author | bdrewery <bdrewery@FreeBSD.org> | 2014-11-18 02:08:14 +0800 |
---|---|---|
committer | bdrewery <bdrewery@FreeBSD.org> | 2014-11-18 02:08:14 +0800 |
commit | 9055c124fb54881d96f5b0b18d9e772c9820afb2 (patch) | |
tree | 9bd466fa54818f0dd51dff763428513298558995 /security/openssh-portable | |
parent | e8290bfc31158238dea8991d0f3d6330003bb740 (diff) | |
- Update to 6.7p1.
Several patches do not currently apply. Use security/openssh-portable66 for:
HPN, NONECIPHER, KERB_GSSAPI, X509.
- Add a TCP_WRAPPERS patch (files/extra-patch-tcpwrappers) to re-enable tcp_wrappers support after it was removed upstream.
Diffstat (limited to 'security/openssh-portable')
-rw-r--r-- | security/openssh-portable/Makefile | 55 | ||||
-rw-r--r-- | security/openssh-portable/distinfo | 8 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-openssh661 | 162 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-tcpwrappers | 179 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-readconf.c | 19 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-ssh-agent.c | 31 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-sshd_config.5 | 22 |
7 files changed, 241 insertions, 235 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index fd76ddab489e..d5d8b7ec4e6d 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -2,8 +2,8 @@ # $FreeBSD$ PORTNAME= openssh -DISTVERSION= 6.6p1 -PORTREVISION= 4 +DISTVERSION= 6.7p1 +PORTREVISION= 0 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= ${MASTER_SITE_OPENBSD} @@ -33,33 +33,31 @@ ETCOLD= ${PREFIX}/etc SUDO?= # empty MAKE_ENV+= SUDO="${SUDO}" -# https://github.com/openssh/openssh-portable/commit/5618210618256bbf5f4f71b2887ff186fd451736.patch -EXTRA_PATCHES+= ${FILESDIR}/extra-patch-openssh661 - OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \ - HPN LPK X509 KERB_GSSAPI \ + HPN X509 KERB_GSSAPI \ OVERWRITE_BASE SCTP AES_THREADED LDNS NONECIPHER -OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN LDNS NONECIPHER +OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS OPTIONS_RADIO= KERBEROS OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE TCP_WRAPPERS_DESC= tcp_wrappers support BSM_DESC= OpenBSM Auditing -KERB_GSSAPI_DESC= Kerberos/GSSAPI patch (req: GSSAPI) -HPN_DESC= HPN-SSH patch -LPK_DESC= LDAP Public Key (LPK) [OBSOLETE] +KERB_GSSAPI_DESC= Kerberos/GSSAPI patch (req: GSSAPI) [BROKEN] +HPN_DESC= HPN-SSH patch [BROKEN] LDNS_DESC= SSHFP/LDNS support -X509_DESC= x509 certificate patch +X509_DESC= x509 certificate patch [BROKEN] SCTP_DESC= SCTP support OVERWRITE_BASE_DESC= OpenSSH overwrite base HEIMDAL_DESC= Heimdal Kerberos (security/heimdal) HEIMDAL_BASE_DESC= Heimdal Kerberos (base) MIT_DESC= MIT Kerberos (security/krb5) -AES_THREADED_DESC= Threaded AES-CTR -NONECIPHER_DESC= NONE Cipher support +AES_THREADED_DESC= Threaded AES-CTR [BROKEN] +NONECIPHER_DESC= NONE Cipher support [BROKEN] OPTIONS_SUB= yes PLIST_SUB+= MANPREFIX=${MANPREFIX} +TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers + LDNS_CONFIGURE_WITH= ldns LDNS_LIB_DEPENDS= libldns.so:${PORTSDIR}/dns/ldns LDNS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ldns 
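Review bot: `TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers` wires in a patch that adds `--with-tcp-wrappers` to configure.ac only, so it has an effect only if the port regenerates `configure` (an autoconf step that is not visible in this hunk); if it does not, the flag the TCP_WRAPPERS option passes would be an unrecognized option that an autoconf-generated configure merely warns about, and the default-on option would produce an sshd that enforces no hosts.allow/hosts.deny rules with no build error to show for it. A comment on that line would make the dependency explicit, e.g. `# extra-patch-tcpwrappers patches configure.ac: configure must be regenerated (autoconf) or --with-tcp-wrappers is a silent no-op`. A cheap guard is to check in post-configure that the configure summary this patch adds prints `TCP Wrappers support: yes` when the option is selected, since the patched ChangeLog/configure.ac give no other signal.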
@@ -72,24 +70,13 @@ HPN_CONFIGURE_WITH= hpn NONECIPHER_CONFIGURE_WITH= nonecipher AES_THREADED_CONFIGURE_WITH= aes-threaded -# See http://code.google.com/p/openssh-lpk/wiki/Main -# and svn repo described here: -# http://code.google.com/p/openssh-lpk/source/checkout -# LPK is now OBSOLETE with 6.2: https://code.google.com/p/openssh-lpk/issues/detail?id=15#c1 -LPK_PATCHFILES= ${PORTNAME}-lpk-6.3p1.patch.gz -LPK_CPPFLAGS= -I${LOCALBASE}/include -LPK_CONFIGURE_ON= --with-ldap=yes \ - --with-ldflags='-L${LOCALBASE}/lib' \ - --with-cppflags='${CPPFLAGS}' -LPK_USE= OPENLDAP=yes - # See http://www.roumenpetrov.info/openssh/ X509_VERSION= 7.9 X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509 X509_PATCHFILES= ${PORTNAME}-6.6p1+x509-${X509_VERSION}.diff.gz:-p1:x509 # See https://bugzilla.mindrot.org/show_bug.cgi?id=2016 -SCTP_PATCHFILES= ${PORTNAME}-6.6p1-sctp-2329.patch.gz +SCTP_PATCHFILES= ${PORTNAME}-6.7p1-sctp-2496.patch.gz:-p1 SCTP_CONFIGURE_WITH= sctp # 6.6 patch taken from http://www.stacken.kth.se/~haba/ which was originally @@ -137,6 +124,16 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch-sshd-utmp-size .endif .if ${PORT_OPTIONS:MX509} +BROKEN= X509 does not apply yet. Use security/openssh-portable66 +.endif +.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER} +BROKEN= HPN does not apply yet. Use security/openssh-portable66 +.endif +.if ${PORT_OPTIONS:MKERB_GSSAPI} +BROKEN= KERB_GSSAPI does not apply yet. Use security/openssh-portable66 +.endif + +.if ${PORT_OPTIONS:MX509} . if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER} BROKEN= X509 patch and HPN patch do not apply cleanly together . endif 
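Review bot: The new `BROKEN= HPN does not apply yet. Use security/openssh-portable66` also fires when only `AES_THREADED` or `NONECIPHER` is selected, so a user who never enabled HPN is told HPN is broken; name all three, e.g. `BROKEN= HPN, AES_THREADED and NONECIPHER patches do not apply yet. Use security/openssh-portable66`. The older pairwise `X509 patch and HPN patch do not apply cleanly together` checks that follow now only overwrite these messages (the last `BROKEN=` assignment wins), which is harmless but leaves the combined-option user with the less actionable text. In the `-72` hunk `X509_PATCHFILES` still names `${PORTNAME}-6.6p1+x509-${X509_VERSION}.diff.gz` while the port moves to 6.7p1; because X509 is marked BROKEN this is not a build problem, but a comment such as `# still the 6.6p1 patch; re-check when un-BROKENing X509` would stop the next updater from trusting it.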
@@ -145,10 +142,6 @@ BROKEN= X509 patch and HPN patch do not apply cleanly together BROKEN= X509 patch and SCTP patch do not apply cleanly together . endif -. if ${PORT_OPTIONS:MLPK} -BROKEN= X509 patch and LPK patch do not apply cleanly together -. endif - . if ${PORT_OPTIONS:MKERB_GSSAPI} BROKEN= X509 patch incompatible with KERB_GSSAPI patch . endif @@ -196,10 +189,6 @@ IGNORE= KERB_GSSAPI requires one of MIT HEIMDAL or HEIMDAL_BASE CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE} .endif -.if ${PORT_OPTIONS:MLPK} -CONFIGURE_LIBS+= -lldap -.endif - EMPTYDIR= /var/empty .if ${PORT_OPTIONS:MOVERWRITE_BASE} diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo index 59371f6b15df..ca3e7f44787f 100644 --- a/security/openssh-portable/distinfo +++ b/security/openssh-portable/distinfo @@ -1,5 +1,5 @@ -SHA256 (openssh-6.6p1.tar.gz) = 48c1f0664b4534875038004cc4f3555b8329c2a81c1df48db5c517800de203bb -SIZE (openssh-6.6p1.tar.gz) = 1282502 +SHA256 (openssh-6.7p1.tar.gz) = b2f8394eae858dabbdef7dac10b99aec00c95462753e80342e530bbb6f725507 +SIZE (openssh-6.7p1.tar.gz) = 1351367 SHA256 (openssh-6.6.1p1-hpnssh14v2.diff.gz) = b7f5bd22f1c0bacd41fc4884aeb19bba460d548af875eeb6c857cb77bab53376 SIZE (openssh-6.6.1p1-hpnssh14v2.diff.gz) = 24473 SHA256 (openssh-6.6p1+x509-7.9.diff.gz) = 463473f75c1dc250ea4eda21f2c79df6f0b479ea499d044cb51d73073881ca34 @@ -8,5 +8,5 @@ SHA256 (openssh-6.6p1-gsskex-all-20140318.patch.gz) = 9436c03ba46cdda8753f895781 SIZE (openssh-6.6p1-gsskex-all-20140318.patch.gz) = 24299 SHA256 (openssh-lpk-6.3p1.patch.gz) = d2a8b7da7acebac2afc4d0a3dffe8fca2e49900cf733af2e7012f2449b3668e1 SIZE (openssh-lpk-6.3p1.patch.gz) = 17815 -SHA256 (openssh-6.6p1-sctp-2329.patch.gz) = e054529810815d63f7de5d1c6cc76fccb7766e1b2d1b62438ca83770afac9bfa -SIZE (openssh-6.6p1-sctp-2329.patch.gz) = 8695 +SHA256 (openssh-6.7p1-sctp-2496.patch.gz) = ec2b6aa8a6d65a2c11d4453a25294ae5082e7ed7c9f418ec081f750bfba022db +SIZE (openssh-6.7p1-sctp-2496.patch.gz) = 8052 
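Review bot: distinfo still carries `SHA256 (openssh-lpk-6.3p1.patch.gz)` and its `SIZE` line even though this commit deletes the LPK option and `LPK_PATCHFILES` from the Makefile, so that checksum now guards a file nothing fetches; drop the two lines so distinfo remains a record of what the port actually verifies. The untouched HPN (`6.6.1p1`), X509 (`6.6p1`) and gsskex (`6.6p1`) entries are stale against a 6.7p1 base in the same way, but they still match the BROKEN-marked options' PATCHFILES and can stay until those patches are refreshed.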
diff --git a/security/openssh-portable/files/extra-patch-openssh661 b/security/openssh-portable/files/extra-patch-openssh661 deleted file mode 100644 index d11c14f610f3..000000000000 --- a/security/openssh-portable/files/extra-patch-openssh661 +++ /dev/null 
@@ -1,162 +0,0 @@ -From 5618210618256bbf5f4f71b2887ff186fd451736 Mon Sep 17 00:00:00 2001 -From: Damien Miller <djm@mindrot.org> -Date: Sun, 20 Apr 2014 13:44:47 +1000 -Subject: [PATCH] - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c - version.h] OpenSSH 6.5 and 6.6 sometimes encode a value used in the - curve25519 key exchange incorrectly, causing connection failures about - 0.2% of the time when this method is used against a peer that implements - the method properly. - - Fix the problem and disable the curve25519 KEX when speaking to - OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1 - to enable the compatability code. ---- - ChangeLog | 11 +++++++++++ - bufaux.c | 5 ++++- - compat.c | 17 ++++++++++++++++- - compat.h | 2 ++ - sshconnect2.c | 2 ++ - sshd.c | 3 +++ - version.h | 2 +- - 7 files changed, 39 insertions(+), 3 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index 9c59cc4..60f181a 100644 ---- ChangeLog -+++ ChangeLog -@@ -1,3 +1,14 @@ -+20140420 -+ - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c version.h] -+ OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519 -+ key exchange incorrectly, causing connection failures about 0.2% of -+ the time when this method is used against a peer that implements -+ the method properly. -+ -+ Fix the problem and disable the curve25519 KEX when speaking to -+ OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1 -+ to enable the compatability code. 
-+ - 20140313 - - (djm) Release OpenSSH 6.6 - -diff --git a/bufaux.c b/bufaux.c -index e24b5fc..f6a6f2a 100644 ---- bufaux.c -+++ bufaux.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */ -+/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */ - /* - * Author: Tatu Ylonen <ylo@cs.hut.fi> - * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland -@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l) - - if (l > 8 * 1024) - fatal("%s: length %u too long", __func__, l); -+ /* Skip leading zero bytes */ -+ for (; l > 0 && *s == 0; l--, s++) -+ ; - p = buf = xmalloc(l + 1); - /* - * If most significant bit is set then prepend a zero byte to -diff --git a/compat.c b/compat.c -index 9d9fabe..2709dc5 100644 ---- compat.c -+++ compat.c -@@ -95,6 +95,9 @@ compat_datafellows(const char *version) - { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF}, - { "OpenSSH_4*", 0 }, - { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT}, -+ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH}, -+ { "OpenSSH_6.5*," -+ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD}, - { "OpenSSH*", SSH_NEW_OPENSSH }, - { "*MindTerm*", 0 }, - { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| -@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop) - return cipher_prop; - } - -- - char * - compat_pkalg_proposal(char *pkalg_prop) - { -@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop) - return pkalg_prop; - } - -+char * -+compat_kex_proposal(char *kex_prop) -+{ -+ if (!(datafellows & SSH_BUG_CURVE25519PAD)) -+ return kex_prop; -+ debug2("%s: original KEX proposal: %s", __func__, kex_prop); -+ kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org"); -+ debug2("%s: compat KEX proposal: %s", __func__, kex_prop); -+ if (*kex_prop == '\0') -+ fatal("No supported key exchange algorithms found"); -+ return kex_prop; -+} -+ -diff --git a/compat.h b/compat.h -index b174fa1..a6c3f3d 100644 ---- compat.h -+++ compat.h 
-@@ -59,6 +59,7 @@ - #define SSH_BUG_RFWD_ADDR 0x02000000 - #define SSH_NEW_OPENSSH 0x04000000 - #define SSH_BUG_DYNAMIC_RPORT 0x08000000 -+#define SSH_BUG_CURVE25519PAD 0x10000000 - - void enable_compat13(void); - void enable_compat20(void); -@@ -66,6 +67,7 @@ void compat_datafellows(const char *); - int proto_spec(const char *); - char *compat_cipher_proposal(char *); - char *compat_pkalg_proposal(char *); -+char *compat_kex_proposal(char *); - - extern int compat13; - extern int compat20; -diff --git a/sshconnect2.c b/sshconnect2.c -index 7f4ff41..ec3ad6a 100644 ---- sshconnect2.c -+++ sshconnect2.c -@@ -195,6 +195,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) - } - if (options.kex_algorithms != NULL) - myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; -+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( -+ myproposal[PROPOSAL_KEX_ALGS]); - - if (options.rekey_limit || options.rekey_interval) - packet_set_rekey_limits((u_int32_t)options.rekey_limit, -diff --git a/sshd.c b/sshd.c -index 7523de9..e9084b7 100644 ---- sshd.c -+++ sshd.c -@@ -2462,6 +2462,9 @@ do_ssh2_kex(void) - if (options.kex_algorithms != NULL) - myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; - -+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( -+ myproposal[PROPOSAL_KEX_ALGS]); -+ - if (options.rekey_limit || options.rekey_interval) - packet_set_rekey_limits((u_int32_t)options.rekey_limit, - (time_t)options.rekey_interval); -diff --git a/version.h b/version.h -index a1579ac..a33e77c 100644 ---- version.h -+++ version.h -@@ -1,6 +1,6 @@ - /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */ - --#define SSH_VERSION "OpenSSH_6.6" -+#define SSH_VERSION "OpenSSH_6.6.1" - - #define SSH_PORTABLE "p1" - #define SSH_RELEASE SSH_VERSION SSH_PORTABLE --- -1.9.1 - diff --git a/security/openssh-portable/files/extra-patch-tcpwrappers b/security/openssh-portable/files/extra-patch-tcpwrappers new file mode 100644 index 000000000000..f1514a9c05cc 
--- /dev/null +++ b/security/openssh-portable/files/extra-patch-tcpwrappers 
@@ -0,0 +1,179 @@ +Revert TCPWRAPPER removal -bdrewery +$FreeBSD$ + +commit f2719b7c2b8a3b14d778d8a6d8dc729b5174b054 +Author: Damien Miller <djm@mindrot.org> +Date: Sun Apr 20 13:22:18 2014 +1000 + + - tedu@cvs.openbsd.org 2014/03/26 19:58:37 + [sshd.8 sshd.c] + remove libwrap support. ok deraadt djm mfriedl + +diff --git sshd.8 sshd.8 +index 289e13d..e6a900b 100644 +--- sshd.8 ++++ sshd.8 +@@ -851,6 +851,12 @@ the user's home directory becomes accessible. + This file should be writable only by the user, and need not be + readable by anyone else. + .Pp ++.It Pa /etc/hosts.allow ++.It Pa /etc/hosts.deny ++Access controls that should be enforced by tcp-wrappers are defined here. ++Further details are described in ++.Xr hosts_access 5 . ++.Pp + .It Pa /etc/hosts.equiv + This file is for host-based authentication (see + .Xr ssh 1 ) . +@@ -954,6 +960,7 @@ The content of this file is not sensitive; it can be world-readable. + .Xr ssh-keygen 1 , + .Xr ssh-keyscan 1 , + .Xr chroot 2 , ++.Xr hosts_access 5 , + .Xr login.conf 5 , + .Xr moduli 5 , + .Xr sshd_config 5 , +diff --git sshd.c sshd.c +index 0ade557..045f149 100644 +--- sshd.c ++++ sshd.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: sshd.c,v 1.421 2014/03/26 19:58:37 tedu Exp $ */ ++/* $OpenBSD: sshd.c,v 1.422 2014/03/27 23:01:27 markus Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -122,6 +122,13 @@ + #include "ssh-sandbox.h" + #include "version.h" + ++#ifdef LIBWRAP ++#include <tcpd.h> ++#include <syslog.h> ++int allow_severity; ++int deny_severity; ++#endif /* LIBWRAP */ ++ + #ifndef O_NOCTTY + #define O_NOCTTY 0 + #endif +@@ -2027,6 +2034,24 @@ main(int ac, char **av) + #ifdef SSH_AUDIT_EVENTS + audit_connection_from(remote_ip, remote_port); + #endif ++#ifdef LIBWRAP ++ allow_severity = options.log_facility|LOG_INFO; ++ deny_severity = options.log_facility|LOG_WARNING; ++ /* Check whether logins are denied from this host. 
*/ ++ if (packet_connection_is_on_socket()) { ++ struct request_info req; ++ ++ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); ++ fromhost(&req); ++ ++ if (!hosts_access(&req)) { ++ debug("Connection refused by tcp wrapper"); ++ refuse(&req); ++ /* NOTREACHED */ ++ fatal("libwrap refuse returns"); ++ } ++ } ++#endif /* LIBWRAP */ + + /* Log the connection. */ + verbose("Connection from %s port %d on %s port %d", +commit f9696566fb41320820f3b257ab564fa321bb3751 +Author: Darren Tucker <dtucker@zip.com.au> +Date: Fri Jun 13 11:06:04 2014 +1000 + + - (dtucker) [configure.ac] Remove tcpwrappers support, support has already + been removed from sshd.c. + +diff --git ChangeLog ChangeLog +index f4c6ea6..1c043ae 100644 +--- ChangeLog ++++ ChangeLog +@@ -1,7 +1,3 @@ +-20140612 +- - (dtucker) [configure.ac] Remove tcpwrappers support, support has already +- been removed from sshd.c. +- + 20140611 + - (dtucker) [defines.h] Add va_copy if we don't already have it, taken from + openbsd-compat/bsd-asprintf.c. 
+diff --git configure.ac configure.ac +index f48ba4a..66fbe82 100644 +--- configure.ac ++++ configure.ac +@@ -1380,6 +1380,62 @@ AC_ARG_WITH([skey], + ] + ) + ++# Check whether user wants TCP wrappers support ++TCPW_MSG="no" ++AC_ARG_WITH([tcp-wrappers], ++ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)], ++ [ ++ if test "x$withval" != "xno" ; then ++ saved_LIBS="$LIBS" ++ saved_LDFLAGS="$LDFLAGS" ++ saved_CPPFLAGS="$CPPFLAGS" ++ if test -n "${withval}" && \ ++ test "x${withval}" != "xyes"; then ++ if test -d "${withval}/lib"; then ++ if test -n "${need_dash_r}"; then ++ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" ++ else ++ LDFLAGS="-L${withval}/lib ${LDFLAGS}" ++ fi ++ else ++ if test -n "${need_dash_r}"; then ++ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" ++ else ++ LDFLAGS="-L${withval} ${LDFLAGS}" ++ fi ++ fi ++ if test -d "${withval}/include"; then ++ CPPFLAGS="-I${withval}/include ${CPPFLAGS}" ++ else ++ CPPFLAGS="-I${withval} ${CPPFLAGS}" ++ fi ++ fi ++ LIBS="-lwrap $LIBS" ++ AC_MSG_CHECKING([for libwrap]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[ ++#include <sys/types.h> ++#include <sys/socket.h> ++#include <netinet/in.h> ++#include <tcpd.h> ++int deny_severity = 0, allow_severity = 0; ++ ]], [[ ++ hosts_access(0); ++ ]])], [ ++ AC_MSG_RESULT([yes]) ++ AC_DEFINE([LIBWRAP], [1], ++ [Define if you want ++ TCP Wrappers support]) ++ SSHDLIBS="$SSHDLIBS -lwrap" ++ TCPW_MSG="yes" ++ ], [ ++ AC_MSG_ERROR([*** libwrap missing]) ++ ++ ]) ++ LIBS="$saved_LIBS" ++ fi ++ ] ++) ++ + # Check whether user wants to use ldns + LDNS_MSG="no" + AC_ARG_WITH(ldns, +@@ -4803,6 +4859,7 @@ echo " KerberosV support: $KRB5_MSG" + echo " SELinux support: $SELINUX_MSG" + echo " Smartcard support: $SCARD_MSG" + echo " S/KEY support: $SKEY_MSG" ++echo " TCP Wrappers support: $TCPW_MSG" + echo " MD5 password support: $MD5_MSG" + echo " libedit support: $LIBEDIT_MSG" + echo " Solaris process contract support: $SPC_MSG" 
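Review bot: The re-added libwrap block in sshd.c's main() calls `fromhost()` and `hosts_access()` before the `Connection from` log line, i.e. in the privileged sshd on every unauthenticated connection and on input the peer influences (its address and, for host-name rules, the reverse lookup), yet the patch header `Revert TCPWRAPPER removal -bdrewery` records neither that exposure nor that the port now maintains code upstream deliberately removed. Add a short rationale above the first `commit` line, e.g. `Re-instates hosts_access() in the privileged pre-auth sshd (removed upstream before 6.7); this code path is now maintained by the port, not upstream.` Whether that exposure was upstream's reason is inferred, not stated: the quoted commit messages only say the support was removed. Separately, the first sshd.c hunk (`@@ -1,4 +1,4 @@`) only rewrites the `$OpenBSD: sshd.c,v 1.421` id to `1.422`; the 6.7p1 sources here are dated October 2014 and that id is from March 2014, so unless patch(1) tolerates the mismatch the hunk looks unable to apply, and since it carries no code it can simply be dropped. The hosts_access block sits inside main(), which begins and ends outside this hunk.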
diff --git a/security/openssh-portable/files/patch-readconf.c b/security/openssh-portable/files/patch-readconf.c index 9f2b6369dd66..45983bf13254 100644 --- a/security/openssh-portable/files/patch-readconf.c +++ b/security/openssh-portable/files/patch-readconf.c @@ -18,22 +18,21 @@ Submitted upstream, no reaction. Submitted by: delphij@ - ---- readconf.c.orig 2013-10-03 06:56:21.649139613 -0500 -+++ readconf.c 2013-10-03 06:56:50.961467272 -0500 +--- readconf.c.orig 2014-07-17 23:11:26.000000000 -0500 ++++ readconf.c 2014-11-03 16:45:05.188796445 -0600 @@ -17,6 +17,7 @@ #include <sys/types.h> #include <sys/stat.h> #include <sys/socket.h> +#include <sys/sysctl.h> #include <sys/wait.h> + #include <sys/un.h> - #include <netinet/in.h> -@@ -282,7 +283,19 @@ - Forward *fwd; +@@ -281,7 +282,19 @@ add_local_forward(Options *options, cons + struct Forward *fwd; #ifndef NO_IPPORT_RESERVED_CONCEPT extern uid_t original_real_uid; -- if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0) +- if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0 && + int ipport_reserved; +#ifdef __FreeBSD__ + size_t len_ipport_reserved = sizeof(ipport_reserved); @@ -46,11 +45,11 @@ Submitted by: delphij@ +#else + ipport_reserved = IPPORT_RESERVED; +#endif -+ if (newfwd->listen_port < ipport_reserved && original_real_uid != 0) ++ if (newfwd->listen_port < ipport_reserved && original_real_uid != 0 && + newfwd->listen_path == NULL) fatal("Privileged ports can only be forwarded by root."); #endif - options->local_forwards = xrealloc(options->local_forwards, -@@ -1607,7 +1620,7 @@ +@@ -1674,7 +1687,7 @@ fill_default_options(Options * options) if (options->batch_mode == -1) options->batch_mode = 0; if (options->check_host_ip == -1) diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c index a7f6af9a6f27..f0ca874922ee 100644 --- a/security/openssh-portable/files/patch-ssh-agent.c 
+++ b/security/openssh-portable/files/patch-ssh-agent.c @@ -7,11 +7,11 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines Add a -x option that causes ssh-agent(1) to exit when all clients have disconnected. ---- ssh-agent.c.orig 2011-06-02 23:14:16.000000000 -0500 -+++ ssh-agent.c 2013-05-09 15:59:14.044627857 -0500 -@@ -137,15 +137,34 @@ - /* Default lifetime (0 == forever) */ - static int lifetime = 0; +--- ssh-agent.c.orig 2014-07-29 21:32:46.000000000 -0500 ++++ ssh-agent.c 2014-11-03 16:48:03.930786112 -0600 +@@ -142,15 +142,34 @@ extern char *__progname; + /* Default lifetime in seconds (0 == forever) */ + static long lifetime = 0; +/* + * Client connection count; incremented in new_socket() and decremented in @@ -44,7 +44,7 @@ disconnected. } static void -@@ -900,6 +919,10 @@ +@@ -810,6 +829,10 @@ new_socket(sock_type type, int fd) { u_int i, old_alloc, new_alloc; @@ -55,15 +55,16 @@ disconnected. set_nonblock(fd); if (fd > max_fd) -@@ -1120,6 +1143,7 @@ - fprintf(stderr, " -d Debug mode.\n"); - fprintf(stderr, " -a socket Bind agent socket to given name.\n"); - fprintf(stderr, " -t life Default identity lifetime (seconds).\n"); -+ fprintf(stderr, " -x Exit when the last client disconnects.\n"); +@@ -1026,7 +1049,7 @@ usage(void) + { + fprintf(stderr, + "usage: ssh-agent [-c | -s] [-d] [-a bind_address] [-t life]\n" +- " [command [arg ...]]\n" ++ " [-x] [command [arg ...]]\n" + " ssh-agent [-c | -s] -k\n"); exit(1); } - -@@ -1149,6 +1173,7 @@ +@@ -1056,6 +1079,7 @@ main(int ac, char **av) /* drop */ setegid(getgid()); setgid(getgid()); @@ -71,7 +72,7 @@ disconnected. #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) /* Disable ptrace on Linux without sgid bit */ -@@ -1160,7 +1185,7 @@ +@@ -1069,7 +1093,7 @@ main(int ac, char **av) __progname = ssh_get_progname(av[0]); seed_rng(); @@ -80,7 +81,7 @@ disconnected. switch (ch) { case 'c': if (s_flag) -@@ -1189,6 +1214,9 @@ +@@ -1098,6 +1122,9 @@ main(int ac, char **av) usage(); } break; 
diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5 index 096631d0df3d..93d7bec1f85f 100644 --- a/security/openssh-portable/files/patch-sshd_config.5 +++ b/security/openssh-portable/files/patch-sshd_config.5 @@ -1,9 +1,9 @@ ---- sshd_config.5.orig 2013-02-11 18:02:09.000000000 -0600 -+++ sshd_config.5 2013-05-13 06:49:28.164628328 -0500 -@@ -277,7 +277,9 @@ +--- sshd_config.5.orig 2014-10-02 18:24:57.000000000 -0500 ++++ sshd_config.5 2014-11-03 16:49:35.943778119 -0600 +@@ -304,7 +304,9 @@ .It Cm ChallengeResponseAuthentication Specifies whether challenge-response authentication is allowed (e.g. via - PAM or though authentication styles supported in + PAM or through authentication styles supported in -.Xr login.conf 5 ) +.Xr login.conf 5 ) . +See also @@ -11,7 +11,7 @@ The default is .Dq yes . .It Cm ChrootDirectory -@@ -555,7 +557,7 @@ +@@ -615,7 +617,7 @@ .Pp .Pa /etc/hosts.equiv and @@ -20,7 +20,7 @@ are still used. The default is .Dq yes . -@@ -841,7 +843,22 @@ +@@ -977,7 +979,22 @@ .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is @@ -43,7 +43,7 @@ .It Cm PermitEmptyPasswords When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. -@@ -887,7 +904,14 @@ +@@ -1023,7 +1040,14 @@ or .Dq no . The default is @@ -59,8 +59,8 @@ .Pp If this option is set to .Dq without-password , -@@ -1006,7 +1030,9 @@ - section in +@@ -1178,7 +1202,9 @@ + For more information on KRLs, see the KEY REVOCATION LISTS section in .Xr ssh-keygen 1 . .It Cm RhostsRSAAuthentication -Specifies whether rhosts or /etc/hosts.equiv authentication together @@ -70,7 +70,7 @@ with successful RSA host authentication is allowed. The default is .Dq no . -@@ -1146,7 +1172,7 @@ +@@ -1343,7 +1369,7 @@ .Xr sshd 8 as a non-root user. The default is 
@@ -79,7 +79,7 @@ .It Cm UsePrivilegeSeparation Specifies whether .Xr sshd 8 -@@ -1182,7 +1208,7 @@ +@@ -1379,7 +1405,7 @@ or .Dq no . The default is |