500
+@@ -305,10 +305,16 @@ fill_default_server_options(ServerOption
+ options->permit_tun = SSH_TUNMODE_NO;
+ if (options->zero_knowledge_password_authentication == -1)
+ options->zero_knowledge_password_authentication = 0;
++#ifdef NONECIPHER
+ if (options->none_enabled == -1)
++#endif
+ options->none_enabled = 0;
++#ifdef HPN
+ if (options->hpn_disabled == -1)
+ options->hpn_disabled = 0;
++#else
++ options->hpn_disabled = 1;
++#endif
+
+ if (options->hpn_buffer_size == -1) {
+ /* option not explicitly set. Now we have to figure out */
+--- configure.ac.orig 2013-10-12 17:17:41.525139481 -0500
++++ configure.ac 2013-10-12 17:18:35.610130039 -0500
+@@ -3968,6 +3968,34 @@
+ ]
+ ) # maildir
+
++#check whether user wants HPN support
++HPN_MSG="no"
++AC_ARG_WITH(hpn,
++ [ --with-hpn Enable HPN support],
++ [ if test "x$withval" != "xno" ; then
++ AC_DEFINE(HPN,1,[Define if you want HPN support.])
++ HPN_MSG="yes"
++ fi ]
++)
++#check whether user wants NONECIPHER support
++NONECIPHER_MSG="no"
++AC_ARG_WITH(nonecipher,
++ [ --with-nonecipher Enable NONECIPHER support],
++ [ if test "x$withval" != "xno" ; then
++ AC_DEFINE(NONECIPHER,1,[Define if you want NONECIPHER support.])
++ NONECIPHER_MSG="yes"
++ fi ]
++)
++#check whether user wants AES_THREADED support
++AES_THREADED_MSG="no"
++AC_ARG_WITH(aes-threaded,
++ [ --with-aes-threaded Enable AES_THREADED support],
++ [ if test "x$withval" != "xno" ; then
++ AC_DEFINE(AES_THREADED,1,[Define if you want AES_THREADED support.])
++ AES_THREADED_MSG="yes"
++ fi ]
++)
++
+ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
+ AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
+ disable_ptmx_check=yes
+@@ -4636,6 +4664,9 @@
+ echo " BSD Auth support: $BSD_AUTH_MSG"
+ echo " Random number source: $RAND_MSG"
+ echo " Privsep sandbox style: $SANDBOX_STYLE"
++echo " HPN support: $HPN_MSG"
++echo " NONECIPHER support: $NONECIPHER_MSG"
++echo " AES_THREADED support: $AES_THREADED_MSG"
+
+ echo ""
+
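Review bot: In fill_default_options() the pattern `#ifdef NONECIPHER` / `if (options->none_switch == -1)` / `#endif` / `options->none_switch = 0;` relies on the `if` vanishing so the assignment becomes unconditional, which is the correct fail-closed behaviour but reads like a broken preprocessor block; a comment such as `/* NONECIPHER compiled out: force the none cipher off regardless of config */` at the first of the three occurrences (readconf.c twice, servconf.c once) would keep someone from "fixing" it. Note also that the `noneenabled`/`noneswitch` keywords are compiled out of the readconf.c table when NONECIPHER is off, so a config file that still sets them fails to parse, yet the Makefile applies extra-patch-hpn-no-hpn (which strips the `#NoneEnabled no` sample line from sshd_config) only when HPN itself is off; with HPN on and NONECIPHER off the shipped sshd_config still advertises a keyword sshd will reject. The sshd_config cleanup for the NoneEnabled lines should therefore live in this patch, or the hpn-no-hpn split should be keyed on NONECIPHER as well.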
diff --git a/security/openssh-portable/files/extra-patch-hpn-no-hpn b/security/openssh-portable/files/extra-patch-hpn-no-hpn
new file mode 100644
index 000000000000..dc3b112a2fee
--- /dev/null
+++ b/security/openssh-portable/files/extra-patch-hpn-no-hpn
@@ -0,0 +1,32 @@
+--- sshd_config.orig 2013-10-12 06:40:05.766128740 -0500
++++ sshd_config 2013-10-12 06:40:06.646129924 -0500
+@@ -125,20 +125,6 @@
+ # override default of no subsystems
+ Subsystem sftp /usr/libexec/sftp-server
+
+-# the following are HPN related configuration options
+-# tcp receive buffer polling. disable in non autotuning kernels
+-#TcpRcvBufPoll yes
+-
+-# disable hpn performance boosts
+-#HPNDisabled no
+-
+-# buffer size for hpn to non-hpn connections
+-#HPNBufferSize 2048
+-
+-
+-# allow the use of the none cipher
+-#NoneEnabled no
+-
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
+ # X11Forwarding no
+--- version.h.orig 2013-10-12 06:42:19.578133368 -0500
++++ version.h 2013-10-12 06:42:28.581136160 -0500
+@@ -3,5 +3,4 @@
+ #define SSH_VERSION "OpenSSH_6.3"
+
+ #define SSH_PORTABLE "p1"
+-#define SSH_HPN "-hpn14v2"
+-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
++#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
diff --git a/security/openssh-portable/files/extra-patch-ldns b/security/openssh-portable/files/extra-patch-ldns
new file mode 100644
index 000000000000..162d8686a33c
--- /dev/null
+++ b/security/openssh-portable/files/extra-patch-ldns
@@ -0,0 +1,51 @@
+r255461 | des | 2013-09-10 17:30:22 -0500 (Tue, 10 Sep 2013) | 7 lines
+Changed paths:
+ M /head/crypto/openssh/readconf.c
+ M /head/crypto/openssh/ssh_config
+ M /head/crypto/openssh/ssh_config.5
+
+Change the default value of VerifyHostKeyDNS to "yes" if compiled with
+LDNS. With that setting, OpenSSH will silently accept host keys that
+match verified SSHFP records. If an SSHFP record exists but could not
+be verified, OpenSSH will print a message and prompt the user as usual.
+
+--- readconf.c 2013-10-03 08:15:03.496131082 -0500
++++ readconf.c 2013-10-03 08:15:22.716134315 -0500
+@@ -1414,8 +1414,14 @@ fill_default_options(Options * options)
+ options->rekey_limit = 0;
+ if (options->rekey_interval == -1)
+ options->rekey_interval = 0;
++#if HAVE_LDNS
++ if (options->verify_host_key_dns == -1)
++ /* automatically trust a verified SSHFP record */
++ options->verify_host_key_dns = 1;
++#else
+ if (options->verify_host_key_dns == -1)
+ options->verify_host_key_dns = 0;
++#endif
+ if (options->server_alive_interval == -1)
+ options->server_alive_interval = 0;
+ if (options->server_alive_count_max == -1)
+--- ssh_config 2013-10-03 08:15:03.537131330 -0500
++++ ssh_config 2013-10-03 08:15:22.755131175 -0500
+@@ -44,5 +44,6 @@
+ # TunnelDevice any:any
+ # PermitLocalCommand no
+ # VisualHostKey no
++# VerifyHostKeyDNS yes
+ # ProxyCommand ssh -q -W %h:%p gateway.example.com
+ # RekeyLimit 1G 1h
+--- ssh_config.5 2013-10-03 08:15:03.621130815 -0500
++++ ssh_config.5 2013-10-03 08:15:22.851132133 -0500
+@@ -1246,7 +1246,10 @@ The argument must be
+ or
+ .Dq ask .
+ The default is
+-.Dq no .
++.Dq yes
++if compiled with LDNS and
++.Dq no
++otherwise.
+ Note that this option applies to protocol version 2 only.
+ .Pp
+ See also VERIFYING HOST KEYS in
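Review bot: The ssh_config.5 change says only that the default becomes "yes if compiled with LDNS", while the log message carried at the top of this file states the actual contract: a host key matching a verified SSHFP record is accepted silently, and an SSHFP record that exists but cannot be verified still prompts the user. That caveat is what an administrator needs to judge the new default, so the man page sentence should carry it, e.g. after `otherwise.` add a sentence stating that with `yes` a key matching a DNSSEC-verified SSHFP record is accepted without prompting and any unverified record falls back to the usual prompt. The `#if HAVE_LDNS` in readconf.c works because an undefined macro evaluates to 0, but the other patches in this commit use `#ifdef`; `#ifdef HAVE_LDNS` keeps them consistent and avoids a -Wundef warning.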
diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c
index 7a19c85c4787..b91928b93483 100644
--- a/security/openssh-portable/files/patch-session.c
+++ b/security/openssh-portable/files/patch-session.c
@@ -41,8 +41,8 @@
+ LOGIN_SETENV|LOGIN_SETPATH);
+ copy_environment(environ, &env, &envsize);
+ for (var = environ; *var != NULL; ++var)
-+ xfree(*var);
-+ xfree(environ);
++ free(*var);
++ free(environ);
+ environ = senv;
#else /* HAVE_LOGIN_CAP */
# ifndef HAVE_CYGWIN
diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c
index 38abeaf70fbb..a7f6af9a6f27 100644
--- a/security/openssh-portable/files/patch-ssh-agent.c
+++ b/security/openssh-portable/files/patch-ssh-agent.c
@@ -90,13 +90,3 @@ disconnected.
default:
usage();
}
-@@ -1348,8 +1376,7 @@
- if (ac > 0)
- parent_alive_interval = 10;
- idtab_init();
-- if (!d_flag)
-- signal(SIGINT, SIG_IGN);
-+ signal(SIGINT, d_flag ? cleanup_handler : SIG_IGN);
- signal(SIGPIPE, SIG_IGN);
- signal(SIGHUP, cleanup_handler);
- signal(SIGTERM, cleanup_handler);
diff --git a/security/openssh-portable/pkg-message b/security/openssh-portable/pkg-message
index 7436aea5d132..0b4b1cb6b7c6 100644
--- a/security/openssh-portable/pkg-message
+++ b/security/openssh-portable/pkg-message
@@ -10,6 +10,6 @@ the base system. Please be aware of this when upgrading your
OpenSSH port, and if truly necessary, re-enable remote root login
by readjusting this option in your sshd_config.
-Users are encouraged to create single-purpose users with ssh keys
-and very narrowly defined sudo privileges instead of using root
-for automated tasks.
+Users are encouraged to create single-purpose users with ssh keys, disable
+Password auth with 'PasswordAuthentication no' and define very narrow sudo
+privileges instead of using root for automated tasks.
diff --git a/security/openssh-portable/pkg-plist b/security/openssh-portable/pkg-plist
index 0befbc5b0959..7264ae4b7b7e 100644
--- a/security/openssh-portable/pkg-plist
+++ b/security/openssh-portable/pkg-plist
@@ -12,14 +12,15 @@ bin/ssh-keyscan
%%NOTBASE%%@exec if [ -f %D/etc/sshd_config -a ! -f %D/etc/ssh/sshd_config ]; then ln %D/etc/sshd_config %D/etc/ssh/sshd_config ; fi
%%NOTBASE%%@unexec if cmp -s %D/etc/ssh/ssh_config %D/etc/ssh/ssh_config-dist; then rm -f %D/etc/ssh/ssh_config; fi
%%NOTBASE%%@unexec if cmp -s %D/etc/ssh/sshd_config %D/etc/ssh/sshd_config-dist; then rm -f %D/etc/ssh/sshd_config; fi
-%%BASE%%@cwd /
+%%OVERWRITE_BASE%%@cwd /
etc/ssh/ssh_config-dist
etc/ssh/sshd_config-dist
-%%BASE%%@cwd %%BASEPREFIX%%
+%%OVERWRITE_BASE%%@cwd %%BASEPREFIX%%
%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/ssh_config ]; then cp -p %D/etc/ssh/ssh_config-dist %D/etc/ssh/ssh_config ; fi
%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/sshd_config ]; then cp -p %D/etc/ssh/sshd_config-dist %D/etc/ssh/sshd_config ; fi
%%NOTBASE%%%%X509%%@dirrmtry etc/ssh/ca
%%NOTBASE%%@dirrmtry etc/ssh
+@exec if [ -f %D/etc/ssh_host_ecdsa_key ] && grep -q DSA %D/etc/ssh_host_ecdsa_key; then echo; echo "\!/ Warning \!/"; echo; echo "Your %D/etc/ssh_host_ecdsa_key is not a valid ECDSA key. It is incorrectly"; echo "a DSA key due to a bug fixed in 2012 in the security/openssh-portable port."; echo; echo "Regenerate a proper one with: rm -f %D/etc/ssh_host_ecdsa_key*; service openssh restart"; echo; echo "Clients should not see any key change warning since the ECDSA was not valid and was not actually"; echo "used by the server."; echo; echo "\!/ Warning \!/"; fi
sbin/sshd
libexec/sftp-server
libexec/ssh-keysign
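Review bot: The new @exec detects a mis-generated key with `grep -q DSA %D/etc/ssh_host_ecdsa_key`, which matches any three-byte "DSA" substring, including one that happens to occur in the base64 body of a valid EC key, so a correct key could trigger the warning. Anchoring on the PEM header is unambiguous: `grep -q 'BEGIN DSA PRIVATE KEY' %D/etc/ssh_host_ecdsa_key`. The `rm -f` advice embedded in the message should also be readable as a shell snippet to copy; quoting it exactly as `rm -f %D/etc/ssh_host_ecdsa_key* && service openssh restart` avoids restarting when the removal fails.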